This is a quick introduction to Step 2 of the Risk Management Framework NIST 800-37 process. Step 2 involves selection of NIST Special Publication 800-53 security controls. There are (3) main tasks that you must do in this step:

1) Select the applicable baseline controls. Selection of baseline controls is based on system categorization.

2) Tailor the Security Controls to the system. Not all security controls can be used because they may break your system. And in some cases they are simply not applicable. There are also Common Controls, Hybrid controls, and system specific controls.

3) Document the Security Controls. You must document the selected security controls in a system security plan and have the security controls reviewed.

Tags : diarmf selectrisk management frameworkrmfselect
Bruce Brown

The author Bruce Brown

I have done a lot of work with Risk Management Framework for DoD IT (formerly DIACAP,DITSCAP). I noticed there was not a lot of information for security engineers on the nuts and bolts of it, so i started writing it down. security is just a hobby. my real job is to help humanity out of poverty (information & financial poverty). I am sure we can do it together maybe rmf will help humanity. ;p the internet maybe our greatest hope, we should keep it safe.

Leave a Response