Mapping Out the Risk Management Framework

The days of DIACAP are coming to an end. No more Mission Assurance Categories (MAC) and Confidentiality Levels (CL), yes! The DOD and all federal agencies are now adopting a common Risk Management Framework developed by the National Institute of Standards and Technology (NIST) in collaboration with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DOD) and the Committee on National Security Systems (CNSS).

This new Risk Management Framework (RMF), described in NIST Special Publication 800-37, replaces the Certification and Accreditation (C&A) process with six steps designed to ensure that security is addressed early in the system development life cycle rather than bolted on before deployment.


The RMF is an improvement over DIACAP because it emphasizes:

1. Building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls

2. Maintaining awareness of the security state of information systems on an ongoing basis through enhanced monitoring processes

3. Providing essential information to senior leaders to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the operation and use of information systems.

Breaking Down the Steps

The six steps of the RMF process (Categorize, Select, Implement, Assess, Authorize and Monitor), as shown in the diagram above, are briefly explained below to help you understand the overall process. Don't worry, in future posts we will be diving deeper into each step.

So you have already dreamed up what your new system will have and all the cool things it will do for you. In the Categorize step, the information system and each information type it processes, stores, and transmits are categorized (low, moderate or high potential impact for each of confidentiality, integrity and availability) based on an impact analysis. Instructions on how to categorize systems are provided in Federal Information Processing Standard (FIPS) 199 and NIST Special Publication 800-60.

With your system categorization done, you are getting closer to being able to use your new toy. In the Select step, the categorization drives the choice of an initial set of baseline security controls (the low, moderate or high baseline) for the information system. The selection process then entails tailoring and supplementing that baseline as needed based on an organizational assessment of risk and local conditions. Instructions on selecting controls are provided in FIPS 200 and NIST Special Publication 800-53.
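The Categorize and Select steps have a mechanical core that is easy to get wrong by hand: the FIPS 199 high-water mark. The following Python module is an added example, not code from the original post or from NIST; it takes the provisional impact levels of each information type a system handles (the kind of values SP 800-60 Volume II supplies), rolls them up per security objective, and derives the FIPS 200 overall impact level that picks the SP 800-53 baseline. The information types and their levels are constructed for illustration, and the function names are my own.

```python
"""FIPS 199 security categorization and FIPS 200 baseline selection.

Added example, not part of the original post. The information types and
impact levels below are constructed for illustration; real values come from
NIST SP 800-60 Volume II and the organization's own impact analysis.
"""
from dataclasses import dataclass

# Ordinal ranking of the FIPS 199 potential impact values. "NA" (not
# applicable) is permitted only for the confidentiality objective, e.g. for
# public information; integrity and availability are always at least LOW.
LEVELS = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional C/I/A impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def level(self, objective):
        value = getattr(self, objective).upper()
        if value not in LEVELS:
            raise ValueError(f"{self.name}: unknown impact value {value!r}")
        if value == "NA" and objective != "confidentiality":
            raise ValueError(f"{self.name}: NA is only allowed for confidentiality")
        return value


def categorize_system(info_types):
    """FIPS 199 high-water mark: for each objective, the system's impact is
    the highest impact of any information type it processes, stores or
    transmits. Returns a dict mapping objective -> impact level."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return {
        obj: max((t.level(obj) for t in info_types), key=LEVELS.__getitem__)
        for obj in OBJECTIVES
    }


def overall_impact(sc):
    """FIPS 200: the overall impact level, which selects the SP 800-53
    baseline, is the highest of the three objectives. NA contributes nothing,
    and because integrity/availability can never be NA the result is never NA."""
    return max(sc.values(), key=LEVELS.__getitem__)


def fips199_expression(system_name, sc):
    """Render the categorization in the notation FIPS 199 uses, e.g.
    SC system = {(confidentiality, MODERATE), (integrity, MODERATE), ...}."""
    pairs = ", ".join(f"({obj}, {sc[obj]})" for obj in OBJECTIVES)
    return f"SC {system_name} = {{{pairs}}}"


# Constructed sample: a public-facing portal that also holds account records.
SAMPLE_TYPES = [
    InfoType("Public web content", "NA", "LOW", "LOW"),
    InfoType("User account records", "MODERATE", "MODERATE", "LOW"),
    InfoType("Audit logs", "LOW", "MODERATE", "LOW"),
]

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_TYPES)
    print(fips199_expression("portal", sc))
    print("overall impact:", overall_impact(sc), "-> SP 800-53",
          overall_impact(sc).lower(), "baseline (before tailoring)")
```

For the constructed sample the high-water mark yields moderate confidentiality, moderate integrity and low availability, so the system is moderate-impact overall and starts from the moderate baseline. Note that the baseline is only the starting point: tailoring under SP 800-53 (scoping, compensating controls, organization-defined parameters) happens after this calculation, not instead of it.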

In the Implement step, security engineers and IA professionals shine: the controls selected in the previous step are implemented within the information system and its environment of operation, and how each control is implemented is described in the system security plan.

Once security engineers and IA professionals are done showing off and implementing security controls, the Assess step uses appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Guidelines on assessing controls are provided in NIST Special Publication 800-53A.

This is where you get permission to plug your new toy into the network! In the Authorize step, the authorizing official, informed by the risk executive (function) and the results of the control assessment, determines the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from operation of the information system, and decides whether that risk is acceptable. If it is, the system receives an authorization to operate (ATO). Guidelines on authorizing information systems are provided in NIST Special Publication 800-37.

Ok! You have now gotten your toy, but you need to take care of it or it will be taken away from you! Once a system is authorized and deployed, the Monitor step keeps watch over its security controls on an ongoing basis, including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of those changes, and reporting the security state of the system to designated organizational officials. Guidelines on continuous monitoring are available in NIST Special Publication 800-137, with the ongoing control assessments following NIST Special Publication 800-53A.

With DIACAP no longer the standard and RMF here to stay for a while, federal agencies should endeavor to start implementing the prescribed six steps as early in the system development life cycle as possible. This ensures compliance with FISMA and helps identify and mitigate the risk of operating an information system. This posting is the first in a series of RMF-related postings, each focusing on one step of the process and detailing what it entails, the organizational participants, the desired outcomes, etc. So check back with us periodically for more on RMF!
