[Figure: the six-step NIST Risk Management Framework cycle: Categorize, Select, Implement, Assess, Authorize, Monitor]
“The ultimate objective is to achieve a state of ongoing authorization where the authorizing official maintains sufficient knowledge of the current security state of the information system (including the effectiveness of the security controls employed within and inherited by the system) to determine whether continued operation is acceptable based on ongoing risk determinations, and if not, which step or steps in the Risk Management Framework needs to be re-executed in order to adequately mitigate the additional risk.”
– NIST SP 800-37 Rev 1
• Any time there is a change to the system, there is a change to the risk to that system.
• Is the change material?
[Figure: change management flow: Identify Change, Evaluate, Request Decision, Implement, Monitor, Evaluate change in risk]
[Figure: Continuous Risk Management, with its inputs: Control Failure, Assessment Results, Incidents, System Changes, Industry Advisories, Business Objective Change]
Source: NIST SP 800-53 Rev 4, pg 24
[Figure: NIST RMF six-step cycle (Categorize, Select, Implement, Assess, Authorize, Monitor); the tasks of each step are listed below]
Step 1, Categorize
TASK 1-1 Security Categorization
TASK 1-2 Information System Description
TASK 1-3 Information System Registration
Step 2, Select
TASK 2-1 Common Control Identification
TASK 2-2 Security Control Selection
TASK 2-3 Monitoring Strategy
TASK 2-4 Security Plan Approval
Step 3, Implement
TASK 3-1 Security Control Implementation
TASK 3-2 Security Control Documentation
Step 4, Assess
TASK 4-1 Assessment Preparation
TASK 4-2 Security Control Assessment
TASK 4-3 Security Assessment Report
TASK 4-4 Remediation Actions
Step 5, Authorize
TASK 5-1 Plan of Action and Milestones
TASK 5-2 Security Authorization Package
TASK 5-3 Risk Determination
TASK 5-4 Risk Acceptance
Step 6, Monitor
TASK 6-1 Information System and Environment Changes
TASK 6-2 Ongoing Security Control Assessments
TASK 6-3 Ongoing Remediation Actions
TASK 6-4 Key Updates
TASK 6-5 Security Status Reporting
TASK 6-6 Ongoing Risk Determination and Acceptance
TASK 6-7 Information System Removal and Decommissioning

Understanding the Risk Management Framework & (ISC)2 CAP Module 11: Monitor