RMF To-Do List
RMF Tasks|Status (done/not done)|Discuss how you determined the status of each task. Consider the following: If done, is it complete? Where is it located? If not done, what are the recommendations for completing? Where should the results be saved?|External documents needed for task|
RMF Step 1: Categorize Information Systems|
1.1 Security Categorization: Using either FIPS 199 or CNSS 1253, categorize the information system. The completed categorization should be included in the security plan.|Not done|As highlighted in the risk assessment, no security plan has been completed (p. 18). Add the security categorization information to the security plan. The security categorization that was completed in the risk assessment can be included in the security plan. The full categorization can be found on pp. 14-16. The categorization done in the risk analysis is based on FIPS 199.|FIPS 199 for non-national security systems, CNSS 1253 for national security systems|
1.2 Information System Description: Is a description of the information system included in the security plan?||||
1.3 Information System Registration: Identify offices that the information system should be registered with. These can be organizational or management offices.||||
RMF Step 2: Select Security Controls|
2.1 Common Control Identification: Describe common security controls in place in the organization. Are the controls included in the security plan?||||
2.2 Security Control Selection: Are selected security controls for the information system documented in the security plan?||||
2.3 Monitoring Strategy: What security control monitoring strategies should be used to protect the information system and its environment of operation?||||
2.4 Security Plan Approval: Has the security plan been reviewed and approved?||||
RMF Step 3: Implement Security Controls|
3.1 Security Control Implementation: Have the security