Doc:NIST SP 800-37r1 Appendix H
APPLYING THE RISK MANAGEMENT FRAMEWORK IN DIFFERENT ENVIRONMENTS
Managing risk to information from the operation and use of information systems in modern computing environments with a diverse set of potential business relationships can be challenging for organizations. Relationships are established and maintained in a variety of ways, for example, through joint ventures, business partnerships, outsourcing arrangements (i.e., through contracts, lines of business arrangements, interagency and intra-agency agreements), licensing agreements, and supply chain arrangements. The Risk Management Framework (RMF) applies only to federal information systems. There are two distinct types of operational scenarios that affect how organizations address the RMF steps and associated tasks:
- Information systems used or operated by federal agencies; and
- Information systems used or operated by other organizations on behalf of federal agencies.
SCENARIO 1: For an information system that is used or operated by a federal agency, the system boundary is defined by the agency. The agency conducts all RMF tasks to include information system authorization. The agency maintains control over the security controls employed within and inherited by the information system.
SCENARIO 2: For an information system that is used or operated by another organization on behalf of a federal agency, the system boundary is defined by the agency in collaboration with the other organization and one of the following situations applies:
- If the organization is contracted to a federal agency, the contractor can conduct all RMF tasks except those tasks which must be carried out by the federal agency as part of its inherent governmental responsibilities. The agency provides RMF-related inputs to the contractor, as needed, and maintains strict oversight on all contractor-executed RMF tasks. The contractor provides appropriate evidence in the security authorization package for the authorization decision by the authorizing official from the federal agency.
- If the organization is a federal agency, the organization can conduct all RMF tasks to include the information system authorization. The information system authorization can also be a joint authorization if both parties agree to share the authorization responsibilities. In situations where a federal agency uses or operates an information system on behalf of multiple federal agencies, the joint authorization can include all participating agencies.
- 87 NIST Special Publication 800-53 provides additional guidance on the application and use of security controls in external environments to include relationships with external service providers.
- 88 References to federal agencies include organizations that are subordinate to those agencies.
- 89 Organizations that use or operate an information system on behalf of a federal agency or one of its subordinate organizations can include, for example, other federal agencies or their subordinate organizations, state and local government agencies, contractors, and academic institutions.
- 90 Organizations ensure that requirements for conducting the specific tasks in the RMF are included in appropriate contractual vehicles, including requirements for independent assessments, when appropriate.