
Risk Management Framework


A structured, six-step approach used to oversee and manage risks to organizational operations (mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system.

  • 1. Categorize System

    Describe system authorization boundaries; assess system confidentiality, integrity & availability by low, moderate, or high-risk impact; define privacy requirements; initiate security plan.

  • 2. Select Controls

    Identify controls by system category; tailor and supplement controls as appropriate; separate common and hybrid controls from the controls the program is responsible for; define the continuous monitoring approach.

  • 3. Implement Controls

    Document security controls & inheritance in eMASS, CSAM, etc.; assemble ATO package; program SMEs conduct pre-assessment scans & tests; ensure controls are incorporated into new requirements.

  • 4. Assess Controls

    Authorizing Official or delegate approves assessment plan; program coordinates plan execution support; assessor determines security control effectiveness.

  • 5. Authorize System

    Prepare a POA&M addressing identified vulnerabilities; assemble and submit the security authorization package; receive an ATO, or an IATT / IATO (conditional ATO) where testing or contingent approval applies.

  • 6. Continuously Monitor

    Continuously monitor security controls; analyze and document the security impact of all system changes; update the POA&M; report changes to the appropriate officials.


RMF Steps 1 to 3 – Implement Security

Step 1 - Categorize System

Step 1.1

Categorize the information system and document the results of the security categorization in the security plan.

Step 1.2

Describe the information system (including system boundary) and document the description in the security plan.

Step 1.3

Register the information system with appropriate organizational program/management offices.

Step 2 - Select Controls

Step 2.1

Identify the security controls that are provided by the organization as common controls for organizational information systems and document the controls in a security plan.

Step 2.2

Select the security controls for the information system and document the controls in the security plan.

Step 2.3

Develop a strategy for the continuous monitoring of security control effectiveness and any proposed or actual changes to the information system and its environment of operation.

Step 2.4

Review and approve the security plan.

Step 3 - Implement Controls

Step 3.1

Implement the security controls specified in the security plan.

Step 3.2

Document the security control implementation, as appropriate, in the security plan, providing a functional description of the control implementation.


RMF Steps 4 & 5 – Assess & Authorize

Step 4 - Assess Controls

The Authorizing Official or delegate approves the security assessment plan; the program coordinates support for executing the plan; the assessor determines the effectiveness of the security controls.

Step 5 - Authorize System

Prepare the plan of action and milestones (POA&M) addressing identified vulnerabilities; assemble and submit the security authorization package; receive an ATO, or an IATT / IATO (conditional ATO) where testing or contingent approval applies.

Step 6 - Continuous Monitoring

Step 6.1

Determine the security impact of proposed or actual changes to the information system and its environment of operation.

Step 6.2

Assess a selected subset of the technical, management, and operational security controls employed within and inherited by the information system in accordance with the organization-defined monitoring strategy.

Step 6.3

Conduct remediation actions based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in the plan of action and milestones.

Step 6.4

Update the security plan, security assessment report, and plan of action and milestones based on the results of the continuous monitoring process.

Step 6.5

Report the security status of the information system (including the effectiveness of security controls employed within and inherited by the system) to the authorizing official and other appropriate organizational officials on an ongoing basis in accordance with the monitoring strategy.



© Paragone Solutions, Inc 2019
