NIST presentation on RMF 2.0 / SP 800-37 rev. 2

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1
Kelley Dempsey
NIST IT Laboratory
Computer Security Division
NIST SP 800-37 Revision 2
Risk Management Framework for Information Systems and Organizations
A System Life Cycle Approach for Security and Privacy
(Final Public Draft)
Department of Commerce, October 2018
RMFRISK MANAGEMENT FRAMEWORK
2.0

NIST/ITL/CSD Public Comment Process
 All publications produced by CSD go through the public
comment process
 Your voice will be heard!!
 Receive notifications of newly posted drafts (and more) by
subscribing at http://csrc.nist.gov/publications/subscribe.html
 There may be one or more drafts of a given publication
 Drafts are published at
http://csrc.nist.gov/publications/PubsDrafts.html
 Lengths of public comment periods vary

Risk Management
“If we guard our toothbrushes
and diamonds with equal zeal, we will
lose fewer toothbrushes and more
diamonds.”
-McGeorge Bundy, National Security Advisor to U.S.
Presidents Kennedy and Johnson

Risk can never be eliminated and so it must be
MANAGED!!
Managing risk doesn’t mean
fixing everything,
nor does it mean
not fixing anything…
Risk Management
is about
knowledge and understanding!
Graphic copied from:
http://www.featurepics.com/online/Risk-
1109124.aspx

RMF Roles and Responsibilities
 Senior Accountable Official for Risk Management
and Risk Executive (Function)
 Senior Agency Official for Privacy
 Authorizing Official (AO) and Designated Rep
 Senior Information Security Officer
 Common Control Provider
 System Owner
 Information Owner/Steward
 System Security/Privacy Officer
 Control Assessor

SP 800-37 Rev 2 Timeline So Far
 Federal interagency working group review during spring 2017
 Extensive discussion sessions with OMB OIRA throughout
winter/spring 2017/2018
 JTF Review
 Initial Public Draft released 9 May 2018 with six week
comment period
 NIST adjudicated ~400 comments and developed FPD
 OIRA review and approval
 FPD released 2 October 2018

 Public comment period through 31 October 2018
https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/draft
 NIST and OIRA adjudicate FPD public comments
 NIST develops final publication
 Review by JTF
 Review and approval by OIRA
 Final publication planned for December 2018*
SP 800-37 Rev 2 Final Timeline
*Publication date dependent on OMB OIRA review and approval

RMF 2.0
CATEGORIZE
FIPS 199
SP 800-60
CUI Registry
ASSESS
SP 800-53A
AUTHORIZE
SP 800-37
MONITOR
SP 800-137/137A
NISTIR 8011
NISTIR 8212 & Tool
PREPARE
SP 800-18
SP 800-30
SP 800-39
SP 800-160
IMPLEMENT
Many NIST Pubs
SELECT
FIPS 200
SP 800-53

Authorization Boundaries (Section 2.5/App G)
 Defines the scope of protection for systems (i.e.,
what is included with the system to be authorized
WRT information, components, people, etc.)
 Includes system hardware, software, firmware,
processes, and technologies needed to support
organizational missions/business processes
 May or may not include the environment of operation
 Is established before system security categorization
and the development of security plans

Improvements in RMF 2.0
 Addition of organization and system level
Prepare Step and associated tasks
 Integrates privacy risk management
 Integrates supply chain risk management
 Expansion of Authorization options
 Aligns RMF with CSF
 Aligns RMF with security engineering
processes

RMF 2.0 Task Outcomes
Tasks Outcomes
Task I-1
CONTROL IMPLEMENTATION
 Controls specified in the security and privacy plans
are implemented.
[Cybersecurity Framework: PR.IP-1]
 Systems security and privacy engineering
methodologies are used to implement the controls
in the system security and privacy plans.
Task I-2
BASELINE CONFIGURATION
 The configuration baseline is established.
 The security and privacy plans are updated based on
information obtained during the implementation of
the controls.
[Cybersecurity Framework: Profile]

RMF 2.0 Task Structure
RISK ASSESSMENT—ORGANIZATION
Task P-3 Assess organization-wide security and privacy risk and update the results on an ongoing
basis.
Potential Inputs: Risk management strategy; mission or business objectives; current threat
information; system-level risk assessment results; previous organization-level risk assessment
results; security- and privacy-related information from continuous monitoring; information
sharing agreements or memoranda of understanding.
Potential Outputs: Organization-level risk assessment results.
Primary Responsibility: Senior Accountable Official for Risk Management or Risk Executive
(Function); Senior Agency Information Security Officer; Senior Agency Official for Privacy.
Supporting Roles: Chief Information Officer; Mission or Business Owner; Authorizing Official or
Authorizing Official Designated Representative.
Discussion: Risk assessment at the organizational level is focused on risk to mission or business
objectives and leverages aggregated information from system-level risk…..
References: NIST SP 800-30; NIST SP 800-39 (Organization Level, Mission/Business Process
Level); NIST SP 800-161; NIST IR 8062.
New

Privacy is Fully Integrated into RMF
 In accordance with OMB Circular A-130
 Privacy in the RMF addressed in section 2.3
 Privacy called out in task text as appropriate
(e.g., Task P-3 is to assess security and
privacy risk)
 Privacy-specific Inputs, Outputs, Roles, and
References specified as appropriate in tasks
 Privacy-specific detail in task discussions

RMF and CSF Alignment
 Inputs and Outputs reference CSF as
applicable, e.g., CSF profile as potential
output from Task P-4
 Task Outcome tables reference CSF
sections, categories, or sub-categories as
applicable
 References for tasks list applicable CSF
sections

Security Engineering and RMF Alignment
 Task references list related 800-160 process as
applicable
 Section 2.4 discusses system elements/enabling
systems and tasks focus on stakeholder
requirements

Supply Chain and RMF Alignment
 Discussion of Supply Chain Risk Management
(SCRM) within the RMF added in section 2.8
 SCRM addressed in Task discussions as applicable
 SCRM artifacts included in task Inputs and Outputs
as applicable
 SCRM responsibilities noted in Appendix D
 Supply chain risk is addressed as part of security risk

Prepare Step: Organization Level
 Task P-1: ID and assign people to RM roles
 Task P-2: Establish an org-wide RM strategy
 Task P-3: Assess organization-wide risk
 Task P-4: Org-wide tailored baselines (optional)
 Task P-5: Common Control identification
 Task P-6: Prioritize within impact level (optional)
 Task P-7: Organization-wide ISCM strategy

Prepare Step: System Level (1 of 2)
 Task P-8: ID missions/business functions and
processes to be supported by the system
 Task P-9: ID system stakeholders
 Task P-10: ID assets that require protection
 Task P-11: Determine authorization boundary
 Task P-12: ID information types

Prepare Step System Level (2 of 2)
 Task P-13: ID information lifecycle
 Task P-14: Assess system-level risk
 Task P-15: Define security and privacy
requirements for system and environment
 Task P-16: Determine placement within EA
 Task P-17: System registration IAW org policy

New/Revised Tasks in Existing Steps (1 of 2)
 Categorize, Task C-2: Review and approve
categorization results and decision
 Select, Task S-1: Allocate requirements
(expanded from identify common controls)
 Select, Task S-3: Tailor selected controls
 Select, Task S-4: Document planned
implementation details in plans
 Implement, Task I-2: Document implementation
details different from planned (config baseline)

New/Revised Tasks in Existing Steps (2 of 2)
 Assess, Task A-1: Select appropriate assessor
 Assess, Task A-6: POA&M (moved from Authorize)
 Authorize, Task R-2: Risk analysis added to risk
determination by AO
 Authorize, Task R-3: Respond to risk
 Authorize, Task R-5: Report the authorization
decision and significant risk as required

Authorization Options
 Authorization to Operate
 System Authorization (Traditional or Joint)
 Type Authorization
 Facility Authorization
 Common Control Authorization
 Authorization to Use
 Denial of Authorization
Note: Ongoing authorization supplemental guidance
(June 2014) incorporated into Appendix F

SP 800-53 Revision 5
Security and Privacy Controls for Information Systems and Organizations
As of October 2018

 Call for pre-comments spring 2016
 Adjudicated ~3000 comments and coordinated with
SMEs (Privacy, SCRM, ID Mgmt., Crypto, etc.)
 Federal interagency working group baseline review
during late winter/early spring 2017
 Extensive discussion sessions with OMB OIRA
throughout spring/summer 2017
 IPD published 15 August 2017
 Adjudicated ~2000 public comments as above
 FPD currently under development
800-53 Rev 5 Timeline So Far

 Final Public Draft (FPD) next steps:
 Review by JTF
 Review and approval by OMB OIRA
 FPD publication planned for January 2019*
 Final publication next steps:
 Adjudicate public comments on the FPD
 NIST develops final publication
 Reviews and approvals as above
 Final publication planned for Spring 2019*
800-53 Rev 5 Timeline for FPD and Final
*Publication date dependent on OMB OIRA review and approval

 Complete integration of privacy controls (removal
of Appendix J with App J mapping in FPD)
 Two new Privacy Control families in IPD changed
to different new Privacy Control family in FPD
 New Supply Chain control family in FPD
 Incorporated Program Management family into
main control set
 Complete control set in Chapter 3
800-53 Rev 5 Changes Summary (1 of 4)

 Baselines and tailoring guidance will be placed
in new volume, SP 800-53B
 Some changes to all baselines, mostly in
accordance with suggestions from working group
 Revised/clarified/added control language and
supplemental guidance
 Streamlined front matter to focus only on the
control set and how to use it

 Removed lead-in entities to each control
 Focus on outcomes
 Align with security engineering
 Align with Cybersecurity Framework
 Retained entity info in a column in table (App ?)
 Reduced the federal focus
 More usable and welcoming for all sectors
 More usable and applicable for all system types
 More usable for security engineering in all sectors

 Rearranged appendices
 Removed priority codes
 Keywords appendix added in IPD to be removed
in FPD and provided as supplemental material
 Thorough scrub of:
 Related Controls
 References
 Glossary
 ISO 27001 Mapping

Security Control Structure – Revision 5
AU-4 AUDIT LOG STORAGE CAPACITY
Control: Allocate audit log storage capacity to accommodate [Assignment: organization-
defined audit log retention requirements].
Discussion: Organizations consider the types of audit logging to be performed and the audit
log processing requirements when allocating audit log storage capacity. Allocating
sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded
and resulting in the potential loss or reduction of audit logging capability.
Related controls: AU-2, AU-5, AU-6, AU-7, AU-9, AU-11, AU-12, SI-4.
Control Enhancements:
(1) AUDIT LOG STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE
Transfer audit logs [Assignment: organization-defined frequency] to a different system, system
component, or media other than the system or system component conducting the logging.
Supplemental Guidance: This type of transfer, also known as off-loading, is a common process in systems
with limited audit log storage capacity and thus supports availability of the audit logs. The initial audit log
storage is used only in a transitory fashion until the system can communicate with the secondary or alternate
system allocated to audit log storage, at which point the audit logs are transferred. This control
enhancement is similar to AU-9(2) in that the audit logs are transferred to a different entity; however, the
primary purpose of selecting AU-9(2) is to protect the confidentiality and integrity of audit records.
Organizations can select either enhancement to obtain the dual benefit of increased audit log storage
capacity and preserving the confidentiality, integrity, and availability of audit records and logs.
Related controls: None
References: None.

Security Controls are Technology Neutral
 Security controls are intentionally not focused
on any specific technologies
 Security control implementations &
assessment methods will likely vary based
on the technology to which the control is
being applied, e.g.:
 Cloud-based systems
 Mobile systems
 Applications
 Sensors
 “IoT”

800-53B Rev 5 BaselinesCNTL
NO. CONTROL NAME
PRIVACY-
RELATED
CONTROL BASELINES
LOW MODERATE HIGH
Access Control – AC
AC-1 Access Control Policy and
Procedures
AC-1 AC-1 AC-1
AC-2 Account Management AC-2 AC-2 (1) (2)
(3) (4) (10)
(13)
AC-2 (1) (2)
(3) (4) (5) (10)
(11) (12) (13)
AC-3 Access Enforcement AC-3 AC-3 AC-3
AC-4 Information Flow Enforcement — AC-4 AC-4 (4)
AC-5 Separation of Duties — AC-5 AC-5
AC-6 Least Privilege AC-6 (7) (9) AC-6 (1) (2)
(5) (7) (9) (10)
AC-6 (1) (2)
(3) (5) (7) (9)
(10)
AC-7 Unsuccessful Logon Attempts AC-7 AC-7 AC-7
AC-8 System Use Notification AC-8 AC-8 AC-8
AC-9 Previous Logon (Access) Notification — — —
AC-10 Concurrent Session Control — — AC-10
AC-11 Device Lock — AC-11 (1) AC-11 (1)
AC-12 Session Termination — AC-12 AC-12
AC-13 Withdrawn
AC-14 Permitted Actions without
Identification or Authentication
AC-14 AC-14 AC-14

800-53 Rev 5 Appendix Excerpt
CONTROL NAME
CONTROL ENHANCEMENT NAME
WITHDRAWN
PRIVACY-
RELATED
IMPLEMENTED
BY
ASSURANCE
PL-1 Planning Policy and Procedures P O A
PL-2 Security and Privacy Plans P O A
PL-2(1) Concept of operations W Incorporated into PL-7.
PL-2(2) Functional architecture W Incorporated into PL-8.
PL-2(3) Plan and coordinate with other organizational
entities
P O A
PL-3 System Security Plan Update W Incorporated into PL-2.
PL-4 Rules of Behavior P O A
PL-4(1) Social media and networking restrictions O A
PL-5 Privacy Impact Assessment W Incorporated into RA-8.
PL-6 Security-Related Activity Planning W Incorporated into PL-2.
PL-7 Concept of Operations P O
PL-8 Security and Privacy Architectures P O A
PL-8(1) Defense-in-depth O A
PL-8(2) Supplier diversity P O A
PL-9 Central Management P O A
PL-10 Baseline Selection O
PL-11 Baseline Tailoring O
Note: Privacy-related controls and control enhancements are not allocated to baselines in this table. See XXX for control selection and
implementation guidance

 Privacy fully integrated throughout Rev 5
 Privacy controls from App J and OMB A-130 privacy
requirements incorporated into main control set
 Privacy controls added in existing families
 Most in Program Management family
 Some in other families (SA, SI)
 “Sharing” existing controls
 New privacy family: Processing Permissions (PP)
 Privacy Appendix to include:
 Mappings to OMB requirements and controls from App J
 Summary tables
800-53 Rev 5 Privacy Integration

800-53 Rev 5 FPD Control Families
ID FAMILY ID FAMILY
AC Access Control PE Physical and
Environmental Protection
AT Awareness and Training PL Planning
AU Audit and Accountability PM Program Management
CA Security Assessment and
Authorization
PP Processing Permissions*
CM Configuration Management PS Personnel Security
CP Contingency Planning RA Risk Assessment
IA Identification and
Authentication
SA System and Services
Acquisition
IR Incident Response SC System & Communications
Protection
MA Maintenance SP Supply Chain Protection*
MP Media Protection SI System and Information
Integrity
*New families in Rev 5 FPD

 Purpose: Increase agility and reduce effort and angst due
to significant change every 3-5 years
 Web application operational immediately after R5 final
 Provides workflows for:
 Customers to propose changes to all aspects of controls
 NIST staff to review proposals and push to SMEs if necessary
 Public comments on proposed changes
 Saving approved changes in a sandbox until next version
 JTF review, OIRA review/approval, Editorial Review Board
 Versions:
 Minor (to include errata) – planned for quarterly
 Major – planned for annually
800-53 Update Automation Application

Status of Other FISMA Publications
 SP 800-18 Rev 2, Security Plan Guideline: In progress, IPD early CY 2019.
 SP 800-47 Rev 1, Managing System Information Exchanges (working title):
In progress, IPD early CY 2019 (Current version title is Security Guide for
Interconnecting Information Technology Systems)
 SP 800-60 Rev 2, Information Types Guideline: Partnering with NARA to
incorporate CUI - Temporarily on hold
 SP 800-137A, Assessment Procedures for the ISCM Program: In progress,
IPD before end of CY 2018
 NIST SP 800-160*, Systems Security Engineering: Volume 1 published 11-
16, Volume 2 IPD on Multidisciplinary Approach to SE published 3-18
 NISTIR 8011*, Automation Support for Ongoing Assessment, Volumes 1 and
2: Final June 2017; Volume 3 in ERB/final to be published in next few weeks
 NISTIR 8212 and Tool, ISCM Assessment: In Progress, IPD early CY 2019
* Multiple volumes planned

Contact Information
Comments: sec-cert@nist.gov (goes to all of the above)
Web: csrc.nist.gov/sec-cert
Position Name
Project Leader and NIST Fellow Dr. Ron Ross
Team Lead and Senior Information
Security Specialist
Victoria Pillitteri
Senior Information Security Specialist Kelley Dempsey
Information Security Specialists Ned Goren, Jody Jacobs
Administrative Support Jeff Brewer

NIST presentation on RMF 2.0 / SP 800-37 rev. 2

More Related Content

What's hot

Similar to NIST presentation on RMF 2.0 / SP 800-37 rev. 2

More from NetLockSmith

Recently uploaded

NIST presentation on RMF 2.0 / SP 800-37 rev. 2