RMF Authorize

NIST Risk Management Framework

RMF Authorize

This is the series of articles to use as a study guide for the (ISC)2 CGRC exam. In this article, we will discuss the Authorize steps in the Risk Management Framework.

Authorize Tasks

• R-1 – Authorization Package
• R-2 – Risk Analysis and Determination
• R-3 – Risk Response
• R-4 – Authorization Decision

• R-5 – Authorization Reporting

• 800-37
• 800-39 Managing Information Security Risk
• OMB Circular A-130 – Managing Information as a Strategic Resource

Authorize Task Details

• R-1 – Authorization Package
  • Input – security and privacy plans, assessment reports, plan of action and milestones, supporting assessment evidence or other documentation.
  • Output – Authorization package
  • Primary role – CCP and SO and AO
  • Related tasks – S6, I2, A4, A6
  • SDLC – implementation/assessment
  • Package includes: Executive summary and inputs above
• R-2 – Risk Analysis and Determination
  • Input – authorization package, supporting assessment evidence, information provided by senior accountable official for risk management or risk executive
  • Output – risk determination
  • Primary role – AO or AODR
  • Related tasks – P2, P8, P3, P14, I2, A4, A6
  • SDLC – implementation/assessment
• R-3 – Risk Response
  • Input – authorization package, risk determination, org and system level risk assessment results
  • Output – risk responses for determined risks
  • Primary role – AO or AODR
  • Related tasks – P2, P8, P3, P14, R2
  • SDLC – implementation/assessment
  • Primary response types: acceptance, avoidance, mitigation, sharing/transfer
    • Risk response is NEVER to ignore
    • Risk mitigation changes the risk factor by reducing or eliminating:
    • Likelihood of a threat exploiting a vulnerability
    • Impact of a threat successfully exploiting a vulnerability
    • Exposure of a vulnerability to a threat
    • Risk factors: threat, vulnerability, likelihood, and impact
• R-4 – Authorization Decision
  • Input – risk responses for determined risks
  • Output – authorization to operate, authorization to use, common control authorization, or denial of each of these.
  • Primary role – AO only
  • Related tasks – P2, R2, R3
  • SDLC – implementation/assessment
  • Authorization decision details: T&C, auth termination date or time-driven reauth frequency, events that trigger review of authorization, system impact level
  • Type authorization – common version of a system
  • Facility authorization – controls for a defined environment
• R-5 – Authorization Reporting
  • Input – authorization decision
  • Output – report with authorization decision, annotations of authorization status
  • Primary role – AO or AO DR
  • Related tasks – P18, R4
  • SDLC – implementation/assessment

Twitter  facebook  Email