HomeGuidesAPI ReferenceChangelog
Log In
Guides

Risk Management Framework (RMF)

Risk Management Framework (RMF) Feature

This page contains information to assist our customers with utilizing the RMF feature in RegScale. It describes what it is, why you would use it, the benefits, and provides instructions on getting started.

What is it?

The Risk Management Framework provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. The risk-based approach to control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. Managing organizational risk is paramount to effective information security and privacy programs; the RMF approach can be applied to new and legacy systems, any type of system or technology (e.g., IoT, control systems), and within any type of organization regardless of size or sector.

Why would you use it?

The RMF feature is used to fully align compliance controls/requirements with the risks that are present for a given system. There are many reasons to leverage RMF which include:

  • Tailoring controls to balance risk and cost
  • Analyzing risk to quantify business impacts and allow mitigations to be applied
  • Aligning control implementations to the business risks they mitigate

What are the benefits?

A strong RMF program results in multiple benefits for an organization; to include:

  • Lowering the cost of compliance by factoring in risk
  • Visualizing the traceability between investments in security controls and their quantitative impact to risk
  • Tailoring security plans based on the organizations' unique operational constraints and risk tolerance

How do I use it?

Full RMF features are only available for our Enterprise Edition (EE) customers. To leverage these features, you can do the following:

  • Tailor security controls based on risk by using our Profile module to create a template for security plans, policies, projects, or supply chain (contracts).
    • Go to Modules -> Security Profiles to create a new profile.
    • In the subsystem, go to Profile Mapping -> Map Controls to Profile to manually select the controls to include in this profile.
    • NOTE: Each control auto-saves to the profile as it is selected.
    • Leverage the builders and wizards to create new security plans, policies, projects, or supply chain (contracts) based on the profile template.
  • Once a security plan is created, you can align the control implementations to the risks they mitigate.
    • Open any relevant security control implementation
    • Click the "Risk Mitigation" tab to assign this control to the one or more risks it mitigates
    • Select the Security plan containing the risk(s) you want to mitigate
    • NOTE: It will default to the current parent security plan
    • Select the appropriate risk from the list
    • Describe how it is mitigated and save the new mitigation record