
Information Assurance & Risk Management Framework


Page date: 2019-04-29T20:26:40-05:00

Consultation Support for your RMF Process

What is RMF?

The Risk Management Framework (RMF) is the “common information security framework” for the federal government and its contractors. The stated goals of RMF are:

  • To improve information security
  • To strengthen risk management processes
  • To encourage reciprocity among federal agencies

Through implementation of RMF, federal agencies can achieve compliance with policy directives such as the Federal Information Security Management Act (FISMA) and Office of Management and Budget (OMB) Circular A-130. RMF effectively transforms traditional Certification and Accreditation (C&A) programs into a six-step life cycle process consisting of:

  • Categorization of information systems
  • Selection of security controls
  • Implementation of security controls
  • Assessment of security controls
  • Authorization of information systems
  • Monitoring of security controls

The National Institute of Standards and Technology (NIST), in partnership with the Joint Task Force Transformation Initiative (JTFTI), has developed a series of publications that provide detailed guidance on RMF implementation, categorization, security controls, and related topics:

  • NIST Special Publication (SP) 800-37 (Rev. 1) – contains detailed guidance on the RMF roles, responsibilities, and life cycle process
  • Federal Information Processing Standard (FIPS) Publication 199 & NIST SP 800-60 Vol. 1 and Vol. 2 – contain information on categorization of systems and data
  • FIPS 200 & NIST SP 800-53 (Rev. 4) – contain details on the security controls (requirements) for federal information systems
  • NIST SP 800-53A (Rev. 1) – contains guidance on security control assessments
  • NIST SP 800-137 – contains guidance on security control monitoring

The revisions listed above are the ones this page cites. SP 800-53A Rev. 4 (December 2014) superseded Rev. 1; SP 800-37 Rev. 2 (December 2018) superseded Rev. 1 and adds a preliminary Prepare step ahead of the six steps above; and SP 800-53 Rev. 5 (September 2020) later superseded Rev. 4. Confirm the current revision before citing a control set or assessment procedure in an authorization package.

What is eMASS?

eMASS (Enterprise Mission Assurance Support Service) is the centerpiece of an ongoing Department of Defense (DoD) effort to automate a broad range of services for comprehensive, fully integrated cybersecurity management for DoD components. eMASS facilitates robust, measurable cybersecurity program management (PM) through the following capabilities:

  • Security-process management and reporting based on compliance with security controls
  • Standardized information exchange to facilitate dynamic connection decisions
  • Workflow automation
  • Simplified management of the entire authorization process, from security authorization package submission through completion
  • Traceable systems-security engineering across the entire system-development life cycle
  • Facilitation of regulatory and cybersecurity management-reporting requirements, such as those contained in the Federal Information Security Management Act (FISMA)
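The first RMF step above, categorization, is where FIPS 199 and FIPS 200 are applied, and it is the step that determines which SP 800-53 baseline the rest of the life cycle works from. The following is an added example, not code from this page or from any NIST or DoD tool: it implements the FIPS 199 "high water mark" rule, in which each security objective of an information system takes the highest impact level assigned to that objective across the information types the system processes, and the overall impact level (which selects the LOW, MODERATE or HIGH baseline) is the highest of the three objectives. The information types, their impact levels and the system itself are constructed for illustration and are not taken from SP 800-60.

```python
"""FIPS 199 security categorization and FIPS 200 baseline selection.

Added example (not code from the original page or from any NIST tool).
Implements the FIPS 199 high water mark: each security objective
(confidentiality, integrity, availability) of an information system takes
the highest impact level assigned to that objective across all information
types the system processes, and the overall system impact level, which
selects the SP 800-53 LOW / MODERATE / HIGH baseline, is the highest of
the three objectives.
"""
from dataclasses import dataclass

# Impact levels in rank order. NA ("not applicable") is permitted by FIPS 199
# only for the confidentiality objective of an *information type* (e.g. public
# web content); it is never allowed at the information-system level.
LEVELS = ("NA", "LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """Security category of one information type (FIPS 199 section 3.1)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for objective in OBJECTIVES:
            level = getattr(self, objective)
            if level not in LEVELS:
                raise ValueError(f"{self.name}: unknown impact level {level!r}")
            if level == "NA" and objective != "confidentiality":
                raise ValueError(
                    f"{self.name}: NA is only valid for confidentiality")


def _max_level(levels):
    """Highest impact level in an iterable, ranked by position in LEVELS."""
    return max(levels, key=LEVELS.index)


def categorize_system(info_types):
    """Return {objective: level} for a system, per FIPS 199 section 3.2."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    category = {}
    for objective in OBJECTIVES:
        # High water mark across information types; floor at LOW because
        # FIPS 199 forbids NA for any objective of an information system.
        highest = _max_level(getattr(t, objective) for t in info_types)
        category[objective] = "LOW" if highest == "NA" else highest
    return category


def overall_impact(category):
    """FIPS 200: the system impact level is the highest of the three objectives."""
    return _max_level(category.values())


def format_category(category):
    """Render in FIPS 199 notation, e.g. SC system = {(confidentiality, LOW), ...}."""
    parts = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return "SC system = {" + parts + "}"


# Constructed sample: a hypothetical public-facing benefits portal. The
# information types and impact levels are illustrative, not from SP 800-60.
SAMPLE_SYSTEM = [
    InfoType("public web content", "NA", "MODERATE", "LOW"),
    InfoType("applicant PII", "MODERATE", "MODERATE", "LOW"),
    InfoType("payment instructions", "MODERATE", "MODERATE", "LOW"),
]

if __name__ == "__main__":
    cat = categorize_system(SAMPLE_SYSTEM)
    print(format_category(cat))
    print("SP 800-53 baseline:", overall_impact(cat))
```

For the constructed sample the public content contributes no confidentiality impact, the PII and payment data raise confidentiality and integrity to MODERATE, and availability stays LOW, so the system is categorized MODERATE overall and would start from the SP 800-53 moderate baseline. A system processing only public information still comes out LOW, not NA, for confidentiality, which is the point of the floor in `categorize_system`.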
