CAP - RMF

Security Controls Assessment
The testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Authorization
The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.
Reciprocity
Mutual agreement among participating organizations to accept each other's security assessments in order to reuse information system resources, and/or to accept each other's assessed security posture in order to share information.
Information System
A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information
General Support System (GSS)
An interconnected set of information resources under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, and people.
Major Application
An information system that requires special management attention because of its importance to an agency mission; its high development, operating, or maintenance costs; or its significant role in the administration of agency programs, finances, property, or other resources
Minor Application
An application, other than a major application, that requires attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Minor applications are typically included as part of a general support system.
Adequate Security
Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.
Risk Management
•The conduct of a risk assessment;
•The implementation of a risk mitigation strategy; and
•Employment of techniques and procedures for the continuous monitoring of the security state of the information system
Authorization Boundary / Information System Boundary
All components of an information system to be authorized for operation by an authorizing official; excludes separately authorized systems to which the information system is connected
Subsystem
A major subdivision of an information system consisting of information, information technology, and personnel that performs one or more specific functions
Dynamic Subsystem
A subsystem that is not continually present during the execution phase of an information system. Service-oriented architectures and cloud computing architectures are examples of architectures that employ dynamic subsystems.
External Subsystem
A system that would be considered outside of the direct control of the organization that owns the information system and authorizes its operation.
high water mark
System information must be protected at a level consistent with the most crucial or sensitive user information being processed, stored, or transmitted by the information system to ensure confidentiality, integrity, and availability
Management Controls
The security controls for an information system that focus on the management of risk and information system security.
Operational Controls
The security controls for an information system that are primarily implemented and executed by people.
Processes, checklists, manuals, etc.
Technical Controls
The security controls for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system

HW, SW, FW.
Risk management
•Multi-tier Organization-Wide Risk Management
•Implemented by the Risk Executive Function
•Tightly coupled to Enterprise Architecture and Information Security Architecture
•System Development Lifecycle Focus
•Disciplined and Structured Process
•Flexible and Agile Implementation
Risk Management Tier 1
Organization (Governance)
•Addresses risk from an organizational perspective with the development of a comprehensive governance structure and organization-wide risk management strategy
Risk Management Tier 2
Mission (Business Process)
•Addresses risk from a mission and business process perspective and is guided by the risk decisions at Tier 1
•Associated with Enterprise Architecture
Risk Management Tier 3
Information System (Environment of Operations)
•Risk decisions at Tiers 1 and 2 impact the ultimate selection and deployment of needed safeguards and countermeasures at the information system level.
RMF Security Life Cycle
(FIPS 199/SP 800-60)
CATEGORIZE Information System
SELECT Security Controls
IMPLEMENT Security Controls
ASSESS Security Controls
AUTHORIZE Information System
MONITOR Security State
RMF CATEGORIZE IS
(FIPS 199/SP 800-60)
Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business
Categorize the information and information system
RMF SELECT Security Controls
(FIPS 200/SP 800-53)
Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment

Select an initial baseline of security controls, and tailor and supplement as needed based on risk and local conditions

Deliverable is your PLAN.
RMF IMPLEMENT Security Controls
SP 800-70
Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings

Implement the security controls in the information system.
RMF ASSESS Security Controls
SP 800-53A
Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system)

Assess the security controls in the information system

Deliverable is an assessment report
RMF AUTHORIZE Information System
SP 800-37
Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation

Authorize with a POA&M because we're going to continually monitor the system and make sure the controls stay in place.

Deliverable is POA&M
RMF MONITOR Security State
SP 800-37/SP 800-53A
Continuously track changes to the information system that may affect security controls and reassess control effectiveness

Monitor and assess the security controls in the information system
OMB Circular A-130
dictates how federal information systems are protected.
CIO
highest level
Responsible for ensuring
•Information security management processes are integrated with strategic and operational planning processes
•Senior officials, within the organization, provide information security for the information systems that support the operations and assets under their control
•Organization has trained personnel sufficient to assist in complying with the information security requirements in related legislation, policies, directives, instructions, standards, and guidelines

Organizational official responsible for
•Designating a senior agency information security officer
•Developing and maintaining information security policies, procedures, and control techniques to address all requirements
•Training and overseeing personnel with significant responsibilities for information security
•Assisting senior officials regarding their security responsibilities
•Reporting annually to the head of the federal agency on the overall effectiveness of the information security program including progress of remedial actions, in coordination with other senior officials
Risk Executive (Function)
Helps to ensure that risk-related considerations from individual information systems are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its core missions and business functions
•Ensures that risk from individual information systems is consistent across the organization, reflects organizational risk tolerance, and is considered along with other types of risk in order to ensure mission and business success
Senior Information Security Officer (SISO)
The head of the organization's information security program office; serves as the CIO's liaison to the Information System Owners, Authorizing Officials, and ISSOs. In many organizations, the SISO is known as the Chief Information Security Officer (CISO).
Authorizing Official (AO)
Responsible for making the final decision on whether or not to authorize a system to operate
•This decision cannot be delegated.
Issues ATO
Authorizing Official Designated Representative
An individual acting on the authorizing official's behalf in coordinating and carrying out the necessary activities required during the security certification and accreditation of an information system
Information Owners/Steward
Have statutory, management, or operational authority for specified information
•Responsible for creating the policies and procedures governing its generation, collection, processing, dissemination, and disposal
•Provides input to the information system owners regarding the security requirements and security controls for how information is processed, stored, or transmitted
Information System Owners
Responsible for the overall procurement, development, integration, modification, operation, maintenance, and disposal of an information system
Information System Security Officers
(ISSO)
Helps assure the appropriate operational security posture is maintained for an information system. Serves as a principal advisor to their organization on all matters involving the security of an information system.
Information System Security Architect
As changes occur in the existing system environment, these security practitioners must support or use the risk management process to identify and assess new potential risks and implement new security controls as needed to safeguard their systems
Information System Security Engineers
Responsible for conducting information system security engineering activities
Information system security engineering is a process that captures and refines information security requirements and ensures that the requirements are effectively integrated into information technology component products and information systems through purposeful security architecting, design, development, and configuration
Security Control Assessor
Responsible for conducting a complete assessment of the management, operational, and technical security controls utilized within or inherited by an information system
•Provides an assessment of the severity of weaknesses discovered in the information system and recommends corrective actions to address identified vulnerabilities
•Prepares the final Security Assessment Report containing the results and findings from the assessment
•Should be independent of those responsible for correcting deficiencies
Common Control Providers
An individual, group, or organization responsible for the development, implementation, assessment, and monitoring of common controls (i.e., security controls inherited by information systems)
Common control providers are responsible for
•Documenting the organization-identified common controls in a security plan (or equivalent document prescribed by the organization)
•Ensuring that required assessments of common controls are carried out by qualified assessors with an appropriate level of independence defined by the organization
•Documenting assessment findings in a security assessment report
•Producing a plan of action and milestones for all controls having weaknesses or deficiencies
Information Technology Security Practitioners
Responsible for accurate implementation of security requirements in their respective information systems (DBs, security consultants, security analysts)
Benefits of Organizational Risk Management
•Prioritize information security requirements and allocation of information security resources
•Develop continuous and cost-effective organization-wide solutions to information security problems
•Consolidate and reform security solutions to
—Simplify management
—Enhance interoperability and communication between disseminated IS
•Ensure information security concerns are integrated into the enterprise architecture, the acquisition process and system development life cycles
—Save the organization time and money
Federal Enterprise Architecture (FEA)
Created by OMB, aimed to facilitate efforts ensuring federal government mission and business processes are market-based and help improve citizen services.
The Risk Management Framework (RMF) supports the FEA, incorporating management processes, shared services, conventional solutions, and information sharing to provide a greater degree of security, confidentiality, dependability, and cost effectiveness for core missions and business functions being carried out by organizations
SDLC
Initiation
Acquisition/Development
Implementation/Assessment
Operations/Maintenance
Sunset (Disposal)
SDLC - RMF
Initiation (RMF Steps 1 & 2)
Acquisition/Development (RMF Step 2)
Implementation/Assessment (RMF Steps 3-5)
Operations/Maintenance (RMF Step 6)
Sunset (Disposal) - (RMF Step 6)
SDLC Step 1 (Initiation)
Initial Risk Assessment should be conducted
Identification of Information System Security Officer (ISSO)
Security Categorization should take place, such as applying the provisions of the following Standards
SDLC Step 2 (Acquisition-Development)
Risk Assessment
Security Functional Requirement Analysis
Security Assurance Requirements Analysis
Cost Considerations and Reporting
Security Planning
Security Control Development
Developmental Security Test and Evaluation

Functional Stmt of Need
Feasibility study
Requirements Analysis
Alternatives Analysis
Cost Benefit Analysis
Risk Management Plan
Acquisition Planning
SDLC Step 3 (Implementation)
Installation
Inspection and Acceptance
System Integration
Security Accreditation decision
User training
Documentation
SDLC Step 4 (Operations/Maintenance)
Performance Measurement
Maintenance
CCM
Continuous Monitoring
SDLC Step 5 (Disposition)
Information Preservation
Media Sanitization
HW/SW Disposal
Contract Closeout
OMB
OMB makes sure funding exists for Congress's legislation and says how it is going to be implemented (sets the standards)
Committee on National Security Systems (CNSS)
National Security Systems. Leverages NIST controls to support reciprocity. Federal and non-national systems use NIST
Executive order 13231
public-private partnerships
OMB increased responsibility
Created NIPB (National Infrastructure Protection Board), formerly CIPB (Critical)
Created NSTAC (national security telecommunications advisory committee)
CNSS
Provides a forum for the discussion of policy issues
•Sets policy
•Promulgates direction, operational procedures and guidance for National Security Systems (NSS)
Committee on National Security Systems Policy (CNSSP)
This Committee on National Security Systems Policy (CNSSP) establishes the requirements for enterprise IA risk management within the national security community, which requires a holistic view of the IA risks to National Security Systems (NSS) operating within the enterprise using disciplined processes, methods, and tools.
Committee on National Security Systems Instruction (CNSSI)
This Committee on National Security Systems Instruction (CNSSI) provides all Federal Government departments, agencies, bureaus, and offices with a process for security categorization of National Security Systems (NSS) that collect, generate, process, store, display, transmit, or receive National Security Information
Homeland Security Presidential Directive (HSPD)
Policy of the U.S. to enhance the protection of our Nation's critical infrastructure against terrorist acts... and will continue to serve as a focal point for the security of cyberspace
FISMA
Title III of the E-Government Act is the Federal Information Security Management Act; requires federal agencies to provide security for the information and information systems that support the organization
FISMA requires:
•Provide information security protections corresponding with the assessed risk
•Ensure senior leaders provide information security for assets under their control
•Ensure the organization has trained personnel to assist in complying with FISMA and related policies
•Ensure the CIO reports annually on the effectiveness of the organization's information security program
•Develop, document, and implement an information security program
•Develop and maintain an inventory of information systems under the control of the organization
Office of Management and Budget (OMB) Circular A-130
Requires executive agencies within the federal government to
—Plan for security
—Ensure that appropriate officials are assigned security responsibility
—Review the security controls in their information systems
—Authorize system processing prior to operations and periodically thereafter

Holds senior officials responsible for security, not just security personnel
OMB M-00-13
Agencies are to post clear Privacy Policies on agency websites.
OMB M-02-01
Guidance for Preparing and Submitting Security Plans of Action and Milestones (POA&M)
POA&Ms contain
—Weaknesses
—POC
—Resources Required
—Scheduled Completion Date
—Milestones with Completion Dates
—Changes to Milestones
—Identified in CFO Audit or Other Review?
—Current Status
Privacy Act of 1974 (Update 2004)
Act focuses on four basic policy objectives
•Restrict disclosure of PII maintained by agencies
•Increase individuals' rights of access to agency records
•Grant individuals the right to seek amendment if not accurate
•Establish a code of "fair information practices"
Clinger-Cohen
Paperwork Reduction
FIPS
Mandatory standards to be used by all federal agencies
Special Publications (SPs) - the SP 800 series
Established in 1990 to provide a separate identity for information technology security publications
FIPS Publication 199
(Standards for Security Categorization of Federal Information and Information Systems)
Security Categorization: (usually based on duration)
Low (limited impact, minor degradation to mission),
Moderate (serious, significant degradation to mission), up to 48 hours outage
High (catastrophic, severe degradation to mission), over 48 hours outage

-Defines the high water mark (highest sensitivity and criticality) and defines overall system security categorization

-Categorization is based on potential impact to security objectives (CIA). The highest impact for any of the C-I-A triad is the categorization level.
FIPS Publication 200
Minimum Security Requirements: Promotes the development, implementation, and operation of more secure information systems
•Establishes minimum levels of due diligence for information security
•Facilitates a more consistent, comparable, and repeatable approach for selecting and specifying security controls
NIST SP 800-18
Security Planning / Guide for Developing Security Plans, System security plan template
NIST SP 800-30
Risk Assessment: The purpose of SP 800-30 is now to provide guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in SP 800-39 on risk management
NIST SP 800-37
Risk Management Framework: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Guidelines developed
•To ensure that managing information system security risks is consistent with the organization's objectives and overall risk strategy
•To ensure that information security requirements are integrated into the organization's enterprise architecture and SDLC
•To support consistent and ongoing security authorization decisions
•To achieve more secure information and information systems through the implementation of appropriate risk mitigation strategies
NIST SP 800-39
Risk Management: Provides guidelines for managing risk at the organizational, mission/business, and information system level
•Provides a structured, yet flexible approach for managing risk
•Contains the definitions and the practical guidance for responding to and monitoring risks
NIST SP 800-53
Recommended Security Controls: Provides guidelines for selecting and specifying security controls for information systems
•Helps achieve more secure information systems and effective risk management
•Provides a stable, yet flexible catalog of security controls for information systems
NIST SP 800-53A
Security Control Assessment: Provides guidelines for building effective security assessment plans and a set of procedures for assessing the effectiveness of security controls
•Helps achieve more secure information systems
•Enables more consistent, comparable, and repeatable assessments of security controls
•Used in conjunction with NIST SP 800-53 Rev 4
NIST SP 800-59
National Security Systems: Assists agencies in determining which of their systems are national security systems
•Ensures that agencies receive consistent guidance on the identification of systems that should be governed by national security system requirements
NIST SP 800-60
(Guide for Mapping Types of Information and Information Systems to Security Categories)
Security Category Mapping : Helps agencies consistently map security impact levels to types of:
•Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)
•Information systems (e.g., mission critical, mission support, administrative)

-Determines the type of information and aligns it with a potential impact level as defined in FIPS 199
NIST SP 800-70
Guidelines for Checklists: Describes security configuration checklists and their benefits
•Explains how to use the NIST National Checklist Program (NCP) to find and retrieve checklists
NIST SP 800-137
Continuous Monitoring (Information Security Continuous Monitoring (ISCM))

•Provides guidance on defining, establishing, and implementing an ISCM program
•Provides guidance on analyzing data and reporting and responding to findings
•Enables organizations to move from compliance-driven risk management to data-driven risk management
Continuous Monitoring
Determine if the set of deployed security controls continue to be effective over time in light of change to the information system or environment of operation
•Update authorization documents such as
—Security Plans
—Security Assessment Reports
—Plans of Action and Milestones
•Assist in maintaining the current authorization
•Support decisions on reauthorization
RMF Step 1
-Categorize (Information System Owner/Information Owner)
-Describe the information system and document the description in the SSP. (information system owner)/system boundary
-Register the system with PMO (ISSO)
sensitivity
A measure of the importance assigned to information by its owner for the purpose of denoting its need for protection.
criticality
A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function
Information Inventory and Classification approach
Mission owner/Business Manager, program manager, everyone. ISSO
4 Step Categorization Process
Identify information types
Select provisional impact levels
Review provisional impact levels & adjust/finalize information impact levels
Assign system security category
SSP
System Owner Writes, but can delegate to ISSO
Started in RMF Step 1
SSP Contents
Plan Contents (Table of Contents)
System Description - Categorization
Description of Controls
System Security Roles and Responsibilities
System Operational Status and System Types
System Environment
System Interconnections and Sharing
System Certification Level
ROB
Completion and Approval Dates
SSP Appendices
Risk Assessment
PIA (Privacy Officer)
System Interconnection Agreements
Contingency Plan
Security Configurations
Configuration Management Plan
Incident Response Plan
Continuous Monitoring Plan
SSP Plan Approval
Written by system owner
Reviewed and approved through AO or designated representative
Final approval is through AO or designated rep
Normally collaborative back-and-forth relationship
System Registration
Informs parent or governing organization that the system exists, identifies key characteristics, and security implications.
The categorize process includes:
•Prepare for system security categorization
•Identify the system's information types
•Select the impact value for each information type
•Adjust the information type's impact value
•Adjust the system's security category
•Determine the information system's security impact level
•Obtain approval for the system security category and impact level
•Maintain system security category and impact level
Who Identifies Common Controls?
CIO/SISO
Information Security Architect
Common Control Provider
Who selects Controls?
System Owner or Security Architect
Determines the strategy for continuous monitoring and changes to the environment
System Owner or Common Control Provider
security controls
Made up of Safeguards and Countermeasures
Counter Measures
reduce vulnerability
Safeguards
security of physical structures, areas, devices, etc.
Minimum Security Baseline (MSB)
set of standards that are applied enterprise wide to ensure a consistent level of compliance

Not system specific and must be augmented by baseline security configuration standards for all technology components that make up the system.
SP 800-53, r4
"Security and Privacy Controls for Federal Information Systems and Organizations"
Provides guidance for selecting and identifying security controls for information systems.
18 security control families - closely aligned with FIPS 200.
Includes the PM family required by FISMA (Appendix G)

No longer divided into Management, Operational, and Technical like FIPS 200.
FIPS 200
"Minimum Security Requirements"
Uses the high water mark to identify baseline security controls to implement.
Low Impact = Low Baseline = Annex 1
etc
Defines 17 security related areas (CM, MS, etc)
Security Control Families
AC : Access Control
AT : Awareness and Training
AU : Audit and Accountability
CA : Security Assessment and Authorization
CM : Configuration Management
CP : Contingency Planning
IA : Identification and Authentication
IR : Incident Response
MA : Maintenance
MP : Media Protection
PE : Physical and Environmental Protection
PL : Planning
PS : Personnel Security
RA : Risk Assessment
SA : System and Services Acquisition
SC : System and Communications Protection
SI : System and Information Integrity
PM : Program Management
PM : Program Management
Organization-wide information security program management controls

Supporting information security program

Not associated with security control baselines
Independent of any system impact level; therefore, no control enhancements included
Privacy Controls
NIST SP 800-53 Rev 1 (new to this)
Protect any form of PII
Privacy Control Families
AP
AR
DI
DM
IP
SE
TR
UL
Authority and Purpose (AP)
Ensures that organizations (i) identify the legal bases that authorize a particular personally identifiable information (PII) collection or activity that impacts privacy and (ii) specify in their notices the purpose(s) for which PII is collected
Accountability, Audit, and Risk Management (AR)
Enhances public confidence through effective controls for
governance, monitoring, risk management, and assessment to demonstrate that organizations are complying with applicable privacy protection requirements and minimizing overall privacy risk.
Data quality and Integrity (DI)
Enhances public confidence that any personally identifiable information (PII) collected and maintained by organizations is accurate, relevant, timely, and complete for the purpose for which it is to be used, as specified in public notices
Data Minimization and Retention (DM)
Implements the data minimization and retention requirements to collect, use, and retain only personally identifiable information (PII) that is relevant and necessary for the purpose for which it was originally collected
Individual Participation and Redress (IP)
Addresses the need to make individuals active participants in the decision-making process regarding the collection and use of their personally identifiable information (PII)
Security (SE)
Supplements the security controls in Appendix F to ensure that technical, physical, and administrative safeguards are in place to protect personally identifiable information (PII) collected or maintained by organizations against loss, unauthorized access, or disclosure, and to ensure that planning and responses to privacy incidents comply with OMB policies and guidance
Transparency (TR)
Ensures that organizations provide public notice of their information practices and the privacy impact of their programs and activities.
Use Limitation (UL)
Ensures that organizations only use personally identifiable information (PII) either as specified in their public notices, in a manner compatible with those specified purposes, or as otherwise permitted by law
800-53 Rev 4 Control Catalog Components
Control section (concise statement of security capabilities required)
supplemental guidance section (additional info, but no requirements)
control enhancements section (additional functionality)
references section (federal laws, EOs, directives, policies, standards, FIPS, OMB, NIS)
priority and baseline allocation section for each security control (the initial allocation of security controls for low, medium, high impact IS)
Rev 4 Priority Codes
P1 (highest), P2, P3 (lowest), P0 (security control not required for baseline)
Security Control Tailoring
Organization determines which controls do not apply
Integrate compensating controls
Specify organization-defined parameters

800-53
Select Process (for controls)
•Prepare for selecting security controls
•Select the initial security control baseline and minimum assurance requirements
•Apply scoping guidance
•Determine need for compensating controls
•Determine appropriate organization-defined values for the identified parameters
•Supplement the tailored security control baseline
•Determine if additional minimum assurance requirements are needed for moderate- and high-impact systems
•Document the selection decisions and update the security plan
•Obtain approval of, and agreement with, the security controls
Select Controls Process Input
System Description
system security category
impact level
800-53
catalog of common controls
Select Controls Process Output
Final, agreed upon set of security controls
SP 800-53 Rev 3
Recommended Security Controls for Federal Information Systems and Organizations
SP 800-53A
Guide for Assessing the Security Controls in Federal Information Systems
SP 800-70
Security Configuration Checklists Program for IT Products - Guidance for Checklists Users and Developers
SP 800-34
Contingency Planning
SP 800-61
Incident Response
SP 800-63
Identification and Authorization
SP 800-16/800-50
Awareness Training
SP 800-40
Patch Management
SP 800-41
Firewall Management
SP 800-115
Provides guidance on basic technical aspects of conducting information security assessments and penetration testing
The assessment determines the extent to which the controls are
• implemented correctly
• operating as intended
• producing the desired results
SP 800-53A
Provides a NIST process for assessing security controls
• Prepare
• Develop
• Conduct
• Analyze
SP 800-53A Appendix F
Provides an assessment strategy for each control listed in
NIST SP 800-53
Security Assessment Report
• The report is one of three key documents in the security authorization package developed for authorizing officials.
• Includes information from the assessor to determine the effectiveness of the security controls employed within or inherited by the information system based upon the assessor's findings
• An important factor in an authorizing official's determination of risk to organizational operations and assets
POA&M document identifies
• Tasks needing to be accomplished
• Resources required to accomplish the elements of the plan
• Any milestones in meeting the tasks
• Scheduled completion dates for the milestones
Security Authorization Package
Documents the results of the security control assessment
Provides the Authorizing Official with essential information needed to make a credible, risk-based decision on information system authorization
Provides the best indication of
• The overall security state of the information system
• The ability of the system to protect, to the degree necessary
RMF Step 6
Determine security impact of proposed or actual changes
Assess subset of changes
Update POAM, SAR, and security plan based on results
Report the status
Review
Implement a decommissioning strategy
CNSS Instruction 1253
...
An effective continuous monitoring program includes
CM and control processes
security impact analysis of changes to IS
Assessment of security controls
security status reporting to organizational officials
Real-time risk management is facilitated by revisions to
SSP
SAR
POAM
System Removal and Decommissioning
Organizational tracking and management systems updated
users/application owners notified of security control impact relationships and reviewed/assessed for impact
subsystems also removed
effects on the overall system due to subsystem removal are assessed
Information Security Program
provides ongoing, up-to-date information about security state and risk posture
enables the org to make reliable, risk-based decisions
provides a process to update SSP, SAR, and POAM
Monitoring process includes these tasks
development of a strategy for monitoring
evaluate subset
conduct selected remediations
update SSP, SAR, POAM
RMF Task 5 (authorize)
prepare POAM (owner)
assemble security authorization package and submit to AO (owner)
Determine risk (AO/Designated rep)
Risk Acceptance (AO)
Decision SP 800-37
SP 800-30 and 39
Help to make risk determinations
sp 800-37
provides guidelines that define the steps for system authorization
Authorization package includes:
SSP
SAR
POAM
S
...
SSP includes:
overview of security requirements
descriptions of controls in place
supporting appendices: risk assessment, privacy impact assessment, interconnection agreements, contingency plan, security configuration, CM plan, IR plan, continuous monitoring plan
Security Assessment Report provides:
key info needed for making IS decisions and contains security state and analysis of risk posture
Highlights from the risk assessment
synopsis of key findings
recommendations for addressing weaknesses and deficiencies
Risk Assessment
the systematic identification and prioritization of risk to IT resources
includes: analysis of threats, assessment of vulnerabilities and controls in place, calculation of risk
SP 800-30 Rev 1
Guide for conducting risk assessments
SP 800-30 Rev 1 : Steps
1 : Prepare for Assessment
2 : Conduct Assessment
- Identify threat sources and events
- identify vulnerabilities
- Likelihood determination (threats x vulnerabilities)
- Magnitude of impact
- determine risk
3 : Communicate Results
4 : Maintain Assessment
Authorization Process
Conduct initial remediation actions
Prepare the POAM
Assemble authorization package and submit to AO
Determine the risks
Determine if risk is acceptable