Authorization Boundaries
The authorization boundary for a system is established during the RMF Prepare step, at the system level, in Task P-11 (Authorization Boundary).
Organizations have flexibility in determining what constitutes the authorization boundary for a system.
Figure: system elements inside the boundary (servers, network)
Authorization Boundary Determination
System elements may be grouped into the same authorization boundary when they:
• Support the same mission or business functions;
• Have similar operating characteristics and security and privacy requirements;
• Process, store, and transmit similar types of information (e.g., categorized at the same impact level); or
• Reside in the same environment of operation (or in the case of a distributed system, reside in various locations with similar operating environments).
Revisited during Continuous monitoring
Authorization Boundaries
• The authorization boundary establishes the scope of protection for an information system (i.e.,
what the organization agrees to protect under its direct management or within the scope of its
responsibilities).
• Includes the people, processes, and information technologies (i.e., system elements) that are
part of each system supporting the organization’s missions and business functions.
• Authorization boundaries that are too expansive (i.e., include too many system elements or
components) make the risk management process unnecessarily complex.
• Conversely, authorization boundaries that are too limited (i.e., include too few system
elements or components) increase the number of systems that must be separately managed
and therefore, may unnecessarily inflate the information security and privacy costs for the
organization.
Boundaries
How to define a boundary
◦ Same direct management
◦ Controlled under the same budget
◦ Supports the same mission
◦ Same operating environment
Types
◦ General Support System (GSS)
◦ Major Application (MA)
◦ Minor Integrated Application (MIA)
Boundaries
Examples
◦ GSS
◦ Wide Area Network
◦ Servers
◦ Network Equipment
◦ Workstations
◦ Major Application
◦ Application Infrastructure
◦ MIA – Web Applications
Boundaries
Software Applications (MIA)
◦ Hosted on a GSS or MA
◦ MIAs depend on the resources provided by the hosting system
◦ Leverages the security controls of the hosting system
◦ MIA would be part of the hosting SSP
◦ Assessed when the hosting system undergoes assessment and authorization (legacy term: certification and accreditation, C&A)
◦ When added during the hosting system's authorization cycle, the application is reviewed prior to being put into production
Boundaries
System configuration can change
◦ Configuration Control Board
◦ Boundary revisited
◦ Annually
◦ System Owner/Senior Official
Boundaries
Complex System (GSS)
◦ More complex
◦ Consider breaking down into subsystems
◦ Firebird Example
◦ Common Controls
◦ Inheritance
◦ Specific Categorization for each subsystem
◦ Different security categorizations
◦ Examine the flow of information
Phase 2: Categorize
SYSTEM DESCRIPTION
Task C-1: Document the characteristics of the system.
◦ Potential Inputs: System design and requirements documentation; authorization boundary information; list of security and privacy
requirements allocated to the system, system elements, and the environment of operation; physical or other processes controlled by
system elements; system element information; system component inventory; system element supply chain information, including
inventory and supplier information; security categorization; data map of the information life cycle for information types processed,
stored, and transmitted by the system; information on system use, users, and roles.
◦ Expected Outputs: Documented system description.
Discussion
◦ Description of the system characteristics
◦ Version/Release
◦ System Architecture – Network Diagram
◦ Hardware/Software
SECURITY CATEGORIZATION
Task C-2: Categorize the system and document the security categorization results.
◦ Potential Inputs: Risk management strategy; organizational risk tolerance; authorization boundary (i.e., system) information;
organization- and system-level risk assessment results; information types processed, stored, or transmitted by the system; list of
security and privacy requirements allocated to the system, system elements, and environment of operation; organizational authority
or purpose for operating the system; business impact analyses or criticality analyses; information about missions, business functions,
and mission/business processes supported by the system.
◦ Expected Outputs: Impact levels determined for each information type and for each security objective (confidentiality, integrity,
availability); security categorization based on high-water mark of information type impact levels.
Discussion
◦ Operational Impact – Loss of CIA
◦ Minimum Security Control Baseline
Security Categorization
Information Types
◦ NIST SP 800-60 Volume I (the guide) and Volume II (the appendices listing information types with their provisional impact levels)
◦ FIPS 199
◦ The standard used by federal agencies to categorize information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels
◦ Information systems are categorized as Low, Moderate, or High impact (FIPS 199 defines impact levels, not risk levels) based on the Confidentiality, Integrity, and Availability requirements necessary to protect the information processed, stored, or transmitted by the system.
Security Categorization
FIPS 200 and SP 800-60
• SP 800-60 provides the guidelines recommending the types of information and information systems to be included in each category of potential security impact, and assists agencies in mapping security impact levels in a consistent manner to types of: (i) information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation); and (ii) information systems (e.g., mission critical, mission support, administrative).
• FIPS 200 specifies the minimum security requirements for federal information and information systems and requires that the controls satisfying them be selected from the NIST SP 800-53 baseline that corresponds to the system's FIPS 199 categorization.
Security Categorization
How much do HHS and American citizens rely on this system? Will HHS be able
to accomplish its mission and meet its objectives if this information is
compromised?
These questions should be asked during the Initiation Phase to help drive
selection of the security categories. The answers will determine the impact on
HHS in the event data is lost or inappropriately accessed or changed.
Assuming the system is not a national security system, a security category for
the system must be assigned using FIPS publication 199 and NIST SP 800-60
Volume 2.
Based on the results of the security categorization, you
assign a Low, Moderate, or High level of security to the three security
objectives: Confidentiality, Availability, and Integrity.
Security Categorization
High Water Mark
Based on FIPS 200, you choose the security control baseline in NIST SP 800-53 Rev. 5 (the Low, Moderate, and High baselines are published in SP 800-53B) that corresponds to the "high water mark", the highest impact level assigned to any of the three objectives.
For example, if the system has a Low confidentiality, a High integrity, and a Moderate availability categorization, the system will use the High security control baseline.
The new system may also affect the existing infrastructure.
For example, adding a system with a High security categorization into an existing network environment that is currently authorized for Low impact systems will require an upgrade to the network controls. Carefully consider how this system will be deployed to ensure it does not adversely impact the environment in which it will operate.
Security Categorization
Example:
◦ Benefits Management Information Type
◦ Benefits management designs, develops, and implements benefit programs that attract, retain and support current and former
agency employees. This sub-function includes: establishing and communicating benefits programs; processing benefits actions; and
interacting as necessary with third party benefits providers. The recommended provisional security categorization for benefits
management information is as follows:
◦ Security Category (FIPS 199 notation): SC = {(confidentiality, LOW), (integrity, LOW), (availability, LOW)}
Security Categorization
Based on the Low, Moderate, or High security categorization of your system,
you must implement the corresponding prescribed minimum baseline security
controls.
This set of controls represents a starting point for determining the appropriate
safeguards and controls required for HHS systems.
Baseline security controls are initially documented in the preliminary risk
assessment and are meant to be expanded as additional risks are identified.
Security controls commensurate with FIPS 199 and 200 as well as laws and
regulations must be selected and employed for every system.
Such requirements, along with HHS’ commitment to protecting the
confidentiality, integrity, and availability of its information and systems, drive
the development of security controls across all IT programs.
Security Categorization
Data Types Added Later
◦ Bad juju: an information type added after categorization can raise the impact level of an objective, move the high water mark, and invalidate the selected baseline, so re-run the categorization and revisit the boundary whenever a new information type is introduced
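The high water mark rule and the effect of a late-added information type, worked through in code. This is an added example, not part of the original deck or of any NIST publication: the `InfoType`, `categorize`, `high_water_mark` and `fits_environment` names are mine, the Benefits Management levels are the ones the deck quotes, and every other information type, its levels, and the Moderate hosting environment are constructed for illustration.

```python
"""Worked FIPS 199 categorization (added example, not from the original deck).

Aggregates per-information-type impact levels into a system security
category, derives the high water mark (HWM) that selects the SP 800-53
baseline, and shows how an information type added after the initial
categorization can raise the HWM past what the hosting environment is
authorized for. Benefits Management levels come from the deck; every
other information type and level below is constructed.
"""
from dataclasses import dataclass

# FIPS 199 impact levels in ascending order; the index doubles as the ordering key.
LEVELS = ("LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")


def _rank(level: str) -> int:
    """Ordering key for impact levels; rejects anything outside the FIPS 199 vocabulary."""
    try:
        return LEVELS.index(level.upper())
    except ValueError:
        raise ValueError(f"unknown impact level {level!r}; expected one of {LEVELS}") from None


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional (or agency-adjusted) impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for objective in OBJECTIVES:
            _rank(getattr(self, objective))  # validate at construction time

    def level(self, objective: str) -> str:
        return getattr(self, objective).upper()


def categorize(info_types) -> dict:
    """Per-objective maximum across all information types (the SP 800-60 aggregation step)."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    return {obj: max((t.level(obj) for t in info_types), key=_rank) for obj in OBJECTIVES}


def high_water_mark(category: dict) -> str:
    """Highest level across the three objectives; this is what selects the control baseline."""
    return max(category.values(), key=_rank)


def security_category(category: dict) -> str:
    """Render in FIPS 199 notation: SC = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    return "SC = {" + ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES) + "}"


def fits_environment(category: dict, environment_level: str) -> bool:
    """True if the hosting environment's authorized impact level covers this system's HWM."""
    return _rank(high_water_mark(category)) <= _rank(environment_level)


# Sample information types: Benefits Management is the deck's example, the others are constructed.
BENEFITS = InfoType("Benefits Management", "Low", "Low", "Low")
HEALTH_RECORDS = InfoType("Employee health records (constructed)", "Moderate", "Moderate", "Low")
ADJUDICATION = InfoType("Benefits adjudication (constructed)", "Low", "High", "Moderate")


def demo(environment_level: str = "MODERATE") -> dict:
    """Categorize before and after a late-added information type, against an assumed environment level."""
    before = categorize([BENEFITS, HEALTH_RECORDS])
    after = categorize([BENEFITS, HEALTH_RECORDS, ADJUDICATION])
    return {
        "before": security_category(before),
        "hwm_before": high_water_mark(before),
        "fits_before": fits_environment(before, environment_level),
        "after": security_category(after),
        "hwm_after": high_water_mark(after),
        "fits_after": fits_environment(after, environment_level),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints the category before and after the adjudication type is added: the system moves from a Moderate to a High high water mark and no longer fits an environment authorized only for Moderate, which is the situation the slide above warns about. Where an agency adjusts a provisional level under SP 800-60 Volume I, record the adjusted level on the InfoType and keep the rationale alongside it so the reviewer in Task C-3 can see why it departs from the appendix value.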
SECURITY CATEGORIZATION REVIEW AND APPROVAL
Task C-3: Review and approve the security categorization results and decision.
◦ Potential Inputs: Impact levels determined for each information type and for each security objective (confidentiality, integrity,
availability); security categorization based on high-water mark of information type impact levels; list of high value assets for the
organization.
◦ Expected Outputs: Approval of security categorization for the system.
Discussion
◦ Reviewed by the AO
◦ Consistent with the Mission of the Organization

More Related Content

Similar to L3 RMF Phase 2 Categorize.pptx

Addressing Gaps in Your Cyber Security
Addressing Gaps in Your Cyber Security Addressing Gaps in Your Cyber Security
Addressing Gaps in Your Cyber Security NextLabs, Inc.
 
Information security - 360 Degree Approach
Information security - 360 Degree ApproachInformation security - 360 Degree Approach
Information security - 360 Degree Approachharsh arora
 
L2 RMF Phase 1 Prepare.pptx
L2 RMF Phase 1 Prepare.pptxL2 RMF Phase 1 Prepare.pptx
L2 RMF Phase 1 Prepare.pptxStevenTharp2
 
Security Management Practices
Security Management PracticesSecurity Management Practices
Security Management Practicesamiable_indian
 
Controls in Audit.pptx
Controls in Audit.pptxControls in Audit.pptx
Controls in Audit.pptxHardikKundra
 
Guide for Applying The Risk Management Framework to Federal Information Systems
Guide for Applying The Risk Management Framework to Federal Information SystemsGuide for Applying The Risk Management Framework to Federal Information Systems
Guide for Applying The Risk Management Framework to Federal Information SystemsGuillermo Remache
 
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...abhichowdary16
 
NTXISSACSC2 - Four Deadly Traps in Using Information Security Frameworks by D...
NTXISSACSC2 - Four Deadly Traps in Using Information Security Frameworks by D...NTXISSACSC2 - Four Deadly Traps in Using Information Security Frameworks by D...
NTXISSACSC2 - Four Deadly Traps in Using Information Security Frameworks by D...North Texas Chapter of the ISSA
 
Eidws 107 information assurance
Eidws 107 information assuranceEidws 107 information assurance
Eidws 107 information assuranceIT2Alcorn
 
Secure Financial Intelligence System
Secure Financial Intelligence SystemSecure Financial Intelligence System
Secure Financial Intelligence SystemJoseph Yosi Margalit
 
ICAB - ITA Chapter 5 class 7-8 - Controls and Standards
ICAB - ITA Chapter 5 class 7-8 - Controls and StandardsICAB - ITA Chapter 5 class 7-8 - Controls and Standards
ICAB - ITA Chapter 5 class 7-8 - Controls and StandardsMohammad Abdul Matin Emon
 
Untitled document (4).docx
Untitled document (4).docxUntitled document (4).docx
Untitled document (4).docxmconsult141
 
Cisco cybersecurity essentials chapter - 6
Cisco cybersecurity essentials chapter - 6Cisco cybersecurity essentials chapter - 6
Cisco cybersecurity essentials chapter - 6Mukesh Chinta
 
From Zero to ATO: A Step-by-Step Guide on the DoD Compliance Framework
From Zero to ATO: A Step-by-Step Guide on the DoD Compliance FrameworkFrom Zero to ATO: A Step-by-Step Guide on the DoD Compliance Framework
From Zero to ATO: A Step-by-Step Guide on the DoD Compliance FrameworkAmazon Web Services
 
Information Security Identity and Access Management Administration 07072016
Information Security   Identity and Access Management Administration 07072016Information Security   Identity and Access Management Administration 07072016
Information Security Identity and Access Management Administration 07072016Leon Blum
 
Data Security Service Offering-v3
Data Security Service Offering-v3Data Security Service Offering-v3
Data Security Service Offering-v3Abe Newton
 
Module 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancemModule 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancemIlonaThornburg83
 

Similar to L3 RMF Phase 2 Categorize.pptx (20)

Addressing Gaps in Your Cyber Security
Addressing Gaps in Your Cyber Security Addressing Gaps in Your Cyber Security
Addressing Gaps in Your Cyber Security
 
System Security Plans 101
System Security Plans 101System Security Plans 101
System Security Plans 101
 
Information security - 360 Degree Approach
Information security - 360 Degree ApproachInformation security - 360 Degree Approach
Information security - 360 Degree Approach
 
L2 RMF Phase 1 Prepare.pptx
L2 RMF Phase 1 Prepare.pptxL2 RMF Phase 1 Prepare.pptx
L2 RMF Phase 1 Prepare.pptx
 
Security Management Practices
Security Management PracticesSecurity Management Practices
Security Management Practices
 
Controls in Audit.pptx
Controls in Audit.pptxControls in Audit.pptx
Controls in Audit.pptx
 
Guide for Applying The Risk Management Framework to Federal Information Systems
Guide for Applying The Risk Management Framework to Federal Information SystemsGuide for Applying The Risk Management Framework to Federal Information Systems
Guide for Applying The Risk Management Framework to Federal Information Systems
 
Ch10 Conducting Audits
Ch10 Conducting AuditsCh10 Conducting Audits
Ch10 Conducting Audits
 
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
 
NTXISSACSC2 - Four Deadly Traps in Using Information Security Frameworks by D...
NTXISSACSC2 - Four Deadly Traps in Using Information Security Frameworks by D...NTXISSACSC2 - Four Deadly Traps in Using Information Security Frameworks by D...
NTXISSACSC2 - Four Deadly Traps in Using Information Security Frameworks by D...
 
Eidws 107 information assurance
Eidws 107 information assuranceEidws 107 information assurance
Eidws 107 information assurance
 
Secure Financial Intelligence System
Secure Financial Intelligence SystemSecure Financial Intelligence System
Secure Financial Intelligence System
 
ICAB - ITA Chapter 5 class 7-8 - Controls and Standards
ICAB - ITA Chapter 5 class 7-8 - Controls and StandardsICAB - ITA Chapter 5 class 7-8 - Controls and Standards
ICAB - ITA Chapter 5 class 7-8 - Controls and Standards
 
Untitled document (4).docx
Untitled document (4).docxUntitled document (4).docx
Untitled document (4).docx
 
Cisco cybersecurity essentials chapter - 6
Cisco cybersecurity essentials chapter - 6Cisco cybersecurity essentials chapter - 6
Cisco cybersecurity essentials chapter - 6
 
From Zero to ATO: A Step-by-Step Guide on the DoD Compliance Framework
From Zero to ATO: A Step-by-Step Guide on the DoD Compliance FrameworkFrom Zero to ATO: A Step-by-Step Guide on the DoD Compliance Framework
From Zero to ATO: A Step-by-Step Guide on the DoD Compliance Framework
 
Information Security Identity and Access Management Administration 07072016
Information Security   Identity and Access Management Administration 07072016Information Security   Identity and Access Management Administration 07072016
Information Security Identity and Access Management Administration 07072016
 
Data Security Service Offering-v3
Data Security Service Offering-v3Data Security Service Offering-v3
Data Security Service Offering-v3
 
5757912.ppt
5757912.ppt5757912.ppt
5757912.ppt
 
Module 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancemModule 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancem
 

More from StevenTharp2

L11 Transition And Key Roles and SAT ROB IRP.pptx
L11 Transition And Key Roles and SAT ROB IRP.pptxL11 Transition And Key Roles and SAT ROB IRP.pptx
L11 Transition And Key Roles and SAT ROB IRP.pptxStevenTharp2
 
L5 RMF Phase 4 Implement.pptx
L5 RMF Phase 4 Implement.pptxL5 RMF Phase 4 Implement.pptx
L5 RMF Phase 4 Implement.pptxStevenTharp2
 
L6 RMF Phase 5 Assess.pptx
L6 RMF Phase 5 Assess.pptxL6 RMF Phase 5 Assess.pptx
L6 RMF Phase 5 Assess.pptxStevenTharp2
 
L13 SDLC and Risk Management.pptx
L13 SDLC and Risk Management.pptxL13 SDLC and Risk Management.pptx
L13 SDLC and Risk Management.pptxStevenTharp2
 
L1_Introduction.pptx
L1_Introduction.pptxL1_Introduction.pptx
L1_Introduction.pptxStevenTharp2
 
L8 RMF Phase 7 Monitor.pptx
L8 RMF Phase 7 Monitor.pptxL8 RMF Phase 7 Monitor.pptx
L8 RMF Phase 7 Monitor.pptxStevenTharp2
 
L7 RMF Phase 6 Authorize.pptx
L7 RMF Phase 6 Authorize.pptxL7 RMF Phase 6 Authorize.pptx
L7 RMF Phase 6 Authorize.pptxStevenTharp2
 
L12 CP CMP PIA BIA.pptx
L12 CP CMP PIA BIA.pptxL12 CP CMP PIA BIA.pptx
L12 CP CMP PIA BIA.pptxStevenTharp2
 

More from StevenTharp2 (8)

L11 Transition And Key Roles and SAT ROB IRP.pptx
L11 Transition And Key Roles and SAT ROB IRP.pptxL11 Transition And Key Roles and SAT ROB IRP.pptx
L11 Transition And Key Roles and SAT ROB IRP.pptx
 
L5 RMF Phase 4 Implement.pptx
L5 RMF Phase 4 Implement.pptxL5 RMF Phase 4 Implement.pptx
L5 RMF Phase 4 Implement.pptx
 
L6 RMF Phase 5 Assess.pptx
L6 RMF Phase 5 Assess.pptxL6 RMF Phase 5 Assess.pptx
L6 RMF Phase 5 Assess.pptx
 
L13 SDLC and Risk Management.pptx
L13 SDLC and Risk Management.pptxL13 SDLC and Risk Management.pptx
L13 SDLC and Risk Management.pptx
 
L1_Introduction.pptx
L1_Introduction.pptxL1_Introduction.pptx
L1_Introduction.pptx
 
L8 RMF Phase 7 Monitor.pptx
L8 RMF Phase 7 Monitor.pptxL8 RMF Phase 7 Monitor.pptx
L8 RMF Phase 7 Monitor.pptx
 
L7 RMF Phase 6 Authorize.pptx
L7 RMF Phase 6 Authorize.pptxL7 RMF Phase 6 Authorize.pptx
L7 RMF Phase 6 Authorize.pptx
 
L12 CP CMP PIA BIA.pptx
L12 CP CMP PIA BIA.pptxL12 CP CMP PIA BIA.pptx
L12 CP CMP PIA BIA.pptx
 

Recently uploaded

Item # 4 - 231 Encino Ave (Significance Only).pdf
Item # 4 - 231 Encino Ave (Significance Only).pdfItem # 4 - 231 Encino Ave (Significance Only).pdf
Item # 4 - 231 Encino Ave (Significance Only).pdfahcitycouncil
 
Cunningham Road Call Girls Bangalore WhatsApp 8250192130 High Profile Service
Cunningham Road Call Girls Bangalore WhatsApp 8250192130 High Profile ServiceCunningham Road Call Girls Bangalore WhatsApp 8250192130 High Profile Service
Cunningham Road Call Girls Bangalore WhatsApp 8250192130 High Profile ServiceHigh Profile Call Girls
 
DNV publication: China Energy Transition Outlook 2024
DNV publication: China Energy Transition Outlook 2024DNV publication: China Energy Transition Outlook 2024
DNV publication: China Energy Transition Outlook 2024Energy for One World
 
PPT Item # 4 - 231 Encino Ave (Significance Only)
PPT Item # 4 - 231 Encino Ave (Significance Only)PPT Item # 4 - 231 Encino Ave (Significance Only)
PPT Item # 4 - 231 Encino Ave (Significance Only)ahcitycouncil
 
2024: The FAR, Federal Acquisition Regulations - Part 28
2024: The FAR, Federal Acquisition Regulations - Part 282024: The FAR, Federal Acquisition Regulations - Part 28
2024: The FAR, Federal Acquisition Regulations - Part 28JSchaus & Associates
 
CBO’s Recent Appeals for New Research on Health-Related Topics
CBO’s Recent Appeals for New Research on Health-Related TopicsCBO’s Recent Appeals for New Research on Health-Related Topics
CBO’s Recent Appeals for New Research on Health-Related TopicsCongressional Budget Office
 
VIP High Profile Call Girls Gorakhpur Aarushi 8250192130 Independent Escort S...
VIP High Profile Call Girls Gorakhpur Aarushi 8250192130 Independent Escort S...VIP High Profile Call Girls Gorakhpur Aarushi 8250192130 Independent Escort S...
VIP High Profile Call Girls Gorakhpur Aarushi 8250192130 Independent Escort S...Suhani Kapoor
 
VIP Call Girl mohali 7001035870 Enjoy Call Girls With Our Escorts
VIP Call Girl mohali 7001035870 Enjoy Call Girls With Our EscortsVIP Call Girl mohali 7001035870 Enjoy Call Girls With Our Escorts
VIP Call Girl mohali 7001035870 Enjoy Call Girls With Our Escortssonatiwari757
 
(DIYA) Call Girls Saswad ( 7001035870 ) HI-Fi Pune Escorts Service
(DIYA) Call Girls Saswad ( 7001035870 ) HI-Fi Pune Escorts Service(DIYA) Call Girls Saswad ( 7001035870 ) HI-Fi Pune Escorts Service
(DIYA) Call Girls Saswad ( 7001035870 ) HI-Fi Pune Escorts Serviceranjana rawat
 
VIP Call Girls Pune Vani 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Vani 8617697112 Independent Escort Service PuneVIP Call Girls Pune Vani 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Vani 8617697112 Independent Escort Service PuneCall girls in Ahmedabad High profile
 
Zechariah Boodey Farmstead Collaborative presentation - Humble Beginnings
Zechariah Boodey Farmstead Collaborative presentation -  Humble BeginningsZechariah Boodey Farmstead Collaborative presentation -  Humble Beginnings
Zechariah Boodey Farmstead Collaborative presentation - Humble Beginningsinfo695895
 
How the Congressional Budget Office Assists Lawmakers
How the Congressional Budget Office Assists LawmakersHow the Congressional Budget Office Assists Lawmakers
How the Congressional Budget Office Assists LawmakersCongressional Budget Office
 
WIPO magazine issue -1 - 2024 World Intellectual Property organization.
WIPO magazine issue -1 - 2024 World Intellectual Property organization.WIPO magazine issue -1 - 2024 World Intellectual Property organization.
WIPO magazine issue -1 - 2024 World Intellectual Property organization.Christina Parmionova
 
Fair Trash Reduction - West Hartford, CT
Fair Trash Reduction - West Hartford, CTFair Trash Reduction - West Hartford, CT
Fair Trash Reduction - West Hartford, CTaccounts329278
 
Human-AI Collaboration for Virtual Capacity in Emergency Operation Centers (E...
Human-AI Collaborationfor Virtual Capacity in Emergency Operation Centers (E...Human-AI Collaborationfor Virtual Capacity in Emergency Operation Centers (E...
Human-AI Collaboration for Virtual Capacity in Emergency Operation Centers (E...Hemant Purohit
 
VIP Call Girls Service Bikaner Aishwarya 8250192130 Independent Escort Servic...
VIP Call Girls Service Bikaner Aishwarya 8250192130 Independent Escort Servic...VIP Call Girls Service Bikaner Aishwarya 8250192130 Independent Escort Servic...
VIP Call Girls Service Bikaner Aishwarya 8250192130 Independent Escort Servic...Suhani Kapoor
 
The Most Attractive Pune Call Girls Handewadi Road 8250192130 Will You Miss T...
The Most Attractive Pune Call Girls Handewadi Road 8250192130 Will You Miss T...The Most Attractive Pune Call Girls Handewadi Road 8250192130 Will You Miss T...
The Most Attractive Pune Call Girls Handewadi Road 8250192130 Will You Miss T...ranjana rawat
 

Recently uploaded (20)

Item # 4 - 231 Encino Ave (Significance Only).pdf
Item # 4 - 231 Encino Ave (Significance Only).pdfItem # 4 - 231 Encino Ave (Significance Only).pdf
Item # 4 - 231 Encino Ave (Significance Only).pdf
 
Cunningham Road Call Girls Bangalore WhatsApp 8250192130 High Profile Service
Cunningham Road Call Girls Bangalore WhatsApp 8250192130 High Profile ServiceCunningham Road Call Girls Bangalore WhatsApp 8250192130 High Profile Service
Cunningham Road Call Girls Bangalore WhatsApp 8250192130 High Profile Service
 
DNV publication: China Energy Transition Outlook 2024
DNV publication: China Energy Transition Outlook 2024DNV publication: China Energy Transition Outlook 2024
DNV publication: China Energy Transition Outlook 2024
 
How to Save a Place: 12 Tips To Research & Know the Threat
How to Save a Place: 12 Tips To Research & Know the ThreatHow to Save a Place: 12 Tips To Research & Know the Threat
How to Save a Place: 12 Tips To Research & Know the Threat
 
PPT Item # 4 - 231 Encino Ave (Significance Only)
PPT Item # 4 - 231 Encino Ave (Significance Only)PPT Item # 4 - 231 Encino Ave (Significance Only)
PPT Item # 4 - 231 Encino Ave (Significance Only)
 
2024: The FAR, Federal Acquisition Regulations - Part 28
2024: The FAR, Federal Acquisition Regulations - Part 282024: The FAR, Federal Acquisition Regulations - Part 28
2024: The FAR, Federal Acquisition Regulations - Part 28
 
CBO’s Recent Appeals for New Research on Health-Related Topics
CBO’s Recent Appeals for New Research on Health-Related TopicsCBO’s Recent Appeals for New Research on Health-Related Topics
CBO’s Recent Appeals for New Research on Health-Related Topics
 
VIP High Profile Call Girls Gorakhpur Aarushi 8250192130 Independent Escort S...
VIP High Profile Call Girls Gorakhpur Aarushi 8250192130 Independent Escort S...VIP High Profile Call Girls Gorakhpur Aarushi 8250192130 Independent Escort S...
VIP High Profile Call Girls Gorakhpur Aarushi 8250192130 Independent Escort S...
 
VIP Call Girl mohali 7001035870 Enjoy Call Girls With Our Escorts
VIP Call Girl mohali 7001035870 Enjoy Call Girls With Our EscortsVIP Call Girl mohali 7001035870 Enjoy Call Girls With Our Escorts
VIP Call Girl mohali 7001035870 Enjoy Call Girls With Our Escorts
 
(DIYA) Call Girls Saswad ( 7001035870 ) HI-Fi Pune Escorts Service
(DIYA) Call Girls Saswad ( 7001035870 ) HI-Fi Pune Escorts Service(DIYA) Call Girls Saswad ( 7001035870 ) HI-Fi Pune Escorts Service
(DIYA) Call Girls Saswad ( 7001035870 ) HI-Fi Pune Escorts Service
 
Call Girls Service Connaught Place @9999965857 Delhi 🫦 No Advance VVIP 🍎 SER...
Call Girls Service Connaught Place @9999965857 Delhi 🫦 No Advance  VVIP 🍎 SER...Call Girls Service Connaught Place @9999965857 Delhi 🫦 No Advance  VVIP 🍎 SER...
Call Girls Service Connaught Place @9999965857 Delhi 🫦 No Advance VVIP 🍎 SER...
 
VIP Call Girls Pune Vani 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Vani 8617697112 Independent Escort Service PuneVIP Call Girls Pune Vani 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Vani 8617697112 Independent Escort Service Pune
 
Zechariah Boodey Farmstead Collaborative presentation - Humble Beginnings
Zechariah Boodey Farmstead Collaborative presentation -  Humble BeginningsZechariah Boodey Farmstead Collaborative presentation -  Humble Beginnings
Zechariah Boodey Farmstead Collaborative presentation - Humble Beginnings
 
How the Congressional Budget Office Assists Lawmakers
How the Congressional Budget Office Assists LawmakersHow the Congressional Budget Office Assists Lawmakers
How the Congressional Budget Office Assists Lawmakers
 
WIPO magazine issue -1 - 2024 World Intellectual Property organization.
WIPO magazine issue -1 - 2024 World Intellectual Property organization.WIPO magazine issue -1 - 2024 World Intellectual Property organization.
WIPO magazine issue -1 - 2024 World Intellectual Property organization.
 
Delhi Russian Call Girls In Connaught Place ➡️9999965857 India's Finest Model...
Delhi Russian Call Girls In Connaught Place ➡️9999965857 India's Finest Model...Delhi Russian Call Girls In Connaught Place ➡️9999965857 India's Finest Model...
Delhi Russian Call Girls In Connaught Place ➡️9999965857 India's Finest Model...
 
Fair Trash Reduction - West Hartford, CT
Fair Trash Reduction - West Hartford, CTFair Trash Reduction - West Hartford, CT
Fair Trash Reduction - West Hartford, CT
 
Human-AI Collaboration for Virtual Capacity in Emergency Operation Centers (E...
Human-AI Collaborationfor Virtual Capacity in Emergency Operation Centers (E...Human-AI Collaborationfor Virtual Capacity in Emergency Operation Centers (E...
Human-AI Collaboration for Virtual Capacity in Emergency Operation Centers (E...
 
VIP Call Girls Service Bikaner Aishwarya 8250192130 Independent Escort Servic...
VIP Call Girls Service Bikaner Aishwarya 8250192130 Independent Escort Servic...VIP Call Girls Service Bikaner Aishwarya 8250192130 Independent Escort Servic...
VIP Call Girls Service Bikaner Aishwarya 8250192130 Independent Escort Servic...
 
The Most Attractive Pune Call Girls Handewadi Road 8250192130 Will You Miss T...
The Most Attractive Pune Call Girls Handewadi Road 8250192130 Will You Miss T...The Most Attractive Pune Call Girls Handewadi Road 8250192130 Will You Miss T...
The Most Attractive Pune Call Girls Handewadi Road 8250192130 Will You Miss T...
 

L3 RMF Phase 2 Categorize.pptx

  • 1. Authorization Boundaries Authorization boundary for a system is established during the RMF Prepare Task – System level, Task P-11 Organizations have flexibility in determining what constitutes the authorization boundary for a system. System Elements Servers Network
  • 2. Authorization Boundary Determination • Support the same mission or business functions; • Have similar operating characteristics and security and privacy requirements; • Process, store, and transmit similar types of information (e.g., categorized at the same impact level); or • Reside in the same environment of operation (or in the case of a distributed system, reside in various locations with similar operating environments). Revisited during Continuous monitoring
  • 3.
  • 4. Authorization Boundaries • The authorization boundary establishes the scope of protection for an information system (i.e., what the organization agrees to protect under its direct management or within the scope of its responsibilities). • Includes the people, processes, and information technologies (i.e., system elements) that are part of each system supporting the organization’s missions and business functions. • Authorization boundaries that are too expansive (i.e., include too many system elements or components) make the risk management process unnecessarily complex. • Conversely, authorization boundaries that are too limited (i.e., include too few system elements or components) increase the number of systems that must be separately managed and therefore, may unnecessarily inflate the information security and privacy costs for the organization.
  • 5. Boundaries How to define a boundary ◦ Same direct management ◦ Controlled under the same budget ◦ Supports the same mission ◦ Same operating environment Types ◦ General Support System (GSS) ◦ Major Application (MA) ◦ Minor Integrated Application (MIA)
  • 6. Boundaries Examples ◦ GSS ◦ Wider Area Network ◦ Servers ◦ Network Equipment ◦ Workstations ◦ Major Application ◦ Application Infrastructure ◦ MIA – Web Applications
  • 7. Boundaries Software Applications (MIA) ◦ Hosted on a GSS or MA ◦ MIAs depend on the resources provided by the hosting system ◦ Leverages the security controls of the hosting system ◦ MIA would be part of the hosting SSP ◦ Assessed when the hosting system is C&A ◦ When added during the C&A cycle the application is reviewed prior to being put into production
  • 8. Boundaries System configuration can change ◦ Configuration Control Board ◦ Boundary revisited ◦ Annually ◦ System Owner/Senior Official
  • 9. Boundaries Complex System (GSS) ◦ More complex ◦ Consider breaking down into subsystems ◦ Firebird Example ◦ Common Controls ◦ Inheritance ◦ Specific Categorization for each subsystem ◦ Different security categorizations ◦ Examine the flow of information
  • 12. SYSTEM DESCRIPTION Task C-1: Document the characteristics of the system. ◦ Potential Inputs: System design and requirements documentation; authorization boundary information; list of security and privacy requirements allocated to the system, system elements, and the environment of operation; physical or other processes controlled by system elements; system element information; system component inventory; system element supply chain information, including inventory and supplier information; security categorization; data map of the information life cycle for information types processed, stored, and transmitted by the system; information on system use, users, and roles. ◦ Expected Outputs: Documented system description. Discussion ◦ Description of the system characteristics ◦ Version/Release ◦ System Architecture – Network Diagram ◦ Hardware/Software
  • 13. SECURITY CATEGORIZATION Task C-2: Categorize the system and document the security categorization results. ◦ Potential Inputs: Risk management strategy; organizational risk tolerance; authorization boundary (i.e., system) information; organization- and system-level risk assessment results; information types processed, stored, or transmitted by the system; list of security and privacy requirements allocated to the system, system elements, and environment of operation; organizational authority or purpose for operating the system; business impact analyses or criticality analyses; information about missions, business functions, and mission/business processes supported by the system. ◦ Expected Outputs: Impact levels determined for each information type and for each security objective (confidentiality, integrity, availability); security categorization based on high-water mark of information type impact levels. Discussion ◦ Operational Impact – Loss of CIA ◦ Minimum Security Control Baseline
  • 14. Security Categorization Information Types ◦ SP 800-60 Volume I & II ◦ FIPS 199 ◦ The standard used by federal agencies to categorize information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels ◦ Information systems are categorized as Low, Moderate, or High impact based on the Confidentiality, Integrity, and Availability protection required for the data/information processed, stored, or transmitted by the information system (FIPS 199 expresses the category as potential impact, not as system risk).
  • 15. Security Categorization FIPS 200 and SP 800-60 • FIPS 200 specifies the minimum security requirements for federal information and information systems and ties the FIPS 199 impact level to the SP 800-53 control baseline. • The guidelines recommending the types of information and information systems to be included in each category of potential security impact are in SP 800-60. • SP 800-60 assists agencies in mapping security impact levels in a consistent manner to types of: (i) information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation); and (ii) information systems (e.g., mission critical, mission support, administrative).
  • 16. Security Categorization How much do HHS and American citizens rely on this system? Will HHS be able to accomplish its mission and meet its objectives if this information is compromised? These questions should be asked during the Initiation Phase to help drive selection of the security categories. The answers determine the impact on HHS in the event data is lost or inappropriately accessed or changed. Assuming the system is not a national security system, a security category for the system must be assigned using FIPS 199 and NIST SP 800-60 Volume II. Based on the results of the security categorization, you assign a Low, Moderate, or High level to each of the three security objectives: Confidentiality, Integrity, and Availability.
  • 18. Security Categorization Based on FIPS 200, you choose the security controls in NIST SP 800-53 Rev. 5 (the Rev. 5 baselines themselves are published in SP 800-53B) that correspond to the "high water mark", the highest level assigned to any of the three objectives. For example, if the system has a Low confidentiality, a High integrity, and a Moderate availability categorization, the system uses the High baseline. The new system may also affect the existing infrastructure. For example, adding a system with a High security categorization into an existing network environment that is currently authorized for Low impact systems will require an upgrade to the network controls. Carefully consider how this system will be deployed to ensure it does not adversely impact the environment in which it will operate.
  • 19. Security Categorization Example: ◦ Benefits Management Information Type ◦ Benefits management designs, develops, and implements benefit programs that attract, retain and support current and former agency employees. This sub-function includes: establishing and communicating benefits programs; processing benefits actions; and interacting as necessary with third party benefits providers. The recommended provisional security categorization for benefits management information is as follows: ◦ Security Category SC = {(confidentiality, Low), (integrity, Low), (availability, Low)}
  • 20. Security Categorization Based on the Low, Moderate, or High security categorization of your system, you must implement the corresponding prescribed minimum baseline security controls. This set of controls is a starting point for determining the appropriate safeguards and controls required for HHS systems. Baseline security controls are initially documented in the preliminary risk assessment and are meant to be expanded as additional risks are identified. Security controls commensurate with FIPS 199 and 200 as well as laws and regulations must be selected and employed for every system. Such requirements, along with HHS' commitment to protecting the confidentiality, integrity, and availability of its information and systems, drive the development of security controls across all IT programs.
  • 21. Security Categorization Data Types Added Later ◦ Bad juju ◦ An information type added after categorization can raise the high water mark, which changes the control baseline and means control selection, the SSP and the assessment must be revisited
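The high water mark rule on slide 18, the Benefits Management example on slide 19 and the "data types added later" problem on slide 21 can be worked through as code. The following is an added example written for this page, not code from the deck or from NIST: it applies the FIPS 199 / SP 800-60 aggregation (per objective, the maximum across information types; then the maximum across objectives picks the baseline) and flags when adding a type changes the baseline. Benefits Management is the deck's example; the "Public Web Content" and "Employee Medical Records" information types and their levels are constructed for illustration and are not SP 800-60 entries.

```python
# Added example (not from the slide deck): FIPS 199 / SP 800-60 style
# categorization. Per information type, each objective (C, I, A) gets a
# provisional impact level; the system category is the per-objective maximum
# across all types, and the baseline is the high water mark across objectives.
# All information types and levels below other than Benefits Management are
# constructed for illustration.
from typing import Dict, Tuple

LEVELS = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
NAMES = {v: k for k, v in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")
Category = Dict[str, str]


def validate(name: str, cat: Category) -> None:
    """FIPS 199 allows 'NA' only for the confidentiality of an information
    type (e.g. public information); integrity and availability always carry
    Low/Moderate/High, and a whole system is never NA."""
    for obj in OBJECTIVES:
        lvl = str(cat.get(obj, "")).upper()
        if lvl not in LEVELS:
            raise ValueError(f"{name}: invalid {obj} level {lvl!r}")
        if lvl == "NA" and obj != "confidentiality":
            raise ValueError(f"{name}: NA is only permitted for confidentiality")


def aggregate(info_types: Dict[str, Category]) -> Category:
    """System security category: for each objective, the highest impact level
    among the information types the system processes, stores or transmits."""
    if not info_types:
        raise ValueError("no information types: categorize before selecting controls")
    system = {obj: LEVELS["NA"] for obj in OBJECTIVES}
    for name, cat in info_types.items():
        validate(name, cat)
        for obj in OBJECTIVES:
            system[obj] = max(system[obj], LEVELS[cat[obj].upper()])
    # NA never applies at the system level: a system holding only public
    # information is still categorized Low for confidentiality.
    system["confidentiality"] = max(system["confidentiality"], LEVELS["LOW"])
    return {obj: NAMES[lvl] for obj, lvl in system.items()}


def high_water_mark(system_cat: Category) -> str:
    """Overall impact level that selects the SP 800-53 baseline (FIPS 200)."""
    return NAMES[max(LEVELS[system_cat[obj].upper()] for obj in OBJECTIVES)]


def add_information_type(info_types: Dict[str, Category], name: str,
                         cat: Category) -> Tuple[Category, str, bool]:
    """Recategorize after a data type is added later (the 'bad juju' case):
    returns the new system category, the new high water mark, and whether
    the baseline changed, meaning control selection must be redone."""
    before = high_water_mark(aggregate(info_types))
    updated = dict(info_types)
    updated[name] = cat
    new_cat = aggregate(updated)
    after = high_water_mark(new_cat)
    return new_cat, after, after != before


def fips199_notation(cat: Category) -> str:
    """Render in the FIPS 199 form SC = {(confidentiality, X), ...}."""
    return "SC = {" + ", ".join(f"({obj}, {cat[obj]})" for obj in OBJECTIVES) + "}"


# Benefits Management is the deck's example; the other two types are constructed.
INITIAL_TYPES = {
    "Benefits Management": {"confidentiality": "Low", "integrity": "Low", "availability": "Low"},
    "Public Web Content":  {"confidentiality": "NA", "integrity": "Low", "availability": "Low"},
}
LATER_TYPE = ("Employee Medical Records",  # constructed, not an SP 800-60 entry
              {"confidentiality": "Moderate", "integrity": "Moderate", "availability": "Low"})

if __name__ == "__main__":
    base = aggregate(INITIAL_TYPES)
    print(fips199_notation(base), "->", high_water_mark(base), "baseline")
    new_cat, hwm, changed = add_information_type(INITIAL_TYPES, *LATER_TYPE)
    print(fips199_notation(new_cat), "->", hwm, "baseline; changed:", changed)
```

Run as a script it categorizes the initial two types as Low across the board, then shows that adding the Moderate information type moves the system to the Moderate baseline, which is exactly the case slide 21 warns about: the controls selected against the Low baseline, the SSP and any completed assessment no longer match the system.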
  • 22. SECURITY CATEGORIZATION REVIEW AND APPROVAL Task C-3: Review and approve the security categorization results and decision. ◦ Potential Inputs: Impact levels determined for each information type and for each security objective (confidentiality, integrity, availability); security categorization based on high-water mark of information type impact levels; list of high value assets for the organization. ◦ Expected Outputs: Approval of security categorization for the system. Discussion ◦ Reviewed by the AO ◦ Consistent with the Mission of the Organization