RMF – Find Your Path

Before you can begin configuring an IT system for the DoD or working on the required paperwork, you need to find your Risk Management Framework (RMF) path. Major applications, systems and networks require a full RMF package in which security risk is both assessed and formally authorized. IT services and products may require a lesser RMF package in which security risk is assessed only. In this video, Linda Gross explains how security controls protect IT systems and mitigate or remediate system risks.

Prepare and Categorize

Early documentation, a project plan and a preliminary risk assessment are your best first steps on a DoD Risk Management Framework (RMF) path. In this video, Linda Gross provides an overview of the Risk Management Model, the RMF lifecycle process and the security objectives of confidentiality, integrity and availability. Linda then explains the Step 1 (Categorize) activities that apply when a full RMF package is required. In Step 1, key personnel, including the Authorizing Official (AO), are identified and assigned.

Select and Implement

Selecting and implementing security controls are Steps 2 and 3 of the DoD Risk Management Framework (RMF) process. Security controls are the safeguards and countermeasures that, when implemented, protect an information system and mitigate or remediate system risks. In this video, Linda Gross walks through a sample security control and identifies the publications where you will find the baseline controls, control descriptions and parameters. Linda also describes how to complete a security control buildout and verify that the controls operate as intended.

Assess, Authorize and Monitor

Steps 4 and 5 of the DoD Risk Management Framework (RMF) process cover an independent assessment of the security controls and submission of the authorization package to the Authorizing Official, with the goal of receiving an authorization to operate (ATO). Step 6 in this lifecycle approach is monitoring the authorized information system for changes that may be detrimental to its security posture. As Linda Gross explains, this includes configuration management, continuous monitoring, updates, remediation and reporting.