Prepare Tasks - morgan-hanrahan/Tech-Journal GitHub Wiki

Provides a summary of tasks and expected outcomes for the RMF Prepare step.

  1. Risk Management Roles - Key roles for performing RMF are identified and allocated to specific people.

  2. Risk Management Strategy - The organization establishes a risk management strategy that includes determining and expressing its level of risk tolerance.

  3. Risk Assessment - Organization - A risk assessment for the entire organization is completed, or an existing organizational risk assessment is updated.

  4. Organizationally-Tailored Control Baselines and Cybersecurity Framework Profiles - Organization-specific tailored control baselines and/or Cybersecurity Framework Profiles are established and made available.

  5. Common Control Identification - Common controls that organizational systems may inherit are identified, documented, and published.

  6. Impact-Level Prioritization - Organizational systems with similar impact levels are prioritized.

  7. Continuous Monitoring Strategy - Organization - An organization-wide strategy for monitoring control effectiveness is developed and implemented.

  8. Mission or Business Focus - The missions, business functions, and mission/business processes that the system is intended to support are identified.

  9. System Stakeholders - The stakeholders who have an interest in the system are identified.

  10. Asset Identification - Stakeholder assets are identified and prioritized.

  11. Authorization Boundary - The authorization boundary (i.e., the system) is determined.

  12. Information Types - The types of information that the system processes, stores, and transmits are identified.

  13. Information Life Cycle - For each type of information that the system processes, stores, or transmits, all phases of the information life cycle are recognized and understood.

  14. Risk Assessment - System - A system-level risk assessment is completed, or an existing risk assessment is updated.

  15. Requirements Definition - Security and privacy requirements are defined and prioritized.

  16. Enterprise Architecture - The placement of the system within the enterprise architecture is determined.

  17. Requirements Allocation - Security and privacy requirements are allocated to the system and to its environment of operation.

  18. System Registration - The system is registered for purposes of management, accountability, coordination, and oversight.