Risk Management Framework (RMF)

The DoD Risk Management Framework (RMF) describes the DoD process for identifying, implementing, assessing, and managing cybersecurity capabilities and services, expressed as security controls, and authorizing the operation of Information Systems (IS) and Platform Information Technology (PIT) systems. RMF brings a risk-based approach to the implementation of cybersecurity, supports cybersecurity integration early and throughout the system lifecycle, promotes reciprocity to the maximum extent possible, and stresses continuous monitoring. RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP).

Manual: Defense Security Service (DSS) Assessment and Authorization Process Manual (DAAPM) – 4 Jun 2018

Website: Defense Security Service RMF

The objectives of the RMF process include: [1]

  • Incorporating cybersecurity early and robustly in the acquisition and system development life cycle.
  • Implementing a three-tiered approach to risk management that addresses risk-related concerns at the enterprise level, the mission and business process level, and the information system level.
  • Providing a risk management methodology that gives organizations a true picture of vulnerabilities caused by non-compliant controls as it relates to other risk factors (e.g. likelihood, threat, and impact).
  • Codifying system authorization reciprocity, which enables organizations to accept approvals by other organizations for interconnection or reuse of IT without retesting.
  • Emphasizing information security continuous monitoring and timely correction of deficiencies, including active management of vulnerabilities and incidents.

The RMF process parallels the defense acquisition process from initiation and consists of six (6) steps: [1]

  • Step 1: Categorize System: Each IS is categorized based on the impact of a loss of confidentiality, integrity, or availability (CIA) of the system. Security impact levels are defined as Low, Moderate, or High for each of the three security objectives. For example, an IS may have a Confidentiality impact level of Moderate, an Integrity impact level of Moderate, and an Availability impact level of Low. The DSS baseline identifies the security control specifications needed to safeguard classified information that is stored, processed, or transmitted, and adopts a minimum baseline of Moderate-Low-Low (M-L-L). The impact values are documented in the System Security Plan (SSP) along with the research, key decisions, approvals, and supporting rationale. The following tasks provide guidance in defining impact levels for all ISs:
    • Task 1.1: Categorize the IS and document the results in the SSP.
    • Task 1.2: Establish the IS boundaries.
    • Task 1.3: The IS is categorized based on the impact due to a loss of confidentiality (moderate/high), integrity (low/moderate/high), and availability (low/moderate/high) of the information according to information provided by the IO.
    • Task 1.4: Assign qualified personnel to RMF roles and document team member assignments in the SSP.
    • Task 1.5: Document the system description, including the system/IS boundary, in the initial SSP.
    • Quick Guide: NIST RMF Categorize Step FAQs
  • Step 2: Select Security Controls:
    • Task 2.1: Identify the security controls that are provided by the organization as common controls for all or multiple IS under the organization’s control and document the controls in the SSP. Control implementation can be characterized as:
      • System Specific – Security controls specific to an IS and the responsibility of the security officer.
      • Common – Security controls that are inheritable by one or more organizational IS and are typically provided by the organization or the infrastructure (examples: physical and environmental security controls, network boundary defense security controls, organization policies or procedures, etc.).
      • Hybrid – Security controls that are implemented in an IS in part as a common control and in part as a system-specific control. If any of the IS components need system-specific infrastructure protections, in addition to common controls that apply to the IS, the control is implemented as a hybrid control.
    • Task 2.2: Select the security controls for the IS and document the controls in the SSP. The selection is based upon the results of the categorization (Security Impact Levels determined during RMF Step 1).
    • Task 2.3: Tailor the initial set of security controls.
    • Task 2.4: Develop a strategy for continuous monitoring of security control effectiveness.
    • Quick Guide: NIST RMF Select Step-FAQs
  • Step 3: Implement Security Controls: Implement the controls described in the security and privacy plans for the system and the organization.
    • Task 3.1: Implement the security controls specified in the SSP. The security officer will assess the security controls as documented in the SSP.
    • Task 3.2: Document the security control implementation in the SSP and provide a functional description of the control implementation (including planned inputs, expected behavior, and expected outputs). The documentation will include any additional information necessary to describe how the security capability is achieved, at a level of detail sufficient to support control assessment.
    • Quick Guide: NIST RMF Implement Step-FAQs
  • Step 4: Assess Security Controls: Determine if the controls are implemented correctly and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization.
    • Task 4.1: The ISSM will conduct an assessment of the security controls in accordance with the security procedures defined in the SSP. This assessment is conducted to ensure the security controls are implemented correctly, are operating as intended, and meet the security requirements for the IS.
    • Task 4.2: The ISSM will review the applicable SCG and verify the classification level of all SSP artifacts.
    • Task 4.3: The ISSP receives and reviews the final SSP, Certification Statement, RAR, POA&M (if applicable), and supporting artifacts via OBMS.
    • Task 4.4: The ISSP conducts an on-site assessment.
    • Task 4.5: Develop/Update POA&M based on findings and recommendations from the SAR.
    • Quick Guide: NIST RMF Assess Step-FAQs
  • Step 5: Authorize System: Provide formal authorization to operate.
    • Task 5.1: The ISSP assembles and submits the security authorization package to the AO.
    • Task 5.2: The explicit acceptance of risk is the responsibility of the AO. The AO will issue an authorization decision for the IS and the common controls inherited by the system after reviewing all of the relevant information and, where appropriate, consulting with other organizational officials.
    • Quick Guide: NIST RMF Authorize Step-FAQs
  • Step 6: Monitor Security Controls: The Continuous Monitoring Strategy is required to determine whether the set of deployed security controls continues to be effective. Continuous monitoring activities support the concept of near real-time risk management through ongoing security assessments and risk analysis, and recording results in IS security documentation.
    • Task 6.1: The ISSM, with assistance from the ISO, FSO and other IS stakeholders, will assess all technical, management, and operational security controls employed within and inherited by ISs in accordance with the organization’s Continuous Monitoring Strategy.
    • Task 6.2: Conduct mitigation activities.
    • Task 6.3: Ensure security documentation is updated.
    • Task 6.4: Report monitoring activity.
    • Task 6.5: Implement an IS decommissioning strategy.
    • Task 6.6: Review and report security status.
    • Quick Guide: NIST RMF Monitor Step-FAQs

The DoD RMF governance structure implements a three-tiered approach to cybersecurity risk management.

  • Tier 1 Strategic Level: Addresses risk management at the DoD enterprise level. At this tier, the DoD Chief Information Officer (CIO) directs and oversees the cybersecurity risk management of DoD IT. The Risk Executive Function is performed by the DoD Information Security Risk Management Committee (ISRMC).
  • Tier 2 Mission / Business Processes Level: At this level, the Component CIO is responsible for the administration of the RMF within the DoD Component cybersecurity program.
  • Tier 3 IS and PIT Systems Level: The DoD Component Heads are responsible for the appointment of trained and qualified Authorizing Officials (AOs) for all DoD ISs and PIT systems within their Component.

Updated: 5/06/2021
