RMF Step 6: Monitor Security Controls

Step 6 of the RMF addresses the monitoring of security controls associated with the information system or platform information technology (PIT) system (hereafter referred to as the system). The objective is to continuously monitor the security of an organization’s networks, information, and systems under organizational and system-level information security continuous monitoring (ISCM) strategies, and to respond by accepting, avoiding, mitigating, sharing, or transferring risk as situations change. Monitoring is the phase of the RMF that supports the complementary goals of Federal Information Security Modernization Act (FISMA) compliance and maintaining ongoing system security.

This content is based on NIST SP 800-37 r2, “Risk Management Framework for Information Systems and Organizations - A System Life Cycle Approach for Security and Privacy.” It also incorporates information from NIST SP 800-137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations,” which describes how to create an ISCM strategy and implement an ISCM program. The goal of an ISCM program is to detect whether the set of security controls planned, required, and deployed on a system, or inherited by the system, remains effective over time in the face of unavoidable modifications. ISCM is a method for assessing the security impacts on a system resulting from planned and unplanned changes to the hardware, software, firmware, or operating environment, and individual system-level ISCM strategies must align with the organization’s broader ISCM strategy. Authorizing Officials (AOs) must consider how ISCM will be implemented organization-wide as one of the key components of the security life cycle represented by the RMF.

ISCM activities, on their own, do not provide a comprehensive enterprise-wide risk management approach. Instead, ISCM helps AOs make risk-based decisions through continuous activity. Robust ISCM can support ongoing authorization. However, until the DoD CIO determines that the DoD ISCM program is mature and robust enough to support ongoing authorization, the DoD will continue to require reauthorization every three years.

Making the process of ISCM more cost-effective, consistent, and efficient can be accomplished through automation. NIST Special Publication 800-53—especially in the technical families of Access Control, Audit and Accountability, Identification and Authentication, and System and Communications Protection—provides many excellent candidates for automated monitoring of security controls. Real-time monitoring of security controls using automated tools can give an organization a more dynamic picture of its security status. However, even though monitoring of every security control cannot be easily automated, a comprehensive information security program must still regularly audit all implemented security controls, including management and operational controls.

RMF Step 6 consists of the following tasks:

  • System and Environment Changes

  • Ongoing Security Control Assessments

  • Ongoing Remediation Actions

  • Key Updates

  • Security Status Reporting

  • Ongoing Risk Determination and Acceptance

  • System Removal and Disposal

1. System and Environment Changes. This task is focused on identifying the security implications of planned or current system alterations. The ISO determines those implications by performing a security impact assessment, which assesses the extent to which proposed changes to the system or its environment of operation would affect the system’s security status. Security controls currently installed on the system (system-specific, hybrid, and common controls) might be affected, new vulnerabilities might be introduced, or new security controls might be required as a result of the alterations. Documenting proposed or actual changes to a system or its environment of operation, and subsequently assessing the potential impact those changes may have on the security posture, is an important aspect of security control monitoring and of maintaining the security authorization over time. If the security impact analysis shows that system changes are required or have already been implemented, the configuration control board, SISO, or SCA should be notified; after being notified, the SCA may make further decisions. Security-related changes to the system and its operating environment should only be implemented after consulting the appropriate organizational officials or entities (configuration control board, SISO, SCA). In addition, the security authorization artifacts (SP, SAR, RAR, POA&M) should be updated and revised to reflect any changes. The revised artifacts indicate whether reauthorization action by the AO/AODR is required.
Most modifications to a system or operating environment can be handled by an organization’s ISCM program, thus supporting near-real-time risk management; however, for the most critical controls, automated tools (e.g., dashboards) might be required to provide timely notifications and allow for fast responses.

2. Ongoing Security Control Assessments. Many controls must be continuously monitored to keep up with changes in the security environment. The technical, management, and operational security controls must now be assessed annually rather than quarterly. AO-approved ISCM strategies provide the framework for assessing security controls in systems. Because the frequency of monitoring depends on the criticality of the controls, the system-level ISCM strategy must be continuously evaluated and updated. It is acceptable to draw upon assessment results from one or more of the following sources:

  • Security control assessments conducted as part of a system authorization or reauthorization;

  • Ongoing monitoring activities; or

  • Testing and evaluation of the system as part of the SDLC.
3. Ongoing Remediation Actions. The results of ISCM activities, risk assessments, and outstanding POA&M items drive remediation. In addition to updating the SAR, interim reports on security controls (e.g., dashboards) are created to present findings from continuous monitoring. Remediation actions are initiated for outstanding POA&M items and for security control findings. The ISCM process may result in remediation recommendations from the SCA or ISSO. A risk assessment (either formal or informal) is used to determine whether organizational decisions should be made about continuing remediation actions. The SCA or ISSM/ISSO may reassess security controls that were modified, enhanced, or added during the ISCM process to ensure that appropriate corrective actions have been taken to eliminate weaknesses or deficiencies or to mitigate identified risks.

4. Key Updates. To complete this task, the SP, RAR, SAR, and POA&M must be updated. The ISO and common control provider ensure that security documentation, including the SP and POA&M, is updated and maintained based on the results of ISCM. The updated SP reflects any modifications to security controls based on risk mitigation activities carried out by the ISO or common control provider. The updated POA&M describes how the ISO or common control provider plans to deal with vulnerabilities discovered during security impact analysis or control monitoring. These key updates help raise awareness of the current security state of the system (and the common controls it inherits) to support near-real-time risk management. When updating critical information in SPs and POA&Ms, organizations must ensure that the original information needed for oversight, management, and auditing is not altered or destroyed. The SCA regularly updates and maintains the RAR and SAR based on the ISCM results. The RAR reflects any changes in the system’s risk posture. The SAR reflects additional assessment activities carried out to evaluate security control effectiveness in light of modifications to the security plan and deployed controls.

5. Security Status Reporting. This task consists of continuously reporting the system’s security status (including the effectiveness of security controls employed within and inherited by it) to the AO and other appropriate organizational officials. It is the responsibility of the ISO and common control provider, with the assistance of the ISSM/ISSO, to report security status. Security status may be reported in a variety of ways. The goal is economical and efficient ongoing communication with senior leaders that conveys the current security status of the system and its environment of operation, and what that status means for organizational missions and business functions.

Note: For the most critical controls (as identified in the ISCM strategy), where an immediate response or decision from the AO is required, it may be necessary to develop additional, more responsive means (e.g., ISCM dashboards) to provide and respond to updated security status information, because updating the SP, SAR, RAR, and POA&M takes longer than the ISCM strategy allows for those controls. Follow-up actions are still required to update the SP, SAR, RAR, and POA&M afterward.

6. Ongoing Risk Determination and Acceptance. The AO continuously reviews the system’s security status (including the effectiveness of security controls implemented within and inherited by the system) in accordance with the ISCM strategy to determine whether the risk to organizational operations, organizational assets, individuals, other organizations, or the nation remains acceptable. If the security status changes, the AO may change the authorization decision from an ATO to an ATO with conditions or to a DATO.

7. System Removal and Disposal. The ISO is responsible for developing a system decommissioning strategy when needed and for implementing it when the system is removed from service. All security controls addressing system removal and decommissioning must be implemented (e.g., media sanitization, configuration management and control, and component disposal or reuse). Organizational tracking and management systems (including inventory systems) should be updated to indicate the specific system components being removed from service. Users and application owners hosted on decommissioned systems should be notified where appropriate, and any security control inheritance relationships should be evaluated and assessed for impact.
