RMF Steps Flashcards
Prepare
Purpose: Carry out essential activities to help prepare all levels of the organization to manage its security and privacy risks using the RMF
Outcomes:
key risk management roles identified
organizational risk management strategy established, risk tolerance determined
organization-wide risk assessment
organization-wide strategy for continuous monitoring developed and implemented
common controls identified
Categorize
Purpose: Inform organizational risk management processes and tasks by determining the adverse impact with respect to the loss of confidentiality, integrity, and availability of systems and the information processed, stored, and transmitted by those systems
Outcomes:
system characteristics documented
security categorization of the system and information completed
categorization decision reviewed/approved by authorizing official
Select
Purpose: Select, tailor, and document the controls necessary to protect the system and organization commensurate with risk
Outcomes:
control baselines selected and tailored
controls designated as system-specific, hybrid, or common
controls allocated to specific system components
system-level continuous monitoring strategy developed
security and privacy plans that reflect the control selection, designation, and allocation are reviewed and approved
Implement
Purpose: Implement the controls in the security and privacy plans for the system and organization
Outcomes:
controls specified in security and privacy plans implemented
security and privacy plans updated to reflect controls as implemented
Assess
Purpose: Determine if the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization.
Outcomes:
assessor/assessment team selected
security and privacy assessment plans developed
assessment plans are reviewed and approved
control assessments conducted in accordance with assessment plans
security and privacy assessment reports developed
remediation actions to address deficiencies in controls are taken
security and privacy plans are updated to reflect control implementation changes based on assessments and remediation actions
plan of action and milestones developed
Authorize
Purpose: Provide accountability by requiring a senior official to determine if the security and privacy risk, based on the operation of a system or the use of common controls, is acceptable.
Outcomes:
authorization package (executive summary, system security and privacy plan, assessment report(s), plan of action and milestones)
risk determination rendered
risk responses provided
authorization for the system or common controls is approved or denied
Monitor
Purpose: Maintain ongoing situational awareness about the security and privacy posture of the system and organization to support risk management decisions
Outcomes:
system and environment of operation monitored in accordance with continuous monitoring strategy
ongoing assessments of control effectiveness conducted in accordance with continuous monitoring strategy
output of continuous monitoring activities analyzed and responded to
process in place to report security and privacy posture to management
ongoing authorizations conducted using results of continuous monitoring activities