NIST Risk Management Framework (RMF)


Published on

Overview of the NIST Risk Management Framework (RMF)

Published in: Technology
1 Comment
No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

NIST Risk Management Framework (RMF)

  1. 1. RISK Management Framework Risk Management Framework Description Phase 1: Certification Step 1: Categorize Information System Categorize Information System Categorize the impact rating of the information system using FIPS 199. Determine the high water mark impact rating for information types processed by the information system as specified in NIST SP 800-60 Rev. 1. Initial Risk Determination Determine whether selected security controls reduce risk to an acceptable level based on known vulnerabilities and potential threats. Review SSP Security Categorization Conduct an independent review of the SSP security categorization. Confirm that a contingency plan exists or is in the process of being created. System Security Plan (SSP) Update Update the SSP with any findings from independent reviews. Threat Identification Confirm that the Threat Statement identifies potential threats for the system boundary and also accounts for interconnections between other systems. Risk Assessment (RA) Confirm that the Risk Assessment (RA) identifies risks to the information system. Privacy Impact Assessment (PIA) Confirm that the Privacy Impact Assessment (PIA) identifies risks to the information system. Step 2: Select Security Controls Risk Approval Letter Verify the existence of a Risk Approval Letter. SSP Analysis Perform an SSP Analysis to determine the effectiveness of implemented or planned security controls in reducing risk to an acceptable level. System Security Plan Develop the SSP in accordance with NIST Guidance, OMB Memoranda and Circulars, FISMA Law, and Presidential Directives and Executive Orders. Ensure that the SSP adheres to Agency policies, the PCSP and the Program Security Plan if applicable. Step 3: Implement Security Controls Security Control Implementation Status Report Generate a Security Control Implementation Status Report to analyze security control effectiveness. SSP Document Maintenance Ensure that the SSP reflects information system changes. Step 4: Assess Security Controls Deviation Risk Assessment Report Issue a Deviation Risk Assessment Report that lists ST&E security control failures such as poorly implemented security controls or omissions. Findings & Recommendations Recommend corrective actions to reduce or eliminate vulnerabilities mentioned in the SAR. Identify Deviations in an Updated Risk Assessment Update the Risk Assessment to include any proposed or approved deviations. Deviations include waivers, exceptions and variances. The deviation process is typically described in the PCSP. Prepared by Jim W. DeRienzo Cloudburst Security, LLC
  2. 2. RISK Management Framework Risk Management Framework Plan of Actions and Milestones (POA&M) Description Update the POA&M Report to reflect progress in applying countermeasures that address weaknesses mentioned in the SAR. Project Plan Define the level of effort and resource requirements for conducting the ST&E: 1)Identify scope of effort (e.g., # of physical and virtual servers; Operating systems involved; # of applications; Geographic location of IT assets; Geographic location of security control staff). 2) Schedule demands (e.g., Reauthorization deadlines; POA&M deadlines). 3)Personnel/skills availability (e.g., Who is the Security Authorization Agent? Is an independent testing team available?). 4)Security Control Assessment (e.g., Evaluate security controls to verify that the controls are implemented correctly, operating as intended, and meeting the requirements of the SSP). Rules of Engagement Remain independent of system development and operations teams, as well as those responsible for correcting security deficiencies. Security Assessment Plan Conduct a comprehensive assessment of the management, operational and technical security controls for each General Support System (GSS) and Major Application (MA). Conduct technical assessments using a combination of automated tools and manual checks (e.g. vulnerability scans, packet analysis, pen tests and social engineering). Security Assessment Report (SAR) Using the approved ST&E test case procedures, assess each control and prepare the Security Assessment Report (SAR). A SAR is less than 10 pages and shows residual risk such as major issues or red flags to the system owner (i.e., % of management, operational and technical controls passed) ST&E Procedures Select or develop ST&E test cases to perform an assessment of each security control. Ensure that the DAA approves all selected ST&E test case procedures. ST&E Report Using the approved ST&E test case procedures, assess each control and prepare the ST&E Report. An ST&E Report is hundreds of pages based on individual test cases and artifacts (i.e., Contingency Plan). Prepared by Jim W. DeRienzo Cloudburst Security, LLC
  3. 3. RISK Management Framework Risk Management Framework Submit Security Authorization (SA) Package to DAA Description Assemble the final SA Package and submit to the DAA. The SA Package contains: Security Risk Assessment (RA) Approves System Security Plan (SSP) Completed Privacy Impact Assessments (PIA) Configuration Management Plan (CMP) Contingency Plan (CP) Security Test & Evaluation Report (ST&E Rpt.) Plan of Action and Milestones (POA&M) Security Assessment Report (SAR) Accreditation Decision letter (ATO) Interconnection Security Agreement (ISA) Memorandum of Understanding (MOU) / Memorandum of Agreement (MOA) Update Security Authorization Package Determine that the DAA has authorized any deviation from the baseline image prior to forwarding the Security Authorization Package to the DAA. Update the SSP and Risk Assessment based on the SAR. Vulnerability Assessment Provide an Executive Summary Report and a Technical Summary Report that shows vulnerabilities by IP Address, Open TCP/UDP Port and Common Vulnerability Enumeration (CVE). Include network devices, hosting providers, ISA partners, and local host checks for systems, applications and database servers. Local host checks must include credentialed scan results. Provide a Compliance Failure Report for USGCB, CIS, STIG, CAG 4.0, OWASP Top 10 or PII. Software code reviews are available upon request. Phase 2: Accreditation Step 5: Authorize Information System Accreditation Decision Letter Verify that the DAA has issued an Approval to Operate (ATO) based on the residual risks identified in the RA, and that the ATO includes any special conditions that apply. Accreditation Documentation Authority to Operate (ATO) - The system is authorized to operate under conditions outlined in the ATO letter. Interim Authority to Operate (IATO) - The system may operate, but has deficiencies that must be corrected within a specified time period. Denial/Revocation - The DAA denies or removes authorization to operate. Briefing materials Provide briefing materials to justify the risk decision. Recommendation Report Provide recommendations to correct, eliminate or reduce any deficiencies or vulnerabilities specified in the SAR. Prepared by Jim W. DeRienzo Cloudburst Security, LLC
  4. 4. RISK Management Framework Phase 3: Continuous Monitoring Step 6: Monitor Security Controls Configuration Management and Control Document Information System Changes - Determine that information system changes are documented. Security Impact Analysis - Analyze the security impact of proposed and actual system changes. Security Control Monitoring Security Control Selection - Selects controls for continuous monitoring assessment. Example: MA-4 (Remote Maintenance), SC-7 (Boundary Protection), SI-3 (Malicious Code Protection) Selected Security Control Assessment - Assess controls designated for continuous monitoring. Example: check VPN/remote access logs daily; check firewall rule set daily; update A/V daily. Status Report and Documentation Update System Security Plan - Periodically review and update the SSP Update POA&Ms - Review and update the POA&Ms Report Security Status to DAA - Report the security status of the information system to the System Owner, who in turn reports to the DAA. Prepared by Jim W. DeRienzo Cloudburst Security, LLC