Step 1. Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.
Step 2. Select an initial set of baseline security controls for the information system based on the security categorization, tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions.
Step 3. Implement the security controls and describe how the controls are employed within the information system and its environment of operation.
Step 4. Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Step 5. Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.
Step 6. Monitor the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.
These six steps span system design and development and continue through the system's entire lifecycle. My main concern in this blog is Step 4 and Step 5: assessing the controls that are selected in Step 2 and implemented in Step 3.
Security and privacy assessments can be effectively carried out at various stages in the system development life cycle to increase the grounds for confidence that the security and privacy controls employed within or inherited by an information system are effective in their application.
NIST SP 800-53A Revision 4
My next post will be to dive into SP 800-53A.