NIST provides assessment guidance for the NIST SP 800-53 control catalog in NIST SP 800-53A Rev. 5,[37] a technical guide for information security testing and assessment in NIST SP 800-115,[38] and specific guidance for the assessment of access control systems in NISTIR 7316.[39] NIST also provides a process maturity-based security assessment methodology called PRISMA (Program Review for Information Security Management Assistance) in NISTIR 7358.[40] Although not formally incorporated in the NIST RMF, PRISMA provides an intuitive approach to the evaluation of information security controls by considering whether a requirement is specified in policy, supported by formal processes, implemented across the organization, tested to ensure continued effectiveness, and whether the activities supporting those first four levels are fully integrated with each other and with the organization’s control environment. NISTIR 7358 also provides guidance on how to prepare for and execute a PRISMA-based assessment, as well as information on the practical application of the formal report.

In addition to those publications already addressed, related RMF publications include but are not necessarily limited to NIST SP 800-171A[41] and NIST SP 800-172A.[42]

Like NIST, other RMFs use a risk management process as their basis.[43] However, as shown in the table below, many if not most are simply variations of the 4-step process outlined above, with some activities broken out in more or less detail or compressed into a single step.

Table 1. Comparison of Various Risk Management Processes

4-Step Process           | 5-Step Process [44]  | 7-Step Process [45]  | 8-Step Process [46]
-------------------------+----------------------+----------------------+--------------------------
                         |                      |                      | Implement an RMF
-------------------------+----------------------+----------------------+--------------------------
Conduct a Risk Analysis  | Identify the Risk    | Prepare              | Establish Context
                         | Analyze the Risk     | Categorize           | Identify Risks
                         | Prioritize the Risk  |                      | Analyze & Evaluate Risks
-------------------------+----------------------+----------------------+--------------------------
Specify Controls         | Treat the Risk       | Select               | Treat & Manage Risks
Implement Controls       |                      | Implement            |
-------------------------+----------------------+----------------------+--------------------------
Assess & Report          | Monitor the Risk     | Assess               | Communicate and Consult
                         |                      | Authorize            | Monitor & Review
                         |                      | Monitor              |
-------------------------+----------------------+----------------------+--------------------------
                         |                      |                      | Record

We also note that, with respect to the 8-step process shown in the table, implementing a risk management framework (RMF) is something that would be done outside of a cyclical risk management process (although one could admittedly reconsider the use of one’s selected RMF at this stage), and recording the input, decisions, and output of each step of the risk management process would necessarily be done regardless of the process used. We therefore exclude the first and last steps of the 8-step process from the cyclical process.

[37] JTF (2022, Jan). Assessing Security and Privacy Controls in Information Systems and Organizations (NIST SP 800-53A Rev. 5). Gaithersburg, MD: NIST.

[38] Scarfone, K., Souppaya, M., Cody, A., and Orebaugh, A. (2008, Sep). Technical Guide to Information Security Testing and Assessment (NIST SP 800-115). Gaithersburg, MD: NIST.

[39] Hu, V., Ferraiolo, D., and Kuhn, R. (2006, Sep). Assessment of Access Control Systems (NISTIR 7316). Gaithersburg, MD: NIST.

[40] Bowen, P. and Kissel, R. (2007, Jan). Program Review for Information Security Management Assistance (PRISMA) (NISTIR 7358). Gaithersburg, MD: NIST.

[41] Ross, R., Dempsey, K., and Pillitteri, V. (2018, Jun). Assessing Security Requirements for Controlled Unclassified Information (NIST SP 800-171A). Gaithersburg, MD: NIST.

[42] Ross, R., Dempsey, K., and Pillitteri, V. (2022, Mar). Assessing Enhanced Security Requirements for Controlled Unclassified Information (NIST SP 800-172A). Gaithersburg, MD: NIST.

[43] For example, see International Organization for Standardization, ISO (2018). Risk management – Guidelines (ISO 31000:2018). Geneva: Author.

[44] Lucidchart (2022). 5 Steps to any Effective Risk Management Process (Blog).

[45] NIST (2022d). Information Technology Laboratory: Computer Security Resource Center: NIST Risk Management Framework (RMF).

[46] Foerster, M. and Arnold, C. (2019, 21 Jul). Eight Steps to Establish a Firm Risk Management Program. International Federation of Accountants.