Risk Management Framework
A structured, six-step approach used to oversee and manage risks to organizational operations (mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system.
Describe the system authorization boundary; assess the confidentiality, integrity, and availability impact of the system as low, moderate, or high; define privacy requirements; initiate the security plan.
RMF Steps 1 to 3 – Implement Security
Step 1 - Categorize System
Categorize the information system and document the results of the security categorization in the security plan.
Step 2 - Select Controls
Identify the security controls that are provided by the organization as common controls for organizational information systems and document the controls in a security plan.
Step 3 - Implement Controls
Implement the security controls specified in the security plan.
RMF Steps 4 & 5 – Assess & Authorize
Step 4 - Assess Controls
Develop, review, and approve a plan to assess the security controls.
Step 5 - Authorize System
Prepare the plan of action and milestones based on the findings and recommendations of the security assessment report excluding any remediation actions taken.
Step 6 - Continuous Monitoring
Determine the security impact of proposed or actual changes to the information system and its environment of operation.