Why RMF With SEMAIS?
SEMAIS's expertise provides solutions for sustaining compliance with cybersecurity regulations and standards under the Risk Management Framework (RMF) and NIST 800-171 (Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations). Our experience extends across Federal and DoD boundaries to support Office of Inspector General (OIG) audits and Command Cyber Readiness Inspections (CCRI) by ensuring the RMF process is initiated, managed, and controlled to maintain the required security state of readiness. Our structured process incorporates NIST SP 800-37, NIST SP 800-53, NIST SP 800-60, DISA STIGs, FedRAMP, FIPS 199, CNSS 1253, and applicable procedures to produce the documentation and artifacts required for RMF Security Assessment and Authorization (SA&A). This structured process enables systems and applications to receive their Authority to Operate (ATO) on time. Our consultants are experienced with using Enterprise Mission Assurance Support Services (eMASS) and RiskVision to complete a Security Control Assessment (SCA). The consultants initiate the RMF process by following organizational policies and guidance.
We can perform ongoing assessment and authorization, often referred to as continuous monitoring, within the Federal Risk and Authorization Management process. Ongoing assessment and authorization is part of the overall risk management framework for information security and is a requirement for maintaining a Provisional Authorization. SEMAIS provides processes to determine whether the set of deployed security controls in an information system aligns with the security control boundary.
Security-related information collected through continuous monitoring is used to make recurring updates to the System Security Plan (SSP), Security Assessment Report (SAR), and Plan of Action and Milestones (POA&M) via Continuous Monitoring and Risk Scoring. These updated documents and real-time operational feeds keep the security authorization package timely and provide information about security control effectiveness. This allows agencies to make informed risk management decisions as they evolve through the NIST 800-53 process.
The RMF operates primarily at Tier 3 in the risk management hierarchy but can also have interactions with Tiers 1 and 2 (e.g., providing feedback from ongoing authorization decisions to the risk executive [function], dissemination of updated threat and risk information to authorizing officials and information system owners). The RMF steps particular to Tier 3 include:
© 2017 Secure Managed Instruction Systems, LLC 3350 Riverwood Pkwy Ste 1900 | Atlanta, Georgia 30339 | Email: firstname.lastname@example.org