In a previous blog, “Why Does the Risk Management Framework Still Matter?”, we looked at an overview and the first steps of the NIST Risk Management Framework. In this blog we continue the discussion by looking at the steps of the NIST RMF that lead into continuous monitoring.

Of the six steps in the RMF, only the last is focused on cyber operations; steps 1 through 5 establish a baseline of controls, policies and accreditation. To enhance cybersecurity we must monitor and demonstrate the viability and health of the security standards we deploy. Are you, like the majority of organizations, spending 90% of your time establishing a baseline of controls and only 10% enhancing your cyber posture or achieving cyber accountability?

  • Step 1: Categorize the system and the information it handles (FIPS 199, NIST SP 800-60; CNSSI 1253 for DoD and other national security systems)
  • Step 2: Select the security controls and tailor the baseline (FIPS 200 and NIST SP 800-53; CNSSI 1253 baselines for national security systems)
  • Step 3: Implement the selected controls in the environment as the “system” (NIST SP 800-53)
  • Step 4: Assess the implementation of the controls and policies (NIST SP 800-53A)
  • Step 5: Authorize the system, the collection of controls and policies created for the environment (NIST SP 800-37)
  • Step 6: Continuously monitor the system and its controls (NIST SP 800-137)

To simplify how you look at the Framework, we have broken the six steps down into three steps we call the BAP Cyber Steps:

BAP Cyber Step 2: Validate Controls and Policies

This step brings together steps 4 and 5 of the RMF. There is no doubt that the most significant collection of cyber controls is found in NIST SP 800-53. As we discussed in the last blog, the NIST collection of standards is extensive, impressive, and a great starting point for implementing controls that fit the requirements of your environment. In Step 2 we focus on validating the implementation language associated with each control before the controls are implemented, which reduces the time cyber operations spends adjusting existing infrastructure and adding new technologies to the environment to meet control needs. The validation criteria can be authored jointly by the cyber policy and cyber operations teams, producing a vetted system security plan (SSP) and a clear path to continuous monitoring and RMF accountability.

Validate the implementation of the controls before deploying any security product, and save time and money.

USE CASE – RMF and BAP

To begin, the RMF policy professional enters all controls into the BAP software suite, grouping the controls into policies. The cyber operations team edits the implementation language associated with each control and implements the control within the environment. The RMF policy and cyber operations teams validate the implementation language for the controls throughout the process. Once the implementation language and the controls have been validated, steps 1 through 5 of the RMF are satisfied, and security operations is prepared to monitor the environment, which is step 6 of the RMF. The groundwork has to be completed for RMF in any case; why not complete it within BAP, knowing that continuous monitoring and accountability are core attributes of the BAP software?

Save time and cost. When building your controls, use the correct tool.

The key to saving time and cost is to develop a set of controls that can be applied to multiple security policies, effortlessly, with a software application like BAP. The objective of a cybersecurity control is a known constant, whereas the implementation of the control changes with the security policy it serves. Consistency within the controls, which for many environments means hundreds of controls, is essential for every system (a collection of cyber controls that meets a specific business objective: e-mail, database, files) you wish to secure within your environment. In practice this means:

  • Encryption matters to multiple systems within your organization. The encryption standard is therefore a constant, whereas the implementation of encryption varies with the policy that requires it: e-mail and web application, for example.
  • Validate the accuracy of the implementation language associated with each cyber control and provide a “report card” on the strength of the control's implementation, typically before the physical implementation begins.
  • Share cyber controls and policies with others using the same application, so that a central site can create collections of controls and policies for the other sites in the organization.
  • Sharing should work in both connected and disconnected environments, and should always be free, so that the time invested in developing the controls is maximized and the controls can be correlated with the real-time threats to your environment.
  • Inherit a single cyber control into multiple cyber policies. Inheritance should cascade any future change to a control into every policy that uses it, saving you time and cost.
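The ideas in this list (one control objective shared by several policies, per-policy implementation language, a pre-deployment “report card”, and a change to the shared control cascading into every policy) can be shown in a few lines of code. The following is an added example written for this post; it is not code from the original article or from the BAP product, and it makes no claim about how BAP stores or validates controls. The control identifiers SC-8 and SC-13 are real NIST SP 800-53 control IDs, but the control objectives, the validation rules (required terms and a key-length floor), and the two policies with their implementation statements are constructed for illustration.

```python
# Added example: shared controls, per-policy implementation language, report card
# and change cascade. Not from the original post or the BAP product; the catalog,
# policies and validation rules below are constructed for illustration only.
import re
from copy import deepcopy
from dataclasses import dataclass


@dataclass
class Control:
    """One control from the catalog. The objective and its parameters are the
    constant part; policies only supply implementation language for it."""
    cid: str
    objective: str
    required_terms: tuple        # terms a satisfying implementation statement must address
    min_key_bits: int = 0        # 0 means the control sets no key-length floor


@dataclass
class Policy:
    """A policy inherits controls by ID and writes its own implementation statement
    for each one. The same control ID may appear in many policies."""
    name: str
    control_ids: list
    implementations: dict        # control id -> implementation statement (free text)


# Constructed catalog (the constant part). Values are illustrative, not a baseline.
CATALOG = {
    "SC-8": Control("SC-8", "Protect the confidentiality of transmitted information.",
                    required_terms=("TLS",)),
    "SC-13": Control("SC-13", "Use FIPS-validated cryptography for protected data.",
                     required_terms=("AES", "FIPS"), min_key_bits=128),
}

# Constructed policies (the variable part). Both inherit SC-8 and SC-13.
POLICIES = [
    Policy("e-mail", ["SC-8", "SC-13"], {
        "SC-8": "Mail relays enforce TLS 1.2 or later for all inbound and outbound SMTP.",
        "SC-13": "Mailbox stores use AES-128 via the FIPS 140-2 validated module of the OS.",
    }),
    Policy("web application", ["SC-8", "SC-13"], {
        "SC-8": "The load balancer terminates TLS 1.3 only; plaintext HTTP is redirected.",
        "SC-13": "Data at rest is encrypted with AES-256 by a FIPS 140-2 validated HSM.",
    }),
]


def _key_bits(statement):
    """Largest key length written as 'AES-256', 'RSA-3072' or '256-bit'; None if absent."""
    sizes = (re.findall(r"\b(?:AES|RSA)-(\d{3,4})\b", statement)
             + re.findall(r"\b(\d{3,4})-bit\b", statement))
    return max(map(int, sizes)) if sizes else None


def validate(policy, catalog):
    """Check each inherited control's implementation statement against the catalog.
    Returns {control id: [findings]}; an empty list means the statement satisfies it."""
    findings = {}
    for cid in policy.control_ids:
        ctrl = catalog[cid]
        statement = policy.implementations.get(cid)
        if statement is None:
            findings[cid] = ["no implementation statement"]
            continue
        issues = [f"does not address '{term}'" for term in ctrl.required_terms
                  if term.lower() not in statement.lower()]
        if ctrl.min_key_bits:
            bits = _key_bits(statement)
            if bits is None:
                issues.append("no key length stated")
            elif bits < ctrl.min_key_bits:
                issues.append(f"{bits}-bit key below the {ctrl.min_key_bits}-bit floor")
        findings[cid] = issues
    return findings


def report_card(policies, catalog):
    """Per-policy score 'passed/total' plus the failing controls: the pre-deployment report card."""
    card = {}
    for policy in policies:
        findings = validate(policy, catalog)
        passed = sum(1 for issues in findings.values() if not issues)
        card[policy.name] = {"score": f"{passed}/{len(findings)}",
                             "findings": {k: v for k, v in findings.items() if v}}
    return card


def inheritance(policies):
    """Which policies reference each control: one control defined once, used many times."""
    users = {}
    for policy in policies:
        for cid in policy.control_ids:
            users.setdefault(cid, []).append(policy.name)
    return users


def tighten(catalog, cid, **changes):
    """Change a shared control once; every policy inheriting it is re-graded on the next
    report_card run, which is the cascade. Returns a new catalog, leaving the input intact."""
    new_catalog = deepcopy(catalog)
    for attr, value in changes.items():
        setattr(new_catalog[cid], attr, value)
    return new_catalog


if __name__ == "__main__":
    print("inherited by:", inheritance(POLICIES))
    print("before:", report_card(POLICIES, CATALOG))
    # Raising the SC-13 key floor once flags the e-mail policy, whose AES-128 language
    # no longer satisfies the shared control; the web application policy still passes.
    print("after: ", report_card(POLICIES, tighten(CATALOG, "SC-13", min_key_bits=256)))
```

Run it as a script to see the two report cards side by side. The point of the cascade is the last line: the control is edited in one place, and the next validation run tells you exactly which policies' implementation language needs rework, before anything is deployed.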