The Risk Management Framework (RMF) Key Players Decision Authorities Element Head Authorizing Official (AO) Designated Authorizing Official (DAO) Implementer & Operations Support Information System Owner (ISO) Information System Security Officer (ISSO)/Information System Security Manager (ISSM) Common Control Provider (CCP) Information System Security Engineer (ISSE) Advisors to AO/DAO Risk Executive Function (REF) Chief Information Office (CIO) Chief Information Security Officer (CISO) DAO Rep Assessors & Mission Data Owners Certification Agent (CA) Delegated Certification Agent (DCA) Security Control Assessor (SCA) Information Steward/ PSO NRO Documents 1 Identify system, its boundaries and purpose; categorize info type; conduct initial threat and risk assessment. 4 Determine security control effectiveness. NI 52-5-1: NRO implementation of RMF IASD: NRO controls Key Players: CA/DCA/SCA, ISSE, ISSO, ISSM, PSO Deliverables: CTP, SSP (v4), SAP (final), RMM, SAR Policy Documents Key Players: ISO, PSO, DAO/DAO Rep, DCA/SCA, ISSO, ISSE, ISSM Deliverables: Cat. Wrksht or SSP (v1) , RMM ICD 503: IC Directive to use RMF CNSSP 22: High level policy on Risk Management CNSSI 1253: Categorization for NSS NIST SP 800-53: Controls catalog NIST SP 800-37: RMF NIST SP 800-53A: Guide for Assessment procedures NIST SP 800-30: Guide for how to do Risk Management NIST SP 800-39: Overall Risk Management guide NIST SP 800-47: Interconnection guidance NIST SP 800-60: Information types CNSSI 4009: IA Glossary NIST SP 800-137: Continuous Monitoring 5 Determine risk to NRO operations & assets, other organizations, and the Nation; if acceptable risk, authorize operation. 2 Select security controls; apply tailoring guidance and supplemental controls as needed based on risk assessment. Key Players: AO/DAO/DAO Rep, ISO, ISSO, PSO Deliverables (Final): POA&M, SAR, SSP Key Players: ISO, AO/DAO/DAO Rep, DCA/SCA, ISSE, ISSO Deliverables: SSP (v2), Continuous Monitoring Strategy, RMM, SAP (draft) 6 Continuously track changes to IS that may affect security controls and reassess control effectiveness. 3 Implement security controls; apply security configuration settings. Key Players: ISO, CCP, PSO, ISSO, AO/DAO/DAO Rep, CA/DCA/SCA Deliverables: Updating Key Players: ISO, ISSO, ISSE, ISSM, PSO, SCA Deliverables: CTP, RMM, SSP (v3)

The Risk Management Framework (RMF) A&A: Assessment and Authorization AO: Authorizing Official ATO: Authorization to Operate A IA: Information Assurance IASD: Information Assurance Standards Document IATT: Interim Approval to Test ICD: Intelligence Community Directive IS: Information System ISA: Interconnection Security Agreement ISA: Information System Architect ISAP: Integrated Security Assessment Program ISO: Information System Owner ISSE: Information System Security Engineer ISSM: Information System Security Manager ISSO: Information System Security Officer IT: Information Technology I Q REF: Risk Executive Function RMF: Risk Management Framework RMM: Risk Management Matrix R B SAISO: Senior Agency Information Security Officer SAP: Security Assessment Plan SAR: Security Assessment Report SAT: Site Acceptance Testing SCA: Security Control Assessor SDLC: System Development Lifecycle SRTM: Security Requirements Traceability Matrix SSP: System Security Plan S CA: Certification Agent CCP: Common Control Provider CIO: Chief Information Office CIA: Confidentiality, Integrity, Availability CIAO: Composite Information Assurance Office CISO: Chief Information Security Officer CNSSI: Committee on National Security Systems Instruction CTP: Certification Test Plan C J TRR: Test Readiness Review TSB: Technical Security Branch T K DAO: Designated Authorizing Official DCA: Delegated Certification Agent DRP: Disaster Recovery Plan D L U M E V NIST: National Institute of Standards and Technology N FAT: Factory Acceptance Testing F W X O G Y POA&M: Plan of Actions and Milestones PSO: Program Security Officer P H Z