
RMF Implementation and Assessment

NIST developed the Risk Management Framework (RMF) to provide a more flexible, dynamic approach to managing information system-related security risk in highly diverse environments and throughout the system development life cycle. The RMF identifies six steps that provide a disciplined and structured process for managing mission and business risk associated with the operation and use of federal information systems. Note that the current revision of the framework, NIST SP 800-37 Revision 2, adds a preliminary Prepare step ahead of the six steps described below.

The six RMF steps include:

1. Categorize: the information system and the information it processes, stores, and transmits, based on an impact analysis.

Purpose: Inform organizational risk management processes and tasks by determining the adverse impact with respect to the loss of confidentiality, integrity, and availability of systems and the information processed, stored, and transmitted by those systems.

Outcomes:

  • System characteristics documented
  • Security categorization of the system and information completed
  • Categorization decision reviewed/approved by authorizing official

2. Select: an initial set of baseline security controls for the information system based on the security categorization, then tailor and supplement the baseline as needed based on an organizational assessment of risk and local conditions.

Purpose: Select, tailor, and document the controls necessary to protect the system and organization commensurate with risk.

Outcomes:

  • Control baselines selected and tailored
  • Controls designated as system-specific, hybrid, or common
  • Controls allocated to specific system components
  • System-level continuous monitoring strategy developed
  • Security and privacy plans that reflect the control selection, designation, and allocation reviewed and approved

3. Implement: the security controls, and describe how the controls are employed within the information system and its environment of operation.

Purpose: Implement the controls specified in the security and privacy plans for the system and organization.

Outcomes:

  • Controls specified in security and privacy plans implemented
  • Security and privacy plans updated to reflect controls as implemented

4. Assess: the security controls, using appropriate assessment procedures, to determine the extent to which the controls are implemented correctly, operating as intended, and meeting the security requirements described in the system security plan.

Purpose: Determine if the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization.

Outcomes:

  • Assessor/assessment team selected
  • Security and privacy assessment plans developed
  • Assessment plans reviewed and approved
  • Control assessments conducted in accordance with assessment plans
  • Security and privacy assessment reports developed
  • Remediation actions taken to address deficiencies in controls
  • Security and privacy plans updated to reflect control implementation changes based on assessments and remediation actions
  • Plan of action and milestones developed

5. Authorize: information system operation, based on a determination of the risk resulting from operating the system and a decision that this risk is acceptable.

Purpose: Provide accountability by requiring a senior official to determine whether the security and privacy risk arising from the operation of a system, or from the use of common controls, is acceptable.

Outcomes:

  • Authorization package assembled (executive summary, system security and privacy plan, assessment report(s), plan of action and milestones)
  • Risk determination rendered
  • Risk responses provided
  • Authorization for the system or common controls approved or denied

6. Monitor: the security controls in the information system on an ongoing basis, including assessing control effectiveness, documenting changes to the system (or its operating environment), conducting security impact analyses of those changes, and reporting the security state of the system to designated organizational officials.

Purpose: Maintain ongoing situational awareness of the security and privacy posture of the system and organization to support risk management decisions.

Outcomes:

  • System and environment of operation monitored in accordance with the continuous monitoring strategy
  • Ongoing assessments of control effectiveness conducted in accordance with the continuous monitoring strategy
  • Output of continuous monitoring activities analyzed and responded to
  • Process in place to report security and privacy posture to management
  • Ongoing authorizations conducted using the results of continuous monitoring activities

Contact

  • Phone: +1-210-315-6752
  • Email: info@enkryptocorp.com


Copyright © 2025 Enkryptocorp. All Rights Reserved.
Built By: cjweb-design.com
