
abell442
StrategyfortheImplementation2.docx

Strategy for the Implementation

The implementation strategy is to follow the steps outlined in NIST SP 800-37. These steps are a tested and accepted process for implementing the Risk Management Framework (RMF). Additionally, it was decided that the implementation would take place on a model information system. Implementing the entire RMF on an actual organization's system would not have been feasible because of the possible impact on business productivity. A mock network was judged to be the least disruptive option: no scheduled downtime is required to implement controls, and no adverse effects can prevent the organization from functioning correctly. Finally, this was the best strategy because using an actual federal information system could have restricted how much information would be publicly releasable. Since the project contains no detailed configuration items beyond industry best practice, it can be presented to the public.

Phases of the Rollout

The phases of the rollout are defined in the NIST documentation as the six steps of the Risk Management Framework. The first three steps are categorization of the information system, selection of the security controls, and implementation of the selected controls. These three steps are the actual implementation and are considered the hands-on part of the rollout. Step four is the testing stage, defined as the assessment of the security controls; it validates that the controls were implemented as intended and that they are effective. The acceptance stage is step five, the authorization of the information system: once the controls have been validated, the authorizing official approves the operation of the system. Finally, the last step of RMF is the monitoring of the security controls. As the system operates normally, changes are inevitable: new features will be added or modified, and new threats may be uncovered. The monitoring step ensures the long-term security of the system.

Implementation of Risk Management Framework under Federally Compliant Standards 26

Details of the Go-Live

The project is considered fully implemented once the authorization to operate (ATO) has been received, as detailed in step five of NIST SP 800-37. The four prior steps cover the selection, implementation, and validation of the risk management controls. In the fifth step the authorizing official verifies the accuracy and completeness of the control implementation and validates that the system is compliant. Using that authority, the official grants the system its authorization (historically termed accreditation), which must then be maintained through the continuous monitoring of step six.

Dependencies

Each step of the RMF implementation depends on the steps before it. Before the first step can be completed, the system must be designed, with the configuration details finalized for its intended running state. Once the system is specified and designed, it can be categorized, and step two, selection of the controls, may commence. When selection is complete, steps three and four, the implementation and assessment of the controls, may begin. Finally, steps five and six, the authorization approval and continuous monitoring, follow. The system must receive its authorization before continuous validation of the controls begins, and any subsequent changes are then processed through the same six steps.