Categorize, Select, Implement, Assess, Authorize, Monitor

“Certification and accreditation is the methodology used to ensure that security controls are established for an information system, that these controls are functioning appropriately, and that management has authorized the operation of the system in its current security posture.” - Official (ISC)² Guide to the CAP CBK (1st ed.)

Information Assurance: “Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.” - CNSS Instruction No. 4009

Accreditation (security authorization): “The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.” - NIST SP rev 1

Why are Agencies riddled with security holes?

Need consistent management support
 Without management support people will not fulfill their obligations to the project
 Without management support you will not have access to needed resources and funding
 The Chief Information Security Officer (CISO) can keep the program visible by giving regular updates to C-level management

Life-cycle for the development of the documentation for the RMF process (diagram)
Phases: Development, Implementation, Maintenance, Disposal
Activities: Creation, Review, Approval, Communication, Compliance, Exceptions, Awareness, Monitoring, Enforcement, Maintenance, Retirement

“The Chief Information Officer, with the support of the senior agency information security officer, works closely with authorizing officials and their designated representatives to ensure that an agency-wide security program is effectively implemented, that the certifications and accreditations required across the agency are accomplished in a timely and cost-effective manner, and that there is centralized reporting of all security-related activities.” - NIST SP

Authorizing Official (AO): “A senior management official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations, agency assets, or individuals.” - NIST SP

Information System Owner (ISO): “Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.” - NIST SP

System Administrator: “Individual responsible for the installation and maintenance of an information system, providing effective information system utilization, adequate security parameters, and sound implementation of established Information Assurance policy and procedures.” - CNSS Instruction No. 4009

“The information system security officer often plays an active role in developing and updating the system security plan as well as in managing and controlling changes to the system and assessing the security impact of those changes.” - NIST SP

The certification agent is an individual, group, or organization responsible for conducting a security certification, or comprehensive assessment of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. - NIST SP

“At the discretion of senior agency officials, certain security certification and accreditation roles may be delegated and if so, appropriately documented. Agency officials may appoint appropriately qualified individuals, to include contractors, to perform the activities associated with any security certification and accreditation role with the exception of the Chief Information Officer and authorizing official. The Chief Information Officer and authorizing official have inherent United States Government authority, and those roles should be assigned to government personnel only. Individuals serving in delegated roles are able to operate with the authority of agency officials within the limits defined for the specific certification and accreditation activities. Agency officials retain ultimate responsibility, however, for the results of actions performed by individuals serving in delegated roles.” - NIST SP

Mission, Business Unit, IT, Security, Audit

Organizational roles (diagram): separation of duties (SOD) and middle-tier independence across the Mission, Business Unit, IT, Security, and Audit columns.
Top tier: Head of Agency (CEO); Risk Executive Function; AO
Program level and system level roles: IG, IA, SCA, SISO, ISSM, ISSO, CIO, SO, SA, BUM, IO, EU

Role mapping, DoDI (DIACAP) role -> SP Rev 1 (RMF) role:
Head of DoD Components -> Head of Agency (CEO)
Principal Accrediting Authority (PAA) -> Risk Executive Function and/or Approving Authority (AA)
Senior Information Assurance Officer (SIAO) -> Senior Information Security Officer (SISO)
Designated Accrediting Authority (DAA) -> Approving Authority (AA)
Systems Manager -> Common Control Provider and/or Systems Owner
Program Manager -> Common Control Provider and/or System Owner
Information Assurance Manager (IAM) -> ISSO and/or SISO
Information Assurance Officer (IAO) -> Information Systems Security Officer (ISSO)
Certification Agent -> Security Control Assessor

Certification categories (diagram): Management / Risk; Audit; Software Dev; Network / Communications
Certifications shown: CISSP, CISM, CISSP-ISSMP, CAP; CISA, GSNA; SSCP, CASP, Security+; CISSP-ISSEP / ISSAP, CSSLP

Level: Qualifying Certifications
CND Analyst: GCIA, CEH
CND Infrastructure Support: SSCP, CEH
CND Incident Responder: GCIH, GSIH, CEH
CND Auditor: CISA, CEH, GSNA
CND-SP Manager: CISM, CISSP-ISSEP

“The CNSS is directed to assure the security of NSS against technical exploitation by providing: reliable and continuing assessments of threats and vulnerabilities and implementation of effective countermeasures; a technical base within the USG to achieve this security; and support from the private sector to enhance that technical base assuring that information systems security products are available to secure NSS.”

You got to be careful if you don’t know where you’re going, because you might not get there. -- Yogi Berra

 Use some method of prioritizing risk posed by each category of threat and its related methods of attack
 To manage risk, you must identify and assess the value of your information assets
 Risk assessment assigns comparative risk rating or score to each specific information asset
 Risk management identifies vulnerabilities in an organization’s information systems and takes carefully reasoned steps to assure the confidentiality, integrity, and availability of all the components in organization’s information system

“The process of determining the maximum acceptable level of overall risk to and from a proposed activity, then using risk assessment techniques to determine the initial level of risk and, if this is excessive, developing a strategy to ameliorate appropriate individual risks until the overall level of risk is reduced to an acceptable level.” – Wiktionary
 Risk assessments
 Risk treatment


(Diagram axes: Connectivity, Complexity)

The Generalized Model
Common Information Security Requirements plus Unique Information Security Requirements (the “Delta”), across the Intelligence Community, Department of Defense, and Federal Civil Agencies (national security and non national security information systems).
Foundational Set of Information Security Standards and Guidance:
 Standardized risk management process
 Standardized security categorization (criticality/sensitivity)
 Standardized security controls (safeguards/countermeasures)
 Standardized security assessment procedures
 Standardized security authorization process

Links in the Security Chain: Management, Operational, and Technical Controls
Adversaries attack the weakest link…where is yours?
 Risk assessment
 Security planning, policies, procedures
 Configuration management and control
 Contingency planning
 Incident response planning
 Security awareness and training
 Security in acquisitions
 Physical security
 Personnel security
 Security assessments
 Certification and accreditation
 Access control mechanisms
 Identification & authentication mechanisms (Biometrics, tokens, passwords)
 Audit mechanisms
 Encryption mechanisms
 Boundary and network protection devices (Firewalls, guards, routers, gateways)
 Intrusion protection/detection systems
 Security configuration settings
 Anti-viral, anti-spyware, anti-spam software
 Smart cards

Security Life Cycle (SP)
Starting Point - CATEGORIZE Information System (FIPS 199 / SP): Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business.
SELECT Security Controls (FIPS 200 / SP): Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
IMPLEMENT Security Controls (SP): Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.
ASSESS Security Controls (SP A): Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system).
AUTHORIZE Information System (SP): Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
MONITOR Security State (SP / SP A): Continuously track changes to the information system that may affect security controls and reassess control effectiveness.

“Building information security into the infrastructure of the organization… so that critical enterprise missions and business cases will be protected.”

FIPS 199 potential impact levels (table): the loss of the security objective could be expected to have the stated adverse effect on organizational operations, organizational assets, or individuals.
                  LOW                        MODERATE                   HIGH
Confidentiality   limited adverse effect     serious adverse effect     severe or catastrophic adverse effect
Integrity         limited adverse effect     serious adverse effect     severe or catastrophic adverse effect
Availability      limited adverse effect     serious adverse effect     severe or catastrophic adverse effect
Example: An Enterprise Information System - Mapping Information Types to FIPS 199 Security Categories (SP)

Master Security Control Catalog: complete set of security controls and control enhancements.
Baseline #1 - Minimum Security Controls, Low Impact Information Systems: selection of a subset of security controls from the master catalog, consisting of basic level controls.
Baseline #2 - Minimum Security Controls, Moderate Impact Information Systems: builds on low baseline. Selection of a subset of controls from the master catalog: basic level controls, additional controls, and control enhancements.
Baseline #3 - Minimum Security Controls, High Impact Information Systems: builds on moderate baseline. Selection of a subset of controls from the master catalog: basic level controls, additional controls, and control enhancements.

Tailored Security Controls (diagram): the minimum security controls for low, moderate, and high impact information systems (Low Baseline, Moderate Baseline, High Baseline) are tailored to Enterprise #1 / Operational Environment #1, Enterprise #2 / Operational Environment #2, and Enterprise #3 / Operational Environment #3.
Cost effective, risk-based approach to achieving adequate information security…
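The categorize and select steps above (FIPS 199 impact levels, the high-water mark across information types, and baselines that each build on the previous one) are mechanical enough to show in code. The following Python is an added example written for this page; it is not part of the presentation or of any NIST publication. The information types, their impact levels, and the membership of the mini baseline catalog are constructed for illustration (the control identifiers follow SP 800-53 naming, but the sets are not the real baselines). The high-water-mark rule, and the FIPS 199 rule that only confidentiality may be marked "not applicable", are taken from FIPS 199 and FIPS 200 rather than from the slides.

```python
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact levels; NA (not applicable) is allowed only for confidentiality."""
    NA = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Constructed sample input: information types handled by one enterprise system, with
# provisional (confidentiality, integrity, availability) impact levels for each.
INFORMATION_TYPES = {
    "public web content": (Impact.NA, Impact.MODERATE, Impact.LOW),
    "employee PII": (Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "financial transactions": (Impact.MODERATE, Impact.HIGH, Impact.MODERATE),
}

OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_system(info_types):
    """Return the system security category: for each objective, the highest impact level
    among the information types the system processes (the FIPS 199 high-water mark)."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    category = {}
    for idx, objective in enumerate(OBJECTIVES):
        levels = [levels_tuple[idx] for levels_tuple in info_types.values()]
        if objective != "confidentiality" and Impact.NA in levels:
            raise ValueError(f"'not applicable' is only permitted for confidentiality, not {objective}")
        category[objective] = Impact(max(levels))
    return category


def overall_impact(category):
    """FIPS 200 rule: the overall impact level is the highest of the three objectives.
    It is never below LOW, because integrity and availability always apply."""
    return Impact(max(max(category.values()), Impact.LOW))


def format_security_category(category):
    """Render the category in the FIPS 199 notation used in system security plans."""
    parts = ", ".join(f"({objective}, {level.name})" for objective, level in category.items())
    return "SC = {" + parts + "}"


# Constructed mini catalog (NOT the real SP 800-53 baselines): each tier lists only what it
# adds on top of the previous one, mirroring "Baseline #2 builds on low baseline".
BASELINE_ADDITIONS = {
    Impact.LOW: {"AC-2", "AU-2", "CM-6", "IA-2"},
    Impact.MODERATE: {"AC-2(1)", "AU-2(3)", "CM-6(1)", "IA-2(1)"},
    Impact.HIGH: {"AC-2(4)", "AU-2(4)", "CM-6(2)"},
}


def select_baseline(level):
    """Return the cumulative set of baseline controls for an overall impact level."""
    if level == Impact.NA:
        raise ValueError("an information system cannot have an NA overall impact level")
    controls = set()
    for tier in (Impact.LOW, Impact.MODERATE, Impact.HIGH):
        controls |= BASELINE_ADDITIONS[tier]
        if tier == level:
            break
    return frozenset(controls)


if __name__ == "__main__":
    cat = categorize_system(INFORMATION_TYPES)
    level = overall_impact(cat)
    print(format_security_category(cat))
    print(f"overall impact: {level.name}; baseline has {len(select_baseline(level))} controls")
```

Tailoring and supplementation (the "Delta" the slides describe) would then add to or scope out members of the returned set, with the rationale recorded in the security plan.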

 System security plan reflects information system decomposition with adequate security controls assigned to each subsystem component.
 Security assessment procedures tailored for the security controls in each subsystem component and for the combined system-level controls.
 Security assessment performed on each subsystem component and on system-level controls not covered by subsystem assessments.
 Security authorization performed on the information system as a whole.
Diagram: Organizational Information System within an Authorization Boundary, with subsystem components Local Area Network Alpha, System Guard, and Local Area Network Bravo.

Applying the Risk Management Framework to Information Systems
Risk Management Framework steps applied to the INFORMATION SYSTEM: CATEGORIZE Information System, SELECT Security Controls, IMPLEMENT Security Controls, ASSESS Security Controls, AUTHORIZE Information System, MONITOR Security State.
Authorization Package (artifacts and evidence): SECURITY PLAN including updated Risk Assessment; SECURITY ASSESSMENT REPORT; PLAN OF ACTION AND MILESTONES.
Near Real Time Security Status Information: output from automated support tools.

Extending the Risk Management Framework to Organizations
RISK EXECUTIVE FUNCTION: enterprise-wide oversight, monitoring, and risk management; policy guidance.
Common Security Controls (infrastructure-based, system-inherited) and security requirements feed the RMF (RISK MANAGEMENT FRAMEWORK) applied to each INFORMATION SYSTEM.
Each information system produces an Authorization Decision supported by its SP (security plan), SAR (security assessment report), and POAM (plan of action and milestones).

Managing Risk at the Organizational Level
RISK EXECUTIVE FUNCTION: coordinated policy, risk, and security-related activities supporting organizational missions and business processes, down to information system-specific considerations (Mission / Business Processes -> Information System).
 Establish organizational information security priorities.
 Allocate information security resources across the organization.
 Provide oversight of information system security categorizations.
 Identify and assign responsibility for common security controls.
 Provide guidance on security control selection (tailoring and supplementation).
 Define common security control inheritance relationships for information systems.
 Establish and apply mandatory security configuration settings.
 Identify and correct systemic weaknesses and deficiencies in information systems.
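The MONITOR step in the security life cycle above (continuously track changes that may affect security controls and reassess control effectiveness) and the organizational item "establish and apply mandatory security configuration settings" meet in practice as a configuration-drift check over the output of automated support tools. The following Python is an added example for this page, not code from the presentation or any NIST tool. The mandatory baseline, the host snapshots, and the mapping from each setting to the controls it supports are all constructed for illustration; the control identifiers follow SP 800-53 naming style.

```python
# Mandatory configuration baseline: setting -> (rule, required value, controls it supports).
# "eq" requires the exact value, "min" requires observed >= value, "max" requires observed <= value.
MANDATORY_SETTINGS = {
    "password_min_length": ("min", 14, ("IA-5",)),
    "account_lockout_threshold": ("max", 5, ("AC-7",)),
    "audit_logon_events": ("eq", "enabled", ("AU-2",)),
    "remote_root_login": ("eq", "disabled", ("AC-17", "IA-2")),
}

# Constructed snapshots, as an automated support tool might report them.
HOST_SNAPSHOTS = {
    "web-01": {
        "password_min_length": 14,
        "account_lockout_threshold": 5,
        "audit_logon_events": "enabled",
        "remote_root_login": "disabled",
    },
    "db-01": {
        "password_min_length": 8,
        "account_lockout_threshold": 10,
        "audit_logon_events": "enabled",
        # remote_root_login deliberately absent: the tool did not report it
    },
}


def is_compliant(rule, required, observed):
    """Evaluate one observed setting against its baseline rule."""
    if rule == "eq":
        return observed == required
    numeric = isinstance(observed, (int, float)) and not isinstance(observed, bool)
    if rule == "min":
        return numeric and observed >= required
    if rule == "max":
        return numeric and observed <= required
    raise ValueError(f"unknown rule {rule!r}")


def detect_drift(baseline, snapshot):
    """Return (setting, requirement, observed) for every setting that is non-compliant or
    absent from the snapshot. An unreported setting is treated as drift: an unknown state
    cannot support a claim that the control is still operating as intended."""
    drift = []
    for setting, (rule, required, _controls) in baseline.items():
        requirement = f"{rule} {required}"
        if setting not in snapshot:
            drift.append((setting, requirement, None))
        elif not is_compliant(rule, required, snapshot[setting]):
            drift.append((setting, requirement, snapshot[setting]))
    return drift


def controls_to_reassess(baseline, drift):
    """Map drifted settings back to the controls they support: the reassessment scope."""
    return sorted({ctl for setting, _, _ in drift for ctl in baseline[setting][2]})


def monitoring_report(baseline, snapshots):
    """Per-host security status: drift found and the controls that need reassessment."""
    report = {}
    for host, snapshot in snapshots.items():
        drift = detect_drift(baseline, snapshot)
        report[host] = {"drift": drift, "reassess": controls_to_reassess(baseline, drift)}
    return report


if __name__ == "__main__":
    for host, status in monitoring_report(MANDATORY_SETTINGS, HOST_SNAPSHOTS).items():
        state = "compliant" if not status["drift"] else "reassess " + ", ".join(status["reassess"])
        print(f"{host}: {state}")
        for setting, requirement, observed in status["drift"]:
            print(f"  {setting}: required {requirement}, observed {observed!r}")
```

The per-host "reassess" list is what feeds the security assessment report and, for findings that are not fixed immediately, the plan of action and milestones; keeping the setting-to-control mapping in the baseline itself is what lets a monitoring tool say which controls an authorizing official should care about rather than only which files changed.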

Trust relationships between organizations (diagram): Organization One INFORMATION SYSTEM and Organization Two INFORMATION SYSTEM exchange business / mission information flow and security information (System Security Plan, Security Assessment Report, Plan of Action and Milestones).
Each organization: determining risk to the organization’s operations and assets, individuals, other organizations, and the Nation; and the acceptability of such risk.
The objective is to achieve visibility into and understanding of prospective partner’s information security programs…establishing a trust relationship based on the trustworthiness of their information systems.

 Information security requirements must be considered first order requirements and are critical to mission and business success.
 An effective organization-wide information security program helps to ensure that security considerations are specifically addressed in the enterprise architecture for the organization and are integrated early into the system development life cycle.

 Provides a common language for discussing information security in the context of organizational missions, business processes, and performance goals.
 Defines a collection of interrelated reference models that are focused on lines of business including Performance, Business, Service Component, Data, and Technical.
 Uses a security and privacy profile to describe how to integrate the Risk Management Framework into the reference models.

 The Risk Management Framework should be integrated into all phases of the SDLC.
   Initiation (RMF Steps 1 and 2)
   Development and Acquisition (RMF Step 2)
   Implementation (RMF Steps 3 through 5)
   Operations and Maintenance (RMF Step 6)
   Disposition (RMF Step 6)
 Reuse system development artifacts and evidence (e.g., design specifications, system documentation, testing and evaluation results) for risk management activities.

Trustworthiness (diagram): each Information System is composed of IT Products and is characterized by its Functionality and Assurance within an Operational Environment; a trust relationship links two such systems.
Producing evidence that supports the grounds for confidence in the design, development, implementation, and operation of information systems.