Risk Management Framework (RMF)

Policy and Procedures following the Risk Management Framework (RMF) for obtaining system authorizations.

View the Project on GitHub chaffin/RMF

RMF Controls

AC – Access Control
Procedures to facilitate the access control policy that limits information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems), and to the types of transactions and functions that authorized users are permitted to exercise.

AT – Awareness and Training
Procedures to facilitate the security awareness and training policy that ensures managers and users of National Security Systems are made aware of the information security risks associated with their activities and of the applicable laws, Executive orders, directives, policies, standards, instructions, regulations, or procedures related to the information security of National Security Systems; and ensures that personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.

AU – Audit and Accountability
Procedures to facilitate the audit and accountability control policy that creates, protects, and retains national security system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and ensures that the actions of individual information system users can be uniquely traced to those users so that they can be held accountable for their actions.

CA – Security Assessment and Authorization
Procedures to facilitate the security assessment and authorization policy that periodically assesses the security controls to determine whether the controls are effective in their application; develops and implements plans of action and milestones to correct deficiencies and reduce or eliminate vulnerabilities; authorizes the operation of national security systems and any associated system connections; and monitors information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.

CM – Configuration Management
Procedures to facilitate the configuration management policy that establishes and maintains baseline configurations and inventories of national security systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and establishes and enforces information security configuration settings for information technology products employed in national security systems.

CP – Contingency Planning
Procedures to facilitate the contingency planning policy that, when contractually required, establishes, maintains, and effectively implements plans for emergency response, backup operations, and post-disaster recovery for national security systems to ensure the availability of critical information resources and continuity of operations in emergency situations.

IA – Identification and Authentication
Policy and procedures to facilitate the identification and authentication policy that identifies system users, processes acting on behalf of users, or devices, and authenticates (or verifies) the identities of those users, processes, or devices as a prerequisite to allowing access to national security systems.

IR – Incident Response
Procedures to facilitate the incident response policy that establishes an incident handling capability for national security systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and tracks, documents, and reports incidents to appropriate officials and/or authorities.

MA – Maintenance
Procedures to facilitate the system maintenance policy that ensures periodic and timely maintenance on national security systems; and provides effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.

MP – Media Protection
Procedures to facilitate the media protection policy that protects National Security Systems (NSS) media, both paper and digital; limits access to information on NSS media to authorized users; and sanitizes or destroys NSS media before disposal or release for reuse.

PE – Physical and Environmental Protection
Procedures to facilitate the physical and environmental protection policy that limits physical access to National Security Systems (NSS), equipment, and the respective operating environments to authorized individuals; protects the physical plant and support infrastructure for NSS; provides supporting utilities for NSS; protects NSS against environmental hazards; and provides appropriate environmental controls in facilities containing NSS.

PL – Planning
Procedures to facilitate the security planning policy that describes the security controls in place or planned for the National Security Systems (NSS) and the rules of behavior for individuals accessing the NSS.

PS – Personnel Security
Procedures to facilitate the personnel security policy that ensures individuals occupying positions of responsibility within the organization (including third-party service providers) are trustworthy and meet established National Security System (NSS) criteria for those positions; ensures NSS are protected during personnel actions such as terminations and transfers; and employs formal sanctions for personnel failing to comply with information security policies and procedures.

RA – Risk Assessment
Procedures to facilitate the risk assessment control policy that is periodically used to assess the risk to Aerojet Rocketdyne operations (including mission, functions, image, or reputation), assets, and individuals resulting from the operation of National Security Systems (NSS) and the associated processing, storage, or transmission of NSS information.

SA – System and Services Acquisition
Procedures to facilitate the system and services acquisition policy that allocates sufficient resources to adequately protect National Security Systems (NSS); employs information system development life cycle processes that incorporate information security considerations; employs software usage and installation restrictions; and ensures that third-party providers employ adequate information security measures to protect information, applications, and/or services.

SC – System and Communications Protection
Procedures to facilitate the system and communications protection policy that monitors, controls, and protects National Security Systems (NSS) communications (i.e., information transmitted or received by NSS) at the external boundaries and key internal boundaries of the NSS; and employs architectural designs, software development techniques, and information systems engineering principles that promote effective information security within NSS.

SI – System and Information Integrity
Procedures to facilitate the system and information integrity policy that identifies, reports, and corrects information and information system flaws in a timely manner; provides protection from malicious code at appropriate locations within National Security Systems (NSS); and monitors information system security alerts and advisories and takes appropriate actions in response.

PM – Program Management
Information security program plans can be represented in single documents or compilations of documents at the discretion of organizations. The plans document the program management controls and organization-defined common controls.