RMF Steps Flashcards

1
Q

Prepare

A

Purpose: Carry out essential activities to help prepare all levels of the organization to manage its security and privacy risks using the RMF

Outcomes:

key risk management roles identified
organizational risk management strategy established, risk tolerance determined
organization-wide risk assessment
organization-wide strategy for continuous monitoring developed and implemented
common controls identified

2
Q

Categorize

A

Purpose: Inform organizational risk management processes and tasks by determining the adverse impact with respect to the loss of confidentiality, integrity, and availability of systems and the information processed, stored, and transmitted by those systems

Outcomes:

system characteristics documented
security categorization of the system and information completed
categorization decision reviewed/approved by authorizing official

3
Q

Select

A

Purpose: Select, tailor, and document the controls necessary to protect the system and organization commensurate with risk

Outcomes:

control baselines selected and tailored
controls designated as system-specific, hybrid, or common
controls allocated to specific system components
system-level continuous monitoring strategy developed
security and privacy plans that reflect the control selection, designation, and allocation are reviewed and approved

4
Q

Implement

A

Purpose: Implement the controls in the security and privacy plans for the system and organization

Outcomes:

controls specified in security and privacy plans implemented
security and privacy plans updated to reflect controls as implemented

5
Q

Assess

A

Purpose: Determine if the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization.

Outcomes:

assessor/assessment team selected
security and privacy assessment plans developed
assessment plans are reviewed and approved
control assessments conducted in accordance with assessment plans
security and privacy assessment reports developed
remediation actions to address deficiencies in controls are taken
security and privacy plans are updated to reflect control implementation changes based on assessments and remediation actions
plan of action and milestones developed

6
Q

Authorize

A

Purpose: Provide accountability by requiring a senior official to determine if the security and privacy risk, based on the operation of a system or the use of common controls, is acceptable.

Outcomes:

authorization package (executive summary, system security and privacy plan, assessment report(s), plan of action and milestones)
risk determination rendered
risk responses provided
authorization for the system or common controls is approved or denied

7
Q

Monitor

A

Purpose: Maintain ongoing situational awareness about the security and privacy posture of the system and organization to support risk management decisions

Outcomes:

system and environment of operation monitored in accordance with continuous monitoring strategy
ongoing assessments of control effectiveness conducted in accordance with continuous monitoring strategy
output of continuous monitoring activities analyzed and responded to
process in place to report security and privacy posture to management
ongoing authorizations conducted using results of continuous monitoring activities
