Risk Management Framework - An Introduction
Mark L. Spencer, CISSP, ISSA Distinguished Fellow
ISSA-COS presentation, 72 slides

Uploaded by buicong, posted 18-Jun-2018


Page 1: Risk Management Framework - An Introduction

Mark L. Spencer, CISSP, ISSA Distinguished Fellow

Page 2: Agenda

History
DoD Risk Management Framework Process
Step 1 – Categorize the System
Step 2 – Select Security Controls
Step 3 – Implement Security Controls
Step 4 – Assess Security Controls
Step 5 – Authorize System
Step 6 – Monitor Security Controls

Page 3: History

Previous environment: Federal, DoD, Intelligence Community (IC)
Consensus on standards:
  Federal uses NIST Special Publication (SP) 800-53
  DoD uses NIST SP 800-53 and CNSSI 1253
  IC uses NIST SP 800-53 and CNSSI 1253
Overlays for specific implementation needs

Page 4: Introduction to RMF

Risk Management Framework
Not a modification of DIACAP
Best to look at the change as "that was then... this is now"
New terms
References changing
New requirements

Page 5: References

DoDI 8500.01, “Cybersecurity”
DoDI 8510.01, “Risk Management Framework (RMF) for DoD Information Technology (IT)”
CNSSI 1253, “Security Categorization and Control Selection for National Security Systems”
NIST SP 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations”

Page 6: Information Assurance Is Now Cybersecurity

Old - DoDD 8500.01E, Information Assurance (IA): Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.

New - DoDI 8500.01, Cybersecurity: Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.

Page 7: New Terms

Old Term -> New Term
Certification and Accreditation (C&A) Process -> Risk Management Framework (RMF)
Certification -> Security Control Assessment
Accreditation -> Authorization
System Security Authorization Agreement (SSAA) -> System Security Plan (SSP)
Certification Test and Evaluation (CT&E) / Security Test and Evaluation (ST&E) Report -> Security Assessment Report (SAR)
Designated Accrediting Authority (DAA) -> Authorizing Official (AO)
DAA Rep -> Delegated Authorizing Official (DAO)
Information Assurance Manager (IAM) -> Information System Security Manager (ISSM)
Information Assurance Officer (IAO) -> Information System Security Officer (ISSO)
Program Manager -> Information System Owner (ISO)*

Page 8: DoD RMF Process

Page 9: Step 1 – Categorize the System

DoDI 8510.01 provides detailed guidance on the RMF process for DoD
Directs use of CNSSI 1253
Initiate the Security Plan
Register the system with the DoD Component Cybersecurity Program
Assign qualified personnel to RMF roles

Page 10: Categorization Method

Based on FIPS 199
Low / Moderate / High
Impact on organizations or individuals
Does not equate to MAC levels or Confidentiality levels from previous systems

Page 11: Information Types

An information type is a specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor-sensitive, security management), defined by an organization or, in some instances, by a public law, executive order, directive, policy, or regulation. [See NIST SP 800-60 (Volumes I and II) for example methodology to determine information types.]

Page 12: Applying Information Types

The generalized format for expressing the security category (SC) of an information type is:

SC information type = {(confidentiality, value), (integrity, value), (availability, value)}

where the acceptable values are low, moderate, or high.

Page 13: Categorization Values

Both FIPS 199 and NIST SP 800-53 apply the concept of a high-water mark (HWM) when categorizing information systems, using the worst-case potential impact of a loss of confidentiality, integrity, or availability of information or of an information system as the basis for categorization.

CNSSI 1253 does not use the HWM.

Page 14: Categorization Process

Two parts. Determine impact values:
(i) for the information type(s) processed, stored, transmitted, or protected by the information system; and
(ii) for the information system

Page 15: Information Type Identification - 1

1. Identify all the types of information processed, stored, or transmitted by an information system, determine their provisional security impact values, and adjust the information types' provisional security impact values.

Page 16: Information Type Identification - 2

2. Determine the security category for the information system (see FIPS 199) and make any necessary adjustments (see NIST SP 800-60, Volume I, Section 4.4.2).

The security category of a system should not be changed or modified to reflect management decisions to allocate more stringent or less stringent security controls.

Page 17: NSS Impact Categorization

For NSS, categorize in the context of:
  Organization
  Overall National Interest
All DoD systems apply the NSS control set

Page 18: Essential Items to Consider

Federal (high-water mark applied across the information types):
  SC=(conf=H, Int=M, Avail=L)
  SC=(conf=M, Int=M, Avail=L)
  SC=(conf=M, Int=L, Avail=L)
  -> SC = HIGH

NSS (no high-water mark; each objective keeps its own level):
  SC=(conf=H, Int=M, Avail=L)
  SC=(conf=M, Int=M, Avail=L)
  SC=(conf=M, Int=L, Avail=L)
  -> SC=(conf=H, Int=M, Avail=L)

Impact categories do not equate to classifications
Different treatment of information system categorization from Federal RMF
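The two categorization paths on slides 12 through 18 (per-objective maximum over the information types, then either the FIPS 199 high-water mark or the CNSSI 1253 per-objective selection against the "X"/"+" table of slides 41 and 47) worked through in Python. This is an added example, not code from the presentation: the information-type names and the two "XX-" table rows are constructed placeholders; the AC-7 row and the slide 18 impact values are taken from the slides.

```python
from enum import IntEnum
from typing import Dict, NamedTuple, Tuple


class Impact(IntEnum):
    """FIPS 199 potential impact values; IntEnum so max() yields the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3

    @property
    def letter(self) -> str:
        return self.name[0]  # "L", "M" or "H", as written on the slides


class SecurityCategory(NamedTuple):
    """SC = {(confidentiality, value), (integrity, value), (availability, value)}."""
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def __str__(self) -> str:
        return (f"SC=(conf={self.confidentiality.letter}, "
                f"Int={self.integrity.letter}, Avail={self.availability.letter})")


# Constructed sample: the three information-type categories listed on slide 18.
# The type names are placeholders; the slide does not name them.
SAMPLE_INFO_TYPES: Dict[str, SecurityCategory] = {
    "info type A": SecurityCategory(Impact.HIGH, Impact.MODERATE, Impact.LOW),
    "info type B": SecurityCategory(Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "info type C": SecurityCategory(Impact.MODERATE, Impact.LOW, Impact.LOW),
}


def system_security_category(info_types: Dict[str, SecurityCategory]) -> SecurityCategory:
    """Part (ii) of the categorization: the system's value for each objective is the
    maximum over all information types it processes, stores or transmits. It is a pure
    function of the information types; decisions about how many controls to apply
    never feed back into it (slide 16)."""
    cats = list(info_types.values())
    if not cats:
        raise ValueError("a system must process at least one information type")
    return SecurityCategory(
        max(c.confidentiality for c in cats),
        max(c.integrity for c in cats),
        max(c.availability for c in cats),
    )


def federal_baseline_level(sc: SecurityCategory) -> Impact:
    """FIPS 199 / NIST SP 800-53 high-water mark: collapse the three objectives to one
    level, which then picks the Low, Moderate or High baseline."""
    return max(sc)


def nss_levels(sc: SecurityCategory) -> Tuple[str, str, str]:
    """CNSSI 1253 does not use the HWM: each objective keeps its own level and the
    matching column of the CNSSI 1253 table is consulted separately."""
    return (sc.confidentiality.letter, sc.integrity.letter, sc.availability.letter)


# Constructed CNSSI 1253-style table rows: one mark per objective and level.
# "X" = control from the NIST baseline, "+" = added for NSS, "" = not selected (slide 41).
# AC-7 is marked X in all nine columns, as on slide 47; the two XX- rows are hypothetical.
Row = Dict[str, Dict[str, str]]
CONTROL_TABLE: Dict[str, Row] = {
    "AC-7": {"C": {"L": "X", "M": "X", "H": "X"},
             "I": {"L": "X", "M": "X", "H": "X"},
             "A": {"L": "X", "M": "X", "H": "X"}},
    "XX-1 (hypothetical)": {"C": {"L": "", "M": "", "H": "+"},  # NSS add-on, high C only
                            "I": {"L": "", "M": "", "H": ""},
                            "A": {"L": "", "M": "", "H": ""}},
    "XX-2 (hypothetical)": {"C": {"L": "", "M": "", "H": ""},
                            "I": {"L": "", "M": "", "H": ""},
                            "A": {"L": "", "M": "", "H": "X"}},  # high A only
}


def initial_control_set(levels: Tuple[str, str, str], table: Dict[str, Row]) -> Dict[str, str]:
    """Step 1 of control selection: a control enters the initial set if the table marks
    it at the system's level for any objective. Returns {control id: marks found}."""
    selected: Dict[str, str] = {}
    for cid, row in table.items():
        marks = {row["C"][levels[0]], row["I"][levels[1]], row["A"][levels[2]]} - {""}
        if marks:
            selected[cid] = "".join(sorted(marks))
    return selected


def categorize_and_select(info_types=SAMPLE_INFO_TYPES, table=CONTROL_TABLE):
    """Run slide 18's example both ways and return the two initial control sets."""
    sc = system_security_category(info_types)
    hwm = federal_baseline_level(sc)
    federal = initial_control_set((hwm.letter,) * 3, table)  # one level for all columns
    nss = initial_control_set(nss_levels(sc), table)
    return sc, hwm, federal, nss


if __name__ == "__main__":
    sc, hwm, federal, nss = categorize_and_select()
    print(f"System category: {sc}")
    print(f"Federal (HWM): SC={hwm.name} -> {federal}")
    print(f"NSS (no HWM): {sc} -> {nss}")
```

The Federal path pulls in the hypothetical availability-only control because the HWM raised every objective to High; the NSS path leaves it out because availability stays Low, which is the difference slide 18 is pointing at.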

Page 19: Low Impact

The potential impact is Low if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States.

Page 20: Low Impact - Amplification

A limited adverse effect means that the loss of confidentiality, integrity, or availability might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of those functions is noticeably reduced; (ii) result in minor damage to organizational, critical infrastructure, or national security assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.

Page 21: Moderate Impact

The potential impact is Moderate if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States.

Page 22: Moderate Impact - Amplification

A serious adverse effect means that the loss of confidentiality, integrity, or availability might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of those functions is significantly reduced; (ii) result in significant damage to organizational, critical infrastructure, or national security assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals exceeding mission expectations.

Page 23: High Impact

The potential impact is High if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States.

Page 24: High Impact - Amplification

A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational, critical infrastructure, or national security assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals exceeding mission expectations.

Page 25: Focus of Security Objectives

Focus of Confidentiality (C), Integrity (I), and Availability (A):
The C and I objectives are largely focused on reading and writing (disclosure and modification).
The I objective is also concerned with the correctness of actions.
The A objective is more concerned with survivability and ensuring that the resources were there when needed.
The A objective is also concerned with consequence management and countering certain activities aimed at denial of service.

Page 26: Impact Determination - Confidentiality

Look at impacts for loss of confidentiality:
  Does it expose classified information?
  Is it protected under other statutes?
  How does it affect YOUR mission capability?
  How does it affect the security of the Nation?

Page 27: Impact Determination - Integrity

Look at impacts for loss of integrity:
  Does loss of correctness affect your mission?
  How does it affect YOUR mission capability?
  How does it affect the security of the Nation?

Page 28: Impact Determination - Availability

Look at impacts for loss of availability:
  Does loss of availability affect your mission?
  How much loss can you sustain and still accomplish your mission?
  How does it affect YOUR mission capability?
  How does it affect the security of the Nation?

Page 29: Availability - Example

How long can your system be ineffective before it has an effect on your mission or missions you support?

Page 30: Other Step 1 Actions

Assign qualified personnel to RMF roles:
  Authorizing Official (AO)
  Authorizing Official Designated Representative (AODR)
  Security Control Assessor (SCA)
  Information System Owner (ISO)
  Program or System Manager (PM/SM)
  Information System Security Manager (ISSM)
  Information System Security Officer (ISSO)
  Information System Security Engineer (ISSE)
  User Representative (UR)

Page 31: Other Step 1 Actions

Initiate the Security Plan (eMASS)
Register the system with the DoD Component Cybersecurity Program (DITPR, SAP)

Page 32: Step 2 – Select Security Controls

Use CNSSI 1253 to select the initial security control set
Identify the applicable overlays
  Overlays may add or subtract security controls
  Overlays may provide additional guidance
Tailor (modify) the control set
  Response to increased risk or changes to risk tolerance

Page 33: Step 2 – Select Controls

Select an initial set of baseline security controls for the information system based on the security categorization, tailoring and supplementing the security control baseline as needed based on the organization's assessment of risk and local conditions.

Page 34: Security Controls

Security safeguards/countermeasures prescribed for information systems or organizations to: (i) protect the confidentiality, integrity, and availability of information that is processed, stored, and transmitted by those systems/organizations; and (ii) satisfy a set of defined security requirements. Security controls serve as a common management language for establishing cybersecurity needs.

Page 35: Key Assumptions for NSS

All users of the systems are cleared for access to the information stored, processed, or transmitted by the system and have formal access approval to all the information stored, processed, or transmitted by the system; some users may not have a need-to-know for all the information.

Page 36: Key Assumptions for NSS

The systems are multi-user (either serially or concurrently) in operation.
The systems are housed in a physical complex.
[Systems or environments that diverge from these assumptions may require tailoring of the selected controls and enhancements.]

Page 37: Using CNSSI 1253

CNSSI 1253:
  Select appropriate security controls
  Based on impact levels
NIST SP 800-53:
  Use selection of controls from CNSSI 1253
  Extract text of controls
CNSSI 1253:
  Assign parameters when available

Page 38: Security Control Baseline

The process for selecting security controls for a NSS is a four-step process:

1. Select the initial set of security controls.
2. Select and apply security control overlays.
3. Tailor the set of security controls.
4. Supplement the tailored set of security controls.

Page 39: Initial Set of Security Controls

Use the security categorization of the system:
  Confidentiality level
  Integrity level
  Availability level

Page 40: Initial Control Set

Use CNSSI 1253 to select the initial security control set
Identify the applicable overlays
  Overlays may add or subtract security controls
  Overlays may provide additional guidance
Determine the control text from NIST SP 800-53
Tailor (modify) the control set
  Response to increased risk or changes to risk tolerance
Supplement controls, as necessary

Page 41: CNSSI 1253

“X” = Security Controls from NIST Baselines
“+” = Security Controls Added for Protection of NSS

Not all DoD ISs are NSS; however, the same standards and processes under the RMF also apply to ISs that are not NSS.

Page 42: Identify Overlays

National Security System (NSS) [1253]
Space Platform
Cross-Domain Solution (CDS)
Intelligence (FOUO)
Classified Information
Privacy

Page 43: Apply Overlays

Apply applicable overlays:
  Add controls
  Delete controls
  Establish parameters

Page 44: Overlays

Must read each overlay to consider applicability
Overlays have slightly different formats
Multiple overlays might apply
Document all overlay modifications to the initial control set in the SP

Page 45: Overlays

NSS overlay: CNSSI 1253, Appendix D, Table D-1
Security Control Parameter Values: CNSSI 1253, Appendix E

Example parameter row:
ID: PE-6
Control text: b. [Assignment: organization-defined frequency]; [Assignment: organization-defined events or potential indications of events]
Defined value for NSS: b. At least every 90 days if not otherwise defined in formal organizational policy; the events/indications parameter is not appropriate to define at the CNSS level for all NSS.

Page 46: NIST SP 800-53 AC-7

AC-7 UNSUCCESSFUL LOGON ATTEMPTS

Control: The information system:
a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.

Supplemental Guidance: This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels. Related controls: AC-2, AC-9, AC-14, IA-5.

Page 47: Sample Control Extraction

AC-7 UNSUCCESSFUL LOGON ATTEMPTS
Control: The information system:
a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.

CNSSI 1253 baseline table row (L/M/H columns for each objective):

ID    Title                        Confidentiality  Integrity  Availability
                                   L  M  H          L  M  H    L  M  H
AC-7  Unsuccessful Logon Attempts  X  X  X          X  X  X    X  X  X

Page 48: Organization-Defined Parameter Values

Values for organization-defined parameters in National Security Systems [CNSSI 1253, Appendix J]
Based on the risk tolerance or threat scenario for an NSS, some authorizing officials may allow or require systems to diverge from this standard
Additional technology may be added, or architectural implementations may be modified, to adequately mitigate applicable risks

Page 49: Enhancements

Page 50: Enhancements (con't)

Page 51: Sample Control Extraction

AC-7 UNSUCCESSFUL LOGON ATTEMPTS
Control: The information system:
a. Enforces a limit of 3 consecutive invalid logon attempts by a user during a 15-minute time period; and
b. Automatically locks the account/node for at least 15 minutes or until released by an administrator when the maximum number of unsuccessful attempts is exceeded.

CNSSI 1253 baseline table row (L/M/H columns for each objective):

ID    Title                        Confidentiality  Integrity  Availability
                                   L  M  H          L  M  H    L  M  H
AC-7  Unsuccessful Logon Attempts  X  X  X          X  X  X    X  X  X

Page 52: Control Correlation Identifiers - AC-7

CCI-000043 - The organization defines the maximum number of consecutive invalid logon attempts to the information system by a user during an organization-defined time period.

CCI-001423 - The organization defines the time period in which the organization-defined maximum number of consecutive invalid logon attempts occur.

CCI-000044 - The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.

CCI-002236 - The organization defines the time period the information system will automatically lock the account or node when the maximum number of unsuccessful logon attempts is exceeded.

CCI-002237 - The organization defines the delay algorithm to be employed by the information system to delay the next logon prompt when the maximum number of unsuccessful logon attempts is exceeded.

CCI-002238 - The information system automatically locks the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.

Page 53: Common Control Identification

Common controls are security controls that are inheritable by one or more organizational information systems.

Page 54: Tailor Controls

Add controls
Delete controls
Establish parameters
Document all tailoring in the Security Plan

Page 55: Tailoring the Control Set

Not a requirement
Align with operational considerations and environment
Only remove if absolutely necessary
DOCUMENT DOCUMENT DOCUMENT

Page 56: Documenting Tailoring Decisions

Map specific rationale to risk-based decisions
Account for every selected control and assign to the organization or information system owner
Document rationale for not implementing any control
Document scoping of controls and selection or specification of compensating controls
Document in the SP

Page 57: Supplementing Control Sets

Base on risk assessments and local conditions
Include:
  environment of operation
  organization-specific security requirements
  specific threat information
  cost-benefit analysis
  special circumstances

Page 58: SP Documentation

Set of resulting security controls
Supporting rationale for selection
Information system use restrictions
Common controls inherited from external providers
Minimum requirements for common controls

Page 59: Step Three – Implement the Security Controls

Specified in the SP
Early involvement by ISSE to translate security control requirements into system specifications
Integrate the information system security engineering of cybersecurity requirements and cybersecurity testing considerations into the program's overall systems engineering process
Document the requirement and testing approach in the program's Systems Engineering Plan (SEP)

Page 60: Implement Security Controls

Document control implementation status in the SP
Describe the control implementation:
  Planned inputs
  Expected behavior
  Expected outputs

Page 61: Additional Implementation Guidance

Use the Knowledge Service (KS): DoD recommended security control implementations
System Security Design:
  Address in preliminary design reviews
  Address in critical design reviews
  Use inheritance where possible
Follow mandatory configuration settings:
  Federal policies
  DoD policies

Page 62: Step 4 – Assess Security Controls

Assessment plan
Assess security controls
Record compliance status
Assign severity categories
Prepare the Security Assessment Report (SAR)
Conduct remediation activities on non-compliant controls

Page 63: Assessment

DoD uses ACAS (Nessus)
Checks compliance against STIGs and SRGs
Verifies the SP contains references and artifacts

Page 64: Security Assessment Report (SAR)

Document:
  Issues
  Findings (C, NC, NA)
  Assigned severity categories
  Recommendations

Page 65: Step 5 – Authorization Decision

Authorize the System
POA&M
Submit package (SP, SAR, POA&M) to AO
Risk determination
Decision

Page 66: Package Contents

SP
SAR
POA&M
Inheritance documentation

Page 67: SP Documentation

Set of resulting security controls
Supporting rationale for selection
Information system use restrictions
Common controls inherited from external providers
Minimum requirements for common controls

Page 68: POA&M

Identifies remediation or mitigation tasks
Specifies resources, milestones and scheduled completion dates
Permanent record: items updated, but not removed
Lifecycle document

Page 69: Risk Determination

Organizational operations (mission, functions, image, or reputation)
Organizational assets
Individuals
Other organizations
The Nation

Page 70: Decision

Risk acceptance
Supporting documentation
ATO, IATT, DATO

Page 71: Step 6 – Monitor Security Controls

Determine impact of changes to the system or environment
Assess selected controls annually
Conduct needed remediation
Update SP, SAR, and POA&M
Report security status to AO
AO reviews reported status
Implement system decommissioning strategy
