Risk Management Framework (RMF)

The NIST Risk Management Framework (RMF) describes the process for identifying, implementing, assessing, and managing cybersecurity capabilities and services, expressed as security controls, and authorizing the operation of Information Systems (IS) and Platform Information Technology (PIT) systems.

RMF brings a risk-based approach to the implementation of cybersecurity, supports cybersecurity integration early and throughout the system lifecycle, promotes reciprocity to the maximum extent possible, and stresses continuous monitoring. RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP).

Risk Management

Risk management is a continuous process that is accomplished throughout the life cycle of a system and should begin at the earliest stages of program planning. It is used as the foundation of the Risk Management Framework (RMF). The approach is an organized methodology for continuously:

Risk Management Framework (RMF) Stated Goals

The goals of the Risk Management Framework as stated by the Defense Security Service (DSS) are:

  • Improve information security
  • Strengthen risk management processes
  • Encourage reciprocity among federal agencies

Manual: Defense Security Service (DSS) Assessment and Authorization Process Manual (DAAPM)

Main Publication: NIST Special Publication 800-37 RMF for Information Systems and Organizations

Website: Defense Security Service RMF

Risk Management Framework (RMF) Objectives

The objectives of the RMF process include: [1]

  • Incorporating cybersecurity early and robustly in the acquisition and system development life cycle.
  • Implementing a three-tiered approach to risk management that addresses risk-related concerns at the enterprise level, the mission and business process level, and the information system level.
  • Providing a risk management methodology that gives organizations a true picture of the vulnerabilities caused by non-compliant controls as they relate to other risk factors (e.g., likelihood, threat, and impact).
  • Codifying system authorization reciprocity, which enables organizations to accept approvals by other organizations for interconnection or reuse of IT without retesting.
  • Emphasizing information security continuous monitoring and timely correction of deficiencies, including active management of vulnerabilities and incidents.

Risk Management Framework (RMF) Tutorial

7 Steps of the Risk Management Framework (RMF)

Risk Management Framework (RMF) Steps

The RMF process parallels the defense acquisition process from initiation and consists of seven (7) steps: [1]

  • Step 1: Prepare: Carry out essential activities at the organization, mission and business process, and information system levels of the enterprise to help prepare the organization to manage its security and privacy risks.
  • Step 2: Categorize System: Information Systems (IS) are categorized based on the impact of a loss of Confidentiality, Integrity, and Availability (CIA) of the information system. Security impact levels are defined as Low, Moderate, or High. The impact values are documented in the System Security Plan (SSP) along with the research, key decisions, approvals, and supporting rationale.
  • Step 3: Select Security Controls: Identify the security controls that are provided by the organization as common controls for all or multiple IS under the organization’s control and document the controls in the SSP. Control implementation can be characterized as:
    • System Specific: Security controls specific to an IS and the responsibility of the security officer.
    • Common: Security controls that are inheritable by one or more organizational IS and are typically provided by the organization or the infrastructure (Examples: physical and environmental security controls, network boundary defense security controls, organization policies or procedures, etc.).
    • Hybrid: Security controls that are implemented in an IS in part as a common control and in part as a system-specific control. If any of the IS components need system-specific infrastructure protections, in addition to common controls that apply to the IS, the control is implemented as a hybrid control.
  • Step 4: Implement Security Controls: Implement the controls in the security and privacy plans for the system and organization. Document all the processes and procedures you need.
  • Step 5: Assess Security Controls: Determine if the controls are implemented correctly and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization.
  • Step 6: Authorize System: Provide formal authorization if everything is working as intended.
  • Step 7: Monitor Security Controls: A continuous strategy of monitoring is required to determine if the security controls are working. Continuous monitoring activities support the concept of near real-time risk management through ongoing security assessments and risk analysis, and recording results in IS security documentation.
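The following is an added worked example of Steps 2 and 3, written for this page and not taken from NIST, DSS, or AcqNotes. It categorizes a hypothetical IS from the CIA impact ratings of the information types it handles and then records how each control is implemented (system-specific, common, or hybrid) for the SSP. It assumes the FIPS 199/200 "high-water mark" rule (the system category is the highest impact across all information types and all three objectives), which the page does not spell out; the information types, control providers, and responsible-party labels are constructed, and the control identifiers are NIST SP 800-53 control numbers used only as labels.

```python
"""Worked example of RMF Step 2 (categorize) and Step 3 (characterize controls).
Added illustration; the sample data below is constructed, not from any real program."""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """Security impact levels as the page defines them: Low, Moderate, High."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class InfoType:
    """One information type the system handles, with its CIA impact ratings."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact


def categorize_system(info_types):
    """Step 2: derive the IS security category from its information types.

    Each objective takes the highest impact any information type assigns to it,
    and the overall category is the highest of the three. This is the FIPS 199/200
    high-water mark rule, assumed here because the page does not state it.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    confidentiality = max(t.confidentiality for t in info_types)
    integrity = max(t.integrity for t in info_types)
    availability = max(t.availability for t in info_types)
    return {
        "confidentiality": confidentiality,
        "integrity": integrity,
        "availability": availability,
        "overall": max(confidentiality, integrity, availability),
    }


def classify_control(control_id, common_providers, system_specific_parts):
    """Step 3: characterize how one control is implemented for this IS.

    common_providers      - organization/infrastructure elements that satisfy the
                            control for one or more IS (inheritable)
    system_specific_parts - parts of the control this IS must implement itself
    A control satisfied partly by each is a hybrid control, as the page describes.
    """
    has_common = bool(common_providers)
    has_system = bool(system_specific_parts)
    if has_common and has_system:
        return "hybrid"
    if has_common:
        return "common"
    if has_system:
        return "system-specific"
    raise ValueError(f"{control_id}: no implementation documented; cannot record in SSP")


def build_ssp_entries(controls):
    """Produce SSP control records: control id, implementation type, responsible party.

    The page assigns system-specific controls to the security officer; the owner
    labels for common and hybrid controls are assumptions made for this example.
    """
    responsible_for = {
        "system-specific": "information system security officer",
        "common": "organization (common control provider)",
        "hybrid": "shared: organization + information system security officer",
    }
    entries = []
    for control_id, common, specific in controls:
        kind = classify_control(control_id, common, specific)
        entries.append({"control": control_id, "implementation": kind,
                        "responsible": responsible_for[kind]})
    return entries


# Constructed sample data: three information types handled by one hypothetical IS.
SAMPLE_INFO_TYPES = [
    InfoType("personnel records", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    InfoType("public web content", Impact.LOW, Impact.MODERATE, Impact.LOW),
    InfoType("mission telemetry", Impact.LOW, Impact.HIGH, Impact.HIGH),
]

# Constructed sample controls: (control id, common providers, system-specific parts).
SAMPLE_CONTROLS = [
    ("PE-3 physical access control", ["facility badge system"], []),
    ("SC-7 boundary protection", ["enterprise perimeter firewall"], ["host firewall on app servers"]),
    ("AC-2 account management", [], ["application user provisioning"]),
]

if __name__ == "__main__":
    category = categorize_system(SAMPLE_INFO_TYPES)
    print({objective: level.name for objective, level in category.items()})
    for entry in build_ssp_entries(SAMPLE_CONTROLS):
        print(entry)
```

Running the script shows the sample system categorized as High overall (driven by the integrity and availability ratings of the telemetry type, even though confidentiality is only Moderate), and the boundary-protection control recorded as hybrid because the enterprise firewall covers only part of it. That is the kind of rationale Step 2 and Step 3 expect to be documented in the SSP rather than left implicit.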

Risk Management Framework (RMF) Levels

Risk Management Framework (RMF) Organizational Levels

The DoD RMF governance structure implements a three-tiered approach to cybersecurity risk management.

  • Tier 1 Strategic Level: Addresses risk management at the DoD enterprise level. At this tier, the DoD Chief Information Officer (CIO) directs and oversees the cybersecurity risk management of DoD IT. The Risk Executive Function is performed by the DoD Information Security Risk Management Committee (ISRMC).
  • Tier 2 Mission / Business Processes Level: At this level, the Component CIO is responsible for the administration of the RMF within the DoD Component cybersecurity program.
  • Tier 3 IS and PIT Systems Level: The DoD Component Heads are responsible for the appointment of trained and qualified Authorization Officials for all DoD ISs and PIT systems within their Component.

Risk Management Framework (RMF) Roles and Responsibilities

There are various roles and responsibilities for the development and execution of the risk management framework in any program. These roles and responsibilities are detailed in the RMF Roles and Responsibilities Crosswalk.

Presentation: NIST RMF Roles and Responsibilities Crosswalk

Utilize the Risk Reporting Matrix

The risk management plan should detail how to use the Risk Reporting Matrix to determine the level of each risk identified within a program. It is a useful tool for deciding which risks should be prioritized for mitigation. The level of risk for each root cause is reported as low (green), moderate (yellow), or high (red).

Risk Matrix Plot


AcqLinks and References:

Updated: 6/24/2022
