Analecta Cyber Company Blog: Are you Managing the Risk Management Process?


Are you Managing the Risk Management Process?

On December 20, 2018, the National Institute of Standards and Technology (NIST) released the final version of its NIST Special Publication 800-37 Revision 2, a Risk Management Framework (RMF) addressing both security and privacy concerns in IT risk management. This update connects the RMF with NIST’s well-known Cybersecurity Framework (CSF), highlighting relationships that exist between the two documents.

“Until now, federal agencies had been using the RMF and CSF separately… The update provides cross-references so that organizations using the RMF can see where and how the CSF aligns with the current steps in the RMF. Conversely, if you’re using the CSF, you can bring in the RMF and give your organization a robust methodology to manage security and privacy risks.”

Ron Ross, co-author of NIST SP 800-37 Revision 2

Risk Management Framework (RMF) steps

The RMF is a disciplined and structured process that blends information security and risk management functions into the system development life cycle. Since your company needs to perform these tasks at every phase of the system development life cycle, it makes sense to incorporate them into the framework.

As with other risk management models, the RMF is a cyclical model. Its steps include:
  • Prepare to execute the RMF from both organization and system-level perspectives. This involves establishing a context for managing security and privacy risk and setting clear priorities.
  • Categorize the information system and the information processed, stored and transmitted by that system based on an impact analysis.
  • Select an initial set of baseline security controls for the information system and customize the controls as required to reduce risk to an acceptable level based on the risk assessment.
  • Implement the security controls and describe how the controls are employed within the information system and its environment of operation.
  • Assess the security controls to determine if they are implemented correctly, performing as intended and producing the desired outcome of satisfying security and privacy requirements.
  • Authorize the system or common controls based on a determination that the remaining level of risk (to organizational operations and assets, individuals, other organizations or the Nation) is acceptable.
  • Monitor the security and associated controls on an ongoing basis including assessing control effectiveness, documenting changes to the system and/or its environment of operation, conducting additional risk assessments and impact analyses, and reporting the security and privacy posture of the system to designated organizational officials. 
NIST risk management framework graphic
Image courtesy of NIST Special Publication 800-37 Revision 2

RMF’s relation to CSF

The direct correlation between RMF steps and the applicable CSF constructs is clearly laid out in the documentation, and will be one of the most useful components of the RMF update.

RMF’s relation to CSF graphic
Image courtesy of NIST Special Publication 800-37 Revision 2

As an example, the table above shows which tasks are part of the Categorize step of the RMF and links each task to one or more components of the CSF. You can then consult the RMF for further clarification of the task, or examine the corresponding CSF subcategories, for example ID.AM-1: “Physical devices and systems within the organization are inventoried.” Within the CSF documentation, each subcategory also lists informative references you can draw on for ideas about controls or standards.

But what about that risk assessment?

Analecta has devised a 96-point Cyber Risk Assessment that asks tough, realistic questions that can identify the most critical next steps in your firm’s cybersecurity program to maximize protection. The Cyber Risk Assessment is designed to enable small and medium-sized businesses to minimize or even eliminate the risk of data breaches that can cause customer loss, reputational damage and severe bottom-line impact. For more information about the Cyber Risk Assessment and other ways to protect your business, email us at or visit our Cybersecurity website.

Analecta Cyber is a Maryland-based cybersecurity firm providing cyber risk assessments for small and medium-sized businesses. Analecta is a trusted partner to help companies achieve their cybersecurity objectives.

Further Resources

