Categorize
Select
Implement
Assess
Authorize
Monitor
“Certification and accreditation is the methodology used to ensure that security controls are established for an information system, that these controls are functioning appropriately, and that management has authorized the operation of the system in its current security posture.”
- Official (ISC)2 Guide to the CAP CBK (1st ed.)
Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
- CNSS Instruction No. 4009
“The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.”
- NIST SP 800-37 rev 1
Why are Agencies riddled with security holes?
http://gcn.com/articles/2011/07/06/cyber-attacks-take-2-energy-labs-offline.aspx
//// Trainers Underground ////
The session will begin shortly.
Open/close Chat
Mute / unmute
Share Video
See attendees
Share/view presentation
You may need a microphone plugged in to join the Lync call.

Introduction to NIST’s Risk Management Framework (RMF)


Editor's Notes

  • #2 © 2013 Maze & Associates. Revision 9 (December 2013). Images from Microsoft Clipart unless otherwise noted; other sources: NIST and Donald E. Hester. Picture: Muir Beach, north of San Francisco, CA, photo by Donald E. Hester, all rights reserved.
  • #3 Picture: Fiori di Como, Bellagio Hotel, Las Vegas, NV, photo by Donald E. Hester, all rights reserved. Read: Official (ISC)2 Guide to the CAP CBK, Second Edition, Chapter 1, Introduction.
  • #4 Introduction
      • Background
      • A Risk Based Approach
      • What is Certification and Accreditation
      • What is the NIST Risk Management Framework
      • What is Authorization
      • Systems Security Approach
      • Benefits
      • External Drivers
  • #5 History
      • There is an obligation for each agency (or organization) to properly secure information.
      • Computer Security Act 1987; OMB A-130, Appendix III, implemented the act
      • National Computer Security Center (NCSC): NCSC-TG-029, Introduction to Certification and Accreditation, by NSA in 1994
      • DoD: DITSCAP
      • NSA: NIACAP in 2000
      • FISMA made law for public agencies: Federal Information Security Management Act 2002 (FISMA); NIST created standards and guidelines for implementation
      • DoD: DIACAP, DoD Instruction 8510.01, in 2007
      • Coming soon: Department of Defense Information Assurance Risk Management Framework (DIARMF)
  • #6 Standards and Guidelines
      • Public Law: compulsory and binding
      • Federal Information Processing Standards (FIPS): compulsory and binding; high-level objectives
      • NIST Special Publications (SP): OMB requires federal agencies to follow certain SPs; lower, more specific objectives; some flexibility in how agencies apply the guidance
      • NISTIR and ITL bulletins are mandatory only when specified by OMB
      • OMB policies, directives and memoranda
      • DoD and CNSS Instructions
  • #7 What is FISMA?
      • E-Government Act (Public Law 107-347) passed and signed into law in December 2002
      • Title III of the E-Government Act is the Federal Information Security Management Act (FISMA) (44 USC § 351)
      • Required for all government agencies: to develop, document, and implement an agency-wide information security program; to provide information security for the information and systems that support the operations and assets of the agency
      • Applies to contractors and other sources
  • #8 A Risk Based Approach
      • Emphasize a risk-based policy for cost-effective security: FISMA; the Paperwork Reduction Act of 1995; the Information Technology Management Reform Act of 1996 (Clinger-Cohen Act)
      • Supported by the Office of Management and Budget (OMB) through Circular A-130, Appendix III, Security of Federal Automated Information Resources
      • OMB defines adequate security as security commensurate with risk, to include the magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.
  • #9 FISMA Goals
      • Secure federal government systems
      • Understand risk to the mission at the organization-wide level: consistent, comparable, repeatable, complete, reliable, trustworthy
  • #10 Common Foundation
      • Collaboration: National Institute of Standards and Technology (NIST); Office of the Director of National Intelligence (ODNI); Department of Defense (DoD); Committee on National Security Systems (CNSS); the public (review and vetting)
      • Common foundation: uniform and consistent risk management; strong basis for reciprocal acceptance across the Defense, Intelligence and Civil sectors, state, local and tribal governments, as well as contractors and private organizations
      • The Joint Task Force Transformation Initiative Interagency Working Group is made up of NIST, ODNI, DoD and CNSS
  • #12 Risk Management Framework (RMF): NIST SP 800-37 Rev 1, § 2.1. It is a lifecycle.
  • #13 Certification and Accreditation: “Certification and accreditation is the methodology used to ensure that security controls are established for an information system, that these controls are functioning appropriately, and that management has authorized the operation of the system in its current security posture.” - Official (ISC)2 Guide to the CAP CBK (1st ed.)
  • #14 Information Assurance: Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. - CNSS Instruction No. 4009
  • #15 Recent Changes
      • Recent changes transform the traditional Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF)
      • The revised process emphasizes: building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls; maintaining awareness of the security state of information systems on an ongoing basis through enhanced monitoring processes; providing essential information to senior leaders to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the operation and use of information systems
  • #16 Term Transition: From NIST SP 800-37 to NIST SP 800-37 Rev 1 the concepts remain the same but the words change. You will also see that different sectors use different terminology.
  • #17 Certification (now Assessment)
      • Detailed security review of an information system
      • Comprehensive assessment of management, operational and technical security controls
      • To determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome
      • Providing the factual basis for an authorizing official to render a security accreditation decision
  • #18 Accreditation (now Authorization)
      • Security accreditation is the official management decision to operate
      • Given by a senior agency official (management); the official should have the authority to oversee the budget and business operations of the information system
      • Explicitly accepts the risk to operations, assets and individuals
      • Accepts responsibility for the security of the system and is fully accountable for it
  • #19 Authorization (new term): “The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.” - NIST SP 800-37 rev 1
  • #20 Multi-tiered Approach: NIST SP 800-37 Rev 1, § 2.1
  • #21 Graphic correction: “Bravo” not “Brovo”. System Security Approach
      • Security not at the application, device, data or user level
      • Security that encompasses a system made up of applications, devices, data and users
      • Easier and more cost effective to define ‘systems’ with boundaries and perimeters
      • Implement controls based upon the system and not the entire enterprise
  • #22 Benefits
      • Information security visibility
      • Management involvement
      • Management due diligence
      • Integrate security
      • Consistent implementation
      • Common goal
      • Ensure minimum security
      • Ensure proper controls in place
      • Ensure risk-based controls
      • Efficient use of resources and funds
  • #23 Discussion: Why are Agencies riddled with security holes? Picture Source: <http://www.fcw.com/Articles/2009/07/17/Web-GAO-FISMA-info-security.aspx>
  • #24 External Drivers
      • Security incidents
      • Financial scandals
      • Terrorist attacks
      • Natural disasters
      • Sarbanes-Oxley
      • Health Insurance Portability and Accountability Act
      • Gramm-Leach-Bliley Act
      • Clinger-Cohen
      • FISMA
      • PCI
  • #25 Example of external drivers: http://gcn.com/articles/2011/07/06/cyber-attacks-take-2-energy-labs-offline.aspx
  • #26 Review: What is the official management decision to operate? Certification / Authorization / Risk Assessment / Responsibility
  • #27 Review: What is a comprehensive assessment of management, operational, and technical security controls? Certification / Accreditation / Risk Assessment / Authorization