September 2023
www.bluedog.net 1
Bluedog Inc. August 2023
the organization's mission, roles and responsibilities, the system's operating environment, intended use, and connections to other systems, can influence the final determination of the security impact level for the information system.

Security controls are essential safeguards or countermeasures implemented within an organizational information system to protect its confidentiality, integrity, and availability, as well as that of the information it handles. The assurance factor plays a crucial role in instilling confidence that these security controls are effective in practice. Organizations must select and tailor security controls to align with their specific security requirements and documentation. This step involves describing how each control is employed within the information system and its operational environment.

Once the controls are in place, assessing them is a critical phase that involves using appropriate assessment procedures to determine the extent to which controls are correctly implemented, functioning as intended, and producing the desired outcomes in terms of meeting security requirements. This step is instrumental in identifying any potential vulnerabilities or weaknesses in the security posture of the system.

The authorization of information system operation hinges on a comprehensive assessment of the risks posed to organizational operations, individuals, assets, other organizations, and the nation. Additionally, this step entails the use of reporting in conjunction with the Plan of Action & Milestones (POA&M) to track and manage any failed controls, ensuring remediation efforts are promptly addressed.

The final step in the RMF process involves continuous monitoring of security controls. This ongoing monitoring allows organizations to maintain the security authorization of an information system in an ever-evolving operating environment. Given the dynamic nature of threats, vulnerabilities, technologies, and mission/business processes, continuous monitoring is crucial for staying ahead of potential security incidents. While automated support tools are not mandatory, they can enhance risk management by enabling near real-time monitoring and providing standardized reporting for Authorization to Operate (ATO) status. Automated tools help identify configuration drift and other security concerns associated with unexpected changes in core components and their configurations.

Incorporating these steps into an organization's risk management practices ensures a comprehensive approach to information security and risk mitigation. This framework not only helps protect sensitive data but also supports the organization's compliance with regulatory requirements and its commitment to safeguarding the confidentiality, integrity, and availability of information systems and data. Focusing on risk allows organizations to address the diversity of components, systems, and custom environments rather than applying a one-size-fits-all solution.
Learn More
For reference, see NIST Special Publications 800-53A, 800-53, and 800-137; NISTIR 8011; and NISTIR 8212. Contact us to find out how Bluedog's consulting services can help improve security and process controls to drive the success of your organization — visit www.Bluedog.net