Cybersecurity: Types of Risk and Controls in RMF

The three levels of risk relate to each other in a pyramid structure. Tier 1 is the organization level, Tier 2 is the mission/business process level, and Tier 3 is the information system level. They are interdependent because deficiencies in one tier can have an impact on another.

Security and privacy controls are assigned to one of the following types: preventative, detective and corrective. Preventative measures are put in place to avoid vulnerabilities by implementing strong procedures for risk assessment. Detective measures are responsible for identifying risks and vulnerabilities. Corrective measures provide remedies for the findings of the risk assessment and attempt to restore the system’s operation and reputation.

The System and Services Acquisition (SA) family consists of 22 controls and has only a few control enhancements. The control family is a management control. There are three baselines: low, medium and high impact. SA provides methods of securing systems, policies and procedures, and associated resources.

The Incident Response (IR) family has 10 controls and is operational. It is significant for giving organizations policies and procedures for responding to events in which risks and vulnerabilities have adversely affected the organization. It also gives cybersecurity staff methods for reporting the incidents that have taken place, which helps the organization develop stronger policies going forward.

The Maintenance controls address ongoing policies and procedures that organizations use to fix parts of the system that need to be patched or upgraded. The control family has 6 controls, which are technical, and four control enhancements. Maintenance controls give cybersecurity staff the ability to keep systems running effectively and to improve them when necessary.

The Media Protection (MP) controls address the storage, protection and use of media for a company’s system. It is a family of eight controls and is operational. These controls give cybersecurity staff methods of maintaining the integrity of media, particularly in cases where media data needs to be transported from one place to another.

Planning (PL) controls address system security planning and keeping systems secure through ongoing updates, policies and procedures. They address both security and privacy for the systems. PL has nine controls and one control enhancement. It is one of the most crucial components of RMF because it details the organization’s approach to updating its system security plan.

The Personnel Security (PS) family addresses any policy and procedure that directs human behavior in ways that reduce risk and promote security and privacy. Its eight controls are operational, and there are two control enhancements. Without PS, organizations would have no plan or direction for their staff to follow, which would make completing the RMF process and running an organization impossible.

Configuration Management (CM) addresses the policies and procedures governing a system’s configuration settings, so that parts of the system can be changed or analyzed in a controlled way. It also gives cybersecurity staff the ability to set restrictions that prevent unauthorized individuals from gaining access to areas of a system to which they are not entitled. CM has 11 controls, which are technical, and four control enhancements.

Program Management (PM) controls address the development of an information security plan and the implementation of a plan of action. They address important aspects such as critical infrastructure and risk assessment, and direct specific staff to address risk and vulnerability concerns. PM has 16 management controls that help train cybersecurity staff in methods of protecting systems from insider threats and other threat agents.

The System and Communications Protection (SC) controls address the parameters of communication for the system: who is authorized to send what type of communication to others within the organization. They provide protection against denial-of-service attacks (including distributed denial-of-service, DDoS) and other threat agents, and create an environment that promotes the confidentiality, integrity and availability of data. SC has 44 controls, which are technical, and seven control enhancements.

The Access Control family addresses who has the authorization to complete specific tasks regarding the RMF process. It gives cybersecurity staff roles and responsibilities that, when met, reduce the risk associated with any system. It is also flexible in the sense that it can change: when a staff member changes position at an organization, they may require different access to data, and the control family assists organizations in handling this process.

The Risk Assessment (RA) controls address the ability to conduct measures that give the organization the opportunity to discover what types of risk may exist for its assets, and how to reduce and mitigate them. RA controls identify risk and provide solutions for staff to implement.