Understanding the Risk Management Framework & (ISC)2 CAP Module 11: Monitor

Upload: donald-e-hester

Post on 13-Apr-2017


TRANSCRIPT

Page 1: Understanding the Risk Management Framework & (ISC)2 CAP Module 11: Monitor
Presentation notes: © 2016 Maze & Associates, Revision 10 (April 2016). Images from Microsoft Clipart unless otherwise noted; other sources: NIST and Donald E. Hester. Picture: Muir Beach, north of San Francisco, CA; photo by Donald E. Hester, all rights reserved.
Page 2
The six RMF steps: Categorize, Select, Implement, Assess, Authorize, Monitor
Presentation notes: The Six Steps in the RMF
Page 3
Presentation notes: RMF Step 6, Monitor Security Controls
- Information System and Environment Changes
- Ongoing Security Control Assessments
- Ongoing Remediation Actions
- Key Updates
- Security Status Reporting
- Ongoing Risk Determination and Acceptance
- Information Systems Removal and Decommissioning
Pages 4-10: no presentation notes.
Page 11
Presentation notes: Picture: Empire Mine, Nevada City, CA; photo by Donald E. Hester, all rights reserved. Read: Official (ISC)2 Guide to CAP CBK, Second Edition, Chapter 7.
Page 12
The six RMF steps: Categorize, Select, Implement, Assess, Authorize, Monitor
Presentation notes: Risk Management Framework (RMF), NIST SP 800-37 Rev 1, § 2.1
Page 13
Presentation notes: Ongoing Authorization
“The ultimate objective is to achieve a state of ongoing authorization where the authorizing official maintains sufficient knowledge of the current security state of the information system (including the effectiveness of the security controls employed within and inherited by the system) to determine whether continued operation is acceptable based on ongoing risk determinations, and if not, which step or steps in the Risk Management Framework needs to be re-executed in order to adequately mitigate the additional risk.” – NIST SP 800-37 Rev 1
Page 14
Presentation notes: ISCM
“Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.”
“It is important to understand and appreciate the need to assess the effectiveness of all security controls, particularly nontechnical security controls, periodically.”
NIST SP 800-137
Page 15
Presentation notes: ISCM references
- Information Security Continuous Monitoring (ISCM): NIST Special Publication 800-137, September 2011, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
- CAESARS Framework: Continuous Asset Evaluation, Situational Awareness, and Risk Scoring (CAESARS); NIST Interagency Report 7756 (Draft), CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Architecture (Draft)
Page 16
Presentation notes: ISCM Strategy
- Risk based
- Have some type of metrics
- Ongoing control assessment
- Compliance verification
- Visibility
- Understanding changes to the environment
- Understanding changes to the threat landscape
Page 17
Presentation notes: Other Strategies
- Monitor Security Controls (ongoing assessment)
- Configuration Management (monitor)
- Environmental Changes (monitor)
- Impact of Changes (continuous risk management)
- Reporting (dashboard and continuous reporting to the AO)
- Renewal (restart the RMF; new authorization)
- End of Life (decommissioning the system)
Page 18
Presentation notes: Organization-wide ISCM (NIST SP 800-137)
Page 19
Presentation notes: ISCM Lifecycle (NIST SP 800-137)
Page 20
Presentation notes: Roles and Responsibilities
Head of Agency
- Participate
Risk executive function
- Oversight
- Review status reports
- Facilitate sharing of security-related information
- Promote collaboration and cooperation
- Ensure risk is considered for continuous monitoring
CIO
- Leads the ISCM
- Establish expectations and requirements
- Work closely with Authorizing Officials
Page 21
Presentation notes: Roles and Responsibilities (cont.)
SISO
- Establishes, implements and maintains the ISCM program
- Provides support to system owners and common control providers
- Develops configuration management guidance
- Consolidates and analyzes POA&Ms
AO
- Assumes responsibility
- Ensures the security posture is maintained
- Reviews security status
- Determines if risk remains acceptable
- Determines if significant changes require reauthorization
Page 22
Presentation notes: Roles and Responsibilities (cont.)
Information System Owner
- Establish process and procedure at the system level
- Participate in the configuration management process
- Maintain inventory
- Security impact analysis of changes
Common Control Provider
- Same as an Information System Owner, with the addition of notifying systems that rely on the common controls
Page 23
Presentation notes: Roles and Responsibilities (cont.)
Information System Security Officer
- Supports the organization's ISCM program
- Assists the ISO
- Participates in the configuration management process
Security Control Assessor
- Provides input on the type of data to gather
- Assesses the related security controls
- Develops the assessment plan
Other roles
- An organization may establish additional roles, such as an ISCM program manager
Page 24
Presentation notes: Continuous Monitoring
- Review controls periodically or use automated tools
- Review configuration periodically or use automated tools
- Measure the effectiveness of controls over time; use the data in the decision-making process in the future
- Measure the efficiency over time; use the data in the decision-making process in the future
Page 25
Presentation notes: Performance Monitoring. NIST SP 800-55 Rev 1, Performance Measurement Guide for Information Security. Source: NIST SP 800-55 Rev 1
Page 26
Anytime there is a change to the system there is a change to the risk to that system. Is the change material?
Presentation notes: Information System and Environment Changes
- Determine the security impact of proposed or actual changes to the information system and its environment of operation
- Systems are dynamic and change constantly
- Change should be controlled
- Determine the impact of the proposed and actual changes
- Determine the effect on the security state of the system
- Anytime there is a change to the system there is a change to the risk to that system
Page 27
Change Management Life Cycle: Identify Change → Evaluate Request → Decision → Implement → Monitor → Evaluate change in risk
Presentation notes: Change Management Life Cycle: Identify Change, Evaluate Request, Decision, Implement, Monitor
Page 28
Presentation notes: Ongoing Security Control Assessments
- Assess a selected subset of the technical, management, and operational security controls employed within and inherited by the information system in accordance with the organization-defined monitoring strategy
- The level of effort and frequency of assessment is determined by the criticality and sensitivity of the system
- Initial and subsequent independence requirements remain the same
- If controls are found not to be working as intended or do not produce the desired outcome, the risk to the system increases (the acceptance of the risk of operating the system is based upon the controls that are in place)
Page 29
Presentation notes: Ongoing Remediation Actions
- Conduct remediation actions based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in the plan of action and milestones
- There should be continuous progress on items in the POA&M
- Control failures should be added to the POA&M for remediation
- Progress with remediation efforts
Page 30
Presentation notes: Key Updates
- Update the security plan, security assessment report, and plan of action and milestones based on the results of the continuous monitoring process
- Update the key authorization documents
- In order to have near real-time risk management, the key authorization documents need to be updated continuously
- A workflow database with reporting dashboards would be the best solution
- The AO should have ready access to the current state of the system
“In accordance with the near real-time risk management objectives of the security authorization process, the security plan is updated whenever events dictate changes to the security controls employed within or inherited by the information system.” NIST SP 800-37 Rev 1
Page 31
Presentation notes: Security Automation Domains. Security automation domains that support continuous monitoring; each of these areas is discussed in NIST SP 800-137 Appendix D.
Page 32
Presentation notes: SCAP
Security Content Automation Protocol (SCAP): SCAP is a suite of specifications that standardizes the format and nomenclature by which security software products communicate security flaw and security configuration information. NIST DRAFT SP 800-126, as amended, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1.
Page 33
Presentation notes: Monitoring Frequencies Considerations
- Security control volatility
- System categorization
- Critical control functions
- Controls with identified weaknesses
- Organizational risk tolerance
- Threat information
- Vulnerability information
- Risk assessment
- Monitoring reviews
- Reporting requirements
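One way to turn the considerations on this slide into an actual assessment schedule, as an added example in Python (this is not code from the deck, from (ISC)2 or from NIST): each consideration becomes an input, and the output is the longest number of days allowed between assessments of a control. The day counts, the 1 to 5 volatility scale, the rule of halving the interval per consideration, and the sample control identifiers are assumptions chosen for illustration; an organization would substitute the values from its own ISCM strategy and risk tolerance.

```python
"""Risk-based assessment frequency derived from the monitoring frequency considerations.

Added example (not code from the slides or from NIST): each consideration on the
slide becomes an input, and the output is a maximum number of days between
assessments of a control. The intervals, the volatility scale, the halving rule
and the control identifiers in the sample are this example's own assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Impact(Enum):
    """System categorization (FIPS 199 impact level); the numeric order is assumed."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass
class ControlContext:
    control_id: str
    system_impact: Impact
    volatility: int                  # 1 = rarely changes .. 5 = changes constantly (assumed scale)
    critical_function: bool          # control supports a critical control function
    identified_weakness: bool        # control has an open weakness (e.g. a POA&M item)
    threat_information: bool         # current threat information targets this control area
    vulnerability_information: bool  # a known vulnerability affects this control


# Organizational risk tolerance (assumed): the longest interval, in days, the
# organization accepts between assessments of a control at each impact level.
RISK_TOLERANCE_MAX_DAYS = {Impact.LOW: 365, Impact.MODERATE: 180, Impact.HIGH: 90}

# Floor for highly volatile or actively threatened controls: daily automated checks.
MIN_INTERVAL_DAYS = 1


def assessment_interval_days(ctx: ControlContext) -> int:
    """Return the maximum number of days allowed between assessments of this control.

    Starts from the categorization-driven tolerance and halves the interval for
    each consideration that calls for more frequent visibility.
    """
    if not 1 <= ctx.volatility <= 5:
        raise ValueError(f"volatility must be 1..5, got {ctx.volatility}")
    interval = RISK_TOLERANCE_MAX_DAYS[ctx.system_impact]
    # Volatile controls drift away from their last assessed state quickly.
    interval //= 2 ** (ctx.volatility - 1)
    if ctx.critical_function:
        interval //= 2
    if ctx.identified_weakness:
        interval //= 2
    if ctx.threat_information or ctx.vulnerability_information:
        interval //= 2
    return max(MIN_INTERVAL_DAYS, interval)


def build_schedule(controls) -> dict:
    """Map each control id to its assessment interval, most frequent first."""
    schedule = {c.control_id: assessment_interval_days(c) for c in controls}
    return dict(sorted(schedule.items(), key=lambda kv: kv[1]))


# Constructed sample: three controls with different categorizations and contexts.
SAMPLE_CONTROLS = [
    ControlContext("CM-6", Impact.HIGH, volatility=4, critical_function=True,
                   identified_weakness=False, threat_information=False,
                   vulnerability_information=True),
    ControlContext("AC-2", Impact.MODERATE, volatility=3, critical_function=True,
                   identified_weakness=True, threat_information=False,
                   vulnerability_information=False),
    ControlContext("PL-2", Impact.LOW, volatility=1, critical_function=False,
                   identified_weakness=False, threat_information=False,
                   vulnerability_information=False),
]

if __name__ == "__main__":
    for control_id, days in build_schedule(SAMPLE_CONTROLS).items():
        print(f"{control_id}: assess at least every {days} day(s)")
```

The point of the shape is that risk tolerance sets the ceiling and every other consideration can only pull the interval down; the remaining considerations on the slide (risk assessment results, monitoring reviews, reporting requirements) would be fed in the same way, by adjusting the inputs or the tolerance table rather than by bypassing the function.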
Page 34
Presentation notes: National Security Systems. NSS have special organization-defined parameters; see CNSSI 1253 Appendix J (15 March 2012).
Page 35
Presentation notes: Tools for Aggregation and Analysis
Security Information and Event Management (SIEM): “SIEM tools are a type of centralized logging software that can facilitate aggregation and consolidation of logs from multiple information system components.” NIST SP 800-137
Management Dashboards: “A security management dashboard (or security information management console) consolidates and communicates information relevant to the organizational security status in near real-time to security management stakeholders.” NIST SP 800-137
Page 36
Presentation notes: Security Status Reporting
- Report the security status of the information system to the authorizing official and other appropriate organizational officials on an ongoing basis in accordance with the monitoring strategy, including the effectiveness of security controls employed within and inherited by the system
- Report the ongoing control assessment
- Reporting can be event-driven, time-driven, event- and time-driven, or real-time
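The SIEM aggregation described on the previous slide and the event-driven versus time-driven reporting on this one, shown together in a small added Python example (not code from the deck, from NIST or from any SIEM product). It normalizes log lines from three differently formatted components into one event model, consolidates them per control and per component the way a dashboard would, and decides which reporting mode fires. The log lines are constructed; the three formats, the component names, the severity scale, the mapping from event categories to control identifiers (SC-7, AC-7, SI-7) and the failure threshold are all assumptions for illustration.

```python
"""SIEM-style aggregation of component logs into a security status report.

Added example, not code from the slides, from NIST or from any SIEM product.
The three log formats, the component names, the severity scale, the mapping of
event categories to control identifiers and the reporting thresholds are all
this example's assumptions; the log lines themselves are constructed.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample logs from three components, each in its own native format.
SAMPLE_LOGS = [
    "2016-04-02T10:00:01Z fw01 DROP src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2016-04-02T10:00:05Z web01 GET /login 200 user=alice",
    "2016-04-02T10:00:09Z web01 POST /login 401 user=bob",
    "2016-04-02T10:00:10Z web01 POST /login 401 user=bob",
    "2016-04-02T10:00:11Z web01 POST /login 401 user=bob",
    "2016-04-02T10:00:12Z host03 sshd: Failed password for root from 203.0.113.7",
    "2016-04-02T10:00:20Z host03 ossec: integrity checksum changed for /etc/passwd",
    "garbage line that matches no parser",
]


@dataclass
class Event:
    ts: str
    component: str
    category: str   # normalized category shared across components
    severity: int   # 1 = informational, 2 = suspicious, 3 = high (assumed scale)
    detail: str


FW_RE = re.compile(r"^(\S+) (fw\d+) (DROP|ACCEPT) src=(\S+) dst=(\S+) dport=(\d+)$")
WEB_RE = re.compile(r"^(\S+) (web\d+) (\w+) (\S+) (\d{3}) user=(\S+)$")
HOST_RE = re.compile(r"^(\S+) (host\d+) (\w+): (.*)$")


def parse_line(line: str):
    """Normalize one native log line into an Event, or None if unrecognized."""
    if m := FW_RE.match(line):
        ts, comp, action, src, dst, dport = m.groups()
        return Event(ts, comp, "fw_drop" if action == "DROP" else "fw_accept", 1,
                     f"{src} -> {dst}:{dport}")
    if m := WEB_RE.match(line):
        ts, comp, method, path, status, user = m.groups()
        failed = status == "401"
        return Event(ts, comp, "auth_failure" if failed else "web_request",
                     2 if failed else 1, f"{user} {method} {path}")
    if m := HOST_RE.match(line):
        ts, comp, daemon, msg = m.groups()
        if "Failed password" in msg:
            return Event(ts, comp, "auth_failure", 2, msg)
        if "integrity" in msg:
            return Event(ts, comp, "integrity_change", 3, msg)
        return Event(ts, comp, "host_other", 1, f"{daemon}: {msg}")
    return None


# Which control each normalized category provides evidence for (assumed mapping).
CATEGORY_TO_CONTROL = {"fw_drop": "SC-7", "auth_failure": "AC-7", "integrity_change": "SI-7"}


def aggregate(lines):
    """Consolidate logs from all components into per-control, per-component counts."""
    events = [e for e in map(parse_line, lines) if e is not None]
    by_control = defaultdict(Counter)
    for e in events:
        if ctrl := CATEGORY_TO_CONTROL.get(e.category):
            by_control[ctrl][e.component] += 1
    return events, {ctrl: dict(c) for ctrl, c in by_control.items()}


def status_report(lines, auth_failure_threshold: int = 3) -> dict:
    """Build the status a dashboard would show the AO, plus any findings that
    justify an event-driven report (a high-severity event or an auth-failure burst)."""
    events, by_control = aggregate(lines)
    findings = [f"{e.component}: {e.detail}" for e in events if e.severity >= 3]
    auth_failures = Counter(e.component for e in events if e.category == "auth_failure")
    for comp, n in auth_failures.items():
        if n >= auth_failure_threshold:
            findings.append(f"{comp}: {n} authentication failures")
    return {"event_count": len(events), "by_control": by_control, "findings": findings}


def report_trigger(report: dict, days_since_last_report: int, period_days: int = 30):
    """Decide which reporting mode fires: event-driven, time-driven, both, or none."""
    event = bool(report["findings"])
    due = days_since_last_report >= period_days
    if event and due:
        return "event-and-time-driven"
    if event:
        return "event-driven"
    if due:
        return "time-driven"
    return None


if __name__ == "__main__":
    report = status_report(SAMPLE_LOGS)
    print(report["by_control"], report["findings"], report_trigger(report, 5))
```

Two design points carry over to real deployments: unparseable lines are counted as dropped rather than silently ignored in a production pipeline (here they are simply skipped), and the per-control view is what lets the AO read the report as evidence about control effectiveness rather than as a pile of raw log volume.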
Page 37
Presentation notes: Continuous Risk Management
- Review the reported security status of the information system on an ongoing basis in accordance with the monitoring strategy to determine whether the risk to organizational operations, organizational assets, individuals, other organizations, or the Nation remains acceptable
- Including the effectiveness of security controls employed within and inherited by the system
Page 38
Presentation notes: Ongoing Risk Determination and Acceptance
- Threats change almost daily
- New vulnerabilities are found daily
- Systems constantly change
- Controls fail
- All of these lead to a change in the risk to the system
- We must determine if the change to the system is material (significant)
- A material change in risk requires corrective actions to lower that risk to an acceptable level
- There are various inputs to the continuous risk assessment process
Page 39
Presentation notes: Inputs for the continuous risk management process: Control Failure, Assessment Results, Incidents, System Changes, Industry Advisories, Business Objective Change
Page 40
Presentation notes: Continuous Risk Analysis – Security Impact Analysis (SIA)
Page 41
Presentation notes: Information System Removal and Decommissioning
- Implement an information system decommissioning strategy, when needed, which executes required actions when a system is removed from service
- Update inventory
- Sanitize media
- Notify other systems that rely upon controls of the decommissioned system
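The three required actions on this slide, together with the common control provider's duty from page 22 to notify the systems that rely on its controls, as an added Python example (not code from the deck or from NIST). The inventory, the system and control identifiers, and the media identifiers are constructed for illustration; the sanitization label "purge" borrows NIST SP 800-88's clear/purge/destroy vocabulary, but which method a given medium needs is a policy decision this example does not make.

```python
"""Decommissioning workflow: inventory update, media sanitization record, and
notification of the systems that inherit controls from the retired system.

Added example, not code from the slides or from NIST. The inventory, the system
and control identifiers, and the media identifiers are constructed; the method
label "purge" uses NIST SP 800-88's vocabulary but the choice of method is assumed.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class SystemRecord:
    system_id: str
    status: str = "operational"
    media: list = field(default_factory=list)       # media ids holding system data
    inherits: dict = field(default_factory=dict)    # control id -> provider system id


@dataclass
class DecommissionReport:
    system_id: str
    completed_on: date
    sanitized_media: list   # (media id, sanitization method) pairs
    notifications: dict     # dependent system id -> controls it must now source elsewhere


def dependents_of(inventory: dict, provider_id: str) -> dict:
    """Find every other system that inherits at least one control from provider_id."""
    deps = {}
    for sid, rec in inventory.items():
        if sid == provider_id:
            continue
        lost = sorted(ctrl for ctrl, prov in rec.inherits.items() if prov == provider_id)
        if lost:
            deps[sid] = lost
    return deps


def decommission(inventory: dict, system_id: str, method: str = "purge",
                 today: date = date(2016, 4, 1)) -> DecommissionReport:
    """Execute the three required actions from the slide and return the record."""
    rec = inventory[system_id]                      # KeyError for an unknown system
    if rec.status == "decommissioned":
        raise ValueError(f"{system_id} is already decommissioned")

    # 1. Update inventory: the system is no longer in service.
    rec.status = "decommissioned"

    # 2. Sanitize media: record the method per medium, then release the media.
    sanitized = [(m, method) for m in rec.media]
    rec.media = []

    # 3. Notify dependents: controls inherited from this system are no longer
    #    provided, so mark them as unprovided in each dependent's record.
    notifications = dependents_of(inventory, system_id)
    for dep_id, controls in notifications.items():
        for ctrl in controls:
            inventory[dep_id].inherits[ctrl] = None   # None = no provider; must reassess
    return DecommissionReport(system_id, today, sanitized, notifications)


def unprovided_controls(inventory: dict) -> dict:
    """List, per system, inherited controls that currently have no provider."""
    return {sid: sorted(c for c, p in rec.inherits.items() if p is None)
            for sid, rec in inventory.items()
            if any(p is None for p in rec.inherits.values())}


def build_sample_inventory() -> dict:
    """Constructed inventory: DIR-01 provides IA-2 and AU-6 as common controls;
    IDM-09 is an external provider that is not itself in this inventory."""
    return {
        "DIR-01": SystemRecord("DIR-01", media=["disk-0a1", "disk-0a2"]),
        "APP-01": SystemRecord("APP-01", media=["disk-1b3"],
                               inherits={"IA-2": "DIR-01", "AU-6": "DIR-01"}),
        "APP-02": SystemRecord("APP-02", media=["disk-2c4"],
                               inherits={"AU-6": "DIR-01", "AC-2": "IDM-09"}),
    }


if __name__ == "__main__":
    inv = build_sample_inventory()
    report = decommission(inv, "DIR-01")
    print(report)
    print("controls now without a provider:", unprovided_controls(inv))
```

The notification step is the one most often skipped in practice: once the provider is gone, every dependent system's authorization rested partly on a control that no longer exists, which is exactly the kind of change the AO has to judge for reauthorization under the roles on pages 21 and 22. Keeping the orphaned controls visible in the inventory (here as a provider of None) makes that judgement an inventory query rather than a memory exercise.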
Page 42
Presentation notes: Ongoing Reporting: CyberScope
- Replaces the existing insecure paper- or e-mail-based reporting
- Handles manual and automated inputs of agency data for FISMA reporting
- Streamlines the process by providing a standard format for reporting
- Ultimately CyberScope will be a cybersecurity dashboard for the entire Federal Government
- Designed by the Department of Justice
- Managed by the Department of Homeland Security
- Collaboration with NIST for SCAP interoperability
http://scap.nist.gov/use-case/cyberscope/index.html
Page 43
Presentation notes: 2011 Reporting
“…agencies are required to adhere to Department of Homeland Security (DHS) direction to report data through CyberScope. This shift from the once-a-year FISMA reporting process to a monthly reporting of key metrics through CyberScope allows security practitioners to make decisions using more information - delivered more quickly than ever before.” OMB Memorandum 11-33, FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management.
Page 44
Presentation notes: Source: NIST SP 800-137
Page 45
Presentation notes: Assurance and Trustworthiness
- Does the light switch do anything else besides what it is supposed to do?
- What does the light switch look like from behind the wall?
- What types of components were used to construct the light switch and how was the switch assembled?
- Did the switch manufacturer follow industry best practices in the development process?
NIST SP 800-53 Rev 4, pg 26
Page 46
Presentation notes: The Compelling Argument for Assurance
Organizations specify assurance-related controls to define activities performed to generate relevant and credible evidence about the functionality and behavior of organizational information systems and to trace the evidence to the elements that provide such functionality/behavior. This evidence is used to obtain a degree of confidence that the systems satisfy stated security requirements—and do so while effectively supporting the organizational missions/business functions while being subjected to threats in the intended environments of operation. NIST SP 800-53 Rev 4, pg 22
Page 47
Presentation notes: Trustworthiness Model (NIST SP 800-53 Rev 4, pg 24)
Page 48
Presentation notes: Class Discussion: Continuous Monitoring
- Do you think agencies monitor security controls in a meaningful way? If not, why don’t agencies monitor in meaningful ways?
- What are some of the difficulties in implementing automated monitoring?
- Why is inventory so important to the continuous monitoring step?
- Is continuous monitoring going to be an easy problem to solve? If not, why not?
Page 49
Presentation notes: Picture: Empire Mine, Nevada City, CA; photo by Donald E. Hester, all rights reserved. Read: Official (ISC)2 Guide to CAP CBK, Second Edition, Chapter 7.
Page 50
The six RMF steps: Categorize, Select, Implement, Assess, Authorize, Monitor
Presentation notes: The Six Steps in the RMF
Page 51
Presentation notes: Multi-tiered Approach, NIST SP 800-37 Rev 1, § 2.1
Page 52
NIST
Page 53
The six RMF steps and their tasks:
Categorize
- TASK 1-1 Security Categorization
- TASK 1-2 Information System Description
- TASK 1-3 Information System Registration
Select
- TASK 2-1 Common Control Identification
- TASK 2-2 Security Control Selection
- TASK 2-3 Monitoring Strategy
- TASK 2-4 Security Plan Approval
Implement
- TASK 3-1 Security Control Implementation
- TASK 3-2 Security Control Documentation
Assess
- TASK 4-1 Assessment Preparation
- TASK 4-2 Security Control Assessment
- TASK 4-3 Security Assessment Report
- TASK 4-4 Remediation Actions
Authorize
- TASK 5-1 Plan of Action and Milestones
- TASK 5-2 Security Authorization Package
- TASK 5-3 Risk Determination
- TASK 5-4 Risk Acceptance
Monitor
- TASK 6-1 Information System and Environment Changes
- TASK 6-2 Ongoing Security Control Assessments
- TASK 6-3 Ongoing Remediation Actions
- TASK 6-4 Key Updates
- TASK 6-5 Security Status Reporting
- TASK 6-6 Ongoing Risk Determination and Acceptance
- TASK 6-7 Information System Removal and Decommissioning
Presentation notes: The Six Steps in the RMF