The Risk Management Framework (RMF) Assessment and Authorization (A&A)

The RMF is the full life cycle approach to managing the risk of federal information systems and should be followed for all federal information systems. The RMF comprises six (6) phases, with Assessment and Authorization (A&A) being steps four and five in the life cycle. To read more about the RMF, please refer to NIST Special Publication 800-37 rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.

  1. Categorizing the system;
  2. Selecting security controls;
  3. Implementing security controls;
  4. Assessing controls;
  5. Authorizing systems; and
  6. Monitoring security controls.

The following general information is intended to help you understand the risk management framework and prepare you to conduct the SA&A for your federal information system or application.

Step 1. Categorize the System

Once you have established that yours is a federal information system, the first step is to categorize the information system. Use the NCI Security Starter Kit for templates and guidance on completing the Federal Information Processing Standard 199 (FIPS-199) form, the e-Authentication Threshold and Risk Analysis (eTA/eRA) form, the Privacy Impact Assessment (PIA), and the Business Impact Analysis (BIA). All four forms are required to properly define the risk rating for your system; that rating lets you select the proper security controls (from NIST 800-53) for your application and helps you design the application to meet its security, privacy, and availability needs. This first step is consistent across all federal information systems, whether they are hosted internally, externally, or in the cloud.

Step 2. Select Security Controls

Once you have categorized your application, you can determine which security controls apply to your system. Controls are technical, managerial, or operational in nature and help ensure adequate security and assurance for your system. There are three ways controls can be applied and managed:

  1. Common controls are those that are fully inherited by a system from a higher-level system or environment (i.e., an organization-wide network or service like email);
  2. Hybrid controls are those that are partially inherited from a common control provider but still require the system owner to take some responsibility for implementing and managing; and
  3. System-specific controls are entirely the system's or system owner's responsibility to implement, operate, manage, and monitor.

This control selection matrix is a tool that can help you determine which controls to implement (based on your rating) and whether each is common, hybrid, or system-specific.

Step 3. Implement Security Controls

As part of the system's design process, you will need to ensure that the system-specific and hybrid portions of controls are properly designed and implemented. By incorporating security control requirements into your overall system design and development process, and continuously throughout the system's life cycle, you should realize cost savings when compared to adding security to an existing system or retrofitting the application to meet security requirements. You may even find that security ends up driving or altering some of your functional and design requirements, which is why it is best to integrate security early in the system's life cycle rather than later. However, if developing or implementing a new security control is not possible, causes undue hardship, or is not cost-effective, then you may be able to apply to the NIH chief information security officer (CISO) for a security waiver. All waiver requests must be vetted first with your Contracting Officer Representative (COR), and then with the NCI ISSO. All final waivers must be approved by the NIH CISO.

Step 4. Conduct the Security Assessment

During this phase a qualified, and usually an independent third-party, security assessor will evaluate the effectiveness of your application's security controls. The cost and burden of identifying and paying for the assessor varies based on where the application resides or operates, but the general rules of thumb at NCI are:

NOTE: All final A&A packages must contain the minimum set of artifacts required by NIH.

The preliminary package, which includes the System Security Plan, Security Assessment Report, and Plan of Action and Milestones (POA&M), must be provided to the AO or her designated reviewing official to assess the quality and completeness of the package and to review the findings. This gives the system owner and the system operator a chance to correct invalid findings, and to address any that can quickly and easily be closed before the authorization request is made. Once this review has been completed and the business owner is satisfied that the package is ready for review, it is sent to the authorizing official.

Step 5. Authorize the Application (System)

Once the system's security assessment has been completed and the POA&M has been finalized, the final and complete authorization package is submitted to the authorizing official (AO) for a decision. The authorizing official makes the final decision on whether the residual risks are acceptable and whether the remediation plan (POA&M) to address them is adequate. The AO varies based on the hosting solution, as follows:

Step 6. Conduct Continuous Monitoring and Reauthorization