Activities and deliverables:
Conduct Minimum Security Baseline Assessment
• Minimum Security Baseline Report
Assess Risks
• Risk Assessment Report
Perform Vulnerability Scanning
• Vulnerability Scan Results
Develop Security Plan
• Draft System Security Plan
Perform Certification Testing
• Certification Test Plan
Prepare Certification Package
• Certification Test Results
• Updated System Security Plan
• Certification Statement
Submit Certification Package
• Transmittal
Accredit System
• Accreditation Statement
NIST SP 800-37 C&A tasks mapped to the SDLC. Rows of the original chart give Primary Responsibility (System Owner, Authorizing Official, Certification Agent); each task lists its SDLC phase and its NIST 800-37 phase.

Phase 1 – Task 1: Prepare Documentation (SDLC: Initiation, Phase 1; NIST 800-37: Initiation)
1. Describe the System
2. Categorize its C.I.A.
3. Identify Threats to it
4. Identify its Vulnerabilities
5. Identify In-Place and Planned Security Controls
6. Determine its Initial Risks

Phase 1 – Task 2: Notify Officials & Identify Resources (SDLC: Planning, Phase 3; NIST 800-37: Initiation)
1. Notify Program Officials
2. Identify Resources Needed and Plan Execution of Activities

Phase 1 – Task 3: Analyze, Update & Accept System Security Plan (SDLC: Multiple Phases 4-6; NIST 800-37: Initiation)
1. Review Security C.I.A. Categorizations
2. Analyze Security Plan
3. Update Security Plan
4. Obtain Authorizing Official Acceptance of Security Plan

Phase 2 – Task 4: Assess & Evaluate Security Controls (SDLC: Integration & Test, Phase 7; NIST 800-37: Certification)
1. Prepare Documentation & Supporting Materials
2. Review Methods and Test Procedures
3. Assess & Evaluate In-Place Security Controls
4. Report Security Assessment Results

Phase 2 – Task 5: Document Security Certification (SDLC: Integration & Test, Phase 7; NIST 800-37: Certification)
1. Provide Findings and Recommendations
2. Update Security Plan
3. Prepare Plan of Action & Milestones
4. Assemble Accreditation Package

Phase 3 – Task 6: Make Security Accreditation Decision (SDLC: Integration & Test, Phase 7; NIST 800-37: Accreditation)
1. Determine Final Risk Levels
2. Accept Residual Risk

Phase 3 – Task 7: Document Security Accreditation (SDLC: Integration & Test, Phase 7; NIST 800-37: Accreditation)
1. Transmit Security Accreditation Package
2. Update Security Plan

Phase 4 – Task 8: Manage & Control Configuration (SDLC: O&M, Phase 9; NIST 800-37: Monitoring)
1. Document System Changes
2. Analyze Security Impacts

Phase 4 – Task 9: Monitor Security Controls (SDLC: O&M, Phase 9; NIST 800-37: Monitoring)
1. Select In-Place Security Controls
2. Assess Selected Security Controls

Phase 4 – Task 10: Report & Document Status (SDLC: O&M, Phase 9; NIST 800-37: Monitoring)
1. Update Security Plan
2. Update Plan of Action & Milestones
3. Report Status
RMF steps (NIST SP 800-37):
1. Categorize
2. Select
3. Implement
4. Assess: "... the controls are implemented correctly, operating as intended, and producing the desired outcome"
5. Authorize
6. Monitor
Document: Remember
NIST SP 800-37: C&A program, overall process, guidelines
FIPS 199: Standard to define criticality / sensitivity
NIST SP 800-60: Guideline to define criticality / sensitivity
FIPS 200: Standard to select controls
NIST SP 800-53: Guidelines for selecting controls, control catalog
NIST SP 800-53A: Guidelines for assessing controls, audit
NIST SP 800-30: Risk Assessment guidelines
NIST SP 800-18: Guidelines for System Security Plans
NIST SP 800-64: Guidelines for Security and the SDLC
NIST SP 800-70: Security Configuration Checklist Program
NIST SP 800-47: Guideline for System Interconnections (MOU/MOA)
NIST SP 800-34: Contingency Planning Guide
NIST SP 800-61: Computer Security Incident Handling Guide
Methodology comparison, by phase (Phase 1; Phase 2; Phase 3; Phase 4):
NIST SP 800-37: Initiation; Security Certification; Security Accreditation; Continuous Monitoring
NIACAP: Definition; Verification; Validation; Postaccreditation
DITSCAP: Definition; Verification; Validation; Postaccreditation
DIACAP: Definition; Verification; Validation; Postaccreditation
(ISC)2 CAP: Preparation; Execution; Maintenance (three stages spanning the four phases)
RMF: Steps 1-3 (Categorize, Select, Implement); Step 4 (Assess); Step 5 (Authorize); Step 6 (Monitor)
"This instruction applies to: (2) All DoD IT that receive, process, store, display, or transmit DoD information. These technologies are broadly grouped as DoD IS, platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, test and evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD." - DoDI 8510.01, para 2a
DoD authorization life cycle activities:
1. Initiate and Plan
2. Implement and Validate
3. Decision to Authorize
4. Maintain Authorization
5. Decommission
RMF steps: Categorize, Select, Implement, Assess, Authorize, Monitor
Security is most useful and cost-effective when such integration begins with a system development or integration project initiation, and is continued throughout the SDLC through system disposal. A number of federal laws and directives require integrating security into the SDLC, including the Federal Information Security Management Act (FISMA) and Office of Management and Budget (OMB) Circular A-130, Appendix III. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-64 Rev. 1, Security Considerations in the Information System Development Life Cycle, presents a framework for incorporating security into all phases of the SDLC,
All information technology (IT) projects have a starting point, what is commonly referred to as the initiation phase. During the initiation phase, the organization establishes the need for a particular system and documents its purpose. The information to be processed, transmitted, or stored is typically evaluated, as well as who is required access to such information and how (in high-level terms). In addition, it is often determined whether the project will be an independent information system or a component of an already-defined system. A preliminary risk assessment is typically conducted in this phase, and security planning documents are initiated (system security plan). (NIST SP 800-100)

During this phase, the system is designed, purchased, programmed, developed, or otherwise constructed. This phase often consists of other defined cycles, such as the system development cycle or the acquisition cycle. During the first part of the development/acquisition phase, the organization should simultaneously define the system's security and functional requirements. These requirements can be expressed as technical features (e.g., access control), assurances (e.g., background checks for system developers), or operational practices (e.g., awareness and training). During the last part of this phase, the organization should perform developmental testing of the technical and security features/functions to ensure that they perform as intended prior to launching the implementation and integration phase. (NIST SP 800-100)

In the implementation phase, the organization configures and enables system security features, tests the functionality of these features, installs or implements the system, and finally, obtains a formal authorization to operate the system. Design reviews and system tests should be performed before placing the system into operation to ensure that it meets all required security specifications. (NIST SP 800-100)

An effective security program demands comprehensive and continuous understanding of program and system weaknesses. In the operation and maintenance phase, systems and products are in place and operating, enhancements and/or modifications to the system are developed and tested, and hardware and/or software is added or replaced. During this phase, the organization should continuously monitor performance of the system to ensure that it is consistent with preestablished user and security requirements, and needed system modifications are incorporated. (NIST SP 800-100)

The disposal phase of the system life cycle refers to the process of preserving (if applicable) and discarding system information, hardware, and software. This step is extremely important because during this phase, information, hardware, and software are moved to another system, archived, discarded, or destroyed. If performed improperly, the disposal phase can result in the unauthorized disclosure of sensitive data. (NIST SP 800-100)
should be risk-based
Risk Management Framework (RMF), NIST SP 800-37 Rev 1, mapped to the C&A phases:
Initiation (Definition): Categorize, Select, Implement
Certification (Verification): Assess
Accreditation (Validation): Authorize
Continuous Monitoring (Postaccreditation): Monitor
Understanding the Risk Management Framework & (ISC)2 CAP Module 4: Life Cycle