Free Download: RMF Artifacts Checklist: Every artifact you need for an ATO
Get the free PDF

RMFInsider

RMF Step-by-Step Guide

Published by

Batmunkh N

on

(What Actually Happens in DoD ATOs)

Implementing Risk Management Framework at Mission Speed - ActioNet, Inc.

If you look up the RMF process, you’ll always see the same thing:

Six steps.
Categorize. Select. Implement. Assess. Authorize. Monitor.

Clean. Simple. Easy to memorize.

But if you’ve actually worked an ATO, you already know:

That’s not how it feels in real life.

RMF isn’t a straight line.
It’s back-and-forth, rework, unclear ownership, and a lot of “we thought we had that already.”

This guide isn’t going to repeat definitions.

It’s going to walk you through what actually happens in each step — the way you experience it as an ISSO.

It Always Starts With Categorization… But Nothing Is Stable

On paper, categorization is straightforward.

You define your system, your boundary, and your impact levels using FIPS 199.

In reality, this is one of the hardest parts of the entire process.

Not because it’s complicated —
but because everything is still changing.

In one of my recent systems, we struggled to define the boundary early on because the use cases kept evolving. New integrations were being discussed, architecture wasn’t fully locked in, and decisions were still being made in parallel.

You’re expected to move forward…

…but you don’t actually have a stable system yet.

That’s where most problems start.

If you define the boundary too early:

  • You scope the wrong controls
  • You miss external dependencies
  • You end up reworking everything later

And if you’re working with external organizations — which you usually are — it adds another layer.

You want to maintain a good working relationship.
You want to be collaborative.

But at the same time, you quickly realize:

They may not understand RMF at all.

So now you’re not just doing your system —
you’re guiding another team through a process they’ve never done before.

Control Selection Is Where People Quietly Set Themselves Up to Fail

Once categorization is “good enough,” you move into selecting controls from NIST SP 800-53.

This is where a lot of ISSOs make a mistake that doesn’t show up until much later.

They just… select everything.

No real thought about:

  • What’s inherited
  • What’s hybrid
  • What actually applies

In real DoD environments, you’re rarely building everything from scratch.

You’re inheriting controls from:

  • Tier 1
  • Datacenters
  • Enterprise services

And then you have hybrid controls sitting in the middle.

What helped me was separating this early.

Yes, eMASS labels hybrid controls —
but I didn’t rely on that alone.

I built my own tracker.

Something simple:

  • Fully inherited
  • Hybrid
  • System-owned

That alone gives you clarity that most teams don’t have.

Because if you don’t figure this out early, you’ll feel it later when you’re assigning work and no one knows who actually owns what.

Implementation Is Where Everything Slows Down

This is the phase everyone underestimates.

On paper, it sounds like:
“Apply controls, generate artifacts, configure systems.”

In reality, it’s coordination.

This is where:

  • Engineers are busy with actual system work
  • RMF becomes “extra” work
  • Ownership gets blurry

The biggest issue I’ve seen over and over is this:

The system is configured one way…
But the documentation says something else.

Your implementation narratives say one thing.
Your policies say otherwise.
Your system behaves differently.

That disconnect will destroy you in assessment.

So before anything goes into eMASS, we rely heavily on internal trackers.

Spreadsheets.
Control trackers.
Artifact assignments.

eMASS is the system of record —
but it shouldn’t be where you figure things out.

It should be where things are finalized.

We also assign artifacts based on risk and importance.

Not everything needs the same level of attention.

If you treat all controls equally, you waste time where it doesn’t matter.

Assessment Is Where You Find Out If You Were Actually Ready

This is the phase where reality hits.

You bring in assessors.
They run tools like Nessus.
They start asking questions.

And suddenly, everything that looked “complete” starts falling apart.

Nessus alone gives you more than just vulnerabilities.

It helps validate:

  • What’s actually on your system
  • Hardware/software inventory
  • Gaps you didn’t realize were there

And this is where most teams realize:

They weren’t ready.

Not because they didn’t work hard —
but because things didn’t line up.

Missing artifacts.
Inconsistent narratives.
Configurations that don’t match documentation.

Also, it’s not always the AO you need to worry about.

In my experience, the real pressure comes from:

  • The SCA
  • Validator teams

They will work with you —
but they will challenge everything you submit.

Authorization Is Less About Perfection Than You Think

At this point, everything is submitted for a decision.

And a lot of people think:

“If we’re not perfect, we won’t get authorized.”

That’s not true.

Authorization is about risk.

You need:

  • Solid technical implementation
  • Clear, consistent documentation

Not one or the other — both.

You can have a technically strong system…

…but if your documentation is weak, it raises questions.

And questions slow everything down.

Continuous Monitoring Is Where Discipline Shows

After ATO, most teams relax.

That’s the reality.

They shift focus.
They stop tracking actively.
They wait until the next audit.

Then scramble.

Strong teams don’t do that.

They:

  • Continuously track control status
  • Keep artifacts updated
  • Stay ready at all times

Because rebuilding everything before reassessment is far more painful than maintaining it.

What RMF Actually Feels Like (And Why Timelines Vary So Much)

If you’re expecting a clean timeline, you’ll be disappointed.

RMF looks more like:

  • Start → stop → rework → repeat

Typical timelines:

  • Fast: 3–6 months
  • Normal: 6–12 months
  • Slow: 12–18+ months

What’s interesting is how much this can change with the right approach.

Recently, I’ve been using LLMs to help generate:

  • Implementation narratives
  • Policy drafts

Not to replace the work —
but to speed up the starting point.

That alone has cut timelines significantly, in some cases close to half.

Final Thought

RMF isn’t hard because of the framework.

It’s hard because:

  • Systems evolve
  • People don’t align
  • Documentation lags behind reality

If you can manage those three things well…

You’ll be ahead of most ISSOs working ATOs today.

Link to:

What RMF Actually Is

Discover more from RMFInsider

Subscribe to get the latest posts sent to your email.

Leave a Reply

Hello,

I’m Babux

Welcome to RMFInsider. A focused space dedicated to understanding RMF, compliance, and the cleared cyber economy. Here, we simplify complex frameworks, break down real-world costs, and explore the career and business opportunities hidden inside the system.

Let’s connect

      Get the Weekly RMF Brief

      Practical breakdowns of RMF, cleared cyber careers, and compliance — delivered weekly.

      Recent posts

      Discover more from RMFInsider

      Subscribe now to keep reading and get access to the full archive.

      Continue reading