NIST Risk Management Framework (RMF)
NIST Risk Management Framework Approach
There are several benefits to using SEMAIS as a resource element for RMF. First, the entire organization operates under one process, which gives users, including warfighters, more confidence that the systems they operate daily are secure. Next, reciprocity, the ability to leverage a previously granted authorization across agencies, can be realized under a single process by using our solution strategy. Using the same security control requirements enables a more standard approach to measuring cyber risk. Additionally, we help standardize the language used for security across the entire federal government.
DoDI 8510.01 Risk Management Framework for DoD IT Implementation
NIST SP 800-53 Risk Management Framework (RMF) Assessment
Transition in Support of DoD IT Risk Management Framework (RMF)
Complete Assessment and Authorization (A&A) Services
Cyber Security Controls and Enhancement Implementation
Cyber Security Controls – Compensating Controls Implementation
Vulnerability Assessment and Penetration Testing
Security Plan & Policy Development
Security Engineering (NIST SP 800-160)
Risk Assessment (NIST SP 800-30)
The Delivery of RMF Security Process
Categorize Information System
Using FIPS 199, FIPS 200, DoDI 8500.01, and DoDI 8510.01, we perform a detailed impact assessment for each security objective (Confidentiality, Integrity, Availability) to determine the security categorization of the system.
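The categorization step above is a high-water-mark computation: FIPS 199 assigns each information type on the system an impact level per security objective, the system's level for each objective is the highest level among its information types, and FIPS 200 takes the highest of the three objectives as the overall impact level used to pick the SP 800-53 baseline. The following Python is an added illustration of that computation, not SEMAIS's own tooling; the information types and their provisional impact levels are constructed sample data, not values taken from NIST SP 800-60.

```python
"""FIPS 199 security categorization by high-water mark.

Added illustration, not SEMAIS's own tooling. The information types and
provisional impact levels below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# FIPS 199 impact levels, ordered from lowest to highest.
LEVELS = ("LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One information type with its provisional impact level per objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def level(self, objective: str) -> str:
        value = getattr(self, objective)
        if value not in LEVELS:
            raise ValueError(f"{self.name}: invalid impact level {value!r}")
        return value


def high_water_mark(levels: Iterable[str]) -> str:
    """Return the highest FIPS 199 impact level present in `levels`."""
    ranked = [LEVELS.index(level) for level in levels]
    return LEVELS[max(ranked)]


def categorize_system(info_types: Iterable[InformationType]) -> Dict[str, str]:
    """Per-objective security category of the system (FIPS 199, section 3)."""
    types: List[InformationType] = list(info_types)
    if not types:
        raise ValueError("at least one information type is required")
    return {obj: high_water_mark(t.level(obj) for t in types) for obj in OBJECTIVES}


def overall_impact(category: Dict[str, str]) -> str:
    """FIPS 200 overall impact level: the highest of the three objectives."""
    return high_water_mark(category[obj] for obj in OBJECTIVES)


def format_category(category: Dict[str, str]) -> str:
    """Render the category in the SC = {...} notation used by FIPS 199."""
    parts = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


# Constructed sample information types (not NIST SP 800-60 values).
SAMPLE_TYPES = [
    InformationType("mission planning data", "HIGH", "MODERATE", "MODERATE"),
    InformationType("personnel records (PII)", "MODERATE", "MODERATE", "LOW"),
    InformationType("public web content", "LOW", "MODERATE", "LOW"),
]

if __name__ == "__main__":
    category = categorize_system(SAMPLE_TYPES)
    print(format_category(category))
    print("overall impact level:", overall_impact(category))
```

Note that DoD systems categorized under DoDI 8510.01 keep the three objective levels separate when selecting controls rather than collapsing them to one overall level, so `overall_impact` applies to the FIPS 200 baseline selection and `categorize_system` to both.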
Select Security Controls
Our SMEs start the security control selection procedure by identifying an initial set of baseline controls from the NIST SP 800-53 control families, then tailor the selected controls based on security requirements, risk factors, overlays, and the security architecture.
Implement Security Controls
Our methodology for security control implementation is to work from the security design and security architecture employed for the system. The process starts by reviewing the selected controls and the architectural description, then developing an implementation plan for the system or application.
Assess Security Controls
We start the Security Control Assessment (SCA) by coordinating with the customer on how to apply NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, to determine which controls have been fully implemented. This is achieved by assessing the security controls per the Security Test Plan (STP).
Authorize Information System
We work closely with the customer to assemble the Security Authorization Package (Readiness Assessment Report (RAR), Security Assessment Report (SAR), System Security Plan (SSP), POA&M, and STP), submit it via the SCA to the Authorizing Official or Deputy Authorizing Official (AO/DAO) for acceptance together with the supporting artifacts, and interpret the AO's risk determination.
Monitor Security Controls
For continuous monitoring, we use the authorized initial state to determine the security impact of proposed or operational changes. Our methodology extracts the configuration baseline to identify changes, together with vulnerabilities identified by ACAS scans and IAVAs.
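The monitoring step above compares the authorized configuration baseline against the system's current state and routes each change into security impact analysis (SP 800-53 control CM-4) where it touches a security-relevant control. The following Python is an added example of that comparison, not SEMAIS's own methodology or tooling; both snapshots are constructed sample data, and the mapping from setting names to SP 800-53 control families, and the rule for which families trigger impact analysis, are assumptions made for the illustration.

```python
"""Configuration-baseline change detection for RMF continuous monitoring.

Added example, not SEMAIS's own methodology or tooling. Both snapshots are
constructed sample data; the setting-to-control-family mapping and the
"security-relevant" rule are assumptions made for the illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed baseline captured at authorization time...
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.Protocol": "2",
    "audit.enabled": "yes",
    "tls.min_version": "1.2",
    "pkg.openssl": "1.1.1k",
}
# ...and a constructed later snapshot of the same host.
CURRENT = {
    "ssh.PermitRootLogin": "yes",   # drift: root login re-enabled
    "ssh.Protocol": "2",
    "audit.enabled": "no",          # drift: auditing switched off
    "tls.min_version": "1.2",
    "pkg.openssl": "1.1.1l",        # routine patch
    "ftp.enabled": "yes",           # new service absent from the baseline
}

# Hypothetical mapping: setting-name prefix -> SP 800-53 control family.
CONTROL_MAP = {"ssh.": "AC", "audit.": "AU", "tls.": "SC", "pkg.": "SI"}

# Assumed policy: drift in these families always needs CM-4 impact analysis.
SECURITY_RELEVANT_FAMILIES = {"AC", "AU", "SC"}


@dataclass(frozen=True)
class Change:
    setting: str
    old: Optional[str]
    new: Optional[str]
    kind: str      # "added", "removed" or "modified"
    family: str    # SP 800-53 control family, or "UNMAPPED"


def control_family(setting: str) -> str:
    """Map a setting to its control family; unknown settings are UNMAPPED."""
    for prefix, family in CONTROL_MAP.items():
        if setting.startswith(prefix):
            return family
    return "UNMAPPED"


def compare_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> List[Change]:
    """Return every setting whose value differs between the two snapshots."""
    changes: List[Change] = []
    for setting in sorted(set(baseline) | set(current)):
        old, new = baseline.get(setting), current.get(setting)
        if old == new:
            continue
        kind = "added" if old is None else "removed" if new is None else "modified"
        changes.append(Change(setting, old, new, kind, control_family(setting)))
    return changes


def needs_impact_analysis(change: Change) -> bool:
    """Flag drift in security-relevant families, and unmapped settings whose risk is unknown."""
    return change.family in SECURITY_RELEVANT_FAMILIES or change.family == "UNMAPPED"


def monitoring_report(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[Change]]:
    """Split detected changes into those needing CM-4 analysis and the rest."""
    changes = compare_baseline(baseline, current)
    flagged = [c for c in changes if needs_impact_analysis(c)]
    return {"changes": changes, "flagged": flagged}


if __name__ == "__main__":
    report = monitoring_report(BASELINE, CURRENT)
    for change in report["changes"]:
        tag = "IMPACT ANALYSIS" if change in report["flagged"] else "routine"
        print(f"{change.setting}: {change.old!r} -> {change.new!r} "
              f"[{change.kind}, {change.family}] {tag}")
```

Unmapped settings are deliberately flagged rather than ignored: a setting the baseline does not know about is exactly the kind of change whose security impact has not yet been assessed.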
© 2018 Secure Managed Instruction Systems, LLC