How does RMF address changes to an information system after authorization?


Multiple Choice

How does RMF address changes to an information system after authorization?

Explanation:
In RMF, once a system is authorized, it stays in a continuous monitoring state. When a change is made to the information system, you perform a security impact assessment to see if the change affects the security controls or the risk posture. If there is an impact, you update the System Security Plan to reflect the new controls or implementations and revise the Plan of Action and Milestones with any remediation steps. Depending on how the change shifts risk, you may need a new authorization decision to allow operation under the updated risk level. Changes aren't ignored; they don't automatically revoke authorization, and they don't require re-enrolling all users.