| RMF TASKS | PRIMARY RESPONSIBILITY | SUPPORTING ROLES |
|---|---|---|
| RMF Step 1: Categorize Information System | | |
| TASK 1-1, Security Categorization: Categorize the information system and document the results of the security categorization in the security plan. | Information System Owner; Information Owner/Steward | Risk Executive (Function); Authorizing Official or Designated Representative; Chief Information Officer; Senior Information Security Officer; Information System Security Officer |
| TASK 1-2, Information System Description: Describe the information system (including system boundary) and document the description in the security plan. | Information System Owner | Authorizing Official or Designated Representative; Senior Information Security Officer; Information Owner/Steward; Information System Security Officer |
| TASK 1-3, Information System Registration: Register the information system with appropriate organizational program/management offices. | Information System Owner | Information System Security Officer |
| RMF Step 2: Select Security Controls | | |
| TASK 2-1, Security Control Selection: Select the security controls for the information system and document the controls in the security plan. | Information Security Architect; Information System Owner | Authorizing Official or Designated Representative; Information Owner/Steward; Information System Security Officer; Information System Security Engineer |
| TASK 2-2, Common Control Identification: Identify the security controls that are provided by the organization as common controls for organizational information systems and document the controls in a security plan (or equivalent document). | Chief Information Officer or Senior Information Security Officer; Information Security Architect; Common Control Provider | Risk Executive (Function); Authorizing Official or Designated Representative; Information System Owner; Information System Security Engineer |
| TASK 2-3, Monitoring Strategy: Develop a strategy for the continuous monitoring of security control effectiveness and any proposed/actual changes to the information system and its environment of operation. | Information System Owner or Common Control Provider | Risk Executive (Function); Authorizing Official or Designated Representative; Chief Information Officer; Senior Information Security Officer; Information Owner/Steward; Information System Security Officer |
| TASK 2-4, Security Plan Approval: Review and approve the security plan. | Authorizing Official or Designated Representative | Risk Executive (Function); Chief Information Officer; Senior Information Security Officer |
| RMF Step 3: Implement Security Controls | | |
| TASK 3-1, Security Control Implementation: Implement the security controls specified in the security plan. | Information System Owner or Common Control Provider | Information Owner/Steward; Information System Security Officer; Information System Security Engineer |
| TASK 3-2, Security Control Documentation: Document the security control implementation, as appropriate, in the security plan, providing a functional description of the control implementation (including planned inputs, expected behavior, and expected outputs). | Information System Owner or Common Control Provider | Information Owner/Steward; Information System Security Officer; Information System Security Engineer |
| RMF Step 4: Assess Security Controls | | |
| TASK 4-1, Assessment Preparation: Develop, review, and approve a plan to assess the security controls. | Security Control Assessor | Authorizing Official or Designated Representative; Chief Information Officer; Senior Information Security Officer; Information System Owner or Common Control Provider; Information Owner/Steward; Information System Security Officer |
| TASK 4-2, Security Control Assessment: Assess the security controls in accordance with the assessment procedures defined in the security assessment plan. | Security Control Assessor | Information System Owner or Common Control Provider; Information Owner/Steward; Information System Security Officer |
| TASK 4-3, Security Assessment Report: Prepare the security assessment report documenting the issues, findings, and recommendations from the security control assessment. | Security Control Assessor | Information System Owner or Common Control Provider; Information System Security Officer |
| RMF Step 5: Authorize Information System | | |
| TASK 5-1, Remediation Actions: Conduct initial remediation actions based on the findings and recommendations of the security assessment report. | Information System Owner or Common Control Provider | Authorizing Official or Designated Representative; Chief Information Officer; Senior Information Security Officer; Information Owner/Steward; Information System Security Officer; Information System Security Engineer; Security Control Assessor |
| TASK 5-2, Plan of Action and Milestones: Prepare the plan of action and milestones based on the findings and recommendations of the security assessment report, excluding any remediation actions taken. | Information System Owner or Common Control Provider | Information Owner/Steward; Information System Security Officer |
| TASK 5-3, Security Authorization Package: Assemble the security authorization package and submit the package to the authorizing official for adjudication. | Information System Owner or Common Control Provider | Information System Security Officer; Security Control Assessor |
| TASK 5-4, Risk Determination: Determine the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation. | Authorizing Official or Designated Representative | Risk Executive (Function); Senior Information Security Officer |
| TASK 5-5, Risk Acceptance: Determine if the risk to organizational operations, organizational assets, individuals, other organizations, or the Nation is acceptable. | Authorizing Official | Risk Executive (Function); Authorizing Official Designated Representative; Senior Information Security Officer |
| RMF Step 6: Monitor Security Controls | | |
| TASK 6-1, Information System and Environment Changes: Determine the security impact of proposed or actual changes to the information system and its environment of operation. | Information System Owner or Common Control Provider | Risk Executive (Function); Authorizing Official or Designated Representative; Senior Information Security Officer; Information Owner/Steward; Information System Security Officer |
| TASK 6-2, Ongoing Security Control Assessments: Assess a selected subset of the technical, management, and operational security controls employed within and inherited by the information system in accordance with the organization-defined monitoring strategy. | Security Control Assessor | Authorizing Official or Designated Representative; Information System Owner or Common Control Provider; Information Owner/Steward; Information System Security Officer |
| TASK 6-3, Ongoing Remediation Actions: Conduct selected remediation actions based on the results of ongoing monitoring activities and the outstanding items in the plan of action and milestones. | Information System Owner or Common Control Provider | Authorizing Official or Designated Representative; Information Owner/Steward; Information System Security Officer; Information System Security Engineer; Security Control Assessor |
| TASK 6-4, Critical Updates: Update the security plan, security assessment report, and plan of action and milestones based on the results of the continuous monitoring process. | Information System Owner or Common Control Provider | Information Owner/Steward; Information System Security Officer |
| TASK 6-5, Security Status Reporting: Report the security status of the information system (including the effectiveness of security controls employed within and inherited by the system) to appropriate organizational officials on an ongoing basis in accordance with the organization-defined monitoring strategy. | Information System Owner or Common Control Provider | Information System Security Officer |
| TASK 6-6, Ongoing Risk Determination and Acceptance: Review the reported security status of the information system (including the effectiveness of security controls employed within and inherited by the system) on an ongoing basis in accordance with the monitoring strategy to determine whether the risk to organizational operations, organizational assets, individuals, other organizations, or the Nation remains acceptable. | Authorizing Official | Risk Executive (Function); Authorizing Official Designated Representative; Senior Information Security Officer |
| TASK 6-7, Information System Removal and Decommissioning: Implement an information system decommissioning strategy, when needed, which executes required actions when a system is removed from service. | Information System Owner | Risk Executive (Function); Authorizing Official Designated Representative; Senior Information Security Officer; Information Owner/Steward; Information System Security Officer |