NIST SP 800-37 Quick Start Guide

NIST Risk Management Framework
Quick Start Guide

ROLES AND RESPONSIBILITIES CROSSWALK
(March 11, 2021)

RMF
NIST
NIST RMF Quick Start Guide
RISK MANAGEMENT FRAMEWORK

nist.gov/rmf Roles and Responsibilities Crosswalk


Legend:
P: Prepare (step)
C: Categorize (step)
S: Select (step)
I: Implement (step)
A: Assess (step)
R: Authorize (step)
M: Monitor (step)
ORG: Organizational (responsibility)
SYS: System (responsibility)

The crosswalk is a table with the columns ROLE | P C S I A R M | ORG SYS | RESPONSIBILITIES; each row marks, for one role, the RMF step the listed responsibilities belong to and whether they are exercised at the organization (ORG) or system (SYS) level. The ORG/SYS marks did not survive the text extraction of this copy; for the organization-level versus system-level split of a row, consult the PDF at nist.gov/rmf.

Index:
• AUTHORIZING OFFICIAL OR AUTHORIZING OFFICIAL DESIGNATED REPRESENTATIVE
• CHIEF ACQUISITION OFFICER
• CHIEF INFORMATION OFFICER
• COMMON CONTROL PROVIDER
• CONTROL ASSESSOR
• ENTERPRISE ARCHITECT
• HEAD OF AGENCY
• INFORMATION OWNER OR STEWARD (OR SYSTEM OWNER)
• MISSION OR BUSINESS OWNER
• RISK EXECUTIVE (FUNCTION) OR SENIOR ACCOUNTABLE OFFICIAL FOR RISK MANAGEMENT
• SECURITY OR PRIVACY ARCHITECT
• SENIOR AGENCY INFORMATION SECURITY OFFICER
• SENIOR AGENCY OFFICIAL FOR PRIVACY
• SYSTEM ADMINISTRATOR
• SYSTEM OWNER
• SYSTEM SECURITY OR PRIVACY ENGINEER
• SYSTEM SECURITY OR PRIVACY OFFICER
• USER

HEAD OF AGENCY
[Prepare]
• Designate a senior accountable official for risk management, senior agency official for privacy, and chief acquisition officer
• Oversee risk management process
• Provide an organization-wide forum to consider all sources of risk, and to promote collaboration and cooperation
• Institute the commitment to effectively manage security and privacy risk
• Coordinate with risk executive (function) to establish a risk management strategy

MISSION OR BUSINESS OWNER
[Prepare]
• Assist in development of organization-wide tailored control baselines and/or profiles (Task P-4 [Optional])
[Prepare]
• Define mission, business functions, and mission/business processes that the system is intended to support

ENTERPRISE ARCHITECT
[Prepare]
• Implement an enterprise architecture strategy that facilitates effective security and privacy solutions
• Collaborate with system owners and authorizing officials to facilitate authorization boundary determinations
• Coordinate with security and privacy architects on security and privacy issues
[Prepare]
• Determine placement of system within the enterprise architecture

SECURITY OR PRIVACY ARCHITECT
[Prepare]
• Liaise between the enterprise architect and the system security or privacy engineer
• Allocate controls in coordination with system owners, common control providers, and system security or privacy officers
• Advise senior leadership on a range of security and privacy issues
• Manage aspects of the enterprise architecture that protect information and systems from unauthorized system activity or behavior, that ensure compliance with privacy requirements, and that manage privacy risks to individuals associated with the processing of personally identifiable information

CHIEF ACQUISITION OFFICER
[Prepare]
• Manage and monitor the performance of acquisition programs and activities
• Establish clear lines of authority, accountability, and responsibility for acquisition decision-making
• Establish procurement policies, procedures, and practices
• Ensure that security and privacy requirements are defined in organizational procurements and acquisitions

COMMON CONTROL PROVIDER
[Select]
• Tailor and supplement the common controls following organizational guidance
• Document the assigned common controls for the organization in sufficient detail to enable a compliant implementation of the control, and maintain the documentation
• Disseminate the security documentation associated with the common controls to system owners that employ the common control in their system
• Define the continuous monitoring strategy for the common controls
[Implement]
• Provide safeguards responsible for detecting, reporting, and investigating information security incidents
• Provide an evaluation to the information owner/steward that explains the economic value of the implemented controls
• Implement the controls defined by the information owner/steward over the specified data
[Assess]
• Determine which findings, if any, present no harm to the organization
• Select control assessors based on technical expertise and level of independence
• Ensure that assessors have proper access to common control information
• Determine initial remediation actions and prioritization based on control assessment findings
• Resolve issues found during control assessments
• Review the security and privacy assessment plans to ensure appropriate assessment depth and coverage
[Authorize]
• Provide the system owner with common control information and documentation to include in the authorization package
• Update plans for common controls to provide near-real-time risk management and ongoing authorization
[Monitor]
• Develop and document a continuous monitoring strategy for their assigned common controls
• Participate in the organization's configuration management process
• Establish and maintain an inventory of components associated with the common control
• Monitor common controls
• Conduct assessments of the common controls as defined in the common control provider's continuous monitoring strategy
• Prepare and submit security and privacy posture reports at the organization-defined frequency
• Conduct remediation activities as necessary to maintain the current authorization status
• Update critical security and privacy documentation on a regular basis and distribute it to individual information owners/system owners and other senior leaders

CHIEF INFORMATION OFFICER
[Prepare]
• Ensure an effective security program is established for the organization, including establishing expectations and requirements
• Designate a Senior Agency Information Security Officer
• Ensure an appropriate level of funding and resources to support a robust security program
[Categorize]
• Determine mission and business function of the organization based on organizational priorities
• Cooperate and collaborate with system owners and the information owner or steward in the security categorization process
[Select]
• Establish expectations for the control selection and ongoing monitoring processes to provide a more consistent identification of controls throughout the organization
• Provide resources as needed to support system owners during the process of selecting controls
• Maintain organizational relationships and connections
• Participate in the selection and approval of organizational level common controls
[Assess]
• Help guide and inform authorizing official decisions regarding assessor independence
[Monitor]
• Ensure an effective continuous monitoring program is established for the organization
• Establish expectations/requirements for the organization's continuous monitoring process
• Provide funding, personnel, and other resources to support continuous monitoring
• Maintain high-level communications and working group relationships among organizational entities
• Ensure that systems are covered by an approved security plan, are authorized to operate, and are monitored throughout the system development life cycle

RISK EXECUTIVE (FUNCTION) OR SENIOR ACCOUNTABLE OFFICIAL FOR RISK MANAGEMENT
[Prepare] (Risk Executive [function])
• Assess ongoing organization-wide security and privacy risk
• Develop and implement an organization-wide strategy for continuously monitoring control effectiveness
• Provide input to the head of agency to determine the organizational risk management strategy
• Identify, document, and publish organization-wide common controls
• Develop organization-wide tailored control baselines and/or profiles (Task P-4 [Optional])
• Coordinate with the senior accountable official for risk management to prioritize organizational systems with the same impact level (Task P-6 [Optional])
• Participate in organization-wide forums to consider all types and sources of risk
[Prepare] (Senior Accountable Official for Risk Management)
• Implement a comprehensive continuous monitoring program to maintain the initial system or common control authorizations, and define security and privacy reporting requirements and recipients
• Identify, document, and publish organization-wide common controls
• Provide input to the head of agency to determine the organizational risk management strategy
• Assess ongoing organization-wide security and privacy risk
• Review, approve, and publish organization-wide tailored control baselines and/or profiles (Task P-4 [Optional])
• Align information security management processes with strategic, operational, and budgetary planning processes
• Lead the risk executive (function)
[Categorize]
• Provide oversight to the categorization process to ensure organizational risk to mission and business success is considered in decision making
• Provide an organization-wide forum to consider all sources of risk, including aggregated risk from individual systems
• Promote collaboration and cooperation among organizational entities
• Facilitate the sharing of security risk-related information among authorizing officials
• Coordinate with system owners on organizational system impact levels and system prioritization
• Coordinate with the authorizing official to ensure that the categorization decision is appropriate for the organizational risk management strategy and satisfies requirements for high value assets
[Select]
• Define the organization's risk management strategy and ensure the selection of controls is consistent with the strategy
• Promote the use of common controls to more effectively use organizational resources
• Integrate the organization's risk management strategy into the enterprise architecture
• Promote collaboration and cooperation among organizational entities
[Authorize]
• Provide input to the authorizing official on whether or not the risk of operating a system is acceptable
• Provide information to the authorizing official that is considered in the final determination of risk from either the operation or use of the system or the provision of common controls
[Monitor]
• Provide oversight to the risk management process to ensure organizational risk to mission and business success is considered in decision making
• Provide an organization-wide forum to consider all sources of risk, including aggregated risk from individual systems
• Promote collaboration and cooperation among organizational entities
• Facilitate the sharing of security risk-related information among authorizing officials

SENIOR AGENCY INFORMATION SECURITY OFFICER
[Prepare]
• Support an organization-wide forum to consider all sources of risk
• Coordinate with the senior accountable official for risk management
• Coordinate with the senior agency official for privacy to ensure coordination between the privacy and information security programs
• Serve as liaison between organization-level risk management roles and system-level risk management roles
• Identify, document, and publish organization-wide common controls
[Categorize]
• Establish and implement the organization-wide categorization guidance
• Coordinate with the enterprise architecture group to integrate organizational information types into the enterprise architecture
• Define organization-specific information types (additional to NIST SP 800-60) and distribute them to information owners/system owners
• Lead the organization-wide categorization process to ensure consistent impact levels for the organization's systems
• Acquire or develop categorization tools or templates
• Provide security categorization training
[Select]
• Develop organization-wide control selection guidance
• Assign responsibility for common controls to individuals or organizations
• Establish and maintain a catalog of the organization's common controls
• Review the common controls periodically and, when necessary, update the common control selections
• Define and disseminate organization-defined parameter values for relevant controls
• Acquire/develop and maintain tools, templates, or checklists to support the control selection process and the development of system security plans
• Develop a continuous monitoring strategy for the organization
• Provide training on selecting controls and documenting them in the security plan
• Lead the organization's process for selecting controls consistent with the organizational guidance
[Authorize]
• Recommend potential response actions to the authorizing official
• Provide input to the authorizing official on appropriate risk determinations
• Provide input to the authorizing official on whether the risk of operating a system is acceptable
• Assist with assembly of the authorization package by providing input to the system owner as needed
• Provide input to the authorizing official to determine the risk from the operation or use of the system or the provision of common controls
• Serve as liaison between the authorizing official and the chief information officer
• Serve as authorizing official designated representative if needed
[Monitor]
• Establish, implement, and maintain the organization's continuous monitoring program
• Develop organizational guidance for continuous monitoring of systems
• Develop configuration guidance for the organization's information technologies
• Consolidate and analyze plans of action and milestones to determine organizational security weaknesses and deficiencies
• Acquire/develop and maintain automated tools to support security authorization and continuous monitoring
• Provide training on the organization's continuous monitoring process
• Provide support to information owners/system owners on how to develop and implement continuous monitoring strategies for their systems

SENIOR AGENCY OFFICIAL FOR PRIVACY
[Prepare]
• Assign individuals to specific roles associated with privacy risk management, and ensure no conflict of interest in privacy risk management roles
• Assess ongoing organization-wide privacy risk
• Provide input to and review organization-wide tailored privacy control baselines (Task P-4 [Optional])
• Identify, document, and publish organization-wide common privacy controls
• Support establishment of criteria for determining the minimum frequency for control monitoring, in collaboration with organizational officials
• Identify all stages of the information life cycle
[Prepare]
• Ensure compliance with applicable privacy requirements and manage privacy risk
• Coordinate with the senior agency information security officer on privacy and information security activities
• Support the definition of the privacy requirements for the system and environment of operation
[Categorize]
• Review and approve the security categorization results and decision for systems processing personally identifiable information prior to the authorizing official's review
[Select]
• Designate which privacy controls will be treated as program management, common, system-specific, and hybrid privacy controls
[Assess]
• Identify assessment methodologies and metrics to determine whether privacy controls are implemented correctly, operating as intended, and sufficient to ensure compliance with applicable privacy requirements and manage privacy risks
• Conduct assessments of privacy controls and document results, or delegate assessment functions, consistent with applicable policies
[Authorize]
• Review authorization packages for systems processing personally identifiable information to ensure compliance with applicable privacy requirements and manage privacy risks, prior to authorizing officials making risk determination and acceptance decisions
• Collaborate with the authorizing official or designated representative to analyze the information in the authorization package provided by the control assessor, system owner, or common control provider, and finalize the determination of risk
[Monitor]
• Establish and maintain a privacy continuous monitoring program to ensure compliance with privacy requirements and manage privacy risks

AUTHORIZING OFFICIAL OR AUTHORIZING OFFICIAL DESIGNATED REPRESENTATIVE
[Categorize]
• Review and approve the security category and impact level assigned to the information types and system
• Ensure that the security category selected for the system is consistent with the mission and business functions of the organization and protects those missions and functions
• Coordinate with the senior accountable official for risk management or the risk executive (function) to ensure that the categorization decision for the system is commensurate with the organizational risk management strategy and satisfies requirements for high-value assets
• Provide guidance to the system owner on any limitations on baseline tailoring activities for the system that occur at the RMF Select step
[Select]
• Review the security and privacy plans to determine if the plans are complete, consistent, and satisfy the stated security and privacy requirements for the system
• Determine if the security and privacy plans correctly identify the potential risk to organizational operations, assets, individuals, other organizations, and the Nation, and recommend changes to the plans if insufficient
• Approve the selected set of controls, including all tailoring and supplementation decisions, any use restrictions, and the minimum assurance requirements
• Determine the need to reauthorize the system after significant events occur that may trigger changes to the system's controls
[Assess]
• Define the level of independence required for the control assessor(s)
• Determine confidence in the independent assessor's ability to provide relevant information about the security and privacy posture of the system to support risk-based decisions
• Determine risk to organizational operations and assets, individuals, and other organizations based on assessment results
• Review and approve the security and privacy assessment plan
• Decide which findings are significant and require immediate action
• Approve use of any previous assessment results
[Authorize]
• Collaborate with the senior agency information security officer and the senior agency official for privacy (for systems processing personally identifiable information) to analyze the information in the authorization package and finalize the risk determination
• Coordinate with the chief information officer to ensure adequate protection of resources for the system supporting the mission and business functions that support organization priorities
• Analyze the relevant security and privacy information provided by security/privacy personnel (or a reporting tool if utilized) to determine the current security and privacy posture of the system when in ongoing authorization
• Review assessment reports and plans of action and milestones for risk mitigation prior to authorization
• Review the information at the specific time-driven authorization frequency defined by the organization as part of the continuous monitoring strategy and determine if the risk of continued system operation or the provision of common controls remains acceptable
• Identify and implement a preferred course of action in response to the risk determination
• Consult with the senior accountable official for risk management or risk executive (function) prior to making the final authorization decision for the system or common controls
• Determine acceptance of risk; risk acceptance cannot be delegated to other officials
• Issue an authorization decision for the system or for organization-designated common controls
• Convey the authorization decision to the system owner or common control provider, and other organizational officials, as appropriate
• Determine the authorization termination date for systems not in ongoing authorization
• Provide the terms and conditions for the authorization decision, with any applicable specific limitations or restrictions placed on the operation of the system or the controls, that must be followed by the system owner or common control provider
• Issue the final authorization decision for the system
• Report the authorization decision and any deficiencies in controls that represent significant security or privacy risk to designated organization officials
[Monitor]
• Ensure the security and privacy posture of the organization's systems is maintained
• Review security and privacy posture reports and critical security documents and determine if the risk to the organization of operating the system remains acceptable
• Determine whether significant system changes require reauthorization actions for the system under their purview
• Reauthorize systems when required

AUTHORIZING OFFICIAL DESIGNATED REPRESENTATIVE
[Authorize]
• Conduct and coordinate response actions on behalf of the authorizing official, except signing of the authorization decision document (acceptance of risk)
• Serve as alternate for the authorizing official for risk determination and mitigation and authorization reporting

https://nist.gov/rmf
2021-3-11

RMF
NIST
NIST RMF Quick Start Guide
RISK MANAGEMENT FRAMEWORK

nist.gov/rmf Roles and Responsibilities Crosswalk


O S
ROLE P C S I A R M R Y RESPONSIBILITIES
G S
• Identify the types of information to be processed, stored, and transmitted by the system
• Coordinate with the senior agency official for privacy to identify all parts of the information life
X X cycle for personally identifiable information
• Coordinate with system owners and provide input on protection needs, security and privacy
requirements
• Assist the system owner to categorize the system based on FIPS 199, NIST SP 800-60, and
X X
organizational guidance
INFORMATION
OWNER OR
INDEX

(or System Owner)


STEWARD • Select, tailor, and supplement the controls following organizational guidance, documenting the
decisions in the security and privacy plans with appropriate rationale for the decisions
(continues next • Determine the suitability of common controls for use in the system
page) • Determine the need for use restrictions in the system
• Document the tailored and supplemented set of controls in the security and privacy plans in
X X
sufficient detail to enable a compliant implementation of the control
• Define the continuous monitoring strategy for the system
• Obtain approval for the tailored and supplemented controls, common controls, compensating
controls, use restrictions, and assurance requirements prior to their implementation
• Review the controls periodically and, when necessary, update the control selections
• Maintain and update the system security and privacy plans

https://nist.gov/rmf
2021-3-11

RMF
NIST
NIST RMF Quick Start Guide
RISK MANAGEMENT FRAMEWORK

nist.gov/rmf Roles and Responsibilities Crosswalk


O S
ROLE P C S I A R M R Y RESPONSIBILITIES
G S
(or system owner)
• Implement and verify controls to ensure the confidentiality, integrity and availability of the
system; manage privacy risks; and ensure compliance with applicable privacy requirements
• Provide the appropriate level of authority to implement the controls to the system
• Review and approve access to the system based on need
• Coordinate exceptions to implemented controls
• Document control implementation to allow for traceability of decisions prior to and after
deployment of the system
(continued from • Coordinate the control assessment in parallel with development to facilitate early detection of
INDEX

previous page) weak or inefficient controls


• Refer to authorization package to determine adequacy of implemented common controls
X X
INFORMATION • Identify compensating or additional controls to enhance protection levels not met by inherited
OWNER OR common controls
STEWARD • Ensure the system is protected from unauthorized disclosure, modification or deletion
• Provide the appropriate level of authority to implement the controls to the system
• Approve access, based on necessity, to the system
• Coordinate exceptions to implemented controls
• Document control implementation to allow for traceability of decisions prior to and after
deployment of the system
• Provide input to system owners regarding the security and privacy requirements and controls for
the system
• Offer controls for inheritance (as needed)

https://nist.gov/rmf
2021-3-11

RMF
NIST
NIST RMF Quick Start Guide
RISK MANAGEMENT FRAMEWORK

nist.gov/rmf Roles and Responsibilities Crosswalk


O S
ROLE P C S I A R M R Y RESPONSIBILITIES
G S
(or System Owner)
• Understand what information will be assessed and how that information will be assessed
• Understand how the information that is going to be evaluated will be affected during the
assessment
• Review the security and privacy assessment plans for consistency with the information
security and privacy requirements
• Determine which findings, if any, present no harm to the organization
(continued from
• Select control assessors based on technical expertise and level of independence
previous page)
• Ensure that assessors have proper access to the system and/or operating environment
INDEX

X X • Determine initial remediation actions and prioritization based on control assessment findings
INFORMATION
• Resolve issues found during control assessments
OWNER OR
• Review the security and privacy assessment plans to ensure appropriate assessment depth
STEWARD
and coverage
• Provide support for security and privacy assessment activities
• Ensure security and privacy assessments activities are proceeding as planned
• Determine if any previous assessments results are available and may be relevant
• Ensure that control assessments are conducted in parallel with the development/acquisition
and implementation phases of the life cycle
• Ensure that the control assessor provide a complete control assessment report

https://nist.gov/rmf
2021-3-11

RMF
NIST
NIST RMF Quick Start Guide
RISK MANAGEMENT FRAMEWORK

nist.gov/rmf Roles and Responsibilities Crosswalk


O S
ROLE P C S I A R M R Y RESPONSIBILITIES
G S
(or System Owner)
• Provide input to plan of action and milestone development for information protection
• Assemble the authorization package with common control provider and senior agency official
for privacy for submission to authorizing official for final authorization decision
• Present the authorizing official via automated reports (if applicable) the authorization
(continued from package for those systems under ongoing authorization
previous page) • Receive authorization decision from authorizing official on system operations.
Authorization decision includes whether system is authorized to operate or not via final
X X
INFORMATION authorization package.
INDEX

OWNER OR • Receive guidance from authorizing official when to conduct an authorization or re-
STEWARD authorization
• Report and track exploitable deficiencies (i.e., vulnerabilities) in the system or controls found
out during the assessment and continuous monitoring that have significant security or privacy
risk to the authorizing official
• Take system off-line to address system deficiencies and revise authorization package to
authorizing official’s satisfaction if system is issued authorization to operate.

INFORMATION OWNER OR STEWARD (or System Owner) (continued from previous page)
X X
• Develop and document a continuous monitoring strategy for their systems
• Participate in the organization’s configuration management process
• Establish and maintain an inventory of the system’s components
• Conduct risk assessments on all changes to their systems
• Conduct control assessments according to their continuous monitoring strategies
• Prepare and submit security status reports at the organization-defined frequency
• Conduct remediation activities as necessary to maintain the current authorization status
• Update the selection of controls for the system when events occur that indicate the baseline set of controls is no longer adequate to protect the system
• Update critical security and privacy documents on a regular basis
• Review reports from common control providers to verify that the common control continues to provide adequate protection for the system

SYSTEM OWNER (continues next page)
X X
• Identify stakeholders who have an interest in the system
• Identify assets that require security and privacy protection
• Determine the authorization boundary
• Assist senior agency official for privacy to identify systems that process personally identifiable information
• Identify the types of information to be processed, stored, and transmitted by the system
• Conduct a system-level risk assessment and continually update the risk assessment
• Define the protection needs and security and privacy requirements for the system
• Register the system with organizational program or management offices

SYSTEM OWNER (continued from previous page)
X X
• Categorize the system and document the results with input from the information owner or steward
• Collaborate with senior leaders and executives to ensure system categorization is based on the mission and business impacts of the organization
• Review security risk assessment results to help determine security categorization
• Coordinate with the information owner to determine impact levels for each information type and each security objective
• Determine overall system categorization based on the high water mark of information type impact levels
• Ensure security categorization is documented in the system security plan and cross-referenced in a privacy plan, if applicable
• Review impact-prioritization and coordinate with the senior accountable official for risk management or risk executive (function) in control selection and tailoring decisions
• Initiate and repeat the categorization process and submit adjusted results to the authorizing official if the initial security categorization decision is not approved
• Update system registration with approved security categorization and characterization information
• Document characteristics of the system (e.g., system design and requirements documentation; authorization boundary information; list of security and privacy requirements allocated to the system, system elements, and the environment of operation; system element information) in appropriate documentation (e.g., system security plan)
• Ensure the level of detail for system documentation is commensurate with the security categorization and the security and privacy risk assessments

SYSTEM SECURITY OR PRIVACY OFFICER
• Coordinate with the system owner to determine the authorization boundary and information types
X X
• Conduct system-level security and privacy risk assessments
• Support the system owner in selecting controls for the system
• Participate in the selection of the organization’s common controls and in determining their suitability for use in the system
X X
• Review the controls regarding their adequacy in protecting the information and system
• Assist in the determination of an appropriate level of security commensurate with the impact level
X X
• Advise the system owner regarding security and privacy requirements
• Oversee implementation of remediation action
• Review the security and privacy assessment plans to coordinate assessment activities
X X
• May act as the control assessor for low impact systems
• Coordinate security and privacy assessment activities
• Coordinate security and privacy assessment report detail with the assessor
• Support the information owner/system owner to complete security responsibilities
X X
• Participate in the formal configuration management process

SYSTEM SECURITY OR PRIVACY ENGINEER
• Provide advice in describing the system and its functions, information types, operating environments, and security and privacy requirements
X X
• Review the adequacy of the controls and their ability to protect the system and its information, manage privacy risk, and ensure compliance with applicable privacy requirements
• Assist in tailoring the controls
• Ensure the confidentiality, integrity, and availability of the system by designing and implementing a secure system
• Ensure system compliance with privacy requirements and management of the privacy risks to individuals associated with the processing of PII
X X
• Implement secure and privacy-enhancing networking and computing environments
• Provide security and privacy planning to support the system
• Implement security and privacy requirements for the proper handling of data within the system
• Recommend system-level solutions to resolve security and privacy requirements
• Coordinate the most effective way to implement common controls in organizational systems
• Verify that the system protects individuals’ privacy and against identified
• Review and analyze security and privacy assessment reports
X X
• Design remediation plan
• Verify remediation
• Provide advice on the continuous monitoring of the system
• Provide advice on the impacts of system changes to the security and privacy posture of the system
• Participate in the configuration management process
X X
• Participate in any acquisition/development activities that are required to implement a system change
• Implement approved system changes

SYSTEM ADMIN.
X X
• Identify assets that require protection
• Implement the controls in the security and privacy plans
X X
• Document changes to planned control implementations based on the “as-implemented” state of controls.

USER
• Identify mission, business, or operational security requirements
X X
• Report any weaknesses in, or new requirements for, current system operations
• Identify changes to mission, business, or operational security and privacy requirements
• Report any weaknesses in, or new requirements for, current system operations
X X
• Submit and justify system change requests to the information owner/system owner or through the organization’s formal configuration management process
CONTROL ASSESSOR (internal or independent)
• Develop security and privacy assessment plan(s)
• Conduct assessment of the controls used in and/or inherited by a system
• Create security and privacy assessment report(s) reflecting effectiveness of employed and inherited controls
X
• Reassess any weak or deficient controls that have been corrected
• Note: the senior agency official for privacy is responsible for assessing privacy controls. At the discretion of the organization, privacy controls may be assessed by an independent assessor
• Develop a security and privacy assessment plan(s) for each subset of controls that will be assessed
• Submit the security and privacy assessment plan(s) for approval prior to conducting the assessment
X
• Conduct the assessment of controls as defined in the security and privacy assessment plan(s)
• Update the security and privacy assessment report(s) on a regular basis with the continuous monitoring assessment results
