NIST SP 800-39 and 800-37

Table of Contents
NIST SP 800-39 .......................................... 2
NIST SP 800-39: Tiers of Risk Management ................ 3
NIST SP 800-39: Process Applied ......................... 4
NIST SP 800-39: Risk Framing ............................ 5
NIST SP 800-39: Risk Monitoring ......................... 7
NIST SP 800-39: Risk Response ........................... 9
NIST SP 800-37 ......................................... 10
Risk Management Framework .............................. 13
Notices ................................................ 16

Page 1 of 16

NIST SP 800-39
Managing Risk from Information Systems
- Provides guidelines for managing risk to organizational operations and assets
- Provides a structured yet flexible approach for managing risk
- A flagship document in the series of FISMA-related publications

**022 So all of that came out of 800-30. It's quite a bit. There's 800-39, which actually will go through another part of risk management. Some guidelines here. It really is a structured approach. They call it flexible, so you can apply it in different areas or different aspects of your business. If you are subject to FISMA compliance, you want to get friendly with 800-39. Thirty-nine will help you kind of figure out what you need to be FISMA-compliant, how you report it, what you do with it, and that sort of thing, along with a couple documents out there. But 39 will lay that out for you.

NIST SP 800-39: Tiers of Risk Management
Risk management can be viewed as a holistic activity that is fully integrated into every aspect of the organization.
- The organization level
- The mission and business process level
- The information system level

Multi-tier Organization-Wide Risk Management
- Implemented by the Risk Executive Function
- Tightly coupled to Enterprise Architecture and Information Security Architecture
- System Development Lifecycle Focus
- Disciplined and Structured Process
- Flexible and Agile Implementation

[Figure: three-tier pyramid, strategic risk at the top and tactical risk at the bottom]
Tier 1 – Organization (Governance): Strategic Risk
Tier 2 – Mission (Business Process)
Tier 3 – Information System (Environment of Operations): Tactical Risk

Ref: NIST SP 800-39, Managing Information Security Risk

**023 You probably recall that there are three tiers of risk management. Where did this come from? Well, it came from 800-39. And again, you've got strategic risk, business risk, and system, or particular application risk. And just keep in mind that with each of these risk management functions, it might be different people looking at these particular functions.

NIST SP 800-39: Process Applied
[Figure: risk management process diagram with the three tiers in the center and the Frame, Assess, Respond and Monitor components connected by arrows]
Ref: NIST SP 800-39, Managing Information Security Risk

**024 Thirty-nine shows a generic process, and this is a nice little bubble diagram for you. So if you look in the center here, you see each of these triangles is a different tier. So you've got organizational or strategic risk at tier one, you've got mission or business process at tier two, and then actual systems at tier three. What do all of these arrows in these bubbles mean? It means that they all communicate with each other. So by assessing risk, you're able to respond by putting in additional controls. If you can monitor risk and understand what's going on, maybe you can have a better, or more informed, risk assessment. If you're monitoring your controls or your risk, maybe you're better able to respond because you can detect when things go wrong.

NIST SP 800-39: Risk Framing
Establishes the context and provides a common perspective on how organizations manage risk
Risk framing produces a risk management strategy that addresses how organizations intend to
- Assess risk
- Respond to risk, and
- Monitor risk.
The risk management strategy makes explicit the specific assumptions, constraints, risk tolerances, and priorities/trade-offs used within organizations for making investment and operational decisions.
Ref: NIST SP 800-39, Managing Information Security Risk

**025 So, risk framing, that bubble in the center of the diagram on the previous slide-- this is framing risk. How does it impact your organization? How do you deal with it? What do you do? So the idea is you're looking at a context for the risk management process and establishing some type of common perspective on how to manage that. Again, across the organization, looking at the different tiers-- strategic, the operational piece with the business functions, and the individual systems.

So what should come out of this framing discussion is: What do we do to assess risk, respond to risk, and monitor risk? Now, if you remember from the bubble chart on the previous slide, that's each of those bubbles that are on the corners. Right? So you're looking at: How do I assess the risk? How do I respond to it? And what do I do about it? And this, the strategy that you come up with, should address all of these things that are here. So, assumptions, constraints, risk tolerance, and priorities when you're going through and doing your risk management.

NIST SP 800-39: Risk Monitoring
Provides organizations with the means to
- Verify compliance
- Determine the ongoing effectiveness of risk response measures
- Identify risk-impacting changes to organizational information systems and environments of operation
Analyzing monitoring results provides organizations the capability to
- Maintain awareness of the risk being incurred
- Highlight the need to revisit other steps in the risk management process
- Initiate process improvement activities as needed
Ref: NIST SP 800-39, Managing Information Security Risk

**026 Risk monitoring. So this was one of the side bubbles there. Why you do this is because it gives you the ability to say, "I'm compliant with whatever regulations I might be subject to." I can determine the effectiveness of the risk response or the controls that we've got in place, and I can look at risk-impacting changes. So, as things change within our business, the ecosystem that we live in changes-- I get new systems, I get new people-- what are the new risks associated with that? All of that happens here in this section, the risk monitoring section. And what you're trying to do is maintain awareness of the risk you've got. You want to be able to go back through other steps in the risk management process and say, "You know what? We need to relook at our controls. We need to redo our vulnerability assessment, because that seems to be out of date."

And initiate process improvement activities-- the idea that you're going to do some type of gap analysis here and see: "We have problems. How do we improve that? How do we fix that?" All of that happens here in the risk monitoring.

NIST SP 800-39: Risk Response
The risk response step can receive inputs from the risk framing step.
- When is the organization required to deploy new safeguards and countermeasures in their information systems based on security requirements in new legislation or OMB policies
- Shapes the resource constraints associated with selecting an appropriate course of action
The risk response step can receive inputs from the risk monitoring step.
- When organizations experience a breach/compromise to their information systems or environments of operation that require an immediate response to address the incident and reduce additional risk that results from the event
Ref: NIST SP 800-39, Managing Information Security Risk

**027 With risk response, this is what you do when you actually have an issue, like a security breach. You go into incident response, or whatever your processes might be there.

For risk response, generally you're going to be taking inputs from the other aspects, from the assessment, from the monitoring, and even from the framing step within that particular section. And because of that response-- you get inputs from the framing section or the framing process, risk framing process-- you're able to better select the course of action that you want to do, pick out, "Here are the steps that we need to take in terms of risk response."

NIST SP 800-37
Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
Guidelines developed to ensure that
- Managing information system security risks is consistent with the organization's objectives and overall risk strategy
- Information security requirements are integrated into the organization's enterprise architecture and SDLC

**028 800-37, another publication. This presents the security lifecycle, or how do we address security within our organization. It does give you some guidance on making sure that your risks are consistent with your risk appetite or your organizational desire for managing risk. So it's kind of balancing risk and what our business actually wants. And it makes sure that your requirements-- so, as your-- or your requirements are integrated into some type of lifecycle. Meaning, when you go out and you purchase a new system, or you bring in a new application, when should you start thinking about the security of that application or system? Before you buy it, after you've bought it, or after you've implemented it?

Students: Before you buy it.

Chris Evans: Before you buy it. Now, when do people usually get to thinking about security?

Student: Once they have it in house.

Chris Evans: Once they have it in house, once the lights are blinking and everybody goes, "Ooh, that's great. We like it." Okay, what about the security of it?

So there was an example of an organization who brought in a nice little Polycom system, one of those teleconference systems, and in the documentation for it, the Polycom says, "You have to put this outside your firewall. And oh, by the way-- warning, warning-- it opens you up to attacks," and yada, yada. I mean, it's all documented in there. So, good disclosure from the manufacturer on this device. Right? So somebody said, "Okay"-- somebody within the business unit said, "I want the Polycom. I want it here, because I need to do business, and oh, by the way, I needed it yesterday. So go buy it, put it in, and we'll be all right." Three hundred thousand dollars later, the Polycom comes in, is sitting on the table, and the people go, "Oh yeah, we need to talk to security about this." So it's already up and running, it's already connected in, and the security guys come over and go, "Oh. Well, this is going to introduce all sorts of problems." Now you have security versus convenience. Right? "Well, I have to have the Polycom to do business, but the security guys are telling me this is a terrible thing to have because it opens up our network to attack." Well, now what do we do? What do you think is going to happen? The organization already spent 300 grand on the Polycom device.

Student: Risk assessment.

Chris Evans: That's what hopefully happens, but usually what happens is the Polycom stays there and the security guys are left to figure out how to deal with it and how to mitigate that.

Risk Management Framework
[Figure: Security Life Cycle (SP 800-37, SP 800-39), six steps arranged in a loop]
Starting Point
CATEGORIZE Information System (FIPS 199 / SP 800-60): Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business.
SELECT Security Controls (FIPS 200 / SP 800-53): Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
IMPLEMENT Security Controls (SP 800-70): Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.
ASSESS Security Controls (SP 800-53A): Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system).
AUTHORIZE Information System (SP 800-37): Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
MONITOR Security State (SP 800-37 / SP 800-53A): Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
Ref: NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems

**029 So, you look at the security lifecycle that's presented here. Kind of in the-- this is the lifecycle that comes out of 800-37. Right in the middle of this thing you have the overall guidance. That comes out of 800-39. You're going to start your process up at the top of this chart. So, up at the top there, we have categorizing information systems. So, we've talked a lot about risk management. What's the first thing you do? Identify your critical assets. Right? Systems, people, that sort of thing. So you're categorizing your information systems. You can get guidance on that out of FIPS 199 or 800-30. Both of those-- or, sorry, 800-60. Both of those documents will help you categorize your information system.

Once you do that, you're coming over here, and you're going to look at the security controls that you want to put in place to address the risks. You can look at FIPS 200 or Special Pub 800-53. 800-53 is a thick document and it lists hundreds of controls that you can put in place, separated by different functional ar