NIST Risk Management Framework (RMF) Process - NISP Workflow (JULY 2017)

[Overview flowchart, recovered as text. Swimlanes (roles): DSS CI/IO; GCA Stakeholders; ISSM/ISSO; Authorization Official (AO); ISSP Team Lead (TL).]

Flow:

  Start
  - Categorization & Coordination: control discussion with GCA; coordinate with ISR/CISA.
    Artifacts: Initial SSP, RAR.

  STEP 1: CATEGORIZE

  STEP 2: SELECT Controls
  - Submit initial / revised package: SSP with tailored controls.
    Artifacts: Initial SSP w/ identified controls, RAR.
  - Decision: ISSP/SCA assigned? If NO, the TL assigns an ISSP/SCA.
  - Validate categorization and controls selection.
  - Decision: Concur? If NO, ISSP returns the SSP with rationale to Industry.

  STEP 3: IMPLEMENT
  - ISSM builds system / updates configuration (input: Threat Profile).
    Artifacts: Updated SSP w/ functional description of security control implementation, POA&M (if applicable).

  STEP 4: ASSESS
  - Test / ISSM certifies system; SSP and supporting artifacts.
    Artifacts: Final SSP, Certification Statement, RAR, POA&M, and SSP supporting artifacts.
  - Schedule / conduct on-site visit.
  - Start Security Assessment Report and complete OBMS inputs.
  - ISSP updates OBMS vulnerability table & Security Assessment Report.
  - Decision: Authorization recommendation?

  STEP 5: AUTHORIZE
  - ATO letter; update OBMS; include artifacts; forward to AO.
  - Decision: Existing active authorization? Complete SAR / Authorization Letter.
  - Decision: Use system return vice denial? If YES, return to Step 3.
  - AO approves system, or AO denies system.
    Artifacts: Final SSP, SSP supporting artifacts, POA&M (if applicable), SAR, and Authorization Letter.

  STEP 6: MONITOR
  - Monitoring phase: ISSM is responsible for ensuring the security posture is maintained, assesses the impact of changes to the system upon the environment, and reviews selected controls annually.
  - ISSP continually assesses system posture.
    Artifacts: Updated POA&M, Updated SSP, Status Reports, Decommissioning Strategy (as necessary) and Continuous Monitoring Strategy.
  - Repeat.

Key (flowchart symbols): Internal process; External process; Start; Process; Manual; Document; Storage; External control; Decision; Process variable; Stop; Association; Return.
DSS Risk Management Framework (RMF) Process – Step 1 (Categorize)
Source: DAAPM Ver. 1.1. Author: A.E. Carbone/IOFSA. Revised: 2017/05/18.

[Flowchart recovered as text. Swimlanes (roles): ISSM; DSS IO/CI; GCA/Stakeholders; ISSP/SCA; AO.]

  Start
  - Collect key documents (Contract, DD 254, RAR, SCG, etc.).
  - Coordinate with the company's assigned DSS ISR/CISA.
  - DSS IO/CI provides Program Risk Assessment / Threat Data information.
  - Decision: Current RAR on record? If No, prepare the Risk Assessment Report (RAR).
  - Determine the system's authorization boundary.
  - Determine final categorization of the IS and the information therein (default = M-L-L).
  - Decision: Higher impact levels justified? If Yes, obtain GCA / Stakeholder approval (SSP artifact): GCA / Stakeholder Approval Memo.
  - Update SSP (description, authorization boundary, system type, etc.).
  - Go to RMF Step 2.
DSS Risk Management Framework (RMF) Process – Step 2 (Select Security Controls)

[Flowchart recovered as text. Swimlanes (roles): ISSP/SCA; ISSM; GCA/Stakeholders; ISSP-TL / AO.]

  From RMF Step 1
  - Identify baseline security controls for the IS categorization.
    References: DSS Overlay, CNSSI 1253 Overlay(s), NIST SP 800-53v4.
  - Tailor security controls as needed (REF: RAR, SCG, Contract, etc.).
  - Decision: Tailored-out SecCtrls?
      No: update SSP with baseline security controls.
      Yes: update SSP with tailored security controls & justification.
  - GCA/Stakeholders: tailored SecCtrl approval (DD 254, SOW, RAL).
  - Develop CONMON strategy.
  - Submit SSP, RAR, CONMON strategy, & artifacts into OBMS (UNCLAS docs only).
  - Email ISSP of DSS RMF Step 1/2 OBMS submission.

  ISSP/SCA review
  - Review RMF package submission (references: DAAPM, DSS Overlay).
  - Decision: Severe issues w/ RMF package? If Yes, proceed with DATO action; go to Step 4 Part (B).
  - Decision: SecCtrl justification included? Validate tailored-out SecCtrls justification (DD 254, SOW).
  - Coordinate tailored SecCtrls with ISSP-TL / AO.
  - Decision: AO requires RAL? If Yes, notify ISSM of RAL requirement.
  - Decision: Concur w/ categorization & SecCtrl selection?
      Yes: complete Categorization & Implementation Concurrence Form; upload it into OBMS; email ISSM of DSS RMF Step 1/2 OBMS submission; go to RMF Step 3.
      No: complete Categorization & Implementation Non-Concurrence Form; return OBMS record back to submitter (ISSM).
DSS Risk Management Framework (RMF) Process – Step 3 (Implement Security Controls)

[Flowchart recovered as text. Swimlanes (roles): ISSM; GCA; AO; ISSP/SCA.]

  From RMF Step 2
  - Implement technical security controls on system(s).
    Implementation tools: DAAPM, Tailored SSP, STIG Viewer, NAO Group Policy Config Tool, SCAP Compliance Checker (SCC) Tool, manual configuration, various applicable policies.
  - Develop applicable non-technical documentation: Continuity of Operations (COOP) Plan, Disaster Recovery Plan (DRP), Configuration Management (CM) Plan, Incident Response Plan (IRP), Security Awareness Training Plan, MOU/MOAs, other applicable artifacts.
  - Start POA&M as applicable.
  - Update SSP with security control implementation status -> Updated SSP (UNCLAS docs only).
  - Go to RMF Step 4.
DSS Risk Management Framework (RMF) Process – Step 4 (Assess Security Controls) – Part (A)

[Flowchart recovered as text. Swimlanes (roles): ISSM; ISSP/SCA; AO.]

  From RMF Step 3
  - Conduct initial assessment to ensure security controls are operating as intended.
    Assessment tools: DAAPM, Tailored SSP parameters, NIST security controls, SCAP Compliance Checker (SCC), STIG Viewer Tool.
  - Update SSP with actual security control state information -> Updated SSP.
  - Develop/update POA&M with residual vulnerabilities -> POA&M.
  - Download validation tools and install on system for SCA OSV (STIG Viewer, SCC, etc.).
  - Submit final RMF authorization package via OBMS (UNCLAS docs only):
      ISSM Appointment Letter (required); Certification Statement (required); SSP (required); POA&M (required); RAR (required);
      CM Plan, CCB Charter; Contract info (DD 254, SOW, RFP); RAL(s); IRP; Security Awareness & Training Plan; MOU/MOA/ISA; COOP, DRP, etc.; all other relevant artifacts (policy).
  - Email ISSP of OBMS submission.
  - Go to RMF Step 4B.
DSS Risk Management Framework (RMF) Process – Step 4 (Assess Security Controls) – Part (B)

[Flowchart recovered as text. Swimlanes (roles): ISSP-TL; ISSP/SCA; AO. Entry points: from RMF Step 4A, from Step 2, from Step 5.]

  Assessment path
  - Download RMF authorization package from OBMS.
  - Review RMF authorization package documentation.
  - Decision: RMF authorization package acceptable? If No, initiate DATO package (see below).
  - Schedule OSV with ISSM.
  - Confirm ISSM installed the latest STIG/SCAP tools.
  - Conduct OSV and assess the IS against the SSP and current policy.
    Assessment tools: DAAPM, other policy, Tailored SSP & artifacts, security controls, SCAP Compliance Checker (SCC), STIG Viewer Tool.
  - Verify POA&M reflects all vulnerabilities; correct on the spot and/or update POA&M.
  - Document weaknesses/deficiencies in SAR.
  - Upload SAR & support documents into OBMS.
  - Decision: RMF package and/or OSV issues? Decision: Unsat SAR? If No, go to Step 5.

  DATO path
  - Initiate DATO package.
  - Record plan review TRAP & vulnerabilities in OBMS.
  - Email DATO package to ISSP-TL.
  - ISSP-TL QC checks DATO package. Decision: DATO package passes QC check?
      No: send DATO package back to ISSP with corrections.
      Yes: email DATO package to AO.
  - AO signs DATO letter & emails it to ISSM/DSS staff.
  - Upload DATO letter in OBMS & close out record.
  - Stop.
DSS Risk Management Framework (RMF) Process – Step 5 (Authorize Information System)

[Flowchart recovered as text. Swimlanes (roles): ISSP-TL; ISSP/SCA; AO; ISSM.]

  From Step 4 Part (B)
  - Initiate ATO package.
  - Record OSV TRAP & vulnerabilities in OBMS.
  - Email ATO package to ISSP-TL.
  - ISSP-TL QC checks ATO package. Decision: ATO package passes QC check?
      No: send ATO package back to ISSP with corrections.
      Yes: email ATO package to AO.
  - Decision: AO accepts risk?
      Yes: record terms & conditions in ATO letter; sign ATO letter and email to ISSM/DSS staff; upload ATO letter in OBMS & close out record; go to Step 6.
      No: return ATO package to ISSP-TL with risk concerns; coordinate DATO action with ISSP; go to Step 4 Part (B).
DSS Risk Management Framework (RMF) Process – Step 6 (Monitor Security Controls)

[Flowchart recovered as text. Swimlanes (roles): ISSP/SCA; ISSM; ISSP-TL; AO.]

  From Step 5
  - Implement CONMON strategy.
  - Submit status reports to ISSP IAW CONMON strategy.
  - ISSP reviews ISSM's status report; assesses security control subset IAW CONMON strategy.
  - Decision: Acceptable risk?
      Yes: file status report; create ISFD entry.
      No: immediately contact ISSP-TL/AO; develop risk mitigation strategy with ISSM; review/update risk mitigation strategy; AO approves mitigation strategy; implement AO-approved mitigation strategy.
  - Mitigate risk based on CONMON results; update SSP & POA&M with CONMON results.
  - Decision: IS decommissioned?
      No: continue monitoring.
      Yes: submit IS decommission action in OBMS; implement decommission strategy; prepare decommission letter; email decommission letter to ISSP-TL; AO signs decommission letter; email decommission letter to ISSM/DSS staff; upload decommission letter in OBMS & close out record; Stop.