6 Steps of RMF
Categorize
Step 1. Governing documents used in this step: FIPS 199, NIST SP 800-60.
Four sub-tasks in this step:
1. Categorize the system in accordance with the CNSSI.
2. Initiate the System Security Plan (SSP).
3. Register the system with the DoD Component Cybersecurity Program.
4. Assign qualified personnel to RMF roles.
Select
Step 2. Governing documents used in this step: FIPS 200, NIST SP 800-53.
Five sub-tasks in this step:
1. Common control identification.
2. Select security controls.
3. Develop a system-level continuous monitoring strategy.
4. Review and approve the System Security Plan (SSP) and continuous monitoring strategy.
5. Apply overlays and tailor.
Implement
Step 3. Governing documents used in this step: NIST SP 800-70.
Two sub-tasks in this step:
1. Implement control solutions consistent with DoD Component Cybersecurity architectures.
2. Document security control implementation in the System Security Plan (SSP).
Assess
Step 4. Governing documents used in this step: NIST SP 800-53A.
Four sub-tasks in this step:
1. Develop and approve the Security Assessment Plan (SAP).
2. Assess security controls.
3. The SCA prepares the Security Assessment Report (SAR).
4. Conduct initial remediation actions.
Authorize
Step 5. Governing documents used in this step: NIST SP 800-37.
Four sub-tasks in this step:
1. Prepare the POA&M.
2. Submit the Security Authorization Package (SSP, SAR, and POA&M) to the AO.
3. The AO conducts the final risk determination.
4. The AO makes the authorization decision.
Monitor
Step 6. Governing documents used in this step: NIST SPs 800-37, 800-53A.
Six sub-tasks in this step:
1. Determine the impact of changes to the system and environment.
2. Assess selected controls annually and conduct needed remediation.
3. Update the SSP, SAR, and POA&M.
4. Report security status to the AO.
5. The AO reviews the reported status.
6. Implement the system decommissioning strategy.