Industry:Project Review/NIST SP 800-37r1 FPD Chapter 3

CHAPTER THREE

THE PROCESS

EXECUTING THE RISK MANAGEMENT FRAMEWORK TASKS

This chapter describes the process of applying the Risk Management Framework (RMF) to federal information systems. The process includes a set of well-defined risk-related tasks that are to be carried out by selected individuals or groups within the organization (e.g., risk executive (function), authorizing official, authorizing official designated representative, chief information officer, senior information security officer, enterprise architect, information security architect, information owner/steward, information system owner, common control provider, information system security officer, and security control assessor). The RMF extends beyond the organization to external providers (e.g., providers of security controls in external environments). Each RMF task description includes the individual or group with the primary responsibility for carrying out the task, the supporting roles that may be called upon to assist in completing the task, the system development life cycle phase most closely associated with the task, supplemental guidance to help explain how the task is executed, and appropriate references for publications or Web sites with information related to the task.

The RMF tasks can be applied at appropriate phases in the system development life cycle. While the tasks appear in sequential order, there can be many points in the risk management process that require divergence from the sequential order. For example, the results from security control assessments can trigger remediation actions on the part of an information system owner, which can in turn require the reassessment of selected controls. Monitoring the security controls in an information system can also generate a potential cycle of tracking changes to the system and its environment of operation, conducting security impact analyses, taking remediation actions, reassessing security controls, and reporting the security status of the system. There may also be other opportunities to diverge from the sequential nature of the tasks when it is more efficient or cost-effective to do so. For example, while the security control assessment tasks are listed after the security control implementation tasks, some organizations may choose to begin the assessment of certain controls as soon as they are implemented but prior to the complete implementation of all controls described in the security plan. This may result in the organization assessing the physical and environmental protection controls within a facility prior to assessing the security controls employed in the hardware and software components of the information system (which may be implemented at a later time).

The process of implementing the RMF tasks (i.e., the order and manner in which the tasks occur and are executed, the names of primary/supporting roles, the names and format of artifacts) may vary from organization to organization. The security categorization process influences the level of effort expended when implementing the RMF. Information systems supporting the most critical and/or sensitive operations and assets within the organization, as indicated by the security categorization process, demand the greatest level of attention and effort to ensure that appropriate information security and risk mitigation are achieved. A summary table of the RMF tasks is provided in Appendix E.