NIST Risk Management - Broken into Components

This post breaks the NIST Risk Management Framework (RMF) down into five distinct components and explains how they must work together to limit risk across the enterprise.

The National Institute of Standards and Technology (NIST) Risk Management Framework can be compiled into five distinct components, depicted in the graphic below:


Each component is tied to a set of roles drawn from NIST guidance in both the Risk Management Framework (RMF) and the Cybersecurity Framework (CSF). The sections that follow give an overview of each component and of how they must work together for the frameworks to function.

Information Assurance (IA)/Security Components

The components under IA/S address RMF Tiers 1 to 3 (organization, mission/business process, and information system) and may affect the organization as a whole or a single information system. The tasks associated with each component in this area vary greatly. Failing to establish these components leaves a high number of unknown risks at the organizational level. They are essential for limiting the impact of a cyber attack across the organization and must be in place before the Cybersecurity components are introduced.

Governance/Security Leadership

The first component is the most important of all, because it delineates the best approach for applying enterprise-level risk management without overloading existing resources or going over budget. It also ensures that senior executives (the C-suite [CEO, CFO] and the Board of Directors) are fully informed of all organizational risks. This component is where the RMF Tier 1 activities take place, and the decisions that executives agree upon here shape every component that follows. As part of this component, the following takes place:

  • The organization's risk management approach is clearly delineated.
  • The organization's risk appetite and acceptable risk levels are approved and enforced.
  • Business objectives and budget restrictions are clearly identified.
  • Existing resources are analyzed and new resource requirements are identified.
  • The sectors the organization operates in are identified, along with the security standards that apply to each.
  • The enterprise-level policies and procedures required are identified.
  • The Program Management (PM) controls of NIST SP 800-53 are established.

Together, these items set the path for prioritizing the IT security program across the enterprise and for sizing the budget and resources required to execute the next step.


Within this component, the key roles are the Enterprise-Level Risk Assessor/Auditor, Chief Information Officer (CIO), Chief Technology Officer (CTO), and Enterprise Privacy Officer (EPO).

Information Assurance (IA)

The second component can be broken into two distinct areas, targeting Tier 2 and Tier 3 respectively. These areas are depicted in the graphic below:


Management (MGMT)
The Management area incorporates the personnel responsible for delineating Tier 2 tasks. They develop the enterprise-level policies and procedures for implementing the Risk Management Framework approach agreed upon at Tier 1.

They work closely with Tier 1 personnel to ensure that the Tier 2 policies, procedures, and methodologies go hand in hand with what was agreed at Tier 1, and with the Liaisons, who are responsible for the Tier 3 implementation of the requirements set by the Tier 1 and Tier 2 teams.

Liaison
The Liaison area incorporates the personnel responsible for ensuring that the guidance from Tiers 1 and 2 is applied correctly at Tier 3. Their main goal is to ensure that the systems under their purview comply with the requirements set by the MGMT team, and to coordinate with the technical teams (network administrators, developers, IT teams) to gather the information needed for the security documentation required by the certification (in current RMF terms, authorization) process.

A liaison's tasks depend on the SDLC phase the system is in. Most systems are COTS products or already in operation; liaisons supporting a system that is still in the early stages of development therefore carry additional responsibilities, since security requirements have to be defined and built in rather than documented after the fact.

Defense In-depth

This component is composed of security auditors/assessors responsible for validating the documentation produced by the Liaison area under IA and/or for testing and developing security baselines for all software and hardware introduced into the environment.

They identify deficiencies in a system, both operational and technical, and develop the final documentation included in the certification package. The certifier uses that package to determine whether the system may become operational or must be held until the identified risks are mitigated and the system is re-submitted, which is the outcome whenever the residual risk exceeds the organization's agreed-upon risk appetite/acceptance level.

Personnel at this level must be highly technical and understand the architecture and engineering of a system. Technical testing leverages a mix of automated tools and hands-on techniques.

In an ideal scenario the liaisons would perform their own risk assessments and ensure defense in depth is applied across their systems, but in practice that is rarely viable: by the author's estimate, roughly 80% of the people in the liaison role are non-technical and have minimal understanding of how a system should be secured technically beyond the general guidance made available to them by MGMT.

Cybersecurity Components

The Cybersecurity components are activated as soon as the system has been accredited and authorized to operate (ATO). These components keep the system's risks at an acceptable level and verify that the security program's methodologies work as intended.

Defensive Security

The teams under this component have a number of responsibilities geared towards protecting the network from within the organization. Each team works with the others to enforce defensive mechanisms and to ensure the appropriate plans are activated. They are summarized below.

Privileged Users (Administrators)
The team members with privileged responsibilities for each layer (OS, application, database, network device, etc.) are responsible for keeping software, hardware, and firmware up to date on patches. This must be done by following the organization's configuration management process and in conjunction with the IA team.

Security Operations Center (SOC)
The team monitors all systems for anomalies and unauthorized access. Once an anomaly or unauthorized access is identified, they investigate to determine whether it is valid. If it is, they initiate the incident response process and notify the parties responsible for the impacted systems. In organizations without a SOC, these tasks fall upon the network administrators.

Incident Response
This team executes the incident response plan once the SOC's identification process has confirmed an incident. They work closely with the IA and network teams to delineate the steps required to address the incident.

Forensic Team
This team gathers and preserves the necessary data once a breach has been confirmed, so that it can serve as evidence in court. This includes acquiring forensic images of the affected system(s) for preservation and in-depth examination. In smaller organizations this can be performed by the incident response team.

Blue Team
This team is a group of assessors/auditors that performs ad-hoc penetration testing of internal applications to test their security posture. The systems are selected by upper management for a more in-depth test, with an emphasis on those deemed mission critical. (This post uses "Blue Team" in a narrow sense; in common usage the term covers the whole internal defensive side, SOC and incident response included.)

The key focus is identifying internal threats and vulnerabilities. Unlike the Defense In-depth teams, they target systems identified by MGMT with minimal notification to those responsible for the system (ISSM, ISSO, System Owner).

Offensive Security

This component leverages third-party service providers to assess the organization's security posture. The teams selected have no hands-on knowledge of the systems to be tested and must not have been involved in their architecture or engineering. They are meant to provide an unbiased assessment of the organization's security program and its mission-critical systems. The teams under this component are noted below.

Red Team
This team tests the systems clearly delineated and approved by MGMT for an in-depth test. The main focus is to identify vulnerabilities from an external point of view.

The tools, methods, and actions to be taken are fully documented in the rules of engagement, which serve as the team's "get out of jail free" card: written authorization for activity that would otherwise be unlawful. The team also assesses the possible impact of the test beforehand and ensures the client has the appropriate mechanisms in place to restore their systems in the event testing leads to an inadvertent impact.

Purple Team
This team reviews the outcomes of the Blue and Red team engagements and delineates a viable plan to address the issues identified internally and externally, based on the organization's mission and business objectives. (Elsewhere "purple team" commonly describes a joint red/blue exercise; here the term is used for this remediation-planning function.)

Which areas are covered by CyberAdeptness?

The current services provided by CyberAdeptness focus on helping organizations implement the IA components correctly, to limit risk to what matters and lower cost, and on the engineering side of the Defensive Security component of Cybersecurity.

Unlike most cybersecurity companies, however, we prefer to start with an Enterprise Assessment to determine the most cost-effective approach to implementation, thus ensuring that cost is kept to a minimum and that the essential areas are prioritized to meet the organization's mission and business objectives. Since every organization's mission and business objectives are unique, the services required will differ.

An Enterprise Assessment gives management a clear view of the path that will lead them to meet specific business objectives within the set timeframe and comply with their target sector's requirements, which tend to be unique as well.

Interested in learning more? Contact us via our site form at 

NOTE: Due to security concerns, we keep our web content to the bare bones. You will receive a response within forty-eight (48) hours or less.

By Karen Baez | on Sunday, September 16 2018 21:37
