Resources

The first step is to prepare all areas of the organization to embed the Risk Management Framework (RMF). This includes performing initial risk management tasks to contextualize the organization and its security risks and notifying all levels of the organization of their roles and responsibilities.

The preparation phase is focused on both the system and the organization. Reviewing existing controls and system security risks helps organizations understand the system-wide standards of security. This helps stakeholders identify and define common controls on an organization-wide level.

Tasks to complete during the preparation phase include:

• Communication with all levels of the organization about RMF compliance and responsibilities
• Establishing roles and responsibilities for the integration of the risk management system
• Mapping system and network boundaries and creating an inventory of assets and devices
• Identifying and recording baselines for common controls across systems and the entire organization
• Preparing the allocation of resources to protect high-value systems and assets.

In this step, organizations will categorize different systems in line with the type of information being processed and the level of risk of a cybersecurity incident. Documenting system characteristics and categorizing the security needs of each system component is an important step towards embedding the Risk Management Framework. Organizations can then understand the level of security controls, or the volume of resources required for each system. Categorization also means all system elements are within the same descriptive framework.

The process explores the potential impact an incident may have on areas of the system. Some systems may handle more sensitive information or are critical to the ongoing performance of the organization. These systems are deemed high risk as they pose the biggest potential impact to the organization if adversely targeted.

Tasks to complete during the categorization phase include:

• Categorize information systems by type and the potential adverse impact from cybersecurity incidents
• Provide each system with a risk value of low, moderate, or high, for different security objectives
• Outline an overall risk level for individual systems that considers information types, security objects, and potential risks.

NIST SP 800-53 is a collection of security and privacy controls developed to safeguard government and non-federal information systems. It was developed by the National Institute of Standards and Technology (NIST) as part of its FISMA requirements. The controls aim to protect the integrity of systems and any user data they may contain. NIST 800-53 compliance is a requirement for federal and government agencies, but also contractors who operate on federal networks and systems.

Organizations must select and embed relevant controls from the publication to safeguard user privacy and system security. The controls focus on strengthening the integrity, confidentiality, and availability of federal systems. Controls and requirements are selected in line with the risk assessment in the categorization step. The selected controls will inform privacy and security plans. Required controls will be outlined in the contractual agreement with DoD contractors.

Tasks to complete during this phase of control selection include:

• Selecting and tailoring security and privacy controls based on the needs and risks of individual system areas or environments. This is based on the information collected during the categorization step.
• Identifying enhanced controls for high-risk system elements or unique organizational requirements.
• Documenting controls to evidence compliance with any privacy and security requirements.

In this step, organizations will determine whether the controls implemented in the previous phase are functioning correctly. Organizations will need to assess whether these controls are operating as expected and meeting system and organization security requirements.

This phase requires the initial steps of selecting an assessment team and developing an assessment plan. Once the plan is approved, each control can then be reviewed and assessed.

Reports on the outcome of assessment for each control should be reviewed, with further steps taken to resolve any found issues. Organizations can leverage automated system audit tools, such as Titania Nipper, to assess each control efficiently. A plan of action with milestones (POAM) should be deployed for any controls that are not functioning correctly.

Tasks to complete during the assessment phase include:

• Developing an assessment plan for both security and privacy controls
• Assigning an assessment team to carry out the assessment plan and review of controls
• Assessing each control and producing reports to document compliance or issues
• Updating security plans if controls are changed because of the assessment
• Producing a POAM to address any unresolved issues with controls.

The final step is the ongoing monitoring and maintenance of system security and information privacy. Systems will need to be continuously monitored in line with an established strategy and process. Security controls should be regularly assessed as part of this strategy. Activity logs will also be reviewed, and the ongoing risk assessment reports provided to senior management.

Ongoing monitoring is a key element of a successful Risk Management Framework. Controls and policies can be adapted to meet emerging threats, and the ongoing effectiveness of controls can be assessed and maintained.

The tasks to complete during this final step include:

• Deploying a program to continuously monitor systems and controls over time
• Adapting systems when required to meet emerging threats, new vulnerabilities, and updated technology
• Improving the efficiency of monitoring through automated auditing tools to provide real-time insights into risk management.