References for RMF
DoDI 8500.01 Cybersecurity
Provides the foundation for establishing a DoD cybersecurity program for the defense of networks, systems and information technology, including definitions of terms, security control guidance, and enterprise governance.
DoDI 8510.01 DoD Risk Management Framework
Establishes the RMF as the DoD process for managing cybersecurity risk to DoD information technology, assigns responsibilities, and details execution of the RMF process.
FedRAMP Federal Risk and Authorization Management Program
A government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a "do once, use many times" framework.
FIPS Publication 199 Security Categorization
Standards to be used by all federal agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels.
FIPS Publication 200 Minimum Security Controls
Specifies minimum security requirements for information and information systems supporting the executive agencies of the federal government and a risk-based process for selecting the security controls necessary to satisfy the minimum security requirements.
NIST SP 800-18 Guide for Developing Security Plans for Federal Information Systems
The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system.
NIST SP 800-39 Managing Information Security Risk
Documents a program for understanding and assessing information security risk within an organization.
NIST SP 800-37 Risk Management Framework
Provides the guiding principles and step-by-step process for applying the RMF to federal information systems, so that security controls are selected, implemented, assessed and monitored consistently across systems.
NIST SP 800-30 Risk Assessment
Documents a strategy for conducting risk assessments on information systems and organizations as a part of an overall risk management process.
NIST SP 800-53 Cybersecurity Controls and Enhancements
Provides the catalog of security controls and control enhancements, and guidance for selecting them, for the purpose of achieving secure operation of information systems.
NIST SP 800-53A Cybersecurity Control Assessment Procedures
Starting point for defining the assessment procedures used to verify the security controls applicable to a given system.
NIST SP 800-115 Technical Guide to Information Security Testing and Assessment
Provides guidelines for organizations on planning and conducting technical information security testing and assessments, analyzing findings, and developing mitigation strategies.
NIST SP 800-137 Information Security Continuous Monitoring
Assists organizations in the implementation of a continuous monitoring strategy.
NIST SP 800-60 Mapping Types of Information to Security Categories
Supports organizations in the process of aligning information and information systems with the appropriate security category in a consistent manner.
NIST SP 800-160 Systems Security Engineering
Provides a comprehensive guideline of the principles and concepts of security engineering for federal information systems.
OMB Circular A-130 Management of Federal Information Resources
This Circular establishes policy for the management of Federal information resources. OMB includes procedural and analytic guidelines for implementing specific aspects of these policies as appendices.
CNSSP 22 Policy on Information Assurance Risk Management for National Security Systems
Serves as the requirement for establishing an organizational Information Assurance risk management policy for National Security Systems.
CNSSI 1253 Security Categorization and Control Selection for National Security Systems
Provides a foundation for selecting and applying security controls from NIST SP 800-53 for implementation on a National Security System.
CNSSI 1253A Implementation and Assessment Procedures
Establishes a guideline for assessing compliance with applicable security controls on a National Security System.
CNSSI 4009 National Information Assurance Glossary
Documents a detailed glossary of Information Assurance terms, minimizing differences in terminology to ensure consistency and standardization.
"The objective of RMF is to achieve visibility into prospective business/mission partners information security programs BEFORE critical/sensitive communications begin…establishing levels of security due diligence". National Institute of Standards and Technology, 2014
© 2018 Secure Manged Instruction Systems, LLC