Risk Management Framework (RMF)

Overview and Background

The Risk Management Framework (RMF) provides a common information security framework for the Federal Government including the Department of Defense (DoD) and the Intelligence Community (IC). It is based on publications by the National Institute of Standards and Technology (NIST) and the Committee on National Security Systems (CNSS). The RMF is integral to the implementation of the Federal Information Security Modernization Act (2014).
The RMF, which is explained in NIST SP 800-37, Rev. 2, provides a structured approach to integrate risk management and information security into the System Development Lifecycle (SDLC) process. The seven steps of the RMF include preparation, security categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. The RMF promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of continuous monitoring processes; provides senior leaders the necessary information to make cost-effective, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions; and integrates information security into the enterprise architecture and system development life cycle.

RMF Tasks

DCS provides the knowledge, skills, abilities, staff support, and other related resources necessary to conduct the following RMF-related services:

  • Prepare
  • Categorize Information Systems
  • Select Security Controls
  • Implement Security Controls
  • Assess Security Controls
  • Authorize Information System
  • Monitor Security Controls
  • Other RMF Related Services


Prepare

DCS provides consulting to carry out activities at the organization, mission, business process, and information system levels of the enterprise to help prepare our clients to manage their security and privacy risks using the RMF. During the Prepare step, DCS will assist in the following activities:

  • Determine and assign roles to risk management resources
  • Develop a risk management strategy for the organization that includes a determination and expression of organizational risk tolerance
  • Perform an organization-wide risk assessment
  • Establish and document organizationally-tailored control baselines
  • Identify, document, and publish organization-wide common controls that are available for inheritance by organizational systems
  • Develop and implement an organization-wide strategy for continuously monitoring control effectiveness
  • Identify and document assets that require protection
  • Conduct a system-level risk assessment and update the risk assessment results on an ongoing basis
  • Define and document the security and privacy requirements for the system and the environment of operation
  • Determine the placement of the system within the enterprise architecture

Categorize Information Systems

DCS provides consulting in categorizing information systems into low, moderate, or high potential security impact, using FIPS 199 as a guide. The DCS process also uses NIST 800-60 Volume 2 to determine the security categorization of systems based on the organization’s requirements. The results of the security categorization are documented in the security plan. During the Categorize Information Systems step, DCS will assist in the following activities:

  • Security Categorization
  • Information System Description
  • Information System Registration

Select Security Controls

DCS provides consulting in selecting security controls using FIPS 200 and/or NIST 800-53B (Rev. 5). FIPS 200 is a guide that specifies the minimum security requirements for federal information systems; NIST SP 800-53B (Rev. 5) provides guidelines for establishing a minimum/baseline control set based on the security level determination of the information system. The selected controls are documented in the security control section of the System Security Plan. During the Select Security Controls step, DCS will assist in the following activities:

  • Common Control Identification
  • Security Control Selection
  • Monitoring Strategy
  • Security Plan Approval

Implement Security Controls

DCS will assist in the implementation of security controls specified in the Security Plan. As appropriate, document the security control implementation and contingency plan in the System Security Plan, providing a functional description of the control implementation. Ensure that mandatory configuration settings are established and implemented on information technology products in accordance with federal and organizational policies. During the Implement Security Controls step, DCS will assist in the following activities:

  • Security Control Implementation
  • Security Control Documentation

Assess Security Controls

DCS will create the Security Assessment Plan (SAP) to document the assessment schedule, tools, and personnel. A Rules of Engagement (ROE) document will be developed where vulnerability scanning or penetration testing procedures are included in the assessment process. A final report of the assessment findings should be documented in the Security Assessment Report (SAR).
During the Assess Security Controls step, DCS will assist in the following activities:

  • Assessment Preparation
  • Security Control Assessment
  • SAR
  • Remediation Actions

Authorize Information System

The system Authorizing Official signs the system Authorization to Operate (ATO) based on the risk level of the system reported in the SAR, the Plan of Action and Milestones (POA&M) created to correct audit findings, and the completion of the Assessment and Authorization (A&A) Package. During the Authorize Information System step, DCS will assist in the following activities:

  • POA&M
  • Security Authorization Package
  • Risk Determination
  • Risk Acceptance

Monitor Security Controls

DCS provides consulting to implement continuous monitoring in accordance with NIST 800-137 and provides support to test a portion of the applicable security controls annually. In addition to the annual controls evaluation, DCS will provide support to perform periodic scanning and security impact analysis of changes.

During the Monitor Security Controls step, DCS will assist in the following activities:

  • Information System and Environment Changes
  • Ongoing Security Control Assessment
  • Ongoing Remediation Actions
  • Key Updates
  • Security Status Reporting
  • Ongoing Risk Determination and Acceptance

Other RMF Related Services

Any task performed and documented to supplement the RMF in order for the organization’s system to attain an ATO would be considered other RMF-related services. These services are implemented contingent upon the security requirements of the system being assessed.
Regarding Other RMF Related Services, DCS will assist in the following activities:

  • Memorandums of Understanding (MOU) and Interconnection Security Agreements (ISA)
  • Information System Removal and Decommissioning
  • Incident Response Plan and Procedure
  • Updated Risk Assessment