Udemy
Keep the NIST Risk Management Framework Simple
Rating: 5.0 out of 5 (9 ratings)
304 students

Risk Management Framework for Beginners
Last updated 9/2024
English

What you'll learn

  • Learn NOT to take the NIST Risk Management Framework too seriously!
  • Understand Risk Management from a very practical perspective
  • Recognize that we apply RMF to many things in our daily life (like changing a Door Lock)
  • Gain a basic understanding of the 6 RMF Steps
  • Apply the Risk Based approach to a very practical, non-technical Scenario
  • Keep Cybersecurity and RMF Simple and Fun!

Course content

4 sections, 11 lectures, 56m total length
  • Course Introduction (5:23)

    These are the downloadable PowerPoint Slides I used for this course.

Requirements

  • No experience or prerequisites are required for this course.

Description

This scenario is a simple example of me purchasing a new computer for my parents to demonstrate the practical application and simplicity of the Risk Management Framework (RMF). The aim is to explain RMF in a non-technical manner.

Whether we are planning the security for a network that supports a multi-million dollar corporation or deciding how to secure the new home we just purchased, the fundamental security concepts and principles are very similar. Even though our home example is typically not as structured (unless you are really meticulous) as a business model, the fundamental approach to security has not changed since the first caveman discovered the value of a wooden club and another caveman wanted it!

Throughout the scenario, we will cover the concepts of Risk Management as well as each of the six RMF Steps:

  1. Categorize the risks associated with the information and the system.

  2. Select the appropriate security controls to mitigate risks to an acceptable level.

  3. Implement the selected controls.

  4. Assess the implemented controls.

  5. Authorize the system for use.

  6. Continuously monitor the controls to ensure they effectively mitigate risks.

So, forget anything you may have already learned about RMF, NIST 800-53, and most of the other technical jargon, and join me in this adventure of buying a new computer for my parents!

Who this course is for:

  • This course is designed for anyone who has been totally confused (or bored) with trying to understand RMF