The Risk Management Framework (RMF)

1 The Risk Management Framework (RMF)

Key Players
  Decision Authorities: Element Head; Authorizing Official (AO); Designated Authorizing Official (DAO)
  Implementer & Operations Support: Information System Owner (ISO); Information System Security Officer (ISSO) / Information System Security Manager (ISSM); Common Control Provider (CCP); Information System Security Engineer (ISSE)
  Advisors to AO/DAO: Risk Executive Function (REF); Chief Information Office (CIO); Chief Information Security Officer (CISO); DAO Rep
  Assessors & Mission Data Owners: Certification Agent (CA); Delegated Certification Agent (DCA); Security Control Assessor (SCA); Information Steward / PSO

RMF Steps
  Step 1: Identify the system, its boundaries and purpose; categorize the information type; conduct an initial threat and risk assessment.
    Key Players: ISO, PSO, DAO/DAO Rep, DCA/SCA, ISSO, ISSE, ISSM
    Deliverables: Cat. Wrksht or SSP (v1), RMM
  Step 2: Select security controls; apply tailoring guidance and supplemental controls as needed based on the risk assessment.
    Key Players: ISO, AO/DAO/DAO Rep, DCA/SCA, ISSE, ISSO
    Deliverables: SSP (v2), Continuous Monitoring Strategy, RMM, SAP (draft)
  Step 3: Implement security controls; apply security configuration settings.
    Key Players: ISO, ISSO, ISSE, ISSM, PSO, SCA
    Deliverables: CTP, RMM, SSP (v3)
  Step 4: Determine security control effectiveness.
    Key Players: CA/DCA/SCA, ISSE, ISSO, ISSM, PSO
    Deliverables: CTP, SSP (v4), SAP (final), RMM, SAR
  Step 5: Determine risk to NRO operations and assets, other organizations, and the Nation; if the risk is acceptable, authorize operation.
    Key Players: AO/DAO/DAO Rep, ISO, ISSO, PSO
    Deliverables (Final): POA&M, SAR, SSP
  Step 6: Continuously track changes to the IS that may affect security controls and reassess control effectiveness.
    Key Players: ISO, CCP, PSO, ISSO, AO/DAO/DAO Rep, CA/DCA/SCA
    Deliverables: Updating

NRO Documents
  NI: NRO implementation of RMF
  IASD: NRO controls

Policy Documents
  ICD 503: IC Directive to use RMF
  CNSSP 22: High-level policy on Risk Management
  CNSSI 1253: Categorization for NSS
  NIST SP: Controls catalog
  NIST SP: RMF
  NIST SP A: Guide for assessment procedures
  NIST SP: Guide for how to do Risk Management
  NIST SP: Overall Risk Management guide
  NIST SP: Interconnection guidance
  NIST SP: Information types
  CNSSI 4009: IA Glossary
  NIST SP: Continuous Monitoring

2 The Risk Management Framework (RMF)

  A&A: Assessment and Authorization
  AO: Authorizing Official
  ATO: Authorization to Operate
  CA: Certification Agent
  CCP: Common Control Provider
  CIA: Confidentiality, Integrity, Availability
  CIAO: Composite Information Assurance Office
  CIO: Chief Information Office
  CISO: Chief Information Security Officer
  CNSSI: Committee on National Security Systems Instruction
  CTP: Certification Test Plan
  DAO: Designated Authorizing Official
  DCA: Delegated Certification Agent
  DRP: Disaster Recovery Plan
  FAT: Factory Acceptance Testing
  IA: Information Assurance
  IASD: Information Assurance Standards Document
  IATT: Interim Approval to Test
  ICD: Intelligence Community Directive
  IS: Information System
  ISA: Interconnection Security Agreement
  ISA: Information System Architect
  ISAP: Integrated Security Assessment Program
  ISO: Information System Owner
  ISSE: Information System Security Engineer
  ISSM: Information System Security Manager
  ISSO: Information System Security Officer
  IT: Information Technology
  NIST: National Institute of Standards and Technology
  POA&M: Plan of Actions and Milestones
  PSO: Program Security Officer
  REF: Risk Executive Function
  RMF: Risk Management Framework
  RMM: Risk Management Matrix
  SAISO: Senior Agency Information Security Officer
  SAP: Security Assessment Plan
  SAR: Security Assessment Report
  SAT: Site Acceptance Testing
  SCA: Security Control Assessor
  SDLC: System Development Lifecycle
  SRTM: Security Requirements Traceability Matrix
  SSP: System Security Plan
  TRR: Test Readiness Review
  TSB: Technical Security Branch

