
Navy RMF

13 community-sourced questions and answers. Free — no login.

Community-sourced. Answers may be wrong or out of date. Always verify with your official training portal before submitting. Not affiliated with any branch, agency, or vendor.
QUESTION 1

RMF Step 1

ANSWER

CATEGORIZE SYSTEM
- Categorize the system IAW CNSSI 1253
- Initiate Security Plan
- Register system with DoD Component cybersecurity program
- Assign qualified personnel to RMF roles

QUESTION 2

RMF Step 2

ANSWER

SELECT SECURITY CONTROLS
- Common control identification
- Select security controls
- Develop system-level continuous monitoring strategy
- Review and approve Security Plan and continuous monitoring strategy
- Apply overlays and tailor

QUESTION 3

RMF Step 3

ANSWER

IMPLEMENT SECURITY CONTROLS
- Implement control solutions consistent with DoD Component cybersecurity architectures
- Document security control implementation in the Security Plan

QUESTION 4

RMF Step 4

ANSWER

ASSESS SECURITY CONTROLS
- Develop and approve Security Assessment Plan (SAP)
- Assess security controls
- SCA prepares Security Assessment Report (SAR)
- Conduct initial remediation actions

QUESTION 5

RMF Step 5

ANSWER

AUTHORIZE SYSTEM
- Prepare the POAM
- Submit Security Authorization Package (Security Plan, SAR, and POAM) to AO
- AO conducts final risk determination
- AO makes authorization decisions

QUESTION 6

RMF Step 6

ANSWER

MONITOR SECURITY CONTROLS
- Determine impact of changes to the system and environment
- Assess selected controls annually
- Conduct needed remediation
- Update Security Plan, SAR, and POAM
- Report security status to AO
- AO reviews reported status
- Implement system decommissioning strategy

QUESTION 7

RMF Step 1: CATEGORIZE THE SYSTEM Part 1

ANSWER

4.1 CATEGORIZE
- Completed during initial development of the system (if undergoing reauthorization or updates, correct categorization is still required)
- PM/ISO identifies and assigns qualified personnel
- ISSM registers the system in eMASS (during registration, select impact levels for CIA; DO NOT APPLY OVERLAYS)
- Systems that already have a DIACAP eMASS record should not re-register; USE the RMF transition tool
4.1.1. PERSONNEL REQUIRED
- Categorization is coordinated between PM/ISO, IO, ISSE, ISSM, PSO and AO CSA
4.1.2. TOOLS REQUIRED
- The Navy Categorization form is required to capture the categorization information (located on the Navy RMF KS Portal)
4.1.3. INPUTS REQUIRED
- RMF requires access to the system's Concept of Operations, information types and mission information
- For the SP: review the system design documentation/planned system architecture
4.1.4. OUTPUT
- Output of step 1: completed Navy System Categorization form, initial SP, system type designation, DITPR DON record, and beginning of the eMASS record

QUESTION 8

RMF Step 1: CATEGORIZE THE SYSTEM Cont'd 2

ANSWER

4.1.7. IS SYSTEM A NATIONAL SECURITY SYSTEM (NSS)
- PM/ISO and ISSE, using the Navy System Categorization form, determine if the system is an NSS via NIST 800-59
4.1.8.1. DOCUMENT INFORMATION TYPES PROCESSED / IDENTIFY INFO TYPES PROCESSED
- ISSE and IO identify and document all types of information processed, stored or transmitted
- System function is determined prior to selecting info types (e.g. Management and Support, and Mission Based Systems)
4.1.9. SELECT PROVISIONAL IMPACT VALUES
- ISSE, with support of IO, UR and ISSM, uses the Navy Information Types Baseline List and the information gathered in the operational review to determine the info types' provisional security impact values (low, moderate, high) IRT CIA
4.1.10. DOCUMENT OPERATIONAL IMPACT AND ADDITIONAL CONSIDERATIONS
- CIA: low, moderate, and high
4.1.10.1. OPERATIONAL AND MISSION REQS
- Using the System Categorization Form, PM/ISO provides an explanation of the operational requirements of the system to determine how those may change the provisional impact levels

QUESTION 9

RMF Step 1: CATEGORIZE THE SYSTEM Cont'd 3

ANSWER

4.1.10.2. ADDITIONAL CONSIDERATIONS
- ISSE moves to the Additional Considerations box in the System Categorization spreadsheet
- Additional Considerations include:
  - Classification of the system
  - Classification of the information
  - Releasability of the information (e.g. NATO has a higher classification requirement)
  - Additional required overlays
  - Considerations derived from application of other IA/TA standards such as defense in depth or the forthcoming CYBERSAFE
  - MOA or MOU required to be in place with other system, network, or enclave owners and AOs
  - Interconnected systems/external services that could elevate the impact level
  - Executive orders or overarching policies that define the impact of data loss or breach
  - Breach or loss of multiple data sources could cause an aggregation condition that heightens the impact value
  - Is the system under a joint authorization? Other system owners could require higher impact values
4.1.11. RECOMMEND SYSTEM CATEGORIZATION
- ISSE determines the security category for the information system and makes adjustments
4.1.11.1. DETERMINE SYSTEM SECURITY CATEGORIZATION
- Final task: look at the high water mark of the impact values to identify the overall system categorization
- ISSE determines and PM/ISO approves
4.1.11.2. RECOMMEND SYSTEM CATEGORIZATION
- ISSE documents the system's security category in the SYSTEM CATEGORIZATION FORM
- PSO reviews and concurs with the above, then submits to AO CSA for concurrence
4.1.12. RECEIVE CATEGORIZATION CONCURRENCE
- AO CSA, with PM and PSO, provide concurrence via a digitally signed concurrence form prior to moving to Security Control Selection
- PM submits a completed RMF STEP 1 Categorization Form to the PSO for signature
- PSO signs and forwards to AO CSA
- AO CSA approves and signs, then returns to PSO
- PSO distributes the form back to PM and ISSE for security control selection
- ISSE enters the system categorization info to generate the initial baseline set of controls in step 2
4.1.13. REGISTER SYSTEM IN eMASS
- ISSM registers the system in eMASS

QUESTION 10

RMF STEP 1: How to categorize a system (process)

ANSWER

CATEGORIZATION PROCESS
- Categorization is accomplished using the Navy Information Types Baseline List via the Navy RMF KS Portal
1. Security Categorization (CNSSI 1253)
2. Identify all information types (NIST SP 800-60)
3. Map information type to security category and select provisional security impact values (FIPS 199 & NIST 800-60)
4. Review provisional impact levels (adjusting; may go back to step 3)
5. Adjust/finalize information impact levels (NIST SP 800-60)
6. Assign system security category (FIPS 199)
7. Document security category in the system security plan (SSP) (CNSSI 1253)

QUESTION 11

RMF Step 2: SELECT SECURITY CONTROLS

ANSWER

Definition: Security controls are the management, operational, and technical safeguards or countermeasures to protect the CIA of a system and its information
1. Security Category
2. Baseline Controls (eMASS)
3. Add CNSSI 1253 NSS Controls (if applicable)
4. Apply Overlays
5. Tailor Security Controls
6. Identify Common Controls
7. Update Security Plan (SP)
8. Approval of Security Control Selection
9. Develop ISCM/Develop initial Security Assessment Plan

QUESTION 12

Impact Values IRT RMF Step 1

ANSWER

low, moderate, high

QUESTION 13

System Security Objectives IRT RMF Step 1

ANSWER

confidentiality, integrity and availability
