What term is used to evaluate operational information systems against the RMF to determine the security controls in place and the requirements to mitigate risk at an acceptable level?

Multiple Choice

Explanation:
Focusing on what’s needed to bring a system up to the RMF requirements is about identifying gaps between what is currently in place and what the RMF requires to reduce risk to an acceptable level. This process examines the operational information system, compares its controls to the RMF’s standards, and highlights exactly what is missing or insufficient. Once those gaps are known, you can determine the additional controls or mitigations needed to achieve an acceptable risk posture.

That’s why the term best fitting this scenario is gap analysis. It centers on mapping the current state to the target RMF state and delineating the changes required to close those gaps. In contrast, risk assessment evaluates potential threats and impacts given known controls, but doesn’t inherently chart which RMF controls are missing. Certification is the formal decision to authorize operation after controls are assessed, not the activity of identifying what’s lacking. Audit is about verifying compliance after the fact, rather than planning to meet RMF requirements.