3350 Riverwood Pkwy #1900, Atlanta, GA 30339

semais@semais.net

NIST Risk Management Framework (RMF)

NIST Risk Management Framework Approach

There are several benefits to using SEMAIS as a resource for RMF. First, the entire organization operates under one process, which gives users, including warfighters, more confidence that the systems they operate every day are secure. Second, reciprocity, the ability to leverage an authorization already granted by one agency across other agencies, can be realized under a single process using our solution strategy. Applying the same security control requirements everywhere enables a consistent approach to measuring cyber risk. Finally, we help standardize the language used for security across the entire federal government.

DoDI 8510.01 Risk Management Framework for DoD IT Implementation

NIST SP 800-53 Security Control Assessment under the Risk Management Framework (RMF)

Transition in Support of DoD IT Risk Management Framework (RMF)

Complete Assessment and Authorization (A&A) Services

Cyber Security Controls and Enhancement Implementation

Cyber Security Controls – Compensating Controls Implementation

Vulnerability Assessment and Penetration Testing

Security Plan & Policy Development

Security Engineering (NIST SP 800-160)

Risk Assessment (NIST SP 800-30)

The Delivery of RMF Security Process

Categorize Information System

Using FIPS 199, FIPS 200, DoDI 8500.01, and DoDI 8510.01, we perform a detailed impact assessment for each security objective (confidentiality, integrity, and availability) and assign the system an impact level (low, moderate, or high) for each objective. That categorization drives every later step, because it determines which control baseline applies.

Select Security Controls

Our SMEs start the security control selection procedure by identifying the initial set of baseline controls from the NIST SP 800-53 control families that corresponds to the system's categorization, then tailor the selected controls based on the system's security requirements, risk factors, applicable overlays, and its security architecture.

Implement Security Controls

Our methodology for security control implementation uses the security design and security architecture employed for the system. The process starts by reviewing the selected controls and the architectural description, then developing an implementation plan for the system or application that records how each control is satisfied.

Assess Security Controls

We start the Security Control Assessment (SCA) by coordinating with the customer on how NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, will be applied to determine whether each control is implemented correctly, operating as intended, and producing the desired outcome. The controls are assessed per the Security Test Plan (STP), which defines the assessment methods (examine, interview, test) and the objects each one covers.

Authorize Information System

We work closely with the customer to assemble the Security Authorization Package (Readiness Assessment Report (RAR), Security Assessment Report (SAR), System Security Plan (SSP), Plan of Action and Milestones (POA&M), and STP) together with its supporting artifacts, submit it via the SCA to the Authorizing Official or Deputy Authorizing Official (AO/DAO) for acceptance, and interpret the AO's risk determination for the customer.

Monitor Security Controls

For continuous monitoring, we use the state of the system at authorization as the reference for determining the security impact of proposed or operational changes. Our methodology extracts the configuration baseline to identify changes from that reference, and tracks the vulnerabilities identified by ACAS (Assured Compliance Assessment Solution) scans and IAVAs (Information Assurance Vulnerability Alerts) so that new findings are fed into the POA&M rather than discovered at reauthorization.

Awards & Certifications