This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Industry:Project Review/NIST SP 800-37r1 FPD Appendix E

From OWASP
Jump to: navigation, search

APPENDIX E

SUMMARY OF RMF TASKS

LISTING OF PRIMARY RESPONSIBILITIES AND SUPPORTING ROLES


RMF TASKS
PRIMARY RESPONSIBILITY
SUPPORTING ROLES
RMF Step 1: Categorize Information System
TASK 1-1
Security Categorization
Categorize the information system and document the results of the security categorization in the security plan.
Information System Owner
Information Owner/Steward
Risk Executive (Function)
Authorizing Official or Designated Representative
Chief Information Officer
Senior Information Security Officer
Information System Security Officer
TASK 1-2
Information System Description
Describe the information system (including system boundary) and document the description in the security plan.
Information System Owner
Authorizing Official or Designated Representative
Senior Information Security Officer
Information Owner/Steward
Information System Security Officer
TASK 1-3
Information System Registration
Register the information system with appropriate organizational program/management offices.
Information System Owner
Information System Security Officer
RMF Step 2: Select Security Controls
TASK 2-1
Security Control Selection
Select the security controls for the information system and document the controls in the security plan.
Information Security Architect
Information System Owner
Authorizing Official or Designated Representative
Information Owner/Steward
Information System Security Officer
Information System Security Engineer
TASK 2-2
Common Control Identification
Identify the security controls that are provided by the organization as common controls for organizational information systems and document the controls in a security plan (or equivalent document).
Chief Information Officer or Senior Information Security Officer
Information Security Architect
Common Control Provider
Risk Executive (Function)
Authorizing Official or Designated Representative
Information System Owner
Information System Security Engineer
TASK 2-3
Monitoring Strategy
Develop a strategy for the continuous monitoring of security control effectiveness and any proposed/actual changes to the information system and its environment of operation.
Information System Owner or Common Control Provider
Risk Executive (Function)
Authorizing Official or Designated Representative
Chief Information Officer
Senior Information Security Officer
Information Owner/Steward
Information System Security Officer
TASK 2-4
Security Plan Approval
Review and approve the security plan.
Authorizing Official or Designated Representative
Risk Executive (Function)
Chief Information Officer
Senior Information Security Officer
RMF Step 3: Implement Security Controls
TASK 3-1
Security Control Implementation
Implement the security controls specified in the security plan.
Information System Owner or Common Control Provider
Information Owner/Steward
Information System Security Officer
Information System Security Engineer
TASK 3-2
Security Control Documentation
Document the security control implementation, as appropriate, in the security plan, providing a functional description of the control implementation (including planned inputs, expected behavior, and expected outputs).
Information System Owner or Common Control Provider
Information Owner/Steward
Information System Security Officer
Information System Security Engineer
RMF Step 4: Assess Security Controls
TASK 4-1
Assessment Preparation
Develop, review, and approve a plan to assess the security controls.
Security Control Assessor
Authorizing Official or Designated Representative
Chief Information Officer
Senior Information Security Officer
Information System Owner or Common Control Provider
Information Owner/Steward
Information System Security Officer
TASK 4-2
Security Control Assessment
Assess the security controls in accordance with the assessment procedures defined in the security assessment plan.
Security Control Assessor
Information System Owner or Common Control Provider
Information Owner/Steward
Information System Security Officer
TASK 4-3
Security Assessment Report
Prepare the security assessment report documenting the issues, findings, and recommendations from the security control assessment.
Security Control Assessor
Information System Owner or Common Control Provider
Information System Security Officer
RMF Step 5: Authorize Information System
TASK 5-1
Remediation Actions
Conduct initial remediation actions based on the findings and recommendations of the security assessment report.
Information System Owner or Common Control Provider
Authorizing Official or Designated Representative
Chief Information Officer
Senior Information Security Officer
Information Owner/Steward
Information System Security Officer
Information System Security Engineer
Security Control Assessor
TASK 5-2
Plan of Action and Milestones
Prepare the plan of action and milestones based on the findings and recommendations of the security assessment report excluding any remediation actions taken.
Information System Owner or Common Control Provider
Information Owner/Steward
Information System Security Officer
TASK 5-3
Security Authorization Package
Assemble the security authorization package and submit the package to the authorizing official for adjudication.
Information System Owner or Common Control Provider
Information System Security Officer
Security Control Assessor
TASK 5-4
Risk Determination
Determine the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation.
Authorizing Official or Designated Representative
Risk Executive (Function)
Senior Information Security Officer
TASK 5-5
Risk Acceptance
Determine if the risk to organizational operations, organizational assets, individuals, other organizations, or the Nation is acceptable.
Authorizing Official
Risk Executive (Function)
Authorizing Official Designated Representative
Senior Information Security Officer
RMF Step 6: Monitor Security Controls
TASK 6-1
Information System and Environment Changes
Determine the security impact of proposed or actual changes to the information system and its environment of operation.
Information System Owner or Common Control Provider
Risk Executive (Function)
Authorizing Official or Designated Representative
Senior Information Security Officer
Information Owner/Steward
Information System Security Officer
TASK 6-2
Ongoing Security Control Assessments
Assess a selected subset of the technical, management, and operational security controls employed within and inherited by the information system in accordance with the organizationdefined monitoring strategy.
Security Control Assessor
Authorizing Official or Designated Representative
Information System Owner or Common Control Provider
Information Owner/Steward
Information System Security Officer
TASK 6-3
Ongoing Remediation Actions
Conduct selected remediation actions based on the results of ongoing monitoring activities and the outstanding items in the plan of action and milestones.
Information System Owner or Common Control Provider
Authorizing Official or Designated Representative
Information Owner/Steward
Information System Security Officer
Information System Security Engineer
Security Control Assessor
TASK 6-4
Critical Updates
Update the security plan, security assessment report, and plan of action and milestones based on the results of the continuous monitoring process.
Information System Owner or Common Control Provider
Information Owner/Steward
Information System Security Officer
TASK 6-5
Security Status Reporting
Report the security status of the information system (including the effectiveness of security controls employed within and inherited by the system), to appropriate organizational officials on an ongoing basis in accordance with the organization-defined monitoring strategy.
Information System Owner or Common Control Provider
Information System Security Officer
TASK 6-6
Ongoing Risk Determination and Acceptance
Review the reported security status of the information system (including the effectiveness of security controls employed within and inherited by the system) on an ongoing basis in accordance with the monitoring strategy to determine whether the risk to organizational operations, organizational assets, individuals, other organizations, or the Nation remains acceptable.
Authorizing Official
Risk Executive (Function)
Authorizing Official Designated Representative
Senior Information Security Officer
TASK 6-7
Information System Removal and Decommissioning
Implement an information system decommissioning strategy, when needed, which executes required actions when a system is removed from service.
Information System Owner
Risk Executive (Function)
Authorizing Official Designated Representative
Senior Information Security Officer
Information Owner/Steward
Information System Security Officer


Sources