4. RMF Flashcards
6 Steps in RMF
CSIAAM
- Categorize information systems
- Select controls
- Implement controls
- Assess controls
- Authorize information systems
- Monitor
RMF Step 1 - Categorize
Step 1-1
Categorize the information system, document the results in the security plan
Responsibility
IS Owner, Information Owner/Steward
SDLC Phase
Initiation
References
FIPS 199; NIST SP 800-30, 800-39, 800-59, 800-60; CNSSI-1253
RMF Step 1 - Categorize
Step 1-2
Describe the information system including the boundary and document in the security plan. This is recorded in the system identification section of the security plan
Responsibility
IS Owner
SDLC Phase
Initiation
Many things can be included here, including: unique identifiers, types of information processed, applicable laws, hardware devices, applications, information flows
RMF Step 1 - Categorize
Step 1-3
Register information system with organizational program/management offices
Responsibility
IS Owner
SDLC Phase
Initiation
Registration uses information from the system identification in the categorize-description step to inform the parent organization of the existence of the system, the key characteristics of the system, and its security implications.
Registration provides an effective management/tracking tool
RMF Step 2 - Select Security Controls
Step 2-1
Identify security controls provided by the organization as common controls and document controls in a security plan or equivalent
Responsibility
CIO or Sr. Infosec Officer, Infosec Architect, Common Control Provider
SDLC Phase
Initiation
RMF Step 2 - Select Security Controls
Step 2-2
Select security controls and document in a security plan
Responsibility
InfoSec Architect, Information System Owner
SDLC Phase
Initiation
Select controls based on security categorization of the information system. Process includes:
- choose a baseline of controls
- tailoring baseline
- supplementing tailored baseline
- specifying minimum assurance requirements
RMF Step 2 - Select Security Controls
Step 2-3
Develop strategy for continuous monitoring of security control effectiveness and proposed or actual changes to the system and environment
Responsibility
Information System Owner, Common Control Provider
SDLC Phase
Initiation
A critical aspect of risk management is ongoing monitoring of security controls. Robust monitoring allows the organization to understand the security state of a system over time
RMF Step 2 - Select Security Controls
Step 2-4
Review and Approve Security Plan
Responsibility
AO or AODR
SDLC Phase
Development
Independent review of security plan by the AO or AODR helps determine if plan is complete, consistent and satisfies stated security requirements for the information system.
Also helps determine if the plan correctly and effectively identifies the potential risk to the organization
RMF Step 3 - Implement Security Controls
Step 3-1
Implement controls specified in the security plan
Responsibility
Information System Owner or Common Control Provider
SDLC Phase
Development / Acquisition, Implementation
Implementation is consistent with enterprise architecture and information security architecture. Infosec architecture serves as a resource to allocate controls.
RMF Step 3 - Implement Security Controls
Step 3-2
Document security control implementation in the security plan
Responsibility
Information System Owner or Common Control Provider
SDLC Phase
Development / Acquisition, Implementation
Control documentation describes how controls are implemented. Documentation formalizes plans and expectations regarding overall functionality. Functional description includes planned inputs, expected behavior, expected outputs
RMF Step 4 - Assess Security Controls
Step 4-1
Develop, review, approve plan to assess the security controls
Responsibility
Security Control Assessor
SDLC Phase
Development / Acquisition, Implementation
The Security Assessment Plan provides objectives for the security control assessment. The assessment plan reflects the type of assessment the organization is doing (developmental, verification, authorization, etc.). Conducting security control assessments in parallel with the development/acquisition and implementation phases permits the early identification of weaknesses and cost-effective mitigations
RMF Step 4 - Assess Security Controls
Step 4-2
Assess security controls according to procedures defined in the plan from step 4-1
Responsibility
Security Control Assessor
SDLC Phase
Development / Acquisition, Implementation
Assessments determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome.
Assessments occur as early as practicable in the SDLC, ideally during development
RMF Step 4 - Assess Security Controls
Step 4-3
Prepare Security Assessment Report documenting issues, findings, recommendations from the security control assessment
Responsibility
Security Control Assessor
SDLC Phase
Development / Acquisition, Implementation
Results of the assessment, including recommendations, are documented in the Security Assessment Report. This is one of 3 key documents in the Security Authorization Package developed for the AO.
The Assessment Report includes the information necessary to determine the effectiveness of the controls used. It’s an important factor in the AO’s determination of risk
RMF Step 4 - Assess Security Controls
Step 4-4
Conduct initial remediation on security controls based on the findings and recommendations of the security assessment report. Reassess remediated controls as appropriate
Responsibility
Information System Owner, Common Control Provider, Assessor
SDLC Phase
Development / Acquisition, Implementation
The Security Assessment Report describes specific weaknesses and deficiencies in the security controls used by the information system that couldn’t be resolved during development. The findings generated facilitate a structured approach to mitigating risks.
RMF Step 5 - Authorize Information System
Step 5-1
3 key documents:
Security Plan
Security Assessment Report
Plan of Action & Milestones
Prepare the Plan of Action & Milestones (POAM) based on findings and recommendations of the security assessment report, excluding remediation actions already done.
Responsibility
Information System Owner, Common Control Provider
SDLC Phase
Implementation
The POAM, prepared for the AO by the Information System Owner, is one of 3 key documents in the Security Authorization Package. It’s used by the AO to monitor progress in correcting issues identified during the assessment
It describes specific tasks to:
- Correct weaknesses or deficiencies in controls noted during the assessment
- Address residual vulnerabilities in the information system
The POAM identifies:
- tasks to be accomplished and recommendations for completion before or after implementation
- resources required for tasks
- milestones in meeting tasks
- scheduled completion dates for milestones
RMF Step 5 - Authorize Information System
Step 5-2
Assemble security authorization package and submit to the AO
Responsibility
Information System Owner or Common Control Provider
SDLC Phase
Implementation
The Security Authorization Package contains 3 things:
- security plan
- security assessment report
- POAM
It’s used by the AO to make risk-based authorization decisions
RMF Step 5 - Authorize Information System
Step 5-3
Determine the risks to organizational operations, assets, personnel, other organizations, the Nation
Responsibility
AO or AODR
SDLC Phase
Implementation
The AO or AODR assesses information provided by the information system owner about the security state of the system. Risk assessments are optionally employed to provide extra information.
RMF Step 5 - Authorize Information System
Step 5-4
Determine if risk to organizational operations, assets, personnel, other organizations or the Nation is acceptable.
Responsibility
AO
SDLC Phase
Implementation
The AO, with the senior Information Security Officer, assesses information provided by the information system owner about the security state of the system.
RMF Step 6 - Monitor Security Controls
Step 6-1
Determine security impact of proposed or actual changes to the information system and its environment
Responsibility
Information System Owner or Common Control Provider
SDLC Phase
Operation / Maintenance
A disciplined, structured approach to managing, controlling and documenting changes to an information system is essential to effective security control monitoring
RMF Step 6 - Monitor Security Controls
Step 6-2
Assess a selected subset of employed controls in accordance with the monitoring strategy
Responsibility
Security Control Assessor
SDLC Phase
Operation / Maintenance
After authorization, the organization assesses a subset of controls on an ongoing basis in accordance with the continuous monitoring strategy developed by the information system owner and approved by the AO
RMF Step 6 - Monitor Security Controls
Step 6-3
Conduct remediation actions based on results of ongoing monitoring activities, assessment of risk and outstanding items in the POAM
Responsibility
Information System Owner, common control provider
SDLC Phase
Operation / Maintenance
Assessment information produced by an assessor during monitoring is provided to the information system owner in an updated Security Assessment Report. The information system owner initiates remediation actions listed in the POAM
RMF Step 6 - Monitor Security Controls
Step 6-4
Update security plan, security assessment report, POAM based on results of continuous monitoring
Responsibility
Information System Owner, common control provider
SDLC Phase
Operation / Maintenance
To facilitate near real-time management of risk, the organization updates the security plan, assessment report and POAM on an ongoing basis.
RMF Step 6 - Monitor Security Controls
Step 6-5
Report security status of the information system, including effectiveness of controls, to the AO on an ongoing basis in accordance with the monitoring strategy
Responsibility
Information System Owner, Common Control Provider
SDLC Phase
Operation / Maintenance
Results of monitoring activities are recorded and reported to the AO on an ongoing basis in accordance with the monitoring strategy. Security status reports provide the AO with information about the security state of the system, including the effectiveness of deployed controls.
Security Status reporting can be:
- event-driven
- time-driven
- both
RMF Step 6 - Monitor Security Controls
Step 6-6
Review reported security status of the information system (including effectiveness of controls employed) on an ongoing basis in accordance with the monitoring strategy to determine if the risk remains acceptable
Responsibility
AO
SDLC Phase
Operation / Maintenance
The AO or AODR reviews reported security status on an ongoing basis to determine current risk. The AO determines whether the current risk is acceptable and forwards appropriate direction to the information system owner or common control provider.
RMF Step 6 - Monitor Security Controls
Step 6-7
Implement an information system decommissioning strategy when needed, which executes required actions when a system is removed from service
Responsibility
Information System Owner
SDLC Phase
Disposal
When a federal information system is removed from operations, a number of risk management related actions are required.
Organizations ensure all security controls addressing information system removal and decommissioning are implemented. Organizational tracking and management systems are updated to indicate specific components that are being removed