To implement RMF, the system needs to be categorized. Lower-level hardware and software, for example, are for controls. Each category needs to be evaluated for how it influences confidentiality, integrity, and availability. Low impact involves conditions like a degraded mission, minor damage to the organization, and minor harm to individuals. Moderate impact involves significantly degraded mission capability, significant harm to individuals, or significant financial loss. High impact, meanwhile, involves the inability to perform a mission, loss of life, life-threatening injuries, or major damage to organizational assets.
Examples of impact levels could be a mission computer for a helicopter, which has high confidentiality, high integrity, and moderate availability. An autonomous car detect-and-avoid system has moderate confidentiality, high integrity, and high availability. A tank fire-control system has low confidentiality, high integrity, and high availability.
The VPX3-1260 single-board computer (SBC) from Curtiss-Wright Defense Solutions in Ashburn, Va., illustrates how board-level hardware and software can apply to these RMF controls. This SBC contains an onboard solid-state drive for storing application code and data at rest.