Risk Management Framework (RMF)

RMF 101

The Risk Management Framework (RMF) was developed by the National Institute for Standards and Technology (NIST) to help DoD and Federal agencies manage risks to and from Information Technology (IT) systems more easily, efficiently and effectively. The Risk Management Framework provides a structured, yet flexible approach for managing the portion of risk resulting from the incorporation of information systems into the mission and business processes of the organization; and processes to help  agencies pass FISMA, CCRI Inspections, and OIG Audits. The ongoing assessment and authorization program is based on NIST SP 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems, and  NIST SP 800-137: Information Security Continuous Monitoring for Federal Information Systems and Organization. Our approach builds ongoing assessment and authorization that results in greater transparency into the security posture and enables timely risk-management decisions; and implement safeguards and assurance practices to defend systems.



SEMAIS expertise provide solutions to sustain cybersecurity regulations and standards for the  Risk Management Framework (RMF) and NIST 800-171 - Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.  Our experience extends across Federal and DoD boundaries to support Office of Inspector General (OIG) audits and Command Cyber Readiness Inspections (CCRI) through ensuring the RMF process is initiated, managed, and controlled to maintain required security state of readiness.  Our structured process incorporates NIST SP 800-37, NIST SP 800-53, NIST SP 800-60, DISA STIGS, FedRAMP, FIPS 199, CNSS 1253, and applicable procedures to implement RMF Security Assessment and Authorization (SA&A) required documentation and artifacts.  This structured process provides the solution for systems and applications to receive its Authority to Operate (ATO) on time. Our consultants are experienced with using Enterprise Mission Assurance Support Services (eMASS) and RiskVision to complete a Security Control Assessment (SCA). The consultants initiate the RMF process by following organizational policies and guidance.



Continuous Monitoring

We can perform ongoing assessment and authorization, often referred to as continuous monitoring systems in the Federal Risk and Authorization Management process. Ongoing assessment and authorization is part of the overall risk management framework for information security and is a requirement maintain their Provisional Authorization. SEMAIS provides processes to determine whether the set of deployed security controls in an information system aligns to the security control boundary.


Security-related information collected through continuous monitoring is used to make recurring updates to the System Security Plan (SSP), Security Assessment Report (SAR), and Plan of Action and Milestones (POA&M) via Continuous Monitoring and Risk Scoring. These updated documents and real-time operational feeds keep the security authorization package timely and provide information about security control effectiveness. This allows agencies to make informed risk management decisions as they evolve through the NIST 800-53 process.


RMF Phases

The RMF operates primarily at Tier 3 in the risk management hierarchy but can also have interactions with Tiers 1 and 2 (e.g., providing feedback from ongoing authorization decisions to the risk executive [function], dissemination of updated threat and risk information to authorizing officials and information system owners). The RMF steps particular to Tier 3 include:

  • Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.
  • Select an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions.
  • Implement the security controls and describe how the controls are employed within the information system and its environment of operation.
  • Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
  • Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.
  • Monitor the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.





© 2017 Secure Manged Instruction Systems, LLC 3350 Riverwood Pkwy  Ste 1900 |  Atlanta, Georgia 30339  | Email: semais@semais.net