RISK MANAGEMENT FRAMEWORK
Guide To Building Secure & Compliant
Information Infrastructures
© 2017 MetroStar Systems, Inc. - Proprietary 2
GOVERNMENT IT SECURITY FRAMEWORKS
GUIDE TO RISK MANAGEMENT FRAMEWORK
With the speed of today's innovation, your organization's information technology systems are in constant evolution. So are cyber threats. No single barrier stops a capable adversary for long. The effect is a requirement for persistence: a continuous effort to implement, assess, and maintain strong measures that protect IT systems from compromise by ever-evolving cybersecurity threats.
Governance, Risk, and Compliance (GRC) are the foundational elements that allow organizations to accomplish their missions. For Federal agencies, a unified security framework is necessary, not just to standardize operations across the entire government, but to deliver continuous, consistent, and secure information and information system services. The Risk Management Framework (RMF) was created to achieve just that.
Developed by the National Institute of Standards and Technology (NIST) and published in NIST Special Publication 800-37, RMF is not a product or a perimeter but a repeatable process for managing the security of government IT systems. It exists to help agencies understand their individual IT systems and organizational risks, while simultaneously monitoring and responding to threats in a consistent, integrated manner.
Executing the RMF is not merely a compliance exercise. The framework's inherent flexibility drives security solutions.
CHANGING LANDSCAPE DRIVES SECURITY
A security program must keep pace with the evolving threat landscape. It must become an intrinsic part of the enterprise that grows along with it.
The RMF helps build or augment a security program that equips the enterprise to keep pace with constantly evolving threats by:
• Harmonizing cybersecurity approaches and providing a common language
• Establishing the right level of security for your environment
• Informing cybersecurity budget planning
• Communicating cyber risks comprehensively to Senior Leadership
[Figure: drivers of the changing landscape. Data aggregation and the amount of valuable data; regulatory compliance; virtualization; private and public cloud; number of connected people; explosion of Internet devices; complexity of the IT model; consumerization of the IT model; escalating threat agent landscape.]
Challenges are increasing in size, intensity, and complexity over time.
FEDERAL AGENCIES AND RMF
RMF is the unified information security framework for the entire federal government.
RMF, as defined in NIST SP 800-37, is the process agencies follow to meet the requirements of FISMA. It is built on publications of NIST and the Committee on National Security Systems (CNSS).
Since NIST SP 800-37 Revision 1 introduced the RMF in 2010, Federal agencies have used it to take a more dynamic approach to identifying and mitigating vulnerabilities and threats while achieving their mission objectives. RMF also requires that the selected and implemented security measures be monitored continuously so that risks are avoided, counteracted, or minimized.
With the RMF, there is no one-size-fits-all approach. Each individual information system is categorized according to the impact its compromise would have on the enterprise, and security controls are selected to match. Those controls are then monitored yearly, monthly, daily, or even hourly, depending on the criticality of the system, the organization's risk tolerance, and the threats posed to the organization and the system.
“The principal goal of an organization’s risk management approach is to
protect the organization and its ability to perform its mission, not just its
information assets…”
CNSSP 22
RMF allows organizations to drive security solutions that are most appropriate for their security requirements and threat environment.
DIMENSIONS OF CYBERSECURITY RISK
[Figure: cybersecurity risk plotted against two axes. Time horizon: in-depth, deliberate, time-critical. Level: strategic and tactical; enterprise, mission, and system. Risk types: reputation and legal risk, operational risk, program risk.]
RMF addresses numerous threats across each of the dimensions of cybersecurity risk.
THE DoD TRANSITION FROM DIACAP
Until 2014, the DoD Information Assurance Certification and Accreditation Process (DIACAP) served as the Department of Defense's standard process for certifying and accrediting its information systems. DIACAP applied a predetermined set of information assurance controls from DoDI 8500.2, fixed by a system's Mission Assurance Category and confidentiality level rather than by an analysis of the system's own risks.
RMF, introduced by NIST SP 800-37 Revision 1 in 2010, does not prescribe a fixed set of requirements. Instead it provides steps each agency can act upon and shape according to its unique needs and missions. The selection of security controls also varies depending on the technologies in use.
RMF's procedures go beyond system-based assessments. They take into consideration the man-made risks and other external factors that pose a threat to the system.
DoD's decision, in DoDI 8510.01 (2014), to adopt the RMF and mandate its exclusive use in conducting security authorization activities means that, for the first time, all defense, intelligence, and federal civilian agencies will be working from the same risk management framework. That decision will have a far-ranging impact.
RMF replaces the legacy DoD Certification & Accreditation processes applied to information systems.
A STEP TOWARDS IMPROVED CYBERSECURITY
RMF is a required and key component in the implementation of the Federal Information Security Management Act (FISMA). Government IT systems earn FISMA compliance when they demonstrate that they protect their information and assets against natural and man-made threats. RMF helps agencies lay the groundwork for FISMA compliance and other policy directives by strengthening information security through its six-step life cycle process.
SIX STEPS OF RMF
RMF PROCESS WHEEL
ARCHITECTURAL INPUTS
• Architecture Reference Models
• Segment and Solution Architectures
• Mission and Business Processes
• Information System Boundaries
ORGANIZATIONAL INPUTS
• Laws, directives, policy guidance
• Strategic goals and objectives
• Priorities and resource availability
• Supply chain considerations
STEP 1: CATEGORIZE SYSTEM
• Categorize the system in accordance with CNSSI 1253
• Initiate the Security Plan
• Register the system with the DoD Component Cybersecurity Program
• Assign qualified personnel to RMF roles
STEP 2: SELECT SECURITY CONTROLS
• Common control identification
• Select security controls
• Apply overlays and tailor
• Review and approve the Security Plan and continuous monitoring strategy
STEP 3: IMPLEMENT SECURITY CONTROLS
• Implement control solutions consistent with DoD Component Cybersecurity architectures
• Document security control implementation in the Security Plan
STEP 4: ASSESS SECURITY CONTROLS
• Develop and approve the Security Assessment Plan
• Assess security controls
• SCA prepares the Security Assessment Report (SAR)
• Conduct initial remediation actions
STEP 5: AUTHORIZE SYSTEM
• Prepare the POA&M
• Submit the Security Authorization Package (Security Plan, SAR, and POA&M) to the AO
• AO conducts final risk determination and makes the authorization decision
STEP 6: MONITOR SECURITY CONTROLS
• Determine the impact of changes to the system and environment
• Assess selected controls annually
• Conduct remediation
• Update the Security Plan, SAR, and POA&M
• Report security status to the AO
• AO reviews reported status
• Implement the system decommissioning strategy
RMF is a structured approach for flexibly managing risks that may result from combining information with agency business processes.
STEP-BY-STEP SECURITY RISK MANAGEMENT
STEP 1: CATEGORIZE
The RMF process starts with categorization, which is the foundation for the next five steps. Each system and application is assigned an impact level (low, moderate, or high) for the loss of confidentiality, integrity, and availability of the information it processes, in accordance with FIPS 199 and NIST SP 800-60. For non-national-security systems, FIPS 200 collapses the three values to a single high-water mark that selects the NIST SP 800-53 baseline. National security systems (DoD and IC agencies) categorize under CNSSI 1253, which keeps the three values separate and selects controls for each objective. Categorizing too low leaves controls out; categorizing too high buys controls the system does not need. The determination should therefore be reviewed with the information owner and recorded in the Security Plan.
STEP 2: SELECT
Once the systems have been categorized, security controls can be assigned. Security controls are the safeguards and countermeasures that protect the confidentiality, integrity, and availability of the agency's information and information systems. At the simplest level, one example is an agency using an automated mechanism, such as a group policy that restricts which executables may run, to block unapproved applications from being installed; in NIST SP 800-53 terms that is the CM-7 (Least Functionality) control and its application whitelisting enhancements. The baseline set of controls follows from the categorization and is then tailored to the needs of the system. The selection also shapes the continuous monitoring strategy, since each selected control must be assessed at some defined frequency.
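To make the categorization rule concrete, here is an added example in Python. It is not code from this guide, from NIST, or from MetroStar. It applies the FIPS 199 high-water mark across a set of information types, records a documented NIST SP 800-60 adjustment, and shows the FIPS 200 single-level baseline beside the CNSSI 1253 per-objective triple, so it serves both the Step 1 and Step 2 passages above. The information types, their impact values, and the function names are assumptions made for illustration; real provisional impact levels come from NIST SP 800-60 Volume II.

```python
"""Security categorization (FIPS 199 / FIPS 200 / CNSSI 1253) worked in code.

Added example, not part of the original guide. Information types and their
impact levels are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Mapping, Optional, Sequence, Tuple

# FIPS 199 impact levels in increasing order. "N/A" is permitted only for the
# confidentiality of an individual information type (public data) and never
# for a system-level objective.
LEVELS: Sequence[str] = ("N/A", "LOW", "MODERATE", "HIGH")
OBJECTIVES: Sequence[str] = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact per objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self, objective: str) -> str:
        level = getattr(self, objective)
        if level not in LEVELS:
            raise ValueError(f"{self.name}: bad {objective} level {level!r}")
        if level == "N/A" and objective != "confidentiality":
            raise ValueError(f"{self.name}: N/A is only allowed for confidentiality")
        return level


def _high_water_mark(levels: Iterable[str]) -> str:
    # Impact levels are totally ordered, so the worst case is the highest index.
    return max(levels, key=LEVELS.index)


def categorize(
    info_types: Sequence[InfoType],
    adjustments: Optional[Mapping[Tuple[str, str], str]] = None,
) -> Dict[str, str]:
    """System security category: for each objective, the highest impact among
    the information types the system handles, after documented adjustments.

    `adjustments` maps (info type name, objective) -> level. SP 800-60 lets an
    agency raise or lower a provisional level when it records a rationale;
    this mapping is where that decision is captured.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    pending = dict(adjustments or {})
    category: Dict[str, str] = {}
    for objective in OBJECTIVES:
        levels = []
        for t in info_types:
            level = pending.pop((t.name, objective), t.impact(objective))
            if level not in LEVELS:
                raise ValueError(f"adjustment {t.name}/{objective}: bad level {level!r}")
            levels.append(level)
        hwm = _high_water_mark(levels)
        # FIPS 199: a system-level objective is never N/A; the floor is LOW
        # even when every information type on the system is public.
        category[objective] = "LOW" if hwm == "N/A" else hwm
    if pending:
        raise ValueError(f"adjustments for unknown information types: {sorted(pending)}")
    return category


def fips200_baseline(category: Mapping[str, str]) -> str:
    """Non-national-security systems: FIPS 200 takes one overall level, the
    high-water mark across the three objectives, to pick the SP 800-53
    low, moderate, or high baseline."""
    return _high_water_mark(category[o] for o in OBJECTIVES)


def cnssi1253_baseline(category: Mapping[str, str]) -> Tuple[str, ...]:
    """National security systems: CNSSI 1253 keeps the (C, I, A) triple and
    selects controls per objective, so HIGH confidentiality does not by
    itself pull in the HIGH availability controls."""
    return tuple(category[o] for o in OBJECTIVES)


def security_category_string(category: Mapping[str, str]) -> str:
    """FIPS 199 notation: SC = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    return "SC = {" + ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES) + "}"


# Constructed example: a citizen-facing portal carrying two information types.
PORTAL = (
    InfoType("Public web content", "N/A", "MODERATE", "MODERATE"),
    InfoType("Citizen account records (PII)", "HIGH", "MODERATE", "LOW"),
)


if __name__ == "__main__":
    cat = categorize(PORTAL)
    print(security_category_string(cat))
    print("FIPS 200 baseline:", fips200_baseline(cat))
    print("CNSSI 1253 baseline:", cnssi1253_baseline(cat))
    # Documented adjustment: the portal is the official channel for emergency
    # notices, so the agency raises integrity of the public content to HIGH.
    adjusted = categorize(PORTAL, {("Public web content", "integrity"): "HIGH"})
    print(security_category_string(adjusted))
```

The portal comes out as confidentiality HIGH, integrity MODERATE, availability MODERATE. Under FIPS 200 that is simply a HIGH system and the whole HIGH baseline applies; under CNSSI 1253 the availability controls are selected at MODERATE, which is the practical reason DoD and IC systems categorize differently from civilian ones.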
STEP 3: IMPLEMENT
When security controls and solutions have been identified and assigned to the system, the next step is implementation. This is done through the cybersecurity architecture and through secure coding and configuration practices. Implementation should be a by-product of good security engineering design and development practice, not a separate activity bolted on at the end. Implementation of the security controls should begin at the design phase; it is grounded in systems security engineering and the need to build information systems and environments able to withstand the modern threat environment. How each control is implemented is recorded in the Security Plan so that the assessor in Step 4 knows exactly what to test.
STEP 4: ASSESS
To determine whether the applied security controls are implemented correctly, operating as intended, and producing the desired outcome, the agency must assess them using the assessment procedures in NIST SP 800-53A. Are the risk levels decreasing or being held at a manageable level? The Security Control Assessor records the results in a Security Assessment Report (SAR), which is the basis of the next step in RMF. Because the AO relies on the SAR, the assessment should not be a self-assessment by the team that implemented the controls.
STEP 5: AUTHORIZE
Based on the findings and recommendations of the security assessment, a plan of action and milestones (POA&M) must be put together for every weakness that was not remediated. The agency assembles the security authorization package (Security Plan, SAR, and POA&M) and submits it to an Authorizing Official (AO), who decides whether to grant an authorization to operate (ATO). Before granting it, the AO conducts a final risk determination and decides whether the residual risk is acceptable. The AO, not the system owner or the assessor, is accountable for that acceptance.
STEP 6: MONITOR
Continuous monitoring is key to keeping the RMF life cycle alive. The agency determines the security impact of proposed or actual changes to the system and its environment, reassesses a subset of the selected controls on an ongoing basis, and reports security status to the AO. Significant changes feed back into Step 1 of the life cycle, where the categorization is revisited in light of the findings and the overall management of operational risk. Each organization defines and documents its continuous monitoring strategy, the frequency of security control monitoring, and the rigor with which the monitoring is conducted; one size does not fit all. Continuous monitoring is most effective when conducted on information technology infrastructures that have already been strengthened and made more resilient. Build it right, then continuously monitor.
ALIGNING SDLC & RMF
The system development life cycle (SDLC) is the process for developing, implementing, and retiring an information system. Integrating RMF into the SDLC allows agencies to identify critical assets, operations, and vulnerabilities while the design can still be changed cheaply. This integration allows agencies to:
• Identify and mitigate security vulnerabilities early
• Reduce development costs and improve the information system's security posture
• Make informed decisions
• Document security considerations through each stage of development
CRITICAL RMF ROLES & RESPONSIBILITIES
AUTHORIZING OFFICIAL (AO)
• Senior official who makes the authorization decision and accepts the residual risk of operating the system
• Ensures RMF tasks are initiated and completed
• Ensures appropriate documentation
• Monitors and tracks system-level execution
INFORMATION SYSTEM OWNER (ISO)
• Categorizes systems and documents them in the Joint Capabilities Integration and Development System (JCIDS)
INFORMATION SYSTEM SECURITY MANAGER (ISSM)
• Maintains and reports system assessments, authorization status, and issues
• Ensures issues affecting overall security are addressed
• Develops and updates the System Security Plan (SSP)
FACILITY SECURITY OFFICER (FSO)
• Oversees environmental and physical protection, personnel security, incident handling, and training
INFORMATION SYSTEM SECURITY OFFICER (ISSO)
• Configures and manages the security posture of the information system
SECURITY CONTROL ASSESSOR (SCA)
• Conducts security control assessments and prepares the Security Assessment Report (SAR)
INFORMATION OWNER
• Establishes rules of behavior for information over which they have operational authority
• Provides protection requirements to information system owners
RMF ROLE ALIGNMENT (Information System View)
[Figure: role alignment diagram, not reproduced in this text.]
YOUR FIRST STEP TO RMF
ABOUT METROSTAR SYSTEMS:
For over 18 years, MetroStar Systems has provided innovative information technology services to its commercial and government clients. The Reston-based IT company specializes in the practice of cybersecurity, which covers cyber operations and training, data protection, cybersecurity program design and management, and risk and vulnerability assessment. MetroStar's cybersecurity team consists of experts with decades-spanning experience in a vast array of Federal cybersecurity practices, including the implementation of and training for Risk Management Framework (RMF) adoption.
Get in touch with MetroStar Systems' cybersecurity experts at info@metrostarsystems.com.
ABOUT THE AUTHOR:
With decades-spanning experience and expertise, Dr. Julie E. Mehan, PhD, CISSP, is a recognized leader in the field of cybersecurity. Earlier in her career, she served as a program manager for the Department of Defense's DIACAP cybersecurity framework. She continues to be regarded as a subject matter expert on Federal cybersecurity, recognized and respected by NIST. Dr. Mehan remains at the forefront of creating a secure cyber landscape by providing Federal cybersecurity training and expertise, including her deep, strategic knowledge of RMF. Dr. Mehan is currently the Director of Cybersecurity Strategy & Alignment at MetroStar Systems.
Julie can be reached by email at info@metrostarsystems.com.
ADDITIONAL RESOURCES
• National Institute of Standards and Technology (NIST) website
• NIST SP 800-37 Revision 1: Guide for Applying the Risk Management Framework to Federal Information Systems
• National Industrial Security Program Operating Manual (NISPOM)
• NIST SP 800-137: Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
• NIST SP 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations
• NIST SP 800-53A Revision 4: Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
• NIST SP 800-60: Guide for Mapping Types of Information and Information Systems to Security Categories
• CNSSI 1253: Security Categorization and Control Selection for National Security Systems
• FIPS 199: Standards for Security Categorization of Federal Information and Information Systems
• DoDI 8510.01: Risk Management Framework (RMF) for DoD Information Technology (IT)
1856 Old Reston Avenue, Suite 100, Reston, VA 20190 | 703.481.9581 | www.metrostarsystems.com | info@metrostarsystems.com

More Related Content

What's hot

Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH
 
Iso27001 Risk Assessment Approach
Iso27001   Risk Assessment ApproachIso27001   Risk Assessment Approach
Iso27001 Risk Assessment Approach
tschraider
 
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
PECB
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
PECB
 

What's hot (20)

NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101  NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security Roadmap
 
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Understanding the NIST Risk Management Framework: 800-37 Rev. 2Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
 
Risk Assessment Process NIST 800-30
Risk Assessment Process NIST 800-30Risk Assessment Process NIST 800-30
Risk Assessment Process NIST 800-30
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellence
 
NIST Risk Management Framework (RMF)
NIST Risk Management Framework (RMF)NIST Risk Management Framework (RMF)
NIST Risk Management Framework (RMF)
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity Chasm
 
Iso27001 Risk Assessment Approach
Iso27001   Risk Assessment ApproachIso27001   Risk Assessment Approach
Iso27001 Risk Assessment Approach
 
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012  building a security operations center (soc)Rothke rsa 2012  building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)
 
Governance of security operation centers
Governance of security operation centersGovernance of security operation centers
Governance of security operation centers
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation Center
 
SOC and SIEM.pptx
SOC and SIEM.pptxSOC and SIEM.pptx
SOC and SIEM.pptx
 
What We’ve Learned Building a Cyber Security Operation Center: du Case Study
What We’ve Learned Building a Cyber  Security Operation Center: du Case  StudyWhat We’ve Learned Building a Cyber  Security Operation Center: du Case  Study
What We’ve Learned Building a Cyber Security Operation Center: du Case Study
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSF
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
 

Similar to Guide to Risk Management Framework (RMF)

report on Mobile security
report on Mobile securityreport on Mobile security
report on Mobile security
JAYANT RAJURKAR
 
Information Security Assurance Capability Maturity Model (ISA-.docx
Information Security Assurance Capability Maturity Model (ISA-.docxInformation Security Assurance Capability Maturity Model (ISA-.docx
Information Security Assurance Capability Maturity Model (ISA-.docx
lanagore871
 
NIST to CSF to ISO or EC 27002 2022 with NIST
NIST to CSF to ISO or EC 27002 2022 with NISTNIST to CSF to ISO or EC 27002 2022 with NIST
NIST to CSF to ISO or EC 27002 2022 with NIST
ebonyman0007
 
Derek J Mezack Resume 2015-AppSec_k
Derek J Mezack Resume 2015-AppSec_kDerek J Mezack Resume 2015-AppSec_k
Derek J Mezack Resume 2015-AppSec_k
Derek Mezack
 

Similar to Guide to Risk Management Framework (RMF) (20)

5757912.ppt
5757912.ppt5757912.ppt
5757912.ppt
 
Bluedog White Paper - overview of RMF implementation.pdf
Bluedog White Paper - overview of RMF implementation.pdfBluedog White Paper - overview of RMF implementation.pdf
Bluedog White Paper - overview of RMF implementation.pdf
 
Ijetr042329
Ijetr042329Ijetr042329
Ijetr042329
 
report on Mobile security
report on Mobile securityreport on Mobile security
report on Mobile security
 
Information Security Assurance Capability Maturity Model (ISA-.docx
Information Security Assurance Capability Maturity Model (ISA-.docxInformation Security Assurance Capability Maturity Model (ISA-.docx
Information Security Assurance Capability Maturity Model (ISA-.docx
 
Improving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity FrameworkImproving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity Framework
 
800-37.pptx
800-37.pptx800-37.pptx
800-37.pptx
 
Bit defender ebook_secmonitor_print
Bit defender ebook_secmonitor_printBit defender ebook_secmonitor_print
Bit defender ebook_secmonitor_print
 
Auditing-Cybersecurity in the enterprise
Auditing-Cybersecurity in the enterpriseAuditing-Cybersecurity in the enterprise
Auditing-Cybersecurity in the enterprise
 
4-lessons-of-security-leaders-for-2022.pdf
4-lessons-of-security-leaders-for-2022.pdf4-lessons-of-security-leaders-for-2022.pdf
4-lessons-of-security-leaders-for-2022.pdf
 
Cybersecurity Software Development Services.
Cybersecurity Software Development Services.Cybersecurity Software Development Services.
Cybersecurity Software Development Services.
 
What is Enterprise Security Architecture (ESA)?
What is Enterprise Security Architecture (ESA)?What is Enterprise Security Architecture (ESA)?
What is Enterprise Security Architecture (ESA)?
 
Safeguarding the Enterprise
Safeguarding the EnterpriseSafeguarding the Enterprise
Safeguarding the Enterprise
 
Microsoft Security adoptionguide for the enterprise
Microsoft Security adoptionguide for the enterpriseMicrosoft Security adoptionguide for the enterprise
Microsoft Security adoptionguide for the enterprise
 
PSIM: Why Should I Be Interested?
PSIM: Why Should I Be Interested?PSIM: Why Should I Be Interested?
PSIM: Why Should I Be Interested?
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life Cycle
 
NIST to CSF to ISO or EC 27002 2022 with NIST
NIST to CSF to ISO or EC 27002 2022 with NISTNIST to CSF to ISO or EC 27002 2022 with NIST
NIST to CSF to ISO or EC 27002 2022 with NIST
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
 
Derek J Mezack Resume 2015-AppSec_k
Derek J Mezack Resume 2015-AppSec_kDerek J Mezack Resume 2015-AppSec_k
Derek J Mezack Resume 2015-AppSec_k
 

Recently uploaded

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc
 

Recently uploaded (20)

Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptx
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 

Guide to Risk Management Framework (RMF)

  • 1. RISK MANAGEMENT FRAMEWORK Guide To Building Secure & Compliant Information Infrastructures
  • 2. © 2017 MetroStar Systems, Inc. - Proprietary 2 GOVERNMENT IT SECURITY FRAMEWORKS GUIDE TO RISK MANAGEMENT FRAMEWORK With the speed of today's innovation, your organization’s information technology system is in constant evolution. So are cyber threats. Modern cyber threats are capable of breaking through any barrier. The effect? There now exists a call for persistence: the continuous effort to implement strong measures to protect IT systems from the risk of being compromised by ever- evolving cybersecurity threats. Governance, Risk, and Compliance (GRC) are the foundational elements that allow organizations to accomplish their missions. For Federal agencies, a unified security framework is necessary, not just to ensure standard operations across the entire government, but to deliver continuous, consistent, and secure information and information system services. The Risk Management Framework (RMF) was created to achieve just that. Developed by the National Institute of Standards and Technology (NIST), RMF is the living wall built around government IT systems. It exists to help agencies gain a better understanding of their individual IT systems and organizational risks, while simultaneously monitoring and responding to threats in a consistent, integrated manner. Executing the RMF is not merely a compliance exercise. The framework’s inherent flexibility drives security solutions.
  • 3. © 2017 MetroStar Systems, Inc. - Proprietary 3 CHANGING LANDSCAPE DRIVES SECURITY GUIDE TO RISK MANAGEMENT FRAMEWORK A security program must keep pace with the evolving threat landscape. It must become an intrinsic part of the enterprise that grows along with it. The RMF helps build or augment a security program that equips the enterprise to keep pace with constantly evolving threats by:  Harmonizing cybersecurity approaches and providing a common language  Establishing the right level of security for your environment  Informing cybersecurity budget planning  Communicating cyber risks comprehensively to Senior Leadership Data Aggregation & Amount of Valuable Data Regulatory Compliance Virtualization Private & Public Cloud Number of Connected People Explosion of Internet Devices Complexity of the IT Model Consumerization of the IT Model Escalating Threat Agent Landscape Challenges are increasing in size, intensity, and complexity over time.
  • 4. FEDERAL AGENCIES AND RMF
RMF is the unified information security framework for the entire federal government. RMF is mandated by, and constitutes an integral part of, FISMA implementation. It is based on publications of NIST and the Committee on National Security Systems (CNSS).
For the past decade, Federal agencies have leveraged RMF to take a more dynamic approach to identifying and mitigating vulnerabilities and threats while achieving their mission objectives. RMF also continuously monitors the selected and implemented security measures to avoid, counteract, or minimize those risks.
With the RMF, there is no one-size-fits-all approach. Each information system is categorized according to its value to the enterprise, and security controls are selected specifically for that system. These controls are then monitored year by year, month by month, day by day, or even hour by hour, depending on the criticality of the system, the organization's risk tolerance, and the threats posed to the organization and the system.
"The principal goal of an organization's risk management approach is to protect the organization and its ability to perform its mission, not just its information assets..." (CNSSP 22)
RMF allows organizations to drive security solutions that are most appropriate for their security requirements and threat environment.
  • 5. DIMENSIONS OF CYBERSECURITY RISK
[Slide graphic: cybersecurity risk plotted against a time horizon (in-depth and deliberate versus time critical), a level (strategic versus tactical), and a scope (enterprise, mission, system), with reputation and legal risk, program risk, and operational risk as the risk categories.]
RMF addresses numerous threats across each of the dimensions of cybersecurity risk.
  • 6. THE DoD TRANSITION FROM DIACAP
Until 2014, the DoD Information Assurance Certification and Accreditation Process (DIACAP) served as the standard framework for securing DoD information systems. DIACAP focused on certifying and accrediting DoD information systems against a predetermined set of prescribed security requirements (the IA controls of DoDI 8500.2), determined by the system's mission assurance category and confidentiality level. RMF, formalized by NIST in SP 800-37 Revision 1 (2010), does not prescribe a fixed set of requirements; instead it provides steps that each agency can act upon and shape according to its unique needs and missions. The selection of security controls also varies depending on the technologies being used. RMF's procedures go beyond system-based assessments: they take into consideration man-made risks and other external factors that pose a threat to the system.
DoD's decision to adopt the RMF, with its patterned flexibility and granular precision, and to mandate its exclusive use in conducting security authorization activities means that, for the first time, all defense, intelligence, and federal civilian agencies will be working from the same risk management framework. It is a decision that will have a far-ranging impact.
RMF replaces the legacy DoD Certification & Accreditation processes applied to information systems.
  • 7. A STEP TOWARDS IMPROVED CYBERSECURITY
RMF is a required and key component in the implementation of the Federal Information Security Management Act (FISMA). Government IT systems achieve FISMA compliance when they are able to protect their information and assets against natural and man-made threats. RMF helps agencies lay the groundwork for FISMA compliance and other policy directives by strengthening information security through its six-step life cycle process.
  • 8. SIX STEPS OF RMF (RMF PROCESS WHEEL)
ARCHITECTURAL INPUTS
    • Architecture reference models
    • Segment and solution architectures
    • Mission and business processes
    • Information system boundaries
ORGANIZATIONAL INPUTS
    • Laws, directives, policy guidance
    • Strategic goals and objectives
    • Priorities and resource availability
    • Supply chain considerations
STEP 1: CATEGORIZE SYSTEM
    • Categorize the system in accordance with CNSSI 1253
    • Initiate the Security Plan
    • Register the system with the DoD Component Cybersecurity Program
    • Assign qualified personnel to RMF roles
STEP 2: SELECT SECURITY CONTROLS
    • Common control identification
    • Select security controls
    • Apply overlays and tailor
    • Review and approve the Security Plan and continuous monitoring strategy
STEP 3: IMPLEMENT SECURITY CONTROLS
    • Implement control solutions consistent with DoD Component Cybersecurity architectures
    • Document security control implementation in the Security Plan
STEP 4: ASSESS SECURITY CONTROLS
    • Develop and approve the Security Assessment Plan
    • Assess security controls
    • SCA prepares the Security Assessment Report (SAR)
    • Conduct initial remediation actions
STEP 5: AUTHORIZE SYSTEM
    • Prepare the Plan of Action and Milestones (POA&M)
    • Submit the Security Authorization Package (Security Plan, SAR, and POA&M) to the AO
    • AO conducts the final risk determination and makes the authorization decision
STEP 6: MONITOR SECURITY CONTROLS
    • Determine the impact of changes to the system and its environment
    • Assess selected controls annually
    • Conduct remediation
    • Update the Security Plan, SAR, and POA&M
    • Report security status to the AO
    • AO reviews the reported status
    • Implement the system decommissioning strategy
RMF is a structured approach for flexibly managing the risks that result from combining information and information systems with agency business processes.
  • 9. STEP-BY-STEP SECURITY RISK MANAGEMENT
STEP 1: CATEGORIZE
The RMF process starts with categorization, which is the foundation for the next five steps. Based on a risk assessment, each system or application is assigned a security impact level (high, moderate, or low) for each of confidentiality, integrity, and availability, in accordance with FIPS 199 and NIST SP 800-60, or CNSSI 1253 for the national security systems of DoD and IC agencies.
STEP 2: SELECT
Once the system has been categorized, security controls can be selected. Security controls are the countermeasures used to detect and prevent security risks to the agency's information system. At the simplest level, one example of a security control is an agency using an automated policy mechanism, a Windows Group Policy setting for instance, to identify and block certain types of applications from being downloaded or run. The selected controls are tailored to the needs of the system, and the selection feeds the continuous monitoring strategy.
STEP 3: IMPLEMENT
When security controls and solutions have been identified and assigned to the system, the next step is implementation. This is done through the cybersecurity architecture and secure coding techniques. Implementation should be a by-product of good security engineering design and development practices: it should begin in the design phase, and it is grounded in systems theory and the need to build information systems and environments able to withstand the modern threat environment.
  • 10. STEP-BY-STEP SECURITY RISK MANAGEMENT (continued)
STEP 4: ASSESS
To determine whether the implemented security controls are working as intended and are managing risk, the agency must examine their performance, reliability, and effectiveness. Are the risk levels decreasing or being held at a manageable level? The resulting Security Assessment Report (SAR) is the basis for the next step in RMF.
STEP 5: AUTHORIZE
Based on the findings and recommendations of the security assessment, a plan of action, including projected milestones (the POA&M), is put together for the weaknesses that remain. The agency assembles the security authorization package and submits it to the Authorizing Official (AO), who grants or denies the authorization to operate. Before authorizing, the AO conducts a final risk determination and decides whether the residual risk is acceptable.
STEP 6: MONITOR
Continuous monitoring keeps the RMF life cycle alive. The agency determines the impact of changes to the system and its environment on the selected security controls, and maintains a monitoring strategy that balances system performance and risk. Findings feed back into Step 1 of the life cycle: the categorization is revisited in light of all findings and the overall management of operational risk. Each organization defines and documents its continuous monitoring strategy, the frequency of security control monitoring, and the rigor with which the monitoring is conducted; one size does not fit all. Continuous monitoring is most effective when conducted on information technology infrastructures that have already been strengthened and made more resilient. Build it right, then continuously monitor.
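Steps 1 and 2 above (categorize, then select, overlay and tailor) follow rules that are mechanical enough to check in code. The Python below is an added example, not code from this guide or from NIST: it applies the FIPS 199 high-water-mark rule to a set of constructed information types, derives the FIPS 200 overall impact level that picks the SP 800-53 baseline, adds an overlay, and records the tailoring decisions a Security Plan has to justify. The information types, the overlay control, and the small control subsets standing in for the baselines are assumptions made for illustration; the authoritative baseline tables are in NIST SP 800-53 Rev 4 Appendix D.

```python
"""FIPS 199 categorization and SP 800-53 baseline tailoring (RMF Steps 1 and 2).

Added example, not code from the MetroStar guide. Information types, impact
levels, overlay and the control subsets below are constructed for illustration.
"""
from dataclasses import dataclass

# Ordered impact levels. FIPS 199 permits "N/A" only for the confidentiality
# of information that is already approved for public release.
LEVEL_RANK = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type the system handles, with a provisional impact
    level per security objective (as SP 800-60 would supply)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def categorize_system(info_types):
    """FIPS 199 system categorization: for each objective, the high-water
    mark over every information type the system processes."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    category = {}
    for objective in OBJECTIVES:
        levels = []
        for it in info_types:
            level = getattr(it, objective).upper()
            if level not in LEVEL_RANK:
                raise ValueError(f"{it.name}: unknown level {level!r} for {objective}")
            if level == "N/A" and objective != "confidentiality":
                # Integrity and availability always carry at least LOW impact.
                raise ValueError(f"{it.name}: N/A is only allowed for confidentiality")
            levels.append(level)
        category[objective] = max(levels, key=LEVEL_RANK.__getitem__)
    return category


def overall_impact(category):
    """FIPS 200 high-water mark across the three objectives; this single
    level selects the SP 800-53 baseline (LOW, MODERATE or HIGH)."""
    top = max(category.values(), key=LEVEL_RANK.__getitem__)
    return "LOW" if top == "N/A" else top


def format_category(category):
    """Render the categorization in FIPS 199 notation."""
    inner = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return "SC = {" + inner + "}"


# Illustrative excerpt of the baselines, constructed for this example. The real
# tables are nested (LOW is a subset of MODERATE, MODERATE of HIGH), as here.
_LOW = {"AC-2", "AC-3", "AU-2", "CM-7", "IA-2", "SC-7", "SI-4"}
_MODERATE = _LOW | {"AC-2(1)", "AC-2(4)", "AU-6(1)", "SC-28", "SI-4(2)"}
_HIGH = _MODERATE | {"AC-2(11)", "AU-9(2)", "AU-10", "SC-7(21)"}
BASELINES = {"LOW": _LOW, "MODERATE": _MODERATE, "HIGH": _HIGH}


def select_controls(impact, overlay=(), tailor_out=None):
    """RMF Step 2: start from the baseline for the impact level, add overlay
    controls, then tailor out controls the organization has justified as not
    applicable. Every removal must carry a rationale, because that rationale is
    what the Security Plan records. Returns (controls, tailoring_record)."""
    tailor_out = tailor_out or {}
    controls = set(BASELINES[impact]) | set(overlay)
    record = []
    for control, rationale in tailor_out.items():
        if not rationale:
            raise ValueError(f"tailoring out {control} requires a documented rationale")
        if control in controls:
            controls.remove(control)
            record.append(f"{control} removed: {rationale}")
        else:
            record.append(f"{control} not in selected set; no change")
    return frozenset(controls), record


if __name__ == "__main__":
    # Constructed sample system handling three information types.
    sample = [
        InfoType("Public web content", "N/A", "LOW", "LOW"),
        InfoType("Personnel records (PII)", "MODERATE", "MODERATE", "LOW"),
        InfoType("Mission scheduling", "LOW", "HIGH", "MODERATE"),
    ]
    sc = categorize_system(sample)
    print(format_category(sc), "->", overall_impact(sc))
    chosen, log = select_controls(
        overall_impact(sc),
        overlay={"SC-28(1)"},  # hypothetical overlay: encryption at rest
        tailor_out={"SC-7(21)": "single enclave; no separately isolated components"},
    )
    print(sorted(chosen))
    print("\n".join(log))
```

Note that the integrity HIGH rating of a single information type drives the whole system to the HIGH baseline even though its confidentiality is only MODERATE; that is the intended effect of the high-water mark, and it is why Step 1 is called the foundation of the other five.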
  • 11. ALIGNING SDLC & RMF
The system development life cycle (SDLC) is the process for developing, implementing, and retiring an information system (IS). Aligning RMF to the SDLC allows agencies to identify critical assets, operations, and vulnerabilities early. This integration allows agencies to:
    • Identify and mitigate security vulnerabilities
    • Reduce development costs and improve the IS's security posture
    • Make informed decisions
    • Document security considerations through each stage of development
  • 12. CRITICAL RMF ROLES & RESPONSIBILITIES
    • AUTHORIZING OFFICIAL (AO): ensures RMF tasks are initiated and completed; ensures appropriate documentation; monitors and tracks system-level execution; makes the authorization decision (Step 5)
    • INFORMATION SYSTEM OWNER (ISO): categorizes systems and documents them in the Joint Capabilities Integration and Development System (JCIDS)
    • INFORMATION SYSTEM SECURITY MANAGER (ISSM): maintains and reports system assessments, authorization status, and issues; ensures issues affecting overall security are addressed; develops and updates the System Security Plan (SSP)
    • FACILITY SECURITY OFFICER (FSO): oversees environmental and physical protection, personnel security, incident handling, and training
    • INFORMATION SYSTEM SECURITY OFFICER (ISSO): configures and manages the security posture of the IS
    • SECURITY CONTROL ASSESSOR (SCA): conducts security control assessments
    • INFORMATION OWNER: establishes rules of behavior for the information over which they have operational authority; provides input to information system owners on protection requirements
  • 13. RMF ROLE ALIGNMENT
[Slide graphic: information system view of how the RMF roles align.]
  • 14. YOUR FIRST STEP TO RMF
ABOUT METROSTAR SYSTEMS: For over 18 years, MetroStar Systems has provided innovative information technology services to its commercial and government clients. The Reston-based IT company specializes in the practice of cybersecurity, which covers cyber operations and training, data protection, cybersecurity program design and management, and risk and vulnerability assessment. MetroStar's cybersecurity team consists of experts with decades of experience in a vast array of Federal cybersecurity practices, including the implementation of, and training for, Risk Management Framework (RMF) adoption. Get in touch with MetroStar Systems' cybersecurity experts at info@metrostarsystems.com.
ABOUT THE AUTHOR: With decades of experience and expertise, Dr. Julie E. Mehan, PhD, CISSP, is a recognized leader in the field of cybersecurity. Earlier in her career, she served as a program manager for the Department of Defense's DIACAP cybersecurity framework. She remains regarded as a subject matter expert on Federal cybersecurity, recognized and respected by NIST. Dr. Mehan continues to be at the forefront of creating a secure cyber landscape by providing Federal cybersecurity training and expertise, including her deep, strategic knowledge of RMF. Dr. Mehan is currently the Director of Cybersecurity Strategy & Alignment at MetroStar Systems. Julie can be reached by email at info@metrostarsystems.com.
ADDITIONAL RESOURCES
    • National Institute of Standards and Technology (NIST) website
    • National Industrial Security Program Operating Manual (NISPOM)
    • NIST SP 800-137: Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
    • NIST SP 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations
    • NIST SP 800-53A Revision 4: Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
    • CNSSI 1253: Security Categorization and Control Selection for National Security Systems
    • FIPS 199: Standards for Security Categorization of Federal Information and Information Systems
    • DoDI 8510.01: Risk Management Framework (RMF) for DoD Information Technology (IT)
  • 15. 1856 Old Reston Avenue, Suite 100, Reston, VA 20190 | 703.481.9581 | www.metrostarsystems.com | info@metrostarsystems.com