If you work in an industry that uses the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF), then you understand the amount of work and resources it takes to implement and manage. RMF is designed to help manage risk throughout the System Development Lifecycle (SDLC) through system categorization, security control selection, secure engineering principles for implementation, control assessment, authorization, and continuous monitoring.
Let's talk about project management inside of RMF. When I explain the full Level of Effort (LOE) for managing RMF for a system or enclave, system owners are often surprised. I explain that many roles perform many activities throughout the SDLC to ensure RMF is implemented correctly and on time. I've seen too many issues caused by poor project management:
- Missed deadlines
- Quick scripts written to populate answers for security controls (which usually fail because they had no quality assurance)
- Security Control Assessors (SCAs) receiving a request for a last-minute assessment two days before an authorization expires
- Authorizing Officials (AOs) with inadequate information to make a final risk decision
- Short-term authorization decisions giving system owners six months or less to come back with a new authorization package
It's a good idea to have a project manager, or a cybersecurity professional with project management experience, to help ensure the above does not happen. Security professionals may join the project manager's team and ensure that critical RMF tasks are documented in the SDLC project schedule, so that important milestones are met on time and any issues that arise can be resolved before they further impact cost, schedule, and resources. The following items should be integrated into the SDLC schedule:
- System categorization should be completed early in the design phase
- Control selection should have a first draft before the system requirements review
  - The System Security Plan (SSP) should be completed at this stage
- Final control tailoring should be complete before the preliminary design review
  - The SSP should be finalized and sent to the SCA and AO for approval
- Control implementation should be complete before testing/assessment
  - Depending on the categorization of the system, the LOE for this step can be quite large
  - Some high categorizations may contain over 500 security controls
  - The implementation phase is where each of these security controls must be answered: how and when it is implemented
- System owners should request a control assessment from an independent assessor several months in advance
  - This ensures the SCA has time to plan accordingly
  - Planning will include several meetings to coordinate logistics, key personnel, locations, etc.
- Control assessment should be planned to start before final testing begins
  - After the SCA conducts interviews, technical scans, and observations, it may take 30 days or more to complete the final reports
  - The SCA submits the assessment reports to the system owner for review and prepares to submit the final risk assessment to the AO
- The AO will schedule a meeting with the SCA and the system owner to review the final reports and issue a risk decision
  - The system owner needs a final decision before the system is deployed to the production environment
  - It is critical to pad this activity with a few weeks for the AO's team to review the authorization package and final reports
Integrating the RMF tasks and steps into the project management schedule is key to reducing the impact on cost, schedule, and resources and to obtaining longer-duration authorizations.