Defense Security Service

Risk Management Framework

(RMF)

August 2016

1
What is Risk Management Framework (RMF)

• It is a unified information security framework for the

entire federal government that replaces legacy
Certification and Accreditation (C&A) Processes
applied to information systems

• RMF is a key component of an organization’s

information security program used in the overall
management of organizational risk

-2-
RMF Policy References

-3-
 RMF Process Stakeholders: New Terminology
Many RMF stakeholder titles have been revised in the transition from C&A. The following table outlines
former terms in the C&A process as well as the corresponding new terms in the RMF process. You may
continue hearing both sets of terms during the transition to RMF.

Old Term in the C&A Process New Term in the RMF Process

Designated Approving Authority (DAA) Authorizing Official (AO)

Regional Designated Approving Authority (RDAA) Regional Authorizing Official (RAO)

Office of the Designated Approving Authority (ODAA) NISP Authorization Office

Information System Security Professional (ISSP) Security Control Assessor (SCA)

Customer, Government Contracting Activity (GCA) Information Owner (IO)

Contractor Information System Owner (ISO)

Information System Security Manager (ISSM) ISSM

Information System Security Officer (ISSO) ISSO

*Titles will remain the same in RMF .

-4-
Connecting the Dots Old and New

Process C&A RMF

ODAA Business Management System (OBMS) same same
SSP Template same same
Categorization Basic, Med, High Low, Mod, High
PLs Accessibility

Certification Statement same same

Risk Acknowledgement/Tailoring-out Risk Tailored-Out/Risk
Acknowledged Acknowledgement

MOU/Enhancements MOU MOU/ISA

Standing-Up Like System Self- Type
Certification Authorization

Controls NISPOM Refs NIST Controls

Approval to Process Accreditation Authorization

-5-
 Connecting the Dots Cont.

Process C&A RMF

Submission Validation SSP SSP

within OBMS Certification Statement Certification Statement
Profile POAM
Risk Assessment Report

Assessment Comments Comments Form Security Assessment Report

on issues (SAR)

-6-
Key Factors Driving the Transition to RMF

Effective and Efficient

Risk Management
Common Foundation
Shift from a static,
“check-the-box” mentality for Information Security
to a flexible, dynamic Implement a common
approach to assess and foundation for information
manage risk more security that aligns to
effectively and efficiently. federal government
standards for DSS and
cleared contractors for a
more uniform and
DSS is implementing consistent approach to
the RMF process to manage risk associated
assess and authorize with the operation of a
Information Systems classified IS.
(IS).
Trust Across the
Federal Government
Build reciprocity with
other federal agencies to
Streamline DSS
develop trust across the
processes
federal government
through a more holistic, Streamline DSS
processes to support the
flexible, and strategic
authorization of a cleared
process for the risk contractor’s IS processing
management of IT classified information as
systems. part of the NISP.

-7-
Roles and Responsibilities in the RMF Process
Role Responsibilities
Authorizing Official (AO)
(formerly the DAA) and • Formally assumes responsibility for operating an IS at an
Designated Authorizing acceptable level of risk to organizational operations, organizational
Official (DAO) (formerly the assets, individuals, other organizations, and national security
RDAA)
• Performs oversight of a contractor’s IS processing classified
information
• Conducts a comprehensive assessment of the management,
operational, and technical security controls employed within or
Security Control Assessor inherited by an IS to determine the overall effectiveness of the
(SCA) (formerly the ISSP) controls
• Provides an assessment of the severity of weaknesses or
deficiencies discovered in the IS and its environment of operation
and recommends corrective actions
• Provides an authorization decision recommendation to the DAO

Common Control Provider

• Assumes responsibility for the development, implementation,
(CCP) (formerly the Host assessment, and monitoring of common security controls
“Node”)

• Holds statutory, management, or operational authority for specific

information to establish the policies and procedures governing its
Information Owner generation, collection, processing, dissemination, and disposal
(IO)/Government Contracting • Establishes the rules for appropriate use and protection of the
Activity (GCA) (a.k.a. the subject information and retains that responsibility when the
Customer) information is shared with or provided to other organizations
• Provides input to the Information System Owners (ISOs) regarding
data

-8-
Roles and Responsibilities in the RMF Process

Role Responsibilities
Information System Owner
(ISO) (a.k.a. GCA for • Holds responsibility for the procurement, development, integration,
modification, operation, maintenance, and disposal of an IS
government systems and • Addresses the operational interests of the user community and
ISSM for contractor-owned ensures compliance with information security requirements
systems)
• Serves as a principal advisor on all matters, technical and
otherwise, involving the security of an IS under her/his purview
• Ensures physical and environmental protection, personnel security,
incident handling, and security training and awareness
Information System Security • Monitors a system and its environment of operation to include
developing and updating the System Security Plan (SSP),
Manager (ISSM) managing and controlling changes to the system, and assessing
the security impact of those changes
• Must be trained to the level commensurate with the complexity of
the contractor’s IS or have a local ISSO who is trained.

• Supports the ISSM in their efforts to implement security

requirements for classified information systems
Facility Security Officer • Ensures physical and environmental protection, personnel security,
incident handling, and security training and awareness
Information System Security • If appointed, supports the ISSM in their efforts to implement
Officer (ISSO) security requirements as mandated by NISPOM and DAAPM.
• Configures and manage the IS configuration

-9-
RMF Process Walk Through: Introduction
RMF is a six step process designed to build information security capabilities into Information Systems (IS)
throughout the NISP through the application of community best practices for IS management, operational, and
technical security controls. The RMF process is explained in further detail in the ISOM and the DAAPM.

1. Categorize the
Information System

6. Monitor the
Information System 2. Select Security
Controls

Risk
Management
Framework
3. Implement Security
Controls
5. Authorize the
Information System

4. Assess Security
Controls

- 10 -
RMF Process Walk Through
Step 1: Categorize the IS
 The ISSM/ISSO categorizes the IS based on the impact due to a loss of confidentiality (moderate/high), integrity
(low/moderate/high), and availability (low/moderate/high) of the information or IS according to information provided by
the IO.
 Industry should perform a Risk/Threat Assessment for specific concerns for their Facility/Program.
 Absent any other requirements Industry may use the DSS baseline of moderate/low/low.
 The ISSM then documents the description, including the system/authorization boundary in the System Security Plan
(SSP)
 ISSM assign qualified personnel to RMF roles and document team member assignments in the Security Plan

This step will result in the following:

• Artifact(s): Risk Assessment and start initial SSP describing the IS Risk(s)
• See NIST SP 800-30 (Risk Assessment) for additional guidance.

1. Categorize
the Information
System

6. Monitor the 2. Select

Information Security
System Controls

Risk Management
Framework
5. Authorize
the Information
System 3. Implement
Security Controls
4. Assess
Security
Controls
- 11 -
Risk Assessment Report (RAR)

- 12 -
RMF Process Walk Through
Step 2: Select Security Controls
 The ISSM (and ISSO, as appropriate) selects the security control baseline applicable to the IS based upon the results
of the categorization and tailors the controls as needed by supplementing, modifying, or tailoring out controls to
effectively manage risk for any unique system conditions.
 The ISSM (and ISSO, as appropriate) develops a strategy for continuous monitoring of security control effectiveness.
 The ISSM then documents the results of selecting the security controls in the SSP via the OBMS.
 The assigned ISSP/SCA reviews the SSP to ensure it meets the necessary security requirements and effectively
identifies potential risks to the IS. The ISSP/SCA also reviews the ISSM-recommended deltas from the standard
baseline.
 The ISSP/SCA then notifies the ISSM of concurrence with selected security controls.
This step will result in the following:
• Outcome: Agreed upon security control set.
• Artifact(s): Continuous monitoring strategy and updated SSP with controls identified.

1. Categorize
the Information
System

6. Monitor the 2. Select

Information Security
System Controls

Risk Management
Framework
5. Authorize 3. Implement
the Information Security
System Controls

4. Assess
Security
Controls
- 13 -
Security Controls - Overlays

- 14 -
SSP Controls

- 15 -
RMF Process Walk Through
Step 3: Implement Security Controls
 The ISSM and ISSO implement security controls for the IS and may conduct an initial assessment to facilitate early
identification of weaknesses and deficiencies.
 The ISSM then documents the security control implementation in the Security Controls Traceability Matrix (SCTM)
portion of the SSP via the OBMS.
This step will result in the following:
• Outcome: Implemented security requirements.
• Artifact(s): Updated SSP with a functional description of security control implementation.

1. Categorize
the Information
System

6. Monitor the 2. Select

Information Security
System Controls

Risk Management
Framework
5. Authorize 3. Implement
the Information Security
System Controls

4. Assess
Security
Controls
- 16 -
RMF Process Walk Through
Step 4: Assess Security Controls - Part One
 The ISSM, with the ISSO, develops a Security Assessment Plan (SAP) that addresses objectives for the assessment,
methods for verifying security control compliance, the schedule for the initial control assessment, and actual
assessment procedures. (Cleared Industry can leverage assessment procedures in the DAAPM).
 The ISSM then conducts the initial assessment of the effectiveness of the security controls and documents the issues,
findings, and recommendations in a Security Assessment Report (SAR).
 The ISSM, after the initial assessment, conducts remediation actions based on the findings and recommendations in
the Plan of Action and Milestones (POA&M), signs a Certification Statement, and submits the SSP (using the OBMS) to
DSS.

1. Categorize
the Information
System

6. Monitor the 2. Select

Information Security
System Controls

Risk Management
Framework
5. Authorize 3. Implement
the Information Security
System Controls

4. Assess
Security
Controls
- 17 -
RMF Process Walk Through
Step 4: Assess Security Controls - Part Two
 The ISSP/SCA receives the SSP, performs an SSP review, and conducts an on-site validation/assessment.
 The ISSP/SCA informs the ISSM of any additional deficiencies or weaknesses discovered and identifies necessary
remediation actions in a POA&M.
 The ISSP/SCA schedules a revalidation visit if necessary and makes final updates to the SAR.
This step will result in the following:
• Outcome: Tested, evaluated, and remediated security controls.
• Artifact(s): SAR, and final SSP.
Additional guidance for assessing controls: NIST SP 800-53A

1. Categorize
the Information
System

6. Monitor the 2. Select

Information Security
System Controls

Risk Management
Framework
5. Authorize 3. Implement
the Information Security
System Controls

4. Assess
Security
Controls
- 18 -
RMF Process Walk Through
Step 5: Authorize the IS
 The ISSP/SCA reviews and submits the security authorization package to the DAO.
 The DAO assesses the security authorization package and issues an authorization decision for the IS—either
Authorization to Operate (ATO) or Denied Authorization to Operate (DATO)—which includes any terms and conditions
of operation as well as the authorization termination date (ATD).
This step will result in the following:
• Outcome: Risk determination and acceptance decision by the DAO.
• Artifact(s): Complete security authorization determination to include the POA&M.

1. Categorize
the Information
System

6. Monitor the 2. Select

Information Security
System Controls

Risk Management
Framework
5. Authorize 3. Implement
the Information Security
System Controls

4. Assess
Security
Controls
- 19 -
RMF Process Walk Through
Step 6: Monitor the IS
 The ISSM determines the security impact of proposed or actual changes to the IS and its operating environment and
informs the ISSP/SCA as necessary.
 The ISSM assesses a selected subset of the security controls, based on the approved continuous monitoring strategy,
and informs the ISSP/SCA of the results.
 The ISSM updates SSP documentation and works to satisfy POA&M requirements, and provides regular status reports
to their ISSP/SCA per the continuous monitoring strategy.
 The ISSM conducts any necessary remediation actions based on findings discovered during continuous monitoring.
 The ISSM ensures IS security documentation is updated and maintained and reviews the reported security status of the
IS.
 As necessary, the ISSM develops and implements an IS decommissioning strategy.
This step will result in the following:
• Outcome: Continued evaluation and remediation of the authorized IS.
• Artifact(s): Updated POA&M, updated SSP, and decommissioning strategy (as necessary).

1. Categorize
the Information
System

6. Monitor the 2. Select

Information Security
System Controls

Risk Management
Framework
5. Authorize 3. Implement
the Information Security
System Controls

4. Assess
Security
Controls
- 20 -
 Security Controls and Continuous Monitoring
The RMF process will manage risk more effectively through the introduction of security controls and
continuous monitoring of those controls.
Purpose of Security Controls and Continuous Monitoring Benefits of Security Controls and Continuous Monitoring

Assess security control effectiveness for an IS Facilitate more efficient enterprise management of
Document changes to the IS or its environment of cybersecurity
operation Increase security in the system development and
Conduct security impact analyses of associated acquisition processes
changes Ensure compliance with national standards and
Report the security status of an IS reporting requirements

National Industrial Security Program Operating Manual (NISPOM)

NIST SP 800-37: Guide for Applying the Risk Management Framework to

Federal Information Systems
Resources to assist in
the RMF Process NIST SP 800-137: Information Security Continuous Monitoring (ISCM) for
Federal Information Systems and Organizations
Many additional
resources can be found
NIST SP 800-53: Security and Privacy Controls for Federal Information
on the NIST website ( Systems and Organizations
www.nist.gov)
NIST SP 800-53A: Assessing Security and Privacy Controls in Federal
Information Systems and Organizations: Building Effective Assessment Plans

Committee on National Security Systems Instruction (CNSSI) 1253: Security

Categorization and Control Selection for National Security Systems

- 21 -
 Transition Timeline
System Accreditation Status Transition Timeline / Instructions
System Accreditation Status
Transition Timeline / Instructions
 
System Security Plan /Master Continue using current C&A process with the latest version of the
Local Area Network, Wide Area Network or Interconnected System between August 1, 2016 – 28 February 2017
System
 
Security Plan (MSSP) ODAA Process Manual. The ATO will last no greater than 18 months
submitted
  prior to October 3, starting October 3, 2016. Within six months of authorization, develop a
2016.
   Plan of Action and Milestones (POA&M) for transition to RMF.
 

SSPs/MSSPs after Execute RMF Assessment and Authorization through the DAAPM.
October 3, 2016.  
Standalones are no longer allowed to be self-certified under the C&A
process.
Local Area Network (LAN), Phase 1: Cleared contractors continue using the current C&A process
Wide Area Network (WAN) or with the latest version of the ODAA Process Manual. ATO will last no
Interconnected System after greater than 18 months starting October 3, 2016. Within six months of
October 3, 2016. authorization, develop a POA&M for transition to RMF.
 
Phase 2: Execute RMF Assessment and Authorization process through
the DAAPM. (Timeline TBD.)

- 22 -
Resources

CDSE Training courses

• Introduction to RMF (CS124.16)
• Continuous Monitoring (CS200.16)
• Categorization of the System (CS102.16)
• Selecting Security Controls (CS103.16)
• Implementing Security Controls (CS104.16)
• Assessing Security Controls (CS105.16)
• Authorizing Systems (CS106.16)
• Monitoring Security Controls (CS107.16)

• www.dss.mil/rmf

- 23 -