Exploring CAM
Learn about the CAM benefits and workflows for users.
CAM overview
The CAM application applies a standardized approach to automating NIST's Risk Management Framework (RMF).
CAM users
CAM roles that are required for particular tasks are listed in CAM user roles.
| User / Role | Description |
|---|---|
| System owner | The individual responsible for procuring, developing, integrating, modifying, operating, and maintaining an information system. |
| Authorizing Official (AO) | The individual responsible for accepting an information system into an operational environment at a known risk level. Typically, this person is at the CISO or deputy CISO level. |
| Authorizing Official Designated Representatives (AODR) | One or more AODRs. |
| Security Control Assessors (SCA) | The individuals responsible for conducting a thorough assessment of the controls of an information system. |
| Information System Security Managers (ISSM) | The individuals responsible for conducting information system security management activities as designated by the ISSO. |
| Information System Security Officers (ISSO) | The individuals responsible for ensuring that the appropriate operational security posture is maintained for an information system. |
| Information owners | The individuals responsible for statutory, management, and operational authority. |
| System users | The users responsible for performing the actual work on the system. |
RMF workflow supported by CAM
RMF was mandated by the U.S. Federal government to provide the necessary resiliency to support the economic and national security interests of the United States. CAM employs the seven steps defined by the RMF to allow you to make better-informed decisions about your security posture.
The RMF System Life Cycle consists of seven interconnected phases that work together to provide a comprehensive approach to managing information system security risks. Each phase has a specific focus area and contributes to the overall authorization and continuous monitoring of the system.
RMF phases
| Phase | Phase Name | Scope | Description |
|---|---|---|---|
| 1 | Prepare | Information System | Define the system boundary, assign roles, identify common controls, and prepare for the RMF process. |
| 2 | Categorize | Information System | Define criticality/sensitivity of information system according to potential worse case, adverse impact to mission/business. |
| 3 | Select | System Controls | Select baseline controls; apply tailoring guidance and supplement controls as needed based on risk assessments. |
| 4 | Implement | System Controls | Implement controls within enterprise architecture using sound systems engineering practices; apply configuration settings. |
| 5 | Assess | System Controls | Determine control effectiveness (that is, controls implemented correctly, operating as intended, meeting requirements for information system). |
| 6 | Authorize | Information System | Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation. |
| 7 | Monitor | System Controls | Continuously track changes to the information system that may affect security controls and reassess control effectiveness. |
What to explore next
- Configuring CAM
- Risk Management Framework (RMF) step 0 - Prepare the authorization package
- Risk Management Framework (RMF) step 1 - Categorize the authorization package
- Risk Management Framework (RMF) step 2 - Select controls for an authorization package
- Risk Management Framework (RMF) step 3 - Implement controls
- Risk Management Framework (RMF) step 4 - Assess implemented controls and document findings
- Implementing controls and assessment objectives in CAM
- Continuous authorization and monitoring tasks in the CAM Workspace
- CAM reference