Guide to Risk Management Framework (RMF)
© 2017 MetroStar Systems, Inc. - Proprietary
GOVERNMENT IT SECURITY FRAMEWORKS
GUIDE TO RISK MANAGEMENT FRAMEWORK
With the speed of today's innovation, your organization’s information technology system is in constant evolution. So are cyber threats. Modern cyber threats are capable of breaking through any barrier. The effect? There now exists a call for persistence: the continuous effort to implement strong measures to protect IT systems from the risk of being compromised by ever-evolving cybersecurity threats.

Governance, Risk, and Compliance (GRC) are the foundational elements that allow organizations to accomplish their missions. For Federal agencies, a unified security framework is necessary, not just to ensure standard operations across the entire government, but to deliver continuous, consistent, and secure information and information system services. The Risk Management Framework (RMF) was created to achieve just that.

Developed by the National Institute of Standards and Technology (NIST), RMF is the living wall built around government IT systems. It exists to help agencies gain a better understanding of their individual IT systems and organizational risks, while simultaneously monitoring and responding to threats in a consistent, integrated manner.
Executing the RMF is not merely a compliance exercise. The framework’s inherent flexibility drives security solutions.
CHANGING LANDSCAPE DRIVES SECURITY
A security program must keep pace with the evolving threat landscape. It must become an intrinsic part of the enterprise that grows along with it.

The RMF helps build or augment a security program that equips the enterprise to keep pace with constantly evolving threats by:
• Harmonizing cybersecurity approaches and providing a common language
• Establishing the right level of security for your environment
• Informing cybersecurity budget planning
• Communicating cyber risks comprehensively to Senior Leadership

Figure: drivers of the changing landscape. Challenges are increasing in size, intensity, and complexity over time:
• Data Aggregation & Amount of Valuable Data
• Regulatory Compliance
• Virtualization
• Private & Public Cloud
• Number of Connected People
• Explosion of Internet Devices
• Complexity of the IT Model
• Consumerization of the IT Model
• Escalating Threat Agent Landscape
FEDERAL AGENCIES AND RMF
RMF is the unified information security framework for the entire federal government.

RMF is mandated by, and constitutes an integral part of, FISMA implementation. It is based on publications of NIST and the Committee on National Security Systems (CNSS).

For the past 10 years, Federal agencies have leveraged RMF to take a more dynamic approach to identifying and mitigating vulnerabilities and threats and achieving their mission objectives. RMF also continuously monitors chosen and implemented security measures to avoid, counteract, or minimize those risks.

With the RMF, there’s no one-size-fits-all approach. Each individual information system can be triaged according to its value to the enterprise, and security controls can be specifically selected. These controls are then monitored year by year, month by month, day by day or even hour by hour, depending on the criticality of the system, the organization’s risk tolerance, and the threats posed to the organization and the system.

“The principal goal of an organization’s risk management approach is to protect the organization and its ability to perform its mission, not just its information assets…”
CNSSP 22

RMF allows organizations to drive security solutions that are most appropriate for their security requirements and threat environment.
DIMENSIONS OF CYBERSECURITY RISK

Figure: dimensions of cybersecurity risk. Tiers: Enterprise, Mission, System. Time horizon: In-Depth, Deliberate, Time Critical (Strategic to Tactical). Risk types: Reputation and Legal Risk, Operational Risk, Program Risk.

RMF addresses numerous threats across each of the dimensions of cybersecurity risk.
THE DoD TRANSITION FROM DIACAP
Until 2014, the Department of Defense Information Assurance Certification Process (DIACAP) served as the standard framework for government IT security. DIACAP focused on certifying and accrediting DoD information systems using a predetermined set of prescribed security requirements, which varied by agency.

RMF, introduced in 2007, does not prescribe requirements, but instead provides steps each agency can act upon and shape according to their unique needs and missions. The selection of security controls also varies depending on the technologies being used.

RMF’s procedures go beyond system-based assessments. They take into consideration the man-made risks and other external factors that pose a threat to the system.

DoD’s decision to adopt the RMF, with its patterned flexibility and granular precision, and mandate its exclusive use in conducting security authorization activities means that, for the first time, all defense, intelligence, and federal civilian agencies will be working from the same risk management framework, a decision that will have a far-ranging impact.

RMF replaces the legacy DoD Certification & Accreditation processes applied to information systems.
A STEP TOWARDS IMPROVED CYBERSECURITY

RMF is a required and key component in the implementation of the Federal Information Security Management Act (FISMA). Government IT systems earn FISMA compliance when they are able to protect their information and assets against natural and man-made threats. RMF helps agencies lay the groundwork to achieve FISMA compliance and other policy directives by strengthening information security through the six-step life cycle process.
SIX STEPS OF RMF
Figure: RMF process wheel.

ARCHITECTURAL INPUTS
• Architecture Reference Models
• Segment and Solution Architectures
• Mission and Business Processes
• Information System Boundaries

ORGANIZATIONAL INPUTS
• Laws, directives, policy guidance
• Strategic goals and objectives
• Priorities & resource availability
• Supply chain considerations

STEP 1: CATEGORIZE SYSTEM
• Categorize the system in accordance with CNSSI 1253
• Initiate the Security Plan
• Register the system with the DoD Component Cybersecurity Program
• Assign qualified personnel to RMF roles

STEP 2: SELECT SECURITY CONTROLS
• Common control identification
• Select security controls
• Review and approve Security Plan and continuous monitoring strategy
• Apply overlays and tailor

STEP 3: IMPLEMENT SECURITY CONTROLS
• Implement control solutions consistent with DoD Component Cybersecurity architectures
• Document security control implementation in the Security Plan

STEP 4: ASSESS SECURITY CONTROLS
• Develop and approve the Security Assessment Plan
• Assess security controls
• SCA prepares the Security Assessment Report (SAR)
• Conduct initial remediation actions

STEP 5: AUTHORIZE SYSTEM
• Prepare the POA&M
• Submit the Security Authorization Package (Security Plan, SAR, and POA&M) to the AO
• AO conducts final risk determination and makes the authorization decision

STEP 6: MONITOR SECURITY CONTROLS
• Determine impact of changes to system and environment
• Assess selected controls annually
• Conduct remediation
• Update Security Plan, SAR, and POA&M
• Report security status to the AO
• AO reviews reported status
• Implement system decommissioning strategy

RMF is a structured approach for flexibly managing risks that may result from combining information with agency business processes.
STEP-BY-STEP SECURITY RISK MANAGEMENT
STEP 1: CATEGORIZE
The RMF process starts off with categorization, which is the foundation for the next five steps. Systems and applications are assigned values based on a risk assessment and the resulting security impact determination (high, moderate, low), in accordance with FIPS 199, NIST 800-60, and CNSSI 1253 (for DoD and IC agencies).
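As an added illustration (not MetroStar's own code or tooling), the following Python script works through the FIPS 199 categorization that this step refers to: each information type resident on the system is assigned a potential impact for confidentiality, integrity and availability (LOW, MODERATE or HIGH, with "not applicable" permitted by FIPS 199 only for confidentiality, e.g. deliberately public information); the system's security category is the high-water mark per objective across all information types, with LOW as the floor for every objective at system level; and the single overall impact level that drives baseline selection in Step 2 is the highest of the three. The agency web portal and its three information types are constructed sample data, not a real system.

```python
# Added worked example: FIPS 199 security categorization (not MetroStar code).
from typing import Dict, Iterable, Optional

# FIPS 199 potential impact levels, ranked so the high-water mark is a max().
IMPACT_RANK = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

Category = Dict[str, Optional[str]]


def categorize_information_type(name: str, confidentiality: Optional[str],
                                integrity: Optional[str], availability: Optional[str]) -> Category:
    """Security category of a single information type.

    FIPS 199 allows 'not applicable' (None here) only for confidentiality, e.g.
    information that is deliberately public; integrity and availability always
    carry LOW, MODERATE or HIGH.
    """
    category: Category = {}
    for objective, level in zip(OBJECTIVES, (confidentiality, integrity, availability)):
        if level is None:
            if objective != "confidentiality":
                raise ValueError(f"{name}: 'not applicable' is only permitted for confidentiality")
        elif level not in IMPACT_RANK:
            raise ValueError(f"{name}: unknown impact level {level!r} for {objective}")
        category[objective] = level
    return category


def categorize_system(info_types: Iterable[Category]) -> Dict[str, str]:
    """High-water mark across every information type resident on the system.

    At system level FIPS 199 does not permit 'not applicable': the floor is LOW
    for each objective, because the system's own processing functions must be
    protected even when the data it hosts is public.
    """
    system = {objective: "LOW" for objective in OBJECTIVES}
    for category in info_types:
        for objective in OBJECTIVES:
            level = category[objective]
            if level is not None and IMPACT_RANK[level] > IMPACT_RANK[system[objective]]:
                system[objective] = level
    return system


def overall_impact(system_category: Dict[str, str]) -> str:
    """Single impact level (the highest of the three objectives); this is the
    value that determines which NIST SP 800-53 baseline is selected in Step 2."""
    return max(system_category.values(), key=IMPACT_RANK.__getitem__)


def format_category(system_category: Dict[str, str]) -> str:
    """Render in FIPS 199 notation, e.g. SC = {(confidentiality, MODERATE), ...}."""
    inner = ", ".join(f"({objective}, {system_category[objective]})" for objective in OBJECTIVES)
    return "SC = {" + inner + "}"


# Constructed sample: a hypothetical agency web portal hosting three information types.
SAMPLE_INFO_TYPES = [
    categorize_information_type("public press releases", None, "MODERATE", "LOW"),
    categorize_information_type("citizen contact records", "MODERATE", "MODERATE", "LOW"),
    categorize_information_type("payment records", "MODERATE", "HIGH", "MODERATE"),
]

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_INFO_TYPES)
    print(format_category(sc))
    print("overall impact level:", overall_impact(sc))
```

The point the script makes is that categorization is driven by the most sensitive data the system touches, not by its headline purpose: a portal that is "just" a public website ends up HIGH overall once it also processes payment records, and that single level is what Step 2 uses to pick the control baseline before any tailoring or overlays.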
STEP 2: SELECT
Once the systems have been categorized, security controls can be assigned. Security controls are countermeasures used to detect and avoid security risks to the agency’s information system. At the simplest level, one example of a security control is when an agency uses an automation protocol—a group policy, for instance—to identify and deter certain types of applications from being downloaded. These security controls can be tailored to the needs of the systems and can help facilitate a continuous monitoring strategy.
STEP 3: IMPLEMENT
When security controls and solutions have been identified and assigned to the system, the next step is implementation. This can be done through cybersecurity architecture and secure coding techniques. Implementation should be a by-product of good security engineering design and development practices. Implementation of the security controls should begin at the design phase and is grounded in systems theory and the need to build information systems and environments able to withstand the modern day threat environment.
STEP 4: ASSESS
In order to determine if the applied security controls have been effectively implemented and are managing risks, the agency must examine their performance, reliability, and efficiency. Are the risk levels decreasing or being kept at a manageable level? A security assessment report will be the basis of the next step in RMF.
STEP 5: AUTHORIZE
Based on the findings and recommendations of the security assessment, a plan of action—including projected milestones—must be put together. The agency assembles the security authorization package and submits it to an Authorizing Official (AO) who would provide the necessary authorization to operate. Before official authorization, the AO needs to conduct a final risk determination and identify if the risks are acceptable.
STEP 6: MONITOR
Continuous monitoring is key to keeping the RMF life cycle alive. The agency determines the impact of the selected security controls, which results in creating a strategy that balances system performance and risks. The strategy is then realigned to Step 1 of the RMF life cycle, and new categories are identified based on all findings and the overall management of operational risks. Each organization defines and documents their continuous monitoring strategies, the frequency of security control monitoring and the rigor with which the monitoring is conducted—one size does not fit all. Continuous monitoring is most effective if conducted on information technology infrastructures that have been strengthened and are more resilient. Build it right, then continuously monitor.
ALIGNING SDLC & RMF

The system development life cycle (SDLC) is the process for developing, implementing, and retiring an IS. Aligning RMF to SDLC allows agencies to identify critical assets, operations, and vulnerabilities. This integration allows agencies to:
• Identify and mitigate security vulnerabilities
• Reduce development costs and improve the IS’s security posture
• Allow for informed decision making
• Document security considerations through each stage of development
CRITICAL RMF ROLES & RESPONSIBILITIES
AUTHORIZING OFFICIAL (AO)
• Ensures RMF tasks are initiated and completed
• Ensures appropriate documentation
• Monitors and tracks system-level execution

INFORMATION SYSTEM OWNER (ISO)
• Categorizes systems and documents them in the Joint Capabilities Integration & Development Systems (JCIDS)

INFORMATION SYSTEM SECURITY MANAGER (ISSM)
• Maintains and reports systems assessments, authorization status, and issues
• Ensures issues affecting overall security are addressed
• Develops and updates the System Security Plan (SSP)

FACILITY SECURITY OFFICER (FSO)
• Oversees environmental & physical protection, personnel security, incident handling, and training

INFORMATION SYSTEM SECURITY OFFICER (ISSO)
• Configures and manages the security posture of the IS

SECURITY CONTROL ASSESSOR (SCA)
• Conducts security control assessments

INFORMATION OWNER
• Establishes rules of behavior for information they have operational authority over
• Provides input on protection requirements to IS owners
RMF ROLE ALIGNMENT

Figure: Information System View.
YOUR FIRST STEP TO RMF
ABOUT METROSTAR SYSTEMS:
For over 18 years, MetroStar Systems has provided innovative information technology services to its commercial and government clients. The Reston-based IT company specializes in the practice of cybersecurity, which covers cyber operations and training, data protection, cybersecurity program design and management, and risk and vulnerability assessment. MetroStar’s cybersecurity team consists of experts with decades-spanning experience in a vast array of Federal cybersecurity practices, including the implementation of and training for Risk Management Framework (RMF) adoption.

Get in touch with MetroStar Systems’ cybersecurity experts at info@metrostarsystems.com.
ABOUT THE AUTHOR:
With decades-spanning experience and expertise, Dr. Julie E. Mehan, PhD, CISSP, is a recognized leader in the field of cybersecurity. Earlier in her career, she served as a program manager for the Department of Defense’s DIACAP cybersecurity framework. To this day, she is regarded as a subject matter expert on Federal cybersecurity, recognized and respected by NIST. Dr. Mehan continues to be at the forefront of creating a secure cyber landscape by providing Federal cybersecurity training and expertise, including her deep, strategic knowledge of RMF. Dr. Mehan is currently the Director of Cybersecurity Strategy & Alignment at MetroStar Systems.

Julie can be reached by email at info@metrostarsystems.com.
ADDITIONAL RESOURCES
• National Institute of Standards and Technology (NIST) Website
• National Industrial Security Program Operating Manual (NISPOM)
• NIST SP 800-137: Information Security Continuous Monitoring (ISCM) for Federal Systems and Organizations
• NIST SP 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations
• NIST SP 800-53A Revision 4: Assessing Security & Privacy Controls in Federal Information Systems and Organizations, Building Effective Assessment Plans
• CNSSI 1253: Security Categorization and Control Selection for National Security Systems
• FIPS 199: Standards for Security Categorization of Federal Information and Information Systems
• DoDI 8510.01: Risk Management Framework (RMF) for DoD Information Technology (IT)

1856 Old Reston Avenue, Suite 100, Reston, VA 20190 | 703.481.9581 | www.metrostarsystems.com | info@metrostarsystems.com