3.1 PREPARE52
Purpose
The purpose of the Prepare step is to carry out essential activities at the organization, mission and business process, and information system levels of the organization to help prepare the organization to manage its security and privacy risks using the Risk Management Framework.
PREPARE TASKS—ORGANIZATION LEVEL53
Table 1 provides a summary of tasks and expected outcomes for the RMF Prepare step at the organization level. Applicable Cybersecurity Framework constructs are also provided.
TABLE 1: PREPARE TASKS AND OUTCOMES—ORGANIZATION LEVEL
| Tasks | Outcomes | |||
| TASK P-1 RISK MANAGEMENT ROLES | • Individuals are identified and assigned key roles for executing the Risk Management Framework. [Cybersecurity Framework: ID.AM-6; ID.GV-2] | |||
| TASK P-2 RISK MANAGEMENT STRATEGY | • A risk management strategy for the organization that includes a determination and expression of organizational risk tolerance is established. [Cybersecurity Framework: ID.RM; ID.SC] | |||
| TASK P-3 RISK ASSESSMENT—ORGANIZATION | • An organization-wide risk assessment is completed or an existing risk assessment is updated. [Cybersecurity Framework: ID.RA; ID.SC-2] | |||
| TASK P-4 ORGANIZATIONALLY-TAILORED CONTROL BASELINES AND CYBERSECURITY FRAMEWORK PROFILES (OPTIONAL) | • Organizationally-tailored control baselines and/or Cybersecurity Framework Profiles are established and made available. [Cybersecurity Framework: Profile] | |||
| TASK P-5 COMMON CONTROL IDENTIFICATION | • Common controls that are available for inheritance by organizational systems are identified, documented, and published. | |||
| TASK P-6 IMPACT-LEVEL PRIORITIZATION (OPTIONAL) | • A prioritization of organizational systems with the same impact level is conducted. [Cybersecurity Framework: ID.AM-5] | |||
| TASK P-7 CONTINUOUS MONITORING STRATEGY— ORGANIZATION | • An organization-wide strategy for monitoring control effectiveness is developed and implemented. [Cybersecurity Framework: DE.CM; ID.SC-4] | |||
Quick link to summary table for RMF tasks, responsibilities, and supporting roles.
52 The Prepare step is intended to leverage activities already being conducted within security, privacy, and supply chain programs to emphasize the importance of having organization-wide governance and the appropriate resources in place to enable the execution of cost-effective and consistent risk management processes across the organization.
53 For ease of use, the preparatory activities are grouped into organization-level preparation and information system- level preparation.
Table of contents
- • RISK MANAGEMENT ROLES, TASK P-1
- • RISK MANAGEMENT STRATEGY, TASK P-2
- • RISK ASSESSMENT—ORGANIZATION, TASK P-3
- • ORGANIZATIONALLY-TAILORED CONTROL ..., TASK P-4
- • COMMON CONTROL IDENTIFICATION, TASK P-5
- • IMPACT-LEVEL PRIORITIZATION (Optional) 61, TASK P-6
- • CONTINUOUS MONITORING STRATEGY ..., TASK P-7