4. RMF Flashcards

1
Q

6 Steps in RMF

CSIAAM

A
Categorize information systems
Select controls
Implement controls
Assess controls
Authorize information systems
Monitor
2
Q

RMF Step 1 - Categorize

Step 1-1

A

Categorize the information system, document the results in the security plan

Responsibility
IS Owner, Information Owner/Steward

SDLC Phase
Initiation

References
FIPS 199, NIST 800-30, 39, 59, 60, CNSSI-1253

3
Q

RMF Step 1 - Categorize

Step 1-2

A

Describe the information system, including its boundary, and document the description in the security plan. This is recorded in the system identification section of the security plan.

Responsibility
IS Owner

SDLC Phase
Initiation

The description may include: unique identifiers, types of information processed, applicable laws, hardware devices, applications, and information flows.

4
Q

RMF Step 1 - Categorize

Step 1-3

A

Register information system with organizational program/management offices

Responsibility
IS Owner

SDLC Phase
Initiation

Registration uses information from the system identification produced in the categorize/describe step to inform the parent organization of the existence of the system, its key characteristics, and its security implications.

Registration provides an effective management and tracking tool.

5
Q

RMF Step 2 - Select Security Controls

Step 2-1

A

Identify security controls provided by the organization as common controls and document controls in a security plan or equivalent

Responsibility
CIO or Sr. Infosec Officer, Infosec Architect, Common Control Provider

SDLC Phase
Initiation

6
Q

RMF Step 2 - Select Security Controls

Step 2-2

A

Select security controls and document in a security plan

Responsibility
InfoSec Architect, Information System Owner

SDLC Phase
Initiation

Select controls based on the security categorization of the information system. The process includes:

  1. choose a baseline of controls
  2. tailoring baseline
  3. supplementing tailored baseline
  4. specifying minimum assurance requirements
7
Q

RMF Step 2 - Select Security Controls

Step 2-3

A

Develop strategy for continuous monitoring of security control effectiveness and proposed or actual changes to the system and environment

Responsibility
Information System Owner, Common Control Provider

SDLC Phase
Initiation

A critical aspect of risk management is ongoing monitoring of security controls. Robust monitoring allows the organization to understand the security state of a system over time.

8
Q

RMF Step 2 - Select Security Controls

Step 2-4

A

Review and Approve Security Plan

Responsibility
AO or AODR

SDLC Phase
Development

Independent review of the security plan by the AO or AODR helps determine whether the plan is complete and consistent and satisfies the stated security requirements for the information system.

It also helps determine whether the plan correctly and effectively identifies the potential risk to the organization.

9
Q

RMF Step 3 - Implement Security Controls

Step 3-1

A

Implement controls specified in the security plan

Responsibility
Information System Owner or Common Control Provider

SDLC Phase
Development / Acquisition, Implementation

Implementation is consistent with the enterprise architecture and the information security architecture. The infosec architecture serves as a resource for allocating controls.

10
Q

RMF Step 3 - Implement Security Controls

Step 3-2

A

Document security control implementation in the security plan

Responsibility
Information System Owner or Common Control Provider

SDLC Phase
Development / Acquisition, Implementation

Control documentation describes how the controls are implemented. Documentation formalizes plans and expectations regarding overall functionality. The functional description includes planned inputs, expected behavior, and expected outputs.

11
Q

RMF Step 4 - Assess Security Controls

Step 4-1

A

Develop, review, approve plan to assess the security controls

Responsibility
Security Control Assessor

SDLC Phase
Development / Acquisition, Implementation

The Security Assessment Plan provides the objectives for the security control assessment. The plan reflects the type of assessment the organization is conducting (developmental, verification, authorization, etc.). Conducting security control assessments in parallel with the development/acquisition and implementation phases permits early identification of weaknesses and cost-effective mitigations.

12
Q

RMF Step 4 - Assess Security Controls

Step 4-2

A

Assess security controls according to procedures defined in the plan from step 4-1

Responsibility
Security Control Assessor

SDLC Phase
Development / Acquisition, Implementation

Assessments determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome.

Assessments occur as early as practicable in the SDLC, ideally during development.

13
Q

RMF Step 4 - Assess Security Controls

Step 4-3

A

Prepare Security Assessment Report documenting issues, findings, recommendations from the security control assessment

Responsibility
Security Control Assessor

SDLC Phase
Development / Acquisition, Implementation

The results of the assessment, including recommendations, are documented in the Security Assessment Report. This is one of the 3 key documents in the Security Authorization Package developed for the AO.

The Assessment Report includes the information necessary to determine the effectiveness of the controls used. It is an important factor in the AO's determination of risk.

14
Q

RMF Step 4 - Assess Security Controls

Step 4-4

A

Conduct initial remediation on security controls based on the findings and recommendations of the security assessment report. Reassess remediated controls as appropriate

Responsibility
Information System Owner, Common Control Provider, Assessor

SDLC Phase
Development / Acquisition, Implementation

The Security Assessment Report describes specific weaknesses and deficiencies in the security controls used by the information system that could not be resolved during development. The findings generated facilitate a structured approach to mitigating risks.

15
Q

RMF Step 5 - Authorize Information System

Step 5-1

3 key documents:

  1. Security Plan
  2. Security Assessment Report
  3. Plan of Action & Milestones

A

Prepare the Plan of Action & Milestones (POAM) based on findings and recommendations of the security assessment report, excluding remediation actions already done.

Responsibility
Information System Owner, Common Control Provider

SDLC Phase
Implementation

The POAM, prepared for the AO by the Information System Owner, is one of the 3 key documents in the Security Authorization Package. It is used by the AO to monitor progress in correcting issues identified during the assessment.

It describes specific tasks to:

  1. Correct weaknesses or deficiencies in controls noted during the assessment
  2. Address residual vulnerabilities in the information system

The POAM identifies:

  1. tasks to be accomplished and recommendations for completion before or after implementation
  2. resources required for tasks
  3. milestones in meeting tasks
  4. scheduled completion dates for milestones
16
Q

RMF Step 5 - Authorize Information System

Step 5-2

A

Assemble security authorization package and submit to the AO

Responsibility
Information System Owner or Common Control Provider

SDLC Phase
Implementation

The Security Authorization Package contains 3 things:

  1. security plan
  2. security assessment report
  3. POAM

It is used by the AO to make risk-based authorization decisions.

17
Q

RMF Step 5 - Authorize Information System

Step 5-3

A

Determine the risks to organizational operations, assets, personnel, other organizations, the Nation

Responsibility
AO or AODR

SDLC Phase
Implementation

The AO or AODR assesses the information provided by the information system owner about the security state of the system. Risk assessments are optionally employed to provide additional information.

18
Q

RMF Step 5 - Authorize Information System

Step 5-4

A

Determine if risk to organizational operations, assets, personnel, other organizations or the Nation is acceptable.

Responsibility
AO

SDLC Phase
Implementation

The AO, with the senior information security officer, assesses the information provided by the information system owner about the security state of the system.

19
Q

RMF Step 6 - Monitor Security Controls

Step 6-1

A

Determine security impact of proposed or actual changes to the information system and its environment

Responsibility
Information System Owner or Common Control Provider

SDLC Phase
Operation / Maintenance

A disciplined, structured approach to managing, controlling, and documenting changes to an information system is essential to effective security control monitoring.

20
Q

RMF Step 6 - Monitor Security Controls

Step 6-2

A

Assess a selected subset of employed controls in accordance with the monitoring strategy

Responsibility
Security Control Assessor

SDLC Phase
Operation / Maintenance

After authorization, the organization assesses a subset of controls on an ongoing basis, in accordance with the continuous monitoring strategy developed by the information system owner and approved by the AO.

21
Q

RMF Step 6 - Monitor Security Controls

Step 6-3

A

Conduct remediation actions based on results of ongoing monitoring activities, assessment of risk and outstanding items in the POAM

Responsibility
Information System Owner, common control provider

SDLC Phase
Operation / Maintenance

Assessment information produced by an assessor during monitoring is provided to the information system owner in an updated Security Assessment Report. The information system owner initiates the remediation actions listed in the POAM.

22
Q

RMF Step 6 - Monitor Security Controls

Step 6-4

A

Update the security plan, security assessment report, and POAM based on the results of continuous monitoring

Responsibility
Information System Owner, common control provider

SDLC Phase
Operation / Maintenance

To facilitate near real-time management of risk, the organization updates the security plan, assessment report, and POAM on an ongoing basis.

23
Q

RMF Step 6 - Monitor Security Controls

Step 6-5

A

Report the security status of the information system, including the effectiveness of controls, to the AO on an ongoing basis in accordance with the monitoring strategy

Responsibility
Information System Owner, Common Control Provider

SDLC Phase
Operation / Maintenance

The results of monitoring activities are recorded and reported to the AO on an ongoing basis in accordance with the monitoring strategy. Security status reports provide the AO with information about the security state of the system, including the effectiveness of deployed controls.

Security Status reporting can be:

  1. event-driven
  2. time-driven
  3. both
24
Q

RMF Step 6 - Monitor Security Controls

Step 6-6

A

Review the reported security status of the information system (including the effectiveness of the controls employed) on an ongoing basis in accordance with the monitoring strategy to determine if the risk remains acceptable

Responsibility
AO

SDLC Phase
Operation / Maintenance

The AO or AODR reviews reported security status on an ongoing basis to determine current risk. The AO determines whether the current risk is acceptable and forwards appropriate direction to the information system owner or common control provider.

25
Q

RMF Step 6 - Monitor Security Controls

Step 6-7

A

Implement an information system decommissioning strategy when needed, which executes the required actions when a system is removed from service

Responsibility
Information System Owner

SDLC Phase
Disposal

When a federal information system is removed from operation, a number of risk management related actions are required.

Organizations ensure that all security controls addressing information system removal and decommissioning are implemented. Organizational tracking and management systems are updated to indicate the specific components that are being removed.