top of page

Project Management inside Risk Management Framework (RMF)

Updated: Apr 21, 2023

If you working in an industry that uses the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF), then you understand the amount of work and resources it takes to implement and manage. RMF is designed to help manage risks throughout the System Development Lifecycle (SDLC) using system categorization, security control selection, secure engineering principles for implementation, control assessment, authorization, and continuous monitoring.

Let's talk about project management inside of RMF. Often when I explain the entire Level of Effort (LOE) for managing RMF for a system or enclave, system owners are surprised. I explain that there are many roles performing many activities throughout an SDLC to ensure RMF is implemented correctly and timely. I've seen too many issues related to poor project management:

  • Missed deadlines

  • Quick scripts written to populate answers for security controls (which usually fail because they didn't have quality assurance)

  • Security Control Assessors (SCAs) receive requests two days before an authorization expires beginning for a last minute assessment

  • Authorizing Officials (AOs) with inadequate information to make a final decision on risk

  • Short term authorization on decisions giving the system owners six months or less to come back with a new authorization package

It's a good idea to have a project manager or a cybersecurity professional with project management experience to help ensure the above does not happen. Security professionals may join the project manager's team and ensure that critical RMF tasks are documented into the SDLC project schedule to ensure important milestones are met on time and any issues that arise can be resolved before impacting cost, schedule, and resources any further. The following are items that should be integrated into the SDLC schedule:

  • System categorization should be completed early in the design phase

  • Control selection should have a first draft before system requirements review

    • The System Security Plan (SSP) should be completed at this stage

  • Final control tailoring should be complete before the preliminary design review

    • The SSP should be finalized and sent to the SCA & AO for approval

  • Control implementation should be implemented before testing/assessment

    • Depending on the categorization of the system, the LOE for this step can be quite large

    • Some high categorizations may contain over 500 security controls

    • During the implementation phase is where these security controls will need to be answered how and when they are implemented

  • System Owners should request a control assessment from an independent assessor several months in advance

    • Ensures the SCA has time to plan accordingly

    • Planning will include several meetings to coordinate logistics, key personnel, locations, etc.

  • Control assessment should plan to start before final testing begins

    • After the SCA conducts interviews, technical scans, and observations, it may take 30 days or more to complete their final reports

  • SCA submit assessment reports to the system owner for review and prepare to submit final risk assessments to the AO

  • The AO will schedule a meeting with the SCA and the system owner to review the final reports and issue a risk decision

    • The system owner needs a final decision before they system is deployed to the production environment

    • It is critical to pad this activity with a few weeks for the AO's team to review the authorization package and final reports

Integrating the RMF tasks/steps into the project management schedule is key to ensuring less impact to cost, schedule and resources and longer duration authorizations.

27 views0 comments

Recent Posts

See All


bottom of page