ABSTRACT

Before we embark on a discussion of assessment, we should take a moment to address the cyclical nature of the NIST RMF. As information and communication technology (ICT) professionals, we think in terms of life cycles. Every project, whether the intention is to build a brand new system or add a component to an existing system, begins with a feasibility analysis and ends when the resulting system or component moves into the maintenance phase of the life cycle. It is through the activities of maintenance that subsequent projects related to the system or system component are initiated. Unlike the NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF), in which it is clear that the intention is not to present the five functions of that framework as a life cycle, we believe NIST had different intentions for the RMF. This will become even clearer in the discussion we have in Chapter 8 of this book. Nevertheless, many make the mistake of thinking that since Step 4 of the NIST RMF refers to assessment, the framework is cycling back to the activities related to the assessment performed during Step 1 of the NIST RMF, Categorization. It is important to understand that the activities of Step 4, while indirectly related to those performed during the system security categorization, are intended to assess the performance of the control implementation that we discussed in Chapter 5.