NIST Risk Management Framework (RMF) Process NISP WorkflowD

SS C

I/IO

GC

A S

take

ho

lder

sIS

SM/I

SSO

Au

tho

riza

tio

n

Off

icia

l (A

O)

ISSP

TEA

M L

EAD

(TL

)

Categorization & Coordination Control Discussion with GCA

Coordinate with ISR/CISA

STEP 1: CATEGORIZE

Start

STEP 2: SELECT Controls Submit

Initial / Revise Package

SSP with tailored

controls

ISSP/SCAAssigned?

STEP 2: SELECT Validate

Categorization and

Controls Selection

YES

TL Assigns anISSP/SCA

NO

Concur?

STEP 3: IMPLEMENT

ISSM Builds System / Update Configuration

YES

ThreatProfile

STEP 4: ASSESS Test / ISSM

Certify System

SSP and Supporting Artifacts

NO

STEP 4: ASSESS Test ISSM Certify

System

Schedule / ConductOn-Site Visit

Start Security Assessment Report

and complete OBMS inputs

AuthorizationRecommendation?

ATO Letter Update OBMS

Include ArtifactsForward to AO

YES

ISSP Update OBMS Vulnerability Table & Security Assessment

Report

NO

Existing ActiveAuthorization?

Complete SARAuthorization

Letter

Use Systems Return vice DenialYES

ISSP Return SSP with Rationale to Industry

Returnto

Step 3

STEP 5: AUTHORIZE

AO Deny System

NO

STEP 5: AUTHORIZE

AO Approves System

STEP 6: MONITOR

Monitoring Phase: ISSM is responsible for ensuring the security posture is

maintained. Assess impact of changes to the system upon the environment. Review selected controls annually

STEP 6: MONITORISSP continually assesses system

posture

KEYINTERNAL PROCESS EXTERNAL PROCESS

START

PROCESS

MANUAL

DOCUMENT

STORAGE

EXTERNAL CONTROL

DECISION

PROCESS VARIABLE

STOP

ASSOCIATION

RETURN

JULY 2017

Initial SSP, RAR

Initial SSP w/ identified controls,

RAR

Final SSP, Certification Statement, RAR, POA&M,

and SSP Supporting Artifacts

Updated SSP w/ functional description of security

control implementation, POA&M (if applicable)

Initial SSP w/ identified

controls, RAR

Final SSP, Certification

Statement, RAR, POA&M, and SSP

Supporting Artifacts

Final SSP, SSP Supporting Artifacts, POA&M (if applicable), SAR, and Authorization Letter

Final SSP, SSP Supporting Artifacts,

POA&M (if applicable), SAR, and Authorization Letter

Updated POA&M, Updated SSP, Status Reports,

Decommissioning Strategy (as necessary) and Continuous

Monitoring Strategy

Updated POA&M, Updated SSP, Status Reports,

Decommissioning Strategy (as necessary) and Continuous

Monitoring Strategy

Repeat

DSS Risk Management Framework (RMF) Process – Step 1 (Categorize) Source: DAAPM Ver. 1.1

Author: A.E. Carbone/IOFSA Revised: 2017/05/18IS

SMD

SS IO

/CI

GC

A/

Stak

eho

lde

rsIS

SP/

SCA

AO

Provide Program Risk Assessment/

Threat Data Information

Coordinate with Company s

Assigned DSS ISR/CISA

Collect Key Documents

(Contract, DD 254, RAR, SCG, etc.)

Start

Prepare Risk Assessment

Report (RAR)

HigherImpact Levels

Justified?

No

No

Yes

GCA / Stakeholder Approval Memo

GotoRMF

Step-2

DetermineSystem s

Authorization Boundary

Obtain GCA / Stakeholder

Approval(SSP Artifact)

Determine Final Categorization of IS & Information

There-in(Default=M-L-L)

Update SSP(Description, Auth Boundary, System

Type, etc.)

Current RAROn

Record?Yes

DSS Risk Management Framework (RMF) Process – Step 2 (Select Security Controls) Source: DAAPM Ver. 1.1

Author: A.E. Carbone/IOFSA Revised: 2017/05/18IS

SP/S

CAIS

SMG

CA

/St

akeh

old

ers

ISSP

-TL

/ A

O

Identify BaselineSecurity Controls

ForIS Categorization

FromRMF

Step-1

DevelopCONMONStrategy

Tailor Security Controls As

NeededREF: RAR, SCG, Contract, etc.

Submit SSP, RAR, CONMON

Strategy, & Artifacts into

OBMS

Email ISSP of DSS RMF Step 1/2

OBMS Submission

Concur w/Cat & SecCtrl

Selection?

Complete Categorization & Implementation

Non-Concurrence Form

ToRMF

Step-3

Complete Categorization & Implementation

Concurrence Form

Upload Categorization & Implementation

Concurrence Form into OBMS

DAAPM

Tailored SecCtrl Approval

(DD 254, SOW, RAL)

Return OBMS Record back to

Submitter (ISSM)

Tailored-Out SecCtrls?

CoordinateTailored SecCtrls with ISSP-TL / AO

AORequires

RAL?

ValidateTailored-Out

SecCtrls Justification

(DD 254, SOW)

SecCtrlJustificationIncluded?

Update SSP with Baseline Security

Controls

Update SSP with Tailored Security

Controls & Justification

No

DSSOverlay

CNSSI 1253Overlay(s)

Notify ISSMof RAL

Requirement

Yes

ReviewRMF Pkg

Submission

Yes

No

Yes

No

YesNo

Email ISSM of DSS RMF Step 1/2

OBMS Submission

DSSOverlay

NIST SP 800-53v4

SevereIssues w/RMF Pkg

No

YesTo Step 4Part (B)

UNCLAS Docs Only

Proceed w/DATOAction

DSS Risk Management Framework (RMF) Process – Step 3 (Implement Security Controls) Source: DAAPM Ver. 1.1

Author: A.E. Carbone/IOFSA Revised: 2017/05/18IS

SMG

CA

AO

ISSP

/SCA

Implement Technical Security

Controls on System(s)

Continuity of Operations (COOP)

Plan

FromRMF

Step-2

Update SSP with Security Control Implementation

Status

Develop Applicable Non-Technical

Documentation

Updated SSP (UNCLAS Docs Only)

ToRMF

Step-4

Disaster Recovery Plan (DRP)

Configuration Management (CM)

Plan

Incident Response Plan (IRP)

Security Awareness

Training Plan

MOU/MOAs

OtherApplicable Artifacts

DAAPMTailored

SSPSTIG

Viewer

NAO Group Policy Config

Tool

SCAP Compliance

Checker (SCC) Tool

Manual

Configuration

Various Applicable Policies

Start POA&MAs Applicable

Implementation Tools

DSS Risk Management Framework (RMF) Process – Step 4 (Assess Security Controls) – Part (A) Source: DAAPM Ver. 1.1

Author: A.E. Carbone/IOFSA Revised: 2017/05/18IS

SMIS

SP/

SC

AA

O

Conduct Initial Assessment to Ensure Security

Controls Operating as Intended

FromRMF

Step-3

Update SSP with Actual Security

Control State Information

Updated SSP

ToRMF

Step-4B

Develop/Update POA&M with Residual

Vulnerabilities

POA&M

Download Validation Tools and Install on System for SCA OSV(STIG Viewer, SCC,

etc.)

Submit Final RMF Authorization

Package via OBMS(UNCLAS Docs Only)

Email ISSPof

OBMSSubmission

DAAPM

Tailored SSP Parameters

NIST Security Controls

SCAP ComplianceChecker (SCC)

STIG ViewerTool

ISSM Appointment Letter

(Required)

All Other Relevant Artifacts(Policy)

Certification Statement(Required)

CM PlanCCB Charter

SSP(Required)

Contract Info(DD 254, SOW, RFP)

POA&M(Required)

RAL(s)

RAR(Required)

IRP

Security Awareness &

Training Plan

MOU/MOA/ISA

COOP, DRP, etc.

Assessment Tools

DSS Risk Management Framework (RMF) Process – Step 4 (Assess Security Controls) – Part (B) Source: DAAPM Ver. 1.1

Author: A.E. Carbone/IOFSA Revised: 2017/05/18IS

SP-T

LIS

SP/S

CA

AO

RMF Pkg and/or OSV

Issues?

GotoStep 5Part

FromRMF

Step-4A

DownloadRMF Auth Pkg

from OBMS

ReviewRMF Auth Pkg

Documentation

Schedule OSV with ISSM

Conduct OSV and Assess IS

Against SSP andCurrent Policy

DAAPMOther Policy

Tailored SSP&

Artifacts

Security Controls

SCAP Compliance

Checker (SCC)

STIG Viewer

Tool

Verify POA&MReflects All

Vulnerabilities

Correct on the Spot

and/orUpdate POA&M

Email DATO Package to

AO

No

YesRMF AuthPackage

Acceptable?

InitiateDATO

Package

Record Plan Review TRAP & Vulnerabilities

in OBMS

Email DATO Package to

ISSP-TL

QC CheckDATO Package

No

Yes

Sign DATO Letter & Email to ISSM/DSS

Staff

DATO PkgPass QC Check?

Send DATO Pkg Back to ISSP

with Corrections

Upload DATO Ltr in OBMS &

Closeout Record

Confirm ISSM installed latest

STIG/SCAP Tools

Yes

No

Document Weaknesses/Deficiencies In

SAR

UnsatSAR?

Yes

No

Upload SAR & Support Docs

into OBMS

Stop

FromStep 5

FromStep 2

Assessment Tools

DSS Risk Management Framework (RMF) Process – Step 5 (Authorize Information System) Source: DAAPM Ver. 1.1

Author: A.E. Carbone/IOFSA Revised: 2017/05/18IS

SP-T

LIS

SP/S

CAA

OIS

SM

FromStep-4Part (B)

Email ATO Package to

AO

InitiateATO

Package

RecordOSV TRAP &

Vulnerabilities in OBMS

Email ATO Package to

ISSP-TL

QC CheckATO Package

Goto Step 6

Sign ATO Ltrand Email to

ISSM/DSS Staff

ATO PkgPass QC Check?

Send ATO Pkg Back to ISSP

with Corrections

Upload ATO Ltr in OBMS & Closeout Record

No

RecordTerms &

Conditions in ATO Letter

Yes

AOAccepts

Risk?

Return ATO Pkg to ISSP-TL with Risk Concerns

Yes

No

CoordinateDATO Action

with ISSP

To Step 4Part (B)

DSS Risk Management Framework (RMF) Process – Step 6 (Monitor Security Controls) Source: DAAPM Ver. 1.1

Author: A.E. Carbone/IOFSA Revised: 2017/05/18IS

SP/S

CAIS

SMIS

SP-T

LA

O

FromStep-5

Implement CONMON Strategy

Mitigate Risk Based on CONMON

Results

Update SSP & POA&M with

CONMON Results

Submit Status Reports to ISSP IAW CONMON

Strategy

Review ISSM s Status Report

Assess Security Control Subset IAW CONMON

Strategy

AcceptableRisk?

File Status Report

Create ISFD Entry

ISDecommis-

sioned?

Submit IS Decommission Action in OBMS

ImplementDecommission

Strategy

Yes

No

Yes

Stop

Immediately Contact

ISSP-TL/AO

No

Develop Risk Mitigation

Strategy with ISSM

Review/Update Risk Mitigation

Strategy

Approve Mitigation Strategy

Prepare Decommission

Letter

Email Decommission

Letter toISSP/TL

Sign Decommision

Letter

Upload Decom Ltr in OBMS &

Closeout Record

ImplementAO-Approved

Mitigation Strategy

Email Decommision

Ltr toISSM/DSS Staff