Risk Management Framework (RMF)
The Kingsmen Security Group understands that NIST's risk-based approach to security control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. We employ the following six steps related to managing organizational risk (also known as the Risk Management Framework) as required by FISMA guidance. KSG recognizes that the RMF is paramount to an effective information security program and can be applied to both new and legacy information systems within the context of the system development life cycle and the Federal Enterprise Architecture.
Read below for more detailed information on the six steps of the RMF and to see how KSG can assist your organization in the proper navigation, preparation, documentation and execution of each.
Step 1: Categorize
Tasks:
Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.
Guidance Utilized:
- FIPS 199 - Standards for Security Categorization of Federal Information and Information Systems
- SP 800-60 - Guide for Mapping Types of Information and Information Systems to Security Categories
- SP 800-18 - Guide for Developing Security Plans for Federal Information Systems
- OMB A-11/Agency - Budget Guidance
Deliverables:
- FIPS 199 System Categorization
- Initial System Security Plan
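The following is an added worked example of the Step 1 categorization rule and is not KSG's own tooling or any NIST-published code. It applies the FIPS 199 high-water mark: each security objective (confidentiality, integrity, availability) takes the highest impact level found across every information type the system handles, and the overall system impact level is the highest of the three, which is what later drives the choice of SP 800-53 baseline. The information types and their provisional impact levels are constructed for illustration; in practice they come from SP 800-60 Volume II and the agency's own adjustments, and the function and variable names are the example's own.

```python
"""Worked example of FIPS 199 security categorization (RMF Step 1).

Example code added for illustration; not part of KSG's services or NIST
guidance. Sample information types and impact levels are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# FIPS 199 impact levels in ascending order; the position in this tuple is
# the rank used for the high-water mark comparison.
LEVELS = ("LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its (adjusted) impact level per objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def level(self, objective: str) -> str:
        return getattr(self, objective)


def _normalize(level: str) -> str:
    """Accept any capitalization but reject anything outside FIPS 199."""
    lvl = level.strip().upper()
    if lvl not in LEVELS:
        raise ValueError(f"unknown impact level {level!r}; expected one of {LEVELS}")
    return lvl


def high_water_mark(levels: Iterable[str]) -> str:
    """Return the highest impact level among *levels* (FIPS 199 / FIPS 200 rule)."""
    ranked = [_normalize(lvl) for lvl in levels]
    if not ranked:
        raise ValueError("at least one impact level is required")
    return max(ranked, key=LEVELS.index)


def categorize_system(info_types: List[InfoType]) -> Tuple[Dict[str, str], str]:
    """Aggregate impact per objective across all information types the system
    processes, stores or transmits, then derive the overall system level."""
    per_objective = {
        obj: high_water_mark(it.level(obj) for it in info_types)
        for obj in OBJECTIVES
    }
    overall = high_water_mark(per_objective.values())
    return per_objective, overall


def fips199_notation(per_objective: Dict[str, str]) -> str:
    """Render the SC = {(objective, impact), ...} notation used in FIPS 199."""
    inner = ", ".join(f"({obj}, {lvl})" for obj, lvl in per_objective.items())
    return "SC = {" + inner + "}"


def sp80053_baseline(overall: str) -> str:
    """The overall impact level selects the SP 800-53 control baseline (Step 2)."""
    return f"SP 800-53 {_normalize(overall).capitalize()} baseline"


# Constructed sample: a hypothetical agency benefits-processing system.
SAMPLE_SYSTEM = [
    InfoType("Public web content", "LOW", "LOW", "LOW"),
    InfoType("Personnel records", "MODERATE", "MODERATE", "LOW"),
    InfoType("Budget reporting", "LOW", "MODERATE", "LOW"),
]


if __name__ == "__main__":
    per_obj, overall_level = categorize_system(SAMPLE_SYSTEM)
    print(fips199_notation(per_obj))
    print("Overall impact level:", overall_level)
    print("Starting point for Step 2:", sp80053_baseline(overall_level))
```

Note that the per-objective result is what the FIPS 199 categorization deliverable records, while the single overall level is what FIPS 200 uses to pick the initial baseline; keeping both avoids the common mistake of documenting only the overall level and losing the objective-specific detail needed when tailoring controls later.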
Step 2: Select
Tasks:
Select an initial set of baseline security controls for the information system based on the security categorization; tailor and supplement the security control baseline as needed based on the organizational assessment of risk and local conditions.
Guidance Utilized:
- FIPS 200 - Minimum Security Requirements for Federal Information and Information Systems
- SP 800-18 - Guide for Developing Security Plans for Federal Information Systems
- SP 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations
- SP 800-37 - Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
Deliverables:
- Further developed SSP
- Baseline security control set
- Continuous Monitoring strategy
- Privacy Impact Analysis (PIA)
Step 3: Implement
Tasks:
Implement the security controls and document how the controls are deployed within the information system and environment of operation. See the appropriate NIST publication in the publications section.
Guidance Utilized:
- SP 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations
Deliverables:
- A completed security control set for the IT system
Step 4: Assess
Tasks:
Assess the security controls using appropriate procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Guidance Utilized:
- SP 800-53A - Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
Deliverables:
- Security Assessment Report (draft and final, with all components therein)
Step 5: Authorize
Tasks:
Authorize information system operation based upon a determination of the risk to organizational operations and assets, individuals, other organizations, and the nation resulting from the operation of the information system, and the decision that this risk is acceptable.
Guidance Utilized:
- SP 800-37 - Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
- SA&A produced artifacts
Deliverables:
- Plan of Action and Milestones (POAMS)
Step 6: Monitor
Tasks:
Monitor and assess selected security controls in the information system on an ongoing basis, including assessing security control effectiveness, documenting changes to the system or environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to appropriate organizational officials.
Guidance Utilized:
- SP 800-53A - Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
- SP 800-37 - Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
- SP 800-115 - Technical Guide to Information Security Testing and Assessment
- SP 800-88 - Guidelines for Media Sanitization (in cases of system disposal)
Deliverables:
- ISCM Plan
- SSP Security Impact Analysis (SIA)
- SSP, SAR, and POAMS