Risk Management Framework Process Map

This document provides an overview of the Risk Management Framework (RMF) as defined by NIST SP 800-37r1. The RMF is a six-step iterative process for managing risk to federal information systems. It promotes near-real-time risk management and links risk management processes at the system level to organizational strategic goals. The document outlines the roles and responsibilities involved in the RMF process and describes how it incorporates enterprise risk management through a multi-tiered approach.


PNNL-28347

Risk Management Framework Process Map
Prepared for the Federal Energy Management Program

November 2018

ME Mylrea
SNG Gourisetti
M Touhiduzzaman
MD Watson
JE Castleberry

Prepared for the U.S. Department of Energy
under Contract DE-AC05-76RL01830

Acronyms and Abbreviations
AO Authorizing Official
ISO Information System Owner
ISSO Information System Security Officer
NIST National Institute of Standards & Technology
POA&M Plan of Action and Milestones
RAR Risk Assessment Report
RMF Risk Management Framework
SAR Security Assessment Report
SCA Security Control Assessor
SCTM Security Controls Traceability Matrix
SP Special Publication
SSP System Security Plan

Contents
Acronyms and Abbreviations ...................................................................................................................... iii
1.0 Introduction .......................................................................................................................................... 1
2.0 The Risk Management Framework ...................................................................................................... 1
3.0 RMF Roles and Responsibilities .......................................................................................................... 3
4.0 RMF Step 1—Categorize Information System..................................................................................... 4
5.0 RMF Step 2—Select Security Controls ................................................................................................ 4
6.0 RMF Step 3—Implement Security Controls ........................................................................................ 5
7.0 RMF Step 4—Assess Security Controls ............................................................................................... 6
8.0 RMF Step 5—Authorize Information System ...................................................................................... 7
9.0 RMF Step 6—Monitor Security Controls............................................................................................. 8
10.0 References .......................................................................................................................................... 11
Appendix A – Updates to the Risk Management Framework .................................................................. A.1

Figures
1. RMF for Information and Platform Information Technology Systems .................................................... 1
2. Document Mapping for RMF ................................................................................................................... 2
3. Multi-Tiered Risk Management Strategy ................................................................................................. 2

Tables
1. RMF Step 1 – Categorize Information System ......................................................................................... 4
2. RMF Step 2—Select Security Controls .................................................................................................... 5
3. RMF Step 3—Implement Security Controls ............................................................................................. 6
4. RMF Step 4—Assess Security Controls ................................................................................................... 6
5. RMF Step 5—Authorize Information System .......................................................................................... 7
6. RMF Step 6—Monitor Security Controls ................................................................................................. 9

1.0 Introduction
The purpose of this document is to provide an overview of the Risk Management Framework (RMF)
codified in National Institute of Standards & Technology (NIST) Special Publication (SP) 800-37r1 for
the Federal Energy Management Program (FEMP). This document, while accurate, is not an authoritative
source on the management of federal information systems. However, the concepts and process discussed
herein are representative of the data points used to compare the RMF with NIST’s Framework for
Improving Critical Infrastructure Cybersecurity, otherwise known as the cybersecurity framework.

2.0 The Risk Management Framework


The RMF is a six-step process meant to guide individuals responsible for mission processes, whose
success is dependent on information systems, in the development of a cybersecurity program. Among
other things, the RMF promotes near-real-time risk management of information systems; links risk
management processes at the system level with the organization’s strategic goals and risk function; and
establishes responsibility for security controls for information systems within the organization’s defined
boundary (NIST 2010). Figure 1 shows the iterative nature of the six-step RMF process.

Figure 1. RMF for Information and Platform Information Technology Systems (NIST 2010)

The RMF is a living, comprehensive process that requires an appropriate amount of due diligence to be
effective. Figure 2 depicts the available NIST authored guidance documents to assist in each step of the
RMF process.

Figure 2. Document Mapping for RMF

A core concept to the RMF is risk management. The RMF makes use of NIST SP 800-39, Integrated
Enterprise-Wide Risk Management: Organization, Mission, and Information System View. Enterprise risk
management involves a multitiered approach connecting strategic goals with the daily operations of
information systems. Figure 3 depicts this structured risk management process (NIST 2011b).

Figure 3. Multi-Tiered Risk Management Strategy

Tier 1 frames organizational risk and informs all other activities. This is where leaders set priorities and
create policies to achieve strategic objectives. Tier 1 includes, among other things, governance of the
organization to set priorities; the risk executive function to manage organization-wide risks; determination
of the risk management strategy to provide a common framework at all levels of the organization; and the
investment strategy to achieve mission and risk priorities, anticipate risk response needs, and limit
strategic investments to those that align with organizational priorities. Tier 1 sets the direction for Tier 2 managers.

Tier 2 focuses on developing risk-informed mission processes to meet leadership’s stated goals. Tier 2
includes the identification and development of risk-aware mission processes to achieve strategic goals;
the administration of an enterprise architecture to enable mission processes; and establishment of a
consistent information system architecture to cost-effectively ensure resilience of mission-critical
information system assets. Tier 2 builds an organizational infrastructure conducive to the successful
execution of activities at Tier 3.

Tier 3 uses the mission processes developed in Tier 2 and the goals set in Tier 1 to conduct the day-to-day
activities that make the organization successful. Tier 3 addresses risk from an information system
perspective. These activities are the culmination of the organization’s risk management strategy and
ensure that individual systems are secure, reliable, and available to execute mission processes.

In October 2018, NIST announced the final draft of NIST SP 800-37, revision 2 that modifies the RMF
process. The modification is discussed in Appendix A; however, because most organizations will be slow
to transition to version 2, this paper focuses on the initial version of the RMF.

3.0 RMF Roles and Responsibilities


The RMF identifies 13 roles and responsibilities of key participants in the organization’s risk
management. It is not necessary for each role to exist within the organization, but the duties performed
must be accomplished diligently and be assigned to individuals or groups that do not have conflicting
interests.

Risk management roles and responsibilities include the following:


• Chief Executive Officer—Responsible for the organization’s success.
• Risk Executive—Responsible for the organization’s risk program.
• Chief Information Officer—Responsible for designating a senior information security officer;
developing and maintaining information security policies, procedures, and control techniques;
overseeing personnel; and assisting senior leaders on all security responsibilities.
• Information Owner—Holds statutory, management, or operational authority over specified information
and is responsible for establishing the policies and procedures governing its generation, collection,
processing, dissemination, and disposal.
• Senior Information Security Officer—Responsible for carrying out the chief information officer
security responsibilities and serving as the primary interface between senior managers and
information system owners.
• Authorizing Official (AO) or Designated Representative—Responsible for accepting an information
system into an operational environment at a known risk level.
• Common Control Provider—Responsible for developing, implementing, assessing, and monitoring
common security controls.
• Information System Owner (ISO)—Responsible for procuring, developing, integrating, modifying,
operating, and maintaining an information system.
• Information System Security Officer (ISSO)—Responsible for ensuring that the appropriate
operational security posture is maintained for an information system.
• Information Security Architect—Responsible for ensuring that the information security requirements
necessary to protect the organization’s core missions and business processes are adequately addressed
in all aspects of enterprise architecture.
• Information System Security Manager (ISSM)—Responsible for conducting information system
security management activities as designated by the ISSO. They develop and maintain the system-
level cybersecurity program.
• Security Control Assessor (SCA)—Responsible for conducting a thorough assessment of the
management, operational, and technical security controls of an information system.

4.0 RMF Step 1—Categorize Information System


To categorize an information system, first categorize the information on the system according to the
potential impact of a loss of its confidentiality, integrity, and availability. Table 1 lists the subtasks under
Step 1, shows who is responsible for each, and describes each subtask’s deliverable.

Table 1. RMF Step 1 – Categorize Information System


| Supporting Tasks | Primary Responsibility | References | Deliverable(s) |
|---|---|---|---|
| Task 1-1—Categorize the information system and document the results in the System Security Plan (SSP). | ISO or Information Owner/Steward | NIST SP 800-30, NIST SP 800-39, NIST SP 800-59, NIST SP 800-60, CNSSI 1253, FIPS 199 | Draft SSP with System Categorization filled in |
| Task 1-2—Describe the information system (including system boundary) and document the description in the SSP. | ISO | NIST SP 800-37 | Updated SSP to include a description of the information system |
| Task 1-3—Register the information system with the appropriate organizational program management offices. | ISO | eMASS, https://emass-army.csd.disa.mil/ | Document or enter in the information technology registry with the official system name, system owner, and categorization |

5.0 RMF Step 2—Select Security Controls


Using the appropriate baseline and overlays, select security controls and then tailor them as required to
prevent security breaches of the information system. Table 2 lists the Step 2 subtasks, the role responsible
for each subtask, and the expected deliverable.

Table 2. RMF Step 2—Select Security Controls
| Supporting Tasks | Primary Responsibility | Reference | Deliverable(s) |
|---|---|---|---|
| Task 2-1—Identify the security controls that are provided by the organization as common controls for organizational information systems and document the controls in the SSP. | ISO, ISSM/ISSO, SCA | NIST SP 800-30, NIST SP 800-53, CNSSI 1253, FIPS 199, FIPS 200 | Document the common controls in the SSP/Security Controls Traceability Matrix (SCTM) |
| Task 2-2—Select the security controls for the information system (i.e., baseline, overlays, tailored) and document the controls in the SSP. | ISO | NIST SP 800-30, NIST SP 800-53, CNSSI 1253, FIPS 199, FIPS 200 | Document the selected security controls in the SSP, draft Risk Assessment Report (RAR) |
| Task 2-3—Develop a strategy for the continuous monitoring of security control effectiveness and any proposed or actual changes to the information system and its environment of operation. | ISO | NIST SP 800-30, NIST SP 800-53, NIST SP 800-53A, NIST SP 800-137, CNSSI 1253 | Documented and approved Continuous Monitoring Plan/Strategy including frequency of monitoring for each control |
| Task 2-4—Review and approve the draft SSP by the AO. | AO, ISSM/ISSO | NIST SP 800-30, NIST SP 800-53, CNSSI 1253 | Documented and approved draft SSP |

6.0 RMF Step 3—Implement Security Controls


Implement security controls selected in Step 2 on the information system. Table 3 lists the Step 3
subtasks, deliverables, and responsible role.

Table 3. RMF Step 3—Implement Security Controls
| Supporting Tasks | Primary Responsibility | References | Deliverable(s) |
|---|---|---|---|
| Task 3-1—Implement security controls specified in the SSP. | ISO | NIST SP 800-37, NIST SP 800-30, NIST SP 800-53, NIST SP 800-53A, CNSSI 1253, web: SCAP.NIST.GOV, FIPS 200 | |
| Task 3-2—Document the security control implementation as appropriate in the SSP, providing a functional description of the control implementation. | ISO; ISSM/ISSO | NIST SP 800-53, CNSSI 1253 | Updated SSP with information describing how security controls are implemented |

7.0 RMF Step 4—Assess Security Controls


Determine the extent to which the security controls are implemented correctly, operating as intended, and
producing the desired outcome in meeting security requirements. Table 4 lists the Step 4 subtasks,
deliverables, and responsible roles.

Table 4. RMF Step 4—Assess Security Controls


| Supporting Tasks | Primary Responsibility | References | Deliverable(s) |
|---|---|---|---|
| Task 4-1—Develop, review, and approve a plan to assess the security controls. | ISSM/ISSO, SCA | NIST SP 800-53A | Security Assessment Plan |
| Task 4-2—Assess the security controls in accordance with the assessment procedures defined in the Security Assessment Plan. Document the security control implementation, as appropriate, in the SSP, providing a functional description of the control implementation. | SCA | NIST SP 800-53A | Individual test results for each test or matrix for all tests |
| Task 4-3—Prepare the Security Assessment Report (SAR), documenting the issues, findings, and recommendations for the security control assessment. | | NIST SP 800-53A | SAR |
| Task 4-4—Conduct initial remedial actions on security controls based on the findings and recommendations of the SAR and reassess remediated control(s), as appropriate. | ISO, SCA, ISSM/ISSO | NIST SP 800-30, NIST SP 800-53A | Updated RAR |

8.0 RMF Step 5—Authorize Information System


Based on the Security Authorization Package, determine the risk to organizational operations, organizational
assets, individuals, other organizations, or the nation, and decide whether that risk is acceptable. Table 5
lists the Step 5 subtasks, deliverables, and responsible roles.

Table 5. RMF Step 5—Authorize Information System


| Supporting Tasks | Primary Responsibility | Reference | Deliverable(s) |
|---|---|---|---|
| Task 5-1—Prepare the Plan of Action and Milestones (POA&M) based on the findings and recommendations of the SAR, excluding any remediation actions taken. | SCA (documents initial findings); ISO (completes POA&M; adds additional items) | NIST SP 800-30, NIST SP 800-53A, OMB Memo 02-01 | POA&M |
| Task 5-2—Assemble the Security Authorization Package to include artifacts and submit the package to the AO for adjudication. | ISO, ISSM/ISSO, SCA | NIST SP 800-37 | Security Authorization Package; artifacts include SSP, SAR, POA&M, RAR, and Continuous Monitoring Plan |
| Task 5-3—Determine the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the nation. | AO | NIST SP 800-30, NIST SP 800-39 | |
| Task 5-4—Determine if risk to organizational operations, organizational assets, individuals, other organizations, or the nation is acceptable. | AO | NIST SP 800-39 | Authorization decision document (e.g., Authority to Operate, Denied Authorization to Operate, and Interim Authorization to Test) |

By the end of RMF Step 5, the documents submitted in the Security Authorization Package include, at a
minimum, the following:
• SSP/SCTM—Provides an overview of security requirements, a description of the agreed-upon controls,
and other supporting security-related information.
• RAR—Defines the organizationally established level of acceptable risk associated with the operation
of an information technology system at a specific level, identifies risks, and provides an assessed
residual risk level for the system.
• Continuous Monitoring Plan—Provides the strategy to routinely evaluate selected information
assurance controls/metrics. Reference NIST SP 800-137, Information Security Continuous
Monitoring for Federal Information Systems and Organizations (NIST 2011a).
• SAR—Contains security control assessment results and recommended corrective actions for
security-control weaknesses and deficiencies.
• POA&M—Defines plans of action and milestones for correcting weaknesses or deficiencies
and reducing or eliminating known vulnerabilities, and identifies completion dates.

9.0 RMF Step 6—Monitor Security Controls


Assess and track the security state of an information system and its operational environment on an
ongoing basis. Table 6 lists the Step 6 subtasks, deliverables, and responsible roles.

Table 6. RMF Step 6—Monitor Security Controls
| Supporting Tasks | Primary Responsibility | Reference | Deliverable(s) |
|---|---|---|---|
| Task 6-1—Determine the security impact of proposed or actual changes to the information system and its environment of operation. | ISO, ISSO/ISSM | NIST SP 800-30, NIST SP 800-53A | Change Request |
| Task 6-2—Assess a selected subset of security controls employed within and inherited by the information system in accordance with the organization-defined monitoring strategy. | SCA, ISSO/ISSM | NIST SP 800-53A, NIST SP 800-137 | Periodic Continuous Monitoring Report |
| Task 6-3—Conduct remediation action based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in the POA&M. | ISO, ISSM/ISSO | NIST SP 800-30, NIST SP 800-53, NIST SP 800-53A, CNSSI 1253 | Documented evidence of correction such as scan results, registry “dump,” etc. |
| Task 6-4—Update the SSP, SAR, and POA&M based on the results of the continuous monitoring process. | ISO | NIST SP 800-53A | SSP, SAR, RAR, and POA&M |
| Task 6-5—Regularly report the security status of the information system (including the effectiveness of security controls employed within and inherited by the information system) to the AO and other appropriate organizational officials, in accordance with the monitoring strategy. | ISO | NIST SP 800-53A | Periodic Continuous Monitoring Report |
| Task 6-6—Regularly review the reported security status of the information system (including the effectiveness of security controls employed within and inherited by the information system) in accordance with the monitoring strategy to determine whether there is risk to organizational operations, organizational assets, individuals, other organizations, or the nation. | AO | NIST SP 800-30, NIST SP 800-39 | Authority to Operate |
| Task 6-7—Implement an information system decommissioning strategy, when needed, that executes required actions when a system is removed from service. | ISO | NIST SP 800-30, NIST SP 800-53A | Updated system inventory |

10.0 References
NIST. 2010. NIST Special Publication 800-37, Revision 1, Guide for Applying the Risk Management
Framework to Federal Information Systems: A Security Life Cycle Approach. National Institute of
Standards and Technology, February 2010.
http://www.nist.gov/manuscript-publication-search.cfm?pub_id=904985.

NIST. 2011a. NIST Special Publication 800-137, Information Security Continuous Monitoring (ISCM)
for Federal Information Systems and Organizations. National Institute of Standards and Technology,
September 2011. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf.

NIST. 2011b. NIST Special Publication 800-39, Managing Information Security Risk: Organization,
Mission, and Information System View. National Institute of Standards and Technology, March 2011.
https://csrc.nist.gov/publications/detail/sp/800-39/final

NIST. 2018. NIST Special Publication 800-37, Revision 2, A System Life Cycle Approach for Security
and Privacy. National Institute of Standards and Technology, October 2018.
https://csrc.nist.gov/CSRC/media/Publications/sp/800-37/rev-2/draft/documents/sp800-37r2-draft-fpd.pdf

Appendix A

Updates to the Risk Management Framework
The National Institute of Standards & Technology (NIST) released the draft of Special Publication (SP)
800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A System
Life Cycle Approach for Security and Privacy. This update is based on the Executive Order 13800,
Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Below are the major
objectives of the update:
• Establish preparatory activities at all risk management levels to provide more effective and efficient
execution of the RMF
• Demonstrate how the NIST cybersecurity framework aligns with the NIST risk management process
• Integrate the privacy risk management process documented in NISTIR 8062 into the RMF to support
the privacy protection needs for which privacy programs are responsible
• Align NIST SP 800-160 with the RMF to promote the development of trustworthy, secure software
systems

In version 2, one of the key changes to the RMF is the addition of the Prepare step. Preparation is critical at tier 1
(organization) and tier 2 (mission/business process) to execute the RMF efficiently (NIST 2018). The
Prepare step comprises the essential activities at the organization, mission and business process, and
information system levels that ready the enterprise to manage security and privacy risk appropriately
throughout the organization. In version 2, the Prepare step is defined as:

Execute the RMF from an organization- and a system-level perspective by establishing a
context and priorities for managing security and privacy risk.

Figure A.1 shows the steps in the RMF according to version 2. Here, the Prepare step is carried out
iteratively throughout the RMF process.

Figure A.1. Risk Management Framework

Table A.1 summarizes the Prepare tasks, their outcomes, and the NIST cybersecurity framework (CSF)
domain each task aligns with. The table covers both the organization and system levels.

Table A.1. Prepare Task and Outcome
| Level | Task | Title | Outcome | CSF align |
|---|---|---|---|---|
| Organization | P-1 | Risk management roles | Individuals are identified and assigned key roles for executing the Risk Management Framework. | ID.AM-6; ID.GV-2 |
| Organization | P-2 | Risk management strategy | A risk management strategy for the organization that includes a determination and expression of organizational risk tolerance is established. | ID.RM; ID.SC |
| Organization | P-3 | Risk assessment—organization | An organization-wide risk assessment is completed or an existing risk assessment is updated. | ID.RA; ID.SC-2 |
| Organization | P-4 | Organization-wide tailored control baselines and profiles (optional) | Tailored control baselines for organization-wide use are established and made available. | Profile |
| Organization | P-5 | Common control identification | Common controls that are available for inheritance by organizational systems are identified, documented, and published. | |
| Organization | P-6 | Impact-level prioritization (optional) | A prioritization of organizational systems with the same impact level is conducted. | ID.AM-5 |
| Organization | P-7 | Continuous monitoring strategy—organization | An organization-wide strategy for monitoring control effectiveness is developed and implemented. | DE.CM; ID.SC-4 |
| System | P-8 | Mission or business focus | Missions, business functions, and mission/business processes that the system is intended to support are identified. | Profile; Implementation Tiers; ID.BE |
| System | P-9 | System stakeholders | The stakeholders having an interest in the system are identified. | ID.AM; ID.BE |
| System | P-10 | Asset identification | Stakeholder assets are identified and prioritized. | ID.AM |
| System | P-11 | Authorization boundary | The authorization boundary (i.e., system) is determined. | |
| System | P-12 | Information types | The types of information processed, stored, and transmitted by the system are identified. | ID.AM-5 |
| System | P-13 | Information life cycle | All stages of the information life cycle are identified and understood. | |
| System | P-14 | Risk assessment—system | A system-level risk assessment is completed or an existing risk assessment is updated. | ID.RA; ID.SC-2 |
| System | P-15 | Security and privacy requirements | Security and privacy requirements are defined and prioritized. | ID.GV; PR.IP |
| System | P-16 | Enterprise architecture | The placement of the system within the enterprise architecture is determined. | |
| System | P-17 | System registration | The system is registered for purposes of management, accountability, coordination, and oversight. | ID.GV |
