Welcome back to the DoD Risk Management Framework video. This is Mike Redmond, getting you through everything you need to know to fully implement the Risk Management Framework within a DoD environment. In this section, we're going to deal with the Risk Management Framework roles and responsibilities.

Throughout this chapter, we will gain an understanding of how to assign the correct roles in the RMF process and perform the responsibilities associated with your RMF role, as well as be able to identify and explain the RMF roles to your colleagues. If you're studying for the (ISC)² CAP examination: management is ultimately responsible for security across the enterprise, and RMF identifies new management roles with direct responsibilities for enterprise security.

As we look at the hierarchical design of the Risk Management Framework, it starts with the head of the agency, or the CEO. Now, understanding that the DoD really doesn't have a CEO, that of course would be the President. We also have the risk executive function; we'll talk a little bit more about that later. Then come the Chief Information Officer, the information owner or steward, the Senior Information Security Officer, the Authorizing Official, the Authorizing Official Designated Representative, the Common Control Provider, the Information System Owner, the Information System Security Officer, the Information Security Architect, the Information System Security Engineer, the Security Control Assessor, as well as the Security Control Assessor Representatives and the Security Control Assessor Validators.

Starting with the head of the agency: it is generally the highest-level senior official (again, the President) that has the overall responsibility for information and information systems security, integrated with the strategic and operational processes, as well as establishing the appropriate accountability. They provide active support and oversee the monitoring aspects. You will find this exact same role within the DIACAP process. Next is the risk executive function.
This is not an individual person. It is collectively all those responsible for security within an organization. Whether it's information security, cybersecurity, physical and environmental security, or personnel security, everyone has a role to play within the risk executive function. Their job is to ensure that risk-related considerations are organization-wide as well as consistent across the organization. They will coordinate with senior leadership to provide a comprehensive approach, develop an overall risk management strategy, facilitate the sharing of risk information, and provide a forum to consider all risk sources.
Next is the Chief Information Officer. The Chief Information Officer is the one who designates the Senior Information Security Officer in the organization, oversees the creation of information security policies, ensures adequately trained personnel, assists senior officials with their security responsibilities, and allocates appropriate resources to meet those responsibilities. They are also ultimately responsible for all FISMA reporting.
Next, we have the information owner or steward. This is the individual that authorized the specific information. They may or may not be the system owner; it is okay to have two separate people, as the roles are not mutually exclusive. However, the information steward is there to provide input to the information system owner and to advise on the rules of behavior for the specific information system. A single system may in fact contain multiple information owners.

Next, the Senior Information Security Officer. This is the individual that carries out the CIO's FISMA responsibilities.
They are the primary liaison for the CIO to the organization's senior officials, and possess the professional qualifications to do so. Generally, you'll find that this individual is the one that heads the office that conducts the FISMA reporting.

That brings us to the Authorizing Official. They are the individual that formally assumes the risk and responsibility of the information system itself. They're there to oversee the budget for all requirements and are accountable for all security risks. They must be in a senior management position. Now, that does not mean that they have to be executive management. There is no requirement within the NIST guidelines that the AO needs to be a flag-level officer, just senior management, and in fact, within the DoD structure, that could be as low as a GS-14. The AO is also there to approve the security plan and the POA&M for the system. Keeping in mind that there may be multiple AOs within a single information system, the AO has the authority to delegate a representative for most all of their functions, all of them with the exception of the final authorization decision. An AODR can coordinate and conduct the day-to-day security requirements and activities for the information system and may even prepare all the final documentation for final approval.
Next, the Common Control Provider. I'm often asked, "How do I find a common control?" My answer is simple: where your administrative control ends, where you can no longer control the input or output on that system administratively, that control is being provided by a common control provider. That is how you identify the common controls versus the controls that you, as the information system owner or the information system security officer, are required to maintain.
Next, the Information System Owner. This is often identified as the program manager. They serve as the focal point for the information system itself and are responsible for the information system throughout the system development life cycle, from cradle to grave. They're there to address the operational interests of the user community for that information system and ensure compliance with information security requirements, as well as developing and maintaining the system security plan and POA&M. They also decide who has access to the system. On some occasions, they are the primary point of contact for the control assessor to remediate any identified deficiencies.
Next, the Information System Security Officer. They're there to ensure the appropriate security posture of the information system itself and serve as the principal adviser to the program manager and the AO. They are responsible for the day-to-day security operations of the system, including physical, environmental, personnel, and incident handling, as well as security training and awareness. As you can tell, this individual often must be an expert in many fields; otherwise, you would need to find multiple information system security officers to fulfill the full set of requirements. They're also there to help develop the policies and procedures for the organization's information systems and active system monitoring.

The Information Security Architect is there to adequately address security requirements in the enterprise architecture, such as reference models; serve as the liaison between the enterprise architect and the information system security engineer; and advise senior officials as to the system boundary, assessing the severity of specific deficiencies and organizing and maintaining the POA&M and risk mitigation approaches as they pertain to that individual system.
The Information System Security Engineer is part of the development team. They employ security controls and best practices. They work closely with the architect to ensure that there is no gap in total security. We often associate this with the DIACAP IAO, I understand, but looking at the pure definition of an information system security engineer, they're there to ensure that the requirements are properly integrated into information technology component products and information systems.

That brings us to the Security Control Assessor. Their primary responsibility is to conduct the system security plan assessment. They're there to conduct control assessments to ensure that the implemented controls are acting and behaving as intended for that system.
They provide an assessment of all deficiencies and recommend corrective actions. The control assessor will prepare a final Security Assessment Report, or SAR. The only requirement for the security assessor is independence. Now, to identify independence, it's a simple two-step test: they must be able to be an unbiased assessor and be able to provide an objective risk determination, and they cannot have any vested interest in the success or failure of that particular information system. If you meet these two requirements, you can be a security control assessor.

Here's a chart of all the roles and responsibilities we've just spoken about and their alignment to the Risk Management Framework process. In the next section, we will deal with the risk analysis process.