RMF Support

Risk Management Framework

A structured, six-step approach used to oversee and manage risks to organizational operations (mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system.

1. Categorize System

Describe the system authorization boundary; assess the system's confidentiality, integrity, and availability as low, moderate, or high impact; define privacy requirements; initiate the security plan.

2. Select Controls
3. Implement Controls
4. Assess Controls
5. Authorize System
6. Continuously Monitor
Risk-Management Steps

RMF Steps 1 to 3 – Implement Security

Step 1 - Categorize System

Step 1-1:

Categorize the information system and document the results of the security categorization in the security plan.

Step 1-2:
Step 1-3:

Step 2 - Select Controls

Step 2-1:

Identify the security controls that are provided by the organization as common controls for organizational information systems and document the controls in a security plan.

Step 2-2:
Step 2-3:
Step 2-4:

Step 3 - Implement Controls

Step 3-1:

Implement the security controls specified in the security plan.

Step 3-2:

RMF Steps 4 & 5 – Assess & Authorize

Step 4 - Assess Controls

Step 4-1:

Develop, review, and approve a plan to assess the security controls.

Step 4-2:
Step 4-3:
Step 4-4:

Step 5 - Authorize System

Step 5-1:

Prepare the plan of action and milestones based on the findings and recommendations of the security assessment report excluding any remediation actions taken.

Step 5-2:
Step 5-3:
Step 5-4:

Step 6 - Continuous Monitoring

Step 6-1:

Determine the security impact of proposed or actual changes to the information system and its environment of operation.

Step 6-2:
Step 6-3:
Step 6-4:
Step 6-5: