CMS Risk Management Framework (RMF): Implement Step

What is the Risk Management Framework (RMF)?

The National Institute of Standards and Technology (NIST) created the RMF to provide a structured, flexible process to manage risk throughout a system’s life cycle. Using the RMF process helps CMS authorize and monitor our information systems and keep them safe.

The RMF is made up of 7 steps (NIST SP 800-37 Rev. 2):

  • Prepare
  • Categorize
  • Select
  • Implement
  • Assess
  • Authorize
  • Monitor

What is the Implement Step?

The purpose of the Implement step is to implement the controls in the security and privacy plans for the system and for the organization, and to document the specific details of each control implementation in a baseline configuration.

System-level Implement Tasks

System-level Implement tasks also take into consideration mission/business process concerns.

Task I-1: Control implementation

The primary goal of control implementation is to transition security and privacy controls from plan to practice. This involves implementing controls according to the specifications in security and privacy plans, ensuring they are effectively integrated within the organizational and system architecture.

This task aims to establish a secure and privacy-respecting environment that aligns with organizational policies and federal regulations.

When common controls (i.e., controls applied across multiple systems within an organization) are found insufficient for a specific system, Task I-1 involves identifying and implementing compensating or supplementary controls. This might involve enhancing existing controls or adding new ones to fill any gaps. The process ensures the system meets its unique security and privacy requirements, even when inheriting broader organizational controls.

Potential Inputs:

  • The approved security and privacy plans are the blueprints for the security and privacy posture of an organization. They detail the controls selected based on the system's risk assessment and the organization's security requirements. The importance of these plans lies in their role as a guiding document for what needs to be implemented, providing a clear path forward for system security and privacy.
  • System design documents outline the architecture and design of the system, including hardware, software, network configurations, and data flows. Understanding the system design is crucial for implementing controls that are effective and appropriate for the specific system architecture.
  • The organizational security and privacy policies and procedures are overarching guidelines and standard operating procedures for managing security and privacy within the organization. They provide a framework within which specific controls need to be implemented, ensuring consistency and compliance across the organization.
  • Business impact or criticality analyses determine the importance of system components and data, guiding which controls are critical and how resources should be allocated for control implementation. They help prioritize efforts based on the potential impact of a security or privacy breach.
  • Enterprise architecture information provides a comprehensive view of the organization’s processes, information systems, technologies, and security architecture. It's essential for ensuring that the control implementations are aligned with the broader organizational goals and IT strategy.
  • The security and privacy architecture information is a detailed description of the security and privacy frameworks in use within the organization. This information ensures that control implementations are compatible with and reinforce the existing security and privacy architectures.
  • The list of security and privacy requirements allocated to the system is a detailed list of all security and privacy requirements specific to the system, including federal regulations, industry standards, and organizational policies the system must comply with. This list guides the selection and implementation of appropriate controls.
  • Information about the system elements and environment of operation describes the system components and the operational environment and helps tailor control implementations to the system's specific needs and challenges.
  • The system component inventory lists every component within the system. It is essential for ensuring comprehensive control coverage and for managing updates and modifications to the system over time.
  • The organization- and system-level risk assessment results inform the control implementation process by highlighting areas of highest risk and guiding the prioritization of control efforts.
  • Assurance requirements are about ensuring that implemented controls meet a high standard of effectiveness and reliability. These requirements typically involve rigorous testing and documentation to prove that controls are correctly implemented and are operating as expected. They help increase confidence that the controls will effectively mitigate identified risks.

Expected Outputs:

  • An updated security and privacy plan that reflects the implemented controls, including any deviations from the original plan
    • This document should detail the controls in place, how they were implemented, and any adjustments made during the process. It serves as a comprehensive record of the system's security and privacy posture following implementation.

Discussion:

Controls are implemented after they are chosen in the Select step of the RMF, which occurs during the Initiate phase (for new systems) or the Operate phase (for existing systems) of the CMS Target Life Cycle (TLC).

All CMS controls come from NIST SP 800-53 Rev. 5. The minimum baseline of information security and privacy controls is cataloged in the CMS Acceptable Risk Safeguards (ARS) 5.1 and is applied to a system according to its security and privacy requirements, risk tolerance, system risk assessment, and security categorization.

The System Security and Privacy Plan (SSPP) is a living collection of information that serves as the guide for implementing controls. The SSPP lives in the CMS FISMA Continuous Tracking System (CFACTS) and is updated, as necessary, while controls are implemented. Control implementations must also be consistent with the CMS Technical Reference Architecture (TRA).

The System or Business Owner has primary responsibility for implementing security controls at the system level, and the Information System Owner and System Developer or Maintainer assist in ensuring their proper implementation.

CMS also provides enterprise-level security and privacy controls, maintained by the Offices of the CIO and CISO, that systems can inherit as common controls rather than implementing them themselves.

Cybersecurity Framework: PR.IP-1; PR.IP-2.

TLC Cycle Phase:

Task I-2: Update control implementation information

The purpose of Task I-2 is to ensure that security and privacy plans remain accurate and up-to-date as controls are implemented, modified, or updated.

This ongoing revision process ensures that the documentation accurately reflects the current state of security and privacy controls within the system. It is crucial for maintaining transparency, supporting assessments, and facilitating effective risk management and compliance activities.

Potential Inputs:

  • Security and privacy plans are the foundational documents detailing the intended security and privacy controls for the system. Updating these plans as controls are implemented ensures they accurately reflect the system's current security and privacy posture.
  • Information from control implementation efforts is the detailed record of the control implementation process: deviations from the original plans, challenges encountered, and solutions devised. This information is critical for updating the security and privacy plans with accurate, as-implemented details.

Expected Outputs:

  • Updated security and privacy plans that accurately reflect the actual state of implemented controls, including any deviations from the original plans. They give internal and external assessors a clear, current reference for the assessment and authorization processes, and they expose gaps between planned and implemented controls so those gaps can be addressed to strengthen the security and privacy posture.
  • A system configuration baseline: a detailed, current record of the system's configuration that reflects the as-implemented state of the controls. The baseline supports ongoing system management, risk assessment, and compliance activities, and it is the reference against which later deviations are identified. Each deviation is then evaluated for its effect on the system's security and privacy posture, including any risk it introduces or mitigates.
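The configuration baseline is only useful if something actually compares it against the live system. The following is an added example (not CMS or NIST code) of that comparison: it records, for each baselined setting, the expected value and the control the setting implements, then reports every difference between the baseline and an observed snapshot and groups the differences by control so the SSPP implementation statements that need re-examination are obvious. The component names, settings and values are constructed sample data; the control identifiers are NIST SP 800-53 family labels used only as tags. The code reports deviations but does not judge them: whether a change (for example, a higher minimum TLS version) strengthens or weakens the control is the evaluation step the page describes, and it stays with the Security and Privacy Officer.

```python
"""Compare a recorded system configuration baseline against the
currently observed configuration and report deviations.

Added example, not CMS or NIST code. BASELINE and OBSERVED are
constructed sample data; host names, setting names and values are
hypothetical, and the control IDs are NIST SP 800-53 labels used
only as tags.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed baseline: the as-implemented configuration recorded in
# the SSPP at the end of Task I-2, keyed by component, then setting.
# Each setting maps to (expected value, control it implements).
BASELINE: Dict[str, Dict[str, Tuple[str, str]]] = {
    "web-01": {
        "ssh.PasswordAuthentication": ("no", "IA-5"),
        "ssh.PermitRootLogin": ("no", "AC-6"),
        "tls.MinVersion": ("1.2", "SC-8"),
        "auditd.enabled": ("yes", "AU-12"),
    },
    "db-01": {
        "pg.ssl": ("on", "SC-8"),
        "pg.log_connections": ("on", "AU-12"),
        "pg.password_encryption": ("scram-sha-256", "IA-5"),
    },
}

# Constructed observed snapshot: what a scan of the live hosts reports
# today. web-01 has drifted on two settings; db-01 has a setting the
# baseline never recorded.
OBSERVED: Dict[str, Dict[str, str]] = {
    "web-01": {
        "ssh.PasswordAuthentication": "yes",
        "ssh.PermitRootLogin": "no",
        "tls.MinVersion": "1.3",
        "auditd.enabled": "yes",
    },
    "db-01": {
        "pg.ssl": "on",
        "pg.log_connections": "on",
        "pg.password_encryption": "scram-sha-256",
        "pg.listen_addresses": "*",
    },
}


@dataclass(frozen=True)
class Deviation:
    component: str
    setting: str
    control: Optional[str]   # control the setting implements, if baselined
    expected: Optional[str]  # None when the setting is not in the baseline
    actual: Optional[str]    # None when the setting is absent from the host
    kind: str                # "changed", "missing", or "unbaselined"


def find_deviations(baseline, observed) -> List[Deviation]:
    """Return every difference between baseline and observed, sorted by
    component and setting. A host absent from the scan reports all of
    its baselined settings as missing."""
    out: List[Deviation] = []
    for comp, settings in baseline.items():
        live = observed.get(comp, {})
        for name, (expected, control) in settings.items():
            actual = live.get(name)
            if actual is None:
                out.append(Deviation(comp, name, control, expected, None, "missing"))
            elif actual != expected:
                out.append(Deviation(comp, name, control, expected, actual, "changed"))
        for name, actual in live.items():
            if name not in settings:
                out.append(Deviation(comp, name, None, None, actual, "unbaselined"))
    # Hosts that appear in the scan but were never baselined at all.
    for comp in observed.keys() - baseline.keys():
        for name, actual in observed[comp].items():
            out.append(Deviation(comp, name, None, None, actual, "unbaselined"))
    return sorted(out, key=lambda d: (d.component, d.setting))


def controls_affected(deviations) -> Dict[str, List[Deviation]]:
    """Group baselined deviations by the control they implement, so the
    SSPP control implementation statements needing review are listed."""
    by_control: Dict[str, List[Deviation]] = {}
    for d in deviations:
        if d.control:
            by_control.setdefault(d.control, []).append(d)
    return by_control


if __name__ == "__main__":
    devs = find_deviations(BASELINE, OBSERVED)
    for d in devs:
        print(f"{d.kind:12} {d.component}/{d.setting}: "
              f"expected={d.expected!r} actual={d.actual!r} control={d.control}")
    print("controls to re-examine:", sorted(controls_affected(devs)))
```

Running the script against the constructed data lists three deviations (an unbaselined listener setting on db-01, and two changed settings on web-01) and flags IA-5 and SC-8 as the controls whose SSPP implementation details need a second look; the unbaselined setting has no control tag, which is itself a signal that the baseline record is incomplete.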

Discussion:

Keeping the security and privacy plans accurate is a critical part of the Implement step: the plans must remain living documents that reflect the real state of the system. That accuracy is essential for effective risk management, compliance, and operational security and privacy.

As controls are initially implemented according to the SSPP, they can be assessed to ensure that they are implemented correctly, operating as intended, and producing the desired outcome.

The control implementation details may be modified and reassessed by the Cybersecurity and Risk Assessment Program (CSRAP) Assessment Team for effectiveness as part of the CMS Cyber Risk Management Plan (CRMP) and Continuous Diagnostics and Mitigation (CDM).

All changes to implemented control details are documented in the SSPP, which is maintained in CFACTS.

The System or Business Owner is responsible for updating the SSPP, and the Security and Privacy Officer (previously known as the ISSO) is responsible for updating control implementation details.

Cybersecurity Framework: PR.IP-1; Profile.

TLC Cycle Phase:

Short description

Document and implement controls in the security and privacy plans, both baseline configurations and specific instances

Contact name
ISPG Policy Team
Contact email
CISO@cms.hhs.gov