2. WHY RMF??
RISK?
• Risk is a measure of the extent to which an entity is
threatened by a potential circumstance or event, and
is typically a function of: (i) the adverse impacts that
would arise if the circumstance or event occurs; and
(ii) the likelihood of occurrence. Information security
risks are those risks that arise from the loss of
confidentiality, integrity, or availability of information
or information systems and reflect the potential
adverse impacts to organizational operations (i.e.,
mission, functions, image, or reputation),
organizational assets, individuals, other organizations,
and the Nation.
3. WHY RMF??
• Risk assessment
• The process of identifying, estimating, and prioritizing
information security risks. Assessing risk requires the careful
analysis of threat and vulnerability information to determine
the extent to which circumstances or events could adversely
impact an organization and the likelihood that such
circumstances or events will occur.
4. KEY DEFINITIONS
• Threat
• A threat is any circumstance or event with the potential to
adversely impact organizational operations and assets,
individuals, other organizations, or the Nation through an
information system via unauthorized access, destruction,
disclosure, or modification of information, and/or denial of
service.
• Vulnerability
• A vulnerability is a weakness in an information system, system
security procedures, internal controls, or implementation that
could be exploited by a threat source.
5. KEY DEFINITIONS
• Likelihood
• The likelihood of occurrence is a weighted risk factor based on
an analysis of the probability that a given threat is capable of
exploiting a given vulnerability (or set of vulnerabilities).
• Impact
• The level of impact from a threat event is the magnitude of
harm that can be expected to result from the consequences of
unauthorized disclosure of information, unauthorized
modification of information, unauthorized destruction of
information, or loss of information or information system
availability.
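As an added illustration of the definitions on these slides (risk as a function of impact and likelihood, and risk assessment as identifying, estimating and prioritizing), the following Python module, which is not from the slides or from NIST, scores a small constructed risk register with a qualitative likelihood-by-impact lookup table and orders it for treatment. The five-point scale, the matrix cells and the register entries are all constructed for this example; an organization would substitute its own scale and tables.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Qualitative five-point scale used for likelihood, impact and resulting risk
    (constructed for this example)."""
    VERY_LOW = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3
    VERY_HIGH = 4


# Qualitative risk matrix indexed as RISK_MATRIX[likelihood][impact].
# The cell values are constructed for this example in the style of a
# likelihood-by-impact lookup table; they are not an official NIST table.
RISK_MATRIX = [
    # impact:  VERY_LOW        LOW         MODERATE        HIGH         VERY_HIGH
    [Level.VERY_LOW, Level.VERY_LOW, Level.VERY_LOW, Level.LOW,      Level.LOW],        # likelihood VERY_LOW
    [Level.VERY_LOW, Level.LOW,      Level.LOW,      Level.LOW,      Level.MODERATE],   # likelihood LOW
    [Level.VERY_LOW, Level.LOW,      Level.MODERATE, Level.MODERATE, Level.HIGH],       # likelihood MODERATE
    [Level.VERY_LOW, Level.LOW,      Level.MODERATE, Level.HIGH,     Level.VERY_HIGH],  # likelihood HIGH
    [Level.VERY_LOW, Level.LOW,      Level.MODERATE, Level.HIGH,     Level.VERY_HIGH],  # likelihood VERY_HIGH
]


@dataclass(frozen=True)
class RiskItem:
    threat: str          # circumstance or event that could cause harm
    vulnerability: str   # weakness the threat source could exploit
    likelihood: Level    # probability the threat exploits the vulnerability
    impact: Level        # magnitude of harm from loss of C, I or A


def risk_level(likelihood: Level, impact: Level) -> Level:
    """Risk as a function of likelihood and impact, via the qualitative matrix."""
    return RISK_MATRIX[likelihood][impact]


def prioritize(items):
    """Order the register highest risk first; ties are broken by impact, then
    likelihood, so high-consequence items surface before frequent-but-minor ones."""
    return sorted(
        items,
        key=lambda r: (risk_level(r.likelihood, r.impact), r.impact, r.likelihood),
        reverse=True,
    )


# Constructed sample register (hypothetical threat/vulnerability pairs).
SAMPLE_REGISTER = [
    RiskItem("Phishing of help-desk staff", "No MFA on remote access portal", Level.HIGH, Level.HIGH),
    RiskItem("Opportunistic internet scanning", "Unpatched web server", Level.VERY_HIGH, Level.MODERATE),
    RiskItem("Power outage at data centre", "Single power feed, no UPS", Level.LOW, Level.VERY_HIGH),
    RiskItem("Insider browses HR records", "Over-broad file share permissions", Level.MODERATE, Level.LOW),
]


if __name__ == "__main__":
    for item in prioritize(SAMPLE_REGISTER):
        level = risk_level(item.likelihood, item.impact)
        print(f"{level.name:9} {item.threat} / {item.vulnerability}")
```

The tie-break in `prioritize` is a design choice: two items can land in the same matrix cell, and treating the higher-impact one first is the usual preference because impact is harder to reduce after the fact than likelihood.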
6. RISK MANAGEMENT FRAMEWORK (RMF)
• RMF
• The process that ensures that systems and major applications
adhere to formal established security requirements that are
well documented and authorized.
1. Prepare
2. Categorize
3. Select
4. Implement
5. Assess
6. Authorize
7. Monitor
• Federal Information Security Management Act (FISMA) 2002
• FISMA – forces Federal systems that are implemented to be
secure
7. RMF
• FISMA
• Main reasons:
• Requires all Federal agencies to develop and implement an
agency-wide information security program.
• Provided standardization for Security audits/assessments
• Agency’s Implementation
• RMF Handbook
• Templates
• Provided a basis for organizations/components to petition Congress for
more money to fix security-related issues
• Is the public sector required to do FISMA?
• 90% of Nation’s critical infrastructure is on private networks
8. RMF IS WHAT?
• Provides a repeatable process designed to promote the protection of information and
information systems commensurate with risk;
• Emphasizes organization-wide preparation necessary to manage security and privacy risks;
• Facilitates the categorization of information and systems, the selection, implementation,
assessment, and monitoring of controls, and the authorization of information systems and
common controls;
• Promotes the use of automation for near real-time risk management and ongoing system and
control authorization through the implementation of continuous monitoring processes;
• Encourages the use of correct and timely metrics to provide senior leaders and managers with
the necessary information to make cost-effective, risk-based decisions for information systems
supporting their missions and business functions;
• Facilitates the integration of security and privacy requirements and controls into enterprise
architecture, SDLC, acquisition processes, and systems engineering processes;
• Connects risk management processes at the organization and mission/business process levels to
risk management processes at the information system level through a senior accountable official
for risk management and risk executive (function); and
• Establishes responsibility and accountability for controls implemented within information
systems and inherited by those systems.
11. RMF
• Prepare to execute the RMF from an organization- and a system-level perspective by
establishing a context and priorities for managing security and privacy risk.
• Categorize the system and the information processed, stored, and transmitted by the
system based on an analysis of the impact of loss.
• Select an initial set of controls for the system and tailor the controls as needed to
reduce risk to an acceptable level based on an assessment of risk.
• Implement the controls and describe how the controls are employed within the
system and its environment of operation.
• Assess the controls to determine if the controls are implemented correctly, operating
as intended, and producing the desired outcomes with respect to satisfying the
security and privacy requirements.
• Authorize the system or common controls based on a determination that the risk to
organizational operations and assets, individuals, other organizations, and the Nation
is acceptable.
• Monitor the system and the associated controls on an ongoing basis to include
assessing control effectiveness, documenting changes to the system and
environment of operation, conducting risk assessments and impact analyses, and
reporting the security and privacy posture of the system.
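Added example for the Categorize step above (not code from the slides). The slides say categorization is based on the impact of loss; FIPS 199, which the slides do not cite, makes that concrete with a high-water-mark rule: each of confidentiality, integrity and availability takes the highest impact among the information types the system handles, and the system-level value is floored at LOW even where an individual information type's confidentiality impact is not applicable. The overall level used to pick a control baseline is then the highest of the three objectives. The information types and their impact values below are constructed for the example.

```python
from enum import IntEnum
from typing import Dict, Iterable, NamedTuple


class Impact(IntEnum):
    """FIPS 199 potential-impact values. NOT_APPLICABLE is permitted only for the
    confidentiality of an individual information type (e.g. public information)."""
    NOT_APPLICABLE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


class InfoType(NamedTuple):
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact


OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_system(info_types: Iterable[InfoType]) -> Dict[str, Impact]:
    """Security category of a system: per objective, the high-water mark over all
    information types it processes, stores or transmits. Starting each objective at
    LOW applies the FIPS 199 floor, so a system is never NOT_APPLICABLE."""
    category = {obj: Impact.LOW for obj in OBJECTIVES}
    for info_type in info_types:
        for obj in OBJECTIVES:
            category[obj] = max(category[obj], getattr(info_type, obj))
    return category


def overall_impact(category: Dict[str, Impact]) -> Impact:
    """Single impact level that drives control baseline selection: the highest of
    the three objectives (the high-water mark applied once more)."""
    return max(category.values())


def format_category(category: Dict[str, Impact]) -> str:
    """Render in the FIPS 199 notation:
    SC = {(confidentiality, X), (integrity, Y), (availability, Z)}"""
    parts = ", ".join(f"({obj}, {category[obj].name})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


# Constructed example: a public-facing portal that also handles personnel records.
PORTAL_INFO_TYPES = [
    InfoType("public web content", Impact.NOT_APPLICABLE, Impact.MODERATE, Impact.MODERATE),
    InfoType("personnel records", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
]

# Constructed example: the same system after a safety-related telemetry feed is added.
PLANT_INFO_TYPES = PORTAL_INFO_TYPES + [
    InfoType("plant safety telemetry", Impact.LOW, Impact.HIGH, Impact.HIGH),
]


if __name__ == "__main__":
    for label, types in (("portal", PORTAL_INFO_TYPES), ("portal + telemetry", PLANT_INFO_TYPES)):
        category = categorize_system(types)
        print(f"{label}: {format_category(category)} -> overall {overall_impact(category).name}")
```

The second sample shows why categorization is revisited in the Monitor step: adding one information type with a HIGH integrity and availability impact raises the whole system to HIGH, which changes the control baseline selected in the next step.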
12. HOW DID WE GET HERE?
• Four models
• NIACAP – National Information Assurance Certification and
Accreditation Process. (CNSS or NSI Systems)
• NIST – National Institute of Standards and Technology.
(SBU Systems)
• DITSCAP – Department of Defense Information Technology
Security Certification and Accreditation Process. Now DIACAP
• DCID 6/3 – Used by Intelligence Agencies
15. PRIVATE ENTERPRISES
• FISMA
• Do not have to meet it
• But is available
• Defense Contractors sometimes have to meet it.
• Examples
• HIPAA
• Sarbanes-Oxley
16. ROLES AND RESPONSIBILITIES
• Chief Information Officer
• (i) designating a senior information security officer;
• (ii) developing and maintaining information security
policies, procedures, and control techniques to address
all applicable requirements;
• (iii) overseeing personnel with significant responsibilities
for information security and ensuring that the personnel
are adequately trained;
• (iv) assisting senior organizational officials concerning
their security responsibilities; and
• (v) in coordination with other senior officials, reporting
annually to the head of the federal agency on the overall
effectiveness of the organization’s information security
program, including progress of remedial actions.
17. ROLES AND RESPONSIBILITIES
• Information Owner
• Organizational official with statutory,
management, or operational authority for
specified information and the responsibility for
establishing the policies and procedures
governing its generation, collection, processing,
dissemination, and disposal.
• Senior Information Security Officer
• Organizational official responsible for:
• (i) Carrying out the chief information officer security responsibilities
under FISMA; and
• (ii) Serving as the primary liaison for the chief information officer to
the organization’s authorizing officials, information system owners,
common control providers, and information system security officers.
18. ROLES AND RESPONSIBILITIES
• Authorizing Official
• Senior official or executive with the authority
to formally assume responsibility for
operating an information system at an
acceptable level of risk to organizational
operations and assets, individuals, other
organizations, and the Nation.
• Deputy CIO
• Can be designated
19. ROLES AND RESPONSIBILITIES
• Common Control Provider
• Individual, group, or organization responsible
for the development, implementation,
assessment, and monitoring of common
controls (i.e., security controls inherited by
information systems).
• Information System Owner
• Organizational official responsible for the
procurement, development, integration,
modification, operation, maintenance, and
disposal of an information system.
20. ROLES AND RESPONSIBILITIES
• Information System Security Officer (ISSO)
• Individual responsible for ensuring that the appropriate
operational security posture is maintained for an
information system and as such, works in close
collaboration with the information system owner.
• Information Security Architect
• Individual, group, or organization responsible for
ensuring that the information security requirements
necessary to protect the organizational
missions/business functions are adequately addressed in
all aspects of enterprise architecture including reference
models, segment and solution architectures, and the
resulting information systems supporting those missions
and business processes.
21. ROLES AND RESPONSIBILITIES
• Security Control Assessor
• Individual, group, or organization responsible
for conducting a comprehensive assessment of
the management, operational, and technical
security controls employed within or inherited
by an information system to determine the
overall effectiveness of the controls (i.e., the
extent to which the controls are implemented
correctly, operating as intended, and producing
the desired outcome with respect to meeting
the security requirements for the system).