NIST Risk Management Framework (RMF) Process - NISP Workflow
July 2017

Swimlane flowchart. Lanes (roles): DSS CI/IO; GCA / Stakeholders; ISSM/ISSO; ISSP; Team Lead (TL); Authorization Official (AO).

DSS CI/IO and GCA / Stakeholders lane
- Categorization and control discussion with the GCA; coordinate with ISR/CISA.
- Output: Threat Profile.

ISSM/ISSO lane
- Start.
- STEP 1: CATEGORIZE. Output: Initial SSP, RAR.
- STEP 2: SELECT controls; submit initial / revised package. Output: Initial SSP with identified controls, RAR; SSP with tailored controls.
- STEP 3: IMPLEMENT. ISSM builds the system / updates configuration. Output: Updated SSP with functional description of security control implementation, POA&M (if applicable).
- STEP 4: ASSESS. Test; ISSM certifies the system. Output: Final SSP, Certification Statement, RAR, POA&M, and SSP supporting artifacts.
- STEP 6: MONITOR (repeat). Monitoring phase: the ISSM is responsible for ensuring the security posture is maintained, assesses the impact of changes to the system upon the environment, and reviews selected controls annually. Output: Updated POA&M, updated SSP, status reports, decommissioning strategy (as necessary) and continuous monitoring strategy.
- Return to Step 3 when the ISSP returns the SSP with rationale.

Team Lead (TL) lane
- Decision: ISSP/SCA assigned? No: TL assigns an ISSP/SCA. Yes: continue.

ISSP lane
- STEP 2: SELECT. Validate categorization and controls selection. Input: Initial SSP with identified controls, RAR.
- STEP 4: ASSESS. Test; ISSM certifies the system. Input: Final SSP, Certification Statement, RAR, POA&M, and SSP supporting artifacts.
- Schedule / conduct on-site visit.
- Decision: Existing active authorization? Yes: use system return vice denial.
- ISSP updates the OBMS vulnerability table and the Security Assessment Report.
- Decision: Authorization recommendation? No: ISSP returns the SSP with rationale to industry (return to Step 3). Yes: start the Security Assessment Report and complete OBMS inputs; complete SAR and Authorization Letter; ATO Letter; update OBMS; include artifacts; forward to AO.
- STEP 6: MONITOR. ISSP continually assesses system posture.

Authorization Official (AO) lane
- Decision: Concur? No: STEP 5: AUTHORIZE, AO denies the system. Yes: STEP 5: AUTHORIZE, AO approves the system. Output: Final SSP, SSP supporting artifacts, POA&M (if applicable), SAR, and Authorization Letter.

Key (flowchart symbols): Internal Process, Start Process, Document, Manual Storage, External Process, External Control, Decision, Process Variable, Stop, Association, Return.
DSS Risk Management Framework (RMF) Process - Step 1 (Categorize)
Source: DAAPM Ver. 1.1   Author: A.E. Carbone/IOFSA   Revised: 2017/05/18

Lanes: ISSM; DSS IO/CI; GCA / Stakeholders; ISSP/SCA; AO.

ISSM lane
- Start.
- Collect key documents (Contract, DD 254, RAR, SCG, etc.).
- Determine the system's authorization boundary.
- Decision: Current RAR on record? No: prepare the Risk Assessment Report (RAR), coordinating with the company's assigned DSS ISR/CISA (DSS IO/CI lane), who provide program risk assessment / threat data information. Yes: continue.
- Decision: Higher impact levels justified? Yes: obtain GCA / Stakeholder approval (SSP artifact); the GCA / Stakeholders lane returns a GCA / Stakeholder Approval Memo. No: continue with the default.
- Determine the final categorization of the IS and the information therein (default = M-L-L).
- Update SSP (description, authorization boundary, system type, etc.).
- Go to RMF Step 2.
DSS Risk Management Framework (RMF) Process - Step 2 (Select Security Controls)

Lanes: ISSM; GCA / Stakeholders; ISSP/SCA; ISSP-TL / AO.

ISSM lane
- From RMF Step 1.
- Identify baseline security controls for the IS categorization. References: DAAPM, DSS Overlay, NIST SP 800-53 v4, CNSSI 1253 Overlay(s).
- Update SSP with baseline security controls.
- Tailor security controls as needed (REF: RAR, SCG, Contract, etc.).
- Update SSP with tailored security controls and justification.
- Decision: Tailored-out SecCtrls? Yes: tailored SecCtrl approval (DD 254, SOW, RAL); coordinate tailored SecCtrls with ISSP-TL / AO. No: continue.
- Develop CONMON strategy.
- Submit SSP, RAR, CONMON strategy, and artifacts into OBMS (UNCLAS docs only).
- Email ISSP of DSS RMF Step 1/2 OBMS submission.

ISSP/SCA lane
- Review RMF package submission.
- Decision: Severe issues with RMF package? Yes: proceed with DATO action (to Step 4 Part (B)). No: continue.
- Decision: SecCtrl justification included? No: return OBMS record back to submitter (ISSM). Yes: validate tailored-out SecCtrls justification (DD 254, SOW).
- Decision: Concur with categorization and SecCtrl selection? No: complete Categorization & Implementation Non-Concurrence Form. Yes: continue.
- Decision: Requires RAL? Yes: notify ISSM of RAL requirement. No: complete Categorization & Implementation Concurrence Form.
- Upload Categorization & Implementation Concurrence Form into OBMS.
- Email ISSM of DSS RMF Step 1/2 OBMS submission.
- To RMF Step 3.
DSS Risk Management Framework (RMF) Process - Step 3 (Implement Security Controls)

Lanes: ISSM; ISSP/SCA; AO; GCA.

ISSM lane
- From RMF Step 2.
- Implementation tools: DAAPM, STIG Viewer, Tailored SSP, NAO Group Policy Config Tool, SCAP Compliance Checker (SCC) Tool, Manual Configuration.
- Implement technical security controls on system(s).
- Develop applicable non-technical documentation: various applicable policies, Continuity of Operations (COOP) Plan, Disaster Recovery Plan (DRP), Configuration Management (CM) Plan, Incident Response Plan (IRP), Security Awareness Training Plan, MOU/MOAs, other applicable artifacts.
- Update SSP with security control implementation status.
- Start POA&M as applicable.
- Output: Updated SSP (UNCLAS docs only).
- To RMF Step 4.
DSS Risk Management Framework (RMF) Process - Step 4 (Assess Security Controls) - Part (A)

Lanes: ISSM; ISSP/SCA; AO.

ISSM lane
- From RMF Step 3.
- Assessment tools: DAAPM, Updated SSP, Tailored SSP Parameters, NIST Security Controls, SCAP Compliance Checker (SCC), STIG Viewer Tool, POA&M.
- Conduct initial assessment to ensure security controls are operating as intended.
- Update SSP with actual security control state information.
- Develop/update POA&M with residual vulnerabilities.
- Download validation tools and install on the system for the SCA OSV (STIG Viewer, SCC, etc.).
- Submit final RMF authorization package via OBMS (UNCLAS docs only). Package contents: ISSM Appointment Letter (required), Certification Statement (required), SSP (required), RAR (required), POA&M (required), COOP, DRP, etc., CM Plan, CCB Charter, Contract Info (DD 254, SOW, RFP), MOU/MOA/ISA, IRP, Security Awareness & Training Plan, RAL(s), all other relevant artifacts (policy).
- Email ISSP of OBMS submission.
- To RMF Step 4B.