Downloaded 206 times
Uploaded byDonald E. Hester
RMF Roles and Responsibilities (Part 1)
The document outlines the roles and responsibilities of various officials in managing information security within an agency, emphasizing the importance of a centralized security program, timely certifications, and clear delegation of authority. Key positions include the Chief Information Officer, Information System Security Officer, and certification agents who assess security controls and automate compliance. It highlights the need for strategic cooperation among senior management to maintain effective security measures against vulnerabilities.
More Related Content
Similar to RMF Roles and Responsibilities (Part 1)
![5G Explained! A High Level Overview [Introduction]](https://cdn.slidesharecdn.com/ss_thumbnails/5gexplainedahighleveloverview-260119165306-cc137a3e-thumbnail.jpg?width=640&height=640&fit=bounds)
RMF Roles and Responsibilities (Part 1)
- 7. “The Chief Information Officer,with the support of the senior agency information security officer, works closely with authorizing officials and their designated representatives to ensure that an agency-wide security program is effectively implemented, that the certifications and accreditations required across the agency are accomplished in a timely and cost-effective manner, and that there is centralized reporting of all security-related activities. “ NIST SP 800-37
- 10. “A senior management officialor executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations, agency assets, or individuals.” - NIST SP 800-37
- 12. “Official responsible forthe overall procurement, development, integration, modification, or operation and maintenance of an information system. “ - (NIST SP 800-37)
- 13. “Individual responsible forthe installation and maintenance of an information system, providing effective information system utilization, adequate security parameters, and sound implementation of established Information Assurance policy and procedures.” CNSS Instruction No. 4009
- 14. “The information systemsecurity officer often plays an active role in developing and updating the system security plan as well as in managing and controlling changes to the system and assessing the security impact of those changes.“ NIST SP 800-37
- 18. The certification agentis an individual, group, or organization responsible for conducting a security certification, or comprehensive assessment of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. - NIST SP 800-37
- 28. “At the discretionof senior agency officials, certain security certification and accreditation roles may be delegated and if so, appropriately documented. Agency officials may appoint appropriately qualified individuals, to include contractors, to perform the activities associated with any security certification and accreditation role with the exception of the Chief Information Officer and authorizing official. The Chief Information Officer and authorizing official have inherent United States Government authority, and those roles should be assigned to government personnel only. Individuals serving in delegated roles are able to operate with the authority of agency officials within the limits defined for the specific certification and accreditation activities. Agency officials retain ultimate responsibility, however, for the results of actions performed by individuals serving in delegated roles. “ NIST SP 800-37
- 29.
- 30. IG IA SCA SISO ISSM ISSO CIO SO SA BUM IO EU Program Level System Level Audit Security IT Business Unit Middle-Tier Independence AO Risk Executive Function Head of Agency (CEO) SOD SOD Mission
- 31. DoDI 8510.01 &8500.2 SP 800-37 Rev 1 Head od DoD Components Head of Agency (CEO) Principle Accrediting Authority (PAA) Risk Executive Function and/or Approving Authority (AA) Senior Information Assurance Officer (SIAO) Senior Information Security Officer (SISO) Designated Accrediting Authority (DAA) Approving Authority (AA) Systems Manager Common Control Provider and/or Systems Owner Program Manager Common Control Provider and/or System Owner Information Assurance Manager (IAM) ISSO and/or SISO Information Assurance Officer (IAO) Information Systems Security Officer (ISSO) Certification Agent Security Control Assessor
- 43. CISSP CISM CISSP ISSMP CAP CISA GSNA SSCP CASP Security+ CISSP ISSEP/ ISSAP CSSLP Management / RiskAudit Software Dev Network / Communications
- 52. Level Qualifying Certifications CNDAnalyst GCIA, CEH CND Infrastructure Support SSCP, CEH CND Incident Responder GCIH, GSIH, CEH CND Auditor CISA, CEH, GSNA CN-SP Manager CISM, CISSP-ISSEP
- 59. “The CNSS isdirected to assure the security of NSS against technical exploitation by providing: reliable and continuing assessments of threats and vulnerabilities and implementation of effective countermeasures; a technical base within the USG to achieve this security; and support from the private sector to enhance that technical base assuring that information systems security products are available to secure NSS.”
Editor's Notes
- #2 © 2013 Maze & Associates Revision 9 (December 2013) Images from Microsoft Clipart unless otherwise noted, Other Sources: NIST and Donald E. Hester Picture: Muir Beach, North of San Francisco, CA, Photo by Donald E. Hester all rights reserved
- #3 Picture: Empire Mine, Nevada City, CA; Photo by Donald E. Hester all rights reserved Read: NIST SP 800-37 Rev 1, Appendix D Read: Official (ISC)2 Guide to CAP CBK Second Edition Chapter 1 pg 49-62 Read: DoDI 8500.2 Read: NSTISSI No. 4009 RMF Roles and Responsibilities
- #4 Roles and Responsibilities Head of Agency or CEO Risk Executive (function) Chief Information Officer (CIO) Chief Information Security Officer (CISO) Information Owner/Custodian Information System Owner (System Owner) Information Systems Security Officer (ISSO) Security Control Assessor (Certifying Agent) Authorizing Official (AO) Approving Authority (AA) Common Control Provider Approving Authority Designated Representative Different C & A frameworks use different names e.g. NIST, DCID 6/3, DITSCAP, DIACAP, NIACAP, ISO See NIST SP 800-37 Rev 1 Appendix D and CNSS Instruction No. 4009
- #5 Roles and Responsibilities Auditor System Administrator/Manager Business Unit Manager Project Manager Risk Analyst Facility Manager Executive Management Authorization Advocate User Representative Information Security Architect Information Systems Security Engineer Different C & A frameworks use different names e.g. NIST, DCID 6/3, DITSCAP, DIACAP, NIACAP, ISO See NIST SP 800-37 Rev 1 Appendix D and CNSS Instruction No. 4009
- #6 Head of Agency Head of Agency or Chief Executive Officer (CEO) Highest level senior official or executive Overall responsibility to provide information security Ensure security is commensurate with risk to organization Responsible for security of 3rd party use or operation of systems Responsible to ensure security is integrated into strategic and operational planning Responsible to ensure personnel are trained sufficiently Establish appropriate accountability and commitment to create a climate that promotes due diligence NIST SP 800-37 Rev 1 Appendix D The agency head ultimately is responsible for deciding the acceptable level of risk for their agency. System owners, program officials, and CIOs provide input for this decision. Such decisions must reflect policies from OMB and standards and guidance from NIST (particularly FIPS 199 and FIPS 200). An information system’s Authorizing Official takes responsibility for accepting any residual risk, thus they are held accountable for managing the security for that system. OMB M-10-15 - FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management
- #7 Risk Executive Function Looks at risk from the program level Organization-wide perspective Overall strategic goals and objectives Risk to the organization’s mission Creates a consistent risk management approach (organization-wide) Addresses the organization’s risk tolerance (risk appetite) Provides oversight Provides sharing of risk related information NIST SP 800-37 Rev 1 Appendix D
- #8 Chief Information Officer (CIO) Overall responsibility for organization’s security Delegates authority to SISO Provision resources Provide oversight Maintain visibility Develop and maintain policies Assists executive level officials concerning security responsibilities CIO and AO allocate appropriate resources to the system Government employee only “The Chief Information Officer, with the support of the senior agency information security officer, works closely with authorizing officials and their designated representatives to ensure that an agency-wide security program is effectively implemented, that the certifications and accreditations required across the agency are accomplished in a timely and cost-effective manner, and that there is centralized reporting of all security-related activities. “ NIST SP 800-37
- #9 Senior Information Security Officer (SISO) AKA: Senior Agency Information Security Officer (SAISO) Chief Information Security Officer (CISO) Senior manager in charge of Information Security Accountable for most aspects of security within an organization Liaison between CIO and other roles Security is primary duty Head of the RMF program within the organization Establish the program Enforce the program Responsible for the success of a RMF program Government employee only May serve as AO Designated Representative or security control assessor
- #10 Information Owner / Steward Agency official with statutory management or operational authority for specific information Establish rules of behavior for that information Establish polices and procedures for Generation Collection Processing Dissemination Disposal Retention Provide input to information system owners on protect requirements NIST SP 800-37 Rev 1 Appendix D; FIPS 200; CNSSI-4009 You may have seen Data Owner or Custodian as a title for this role in the past “The information owner is an agency official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.” NIST SP 800-37 Information owner typically owns business process Aware of the required protection for the data Establish impact level on the business process
- #11 Authorizing Official (AO) Also Known As Designated Approving Authority (DAA or DAO) Senior management Formally accepts responsibility for operating an information system and accepts residual risk to the system Must be a Government Employee May have a designated representative that can do everything but sign or decide Accreditation Typically have budgetary oversight Responsible for the mission and/or business operations supported by the system Accountable for security of system A system may have multiple AOs “A senior management official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations, agency assets, or individuals.” - NIST SP 800-37 NIST SP 800-37 Rev 1 Appendix D; NIST IR 7298; CNSSI-4009; FIPS 200 You may see a number of different names for this role: Designated Approving Authority (DAA) Designated Accrediting Authority (DAA) Approving Authority (AA) Principal Accrediting Authority (PAA)
- #12 Authorizing Official Designated Representative Acts on behalf of an Authorizing Official Handles day to day activities Can be empowered for certain decisions Approve system security plans Approve monitoring Implement Plan of Action and Milestones (POA&M) Complete authorization package The only thing the designated representative cannot do is make the authorization decision and sign the authorization document NIST SP 800-37 Rev 1 Appendix D;
- #13 Information System Owner Also Known As System Owner or IT Manager Coordinate with information owner on user access Primary responsibility for the system Full lifecycle of the system Often it is the IT department Ensuring compliance with policies “Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system. “ - (NIST SP 800-37)
- #14 System Administrator (SA) In charge of the day-to-day operation and administration Implements technical and operational controls IT administrators Separation of duties from ISSO Implement hardware changes Implement software changes Backups Monitoring Maintenance “Individual responsible for the installation and maintenance of an information system, providing effective information system utilization, adequate security parameters, and sound implementation of established Information Assurance policy and procedures.” CNSS Instruction No. 4009
- #15 Information Systems Security Officer (ISSO) Principal advisor to the AO Serves as an agent to the information system owner Monitors day to day security on the system Coordinate with physical security, personal, incident handling and security awareness. May not actually touch the system Close collaboration with Information system owner Assess security impact of changes to the system “The information system security officer often plays an active role in developing and updating the system security plan as well as in managing and controlling changes to the system and assessing the security impact of those changes.“ NIST SP 800-37 NIST SP 800-37 Rev 1 Appendix D;
- #16 Auditor Provides independent (unbiased) Assess controls Assess program Ensures documentation is adequate Weaknesses identified Corrective actions specified Example: Security Control Assessor Inspector General
- #17 Inspector General (IG) Program level audit Ensure compliance with FISMA and other government policies Provides independent (unbiased) assessment of the RMF program Looks at individual program components Ensures documentation is adequate Weaknesses identified Corrective actions specified “In the United States, an Inspector General (IG) is a type of investigator charged with examining the actions of a government agency, military organization, or military contractor as a general auditor of their operations to ensure they are operating in compliance with general established policies of the government, to audit the effectiveness of security procedures, or to discover the possibility of misconduct, waste, fraud, theft, or certain types of criminal activity by individuals or groups related to the agency's operation, usually involving some misuse of the organization's funds or credit. In the United States, there exist numerous Offices of Inspector General (OIGs) at the federal, state, and local levels.” Retrieved 22-JUN-2010 from http://en.wikipedia.org/wiki/Inspector_General IG evaluations are intended to independently assess if the agency is applying a risk-based approach to their information security programs and the information systems that support the conduct of agency missions and business functions. When reviewing the assessment in support of an individual security authorization, for example, the IG would generally assess whether: 1) the assessment was performed in the manner prescribed in NIST guidance and agency policy; 2) controls are being implemented as stated in any planning documentation; and 3) continuous monitoring is adequate given the system impact level of the system and information. OMB M-10-15 - FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management
- #18 IG findings may get press
- #19 Security Control Assessor AKA: Certification Agent or Certifying Agent Independent authority Impartial and unbiased (separation of duties) Measures effectiveness and completeness of controls at the system level Level of independence based upon risk to system The certification agent is an individual, group, or organization responsible for conducting a security certification, or comprehensive assessment of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. - NIST SP 800-37 NIST SP 800-37 Rev 1 Appendix D; FIPS 200; CNSSI-4009 AKA Security Control Assessor Certifier Certification Analyst Certification Agent Certifying Agent Assessor Certifying Authority
- #20 Other Roles Common Control Provider Individual or group responsible for the development implementation, monitoring and assessment of common controls Agency-wide, center-wide, campus-wide, building-wide Information Security Architect Ensures security has been adequately addresses in all aspects on enterprise architecture Information Systems Security Engineer Ensures security requirements are effectively integrated in to information technology NIST SP 800-37 Rev 1 Appendix D; CNSSI-4009
- #21 IT Security Program Steering Committee Provides high-level oversight Provides direction Indirect supervision Advisory group to the program Does not exercise authority
- #22 Business Unit Manager Note this term is not used by NIST but the role and function is alluded too. Responsible for the mission and/or business operations Often function as information owner or AO Might be a higher level manager or director Disseminate security information to subordinates Report security incidents to higher management Respond to security incidents Determine resources Set priorities Generally not an ‘IT’ person
- #23 Project Manager May work for the system owner for complex system security plans May aid the CIO or CISO in the overall program implementation
- #24 Facility Manager Responsible for physical security Responsible for environmental controls
- #25 Executive Management Crucial Role Establish Policy Enforce Policy Allocate Resources Maintain visibility of program
- #26 User Representative Represents a user group or community Looks out for the interests of users “The person that defines the system’s operational and functional requirements, and who is responsible for ensuring that user operational interests are met throughout the systems authorization process.” CNSS Instruction No. 4009
- #27 DoD Specific Roles Information Assurance Manager Individual responsible for the information assurance of a program, organization, system, or enclave. AKA: Information Systems Security Manager (ISSM) Information Assurance Officer Individual assigned responsibility for maintaining the appropriate operational security posture for an information system or program. AKA: Information Systems Security Officer (ISSO)
- #28 CIRT Computer Incident Response Team Group of individuals usually consisting of Security Analysts organized to develop, recommend, and coordinate immediate mitigation actions for containment, eradication, and recovery resulting from computer security incidents. AKA Cyber Incident Response Team (CIRT) Computer Security Incident Response Team (CSIRT) Computer Incident Response Center (CIRC) Computer Incident Response Capability (CIRC) Source: CNSSI 4009
- #29 Delegation of Roles “At the discretion of senior agency officials, certain security certification and accreditation roles may be delegated and if so, appropriately documented. Agency officials may appoint appropriately qualified individuals, to include contractors, to perform the activities associated with any security certification and accreditation role with the exception of the Chief Information Officer and authorizing official. The Chief Information Officer and authorizing official have inherent United States Government authority, and those roles should be assigned to government personnel only. Individuals serving in delegated roles are able to operate with the authority of agency officials within the limits defined for the specific certification and accreditation activities. Agency officials retain ultimate responsibility, however, for the results of actions performed by individuals serving in delegated roles. “ NIST SP 800-37
- #30 Support Hierarchy The Business Unit attempts to accomplish their part of the agencies mission. The IT infrastructure supports the business unit in reaching its mission objectives. Further the Security and Audit support IT.
- #31 Role Relationships IG = Inspector General IA = Internal Audit SCA = Security Control Assessor / CA Certification Authority / Certifying Agent CISO = Chief Information Security Officer / Senior Information Security Officer (SISO) / Senior Agency Information Security Officer (SAISO) SM = Security Manager / ITSM IT Security Manager / ISSM Information systems security manager ISSO = Information Systems Security Manager CIO = Chief Information Officer SO = System Owner / IT Manager SA = System Admin BUM = Business Unit Manager (Director, Deputy Director) Business Unit = Directorate IO = Information Owner EU = End User AO = Authorizing Official SOD = Separation of Duties Each directorate or business unit will have it’s own mission The agency or organization will have an overall mission as well. Each business units mission will in turn support the overall mission of the agency or organization.
- #32 DoD and NIST
- #33 Discussion Who is best suited for the roll of Authorization Official? The best suited person to determine the risk the system has to the sensitivity and criticality to the operations of the business unit (division, directorate etc…) would be someone in management within that business unit. The CIO who seems like a good choice to be Authorization Official is actually detrimental. How is the CIO qualified to assess and accept risks to the operations of a business unit? For example, the business unit has a mission to accomplish and know better than anyone in IT how much down time they can withstand and still meet their mission. Shouldn’t it be management in the business unit that makes that determination? After all it is their mission. In addition, who could best get the end user to “buy in” and follow policy, the CIO or their boss? Business unit managers make the case that this is an IT problem and that the best person to understand the “IT risk” is the CIO or IT manager. Therefore they often support the CIO as the Authorization Official. However, the purpose of an independent security assessment (audit) is to give the AO factual information about security posture of the information systems. This way the AO does not have to determine for themselves if the security is adequate. This frees the AO for having to understand IT security concepts. The independent assessor (auditor) who does understand the IT security concepts can determine if it is adequate and what level of risk the system would operate at.
- #35 Documenting roles and responsibilities Document contact information for each role In other documents, refer to the roles not the person Letters of appointment May create contact database Picture: Sample System Security Plan from Centers for Disease Control and Prevention
- #36 Job descriptions Describe responsibilities Don’t forget the C & A responsibilities Outline expectations of performance Used for accountability
- #37 Position sensitivity designations
- #38 Personnel transitions Make sure individuals have adequate replacements before they leave, if possible Overlapping smooth transition Acclimatize the individual with the C & A process and organizational specifics Make sure they understand their new roles and responsibilities
- #39 Time requirements RMF duties do not require full time, unless you dedicate the tasks Collateral duties to normal ones Dedicated employee help with consistency Size of the organization Number of systems
- #40 Expertise requirements Skills and abilities Project management System development life-cycle Technical controls Operational controls IT terminology Security terminology Clear background Administrative skills – technical writing skills Certifications like CAP, CISSP, CISA, CISM
- #41 Using contractors Want to have stability in the following positions, thus employees are preferred CIO, CISO System Owner AO ISSO Need for independence, often contractors used for certifying agent Contractors can make for effective partners Need to have background checks, statements of work, contracts and timetables
- #42 Routine duties Scheduling Reporting Providing advice Meetings Quality control Monitor compliance Intermediary Offer solutions Educate and train Systems development Explain technical issues to non-technical management
- #43 Organizational skills Well organized Proficient in RMF and C & A Project management skills Scheduling Task lists Meeting notes Manage email
- #44 Certifications See Also Top 5 IT Security Certifications for 2011 Employers, Recruiters Identify the Most Valued Infosec Certifications December 30, 2010 - Upasana Gupta, Contributing Editor http://www.govinfosecurity.com/articles.php?art_id=3222
- #45 (ISC)2 Certifications (ISC)2 International Information Systems Security Certification Consortium, Inc. Website: www.isc2.org Certifications Associate of (ISC)² SSCP: Systems Security Certified Practitioner CAP: Certified Authorization Professional CSSLP: Certified Secure Software Lifecycle Professional CISSP: Certified Information Systems Security Professional CISSP Concentrations: ISSEP, ISSAP, ISSMP Professional Certification (ISC)2 certifications require ongoing continuing education to maintain certification. Associate of (ISC)²: Pass the SSCP or CISSP exam but do not have the required work experience. SSCP: Covers seven areas of practice or domains: Access Controls, Cryptography, Malicious Code and Activity, Monitoring and Analysis, Networks and Communications, Risk, Response and Recovery, Security Operations and Administration CAP: Covers seven domains of knowledge aligned with NIST Risk Management Framework CSSLP: Covers seven domains of knowledge concerning secure software development CISSP: Cover 10 broad domains of information systems security. The CISSP was the first credential in the field of information security, accredited by the ANSI (American National Standards Institute) to ISO (International Organization for Standardization) Standard 17024:2003. CISSP Concentrations ISSAP: Information Systems Security Architecture Professional ISSEP: Information Systems Security Engineering Professional ISSMP: Information Systems Security Management Professional (ISC)², CISSP, CAP, ISSAP, ISSEP, ISSMP, SSCP and CBK are registered certification marks of (ISC)², Inc.
- #46 ISACA Certifications Information Systems and Control Association (ISACA) Certifications CISA: Certified Information Systems Auditor CISM: Certified Information Systems Manager CGEIT: Certified in the Governance of Enterprise IT CRISC: Certified in Risk and Information Systems Control Website www.isaca.org Professional Certification ISACA certifications require ongoing continuing education to maintain certification. CISA is world-renowned as the standard of achievement for those who audit, control, monitor and assess an organization’s information technology and business systems. The CISM certification program is developed specifically for experienced information security managers and those who have information security management responsibilities. CRISC recognizes a wide range of professionals for their knowledge of enterprise risk and their ability to design, implement, monitor and maintain IS controls to mitigate such risk. The CGEIT certification program was designed specifically for professionals charged with satisfying the IT governance needs of an enterprise. The American National Standards Institute (ANSI) has accredited the CISA & CISM certification under ISO/IEC 17024:2003, General Requirements for Bodies Operating Certification Systems of Persons. ANSI, a private, nonprofit organization, accredits other organizations to serve as third-party product, system and personnel certifiers CISA, CISM, CGEIT, CRISC and ISACA are registered certification marks of ISACA
- #47 CompTIA Certifications CompTIA certifications Website: www.comptia.org Certifications A+ - Computer Support Technician Network+ - Network Support Technician Security+ - Entry level security certification CASP - CompTIA Advanced Security Practitioner RFID+ - RFID professionals CTT+ - Certified Technical Trainer Project+ - IT Project Management Others: Server+, Linux+, CTP+, CDIA+, PDI+ The CompTIA A+ certification is the industry standard for computer support technicians. The international, vendor-neutral certification proves competence in areas such as installation, preventative maintenance, networking, security and troubleshooting. The CompTIA Network+ certification is the sign of a competent networking professional. It is an international, vendor-neutral certification that proves a technician’s competency in managing, maintaining, troubleshooting, installing and configuring basic network infrastructure. CompTIA Security+ is an international, vendor-neutral certification that proves competency in system security, network infrastructure, access control and organizational security. CompTIA RFID+ is an international, vendor-neutral certification for IT professionals with six to 24 months of experience in RFID technologies. CompTIA CTT+ is an international, vendor-neutral certification that covers core instructor skills, including preparation, presentation, communication, facilitation and evaluation in both a classroom and virtual classroom environment The CompTIA Project+ certification is an international, vendor-neutral certification that covers the entire project life cycle from initiation and planning through execution, acceptance, support and closure
- #48 SANS Institute Certifications Website: www.giac.org Certifications GIAC (Global Information Assurance Certification) GSNA (GIAC Systems and Network Auditor) G7799 (GIAC Certified ISO-17799 Specialist) GCFE (GIAC Certified Forensics Examiner) GCFA (GIAC Certified Forensic Analyst) GREM (GIAC Reverse Engineering Malware) GLEG (GIAC Legal Issues) GISP (GIAC Information Security Professional) GCPM (GIAC Certified Project Manager Certification) GISF (GIAC Information Security Fundamentals)
- #49 SANS Institute Certifications (cont.) Website: www.giac.org Certifications GIAC (Global Information Assurance Certification) GSEC (GIAC Security Essentials Certification) GWAPT (GIAC Web Application Penetration Tester) GCED (Certified Enterprise Defender) GCFW (GIAC Certified Firewall Analyst) GCIA (GIAC Certified Intrusion Analyst) GCIH (GIAC Certified Incident Handler) GCWN (GIAC Certified Windows Security Administrator) GCUX (GIAC Certified UNIX Security Administrator) GPEN (GIAC Certified Penetration Tester) GAWN (GIAC Assessing Wireless Networks)
- #50 SCP Certifications Security Certified Program (SCP) Website: www.securitycertified.net Certifications: SCNS - Security Certified Network Specialist SCNP - Security Certified Network Professional SCNA - Security Certified Network Architect
- #51 Inspector General Institute Association of Inspectors General Website: http://inspectorsgeneral.org Certifications: Certified Inspector General (CIG) Certified Inspector General Auditor (CIGA) Certified Inspector General Investigator (CIGI) Is recognized by the National Association of State Boards of Accountancy (NASBA)
- #52 DoDD 8570 All IA (Information Assurance) jobs require certification. IAT Information Assurance Technical IAM Information Assurance Management IASAE Information Assurance System Architecture and Engineering
- #53 DoDD 8570 (cont.) All IA (Information Assurance) jobs will require certification. CND Computer Network Defense
- #54 Organizational placement of RMF function Where it will be able to be the most effective? Reach the highest and lowest parts of the organizational chart As wide as the enterprise CISO may work for the CIO or COO for whistle blower
- #55 Key Agencies & Organizations The U.S. Government Accountability Office (GAO) is known as "the investigative arm of Congress" and "the congressional watchdog." GAO supports the Congress in meeting its constitutional responsibilities and helps improve the performance and accountability of the federal government for the benefit of the American people. Source: www.gao.gov The management side of OMB oversees and coordinates the Federal procurement policy, performance and personnel management, information technology (e-Government) and financial management. In this capacity, OMB oversees agency management of programs and resources to achieve legislative goals and Administration policy. Source: www.whitehouse.gov/omb/ Office of Management and Budget (OMB) Department of Homeland Security (DHS) National Institute of Standards and Technology (NIST) Office of the Director of National Intelligence (ODNI) Depart of Defense (DoD) Defense Information Systems Agency (DISA) Committee on National Security Systems (CNSS) National Security Council (NSC) National Security Telecommunication and Information Systems Security Committee (NSTISSC) U.S. Government Accountability Office (GAO) Office of the Inspector General (OIG) CIO.gov
- #56 Department of Homeland Security (DHS) Oversees critical infrastructure protection Operates the United States Computer Emergency Readiness Team (US-CERT) Oversees implementation of the Trusted Internet Connection initiative Has primary responsibility within the executive branch for the operational aspects of Federal agency cybersecurity (FISMA) Subject to general OMB oversight See OMB M-10-28
- #57 DHS FISMA Activities Overseeing: the government-wide and agency-specific implementation of and reporting on cybersecurity policies and guidance government-wide and agency-specific efforts to provide adequate, risk-based and cost-effective cybersecurity the agencies’ compliance with FISMA and developing analyses for OMB to assist in the development of the FISMA annual report the agencies’ cybersecurity operations and incident response and providing appropriate assistance annually reviewing the agencies’ cybersecurity programs See OMB M-10-28
- #58 Office of Management and Budget (OMB) Leads the interagency process for cybersecurity strategy and policy development (Cybersecurity Coordinator) Responsible for the submission of the annual FISMA report to Congress Responsible for the development and approval of the cybersecurity portions of the President’s Budget Provide oversight See OMB M-10-28
- #59 Cyber Command Mission USCYBERCOM plans, coordinates, integrates, synchronizes, and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full-spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.
- #60 CNSS The Committee on National Security Systems Been in existence since 1953 Formerly named the National Security Telecommunications and Information Systems Security Committee (NSTISSC) Establishes requirements pertaining to National Security Systems “The CNSS is directed to assure the security of NSS against technical exploitation by providing: reliable and continuing assessments of threats and vulnerabilities and implementation of effective countermeasures; a technical base within the USG to achieve this security; and support from the private sector to enhance that technical base assuring that information systems security products are available to secure NSS.” http://www.cnss.gov/history.html
- #61 Summary People are the most important part of the process The right people make the program
- #62 Class Discussion: Roles & Responsibility What are some of the biggest challenges within your current role? How would you respond to a BUM, information owner or AO who says RMF is an IT issue and that he/she does not need to be involved? If staffing is an issue, what roles would you combine? Which roles would you not combine? In order to have a successful RMF program you have been tasked to make an education system for your organization. What are some key features you would include? Why are certifications important for staff with roles and responsibilities in the RMF?