Details

Risk Management Framework Process (RMF)
Risk Management - Information Assurance
6
Other
Not Applicable
02/17/2016

Cards

Term

RMF Process - Step 1

Definition

Categorize System

  • Categorize the system in accordance with the CNSSI 1253
  • Initiate the Security Plan
  • Register system with DoD Component Cybersecurity Program
  • Assign qualified personnel to RMF roles

Term

RMF Process - Step 2

Definition

Select Security Controls

  • Common Control Identification - Common controls are selected as "common" and provided via the Knowledge Service based on risk assessments conducted by these entities at the Tier 1 and Tier 2 levels
  • Select security controls and Overlay Selection - Identify the security baseline for the system
  • Develop system-level continuous monitoring strategy
  • Review and approve the security plan and continuous monitoring strategy - Develop and document a system-level strategy for the continuous monitoring of the effectiveness of security controls
  • Apply overlays and tailor

OVERLAYS - address additional factors beyond impact (baselines only address impact of loss of confidentiality, integrity, and availability)

ENTERPRISE Tailoring
  • Consistent approach and set of security controls by subject area
  • One-time resource expenditure vs. continued expenditures of single-system tailoring
  • Promotes reciprocity

Term

RMF Process - Step 3

Definition

Implement Security Controls

  • Implement control solutions consistent with DoD Component Cybersecurity architectures
  • Document security control implementation in the security plan

Term

RMF Process - Step 4

Definition

Assess Security Controls

  • Develop and approve Security Assessment Plan
  • Assess security controls
  • SCA prepares Security Assessment Report (SAR)
  • Conduct initial remediation actions

Term

RMF Process - Step 5

Definition

Authorize System

  • Prepare the POA&M
  • Submit Security Authorization Package (security plan, SAR and POA&M) to AO
  • AO conducts final risk determination
  • AO makes authorization decision

Term

RMF Process - Step 6

Definition

Monitor Security Controls

  • Determine impact of changes to the system and environment
  • Assess selected controls annually
  • Conduct needed remediation
  • Update security plan, SAR, and POA&M
  • Report security status to AO
  • AO reviews reported status
  • Implement system decommissioning strategy