What is Prepare?
This is the first RMF step where the organization establishes the context and groundwork for managing security and privacy risk.
What is RA-05?
What is RA-05 (Vulnerability Monitoring and Scanning)?
This control focuses on vulnerability monitoring and scanning to identify security weaknesses within a system.
What is an SSP (System Security Plan)?
What is a document that describes how security controls are implemented within a system.
What is SaaS (Software as a Service)?
In this cloud service model, the provider manages the application, platform, and infrastructure, and users simply access the software through a web browser.
What does ISCP stand for?
What is Information System Contingency Plan?
What is Categorize?
During this RMF step, the system is assigned a security categorization based on the potential impact to confidentiality, integrity, and availability.
What is IA?
What is IA (Identification and Authentication)?
This control family is responsible for ensuring users are properly identified and authenticated before accessing a system.
What is a POA&M (Plan of Action and Milestones)?
What is a document that is used to track security weaknesses until they have been remediated and verified.
What is PaaS (Platform as a Service)?
In this cloud service model, the provider manages the infrastructure and platform, while the customer manages their applications and data.
What does BIA stand for?
What is Business Impact Analysis?
What is Select?
During this RMF step, security and privacy controls are chosen based on the system’s categorization and risk requirements.
What is CM-02?
What is Baseline Configuration?
This control requires organizations to establish, document, and maintain a current baseline configuration for the system.
What is a SAR (Security Assessment Report)?
What is a document that contains the results of a security control assessment and identifies findings and weaknesses.
What is IaaS (Infrastructure as a Service)?
In this cloud service model, the provider supplies virtual servers, storage, and networking, while the customer manages the operating system and applications.
Who is the CO?
Who is the Certifying Official?
What is Assess?
During this RMF step, assessors determine whether security controls are implemented correctly, operating as intended, and producing the desired outcome.
What is AU-06?
What is Audit Record Review, Analysis, and Reporting?
This control requires organizations to review and analyze audit records for indications of inappropriate or unusual activity.
What is an IRP (Incident Response Plan)?
What is a document that outlines the actions an organization will take to respond to cybersecurity incidents.
What is a Virtual Desktop?
This type of desktop runs on a remote server or cloud environment and is accessed from another device over a network.
Who is the AO?
Who is the Authorizing Official?
What is Authorize?
This RMF step involves the Authorizing Official reviewing the SSP, SAR, and POA&M to determine whether the system’s risk is acceptable for operation.
What is SI-02?
What is Flaw Remediation?
An organization applies security patches after vulnerabilities are discovered during a scan. This control governs the remediation process.
What is a PIA (Privacy Impact Assessment)?
What is a document that evaluates how a system collects, maintains, uses, and disseminates personally identifiable information (PII).
What is Microsoft Azure?
This cloud provider offers services such as Azure Virtual Machines, Azure SQL, and Azure App Services.
What does SAR stand for?
What is a Security Assessment Report?