infosecforce risk management framework transition plan
Post on 20-Jul-2015
DIARMF and Continuous Monitoring
BILL ROSS
INFOSECFORCE
“Balancing security controls to business requirements”
RMF Overview
RMF History
12 March 2014: DoD mandates a 6-month migration plan to transition from DIACAP to the NIST-based Risk Management Framework (DIARMF)
RMF aligns DoD with the Executive Branch of government for system assurance and complies with FISMA
The DoD Certification and Accreditation (C&A) concept is replaced by Assessment and Authorization (A&A)
A more detailed and comprehensive risk management process
eMASS is the documentation and process tool
What is the RMF?
The Risk Management Framework (RMF) is the “common information security framework” for the federal government and its information and information systems. The goals of the RMF are:
To improve information security
To strengthen the risk management processes
To encourage reciprocity among federal agencies
To provide a continuous control monitoring service
DIACAP – DIARMF Process Comparison
References
(a) DoD Instruction 8510.01 of 12 March 2014, Risk Management Framework (RMF) for DoD Information Technology (IT)
(b) National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, of February 2010, as amended
(c) Committee on National Security Systems Instruction 1253 of March 27, 2014, Security Categorization and Control Selection for National Security Systems, as amended
(d) NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, of 30 April 2013, as amended
(e) DoD Instruction 8500.01 of 14 March 2014, DoD Cybersecurity
Automated tools such as the Enterprise Mission Assurance Support Service (eMASS) and the Ports, Protocols, and Services Management (PPSM) registry enable agile deployment.
DoD Cybersecurity Policy: DoDI 8500.01, DoDI 8510.01
Implementation Guidance: RMF Knowledge Service
Automated Implementation Guidance: eMASS
The RMF Knowledge Service is the authoritative source for information, guidance, procedures, and templates on how to execute the Risk Management Framework.
DoD Cybersecurity Policies provide clear, adaptable processes for stakeholders that support and secure missions and align with Federal requirements.
Initiate the DIARMF A&A procedure
Deliver the DIARMF A&A package
System Security Plan (SSP) – NIST SP 800-18
Security Assessment Report
Risk Assessment – NIST SP 800-30
Plan of Action and Milestones
Transmittal and Decision Letters (ATO, IATT, DATO)
Conduct DIARMF continuous control monitoring operations
RMF operational mechanics
DIARMF OPS
DIARMF Lifecycle
Continuous Monitoring within the Risk Management Framework
Control management
• Security Control Selection Documentation
• Control selection
• Continuous control monitoring
• Creating the PSSP
• Defining and categorizing the system based on controls
• Ensuring controls are put into the PSSP
• Ensuring controls are considered in the SDLC
• Continuous control assessment
• Ensure that the NIC vulnerability assessment program is reporting on the controls
• Ensuring control weaknesses are remediated
• Tracking control inheritance against all the PCI related systems
• Enter control management data into CFT
• Ensure that control deficiencies in all IT areas are POA&Med
• Ensure that the proper controls are examined in the IRAF
• Ensuring that if controls are added or the system is re-categorized, the proper control updates occur
• Determine teaming relationships with other parts of the NIC PCI effort
“During the security control selection process, organizations may begin planning for the continuous monitoring process by developing a monitoring strategy. The strategy can include, for example, monitoring criteria such as the volatility of specific security controls and the appropriate frequency of monitoring specific controls. Organizations may choose to address security control volatility and frequency of monitoring during control selection as inputs to the continuous monitoring process.” (DoDI 8510.01)
An effective continuous monitoring program includes:
• Configuration management and control processes for organizational information systems;
• Security impact analyses on proposed or actual changes to organizational information systems and environments of operation;
• Assessment of selected security controls (including system-specific, hybrid, and common controls) based on the organization-defined continuous monitoring strategy;
• Security status reporting to appropriate organizational officials;
• Active involvement by authorizing officials in the ongoing management of information system-related security risks.
The continuous monitoring test plan identifies the plans for testing a subset of the security controls (including management, operational, and technical controls) on an ongoing basis subsequent to the initial authorization. The selection of appropriate security controls to monitor and the frequency of monitoring are defined in the plan and approved by the authorizing official and senior information security officer. The use of automation to support security control assessments facilitates a greater frequency and volume of assessments that is consistent with the continuous monitoring strategy established by the organization.
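The volatility-driven monitoring frequency quoted from DoDI 8510.01 above and the test-plan cycle just described (assess a subset of controls on a schedule, POA&M the deficiencies, report status to the authorizing official), as an added worked example that is not part of this deck, of eMASS, or of any DoD tool; the control ids are NIST SP 800-53 identifiers, but the interval values, sample dates and assessment results are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy: reassessment interval (days) per control volatility class.
# Illustrative values only; not taken from DoDI 8510.01 or NIST SP 800-37.
VOLATILITY_INTERVAL_DAYS = {"high": 30, "medium": 90, "low": 365}
SAMPLE_TODAY = date(2015, 7, 20)  # constructed "current date" for the sample run


@dataclass
class Control:
    control_id: str      # NIST SP 800-53 identifier, e.g. "AC-2"
    volatility: str      # "high", "medium" or "low", decided during control selection
    last_assessed: date
    last_result: str     # "satisfied" or "other than satisfied"


@dataclass
class POAMItem:
    control_id: str
    weakness: str
    milestone: date      # scheduled completion date for remediation


def sample_controls():
    """Constructed sample of a system's selected controls (not real system data)."""
    return [
        Control("AC-2", "high", date(2015, 6, 15), "satisfied"),
        Control("CM-6", "medium", date(2015, 5, 1), "satisfied"),
        Control("PE-3", "low", date(2014, 7, 1), "satisfied"),
        Control("SI-2", "high", date(2015, 7, 10), "satisfied"),
    ]


def controls_due(controls, today):
    """Ids of controls whose volatility-based monitoring interval has elapsed."""
    return [c.control_id for c in controls
            if c.last_assessed + timedelta(days=VOLATILITY_INTERVAL_DAYS[c.volatility]) <= today]


def record_assessment(controls, results, today, remediation_days=90):
    """Apply ongoing assessment results; open a POA&M item for each deficient control."""
    items = []
    for c in controls:
        if c.control_id not in results:
            continue
        c.last_assessed, c.last_result = today, results[c.control_id]
        if c.last_result == "other than satisfied":
            items.append(POAMItem(c.control_id, f"{c.control_id} found other than satisfied",
                                  today + timedelta(days=remediation_days)))
    return items


def status_report(controls, poam_items, today):
    """Security status summary as reported to the authorizing official."""
    return {"satisfied": sum(c.last_result == "satisfied" for c in controls),
            "other_than_satisfied": sum(c.last_result == "other than satisfied" for c in controls),
            "overdue_assessments": len(controls_due(controls, today)),
            "open_poam_items": len(poam_items)}
```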
• RMF is highly control centric, with numerous control functions to accomplish
• Continuous monitoring within the RMF is a framework of its own that includes a detailed technical approach, specific goals and expected outcomes
• Structured control management requires continuous monitoring to measure success