By Lon J. Berman, CISSP, RDRP
Q. The Risk Management Framework (RMF) life cycle is comprised of how many steps?
A. Oh, that’s easy, it’s six.
Well … not so fast.
As you probably know, the Risk Management Framework (RMF) has always been described as a six step process, to wit: 1-Categorize, 2-Select, 3-Implement, 4-Assess, 5-Authorize, 6-Monitor. The “traditional” pictorial view of the RMF life cycle (from NIST Special Publication 800-37 Rev 1) is shown in Figure 1 below.
This six step process was also adopted in DoD Instruction 8510.01, “Risk Management Framework for DoD IT”.
In NIST Special Publication 800-37 Rev 2, a significant revision was made to the RMF life cycle: a new “Prepare” step was added. The activities in the Prepare step provide information that feeds into the traditional six steps, as shown in Figure 2 below.
NIST further divides the activities in the Prepare step into “Organization level activities” and “System level activities”. Organization level tasks include assignment of RMF roles, initial risk assessment, common control identification, continuous monitoring strategy, and more. System level tasks include asset identification, system boundary determination, identification of information types, system registration, and more. RMF has thus morphed into a seven step process, but to preserve the numbering of the traditional six steps, the Prepare step is sometimes referred to as “Step 0”.
DoD has yet to update DoDI 8510.01 to reflect the seven step RMF process. That said, you should note that the References section of DoDI 8510.01 cites the NIST publication as follows: “NIST Special Publication 800-37 … as amended”. It is therefore safe to assume DoD has fully embraced the revised RMF life cycle, and we can expect this to be reflected in the next publication of DoDI 8510.01.
So, the proper answer to the question “RMF is comprised of how many steps?” is “Seven, and they are numbered zero through six”!