Risk Management Framework

The Risk Management Framework (RMF) activities are performed on systems throughout the year. The premise of conducting an assessment and/or authorization once every three (3) years has been changed through the continuous monitoring requirements issued by the Office of Management and Budget (OMB) and NIST Special Publications.

The system owner is required to assess the condition of security controls annually and to receive a new accreditation decision from the Authorizing Official (AO) when (1) the system has experienced a Significant Change as defined by NIST SP 800-37 Rev. 2, or (2) a new Authorizing Official directs this action.

This chart graphically communicates the seven phases of the RMF process, as defined by NIST Special Publication 800-37 Revision 2. When performing RMF on a Major Application, General Support System, Critical or Listed System, a series of security program artifacts is reviewed and its content is validated through stakeholder involvement, Security Control Assessment (SCA), and reviews of relevant documentation. This chart describes the four phases, associated tasks, activities and stakeholder responsibilities.

The green color identifies the certification agent responsibilities during the initiation and certification phases. An Agency or Commercial organization should use this chart to create the Risk Management Manual, educate security and privacy professionals, and standardize RMF activities. Additional uses of this chart include:

  • Development and Validation of your Risk Management Policies, Standards, and Manual/Guide
  • Defining Roles and Responsibilities
  • Developing a Project Management Plan
  • Educating Stakeholders, System Owners and Security & Privacy Professionals
  • Human Resources – Conducting Resume Reviews and Candidate Interviews