
NAVY AUTHORIZING OFFICIAL AND SECURITY CONTROL ASSESSOR
RISK MANAGEMENT FRAMEWORK TRAINING

Module 4: RMF Step 2 Select Security Controls
Version 1.1

UNCLASSIFIED 1
 U.S. FLEET CYBER COMMAND / U.S. TENTH FLEET 
Training Plan

Twenty Modules = Eight Sessions

Session A - Process
  Module 1: RMF Overview
  Module 2: RMF Process Flow Overview

Session B - Transition
  Module 1: RMF Overview
  Module 9: Difference Between DIACAP & RMF
  Module 10: Authorization Options
  Additional Brief: Office of Financial Mgmt. Audit & RMF

Session C – Migration
  Module 20: RMF in eMASS
  Module 21: DIACAP to RMF Migration
  Module 22: Migration Tool
  Module 23: Changing CIA

Session D – Step 1
  Module 3: RMF Step 1 Categorization
  Module 11: Navy Qualified Validator Program Overview
  Module 24: eMASS Registration

Session E - RMF Step 2
  Module 4: RMF Step 2 Select Security Controls
  Module 25: eMASS RMF Implementation Plan
  Module 26: Org Assigned Values

Session F – RMF Step 3
  Module 5: RMF Step 3 Implement Security Controls
  Module 27: eMASS Risk Assessment

Session G – RMF Step 4
  Module 6: RMF Step 4 Assess Security Controls

Session H – RMF Step 5/6
  Module 7: RMF Step 5 Authorize System
  Module 8: RMF Step 6 Monitor Security Controls

Objective

• In this training module we will cover the following topics:
• The Department of Defense (DoD) Risk Management Framework (RMF) Step 2 Process
– RMF Step 2 Roles & Responsibilities
– RMF Step 2 Select Controls Process Breakdown
– ISCM Strategy Initiation
– Develop SAP
– RMF Step 2 Review and Checkpoint Process
– ECH II Triage Checklist
– Step 2 Concurrence Form

DoD RMF Process

Process Changes

DIACAP                                      | RMF
--------------------------------------------|--------------------------------------------------
Initiate & Plan IA C&A                      | Categorization: Security Objectives
Mission Assurance Category (MAC)            | Confidentiality (C)
Confidentiality Level (CL)                  | Integrity (I)
                                            | Availability (A)
IA Control Selection                        | Security Control Selection
IA Controls determined based on MAC/CL      | Security Controls determined by Impact Codes
Augment IA Controls                         | Overlays to complement/refine security control baselines
Completed by Validator                      | Determined by PM w/out NQV
Many requirements to one control            | More controls with single requirements
IATO                                        | ATO With Conditions
IATT – Issued without CD                    | IATT – Requires SAR
Roles & Responsibilities                    | Roles & Responsibilities
Validator: Completed tasking for PM & ISSM  | Validator: SCA "Trusted Agent"
User Representative - Consulted             | Information Owner – Active Participant
Optional DIP Concurrence                    | Mandatory Step 2 Checkpoint
Mandatory Activity 3 Collaboration          | Mandatory Step 5 Checkpoint
Static Package Artifacts after C&A          | Information System Continuous Monitoring (ISCM)
Terminology Changes

DIACAP                                          | RMF
------------------------------------------------|------------------------------------------------
Certification and Accreditation (C&A)           | Assess and Authorize (A&A)
Designated Approving Authority (DAA)            | Authorizing Official (AO)
Action Officer (AO)                             | Cyber Security Analyst (CSA)
Navy Certifying Authority (CA)                  | Security Control Assessor (SCA)
CA Liaison                                      | SCA Liaison
Fully Qualified Navy Validator (FQNV)           | Validator/Navy Qualified Validator (NQV)
Information Assurance Manager (IAM)             | Information System Security Manager (ISSM)
Collaboration                                   | Checkpoint
DIP Concurrence (Optional)                      | Step 2 Concurrence (Now Required)
DIACAP Package                                  | Security Authorization Package (No Acronym)
C&A Plan/System Identification Profile (SIP)    | Security Plan (SP)
Scorecard                                       | Authorization Decision Document
Test Plan                                       | Security Assessment Plan (SAP)
Raw test results                                | Risk Assessment Report (RAR)
Certification Determination (CD)                | Security Assessment Report (SAR)
Validation Procedures (VP)                      | Assessment Procedures (AP)

Navy RMF Workflow

Roles and Responsibilities

RMF Step 2: Select Security Controls and ISCM Strategy

1 - Security Controls:
  R – ISSE
  A – PM/ISO
  S – ECH II, ISSM, UR
  C – SCA, SCA Liaison, NQV, AO, AO CSA
  I – None Identified

2 - Document Controls:
  R – ISSM
  A – PM/ISO
  S – ECH II, ISSE
  C – SCA, SCA Liaison, NQV, AO, AO CSA
  I – None Identified

3 - ISCM Strategy:
  R – PM/ISO, ISSM
  A – PM/ISO
  S – ECH II, ISSE
  C – SCA, SCA Liaison, NQV, AO, AO CSA
  I – None Identified

4 - SAP:
  R – NQV
  A – SCA
  S – ISSE, ISSM
  C – PM/ISO, ECH II, SCA Liaison, AO, AO CSA
  I – None Identified

5 - RMF Step 2 Checkpoint:
  R – ECH II
  A – PM/ISO
  S – ISSE, ISSM, SCA Liaison, NQV, AO CSA
  C – SCA, AO
  I – None Identified

6 - RMF Step 2 Approval:
  R – AO CSA, AO
  A – AO
  S – ECH II
  C – SCA
  I – PM/ISO, ISSE, ISSM, SCA Liaison, NQV

(R) Responsible (A) Accountable (S) Supporting (C) Consult (I) Informed

Select Baseline Security Controls

• Selected based on the results of categorization
– Coordinated effort between ISSE and PM/ISO
– The ISSM and Echelon II provide support
– AO CSA, validator, and SCA Liaison provide consultation and approval
• Navy Control Selection Form
– Optional tool to assist in the selection process
– Final security control selection is entered into eMASS
• Security Category (SC) = based on CIA high water mark
SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}

[Figure: process flow – Initiate Security Plan → Select Baseline Security Controls → Tailor Security Controls]

Baseline Controls Cont.
• NIST SP 800-53 Rev 4 - Security Control Source
– Contains 958 Security Controls and Control Enhancements
– H/H/H Baseline contains 478 Security Controls and Enhancements
– All other baselines contain fewer than 478
– Non-baseline controls are added during tailoring if applicable
• CNSSI 1253 - Security Control Baseline Source
– All DoD systems will be treated as NSS for the purposes of establishing security control baselines as a common reference point
• Transition Note:
– Due to noted inconsistencies between the DoD RMF Knowledge Service (KS), NIST SP 800-53 Rev 4, CNSSI 1253 and eMASS, it is recommended that the KS Security Control Explorer be used to generate the baseline control spreadsheet for manual validation and eMASS entry.
– The DoD RMF KS is considered the authoritative source

Security Control Baseline Distribution

Numerical Breakdown of Baseline Controls (RMF KS Security Control Explorer)

Each panel fixes one security objective (rows) and lists the count of baseline controls and
enhancements for the five combinations of the other two objectives (columns).

Confidentiality   |  I:  H    M    M    M    L
                  |  A:  H    H    M    L    L
  High            |      478  463  440  418  393
  Moderate        |      475  446  403  381  356
  Low             |      469  440  397  375  310

Integrity         |  A:  H    M    M    M    L
                  |  C:  H    H    M    L    L
  High            |      478  457  454  432  426
  Moderate        |      463  440  403  397  375
  Low             |      443  420  383  397  310

Availability      |  C:  H    M    M    M    L
                  |  I:  H    H    M    L    L
  High            |      478  475  446  426  397
  Moderate        |      457  454  403  383  354
  Low             |      435  432  381  375  310
Security Control Family

• Security Controls and Control Enhancements organized into 18 RMF Security Control Families
• Control Flexibility
– Assignment and selection statements embedded within controls to allow organizations to define these values

Security Control Structure

• NIST SP 800-53 Rev 4 Control Structure
i. Control Section
ii. Supplemental Guidance (Including Related Controls)
iii. Control Enhancements
iv. References
v. Priority and Baseline Allocation
• Security Control Enhancements
– Add functionality/specificity to a control
– Increase the strength of a control
– If a Security Control is not applicable, all of its enhancements are also not applicable
– If a Security Control is applicable, each enhancement must be individually evaluated for applicability

Security Control Example

Security Control Baseline Example

Overlays
• Overlays are tailored guidance to baseline security controls established for community-wide use to address:
– Specialized Requirements
– Technologies
– Unique Missions/Environments of Operation
• Categories of Overlays
– Communities of interest (healthcare, intelligence, law enforcement, etc.)
– Information technologies/computing paradigms (cloud/mobile, CDS, etc.)
– Environments of operation (space, tactical, RDT&E, etc.)
– Types of information systems and operating modes (industrial control systems, weapons systems, single-user systems, standalone, etc.)
– Types of mission/operations (counterterrorism, RDT&E, etc.)
– Statutory/regulatory requirements (HIPAA, Privacy Act, etc.)

Tailor Security Controls
• Includes:
– Applying scoping considerations
– Selecting compensating controls, if needed
– Assigning specific values to security control parameters
– Supplementing initial baselines with additional controls/enhancements
– Providing additional information for control implementation
– Identifying and designating common controls
*NIST SP 800-53 Rev 4 Note*
"Organizations do NOT remove security controls for operational convenience"

[Figure: process flow – Select Baseline Security Controls → Tailor Security Controls (eMASS) → Identify Common Controls]

Apply Scoping Considerations
• Eliminate unnecessary security controls from the initial baseline controls
– All not-applicable justifications align under one of the following considerations:
• Control Allocation and Placement Considerations*
• Operational/Environmental-Related Considerations*
• Security Objective-Related Considerations*
• Technology-Related Considerations
• Mission Requirements-Related Considerations*
– Must provide justification why baseline security controls could not be employed

* Often, under DIACAP, these considerations would have been considered applicable with requested DAA "risk acceptance"
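As an added example (written for this page; not code from the FCC/C10F training, from eMASS, or from the RMF Knowledge Service), the following Python encodes two rules stated on the Security Control Structure and Apply Scoping Considerations slides as checks over a tailoring record: an enhancement cannot remain applicable once its control is marked not applicable, and every not-applicable decision must cite one of the five scoping considerations and give a rationale for why the baseline control could not be employed. Control identifiers follow the NIST SP 800-53 naming pattern (AC-2 for a control, AC-2(1) for its first enhancement); the sample decisions, the short consideration labels, and the function names are this example's own assumptions.

```python
"""Consistency checks for an RMF Step 2 tailoring record.

Added example for this training page; not code from the FCC/C10F deck, eMASS,
or the RMF Knowledge Service. It encodes two rules the slides state:
  1. If a security control is not applicable, every one of its enhancements is
     also not applicable; if the control is applicable, each enhancement is
     evaluated individually (an N/A enhancement under an applicable control is
     fine, an applicable enhancement under an N/A control is not).
  2. Every not-applicable decision must fall under one of the five scoping
     considerations and must say why the baseline control could not be employed.
Control identifiers follow the NIST SP 800-53 pattern (AC-2, AC-2(1)). The
decisions below are constructed sample data, not a real baseline, and the short
consideration labels are this example's own shorthand for the five categories.
"""
from dataclasses import dataclass
from typing import List, Optional
import re

# The five scoping considerations under which an N/A justification must fall
# (labels are this example's shorthand for the slide's five categories).
SCOPING_CONSIDERATIONS = frozenset({
    "control allocation and placement",
    "operational/environmental",
    "security objective",
    "technology",
    "mission requirements",
})

# AC-2(1) -> control AC-2, enhancement 1. Base controls have no parenthesis.
ENHANCEMENT_RE = re.compile(r"^([A-Z]{2}-\d+)\((\d+)\)$")


def parent_of(control_id: str) -> Optional[str]:
    """Return the base control id for an enhancement, or None for a base control."""
    match = ENHANCEMENT_RE.match(control_id)
    return match.group(1) if match else None


@dataclass
class TailoringDecision:
    control_id: str
    applicable: bool
    consideration: Optional[str] = None  # required when applicable is False
    rationale: str = ""                   # required when applicable is False


def check_tailoring(decisions: List[TailoringDecision]) -> List[str]:
    """Return one finding per rule violation; an empty list means the record is consistent."""
    by_id = {d.control_id: d for d in decisions}
    findings: List[str] = []
    for d in decisions:
        parent = parent_of(d.control_id)
        # Rule 1: an enhancement cannot stay applicable once its control is N/A.
        if parent and parent in by_id and not by_id[parent].applicable and d.applicable:
            findings.append(
                f"{d.control_id}: marked applicable but its control {parent} is not applicable"
            )
        if d.applicable:
            continue
        # Rule 2: an N/A decision needs a scoping consideration and a rationale.
        if d.consideration not in SCOPING_CONSIDERATIONS:
            findings.append(
                f"{d.control_id}: not-applicable decision does not cite one of the scoping considerations"
            )
        if not d.rationale.strip():
            findings.append(
                f"{d.control_id}: missing rationale for why the baseline control could not be employed"
            )
    return findings


def tailoring_summary(decisions: List[TailoringDecision]) -> dict:
    """Counts the SP needs to record: how many baseline items were kept and which were removed."""
    removed = [d.control_id for d in decisions if not d.applicable]
    return {"retained": len(decisions) - len(removed), "removed": removed}


# Constructed sample record (not a real system's baseline).
SAMPLE_DECISIONS = [
    TailoringDecision("AC-2", True),
    TailoringDecision("AC-2(1)", True),
    TailoringDecision("AC-17", False, "technology", "system has no remote access capability"),
    TailoringDecision("AC-17(1)", True),  # violates rule 1: control AC-17 is N/A
    TailoringDecision("PE-3", False, None, "physical access is provided by the hosting facility"),  # no consideration cited
    TailoringDecision("MA-4", False, "operational/environmental", ""),  # no rationale given
]

if __name__ == "__main__":
    for finding in check_tailoring(SAMPLE_DECISIONS):
        print(finding)
    print(tailoring_summary(SAMPLE_DECISIONS))
```

Run over the tailored control set before the Echelon II review, a check like this surfaces the inconsistencies that would otherwise be found by hand during triage; the consideration labels should be mapped to whatever wording the organization actually records in eMASS.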

Select Compensating Security Controls
• Alternative security controls employed in lieu of specific controls
– Provide equivalent or comparable protection
– Necessary due to:
• Specific nature of the information system
• Environments of operation
• No cost-effective means to meet risk mitigation
– Selected after applying scoping considerations
– Must provide supporting rationale for equivalency
– Organizations assess and accept the risk associated with implementing compensating controls

Assigning Security Control Parameters
• Assign security control and control enhancement embedded parameters, per:
– Federal Laws
– Executive Orders
– Directives
– Regulations
– Organization Policy and Standards

Supplementing Baselines
• Select security controls or control enhancements beyond those identified in baselines or overlays where necessary to sufficiently mitigate risks
– Risk Assessment in the security control selection process provides essential information in determining the necessity and sufficiency of the security controls and control enhancements
– NIST SP 800-53 Rev 4 Appendix F contains the Control Catalog
– Situations Requiring Potential Baseline Supplementation
• Advanced Persistent Threat
• Cross-Domain Services
• Mobility
• Classified Information

Identify Additional Needs
• Recommended methods for identifying additional needed security controls
– Requirements definition: organizations obtain specific and credible threat information about adversary activities, capabilities, and potential attacks
– Gap Analysis: organizational assessment of current defensive capability or level of cyber preparedness to determine the types of threats they can reasonably expect to encounter
• Reevaluate the priority codes from the security control baselines to determine if changes to those priorities are appropriate

Enhancing Information Security
• When organizations cannot apply sufficient security controls, alternative strategies are needed:
• Strategies must consider the mission/business risks
– Limiting the information the IS can process, store, or transmit
– Limiting the manner in which mission/business functions are automated
– Prohibiting external access, removing selected systems from networks
– Prohibiting information types from public access systems

Common Controls
• Common Controls
– Protect multiple organizational information systems
– Implemented with regard to the highest impact level among systems
• If not, system owners need to take additional actions
– Designation of Common Control Providers (CCP) is the responsibility of the DoD CIO or Navy CIO
• Navy process to designate CCPs is still in development
• Some DoD Common Controls have been identified and entered into eMASS

[Figure: process flow – Tailor Security Controls → Identify Common Controls → Document Control Tailoring]

Non-Common Controls
• System-Specific Controls
– Primary responsibility of the IS owner
• Hybrid Controls
– One part of the control is common and another part is system-specific
• Controls provided by External Service Providers
– Entities within the organization but outside the authorization boundary
– Entities outside the organization (other Federal or Commercial)
– Controls provided by External Service Providers must have documented agreements (e.g., MOA/MOU, SLA, eMASS Inheritance, etc.)

Inherited Controls
• All common controls are inherited, but not all inherited controls are common controls
– Common controls are inherited but differ from standard inherited controls
• Common Controls are always inherited from a Common Control Provider
– Common controls can be applied in layers, for example:
• A Navy ship could leverage DoD provided common controls, DoN provided common controls, and common controls inherent to the afloat environment through ships' design
– Hybrid Controls are shared with a Common Control Provider
– Inherited Controls are inherited from an External Service Provider such as:
• Enclave
• IA Suite
• Data Center
• Hosting facility
• Other Information System

Document Tailored Controls
• ISSM will document the final control set in eMASS
– Tailored control set and rationale for selection decisions must be documented in eMASS
– eMASS generated SP and POA&M will include added/removed controls with rationale
• Note: some DoD instructions indicate the POA&M is "initiated" at this step because of the identification of not-applicable controls; however, the POA&M is not actually initiated until after control selection is complete and implementation begins
– NIST SP 800-53 Rev 4: "Finally, the security control tailoring process is not static – that is, organizations revisit the tailoring step as often as needed based on ongoing organizational assessments of risk."

[Figure: process flow – Identify Common Controls → Document Control Tailoring → Develop ISCM Strategy]

Develop ISCM Strategy
• Develop ISCM Strategy
– Reference NIST SP 800-137
• Template is available on the DoD RMF KS and the ODAA C&A Portal
– DoD is identifying specific controls that must be continuously monitored
• Red/White/Yellow control list identifies monitoring periodicity requirements
• Includes requirements such as: patching and scanning strategy, auditing, and review of logs
– Impact to Annual Security Review Requirements
• Annual security review is only required for controls NOT identified in the ISCM

Note: DoD has not finalized the end-to-end technical solution or policy for real time continuous monitoring. Be prepared to update ISCMs as DoD releases additional guidance.

[Figure: process flow – Document Control Tailoring → Develop System Level Continuous Monitoring (ISCM) Strategy → Develop Security Assessment Plan]

Develop SAP
• NQV develops the Security Assessment Plan
– SCA responsibility carried out by the NQV
– Use of an NQV is required to complete this action
– Security Control Assessment events should be coordinated with other required test events such as Operational Test & Evaluation when possible
– Coordination of events must be documented in the SAP
– SAP must be approved by the SCA and provided to the AO for overall Step 2 approval

[Figure: process flow – Develop ISCM Strategy → Validator: Develop Security Assessment Plan (SAP) → Programmatic Review / EII Review SP, SAP, and ISCM Strategy]

ISCM Template

SAP Template



Echelon II Review
• Program & Echelon II Concurrent Review
– Reviews are conducted concurrently for efficiency but have different purposes
– Echelon IIs are encouraged to enforce separation of duties within their organization to eliminate duplication of effort
– Documentation will be processed at different paces vice as a "package"
• i.e. the SP will need to be reviewed/approved by the AO CSA before the SAP and ISCM are completed

[Figure: process flow – Develop Security Assessment Plan → Programmatic Review / EII Review SP, SAP, and ISCM Strategy → Ready for SCA and AO Review (NO loops back)]

Program Review
• Program & Echelon II Concurrent Review
– Program/System stakeholders ensure the planned implementation meets the user community's needs
• Verify control tailoring and implementation do not negatively impact the operational requirements provided by the user community
• Verify the control requirements of the information owner have been implemented

[Figure: process flow – Develop Security Assessment Plan → Programmatic Review / EII Review SP, SAP, and ISCM Strategy → Ready for SCA and AO Review (NO loops back)]

ECH II Review Decision
• Echelon II Review Decision
– Conduct review in accordance with the ECH II checklist and any additional requirements imposed by ECH II
– Initiate correspondence log
– ECH II will not forward to AO or SCA if minimum requirements are not met
• ECH II will use the mandatory Step 2 Triage Checklist
– Forwarding to AO and SCA signifies concurrence of the ECH II
• ECH II will sign the Step 2 Concurrence Form

[Figure: process flow – Programmatic Review / EII Review SP, STP, and ISCM Strategy → YES → Ready for SCA and AO Review; NO loops back]

SCA and AO Review
• SCA and AO Concurrent Review
– Reviews are a coordinated and concurrent event
– AO CSA will provide preliminary concurrence of the SP for the SCA to proceed with SAP review
– The SCA/AO are eliminating duplicate reviews to gain efficiency
• SCA Liaison reviews: SAP
• AO CSA reviews: SP, ISCM

[Figure: process flow – Ready for SCA and AO Review → SCA Review → YES → Approve SAP; AO Review → NO (Assess Determination)]

SCA Approves SAP
• SCA Approves Security Assessment Plan (SAP)
– The SCA will review the SP to determine if it is adequate to provide the information needed to review and approve the SAP
– SCA concurrence and processing the SAP for signature can occur before AO concurrence of the SP and ISCM strategy

[Figure: process flow – SCA Review → Approve SAP → YES → Approve SP, SAP, ISCM Strategy; AO Review → NO (Assess Only Determination)]

RMF Step 2 Checkpoint
• ECH II Schedules and Executes Checkpoint
– Scheduling is mandatory to "reserve" SCA Liaison/AO CSA time; however, if both agree the requirement to meet can be waived
– Conclusion of the checkpoint
• ECH II provides the Step 2 Concurrence Form endorsed by the User Rep, PM/ISO, ECH II, SCA, and, if necessary, additional signatures to the AO

[Figure: process flow – SCA/AO Reviews → YES → EII Checkpoint (PM, SCA, AO) → YES → AO Approval; NO loops back]

AO Step 2 Approval
• AO signs the Step 2 Concurrence Form approving:
– SP
– ISCM Strategy
– SCA Approved SAP
• Required before the program can move to Step 3

[Figure: process flow – EII Checkpoint → YES → AO Approves SAP, SP, and ISCM Strategy → YES → Implement Security Controls; NO loops back]

ECH II Triage Template

Step 2 Concurrence Template



Summary

• In this training module we covered the following topics:
• The Department of Defense (DoD) Risk Management Framework (RMF) Step 2 Process
– RMF Step 2 Roles & Responsibilities
– RMF Step 2 Select Controls Process Breakdown
– ISCM Strategy Initiation
– Develop SAP
– RMF Step 2 Review and Checkpoint Process
– ECH II Triage Checklist
– Step 2 Concurrence Form

Questions

• Please email RMF Process questions to: FCC_NAO_RMF_FAQ@navy.mil
• Please email eMASS questions to: eMASS@navy.mil
• Specific Question and Answer sessions are scheduled to address questions on all of the training modules
• A list of Frequently Asked Questions will be available on the FCC ODAA Portal following the completion of all training sessions:
https://usff.portal.navy.mil/sites/fcc-c10f/odaa/default.aspx

RMF References

• Department of Defense Instruction (DODI) 8500.01 – Cybersecurity, implements Cybersecurity and cancels DODI 8500.02 and DODI 8500.01E
• DODI 8510.01 – Risk Management Framework (RMF), directs DOD to use the NIST RMF
• Committee on National Security Systems Instruction (CNSSI) No. 1253 – Security Categorization and Control Selection for National Security Systems, used for categorizing all DOD IS and PIT and contains the DOD Specific Security Control Baselines
• National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30 – Guide for Conducting Risk Assessments
• NIST SP 800-37 – Guide for Applying RMF
• NIST SP 800-53 – Catalog of Security Controls; this is the security control catalog that CNSSI 1253 is based on
• NIST SP 800-53A – Guide for Assessing the Security Controls in Federal Information Systems and Organizations, contains the assessment procedures for DOD IT
• NIST SP 800-60 (Vol I & II) – Guide for Mapping Types of Information and Information Systems to Security Categories
• Federal Information Processing Standards Publication 199 (FIPS-199) – Standards for Security Categorization of Federal Information and Information Systems
• CNSSI 4009 – National Information Assurance (IA) Glossary
• RMF Knowledge Service – The authoritative source for RMF documentation, guidance, and updates: https://rmfks.osd.mil/rmf/Pages/default.aspx (CAC Required)
• Security Overlays are located at: https://www.cnss.gov/CNSS/issuances/Instructions.cfm

Additional RMF Training Opportunities

• DISA RMF Training – online training and supporting documentation
http://iase.disa.mil/rmf/Pages/rmf-training.aspx
• National Institute of Standards and Technology (NIST) RMF Training – online training
http://csrc.nist.gov/groups/SMA/fisma/rmf-training.html
• Defense Acquisition University (DAU) DIACAP to RMF Transition Training – online training
https://dap.dau.mil/daustream/Pages/AssetList.aspx?Asset-id=2070318
• DISA Instructor led eMASS training (Arlington VA only)
http://www.disa.mil/Services/Information-Assurance/SCM/EMASS/Training
• DISA Information Assurance Support Environment (IASE) eMASS Training – online training
https://powhatan.iiie.disa.mil/emass/training.html
