1. NIST Special Publication 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. While this publication does not use the exact term "gap analysis" in this specific context, the process it describes is functionally identical. Section 2.3, "Relationship to Existing Processes," explains that for existing systems, organizations apply the RMF steps to ensure compliance, which necessitates comparing the current state to the required state.
2. NIST Interagency Report (NISTIR) 8170, The Cybersecurity Framework: Implementation Guidance for Federal Agencies. This document, which provides guidance on implementing a risk framework closely related to the RMF, explicitly defines this process. Section 3.2, "Step 3: Create a Target Profile," states, "The results of this activity can be used to perform a gap analysis between the Current Profile and the Target Profile to determine what is necessary to meet the cybersecurity risk management requirements." This directly maps to evaluating a legacy system (Current Profile) against an RMF baseline (Target Profile).
3. Carnegie Mellon University, Software Engineering Institute (SEI), CERT Resilience Management Model (CERT-RMM) v1.2. As the work of a reputable academic and research institution, the SEI's resilience management model aligns with RMF principles. The model emphasizes assessing existing capabilities against required practices, stating, "A gap analysis can reveal weaknesses in practices that an organization can then resolve." (CERT-RMM v1.2, Section 2.4, "Appraisal and Improvement"). This validates the use of gap analysis for evaluating existing systems against a framework.