The Risk Management Framework – Part 2

In this lesson, Subject Matter Expert (SME) Kelly Handerhan discusses NIST Special Publication (SP) 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems”, that was created as part of NIST’s responsibility under FISMA to develop standards and guidelines for the requirements and process steps for the certification, accreditation, and monitoring of information systems.

Handerhan explains the use and usefulness of other NIST SP documents in the RMF process.

You will learn:

• the six Risk Management Framework (RMF) phases
• the role of the Information System Owner
• when and how to create and update the System Security Plan (SSP)
• how to develop a Plan of Actions and Milestones (POAM) to document weaknesses and vulnerabilities and to set mitigation milestones
• how to develop a Minimum Security Baseline (MSB)
• how to select and implement security control activities
• documentation requirements and methods
• contingency planning for federal agency systems’ continuity (“systems” goes beyond just computer systems)
• how to develop a Business Impact Analysis
• the three phases of continuity
• the differences between recovery and reconstitution
• rules and responsibilities of the incident response team in a contingency environment
• incident analysis and returning to an operational state
• understanding and using the “plan, do, check, act” model

THE DISCUSSION OF IMPORTANT RMF DOCUMENTS AND USING THE RMF CONTINUES IN LESSON 2.