Study Guide
Executive RMF
Created By: Lorenzo Enriquez, Teaching Assistant
Module 1: NIST RMF: The Basics
Lesson 1.1: RMF Overview
Skills Learned From This Lesson: RMF Steps, RMF Roles, Integrate RMF
● RMF Steps
○ Prepare; carry out essential activities at all levels: organizational,
mission/business process, and information system
■ Manage security/privacy risk using RMF
○ Categorize System; categorize the system and information
processed/stored/transmitted based on impact analysis
○ Select Controls; initial set of baseline security controls, tailor and supplement
security baseline based on the categorization
○ Implement Controls; implement the selected security controls, deploy within
system and operational environment, include workstations, servers, databases,
websites, and custom developed code and applications
○ Assess Controls; assess the implemented security controls using determined
procedures. Ensure implementation is correct, operating as intended, and
produce desired outcome
○ Authorize System (ATO); determine whether the risk to
operations/assets/individuals/the organization posed by the system is acceptable.
Independent assessors make a recommendation based on the assessment
○ Monitor Controls; monitor security control effectiveness and document
procedures, document changes in system or environment, conduct security
impact analysis of changes, and report security state of system to appropriate
management/teams
● RMF Roles
○ Prepare; EVERYONE is part of the preparation
Brought to you by: Develop your team with the fastest growing catalog in the
cybersecurity industry. Enterprise-grade workforce development
management, advanced training features and detailed skill gap and
competency analytics.
1
○ Categorize System; ISSO, System Owner, and Technical guidance provided by
the Information System Security Team are part of this step
○ Select Controls; ISSO, System Owner, and Technical guidance provided by the
Information System Security Team are part of this step
○ Implement Controls; technical POCs, developers, system admins, and the
ISSO take part in this step
○ Assess Controls; the continuous monitoring team and an independent assessor
are responsible for this step
○ Authorize System (ATO); System owners and CIO/CISO are responsible for this
section. An Authorizing Official is usually already established
○ Monitor Controls; Continuous monitoring team and system administrators should
work with the ISSO and System Owner for monitoring
● Integrate RMF
○ Improves efficiency by adding security at the beginning of the SDLC
○ Create repeatable processes for systems
○ Adding security into project development saves money
○ Increase speed of projects and reduce additions/changes at the end of a project
Lesson 1.2: Creating a Top-Down RMF Approach
Skills Learned From This Lesson: Implement, Top-Down, Improve
● Implement
○ RMF Structure, know the steps
○ Organizational risk; is it Federal, Private Sector, Healthcare, Critical
Infrastructure, Manufacturing, or Academia?
● Implementing RMF from the executive level
○ Take time to get to know the structure
○ Talk with other leaders in the organization
○ Is there already a process in place for new systems?
○ Can RMF improve that process?
○ Who do I need to be involved in integrating RMF?
○ What systems are already online? What projects are ongoing?
● How RMF is implemented in IT projects
○ Start the RMF process at the beginning; if not, add the steps to the project schedule
○ Account for potential costs/tools/resources
○ For ongoing projects, are any teams implementing security controls/practices?
○ Are the ISSOs involved in the ongoing projects?
○ Who manages that system?
○ Planning for the future, consider what tools will be needed
○ Think about how RMF and security may fit into new projects
○ Weigh the cost of the product vs. the cost of the product plus security
○ Have a Top-Down Approach to RMF
● AI improving RMF
○ Many security software products are already leveraging AI
○ Risk management is easier with AI
○ Can adapt AI/ML results to your business and projects
○ Improve speed of projects and decision-making
Lesson 1.3: A New Step -- Preparation
Skills Learned From This Lesson: Preparation, Integrate, Prep Tasks
● Preparation Step
○ Carry out essential activities at the organization, mission and business process,
and information system levels of the enterprise to help prepare for using the RMF
○ Consider a Risk Committee
● Integrate Preparation for each step
○ Provide better link between risk management process and C-suite/governance
levels
○ Institutionalize risk management preparatory activities to improve execution of
RMF
○ Demonstrate alignment of RMF to the Cybersecurity Framework (CSF)
○ Integrate privacy risk management into RMF
○ Align life-cycle-based systems engineering tasks to RMF
○ Integrate supply chain risk management (SCRM)
● Preparation Tasks
○ Risk Management Roles (key roles)
○ Risk Management Strategy (risk tolerance)
○ Risk Assessment (organization-wide)
○ Control Baselines and CSF Profiles (optional)
○ Common Control Identification (available for inheritance)
○ Impact-Level Prioritization (optional)
○ Continuous Monitoring Strategy
Module 2: Categorize, Select and Implement
Lesson 2.1: Categorize the System (Including HVAs)
Skills Learned From This Lesson: Categorization, Tasks, HVA
● Where the Categorization step fits
○ Informs organizational risk management processes and tasks
○ Determines the adverse impact to organizational operations and assets
○ Determines the impact an adverse event has on individuals, other organizations, and
the nation with respect to the loss of confidentiality, integrity, and availability of
organizational systems
● Categorize Tasks
○ System Description; Characteristics are described and documented
○ Security Categorization; Categorization of system, including information
processed by system
○ Categorization Review and Approval; results are reviewed and decisions are
made by senior leadership
● How executive leadership can support
○ Understand what systems you have, and how to categorize them properly
○ Know which teams and leaders you should have in each sector to address these
tasks
○ Are the systems categorized so that the value of each system is properly defined?
● HVA
○ High Value Assets
○ Federal information systems, information, and data that, if compromised, impact
United States national security
○ DHS, Securing High Value Assets (2018), describes this
Lesson 2.2: Selecting Controls
Skills Learned From This Lesson: Selection, tailoring, allocating
● Selecting controls
○ Select, tailor, and document the controls necessary to protect the information
system and organization
○ Should provide a full picture of the overall risks and address them accordingly
● Selection Tasks
○ Control Selection – Top-Down Approach
○ Control Tailoring
○ Control Allocation
○ Documentation of Planned Controls
○ Continuous Monitoring Strategy -- ConMon
○ Plan Review/Approval
● Executive leadership involvement
○ Use a top-down approach
○ If you have organizational standards, it’ll be easier to address each system
individually
○ System Owners have major responsibilities
○ Make sure management involves appropriate people for each task
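A worked example, added here and not part of the study guide, tying the Categorize tasks of Lesson 2.1 (security categorization of the system and its information) to the Select tasks above (control selection, tailoring, allocation and documentation of planned controls). It assumes the FIPS 199 high-water-mark rule for categorization, which the guide does not spell out, and uses real SP 800-53 control identifiers, but the per-baseline control membership, the "Grants Portal" system and its tailoring decisions are constructed for illustration and are not the actual SP 800-53B tables.

```python
# Added example (not from the study guide): FIPS 199 categorization followed by
# baseline selection, tailoring and allocation for a constructed system.
# Control IDs are real SP 800-53 identifiers; the baseline membership below is
# a constructed, illustrative subset, NOT the real SP 800-53B content.
from dataclasses import dataclass

LEVELS = ("LOW", "MODERATE", "HIGH")
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type the system processes/stores/transmits, with its
    provisional impact level for each security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def high_water_mark(info_types):
    """FIPS 199 high-water mark: per objective, the system's impact level is
    the highest level of any information type it handles."""
    if not info_types:
        raise ValueError("a system must have at least one information type")
    cat = {obj: "LOW" for obj in OBJECTIVES}
    for it in info_types:
        for obj in OBJECTIVES:
            lvl = getattr(it, obj).upper()
            if lvl not in RANK:
                raise ValueError(f"{it.name}: invalid {obj} impact {lvl!r}")
            if RANK[lvl] > RANK[cat[obj]]:
                cat[obj] = lvl
    return cat


def overall_impact(cat):
    """Overall system impact is the highest of the three objectives; it is
    what picks the LOW/MODERATE/HIGH control baseline."""
    return max(cat.values(), key=RANK.__getitem__)


# Constructed illustrative baselines (subset; not the real SP 800-53B tables).
BASELINES = {
    "LOW": {"AC-2", "AU-2", "IA-2", "SC-7", "SI-4"},
    "MODERATE": {"AC-2", "AC-2(1)", "AU-2", "IA-2", "SC-7", "SC-7(5)", "SI-4", "PE-3"},
    "HIGH": {"AC-2", "AC-2(1)", "AC-2(2)", "AU-2", "IA-2", "SC-7", "SC-7(5)",
             "SI-4", "PE-3"},
}


def tailor(baseline, not_applicable, supplements, common_controls):
    """Tailor a baseline and allocate every remaining control.

    not_applicable:  {control: justification}; removing a control without a
                     written justification is rejected, so every tailoring
                     decision ends up documented in the plan.
    supplements:     {control: rationale}; controls added beyond the baseline.
    common_controls: {control: provider}; controls inherited from a common
                     control provider instead of implemented by the system.
    Returns (allocation, decisions).
    """
    selected = set(baseline)
    decisions = []
    for ctrl, why in not_applicable.items():
        if ctrl not in selected:
            raise ValueError(f"{ctrl} is not in the baseline; nothing to tailor out")
        if not why.strip():
            raise ValueError(f"{ctrl}: tailoring out a control requires a justification")
        selected.remove(ctrl)
        decisions.append(("REMOVED", ctrl, why))
    for ctrl, why in supplements.items():
        selected.add(ctrl)
        decisions.append(("ADDED", ctrl, why))
    allocation = {}
    for ctrl in sorted(selected):
        provider = common_controls.get(ctrl)
        allocation[ctrl] = ("common", provider) if provider else ("system-specific", None)
    return allocation, decisions


def build_control_plan(system_name, info_types, not_applicable=None,
                       supplements=None, common_controls=None):
    """Categorize (RMF step 2), then select, tailor and allocate (step 3)."""
    cat = high_water_mark(info_types)
    impact = overall_impact(cat)
    allocation, decisions = tailor(BASELINES[impact], not_applicable or {},
                                   supplements or {}, common_controls or {})
    return {"system": system_name, "categorization": cat, "impact": impact,
            "baseline": impact, "allocation": allocation, "decisions": decisions}


# Constructed sample system: a notional grants portal with two information types.
GRANTS_PORTAL = [
    InfoType("Grant application records", "MODERATE", "MODERATE", "LOW"),
    InfoType("Public program information", "LOW", "MODERATE", "LOW"),
]

if __name__ == "__main__":
    plan = build_control_plan(
        "Grants Portal", GRANTS_PORTAL,
        # Hypothetical tailoring decisions, each with its written justification.
        not_applicable={"AC-2(1)": "no local accounts; all access via enterprise IdP"},
        supplements={"AC-2(3)": "organizational policy requires disabling inactive accounts"},
        common_controls={"PE-3": "Agency data center", "AU-2": "Enterprise SIEM service"},
    )
    for key, value in plan.items():
        print(f"{key}: {value}")
```

The plan dictionary is the documentation artifact the Select step calls for: the categorization that justifies the baseline, the list of removed and added controls with their reasons, and for each control whether it is system-specific or inherited from a named common control provider.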
Lesson 2.3: Implementing Proper Controls
Skills Learned From This Lesson: Implementation, document, Inputs, Outputs
● Implementing
○ Implement the controls selected
○ Ensure the selected controls are implemented properly
● Implementation Tasks
○ Control Implementation; the controls specified in the previous step are
implemented using engineering methodologies
○ Update Implementation Information; changes to controls are documented,
security and privacy plans are updated
● Example of Implementation
○ Potential Inputs (system plans)
○ Expected Outputs (what risks will be mitigated)
○ Primary Responsibility and Supporting Roles (who does what)
○ Real-World Examples (use best practice guides)
○ Common Controls (are controls inherited and/or shared)
● Important information for execs
○ Be adaptable; things change, and sometimes controls don’t work as intended
○ Some risk assessments may point out controls that are not applicable to a
certain OS or type of device
○ Seek advice from security professionals on controls
○ A Security Liaison could make this process easier
Module 3: Assess, Authorize and Monitor
Lesson 3.1: Assessing the System
Skills Learned From This Lesson: Assessment, Tasks, documentation
● Assessment Step
○ Determine if the controls are implemented and implemented correctly
○ Determine whether the implemented controls are operating as intended
○ Determine whether the implemented controls produce the desired outcome
● Assessment Tasks
○ Assessor Selection
○ Assessment Plan
○ Control Assessments
○ Assessment Reports
○ Remediation Actions
○ Plan of Action and Milestones (POA&Ms)
● What Executives can do and need to know
○ Assessment step is a crucial step
○ Choosing the right team can make all the difference
○ Make sure technical people are performing assessments
○ Need to understand risk tolerance level for the system
○ POA&Ms should not stay open forever; set an actionable date
Lesson 3.2: Let’s Get that ATO!
Skills Learned From This Lesson: Authorization, Risk Assessment, Reporting
● Authorization Step
○ Provide organizational accountability
○ Requires senior management official to determine if the security and privacy risk
is acceptable
○ The determination reviews all the previous RMF steps before the final decision is made
○ The main goal!
● Authorization Tasks
○ Authorization Package
○ Risk Analysis and Determination
○ Risk Response
○ Authorization Decision
○ Authorization Reporting
● Executive Role
○ Authorizing (or denying) these systems can have an impact on budget/projects
○ Implementing security from the beginning of a project can save additional time at
the end of the project
○ Using RMF steps, systems can be authorized properly and securely
○ Think carefully about Risk Management/Executive groups
Lesson 3.3: Monitoring System, Controls and Changes
Skills Learned From This Lesson: Monitoring, Monitoring Strategy, ConMon, Reporting
● Monitoring Step
○ Maintain ongoing situational awareness of the security and privacy posture
of the information system and organization
○ Support risk management decisions
● Monitoring Tasks
○ System/Environment Changes
○ Ongoing Assessments
○ Ongoing Risk Response
○ Authorization Package Updates
○ Security/Privacy Reporting
○ Ongoing Authorization
○ System Disposal
● Executive roles
○ Influence the ConMon strategy at the organizational level
○ Use top-down approach
○ Understand possible impacts on the business strategy
○ Budget for potential monitoring tools or a team that may need to perform this step