Course 3 Module 1 - Risk Management Framework (RMF)

By the end of this module, you’ll know how to:

• describe and document the system for management and tracking;
• categorize the system, including the information processed by the system, represented by the organization’s identified information types, and understand the purpose of the system, and the data sensitivity;
• security categorization results will be reviewed and approved by senior leaders in the organization.

The sources listed here can be used as Guidance for Step 3: Selecting Security Controls.

NIST SP 800-53 R5: Security and Privacy Controls for Information Systems and Organizations

NIST SP 800-53B: Control Baselines for Information Systems and Organizations

NIST SP 800-37 is the Guide for Applying RMF to Federal Information Systems

https://csrc.nist.gov/publications/sp800

Welcome to the Risk Management Framework, or RMF, Implement Step. This course focuses on the Implement Step, and by the end of the course, you will be able to define the Implement Step in the RMF.

The purpose of the Implement Step is to implement the controls in the Security and Privacy Plans for the system and the organization and to document in a baseline configuration, the specific details of the Control Implementation.

Objectives

Before you begin, consider the following course learning objectives.

• Identify Policies and guidelines for the Implement Step in the RMF

• Identify the two tasks and associated inputs, outputs, roles, and responsibilities in the Implement Step.

Lessons:

The course is divided into two lessons:

Lesson 1: Policies and Guidelines

Lesson 2: Tasks, Potential Inputs & Expected Outputs, Roles and Responsibilities

Risk Management Framework

Welcome to Risk Management Framework –RMF Step 5: Assessing Security Controls. Once the security controls are implemented, they must be assessed, the results documented in the Security Assessment Report, and remediation efforts completed.

Objectives

By the end of this lesson, you should be able to:

• Select an Assessor
• Develop and approve a security assessment plan,
• Assess security controls based on the plan,
• Document security assessment results,
• Conduct remediation activities.
•  Start with the development of a Plan Of Action and Milestones

Sources

The authoritative sources listed here are to be used for Security Control Assessment Guidance:

• NIST Special Publication 800-53A Revision 5, Assessing Security and Privacy Controls in Information Systems and Organizations
• NIST Special Publication 800-37 R2 is the Guide for Applying RMF to Federal Information Systems

Purpose

The purpose of the Assess step is to determine if the controls selected for implementation are implemented correctly, operating as intended, and producing the desired outcome concerning meeting the security and privacy requirements for the system and the organization.

Purpose

The purpose of the Authorize step is to provide organizational accountability by requiring a senior management official to determine if the security and privacy risk (including supply chain risk) to organizational operations and assets, individuals, other organizations, or the Nation based on the operation of a system or the use of common controls, is acceptable.

By the end of this lesson, it is expected that:

• An authorization package is developed for submission to the authorizing official.
• A risk determination by the authorizing official that reflects the risk management strategy including risk tolerance, is rendered.
• Risk responses for determined risks are provided.
• The authorization for the system or the common controls is approved or denied.
• Authorization decisions, significant vulnerabilities, and risks are reported to organizational officials.

Purpose

The purpose of the Monitor step is to maintain an ongoing situational awareness about the security and privacy posture of the information system and the organization in support of risk management decisions.

At the end of this lesson, it is expected that:

• The information system and environment of operation are monitored in accordance with the continuous monitoring strategy.
• Ongoing assessments of control effectiveness are conducted in accordance with the continuous monitoring strategy.
• The output of continuous monitoring activities is analyzed and responded to appropriately.
• Risk management documents are updated based on continuous monitoring activities.
• A process is in place to report the security and privacy posture to the authorizing official and other senior leaders and executives.
• Authorizing officials conduct ongoing authorizations using the results of continuous monitoring activities and communicate changes in risk determination and acceptance decisions.
• A system disposal strategy is developed and implemented, as needed.