RMF Steps and Tasks
Prepare Tasks (Organization Level)
P-1: Risk Management Roles
P-2: Risk Management Strategy
P-3: Risk Assessment - Organization
P-4: Organizationally-Tailored Control Baselines and Cybersecurity Framework Profiles (Optional)
P-5: Common Control Identification
P-6: Impact-Level Prioritization (Optional)
P-7: Continuous Monitoring Strategy - Organization
Prepare Tasks (System Level)
P-8: Mission or Business Focus
P-9: System Stakeholders
P-10: Asset Identification
P-11: Authorization Boundary
P-12: Information Types
P-13: Information Life Cycle
P-14: Risk Assessment - System
P-15: Requirements Definition
P-16: Enterprise Architecture
P-17: Requirements Allocation
P-18: System Registration
Categorize Tasks
C-1: System Description
C-2: Security Categorization
C-3: Security Categorization Review and Approval
Select Tasks
S-1: Control Selection
S-2: Control Tailoring
S-3: Control Allocation
S-4: Documentation of Planned Control Implementations
S-5: Continuous Monitoring Strategy - System
S-6: Plan Review and Approval
Implement Tasks
I-1: Control Implementation
I-2: Update Control Implementation Information
Assess Tasks
A-1: Assessor Selection
A-2: Assessment Plan
A-3: Control Assessments
A-4: Assessment Reports
A-5: Remediation Actions
A-6: Plan of Action and Milestones
Authorize Tasks
R-1: Authorization Package
R-2: Risk Analysis and Determination
R-3: Risk Response
R-4: Authorization Decision
R-5: Authorization Reporting
Monitor Tasks
M-1: System and Environment Changes
M-2: Ongoing Assessments
M-3: Ongoing Risk Response
M-4: Authorization Package Updates
M-5: Security and Privacy Reporting
M-6: Ongoing Authorization
M-7: System Disposal
Task P-1: Risk Management Roles Outcomes
Individuals are identified and assigned key roles for executing the Risk Management Framework.
Task P-2: Risk Management Strategy Outcomes
A risk management strategy for the organization that includes a determination and expression of organizational risk tolerance is established.
Task P-3: Risk Assessment - Organization Outcomes
An organization-wide risk assessment is completed or an existing risk assessment is updated.
Task P-4: Organizationally-Tailored Control Baselines and Cybersecurity Framework Profiles (Optional) Outcomes
Organizationally-tailored control baselines and/or Cybersecurity Framework Profiles are established and made available.
Task P-5: Common Control Identification Outcomes
Common controls that are available for inheritance by organizational systems are identified, documented, and published.
Task P-6: Impact-Level Prioritization (Optional) Outcomes
A prioritization of organizational systems with the same impact level is conducted.
Task P-7: Continuous Monitoring Strategy - Organization Outcomes
An organization-wide strategy for monitoring control effectiveness is developed and implemented.
Task P-8: Mission or Business Focus Outcomes
Missions, business functions, and mission/business processes that the system is intended to support are identified.
Task P-9: System Stakeholders Outcomes
The stakeholders having an interest in the system are identified.
Task P-10: Asset Identification Outcomes
Stakeholder assets are identified and prioritized.
Task P-11: Authorization Boundary Outcomes
The authorization boundary (i.e., system) is determined.
Task P-12: Information Types Outcomes
The types of information processed, stored, and transmitted by the system are identified.
Task P-13: Information Life Cycle Outcomes
All stages of the information life cycle are identified and understood for each information type processed, stored, or transmitted by the system.
Task P-14: Risk Assessment - System Outcomes
A system-level risk assessment is completed or an existing risk assessment is updated.
Task P-15: Requirements Definition Outcomes
Security and privacy requirements are defined and prioritized.
Task P-16: Enterprise Architecture Outcomes
The placement of the system within the enterprise architecture is determined.
Task P-17: Requirements Allocation Outcomes
Security and privacy requirements are allocated to the system and to the environment in which the system operates.
Task P-18: System Registration Outcomes
The system is registered for purposes of management, accountability, coordination, and oversight.
Task C-1: System Description Outcomes
The characteristics of the system are described and documented.
Task C-2: Security Categorization Outcomes
- A security categorization of the system, including the information processed by the system represented by the organization-identified information types, is completed.
- Security categorization results are documented in the security, privacy, and SCRM plans.
- Security categorization results are consistent with the enterprise architecture and commitment to protecting the organizational missions, business functions, and mission/business processes.
- Security categorization results reflect the organization's risk management strategy.
Task C-3: Security Categorization Review and Approval Outcomes
The security categorization results are reviewed and the categorization decision is approved by senior leaders in the organization.
Task S-1: Control Selection Outcomes
Control baselines necessary to protect the system commensurate with risk are selected.
Task S-2: Control Tailoring Outcomes
Controls are tailored producing tailored control baselines.
Task S-3: Control Allocation Outcomes
- Controls are designated as system-specific, hybrid, or common controls.
- Controls are allocated to the specific system elements (i.e., machine, physical, or human elements).
Task S-4: Documentation of Planned Control Implementations Outcomes
Controls and associated tailoring actions are documented in security and privacy plans or equivalent documents.
Task S-5: Continuous Monitoring Strategy - System Outcomes
A continuous monitoring strategy for the system that reflects the organizational risk management strategy is developed.
Task S-6: Plan Review and Approval Outcomes
Security and privacy plans reflecting the selection of controls necessary to protect the system and the environment of operation commensurate with risk are reviewed and approved by the authorizing official.
Task I-1: Control Implementation Outcomes
- Controls specified in the security and privacy plans are implemented.
- Systems security and privacy engineering methodologies are used to implement the controls in the system security and privacy plans.
Task I-2: Update Control Implementation Information Outcomes
- Changes to the planned implementation of controls are documented.
- The security and privacy plans are updated based on information obtained during the implementation of the controls.
Task A-1: Assessor Selection Outcomes
- An assessor or assessment team is selected to conduct the control assessments.
- The appropriate level of independence is achieved for the assessor or assessment team selected.
Task A-2: Assessment Plan Outcomes
- Documentation needed to conduct the assessments is provided to the assessor or assessment team.
- Security and privacy assessment plans are developed and documented.
- Security and privacy assessment plans are reviewed and approved to establish the expectations for the control assessments and the level of effort required.
Task A-3: Control Assessments Outcomes
- Control assessments are conducted in accordance with the security and privacy assessment plans.
- Opportunities to reuse assessment results from previous assessments to make the risk management process timely and cost-effective are considered.
- Use of automation to conduct control assessments is maximized to increase the speed, effectiveness, and efficiency of assessments.
Task A-4: Assessment Reports Outcomes
Security and privacy assessment reports that provide findings and recommendations are completed.
Task A-5: Remediation Actions Outcomes
- Remediation actions to address deficiencies in the controls implemented in the system and environment of operation are taken.
- Security and privacy plans are updated to reflect control implementation changes made based on the assessments and subsequent remediation actions.
Task A-6: Plan of Action and Milestones Outcomes
A plan of action and milestones detailing remediation plans for unacceptable risks identified in security and privacy assessment reports is developed.
Task R-1: Authorization Package Outcomes
An authorization package is developed for submission to the authorizing official.
Task R-2: Risk Analysis and Determination Outcomes
A risk determination by the authorizing official that reflects the risk management strategy, including risk tolerance, is rendered.
Task R-3: Risk Response Outcomes
Risk responses for determined risks are provided.
Task R-4: Authorization Decision Outcomes
The authorization for the system or the common controls is approved or denied.
Task R-5: Authorization Reporting Outcomes
Authorization decisions, significant vulnerabilities, and risks are reported to organizational officials.
Task M-1: System and Environment Changes Outcomes
The information system and environment of operation are monitored in accordance with the continuous monitoring strategy.
Task M-2: Ongoing Assessments Outcomes
Ongoing assessments of control effectiveness are conducted in accordance with the continuous monitoring strategy.
Task M-3: Ongoing Risk Response Outcomes
The output of continuous monitoring activities is analyzed and responded to appropriately.
Task M-4: Authorization Package Updates Outcomes
Risk management documents are updated based on continuous monitoring activities.
Task M-5: Security and Privacy Reporting Outcomes
A process is in place to report the security and privacy posture to the authorizing official and other senior leaders and executives.
Task M-6: Ongoing Authorization Outcomes
Authorizing officials conduct ongoing authorizations using the results of continuous monitoring activities and communicate changes in risk determination and acceptance decisions.
Task M-7: System Disposal Outcomes
A system disposal strategy is developed and implemented, as needed.