National Institute of Standards and Technology (NIST)
Information about NIST and how the agency's policies and guidance relate to security and privacy at CMS
What is NIST?
NIST is the National Institute of Standards and Technology within the U.S. Department of Commerce. It is a non-regulatory agency of the United States government tasked with promoting innovation, security, and industrial competitiveness.
Security, privacy, and compliance guidance from NIST is provided to both federal agencies and private industry through various standards, guidelines, and frameworks. The Centers for Medicare & Medicaid Services (CMS) regularly uses security guidance and frameworks provided by NIST to keep systems and information safe and secure.
NIST Risk Management Framework (RMF)
The Risk Management Framework (RMF) from NIST provides a structured yet flexible process for managing risk throughout a system’s life cycle. It plays a key role in the steps we take at CMS to authorize and continuously monitor our information systems and keep them safe.
The RMF lays the foundation for the federal government’s movement away from static, compliance-focused activities and toward a more dynamic approach to risk management. At CMS and many federal agencies, the goal is to effectively manage security risks to information systems in diverse environments of complex cyber threats, evolving system vulnerabilities, and rapidly changing missions. The RMF supports this goal by helping organizations to:
- Build information security capabilities into federal systems by applying security controls at the operational, technical, and management levels
- Use enhanced monitoring processes to maintain continuous awareness of the security state of information systems
- Provide essential information to senior leaders so they can make informed decisions about mitigating or accepting risk related to information systems in their organizations
The steps of the Risk Management Framework are used by Security and Privacy Officers and other security professionals at CMS during the system authorization process and during the ongoing activities that ensure the security of information throughout a system’s life cycle. Each step is defined by its outcomes, which provide a clear roadmap to an effective risk management strategy.
The RMF steps are listed below.
Step 1: Prepare
Carry out essential activities to help prepare all levels of the organization to manage its security and privacy risks using the RMF. Outcomes:
- Key risk management roles identified
- Organizational risk management strategy established, risk tolerance determined
- Organization-wide risk assessment
- Organization-wide strategy for continuous monitoring developed and implemented
- Common controls identified
Step 2: Categorize
Inform organizational risk management processes and tasks by determining the adverse impact with respect to the loss of confidentiality, integrity, and availability of systems and the information processed, stored, and transmitted by those systems. Outcomes:
- System characteristics documented
- Security categorization of the system and information completed
- Categorization decision reviewed/approved by authorizing official
Step 3: Select
Select, tailor, and document the controls necessary to protect the system and organization commensurate with risk. Outcomes:
- Control baselines selected and tailored
- Controls designated as system-specific, hybrid, or common
- Controls allocated to specific system components
- System-level continuous monitoring strategy developed
- Security and privacy plans that reflect the control selection, designation, and allocation are reviewed and approved
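The Categorize and Select steps above connect through a small but well-defined rule that the outcomes do not spell out. Under FIPS 199, each information type a system handles is rated Low, Moderate, or High for confidentiality, integrity, and availability; the system's rating for each objective is the highest rating of any information type it handles (the "high water mark"), and the highest of the three objective ratings is the system's overall impact level, which in turn selects the provisional SP 800-53 baseline (low, moderate, or high) that Step 3 then tailors. The following is an added example that is not code from this page or from CMS; the information types, their names, and their ratings are constructed for illustration and do not come from any real CMS categorization.

```python
"""FIPS 199 security categorization and provisional baseline selection.

Added illustration of the RMF Categorize and Select steps; not CMS code and
not a reproduction of the CMS Acceptable Risk Safeguards. Sample data below
is constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass

# FIPS 199 potential impact values, ranked so max() implements the high water mark.
# "NA" (not applicable) is permitted only for the confidentiality of public information.
_RANK = {"NA": 0, "Low": 1, "Moderate": 2, "High": 3}
_NAME = {rank: level for level, rank in _RANK.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type handled by the system, with its FIPS 199 ratings."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _rank(level: str, objective: str) -> int:
    """Validate a rating and return its rank; reject NA outside confidentiality."""
    if level not in _RANK:
        raise ValueError(f"unknown impact level {level!r}; expected NA, Low, Moderate or High")
    if level == "NA" and objective != "confidentiality":
        raise ValueError("FIPS 199 allows NA only for confidentiality (public information)")
    return _RANK[level]


def categorize(info_types: list[InfoType]) -> dict[str, str]:
    """Security category of a system: the high water mark per objective across
    all information types. FIPS 199 does not allow NA for a system, so a system
    whose only information is public still carries a Low confidentiality rating."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    category = {}
    for objective in OBJECTIVES:
        highest = max(_rank(getattr(it, objective), objective) for it in info_types)
        category[objective] = _NAME[max(highest, _RANK["Low"])]
    return category


def overall_impact(category: dict[str, str]) -> str:
    """Overall impact level of the system (FIPS 200): highest of the three objectives."""
    return _NAME[max(_RANK[category[o]] for o in OBJECTIVES)]


def provisional_baseline(impact_level: str) -> str:
    """Provisional SP 800-53 control baseline chosen in RMF Step 3 before tailoring."""
    baselines = {"Low": "low", "Moderate": "moderate", "High": "high"}
    if impact_level not in baselines:
        raise ValueError(f"no baseline for impact level {impact_level!r}")
    return baselines[impact_level]


def format_sc(category: dict[str, str]) -> str:
    """Render the category in the FIPS 199 notation used in system security plans."""
    parts = ", ".join(f"({o}, {category[o].upper()})" for o in OBJECTIVES)
    return "SC = {" + parts + "}"


# Constructed sample data for a hypothetical claims-processing system; the
# ratings are illustrative and not taken from any CMS categorization.
SAMPLE_INFO_TYPES = [
    InfoType("beneficiary claims records", "Moderate", "Moderate", "Low"),
    InfoType("public program notices", "NA", "Low", "Low"),
    InfoType("provider payment processing", "Moderate", "High", "Moderate"),
]

if __name__ == "__main__":
    sc = categorize(SAMPLE_INFO_TYPES)
    level = overall_impact(sc)
    print(format_sc(sc))
    print(f"overall impact: {level}; provisional baseline: {provisional_baseline(level)}")
```

Note that the single High integrity rating on one information type is enough to make the whole system High, which is exactly why the categorization decision is reviewed by the authorizing official before the baseline is selected: an over-rated information type pulls an unnecessarily large control set into Step 3, and an under-rated one leaves the system under-protected.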
Step 4: Implement
Implement the controls in the security and privacy plans for the system and organization. Outcomes:
- Controls specified in security and privacy plans implemented
- Security and privacy plans updated to reflect controls as implemented
Step 5: Assess
Determine if the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and organization. Outcomes:
- Assessment team selected
- Security and privacy assessment plans developed
- Assessment plans are reviewed and approved
- Control assessments conducted in accordance with assessment plans
- Security and privacy assessment reports developed
- Remediation actions to address deficiencies in controls are taken
- Security and privacy plans updated to reflect the controls as implemented after remediation
Step 6: Authorize
Provide accountability by requiring a senior official to determine whether the security and privacy risk arising from the operation of a system, or from the use of common controls, is acceptable. Outcomes:
- Authorization package developed (executive summary, system security and privacy plan, assessment report(s), plan of action and milestones)
- Risk determination rendered
- Risk responses provided
- Authorization for the system or common controls is approved or denied
Step 7: Monitor
Maintain ongoing situational awareness about the security and privacy posture of the system and organization to support risk management decisions. Outcomes:
- System and environment of operation monitored in accordance with continuous monitoring strategy
- Ongoing assessments of control effectiveness conducted in accordance with continuous monitoring strategy
- Output of continuous monitoring activities analyzed and responded to
- Process in place to report security and privacy posture to management
- Ongoing authorizations conducted using results of continuous monitoring activities
CMS Risk Management Framework
CMS looks to NIST as an authoritative source of best practices for information system security. We tailor the guidance from NIST (and other organizations such as HHS) to the specific needs of the CMS environment and systems.
The CMS Risk Management Framework refers to any application of the NIST RMF within the CMS environment. Everyone who is responsible for information security and privacy at any point in the system life cycle should be familiar with the RMF and its application at CMS.
The CMS Risk Management Framework (based on the NIST RMF):
- Integrates information security and privacy protections into the Enterprise Architecture and Target Life Cycle (TLC)
- Provides guidance on the selection, implementation, assessment, and monitoring of controls and the authorization of CMS information systems
- Links risk management processes at the information system level to risk management processes at the organization level through a risk executive (function)
- Establishes responsibility and accountability for security and privacy controls deployed within CMS information systems and inherited by those systems (i.e., common controls)
NIST Cybersecurity Framework (CSF)
One of the most widely used NIST publications is the NIST Cybersecurity Framework (CSF). It gives organizations a common structure and vocabulary for building a cybersecurity program: a set of outcomes that systems, applications, and networks should achieve, organized so that risk is managed proactively rather than reactively. Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, requires U.S. federal agencies to use the Framework to manage their cybersecurity risk.
The NIST CSF is widely regarded as the reference model for building cybersecurity programs. Version 1.1 organizes cybersecurity capabilities into 5 core functions (listed below), 23 categories, and 108 subcategories. The subcategories are desired outcomes rather than prescriptive controls; each one maps to informative references such as the SP 800-53 controls that achieve it. CSF 2.0, published in 2024, adds a sixth function, Govern, and reorganizes the categories. The functions are woven throughout cybersecurity practices and policies at CMS.
Identify
Assess and uncover cybersecurity risks to systems, assets, data, and capabilities. This includes categories such as asset management, business environment, risk assessment, and supply chain risk management.
Protect
Develop and implement safeguards and controls to ensure delivery of critical infrastructure services. This includes categories such as identity management, authentication and access control, and data security.
Detect
Develop activities and controls to monitor and detect cybersecurity events. This includes categories such as anomalies and events, security continuous monitoring, and detection processes.
Respond
Develop techniques to control and mitigate cybersecurity incidents. This includes response planning, communications, analysis, mitigation, and improvements.
Recover
Develop and implement processes to restore capabilities and services impaired by a cybersecurity incident. This includes recovery planning, improvements, and communications.
NIST 800-series of Special Publications
NIST Special Publications in the 800 series (NIST SP 800) represent the best security practices currently available and are used throughout the federal government. The NIST SP 800 series serves as the foundation for CMS security policies and procedures. However, it's important to know that CMS has tailored NIST guidance for application within the agency. While NIST can always be used as a source of general guidance and best practices, you should always reference CMS-specific guidance for the authorization and compliance of CMS systems.
Two of the NIST SP 800-series publications most commonly used by cybersecurity professionals at CMS are:
- NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations (the title since Revision 5; earlier revisions were titled Recommended Security Controls for Federal Information Systems)
- NIST SP 800-53A, Assessing Security and Privacy Controls in Information Systems and Organizations
These contain detailed descriptions of security and privacy controls and the assessment procedures used to verify that they are implemented correctly and operating as intended, and they form the basis for the CMS Acceptable Risk Safeguards (ARS).
NIST also publishes guidance on Zero Trust Architecture, which recent federal mandates require agencies to adopt. NIST SP 800-207, Zero Trust Architecture, defines the model and its core components, and the NCCoE practice guide NIST SP 1800-35, Implementing a Zero Trust Architecture, documents reference implementations built with commercial products.
The whole series of NIST Special Publications (800 and beyond) is available at https://csrc.nist.gov/publications/sp.
Related documents and resources
- Standards for the minimum security and privacy controls required to mitigate risk for CMS information systems
- Procedures to help CMS staff and contractors implement federal policies and standards for information security and privacy
- Information about the testing and documenting of security compliance requirements for FISMA systems at CMS, so they can be authorized to operate
- Guidance to help ISSOs in their daily work, including role descriptions, resources, points of contact, and training
- Executive Order that requires the continuous verification of system users to promote system security