RMF Training Materials — Secure In Security

Secure In Security — RMF Training Materials Cybersecurity & Information Security

Organizational

Risk Management &
Framework (RMF)

Cybersecurity & Information Security Training Program · 2026

Introduction to Risk Management

What Is a Risk Management Framework?

A Risk Management Framework (RMF) is a structured, repeatable process for identifying, assessing, responding to, and monitoring risks to an organization’s information assets, systems, and operations. In the cybersecurity and information security context, an RMF provides the systematic approach needed to protect the confidentiality, integrity, and availability (CIA) of data and systems while enabling informed, risk-based business decisions.

Why It Matters

Organizations without a formal RMF are 3× more likely to suffer a material data breach and face significantly higher regulatory penalties. A mature RMF transforms security from a reactive cost center into a strategic business enabler by making risk visible and manageable.

The CIA Triad — Foundation of Information Security Risk

Every information security risk ultimately threatens one or more elements of the CIA Triad. All risk assessments must evaluate impact across all three dimensions:

Principle	Definition	Example Threat	Example Impact
Confidentiality	Only authorized parties can access information	Data breach, credential theft, insider exfiltration	Regulatory fines, reputational damage, loss of competitive advantage
Integrity	Information is accurate and unaltered by unauthorized parties	Ransomware, database tampering, man-in-the-middle	Corrupted financial records, fraudulent transactions, loss of trust
Availability	Systems and data are accessible when needed by authorized users	DDoS, ransomware, hardware failure, misconfiguration	Operational shutdown, SLA breach, revenue loss

Core Risk Terminology

Term	Definition
Asset	Anything of value to the organization: data, systems, people, processes, reputation
Threat	A potential event or actor capable of causing harm to an asset (e.g., ransomware gang, disgruntled employee, natural disaster)
Vulnerability	A weakness that can be exploited by a threat (e.g., unpatched software, misconfigured firewall, lack of MFA)
Risk	The potential for harm resulting from a threat exploiting a vulnerability: Risk = Threat × Vulnerability × Impact
Likelihood	The probability that a threat will materialize and successfully exploit a vulnerability
Impact	The magnitude of harm if a risk event occurs (financial, operational, regulatory, reputational)
Control	A safeguard or countermeasure that reduces the likelihood or impact of a risk
Residual Risk	The risk remaining after controls have been applied
Risk Appetite	The level and type of risk the organization is willing to accept in pursuit of its objectives
Risk Tolerance	The acceptable variation in outcomes relative to the risk appetite (operational boundaries)
Risk Register	A centralized repository documenting all identified risks, their ratings, owners, and treatment status

Risk vs. Threat vs. Vulnerability — The Relationship

Understanding the distinction between these three concepts is critical for accurate risk assessment:

Example: Ransomware Scenario

Threat: A ransomware operator targeting organizations in your industry sector

Vulnerability: Unpatched Remote Desktop Protocol (RDP) exposed to the internet without MFA

Risk: High probability of successful encryption of critical systems, causing operational shutdown and ransom demand

Control: Disable RDP where possible; enforce MFA; deploy EDR; maintain tested offline backups

Established RMF Standards & Frameworks

Multiple globally recognized frameworks exist to guide cybersecurity and information security risk management. Organizations typically adopt one primary framework and align supplementary standards to it.

NIST Risk Management Framework (SP 800-37 Rev 2)

The NIST RMF is the most widely adopted cybersecurity risk management framework, particularly in U.S. federal, defense, and critical infrastructure sectors. It provides a 7-step lifecycle approach for managing security and privacy risk.

Step	Phase	Purpose	Key Activities
1	PREPARE	Establish context and priorities	Define risk management roles; establish organizational risk strategy; identify common controls; develop organization-wide risk assessment
2	CATEGORIZE	Classify systems by impact level	Categorize information systems using FIPS 199; document system boundaries, data flows, and interconnections
3	SELECT	Choose security controls	Select control baselines from NIST SP 800-53; tailor controls to organizational context; document in System Security Plan (SSP)
4	IMPLEMENT	Deploy selected controls	Implement controls in accordance with SSP; document implementation evidence; configure systems to baseline standards
5	ASSESS	Verify control effectiveness	Conduct security assessments; test controls against stated objectives; identify deficiencies and plan remediation
6	AUTHORIZE	Accept residual risk formally	Authorizing Official (AO) reviews assessment results; issues Authorization to Operate (ATO) or denial; documents risk acceptance
7	MONITOR	Continuously track risk posture	Ongoing assessment of control effectiveness; change management; incident response; periodic reauthorization

Key Concept

The NIST RMF is not a one-time event — it is a continuous cycle. The MONITOR step feeds back into PREPARE, ensuring that changes to the threat landscape, system configuration, or organizational priorities trigger re-evaluation of risk and controls.

NIST Cybersecurity Framework (CSF) 2.0

The NIST CSF provides a complementary, outcomes-based framework organized around six core functions. While the RMF is a process, the CSF is a set of desired cybersecurity outcomes. The two are designed to work together.

Function	Abbreviation	Risk Management Purpose
GOVERN	GV	Establish and monitor risk strategy, expectations, and policy — the foundational layer added in CSF 2.0
IDENTIFY	ID	Understand organizational assets, threats, vulnerabilities, and risk context
PROTECT	PR	Implement safeguards to limit the likelihood and impact of a cyber event
DETECT	DE	Develop capabilities to identify cybersecurity events in a timely manner
RESPOND	RS	Take appropriate actions when a cybersecurity event is detected
RECOVER	RC	Restore capabilities and services impaired by a cybersecurity incident

ISO 31000 — Risk Management Principles

ISO 31000:2018 provides universally applicable principles and guidelines for enterprise risk management. In the cybersecurity context, it establishes the overarching management system within which information security risks are governed.

ISO 31000 Core Principles (Cybersecurity Relevance)

IntegratedCyber risk management must be embedded in all organizational processes, not siloed in IT
Structured & ComprehensiveConsistent, comparable risk assessments across all systems and business units
CustomizedControls and risk appetite must be tailored to organizational context, not generic templates
InclusiveRisk identification must include perspectives from business, operations, and security teams
DynamicRisk management must adapt as threats, systems, and the business environment evolve
Best Available InformationDecisions must be based on current threat intelligence, not outdated assumptions
Human & Cultural FactorsInsider threat, social engineering, and security culture must be explicitly considered

ISO/IEC 27005 — Information Security Risk Management

ISO 27005 provides specific guidance for information security risk management within the context of an ISO 27001 ISMS. It aligns directly with ISO 31000 principles while providing information-security-specific guidance.

ISO 27005 Process	Description
Context Establishment	Define scope, boundaries, and criteria for evaluating information security risk (risk acceptance criteria, scale definitions)
Risk Identification	Identify assets, threats, existing controls, vulnerabilities, consequences; document all risk scenarios
Risk Analysis	Assess likelihood and impact; calculate risk level using selected methodology (qualitative, quantitative, or hybrid)
Risk Evaluation	Compare risk levels against acceptance criteria; prioritize risks for treatment
Risk Treatment	Select and implement treatment options: modify, retain, avoid, or share the risk
Risk Acceptance	Obtain formal management approval for residual risk; document rationale
Communication & Consultation	Ongoing stakeholder engagement throughout the risk management process
Monitoring & Review	Track risk indicators, control effectiveness, and changes to the threat landscape

Framework Comparison at a Glance

Dimension	NIST RMF	NIST CSF 2.0	ISO 31000	ISO 27005
Primary Focus	IT system authorization	Cybersecurity outcomes	Enterprise risk management	InfoSec risk management
Scope	Federal/defense systems; broadly adopted	All sectors and sizes	All risk types in any organization	Information security specifically
Approach	Process-driven (7 steps)	Outcomes-driven (6 functions)	Principles-based	Process-driven (aligned to ISO 31000)
Mandatory?	Federal agencies (FedRAMP)	Voluntary (widely adopted)	Voluntary	Voluntary (required for ISO 27001)
Best Used For	Authorizing IT systems	Benchmarking cyber posture	Board-level risk governance	ISMS risk assessment process

The Risk Assessment Process

A cybersecurity risk assessment is the systematic identification and analysis of risks to organizational information assets. It is the cornerstone activity of any RMF and must be performed before controls can be meaningfully selected or prioritized.

Step-by-Step Risk Assessment Methodology

Define Scope & ObjectivesDetermine what systems, data, and processes are in scope; align with organizational risk appetite
Asset Inventory & ClassificationCatalog all information assets; classify by sensitivity and criticality
Threat IdentificationEnumerate plausible threat actors, threat events, and attack vectors relevant to each asset
Vulnerability IdentificationAssess weaknesses through scans, audits, interviews, and review of past incidents
Control InventoryDocument existing controls and assess their effectiveness against identified threats
Likelihood AssessmentRate the probability of each threat-vulnerability pair being realized
Impact AssessmentEvaluate the business consequences if the risk event occurs (CIA dimensions)
Risk Rating & PrioritizationCalculate risk scores; rank by priority for treatment
Risk Treatment PlanningSelect treatment options and assign owners with deadlines
Document & ReportPopulate the Risk Register; report to stakeholders; obtain management sign-off

Asset Classification

Effective risk management begins with knowing what you are protecting. All information assets must be classified according to sensitivity and business criticality:

Classification	Description	Examples	Handling Requirements
TOP SECRET / CRITICAL	Highest sensitivity; catastrophic impact if disclosed	Encryption keys, authentication secrets, M&A data, regulated PII/PHI	Need-to-know only; encrypted at rest and in transit; access logged and reviewed monthly
CONFIDENTIAL	Significant business or regulatory impact if disclosed	Financial forecasts, HR records, customer PII, IP, contracts	Role-based access; encrypted in transit; classified document controls
INTERNAL	Low external harm but internal confidentiality expected	Internal policies, project plans, meeting notes, org charts	Authenticated access only; not for public distribution
PUBLIC	No harm from public disclosure; intended for external audiences	Marketing materials, press releases, published reports	No restrictions; verify accuracy before publication

Threat Modeling — STRIDE

Threat modeling is a structured technique for identifying, enumerating, and prioritizing threats relevant to a specific system or asset. The STRIDE model provides a comprehensive taxonomy of cybersecurity threats:

Letter	Threat Category	Description	Example Attack
S	Spoofing	Impersonating a user, system, or component to gain unauthorized access	Phishing email impersonating CEO; ARP spoofing; forged authentication tokens
T	Tampering	Unauthorized modification of data or system configuration	Database record alteration; man-in-the-middle injection; firmware modification
R	Repudiation	Denying having performed an action, often to evade accountability	Disabling audit logs; deleting transaction records; exploiting weak non-repudiation controls
I	Information Disclosure	Unauthorized exposure of sensitive information	SQL injection data dump; misconfigured S3 bucket; unencrypted data in transit
D	Denial of Service	Disrupting availability of systems or data for legitimate users	DDoS attack; ransomware encryption; resource exhaustion exploit
E	Elevation of Privilege	Gaining access rights beyond what was authorized	Local privilege escalation exploit; token hijacking; misconfigured sudo permissions

Risk Scoring Methodologies

Qualitative Risk Assessment

Qualitative assessment uses descriptive scales (High/Medium/Low) to rate likelihood and impact. It is faster, accessible to non-technical stakeholders, and appropriate for initial assessments or when quantitative data is unavailable.

RISK MATRIX	Impact: LOW	Impact: MEDIUM	Impact: HIGH	Impact: CRITICAL
Likelihood: VERY HIGH	MEDIUM	HIGH	CRITICAL	CRITICAL
Likelihood: HIGH	LOW	MEDIUM	HIGH	CRITICAL
Likelihood: MEDIUM	LOW	LOW	MEDIUM	HIGH
Likelihood: LOW	LOW	LOW	LOW	MEDIUM

Quantitative Risk Assessment — FAIR Model

Factor Analysis of Information Risk (FAIR) provides a quantitative approach that translates cyber risk into financial terms, enabling direct comparison with other business risks and informing investment decisions.

FAIR Factor	Description & Calculation
Loss Event Frequency (LEF)	How often a loss event is expected to occur per year = Threat Event Frequency × Vulnerability
Threat Event Frequency (TEF)	How often a threat agent acts against an asset (e.g., 2 ransomware campaigns targeting your sector per year)
Vulnerability (Vuln)	Probability that a threat event results in a loss (e.g., 0.4 = 40% chance attacker succeeds given current controls)
Loss Magnitude (LM)	Financial impact per loss event: Primary losses (direct costs) + Secondary losses (fines, litigation, reputation)
Risk (Annualized Loss Exposure)	LEF × LM = Expected annual financial loss from this risk scenario (e.g., 0.8 events/year × $2.5M = $2M ALE)

Treating Cyber Risk

Once risks are identified and rated, the organization must formally decide how to respond to each. Risk treatment is not a one-size-fits-all decision — it requires balancing cost, feasibility, business impact, and organizational risk appetite.

Risk Treatment Options

Option	Also Known As	Description	When to Use
AVOID	Risk Elimination	Discontinue the activity or system that creates the risk	When the cost or impact of treatment exceeds the benefit of the business activity
MODIFY	Risk Mitigation / Reduction	Implement controls to reduce likelihood, impact, or both	Most common option; use when controls are cost-effective relative to risk reduction
SHARE	Risk Transfer / Sharing	Transfer financial impact via insurance or contract; share via third-party service	Use when residual risk remains high and insurance/contractual protection is available
RETAIN	Risk Acceptance	Consciously accept the risk without additional control investment	Use when residual risk falls within risk tolerance and treatment cost exceeds benefit

Important

Risk Acceptance is a formal management decision — it must be explicitly documented, signed by an accountable executive, time-bounded, and reviewed on a defined schedule. Undocumented risk acceptance is not a risk management strategy; it is negligence.

Security Controls Framework — NIST SP 800-53

NIST Special Publication 800-53 provides a comprehensive catalog of security and privacy controls organized into 20 control families. Controls are categorized as Preventive, Detective, or Corrective, and as Technical, Operational, or Management.

Control Family	Category	Type	Risk Management Purpose
Access Control (AC)	Technical	Preventive	Enforce least privilege; prevent unauthorized access to systems and data
Audit & Accountability (AU)	Technical	Detective	Create audit trails; detect anomalous activity; support forensic investigation
Configuration Management (CM)	Technical	Preventive	Maintain secure baselines; prevent unauthorized changes; reduce attack surface
Contingency Planning (CP)	Operational	Corrective	Ensure recovery capabilities; aligned with BC/DR program
Identification & Authentication (IA)	Technical	Preventive	Verify identity of users, devices, and processes; enforce MFA
Incident Response (IR)	Operational	Corrective	Detect, contain, and recover from security incidents
Risk Assessment (RA)	Management	Preventive	Systematic identification and evaluation of organizational risk
System & Comm. Protection (SC)	Technical	Preventive	Network segmentation; encryption; boundary protection controls
Security Assessment (CA)	Management	Detective	Ongoing evaluation of control effectiveness; third-party assessments
Supply Chain Risk Mgmt (SR)	Management	Preventive	Manage risk from vendors, suppliers, and third-party software

Control Implementation Tiers

The NIST RMF defines four implementation tiers that describe the rigor and sophistication of an organization’s risk management practices:

Tier	Name	Characteristics & Expectations
1	Partial	Risk management practices are informal, reactive, and not organization-wide. Limited awareness of cyber risk at management levels. No formal risk management process.
2	Risk Informed	Risk management practices are approved by management but may not be enterprise-wide. Awareness of cybersecurity risk exists but is not consistently applied across the organization.
3	Repeatable	Formally approved risk management practices are expressed as policy and implemented consistently. Organization-wide approach with regular updates based on threat intelligence.
4	Adaptive	Organization adapts cybersecurity practices based on lessons learned and predictive threat intelligence. Risk management is fully integrated into organizational culture and business strategy.

Third-Party & Supply Chain Risk

Third-party vendors, cloud providers, and software supply chains represent one of the fastest-growing risk vectors. Organizations must extend their RMF to cover all entities with access to organizational systems or data.

Third-Party Risk Management (TPRM) Requirements

Conduct risk-based due diligence before onboarding any vendor with access to sensitive data or critical systems
Require SOC 2 Type II, ISO 27001 certification, or equivalent assurance for critical vendors annually
Include security and breach notification requirements in all vendor contracts (SLAs, data processing agreements)
Maintain an active vendor inventory with criticality ratings and last-assessed dates
Conduct annual questionnaire-based assessments for all Tier 1 vendors; onsite assessments for critical infrastructure vendors
Establish vendor offboarding procedures: revoke access, recover data, obtain data destruction certification
Monitor for vendor breaches via threat intelligence feeds and dark web monitoring services

Risk Register & Governance Structure

The Risk Register

The Risk Register is the authoritative record of all identified cybersecurity risks. It is a living document that must be actively maintained, reviewed regularly, and used to drive prioritization of security investments and remediation activities.

Risk Register — Required Fields

Field	Description & Purpose
Risk ID	Unique identifier for tracking and cross-referencing (e.g., RISK-2025-042)
Risk Title	Concise name describing the risk scenario
Description	Detailed narrative of the threat, vulnerability, and potential business impact
Asset(s) Affected	Systems, data, or processes exposed to this risk
Threat Source	Internal, external, or environmental threat actor or event
Inherent Risk Rating	Risk level before any controls are applied (Likelihood × Impact)
Current Controls	Existing controls that reduce this risk; include control effectiveness rating
Residual Risk Rating	Risk level after existing controls are applied
Treatment Option	Avoid / Modify / Share / Retain — with justification
Treatment Actions	Specific remediation steps, responsible owner, and target completion date
Target Risk Rating	Desired risk level after treatment actions are completed
Risk Owner	Named individual accountable for managing and monitoring this risk
Review Date	Date of last review and next scheduled review
Status	Open / In Treatment / Accepted / Closed

Sample Risk Register Entry

Field	Value
Risk ID	RISK-2025-017
Risk Title	Ransomware Encryption via Exposed RDP
Description	Threat actors are actively scanning for RDP endpoints exposed to the internet. Successful exploitation enables ransomware deployment, encrypting critical finance systems with potential full operational shutdown.
Asset(s) Affected	Finance ERP System, Accounts Payable Server, Shared Drive (Finance)
Threat Source	External — organized cybercriminal ransomware operators
Inherent Risk Rating	CRITICAL (Likelihood: High │ Impact: Critical)
Current Controls	Firewall blocking RDP externally (partial); AV on endpoints; daily backups
Residual Risk Rating	HIGH (controls partially effective; backups not tested; no MFA on RDP)
Treatment Option	MODIFY — Implement additional technical controls
Treatment Actions	1) Disable external RDP by [DATE]; 2) Deploy MFA on all remote access; 3) Implement EDR on all finance endpoints; 4) Test backup restoration by [DATE]
Target Risk Rating	LOW (after all treatment actions completed)
Risk Owner	IT Security Manager
Review Date	Quarterly until treatment complete; then annually
Status	In Treatment — 2 of 4 actions completed

Risk Governance Structure

Effective risk governance requires clear ownership and accountability from the board level through to operational teams. The Three Lines of Defense model provides the industry-standard governance structure:

Line	Role	Responsibility	Example in Cyber Risk
First Line	Business Operations	Owns and manages risk day-to-day; implements controls	System owners, IT operations, application teams managing their security controls
Second Line	Risk & Compliance Functions	Oversees risk management; provides frameworks and monitoring	CISO, Risk Management team, Compliance/Legal — set policy, assess control effectiveness
Third Line	Internal Audit / External Audit	Provides independent assurance on risk and control effectiveness	Internal audit testing of security controls; external penetration testing; regulatory exams

Risk Reporting & Escalation

Risk information must flow efficiently to the right stakeholders at the right level of detail. A tiered reporting structure ensures leadership can make informed decisions without being overwhelmed with technical detail:

Report	Audience	Frequency	Content Focus
Board Cyber Risk Report	Board of Directors / Audit Committee	Quarterly	Risk posture trends; top 5 risks; regulatory exposure; major incidents; cyber insurance adequacy
Executive Risk Dashboard	C-Suite (CEO, CFO, COO, CTO)	Monthly	Risk register summary; control effectiveness KPIs; critical open vulnerabilities; compliance status
CISO Risk Report	CISO / IT Leadership	Bi-Weekly	Detailed risk register; vulnerability metrics; incident summary; remediation progress; threat intelligence highlights
Operational Risk Bulletin	IT Teams / System Owners	Weekly	Active threats; patch status; open audit findings; upcoming assessments and deadlines

Board Reporting Tip

Board members are not cybersecurity experts — translate risk into business language. Instead of “We have 47 critical CVEs,” say “Three of our revenue-generating systems have unpatched vulnerabilities that threat actors are actively exploiting; remediation is estimated at $80K and will take 6 weeks.”

Continuous Monitoring

Risk management is not a point-in-time activity. Continuous monitoring ensures that the organization maintains situational awareness of its risk posture as threats evolve, systems change, and new vulnerabilities emerge.

Continuous Monitoring Program Requirements

Define and document a monitoring strategy aligned to system risk categorization
Establish key risk indicators (KRIs) and key performance indicators (KPIs) for all critical controls
Automate monitoring where possible — manual processes introduce gaps and latency
Define frequency of monitoring activities based on asset criticality (real-time for critical systems)
Integrate monitoring outputs into the Risk Register — findings must update risk ratings
Conduct formal risk posture reviews at defined intervals (minimum quarterly for critical systems)
Document and track all changes to systems, configurations, and personnel with security implications

Key Risk Indicators (KRIs) — Cybersecurity

Key Risk Indicator	Measurement	Target Threshold	Escalate If
% Critical/High Vulnerabilities Patched within SLA	Count patched / Count identified	≥ 95% within 30 days	< 85% or any critical CVE > 15 days unpatched
Mean Time to Detect (MTTD) Incidents	Avg days from compromise to detection	< 24 hours	MTTD > 72 hours on any P1/P2 incident
Mean Time to Remediate (MTTR) Vulnerabilities	Avg days from discovery to closure	Critical ≤ 7d; High ≤ 30d	Any critical vuln open > 14 days
Phishing Simulation Click Rate	% of staff clicking simulated phish	< 5% click rate	> 10% click rate or any credential submission
MFA Coverage Rate	% of accounts with MFA enabled	100% for privileged; ≥ 98% all users	Any privileged account without MFA
Third-Party Risk Assessment Coverage	% of critical vendors assessed in last 12 months	100% of Tier 1 vendors	Any Tier 1 vendor assessment overdue > 90 days
Security Training Completion Rate	% of staff with annual training current	≥ 95% of all staff	< 85% or any high-risk role employee overdue
Open Risk Register Items (High+)	Count of High/Critical risks with overdue treatment	0 items past treatment deadline	Any Critical risk item past deadline

Vulnerability Management Lifecycle

Vulnerability management is the operational backbone of continuous monitoring. It must be a structured, repeatable process — not ad hoc patching:

DISCOVERAutomated scanning of all in-scope assets (authenticated scans weekly for critical; monthly for all)
PRIORITIZEApply CVSS score plus organizational context (asset criticality, exploitability, exposure) to rank vulnerabilities
REMEDIATEPatch, configure, or isolate affected systems per defined SLAs based on severity rating
VERIFYRescan after remediation to confirm vulnerability is resolved; do not rely on vendor confirmation alone
REPORTPublish vulnerability metrics to stakeholders; update Risk Register for high/critical findings

CVSS vs. EPSS

CVSS rates the theoretical severity of a vulnerability. EPSS rates the probability it will be actively exploited in the wild. Use EPSS alongside CVSS to prioritize patching — a CVSS 7.5 vulnerability with 60% EPSS is a higher real-world priority than a CVSS 9.0 with 2% EPSS.

Risk Posture Trend Analysis

Monthly risk posture trend analysis tracks whether the organization’s overall risk exposure is improving, stable, or deteriorating. Key trend indicators include:

Direction of average residual risk ratings in the Risk Register over the past 12 months
Ratio of new risks identified vs. risks closed/remediated (net risk accumulation rate)
Control maturity scores over time — are implemented controls becoming more effective?
Threat landscape evolution — are new threat vectors emerging that increase inherent risk?
Security investment effectiveness — are resources being allocated to the highest-risk areas?

Compliance & Regulatory Risk

Compliance requirements do not define your complete risk posture — they represent a minimum floor. An organization can be fully compliant and still suffer a major breach. However, non-compliance itself represents a significant regulatory and financial risk that must be managed within the RMF.

Regulatory Requirements Mapped to RMF Activities

Regulation	Sector	RMF Requirement	Key Risk Management Obligation
HIPAA Security Rule	Healthcare	Risk Analysis Mandatory (§164.308(a)(1))	Annual risk analysis of PHI systems; documented risk management plan; sanction policy for noncompliance
GDPR	All (EU Data)	Art. 35 — DPIA Required	Data Protection Impact Assessment for high-risk processing; Privacy by Design; DPO role for high-risk organizations
PCI DSS v4.0	Payment Cards	Req. 12 — Risk Assessment	Annual risk assessment; targeted risk analysis for each control requirement; organizational security policy
NIST CSF (CISA)	Critical Infrastructure	Voluntary; regulatory alignment	Sector-specific profiles required by CISA for 16 critical infrastructure sectors; ICS/OT-specific guidance
NY DFS 23 NYCRR 500	Financial Services (NY)	§500.09 — Risk Assessment	Annual cybersecurity risk assessment; program must address identified risks; CISO must report to board annually
SEC Cybersecurity Rules	Public Companies	Material Risk Disclosure	Disclosure of material cybersecurity risks in annual filings; incident disclosure within 4 business days
CMMC 2.0	Defense Contractors	Level 2: NIST 800-171	110 security requirements; third-party assessment required for Level 2/3; POA&M accepted for some gaps

Integrating Compliance into the Risk Register

Compliance gaps must be treated as risks in the organizational Risk Register. Each unmet regulatory requirement should generate a risk entry with:

Specific regulation, requirement reference, and gap description as the risk scenario
Regulatory penalty exposure as the primary financial impact driver
Reputational and operational impact as secondary impact factors
A remediation plan with owner, timeline, and budget allocation
Formal risk acceptance if the gap cannot be immediately remediated, signed by the appropriate executive

Privacy Risk — A Distinct Risk Dimension

Privacy risk is related to, but distinct from, cybersecurity risk. Organizations processing personal data must integrate privacy risk assessment into their RMF:

Privacy Risk Category	Description	RMF Integration
Data Minimization Risk	Collecting more data than necessary increases breach impact and regulatory exposure	Asset inventory must include data sensitivity classification; excess data collection is a risk to treat
Consent & Lawful Basis Risk	Processing personal data without a valid legal basis creates regulatory liability	Legal basis must be documented for each processing activity in a Records of Processing Activities (RoPA)
Data Subject Rights Risk	Inability to fulfill access, deletion, or portability requests creates regulatory breach	Assess operational capability to fulfill DSRs within statutory timeframes (30 days under GDPR)
Cross-Border Transfer Risk	Transferring personal data across jurisdictions without adequate safeguards	Data flow mapping required; transfer mechanisms (SCCs, BCRs) must be documented and maintained

Quick Reference — RMF Key Terms

Term	Definition
RMF	Risk Management Framework — structured, repeatable process for identifying, assessing, treating, and monitoring risk
CIA Triad	Confidentiality, Integrity, Availability — the three foundational pillars of information security
Asset	Anything of value to the organization that requires protection
Threat	A potential event or actor capable of causing harm
Vulnerability	A weakness that can be exploited by a threat
Risk	Potential for harm = Threat × Vulnerability × Impact
Risk Appetite	The level of risk the organization is willing to accept in pursuit of objectives
Risk Register	Centralized record of all identified risks, ratings, owners, and treatment status
NIST CSF	NIST Cybersecurity Framework — outcomes-based framework with 6 functions: Govern, Identify, Protect, Detect, Respond, Recover
NIST RMF	NIST Risk Management Framework — 7-step process: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor
ISO 27005	International standard for information security risk management within an ISMS
STRIDE	Threat modeling taxonomy: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
FAIR	Factor Analysis of Information Risk — quantitative model translating cyber risk into financial terms
ATO	Authorization to Operate — formal approval issued in NIST RMF Step 6 to operate a system within accepted risk levels
KRI	Key Risk Indicator — metric that signals increasing risk exposure before a loss event occurs
TPRM	Third-Party Risk Management — program to identify and manage risk from vendors, suppliers, and partners
CVSS	Common Vulnerability Scoring System — industry standard for rating the severity of software vulnerabilities
EPSS	Exploit Prediction Scoring System — probability score indicating likelihood a vulnerability will be exploited in the wild
Three Lines of Defense	Risk governance model: 1st (Operations), 2nd (Risk/Compliance), 3rd (Audit)

Appendix A: Risk Assessment Checklist

Use this checklist to ensure completeness of each risk assessment cycle. Document completion dates and responsible parties.

✓	Task	Owner
☐	Define scope, objectives, and assessment boundaries	Risk/Security Lead
☐	Update asset inventory — confirm all in-scope assets are documented and classified	IT / Asset Owner
☐	Review threat intelligence for new or emerging threats relevant to the organization	Security Team
☐	Identify new vulnerabilities since last assessment (scan results, CVE feeds, vendor advisories)	IT Security
☐	Review effectiveness of existing controls — any controls degraded or bypassed?	Security Team
☐	Conduct threat modeling for any new or significantly changed systems	Security Architect
☐	Rate likelihood and impact for all identified risks using defined methodology	Risk Lead
☐	Calculate risk scores and prioritize for treatment	Risk Lead
☐	Update Risk Register — add new risks; update ratings on existing risks; close remediated risks	Risk Lead
☐	Assign risk owners to all unowned risks; confirm existing owners are still valid	CISO
☐	Develop/update treatment plans for all High and Critical risks	Risk Owners
☐	Obtain management sign-off on risk acceptance decisions	Executive Sponsor
☐	Distribute risk assessment report to stakeholders per reporting matrix	Risk Lead
☐	Schedule next assessment cycle based on risk ratings and regulatory requirements	CISO

Appendix B: Risk Appetite Statement Template

The following template should be customized and formally approved by the Board of Directors or equivalent governance body:

Organizational Risk Appetite Statement

[Organization Name] has a LOW risk appetite for cybersecurity and information security risks that could compromise the confidentiality of customer or employee data, disrupt business-critical operations, or result in regulatory non-compliance.

Specifically:

Confidentiality: We will not accept risks that create a significant probability of unauthorized exposure of regulated personal data (PII, PHI, financial data).
Integrity: We will not accept risks that could result in undetected corruption of financial records or customer data.
Availability: We will not accept risks that create a >4-hour unplanned outage probability for Tier 1 business systems.
Compliance: We will not knowingly operate in material non-compliance with applicable regulations. Compliance gaps identified must be risk-registered and treated within 90 days.

Residual risks rated CRITICAL require Board or CEO-level acceptance. Risks rated HIGH require CISO and VP-level acceptance. This statement is reviewed annually by the Audit Committee.

Appendix C: Recommended Resources

NIST SP 800-37 Rev 2 — Risk Management Framework for Information Systems and Organizations
NIST SP 800-53 Rev 5 — Security and Privacy Controls for Information Systems and Organizations
NIST SP 800-30 Rev 1 — Guide for Conducting Risk Assessments
NIST Cybersecurity Framework 2.0 — csrc.nist.gov/projects/cybersecurity-framework
ISO/IEC 27005:2022 — Information Security Risk Management
ISO 31000:2018 — Risk Management Guidelines
The FAIR Institute — fairinstitute.org — Quantitative cyber risk analysis guidance
CISA Known Exploited Vulnerabilities Catalog — cisa.gov/known-exploited-vulnerabilities-catalog
MITRE ATT&CK Framework — attack.mitre.org — Adversary tactics and techniques knowledge base
OWASP Top 10 — owasp.org — Application security risk awareness