
Rmf Prepare Step

8 community-sourced questions and answers. Free — no login.

Community-sourced. Answers may be wrong or out of date. Always verify with your official training portal before submitting. Not affiliated with any branch, agency, or vendor.
QUESTION 1

Prepare - Organization Level

ANSWER

STEP 0-A. At the organizational level:
- Risk management roles and the risk management strategy are defined.
- An organization-level risk assessment is also conducted.
- Organizationally-tailored control baselines and/or Cybersecurity Framework Profiles are established, and common controls are identified.
- Impact-level prioritization may occur, and an organization-wide strategy for continuously monitoring control effectiveness will be developed and implemented.

QUESTION 2

Prepare - System Level

ANSWER

STEP 0-B. At the system level:
- Mission/business focus, and assets that require protection, are identified.
- The authorization boundary is determined, and the information types to be processed, stored, and transmitted by the system are identified.
- Stages of the information life cycle are also identified for each information type.
- A system-level risk assessment is conducted and the results are updated on an ongoing basis.
- Security and privacy requirements are defined.
- Placement of the system within the enterprise architecture is determined.
- Security and privacy requirements are allocated.
- The system is registered with organizational program or management offices.

QUESTION 3

Categorize

ANSWER

STEP 1.
- Characteristics of the system are documented.
- The system is categorized (security categorization).
- Security categorization results are reviewed and approved.

QUESTION 4

Select

ANSWER

STEP 2.
- Security controls are selected.
- Controls are tailored for the system and operation environment.
- Security and privacy controls are allocated to the system and operation environment.
- Controls for the system and operation environment are documented in security and privacy plans.
- A system-level continuous monitoring strategy is developed and implemented.
- Security and privacy plans are reviewed and approved.

QUESTION 5

Implement

ANSWER

STEP 3.
- Controls in the security and privacy plans are implemented.
- Changes to planned control implementations are documented.

QUESTION 6

Assess

ANSWER

STEP 4.
- An assessor or assessment team is selected for the control assessment.
- Plans to assess implemented controls are developed, reviewed, and approved.
- Controls are assessed in accordance with the procedures described in the assessment plans.
- Assessment reports that document the findings and recommendations from the control assessments are prepared.
- Initial remediation actions on the controls are conducted, and remediated controls are reassessed.
- POA&Ms based on the findings and recommendations of the assessment reports are prepared.

QUESTION 7

Authorize

ANSWER

STEP 5.
- The authorization package is assembled and submitted to the AO for an authorization decision.
- The risk from operation or use of the system, or from provision of common controls, is analyzed and determined.
- A preferred course of action in response to the determined risk is identified and implemented.
- It is determined whether the risk from operation or use of the system, or from the provision or use of common controls, is acceptable.
- The authorization decision and any deficiencies in controls that represent significant security or privacy risk are reported.

QUESTION 8

Monitor

ANSWER

STEP 6.
- The system and its operation environment are monitored for changes that impact the security and privacy posture.
- The controls implemented within and inherited by the system are assessed in accordance with the continuous monitoring strategy.
- Risks identified from the results of ongoing monitoring activities, risk assessments, and outstanding items in POA&Ms are responded to.
- Plans, assessment reports, and POA&Ms are updated based on the results of the continuous monitoring process.
- The security and privacy posture of the system is reported to the AO and other organizational officials on an ongoing basis, in accordance with the organizational continuous monitoring strategy.
