EXECUTING THE RISK MANAGEMENT FRAMEWORK TASKS
This chapter describes the steps and associated tasks that comprise the RMF and the selected individuals or groups (defined organizational roles) that carry out such tasks.[51] Organizations align their risk management roles with complementary or similar roles defined for the SDLC whenever possible, and consistent with missions and business functions. RMF tasks are executed concurrently with, or as part of, the SDLC processes in the organization. Executing RMF tasks concurrently with SDLC processes helps to ensure that organizations are effectively integrating the process of managing information security and privacy risks into SDLC processes. Moreover, the expected outputs required by the RMF (e.g., security and privacy plans, assessment reports, plans of action and milestones) can be routinely obtained from the SDLC processes in place within organizations and may not need to be developed solely for RMF implementation.
RMF ALIGNMENT WITH THE SDLC
The best RMF implementation is one that is indistinguishable from the routine SDLC processes carried out by organizations. That is, RMF tasks are closely aligned with the ongoing activities in the SDLC processes, ensuring the seamless integration of security and privacy protections into organizational systems—and taking maximum advantage of the artifacts generated by the SDLC processes to produce the necessary evidence in authorization packages to facilitate credible, risk-based decision making by senior leaders in organizations.
The process of implementing RMF tasks may vary from organization to organization. While the tasks appear in sequential order, there can be many points in the risk management process that require divergence from the sequential order, including the need for iterative cycles between initial task execution and revisiting tasks. For example, control assessment results can trigger a set of remediation actions by system owners and common control providers, which can in turn require the reassessment of selected controls. Monitoring controls can generate a cycle of tracking changes to the system and its environment of operation; assessing the information security and privacy impact; reassessing controls; taking remediation actions; and reporting the security and privacy posture of the system and the organization.
There may be other opportunities to diverge from the sequential nature of the tasks when it is more effective, efficient, or cost-effective to do so. For example, while the control assessment tasks are listed after the control implementation tasks, organizations may begin the assessment of controls as soon as they are implemented but prior to the complete implementation of all controls described in the system security plans and privacy plans. Assessing controls as soon as they are implemented may result in organizations assessing the physical and environmental protection controls within a facility prior to assessing the controls implemented in the hardware, firmware, or software components of the system (which may be implemented later). Regardless of the task ordering, the final action before a system is placed into operation is the explicit acceptance of risk by the authorizing official.
[51] Appendix D describes the roles and responsibilities of key participants involved in organizational risk management and the execution of the RMF. Many risk management roles defined in this publication have counterpart roles defined in the SDLC process.
The RMF steps and associated tasks can be applied to new development systems and existing systems at appropriate phases in the SDLC. For new and existing systems, organizations ensure that the designated tasks have been completed to prepare for the execution of the RMF. For existing systems, organizations confirm that the security categorization and (for information systems processing PII) a privacy risk assessment have been completed and are appropriate; and that the needed controls have been selected, tailored, and implemented.
Applying the RMF steps and associated tasks to existing systems can serve as a gap analysis to determine if the organization’s security and privacy risks have been effectively managed. Deficiencies in controls can be addressed in the RMF steps for implementation, assessment, authorization, and monitoring in the same manner as in new development systems. If no deficiencies are discovered during the gap analysis and there is a current authorization in effect, the organization can move directly to the continuous monitoring step in the RMF. If a current authorization is not in effect, the organization continues in the usual sequence with the assessment, authorization, and monitoring steps.
The roles specified in the Primary Responsibility section for each RMF task are responsible for ensuring that the task is completed. The roles with primary responsibility may complete a task or may delegate completion of a task to one or more supporting roles except where delegation is specifically prohibited or disallowed in the task Discussion section or Appendix D. If completion of a task is delegated, the role with primary responsibility for that task remains accountable for task completion.
TIPS FOR STREAMLINING RMF IMPLEMENTATION
- Use the tasks and outputs of the Organization-Level and System-Level Prepare Step to promote a consistent starting point within organizations to execute the RMF.
- Maximize the use of common controls to promote standardized, consistent, and cost-effective security and privacy capability inheritance.
- Maximize the use of shared or cloud-based systems, services, and applications where applicable, to reduce the number of organizational authorizations.
- Employ organizationally-tailored control baselines to increase the speed of security and privacy plan development, promote consistency of security and privacy plan content, and address organization-wide threats.
- Employ organization-defined controls based on security and privacy requirements generated from a systems security engineering process.
- Maximize the use of automated tools to manage security categorization; control selection, assessment, and monitoring; and the authorization process.
- Decrease the level of effort and resource expenditures for low-impact systems if those systems cannot adversely affect higher-impact systems through system connections.
- Maximize the reuse of RMF artifacts (e.g., security and privacy assessment results) for standardized hardware/software deployments, including configuration settings.
- Reduce the complexity of the IT/OT infrastructure by eliminating unnecessary systems, system elements, and services — employ the least functionality principle.
- Make the transition to ongoing authorization and use continuous monitoring approaches to reduce the cost and increase the efficiency of security and privacy programs.
DEVELOPING WELL-DEFINED SECURITY AND PRIVACY REQUIREMENTS
The RMF is an SDLC-based process that can be effectively used to help ensure that security and privacy requirements are satisfied for information systems or organizations. Defining clear, consistent, and unambiguous security and privacy requirements is an important element in the successful execution of the RMF. The requirements are defined early in the SDLC in collaboration with the senior leaders and are integrated into the acquisition and procurement processes. For example, organizations can use the [SP 800-160 v1] life cycle-based systems engineering process to define an initial set of security and privacy requirements, which, in turn, can be used to select a set of controls* to satisfy the requirements. The requirements or the controls can be stated in the Request for Proposal or other contractual agreement when organizations acquire systems, system components, or services. Requirements can also be added throughout the life cycle, such as with the agile development methodology, where new features are continuously deployed.
The NIST Cybersecurity Framework [NIST CSF] (i.e., Core, Profiles) can also be used to identify, align, and deconflict security requirements and to subsequently inform the selection of security controls for an organization. Cybersecurity Framework Profiles can provide a link between cybersecurity activities and organizational mission/business objectives, which supports risk-based decision-making throughout the RMF. While Profiles may be used as a starting point to inform control selection and tailoring activities, further evaluation is needed to ensure the appropriate controls are selected. Some organizations may choose to use the Cybersecurity Framework in concert with the NIST Systems Security Engineering publications—identifying, aligning, and deconflicting requirements across a sector, an industry, or an organization—and subsequently employing a systems engineering approach to further refine the requirements and obtain trustworthy secure solutions to help protect the organization’s operations, assets, and individuals.
*See Section 2.3 for specific guidance on privacy control selection and managing privacy risk.
ORGANIZATION AND SYSTEM PREPARATION
Preparation can achieve effective, efficient, and cost-effective execution of risk management processes. The primary objectives of the Prepare step include:
- Facilitate better communication between senior leaders and executives in the C-suite and system owners and operators by:
  - aligning organizational priorities with resource allocation and prioritization at the system level; and
  - conveying acceptable limits regarding the selection and implementation of controls within the established organizational risk tolerance.
- Promote organization-wide identification of common controls and the development of organizationally-tailored control baselines, to reduce the workload on individual system owners and the cost of system development and protection.
- Reduce the complexity of the IT infrastructure by consolidating, standardizing, and optimizing systems, applications, and services through the application of enterprise architecture concepts and models.
- Identify, prioritize, and focus resources on high value assets (as defined in [OMB M-19-03]) that require increased levels of protection.
- Facilitate system readiness for system-specific tasks.
These objectives, if achieved, significantly reduce the information technology footprint and the attack surface of organizations, promote IT modernization objectives, and prioritize security and privacy activities to focus protection strategies on the most critical assets and systems.
Finally, certain tasks in the Prepare step at the organization level are designated as optional. These tasks are included to provide organizations additional options to help make their RMF implementations more effective, efficient, and cost-effective.