FDIC, Federal Deposit Insurance Corporation, Office of Inspector General, core values: communication, objectivity, responsibility, excellence

Independent Evaluation of the FDIC’s Information Security Program-2006

September 2006
Evaluation Report 06-022


Figure 1: Managing Enterprise Risk (The Framework)

The NIST framework for managing enterprise risk is an eight-step cycle that is repeated for each information system and includes the following:

Step 1. Security Categorization starts the cycle and categorizes the information system according to the potential impact of a loss of confidentiality, integrity, or availability, as defined in the FIPS 199 standard and SP 800-60 guidance.

Step 2. Security Control Selection selects the minimum security controls (i.e., safeguards and countermeasures) planned or in place to protect the information system, using the FIPS 200 standard and SP 800-53 guidance.

Step 3. Security Control Refinement uses a risk assessment to adjust the minimum control set based on local conditions, required threat coverage, and specific agency requirements, using the FIPS 200 standard and SP 800-53 and SP 800-30 guidance.

Step 4. Security Control Documentation, in the system security plan, provides an overview of the security requirements for the information system and documents the security controls planned or in place, using SP 800-18 guidance.

Step 5. Security Control Implementation implements the security controls in new or legacy information systems and applies security configuration checklists, using SP 800-70 guidance.

Step 6. Security Control Assessment determines the extent to which the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements, using SP 800-53A, SP 800-26, and SP 800-37 guidance.

Step 7. System Authorization determines the risk to agency operations, agency assets, or individuals and, if that risk is acceptable, authorizes information system processing, using SP 800-37 guidance.

Step 8. Security Control Monitoring continuously tracks changes to the information system that may affect its security controls and reassesses control effectiveness, using SP 800-37 guidance.

Source: NIST.
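Steps 1 and 2 of the cycle rest on a concrete rule: under FIPS 199 a system's impact for each security objective is the high water mark across every information type it handles (with "not applicable" allowed only for the confidentiality of public information, and never for a system, whose floor is LOW), and under FIPS 200 the SP 800-53 baseline is chosen by the highest of the three resulting impact levels. The following Python is an added illustration of that rule; it is not code from the FDIC OIG report or from NIST, and the information types and impact values in it are constructed for the example rather than taken from SP 800-60.

```python
"""Worked FIPS 199 / FIPS 200 categorization (Steps 1 and 2 of the cycle).

Added illustration for this page; it is not the FDIC OIG's or NIST's code.
Information types and impact values below are constructed examples, not
provisional values from SP 800-60.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# FIPS 199 potential impact levels, ordered low to high so that the highest
# rank is the "high water mark".  NA (not applicable) is permitted only for
# the confidentiality of public information and only at the information-type
# level; a system's impact for every objective is at least LOW.
LEVELS = ("LOW", "MODERATE", "HIGH")
RANK = {name: i for i, name in enumerate(LEVELS)}
NA = "NA"
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """Security category of one information type: SC = {(C, x), (I, y), (A, z)}."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        # Reject anything that is not a FIPS 199 level; NA only on confidentiality.
        for obj in OBJECTIVES:
            level = getattr(self, obj)
            if level in RANK or (level == NA and obj == "confidentiality"):
                continue
            raise ValueError(f"{self.name}: invalid {obj} impact {level!r}")


def high_water_mark(levels: Iterable[str]) -> str:
    """Highest impact among the given levels.  NA entries are ignored and the
    system-level floor of LOW applies when nothing else remains (FIPS 199)."""
    applicable = [lvl for lvl in levels if lvl != NA]
    if not applicable:
        return "LOW"
    return max(applicable, key=RANK.__getitem__)


def categorize_system(info_types: List[InformationType]) -> Dict[str, str]:
    """Step 1: the system's impact for each objective is the high water mark
    of that objective across every information type it stores, processes
    or transmits."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return {obj: high_water_mark(getattr(t, obj) for t in info_types)
            for obj in OBJECTIVES}


def format_category(category: Dict[str, str]) -> str:
    """Render the result in the FIPS 199 notation used in system security plans."""
    return ("SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}"
            % tuple(category[obj] for obj in OBJECTIVES))


def baseline_level(category: Dict[str, str]) -> str:
    """Step 2: FIPS 200 selects the SP 800-53 baseline (LOW, MODERATE or HIGH)
    from the highest impact across the three objectives."""
    return high_water_mark(category[obj] for obj in OBJECTIVES)


# Constructed sample: a hypothetical examination-support system holding three
# information types.  Names and impact values are invented for illustration.
SAMPLE_SYSTEM = [
    InformationType("public web content", NA, "LOW", "LOW"),
    InformationType("examiner case files", "MODERATE", "MODERATE", "LOW"),
    InformationType("deposit insurance claims", "MODERATE", "HIGH", "MODERATE"),
]

if __name__ == "__main__":
    cat = categorize_system(SAMPLE_SYSTEM)
    print(format_category(cat))
    print("SP 800-53 baseline:", baseline_level(cat))
```

The point a practitioner should take from the sample is that one HIGH integrity rating on a single information type drives the whole system to the HIGH baseline, and that a system containing only public information still categorizes at LOW for confidentiality rather than NA; both are consequences of the high water mark rule that later steps (control selection, refinement, assessment) inherit.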

Last updated 11/02/2006