RMF Step 5: Authorize Flashcards
RMF Task 5-1
Prepare the POA&Ms based on the findings and recommendations of the SAR
RMF Task 5-2
Assemble the security authorization package and submit it to the AO
RMF Task 5-3
Determine risk to operations
RMF Task 5-4
Determine if risk is acceptable
Guidance
SP 800-37 - RMF
Security Authorization Package includes
SSP
SAR
POA&M
Risk Assessment
A risk assessment involves the systematic identification and prioritization of risks to resources
Assess Risk - Analysis includes …
1) identification of threats
2) assessment of vulnerabilities in controls
3) calculation of risks
Guidance
NIST 800-30 Rev 1: Guide for Conducting Risk Assessments
NIST 800-30: Guide for Conducting Risk Assessments - STEPS
1) Prepare for assessment
2) Conduct the assessment
* Identify threats
* Identify vulnerabilities
* Determine likelihood of occurrence
* Determine impact
* Determine risk
3) Communicate results
4) Maintain assessment
* Monitor AORs
2 FACTORS FOR DETERMINING RISK
LEVEL OF IMPACT AND LIKELIHOOD
Types of responses to risks
1) Accept & continue operating
2) Transfer/Share to 3rd party
3) Mitigate - change assets
4) Avoid - eliminate assets
Authorization Decisions
1) ATO (up to 3 years)
2) Denial of ATO
3) Interim ATO (iATO)
INPUTS AND OUTPUTS OF RMF STEP 5: AUTHORIZE
INPUTS
- Security Authorization Package (SSP, POA&M, SAR)
- input from risk executive
- other artifacts
OUTPUTS
- AO Decision Document