RMF Organization Expectations: Roles and Responsibilities

Another crucial step in implementing RMF and becoming compliant is assigning the necessary managerial roles so that the implementation is carried out properly. Some of these roles play an important part in multiple steps of the implementation process, while others are only needed for one step. These roles have a multitude of different responsibilities, which are outlined below:

Head of Agency

  • Prepare Step
    • Oversee the entire risk management process
    • Designate subordinate roles such as ‘senior accountable official for risk management’, ‘senior agency official for privacy’, and ‘chief acquisition officer’
    • Promote cooperation and provide a forum for the entire organization to identify risk at the organizational level
    • Coordinate with risk executive to establish risk management strategy

Mission/Business Owner

  • Prepare Step
    • Define the mission/business functions and processes that risk management is intended to support

Enterprise Architect

  • Prepare Step
    • Implement enterprise architecture strategy for security and privacy solutions
    • Collaborate with the Authorizing Officials and System Owners to determine authorization boundaries
    • Coordinate with Security Architect and Privacy Architect on security and privacy

Security/Privacy Architect

  • Organizational (not step-specific)
    • Coordinate with management/security to allocate controls
    • Advise senior leadership on security/privacy
    • Manage enterprise architecture so that it complies with privacy and security requirements

Chief Acquisition Officer

  • Implement Step
    • Manage/monitor acquisition programs and activities
    • Establish procurement policies, procedures, and practices
    • Establish authority/responsibility for acquisition decision making

Common Control Provider

  • Select Step
    • Tailor common controls following guidance
    • Document assigned common controls to ensure they are implemented properly
    • Ensure system owners have proper security documentation associated with their common controls
    • Define continuous monitoring strategy
  • Implement Step
    • Provide safeguards for information security incidents
    • Provide an economical evaluation of the common controls to the information owner/steward
    • Implement controls defined by Information Owner/Steward
  • Assess Step
    • Select the common control assessors
      • Ensure they have proper access to common control information
    • Determine the immediate remediation actions that would be necessary based on the common control assessments
      • Determine which findings present harm to organization
      • Resolve any issues found during assessments
    • Review security/privacy assessment plans to ensure they are detailed enough
  • Authorize Step
    • Provide the system owner common control information to place in authorization package
    • Update plans for common control to reflect continuous monitoring, real-time risk management and continuous authorization
  • Monitor Step
    • Participate in the configuration management process
    • Establish/maintain ‘inventory’ of components associated with common controls
    • Continue to conduct assessments of common controls as outlined in the continuous monitoring strategy
    • Submit privacy and security reports continuously and distribute them to system owners and senior management
    • Conduct remediation activities when necessary in order to ensure continued compliance and authorization

Chief Information Officer

  • Prepare Step
    • Ensure proper security program is established for organization
      • Ensure funding is adequate
      • Designate a ‘Senior Agency Information Security Officer’
    • Based on organization-wide priorities, determine mission and business function of organization
  • Categorize Step
    • Collaborate with all system owners and information owners/stewards in the security categorization process
  • Select Step
    • Establish expectations of organization-wide controls and how the continuous monitoring process should function, in order to create consistency
    • Provide resources to system owners in process of selecting controls
    • Help choose organizational common controls
  • Assess Step
    • Help guide authorizing officials’ decisions
  • Monitor Step
    • Ensure continuous monitoring program is effective
      • Establish expectations/requirements
      • Provide funding/personnel
    • Maintain communications and relationship between organizational entities
    • Ensure systems have proper security plan, are being continuously monitored, and are authorized

Risk Executive

  • Prepare Step
    • Assess ongoing organization-wide security and privacy risk
    • Help develop continuous monitoring strategy
    • Participate in organization-wide forums to identify risk
    • Collaborate with head of agency to determine the organization-wide risk management plan
    • Identify, document, and publish organization-wide common controls

Senior Agency Information Security Officer

  • Prepare Step
    • Participate in aforementioned organization-wide forum for risk identification
    • Coordinate with the ‘Senior Agency Official for Risk Management’ and the ‘Senior Agency Official for Privacy’ to ensure coordination between the privacy and information security agencies
    • Act as liaison between organizational level risk management and system level risk management
    • Help publish organization-wide common controls
  • Categorize Step
    • Establish/implement organization-wide categorization guidance
    • Coordinate with the enterprise architecture group to integrate organizational information types into the enterprise architecture
    • Categorize organization-specific information and distribute it to information owners/system owners
    • Provide security categorization training
  • Select Step
    • Develop guidance on an organizational level for selecting controls
    • Assign common controls to individuals or agencies/organizations
    • Establish/maintain documentation of all of the organization’s common controls
    • Review/update common controls periodically
    • Disseminate organization-defined parameter values for relevant controls
    • Develop tools/checklists for control selection process and information security programs
    • Develop continuous monitoring strategy organization-wide
    • Provide training on selecting controls and implementing them
    • Lead process to select controls
  • Authorize Step
    • Recommend response actions for Authorizing Official
      • Acknowledge whether the risk of operating the system is acceptable
      • Assist with authorization package
      • Determine risk from use of system with common controls
      • Serve as liaison between Authorizing Official and Chief Information Officer
      • Serve as designated representative if needed
  • Monitor Step
    • Maintain continuous monitoring program
      • Provide training on this process
      • Support Information Owners/System Owners on how to do this
    • Develop/analyze milestones and future plans of action to ensure organizational security has minimal weaknesses

Senior Agency Official For Privacy

  • Prepare Step
    • Assign roles for privacy risk management
    • Assess organization-wide ongoing privacy risk
    • Provide input to privacy control baselines
    • Determine organization-wide privacy common controls
    • Support establishment of criteria for determining the minimum frequency for control monitoring in collaboration with organizational officials
    • Identify all stages of the information life cycle
    • Ensure compliance with privacy requirements
    • Coordinate with Senior Agency Information Security Officer on privacy and information security activities
    • Support the definition of the privacy requirements for the system and environment of operation
  • Categorize Step
    • Review and approve the security results for systems containing personal/private information before Authorizing Official review
  • Select Step
    • Designate/categorize privacy controls (either as common, system-specific, program management, or hybrid)
  • Assess Step
    • Analyze the assessments used to determine whether privacy controls have been implemented properly
    • Either conduct the assessments of privacy controls, or delegate the assessment
  • Authorize Step
    • Review authorization packages for systems containing personally identifiable information to ensure compliance with privacy requirements and to manage risk
    • Collaborate with Authorizing Official to finalize determination of risk based on authorization package
  • Monitor Step
    • Maintain privacy continuous monitoring program

Authorizing Official

  • Prepare Step
    • Determine authorization boundary of system
  • Categorize Step
    • Review/approve the security categorization and impact level assigned to each system
      • Ensure this is consistent with mission/business functions of organization
    • Coordinate with the Senior Agency Official for Risk Management or the Risk Executive to ensure the categorization of the system is consistent with the organizational risk management strategy
    • Provide guidance on any limitations that occur at the Select step
  • Select Step
    • Review Security and Privacy plans
      • Determine if they correctly identify potential risk
      • Recommend changes if insufficient
    • Approve selected controls
    • Determine the need to reauthorize the system after any events occur that may cause changes to the system’s controls
  • Assess Step
    • Define level of independence of control assessors
    • Determine independent assessors’ ability to accurately relay information regarding the security and privacy of the system
    • Determine risk to organization based on assessment results
    • Review/approve privacy and security assessment plan
      • Determine which findings are important and require attention
    • Approve use of previous assessment results
  • Authorize Step
    • Collaborate with the Senior Agency Information Security Officer and the Senior Agency Official for privacy
      • Analyze info in authorization package to determine final risk
    • Coordinate with the Chief Information Officer to ensure adequate resources for the system supporting mission and business functions
    • Analyze relevant privacy/security information during ongoing authorization
    • Review assessments and milestones compiled before authorizing
    • Implement a preferred course of action in response to the risk determination
    • Consult with Risk Executive prior to authorizing
    • Determine acceptance of risk
    • Issue authorization decision
      • Convey to system and organization owners
    • Determine the authorization termination date for systems not in ongoing authorization
    • Provide the terms and conditions for authorization decision that must be followed by the system owner or common control provider
    • Issue final authorization decision
      • Report any concerns in security/privacy to organizational officials
  • Monitor Step
    • Ensure everything in regard to risk management is maintained
    • Review security/privacy documents and reports
    • Continuously determine if risk to system is acceptable
    • Reauthorize when required

Information Owner or Steward

  • Prepare Step
    • Identify different types of information and what should be processed and stored in system
    • Coordinate with the Senior Agency Official for Privacy to identify all parts of the information life cycle for personally identifiable information
    • Coordinate with System Owners and provide input on protection needs, security and privacy requirements
  • Categorize Step
    • Assist System Owner in categorizing system based on guidelines from NIST SP 800-60 and FIPS 199
  • Select Step
    • Select controls following organizational standards, then document these decisions in the security and privacy plans
    • Determine if common controls are suitable for system
    • Determine if use restrictions are necessary for system
    • Define continuous monitoring strategy for system
    • Obtain approval for controls, use restrictions, and assurance requirements before they are implemented
    • Review controls periodically
  • Implement Step
    • Implement/verify controls to ensure the integrity of the system
      • Manage privacy risks
      • Ensure compliance with applicable privacy requirements
    • Review and approve access to system as needed
    • Coordinate exceptions for implemented controls
    • Document control implementation
    • Coordinate control assessment with development
      • Necessary to catch early weaknesses or risks
    • Use authorization package to determine if controls are adequate
    • Identify extra controls necessary if the current ones aren’t sufficient
    • Ensure system is protected from unauthorized disclosure or modification
    • Provide authority to implement controls in system
    • Inform system owners on security and privacy requirements and controls
    • Offer controls for inheritance
  • Assess Step
    • Determine what information will be assessed and how
    • Determine how an evaluation will affect information
    • Review security and privacy plans
      • Determine if findings present harm to organization
    • Select Control Assessors
      • Ensure they have proper access to system
    • Determine remediation activities based on initial control assessment findings
      • Resolve issues
    • Review the security and privacy assessment to ensure its coverage is sufficient
      • Ensure assessment proceeds as planned
      • Use previous assessment results if possible for information
    • Ensure Control Assessor provides complete assessment report
  • Authorize Step
    • Provide input to plan of action/milestone plan
    • Alongside the Common Control Provider and the Senior Agency Official for Privacy, prepare the authorization package for submission to the Authorizing Official for the final authorization decision
    • Submit authorization package to Authorizing Official for systems still undergoing authorization
      • Receive authorization decision
        • Determines whether system is authorized to operate
      • Report (to Authorizing Official) vulnerabilities in system or controls found during assessment/continuous monitoring that pose risk
      • Take system offline (if necessary) to address vulnerabilities and revise authorization package
  • Monitor Step
    • Develop and document continuous monitoring strategy
    • Participate in organization-wide configuration process
    • Establish/maintain inventory for system
    • Conduct risk assessments on any changes made to a system
    • Conduct control assessments according to the continuous monitoring strategy
    • Prepare/submit security status reports
    • Conduct remediation activities (if possible, without shutting down system) to maintain authorization
    • Update controls if events prompt a change or the system changes
    • Update security/privacy documents regularly
    • Review reports from Common Control Providers to verify common controls are adequate

System Owner

  • Prepare Step
    • Identify stakeholders with interest in system
    • Identify assets that need security/privacy protection
    • Assist in identifying systems that process personally identifiable information
    • Identify what information should be processed by system
    • Identify the risk assessment for the system
    • Define privacy and security requirements
    • Register system with organizational program
  • Categorize Step
    • Categorize the system and document the results with input from the Information Owner
    • Determine security categorizations based on security risk assessments
      • Ensure this is documented in system security plan
    • Determine impact levels for different categorizations of information with coordination from Information Owner
      • Determine overall system categorization based on this information
      • Coordinate with the Senior Accountable Official for Risk Management or the Risk Executive to select controls based on impact levels
    • Submit the categorization to the Authorizing Official
      • If this needs to be repeated, update system accordingly
    • Document characteristics of the system
      • System design and requirements documentation
      • Authorization boundary information
      • List of security and privacy requirements
      • System elements
      • The environment of operation
    • Ensure system documentation is consistent with the security categorization and the security/privacy risk assessments

System Security/Privacy Officer

  • Prepare Step
    • Coordinate with the system owner to determine the authorization boundary and information categories
    • Conduct system security and privacy risk assessments
  • Select Step
    • Assist System Owner in selecting controls
    • Assist in selecting common controls (organization-wide) to ensure they will be suitable for system
      • Review controls selected
  • Implement Step
    • Assist in determination of security level required
      • Advise the System Owner on security/privacy requirements
  • Assess Step
    • Oversee implementation of remediation plan/actions
    • Use security/privacy assessment plans to determine assessment activities
    • For low impact systems, can act as an assessor
    • Coordinate security/privacy assessment
      • Help coordinate the report for assessor
  • Monitor Step
    • Support Information Owner in security responsibilities
    • Participate in formal configuration management process

System Security/Privacy Engineer

  • Select Step
    • Describe the system and its functions, operation environments, privacy/security requirements, and information categorization
    • Review adequacy of controls
      • Assist in tailoring controls
  • Implement Step
    • Design and implement a secure system
      • Implement secure network that protects privacy
      • Provide security and privacy protection plans
    • Ensure system is compliant with security/privacy requirements and protects personally identifiable information
    • Implement security/privacy requirements for handling of data
    • Recommend solutions for privacy/security failures
    • Coordinate effective ways to implement controls
  • Assess Step
    • Verify the system protects individuals’ privacy
    • Review/analyze security/privacy assessments
      • Design remediation plan if necessary
  • Monitor Step
    • Help with continuous monitoring of system
    • Inform on the effects on privacy/security of possible changes to the system
    • Participate in configuration management process
    • Participate in activities required to make a change to system
      • Implement approved system changes

System Admin

  • Prepare Step
    • Identify assets that require protection
  • Implement Step
    • Implement controls
    • Document changes to planned control implementations while controls are being implemented

User

  • Select Step
    • Identify mission, business, or operational security requirements
    • Report any weaknesses in current system operations
  • Monitor Step
    • Identify changes to mission, business, or operational security requirements
    • Submit and justify system change requests to the Information Owner or System Owner or through the configuration management process

Control Assessor

  • Assess Step
    • Develop the assessment plans
      • Conduct assessment of controls
    • Create reports on effectiveness of security/privacy and controls
    • Reassess any changes made to system/controls
  • Monitor Step
    • Develop subsets of assessment plans to be used for different controls
    • Submit assessment plan prior to conducting assessment
    • Conduct assessments of controls
    • Update the reports continuously with the results of the continuous monitoring strategy

It is important to note that there are plenty of roles in implementing RMF, and many of them have a plethora of responsibilities, but each role does not have to be assigned to a separate person. As long as conflicting responsibilities are not combined in one person (for example, System Owner and Authorizing Official), the number of people required to properly implement and authorize RMF can be minimized.