Policy and Procedures following the Risk Management Framework (RMF) for obtaining system authorizations.
In agreement to provide and maintain a system of security controls in accordance with the requirements of the National Industrial Security Program Operating Manual (NISPOM)[1], [The Facility] implements procedures to facilitate a security assessment and authorization policy that periodically assesses the security controls to determine whether they are effective in their application; develops and implements plans of action & milestones to correct deficiencies and reduce or eliminate vulnerabilities; authorizes the operation of national security systems and any associated system connections; and monitors information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.[2]
◊ CA0100
◊ CA0200
◊ CA0201
◊ CA0300
◊ CA0305
◊ CA0500
◊ CA0600
◊ CA0700
◊ CA0701
◊ CA0900
[1] DoD Form 441, Department of Defense Security Agreement.
[2] The Common Control Provider (CCP) for facilities, even enterprise facilities, under the NISP is able to address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance in a single policy for minus (-1) controls.