Risk Management Framework Engineering Support

RMF Overview

Paragone provides a full range of RMF support services. We assist in the implementation of the Information System Security Plan (I. Implement Security), we facilitate the system accreditation (II. System Accreditation), and we provide continuous monitoring support (III. Monitor Compliance). We use custom-developed software and database application to automate routine RMF tasks significantly decreasing time and costs.

A structured, six-step approach used to oversee and manage risks to organizational operations (mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system.

0.    Prepare

The Prepare step carries out essential activities at the organization, mission and business process, and information system levels to help prepare the organization to manage its security and privacy risks using the RMF.

1.    Categorize System

Describe system authorization boundaries; assess system confidentiality, integrity & availability by low, moderate, or high-risk impact; define privacy requirements; initiate security plan.

2.    Select Controls

Identify controls by category; tailor & supplement controls as appropriate; segregate common controls and hybrid from program responsible controls; define continuous monitoring approach.

3.    Implement Controls

Document security controls & inheritance in eMASS, CSAM, etc.; assemble ATO package; program SMEs conduct pre-assessment scans & tests; ensure controls are incorporated into new requirements.

4.    Assess Controls

Authorizing Official or delegate approves assessment plan; program coordinates plan execution support; assessor determines security control effectiveness.

5.    Authorize System

Prepare POA&M addressing vulnerabilities; assemble & submit the security authorization package; receive ATO or conditional ATO IATT / IATO if testing or contingent approval.

6.    Continuously Monitor

Continuously monitor security controls; analyze & document impact of all system changes; update POA&M; report changes to officials.

RMF Step 0 - Prepare

The 1982 Federal Information Security Management Act (FISMA) requires federal agencies “to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency.”  Supporting FISMA compliance, The National Institute of Standards and Technology (NIST) has defined Federal Information Processing Standards (FIPS) must be implemented in order to achieve compliance. The following steps are a component of a FISMA compliant organization.

RMF Steps 4 & 5 – Assess & Authorize

Comprehensive SA&A Assessments – A complete Security Assessment and Authorization (SA&A) effort in support of FISMA compliance includes several core deliverables, any of which can prove very challenging for a large organization:

  • System Categorization. The system is categorized which includes defining: 1) hosts and devices, 2) ports, protocols, and services, 3) system interfaces, 4) roles and responsibilities including development and support personnel must be documented, 5) etc. Guidance is found in provided in FIPS 199and NIST SP 800-60.
  • Security Controls. Security controls are defined, documented, and assessed based on guidance provided in FIPS 200and NIST Special Publication 800-53.
  • System Security Plan. Using the guidance provided in NIST SP-800-18, a system security plan must be developed.  This is a living document, which includes plans of actions and milestones (POA&Ms) for any assessed risks.
  • Compliance Evidence.Evidence of control implementation must be documented and aggregated. Evidence is used throughout an assessment.
  • Risk Assessment. Based on the output of the required security control assessment, system risks are assessed by calculating the likelihood and impact that any given vulnerability could be exploited, taking into account existing controls.  All risks must ultimately be accepted or mitigated. Reference: NIST SP 800-30
  • Penetration and/or Static Code Testing.Penetration tests are conducted based on defined rules of engagement against identified threat models documented in the penetration test plan. Test types include: web applications & APIs, mobile applications, networks, social engineering, and simulated attack vectors. Security control CA-8 guides penetration testing. Additionally, static code scans for know vulnerabilities must also be conducted.
  • Certification and Accreditation. Once all required artifacts have been created and the is compliant with the guidance provided in NIST SP 800-37a security authorization package and accreditation memorandum (Authorization to Operate) is presented to the authorizing official.
  • Continuous Monitoring. Accredited systems are continuous monitored in alignment with NIST SP 800-137to ensure ongoing compliance with identified security controls and baselines.

RMF Step 6 – Continuous Monitoring

An Information security continuous monitoring (ISCM) program is established to collect information in accordance with preestablished metrics, utilizing information readily available in part through implemented security controls. Organizational officials collect and analyze the data regularly and as often as needed to manage risk as appropriate for each organizational tier. This process involves the entire organization, from senior leaders providing governance and strategic vision to individuals developing, implementing, and operating individual systems in support of the organization’s core missions and business processes. Subsequently, determinations are made from an organizational perspective on whether to conduct mitigation activities or to reject, transfer, or accept risk.

RMF References

CNSSP 22 (Risk Management Policy for NSS) –www.cdse.edu/documents/cdse/DoDI_8500_01_Cybersecurity.pdf
CNSSI 1253 (Security Categorization and Control Selection for NSS) –www.dss.mil/documents/CNSSI_No1253.pdf

ICD 503 (Risk Management, Certification and Accreditation)

RMF Step Completion Checklist

The following are checklists to be used at the completion of RMF steps to determine readiness to move to the next step.

  • Has the organization completed a security categorization of the information system including the information to be processed, stored, and transmitted by the system?
  • Are the results of the security categorization process for the information system consistent with the organization’s enterprise architecture and commitment to protecting organizational mission/business processes?
  • Do the results of the security categorization process reflect the organization’s risk management strategy?
  • Has the organization adequately described the characteristics of the information system?
  • Has the organization registered the information system for purposes of management, accountability, coordination, and oversight?


  • Has the organization allocated all security controls to the information system as system-specific, hybrid, or common controls?
  • Has the organization used its risk assessment (either formal or informal) to inform and guide the security control selection process?
  • Has the organization identified authorizing officials for the information system and all common controls inherited by the system?
  • Has the organization tailored and supplemented the baseline security controls to ensure that the controls, if implemented, adequately mitigate risks to organizational operations and assets, individuals, other organizations, and the Nation?
  • Has the organization addressed minimum assurance requirements for the security controls employed within and inherited by the information system?
  • Has the organization consulted information system owners when identifying common controls to ensure that the security capability provided by the inherited controls is sufficient to deliver adequate protection?
  • Has the organization supplemented the common controls with system-specific or hybrid controls when the security control baselines of the common controls are less than those of the information system inheriting the controls?
  • Has the organization documented the common controls inherited from external providers?
  • Has the organization developed a continuous monitoring strategy for the information system (including monitoring of security control effectiveness for system-specific, hybrid, and common controls) that reflects the organizational risk management strategy and organizational commitment to protecting critical missions and business functions?
  • Have appropriate organizational officials approved security plans containing system-specific, hybrid, and common controls?
  • Has the organization allocated security controls as system-specific, hybrid, or common controls consistent with the enterprise architecture and information security architecture?
  • Has the organization demonstrated the use of sound information system and security engineering methodologies in integrating information technology products into the information system and in implementing the security controls contained in the security plan?
  • Has the organization documented how common controls inherited by organizational information systems have been implemented?
  • Has the organization documented how system-specific and hybrid security controls have been implemented within the information system taking into account specific technologies and platform dependencies?
  • Has the organization taken into account the minimum assurance requirements when implementing security controls?
  • Has the organization developed a comprehensive plan to assess the security controls employed within or inherited by the information system?
  • Was the assessment plan reviewed and approved by appropriate organizational officials?
  • Has the organization considered the appropriate level of assessor independence for the security control assessment?
  • Has the organization provided all of the essential supporting assessment-related materials needed by the assessor(s) to conduct an effective security control assessment?
  • Has the organization examined opportunities for reusing assessment results from previous assessments or from other sources?
  • Did the assessor(s) complete the security control assessment in accordance with the stated assessment plan?
  • Did the organization receive the completed security assessment report with appropriate findings and recommendations from the assessor(s)?
  • Did the organization take the necessary remediation actions to address the most important weaknesses and deficiencies in the information system and its environment of operation based on the findings and recommendations in the security assessment report?
  • Did the organization update appropriate security plans based on the findings and recommendations in the security assessment report and any subsequent changes to the information system and its environment of operation?


  • Did the organization develop a plan of action and milestones reflecting organizational priorities for addressing the remaining weaknesses and deficiencies in the information system and its environment of operation?
  • Did the organization develop an appropriate authorization package with all key documents including the security plan, security assessment report, and plan of action and milestones (if applicable)?
  • Did the final risk determination and risk acceptance by the authorizing official reflect the risk management strategy developed by the organization and conveyed by the risk executive (function)?
  • Was the authorization decision conveyed to appropriate organizational personnel including information system owners and common control providers?
  • Is the organization effectively monitoring changes to the information system and its environment of operation including the effectiveness of deployed security controls in accordance with the continuous monitoring strategy?
  • Is the organization effectively analyzing the security impacts of identified changes to the information system and its environment of operation?
  • Is the organization conducting ongoing assessments of security controls in accordance with the monitoring strategy?
  • Is the organization taking the necessary remediation actions on an ongoing basis to address identified weaknesses and deficiencies in the information system and its environment of operation?
  • Does the organization have an effective process in place to report the security status of the information system and its environment of operation to the authorizing officials and other designated senior leaders within the organization on an ongoing basis?
  • Is the organization updating critical risk management documents based on ongoing monitoring activities?
  • Are authorizing officials conducting ongoing security authorizations by employing effective continuous monitoring activities and communicating updated risk determination and acceptance decisions to information system owners and common control providers?

RMF Templates

To better support our customers, Paragone maintains the following RMF templates: