Overview of the NIST Risk Management Framework (RMF)

1. RISK Management Framework
Risk Management Framework
Description
Phase 1: Certification
Step 1: Categorize Information System
Categorize Information System
Categorize the impact rating of the information system using FIPS 199.
Determine the high water mark impact rating for information types
processed by the information system as specified in NIST SP 800-60 Rev. 1.
Initial Risk Determination
Determine whether selected security controls reduce risk to an acceptable
level based on known vulnerabilities and potential threats.
Review SSP Security Categorization
Conduct an independent review of the SSP security categorization.
Confirm that a contingency plan exists or is in the process of being created.
System Security Plan (SSP) Update
Update the SSP with any findings from independent reviews.
Threat Identification
Confirm that the Threat Statement identifies potential threats for the
system boundary and also accounts for interconnections between other
systems.
Risk Assessment (RA)
Confirm that the Risk Assessment (RA) identifies risks to the information
system.
Privacy Impact Assessment (PIA)
Confirm that the Privacy Impact Assessment (PIA) identifies risks to the
information system.
Step 2: Select Security Controls
Risk Approval Letter
Verify the existence of a Risk Approval Letter.
SSP Analysis
Perform an SSP Analysis to determine the effectiveness of implemented or
planned security controls in reducing risk to an acceptable level.
System Security Plan
Develop the SSP in accordance with NIST Guidance, OMB Memoranda and
Circulars, FISMA Law, and Presidential Directives and Executive Orders.
Ensure that the SSP adheres to Agency policies, the PCSP and the Program
Security Plan if applicable.
Step 3: Implement Security Controls
Security Control
Implementation Status Report
Generate a Security Control Implementation Status Report to analyze
security control effectiveness.
SSP Document Maintenance
Ensure that the SSP reflects information system changes.
Step 4: Assess Security Controls
Deviation Risk Assessment Report
Issue a Deviation Risk Assessment Report that lists ST&E security control
failures such as poorly implemented security controls or omissions.
Findings & Recommendations
Recommend corrective actions to reduce or eliminate vulnerabilities
mentioned in the SAR.
Identify Deviations in an Updated
Risk Assessment
Update the Risk Assessment to include any proposed or approved
deviations. Deviations include waivers, exceptions and variances. The
deviation process is typically described in the PCSP.
Prepared by Jim W. DeRienzo
Cloudburst Security, LLC

2. RISK Management Framework
Risk Management Framework
Plan of Actions and Milestones
(POA&M)
Description
Update the POA&M Report to reflect progress in applying countermeasures
that address weaknesses mentioned in the SAR.
Project Plan
Define the level of effort and resource requirements for conducting the
ST&E:
1)Identify scope of effort (e.g., # of physical and virtual servers; Operating
systems involved; # of applications; Geographic location of IT assets;
Geographic location of security control staff).
2) Schedule demands (e.g., Reauthorization deadlines; POA&M deadlines).
3)Personnel/skills availability (e.g., Who is the Security Authorization
Agent? Is an independent testing team available?).
4)Security Control Assessment (e.g., Evaluate security controls to verify that
the controls are implemented correctly, operating as intended, and meeting
the requirements of the SSP).
Rules of Engagement
Remain independent of system development and operations teams, as well
as those responsible for correcting security deficiencies.
Security Assessment Plan
Conduct a comprehensive assessment of the management, operational and
technical security controls for each General Support System (GSS) and
Major Application (MA).
Conduct technical assessments using a combination of automated tools and
manual checks (e.g. vulnerability scans, packet analysis, pen tests and social
engineering).
Security Assessment Report (SAR)
Using the approved ST&E test case procedures, assess each control and
prepare the Security Assessment Report (SAR).
A SAR is less than 10 pages and shows residual risk such as major issues or
red flags to the system owner (i.e., % of management, operational and
technical controls passed)
ST&E Procedures
Select or develop ST&E test cases to perform an assessment of each security
control.
Ensure that the DAA approves all selected ST&E test case procedures.
ST&E Report
Using the approved ST&E test case procedures, assess each control and
prepare the ST&E Report. An ST&E Report is hundreds of pages based on
individual test cases and artifacts (i.e., Contingency Plan).
Prepared by Jim W. DeRienzo
Cloudburst Security, LLC

3. RISK Management Framework
Risk Management Framework
Submit Security Authorization (SA)
Package to DAA
Description
Assemble the final SA Package and submit to the DAA. The SA Package
contains:
Security Risk Assessment (RA)
Approves System Security Plan (SSP)
Completed Privacy Impact Assessments (PIA)
Configuration Management Plan (CMP)
Contingency Plan (CP)
Security Test & Evaluation Report (ST&E Rpt.)
Plan of Action and Milestones (POA&M)
Security Assessment Report (SAR)
Accreditation Decision letter (ATO)
Interconnection Security Agreement (ISA)
Memorandum of Understanding (MOU) / Memorandum of Agreement
(MOA)
Update Security Authorization
Package
Determine that the DAA has authorized any deviation from the baseline
image prior to forwarding the Security Authorization Package to the DAA.
Update the SSP and Risk Assessment based on the SAR.
Vulnerability Assessment
Provide an Executive Summary Report and a Technical Summary Report
that shows vulnerabilities by IP Address, Open TCP/UDP Port and Common
Vulnerability Enumeration (CVE).
Include network devices, hosting providers, ISA partners, and local host
checks for systems, applications and database servers. Local host checks
must include credentialed scan results.
Provide a Compliance Failure Report for USGCB, CIS, STIG, CAG 4.0, OWASP
Top 10 or PII.
Software code reviews are available upon request.
Phase 2: Accreditation
Step 5: Authorize Information System
Accreditation Decision Letter
Verify that the DAA has issued an Approval to Operate (ATO) based on the
residual risks identified in the RA, and that the ATO includes any special
conditions that apply.
Accreditation Documentation
Authority to Operate (ATO) - The system is authorized to operate under
conditions outlined in the ATO letter.
Interim Authority to Operate (IATO) - The system may operate, but has
deficiencies that must be corrected within a specified time period.
Denial/Revocation - The DAA denies or removes authorization to operate.
Briefing materials
Provide briefing materials to justify the risk decision.
Recommendation Report
Provide recommendations to correct, eliminate or reduce any deficiencies
or vulnerabilities specified in the SAR.
Prepared by Jim W. DeRienzo
Cloudburst Security, LLC

4. RISK Management Framework
Phase 3: Continuous Monitoring
Step 6: Monitor Security Controls
Configuration Management and
Control
Document Information System Changes - Determine that information
system changes are documented.
Security Impact Analysis - Analyze the security impact of proposed and
actual system changes.
Security Control Monitoring
Security Control Selection - Selects controls for continuous monitoring
assessment.
Example: MA-4 (Remote Maintenance), SC-7 (Boundary Protection), SI-3
(Malicious Code Protection)
Selected Security Control Assessment - Assess controls designated for
continuous monitoring. Example: check VPN/remote access logs daily;
check firewall rule set daily; update A/V daily.
Status Report and Documentation
Update System Security Plan - Periodically review and update the SSP
Update POA&Ms - Review and update the POA&Ms
Report Security Status to DAA - Report the security status of the
information system to the System Owner, who in turn reports to the DAA.
Prepared by Jim W. DeRienzo
Cloudburst Security, LLC