ISA220 Risk Management Framework for Practitioners, Lesson 1.1 - DoD's Approach to Risk Management

Post on 10-Feb-2020

TRANSCRIPT


Welcome to DoD's Approach to Risk Management

In this lesson, you will learn about DoD's holistic approach to risk management, focusing on exercising cybersecurity risk management for DoD Information Technology.

This will include information on the U.S. government-wide transformation from certification and accreditation of information systems, a two-part process, to an iterative risk management process and cross-functional engagement with cybersecurity, program, and acquisition resources.

We will take a look at guidance for DoD risk management; the goals of the Risk Management Framework (RMF); the policies that support the DoD RMF; and DoD's transition to the RMF. Let's begin with DoD Risk Management.


Foundational Risk Management As It Applies to the DoD RMF

The DoD RMF addresses a subset of cybersecurity management of risk within the DoD's overarching acquisition risk management process. A foundational and holistic approach occurs at the organization, mission, and system levels, taking into account the organization as a whole, to include strategic goals and objectives and relationships between mission/business processes and supporting information systems.

The principal goal of an organization's risk management approach is to protect the organization and its ability to perform its mission. It is a multi-tiered approach that the risk executive function implements.

Successful organization-wide risk management programs build information security into the culture and infrastructure of the organization. The implementation of a carefully coordinated set of activities is required to ensure that fundamental requirements for information security are addressed within an organization's mainstream management and operational processes.




Figure: Managing risk is a holistic approach (long description). The organization, its strategic goals and objectives, its mission/business processes, and the security controls applied to information systems and supporting infrastructure are linked by:

• Potential mission or business impact

• Risk to organizational operations and assets, individuals, other organizations, and the Nation

• Senior leader/authorizing official involvement

• Allocation/prioritization of security resources

• Consideration of other types of risk

Strategic goals and objectives are complex and include many-to-many relationships among organizational mission/business processes and supporting information systems.

The arrows represent risk management from the organization through the business processes into, and from, the information system.


Risk Management Framework (RMF)

The DoD's RMF provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle for the selection, implementation, management, and monitoring of security controls.

There is a significant degree of flexibility in how organizations employ the risk management processes. While it is convenient to portray the risk management approach as hierarchical, the reality of project and organization dynamics can be much more complex.

The organizational management style may be at one or more points on the continuum from top-down command to consensus among peers. For risk management to succeed at all levels of the organization, the organization must have a consistent and effective approach that is applied to all risk management processes and procedures.

Organizational officials identify the resources necessary to complete the risk management tasks and ensure that those resources are made available to appropriate personnel. Resource allocation includes both funding to carry out the risk management tasks and assigning qualified personnel needed to accomplish the tasks.


Tiers of Risk Management

The DoD RMF governance structure implements the three-tiered approach to cybersecurity risk management described in NIST SP 800-39. The tiers are:

• Tier 1 - Organization: provides specific guidance for individual mission areas

• Tier 2 - Mission/Business Processes: implements direction/guidance

• Tier 3 - Information System (IS)/Platform Information Technology (PIT) Systems: implements direction/guidance from Tiers 1 and 2 while building and sustaining systems with the appropriate amount of cybersecurity to support the missions

The RMF operates primarily at Tier 3 in the risk management hierarchy but can also have interactions at Tiers 1 and 2 (e.g., providing feedback from ongoing authorization decisions to the risk executive and dissemination of updated threat and risk information to authorizing officials and information system owners).


Tier 1 - Key Personnel and Resources

The key governance elements in Tier 1 are the DoD Chief Information Officer (CIO), the DoD Senior Information Security Officer (SISO), and the Information Security Risk Management Committee (ISRMC).

DoD Chief Information Officer (CIO)

The DoD CIO directs and oversees the cybersecurity risk management of DoD IT.


DoD Senior Information Security Officer (SISO)

The DoD SISO, in accordance with DoDI 8500.01, represents the DoD CIO and directs and coordinates the DoD Cybersecurity program, which includes the establishment and maintenance of the RMF. In addition, the DoD SISO:

• Advises and informs the Public Affairs Officer (PAO) and other representatives

• Oversees the RMF Technical Advisory Group (TAG) and online RMF Knowledge Service (KS)

• Assesses and validates Tier 1 common security controls and publishes the list of controls on the RMF KS


Information Security Risk Management Committee (ISRMC)

The Risk Executive function consists of the DoD ISRMC, supported by the Defense Information Assurance (IA)/Security Accreditation Working Group (DSAWG).

The DoD ISRMC performs the DoD Risk Executive function as described in NIST SP 800-39. The committee:

• Provides strategic guidance to Tiers 2 & 3

• Assesses Tier 1 risk

• Authorizes information exchanges and connections for enterprise ISs, cross-mission area ISs, cross security domain connections, and mission partner connections

The DSAWG, in support of the DoD ISRMC, is the community forum for reviewing and resolving authorization issues related to the sharing of community risk. It develops and provides guidance to the AOs for IS connection to the DoD Information Enterprise. AOs who disagree with DSAWG decisions may appeal to the ISRMC.


Tier 1 - Key Personnel and Resources (Cont.)

The remaining Tier 1 governance elements are the DoD Information Enterprise, the DoD Cybersecurity Architecture, the RMF Technical Advisory Group (TAG), and the RMF Knowledge Service (KS).

DoD Information Enterprise

Enables a new net-centric way of working, constructed from the information itself as well as a set of standards, services, and procedures that enable information to be widely available to authorized users.

The delivered set of services and tools will provide information and capabilities that enable end-user communities to more effectively and efficiently support mission operations. Finally, the DoD Information Enterprise includes the networks over which information travels and the security protocols that protect it. Further information:

https://www.intelink.gov/wiki (Portal: DoD IE Strategic Plan and Roadmap)


DoD Cybersecurity Architecture

The DoD Cybersecurity Architecture consists of strategies, standards, and plans that have been developed for achieving an assured, integrated, and survivable information enterprise.


RMF Technical Advisory Group (TAG)

The RMF Technical Advisory Group (TAG) provides implementation guidance to the RMF by interfacing with the DoD Component cybersecurity programs, cybersecurity communities of interest (COIs), and other entities (e.g., DSAWG) to address issues that are common across all entities.


RMF Knowledge Service (KS)

The RMF Knowledge Service (KS) is a dynamic online knowledge base. It supports RMF implementation, planning, and execution, and functions as the authoritative source for RMF procedures and guidance.

https://rmfks.osd.mil/login.htm


Tier 1 - Organization

The benefits of Tier 1 are:

• Organization-wide security policies and procedures

• Oversight practices tailored to the organization's mission, operations, and needs

• Clear reporting processes for incident reporting, resource allocation, and Congressional budget

• Prioritization of information security requirements and allocation of resources based on risk

• Development of more consistent and cost-effective organization-wide solutions

• Consolidation and streamlining of security solutions across the organization to improve interoperability

• Information security considerations are integrated into the system development life cycles to save time and money


Tier 2 - Mission/Business Processes

Tier 2 addresses risk from a mission and business process perspective, at the level of a DoD Component (Army, Defense Logistics Agency, etc.), and is guided by the risk decisions at Tier 1. Tier 2 activities are closely associated with enterprise architecture and include:

• Defining the core missions and business processes for the organization (including any derivative or related missions and business processes carried out by subordinate organizations)

• Prioritizing missions and business processes with respect to the goals and objectives of the organization


Tier 2 - Mission/Business Processes (Cont.)

Tier 2 activities are closely associated with enterprise architecture and include:

• Defining the types of information that the organization needs to successfully execute the stated missions and business processes, and the information flows both internal and external to the organization

• Developing an organization-wide information protection strategy and incorporating high-level information security requirements into the core missions and business processes

• Specifying the degree of autonomy for subordinate organizations (i.e., organizations within the parent organization) that the parent organization permits for assessing, evaluating, mitigating, accepting, and monitoring risk

• Identifying priorities for the Mission/Business and providing guidance on sources of threat event information specific to the mission or line of business

• Identifying information production flow strategies and linkages to organizational enterprise architecture


Tier 2 - Mission/Business Processes (Cont.)

A Principal Authorizing Official (PAO) is appointed for each of the DoD Mission Areas (MAs) and is a member of the DoD ISRMC. PAOs must:

• Represent the interests of the MA, as defined in DoDD 8115.01, and, as required, issue authorization guidance specific to the MA consistent with DoDI 8510.01

• Resolve authorization issues in their MA and work with other PAOs to resolve issues among MAs as needed

• Designate Authorizing Officials (AOs) for Information and PIT systems in their MA (COIs specified in DoD 8320.02-G), in coordination with appropriate DoD Component heads if required

• Designate information security architects or IS security engineers for MA segments or systems of systems as needed

The DoD Component CIO, supported by the DoD Component SISO, is responsible for:

• Administering the RMF within the DoD Component cybersecurity program

• Participating in the RMF TAG

• Maintaining visibility and sharing of the RMF status of assigned IS and PIT systems

• Enforcing training requirements for persons participating in the RMF

The DoD Component SISO has the authority and responsibility for security controls assessment and must establish and manage a coordinated security assessment process for information technologies governed by the DoD Component cybersecurity program.

Note: All documents mentioned in this course can be found through the OSD Knowledge Service (CAC enabled). Link: https://rmfks.osd.mil/rmf/SiteResources/References/Pages/Links.aspx


Tier 3 - IS/PIT Systems

Tier 3, IS and PIT systems, consists of the Authorizing Official (AO) and the IS or PIT System Cybersecurity Program.

Authorizing Official (AO): DoD Component heads are responsible for the appointment of trained and qualified AOs for all DoD ISs and PIT systems within their Component.

AOs should be appointed from senior leadership positions within business owner and mission owner organizations to promote accountability in authorization decisions that balance mission and business needs and security concerns.

IS or PIT System Cybersecurity Program: Consists of the policies, procedures, and activities of the Information System Owner (ISO), Program Manager/Systems Manager (PM/SM), User Representative (UR), Information System Security Manager (ISSM), and Information System Security Officers (ISSO) at the system level.

The Program implements and executes policy and guidance from Tier 1 and Tier 2 and augments them as needed. Also, the Program is responsible for establishing and maintaining the security of the system, including the monitoring and reporting of the system security status.


Successful Risk Management Programs

For acquisition programs and cybersecurity risk management to be successful, organizations need to:

• Conduct risk assessments

• Implement risk mitigation strategies

• Employ techniques and procedures for continuously monitoring the security state of information systems

An effective Risk Management Program allows balance between costs of protective measures and gains in mission capability.


Risk Management Guidance As It Relates to the DoD RMF

The DoD leverages several policy and guidance documents to address the Department's focus on risk management. Per Department of Defense Instruction (DoDI) 5000.02 and DoDI 8500.01, building cybersecurity into the system early and throughout the life cycle is required to enable operational and technical cybersecurity risks to be identified and sufficiently mitigated throughout the acquisition process. It will also lead to decreased program costs, shortened schedules, and improved system performance, resilience, and trustworthiness.

Following are two references cybersecurity professionals and program managers can use for guidance:

• The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs

• The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle


The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs, dated January 2017, replaces the DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs dated June 2015 and the Risk Management Guide for DoD Acquisition Programs dated 2006. This guide builds from previous editions of the DoD Risk Management Guide but reflects revisions to emphasize managing not only program risks but also issues and opportunities, and is complementary to the Risk Management Framework.


The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle is designed to help Program Managers (PMs) understand how to integrate cybersecurity into their programs throughout the system life cycle. This should be done in accordance with the RMF and through collaboration with the Authorizing Official (AO), who ensures that the cybersecurity risk posture of the system is managed and maintained during operations.


Knowledge Review 1

The process of managing risks to organizational operations, organizational assets, individuals, other organizations, or the Nation resulting from the operation or use of an information system includes:

• conducting a risk assessment

• the implementation of a risk mitigation strategy

• documenting the overall risk management program

• all of the above

Answer: all of the above. Conducting a risk assessment, implementing a risk mitigation strategy, and documenting the overall risk management program are the processes of managing risks.


Federal-wide Partnership to Establish Single Approach to Risk Management for National Security Systems

In 2009, the Joint Task Force Transformation Initiative Interagency Working Group was formed with representatives from NIST, DoD, CNSS, and the Office of the Director of National Intelligence (ODNI) to produce a unified information risk management framework for the federal government.

The move to the RMF aligns the DoD with the Federal government's risk management approach as described in the Joint Task Force Transformation Initiative Interagency Working Group efforts and captured in NIST 800-series Special Publications on information security.

DoD leverages and builds upon numerous existing Federal policies and standards, resulting in less DoD policy to write and maintain.

DoD participates in CNSS and NIST policy development as a vested stakeholder, with the goals of a more synchronized cybersecurity landscape and to protect the unique requirements of DoD Missions and warfighters.


Figure: Joint Task Force Transformation Initiative (long description). The Department of Defense (DoD), IC, Civil, and the CNSS form the Joint Task Force Transformation Initiative. This initiative provides Risk Management for the Federal Government, DoD, Intelligence Community, Other Government Agencies, CNSS, and NIST.


DoDI Policies and Risk Management

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD-specific needs.

The framework diagram groups the policies by source (links to the policies are in the Resources section):

• NIST: SP 800-39, SP 800-37, SP 800-30, SP 800-53, SP 800-53A, SP 800-137, SP 800-60, SP 800-160

• DoD: DoDI 8500.01, DoDI 8510.01, RMF Knowledge Service

• NSS: CNSSP 22, CNSSI 1253, CNSS ?009 (number partly illegible in the figure)


NIST SP 800-39

NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, is the flagship document in the series of information security standards and guidelines developed by NIST in response to the Federal Information Security Management Act (FISMA).

The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.

Special Publication 800-39 provides a structured, yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.

The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the risk management guidance described herein is complementary to and should be used as part of a more comprehensive Enterprise Risk Management (ERM) program.


DoDI 8500.01

DoDI 8500.01, Cybersecurity, established a DoD cybersecurity program to protect and defend DoD information and IT. It establishes the positions of DoD Principal Authorizing Official (PAO) and the DoD Senior Information Security Officer (SISO) and continues the DoD Information Security Risk Management Committee (DoD ISRMC) (formerly known as the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel).

This policy adopted the term cybersecurity, as it is defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23, to be used throughout DoD instead of the term Information Assurance (IA).


CNSSP No. 22

CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems, requires the implementation of an integrated, organization-wide program for managing IA risk to organizational operations (i.e., mission, functions, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of NSS. Risk management is a comprehensive process that requires organizations to frame risk, assess risk, respond to risk once determined, and monitor risk on an ongoing basis.


NIST SP 800-37

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, is a common information security framework for the federal government and its supporting contractors as part of the Joint Task Force Transformation Initiative, and defines the following Risk Management Framework principles:

• Ensure management of risk from the operation and use of federal information systems is consistent with the organization's mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function)

• Ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes

• Support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results

• Achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies


CNSSI 1253

CNSSI 1253, Security Categorization and Control Selection for National Security Systems, is a companion document to NIST SP 800-53 for organizations that employ NSS. It establishes the processes for categorizing NSS and the information they process, and for appropriately selecting security controls for NSS from NIST SP 800-53.


NIST SP 800-30

NIST SP 800-30, Information Security, provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments carried out at all three tiers in the risk management hierarchy are part of an overall risk management process, providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.

In particular, this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and how risk assessments and other organizational risk management processes complement and inform each other.

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis, so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and different courses of action should be taken.


DoDI 8510.01

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life cycle cybersecurity risk to DoD IT. It designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG. The direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT became available. Procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD, and between DoD and other federal agencies, for the authorization and connection of Information Systems (ISs) became available.

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), applies to:

• The Office of the Secretary of Defense, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (referred to collectively in the instruction as the DoD Components)

• All DoD IT that receives, processes, stores, displays, or transmits DoD information. These technologies are broadly grouped as DoD Information Systems (IS), Platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, Test and Evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD.


CNSS 4009

CNSS 4009, National Information Assurance (IA) Glossary, contains IA terms submitted by the CNSS membership.


NIST SP 800-53

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.


NIST SP 800-53A

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans, and includes a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.


NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides guidance for ongoing monitoring of security. This policy includes:

• Determining if security controls continue to be effective over time

• How to respond to risk as situations change

• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance


Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.


NIST SP 800-60

NIST SP 800-60, Information Security, addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)

• Information systems (e.g., mission critical, mission support, administrative)


NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts, and covers 11 core technical processes in systems and software development.

The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities

• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle

• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied

• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria


Long Description

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies include:

• NIST SP 800-39 input into DoDI 8500.01
• NIST SP 800-37 input into DoDI 8500.01 and DoDI 8510.01
• NIST SP 800-30 input into DoDI 8510.01
• NIST SP 800-53 input into DoDI 8510.01
• NIST SP 800-53A input into DoDI 8510.01
• NIST SP 800-137 input into DoDI 8510.01
• NIST SP 800-60 input into the Knowledge Service
• NIST SP 800-160 input into the Knowledge Service

NSS policies include:

• CNSSP 22 input into DoDI 8500.01
• CNSSI 1253 (with NIST SP 800-37) input into DoDI 8500.01 and DoDI 8510.01
• CNSS 4009 input into DoDI 8510.01


DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework

Headings: Decision Structure; NIST SP 800-37; FISMA 2014; CNSSI 1253


Decision Structure

The DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.


NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF, consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.


FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014.

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (U.S.C.).


CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system, and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53

• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)

• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS


DoD Risk Management Framework Policy (Cont.)

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process

• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely, documented, and reported to the responsible DoD Component Senior Information Security Officer (SISO)

• All DoD Information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01

• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system

• Continuous monitoring capabilities will be implemented to the greatest extent possible

• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes


Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the __________ to establish a single approach to managing risk within National Security Systems. (Fill in the blank)

Options: US Army; US Air Force; US Marine Corps; US Navy; Intelligence Community; National Institute of Standards and Technology (NIST); Committee on National Security Systems (CNSS); Department of Justice; Department of Commerce; Department of Interior

Check Answer

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.


Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

• An information system connecting to another information system

• A system that has already been tested and evaluated to meet security requirements for another purpose

• A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information

• A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Check Answer

Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.


Lesson Completion

You have completed the content for this lesson

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents click the Show TOC button at the top in the Atlas navigation bar


Foundational Risk Management As It Applies to the DoD RMF

The DoD RMF addresses a subset of cybersecurity management of risk within the DoD's overarching acquisition risk management process. A foundational and holistic approach occurs at the organization, mission, and system levels, taking into account the organization as a whole, to include strategic goals and objectives and relationships between mission/business processes and supporting information systems.

The principal goal of an organization's risk management approach is to protect the organization and its ability to perform its mission. It is a multi-tiered approach that the risk executive function implements.

Successful organization-wide risk management programs build information security into the culture and infrastructure of the organization. The implementation of a carefully coordinated set of activities is required to ensure that fundamental requirements for information security are addressed within an organization's mainstream management and operational processes.

Please select the magnifying glass to the right to view more detail on a holistic approach to managing risk.


[Figure: Managing Risk is a Holistic Approach, showing the organization (strategic goals and objectives), mission/business processes, and information systems, with security controls applied to information systems and supporting infrastructure]


Long Description

Managing risk is a holistic approach to managing risk:

• Potential mission or business impact

• Risk to organizational operations and assets, individuals, other organizations, and the Nation

• Senior leader/authorizing official involvement

• Allocation/prioritization of security resources

• Consideration of other types of risk

Strategic Goals and Objectives are complex and include many-to-many relationships among organizational mission/business processes and supporting information systems.

The arrows represent risk management from the organization, through the business processes, into and from the information system.


Risk Management Framework (RMF)

The DoD's RMF provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle for the selection, implementation, management, and monitoring of security controls.

There is a significant degree of flexibility in how organizations employ the risk management processes. While it is convenient to portray the risk management approach as hierarchical, the reality of project and organization dynamics can be much more complex.

The organizational management style may be at one or more points on the continuum from top-down command to consensus among peers. For risk management to succeed at all levels of the organization, the organization must have a consistent and effective approach that is applied to all risk management processes and procedures.

Organizational officials identify the resources necessary to complete the risk management tasks and ensure that those resources are made available to appropriate personnel. Resource allocation includes both funding to carry out the risk management tasks and assigning qualified personnel needed to accomplish the tasks.


Tiers of Risk Management

The DoD RMF governance structure implements the three-tiered approach to cybersecurity risk management described in NIST SP 800-39. The tiers are:

• Tier 1-Organization: provides specific guidance for individual mission areas

• Tier 2-Mission/Business Processes: implements direction/guidance

• Tier 3-Information System (IS)/Platform Information Technology (PIT) Systems: implements direction/guidance from Tiers 1 and 2 while building and sustaining systems with the appropriate amount of cybersecurity to support the missions

The RMF operates primarily at Tier 3 in the risk management hierarchy, but can also have interactions at Tiers 1 and 2 (e.g., providing feedback from ongoing authorization decisions to the risk executive, and dissemination of updated threat and risk information to authorizing officials and information system owners).



Tier 1 - Key Personnel and Resources

Select each item for more information on the key governance elements in Tier 1.

DoD Chief Information Officer (CIO)

The DoD CIO directs and oversees the cybersecurity risk management of DoD IT.


DoD Senior Information Security Officer (SISO)

The DoD SISO, in accordance with DoDI 8500.01, represents the DoD CIO and directs and coordinates the DoD Cybersecurity program, which includes the establishment and maintenance of the RMF. In addition, the DoD SISO:

• Advises and informs the Public Affairs Officer (PAO) and other representatives

• Oversees the RMF Technical Advisory Group (TAG) and the online RMF Knowledge Service (KS)

• Assesses and validates Tier 1 common security controls and publishes the list of controls on the RMF KS


Information Security Risk Management Committee (ISRMC)

The Risk Executive function consists of the DoD ISRMC, supported by the Defense Information Assurance (IA)/Security Accreditation Working Group (DSAWG).

The DoD ISRMC performs the DoD Risk Executive function as described in NIST SP 800-39. The committee:

• Provides strategic guidance to Tiers 2 & 3

• Assesses Tier 1 risk

• Authorizes information exchanges and connections for enterprise ISs, cross-mission area ISs, cross security domain connections, and mission partner connections

The DSAWG, in support of the DoD ISRMC, is the community forum for reviewing and resolving authorization issues related to the sharing of community risk. It develops and provides guidance to the AOs for IS connection to the DoD Information Enterprise. AOs who disagree with DSAWG decisions may appeal to the ISRMC.


Tier 1 - Key Personnel and Resources (Cont.)

Select each item for more information on the key governance elements in Tier 1.

DoD Information Enterprise

Enables a new net-centric way of working, constructed from the information itself as well as a set of standards, services, and procedures that enable information to be widely available to authorized users.

The delivered set of services and tools will provide information and capabilities that enable end-user communities to more effectively and efficiently support mission operations. Finally, the DoD Information Enterprise includes the networks over which information travels and the security protocols that protect it.

Further information: https://www.intelink.gov/wiki, Portal DoD IE Strategic Plan and Roadmap


DoD Cybersecurity Architecture

The DoD Cybersecurity Architecture consists of strategies, standards, and plans that have been developed for achieving an assured, integrated, and survivable information enterprise.


RMF Technical Advisory Group (TAG)

The RMF Technical Advisory Group (TAG) provides implementation guidance to the RMF by interfacing with the DoD Component cybersecurity programs, cybersecurity communities of interest (COIs), and other entities (e.g., DSAWG) to address issues that are common across all entities.


RMF Knowledge Service (KS)

The RMF Knowledge Service (KS) is a dynamic online knowledge base. It supports RMF implementation, planning, and execution, and functions as the authoritative source for RMF procedures and guidance.

https://rmfks.osd.mil/login.htm

Tier 1 - Organization

The benefits of Tier 1 are:

• Organization-wide security policies and procedures

• Oversight practices tailored to the organization's mission, operations, and needs

• Clear reporting processes for incident reporting, resource allocation, and Congressional budget

• Prioritization of information security requirements and allocation of resources based on risk

• Development of more consistent and cost-effective organization-wide solutions

• Consolidation and streamlining of security solutions across the organization to improve interoperability

• Information security considerations are integrated into the system development life cycles to save time and money

Tier 2 - Mission/Business Processes

Tier 2 addresses risk from a mission and business process perspective (DoD Components such as the Army, the Defense Logistics Agency, etc.) and is guided by the risk decisions at Tier 1. Tier 2 activities are closely associated with enterprise architecture and include:

• Defining the core missions and business processes for the organization (including any derivative or related missions and business processes carried out by subordinate organizations)

• Prioritizing missions and business processes with respect to the goals and objectives of the organization

• Defining the types of information that the organization needs to successfully execute the stated missions and business processes, and the information flows both internal and external to the organization

• Developing an organization-wide information protection strategy and incorporating high-level information security requirements into the core missions and business processes

• Specifying the degree of autonomy for subordinate organizations (i.e., organizations within the parent organization) that the parent organization permits for assessing, evaluating, mitigating, accepting, and monitoring risk

• Identifying priorities for the Mission/Business and providing guidance on sources of threat event information specific to the mission or line of business

• Identifying information production flow strategies and linkages to organizational enterprise architecture

Tier 2 - Mission/Business Processes (Cont.)

A Principal Authorizing Official (PAO) is appointed for each of the DoD Mission Areas (MAs) and is a member of the DoD ISRMC. PAOs must:

• Represent the interests of the MA as defined in DoDD 8115.01 and, as required, issue authorization guidance specific to the MA consistent with DoDI 8510.01

• Resolve authorization issues in their MA and work with other PAOs to resolve issues among MAs as needed

• Designate Authorizing Officials (AOs) for Information and PIT systems in their MA, COIs specified in DoD 8320.02-G, in coordination with appropriate DoD Component heads if required

• Designate information security architects or IS security engineers for MA segments or systems of systems as needed

The DoD Component CIO, supported by the DoD Component SISO, is responsible for:

• Administering the RMF within the DoD Component cybersecurity program

• Participating in the RMF TAG

• Maintaining visibility and sharing of the RMF status of assigned IS and PIT systems

• Enforcing training requirements for persons participating in the RMF

The DoD Component SISO has the authority and responsibility for security controls assessment and must establish and manage a coordinated security assessment process for information technologies governed by the DoD Component cybersecurity program.

Note: All documents mentioned in this course can be found through the OSD Knowledge Service (CAC enabled). Link: https://rmfks.osd.mil/rmf/SiteResources/References/Pages/Links.aspx

Tier 3 - IS/PIT Systems

Tier 3 (IS and PIT systems) consists of the following elements.

Authorizing Official (AO): DoD Component heads are responsible for the appointment of trained and qualified AOs for all DoD ISs and PIT systems within their Component. AOs should be appointed from senior leadership positions within business owner and mission owner organizations to promote accountability in authorization decisions that balance mission and business needs and security concerns.

IS or PIT System Cybersecurity Program: Consists of the policies, procedures, and activities of the Information System Owner (ISO), Program Manager/Systems Manager (PM/SM), User Representative (UR), Information System Security Manager (ISSM), and Information System Security Officers (ISSO) at the system level.

The Program implements and executes policy and guidance from Tier 1 and Tier 2 and augments them as needed. Also, the Program is responsible for establishing and maintaining the security of the system, including the monitoring and reporting of the system security status.


Successful Risk Management Programs

For acquisition programs and cybersecurity risk management to be successful, organizations need to:

• Conduct risk assessments

• Implement risk mitigation strategies

• Employ techniques and procedures for continuously monitoring the security state of information systems

An effective Risk Management Program allows balance between the costs of protective measures and gains in mission capability.

Risk Management Guidance As It Relates to the DoD RMF

The DoD leverages several policy and guidance documents to address the Department's focus on risk management. Per Department of Defense Instruction (DoDI) 5000.02 and DoDI 8500.01, building cybersecurity into the system early and throughout the life cycle is required to enable operational and technical cybersecurity risks to be identified and sufficiently mitigated throughout the acquisition process. It will also lead to decreased program costs, shortened schedules, and improved system performance, resilience, and trustworthiness.

Following are two references cybersecurity professionals and program managers can use for guidance:

• The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs

• The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle


The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs, dated January 2017, replaces the DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs dated June 2015 and the Risk Management Guide for DoD Acquisition Programs dated 2006. This guide builds from previous editions of the DoD Risk Management Guide but reflects revisions to emphasize managing not only program risks but also issues and opportunities, and is complementary to the Risk Management Framework.


The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle is designed to help Program Managers (PMs) understand how to integrate cybersecurity into their programs throughout the system life cycle. This should be done in accordance with the RMF and through collaboration with the Authorizing Official (AO), who ensures that the cybersecurity risk posture of the system is managed and maintained during operations.


Knowledge Review 1

The process of managing risks to organizational operations, organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system includes:

[ ] conducting a risk assessment

[ ] the implementation of a risk mitigation strategy

[ ] documenting the overall risk management program

[x] all of the above

Check Answer: Conducting a risk assessment, implementing a risk mitigation strategy, and documenting the overall risk management program are the processes of managing risks.

Federal-wide Partnership to Establish Single Approach to Risk Management for National Security Systems

In 2009, the Joint Task Force Transformation Initiative Interagency Working Group was formed with representatives from NIST, DoD, CNSS, and the Office of the Director of National Intelligence (ODNI) to produce a unified information risk management framework for the federal government.

The move to the RMF aligns the DoD with the Federal government's risk management approach as described in the Joint Task Force Transformation Initiative Interagency Working Group efforts and captured in the NIST 800-series Special Publications on information security.

DoD leverages and builds upon numerous existing Federal policies and standards, resulting in less DoD policy to write and maintain.

DoD participates in CNSS and NIST policy development as a vested stakeholder, with the goals of a more synchronized cybersecurity landscape and protecting the unique requirements of DoD missions and warfighters.

Figure (long description): The Department of Defense (DoD), IC, Civil, and the CNSS form the Joint Task Force Transformation Initiative. This initiative provides Risk Management for the Federal Government, DoD, Intelligence Community, Other Government Agencies, CNSS, and NIST.


DoDI Policies and Risk Management

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD-specific needs.

Please select each box of the framework for an overview of the policy. The links to the policies will be made available in the Resources section.

Figure (framework diagram): NIST: SP 800-39, SP 800-37, SP 800-30, SP 800-53, SP 800-53A, SP 800-137, SP 800-60, SP 800-160. DoD: DoDI 8500.01, DoDI 8510.01, Knowledge Service. NSS: CNSSP 22, CNSSI 1253, CNSS 4009.

NIST SP 800-39

NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, is the flagship document in the series of information security standards and guidelines developed by NIST in response to the Federal Information Security Management Act (FISMA).

The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.

Special Publication 800-39 provides a structured, yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.

The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the risk management guidance described herein is complementary to and should be used as part of a more comprehensive Enterprise Risk Management (ERM) program.


DoDI 8500.01

DoDI 8500.01, Cybersecurity, established a DoD cybersecurity program to protect and defend DoD information and IT. It establishes the positions of DoD Principal Authorizing Official (PAO) and the DoD Senior Information Security Officer (SISO) and continues the DoD Information Security Risk Management Committee (DoD ISRMC), formerly known as the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel.

This policy adopted the term cybersecurity, as it is defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23, to be used throughout DoD instead of the term Information Assurance (IA).


CNSSP No. 22

CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems, requires the implementation of an integrated organization-wide program for managing IA risk to organizational operations (i.e., mission, functions, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of NSS. Risk management is a comprehensive process that requires organizations to frame risk, assess risk, respond to risk once determined, and monitor risk on an ongoing basis.

NIST SP 800-37

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, is a common information security framework for the federal government and its supporting contractors as part of the Joint Task Force Transformation Initiative, and defines the following Risk Management Framework principles:

• Ensure management of risk from the operation and use of federal information systems is consistent with the organization's mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function)

• Ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes

• Support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results

• Achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies


CNSSI 1253

CNSSI 1253, Security Categorization and Control Selection for National Security Systems, is a companion document to NIST SP 800-53 for organizations that employ NSS. It establishes the processes for categorizing NSS and the information they process, and for appropriately selecting security controls for NSS from NIST SP 800-53.

NIST SP 800-30

NIST SP 800-30, Information Security, provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments, carried out at all three tiers in the risk management hierarchy, are part of an overall risk management process, providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.

In particular, this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and how risk assessments and other organizational risk management processes complement and inform each other.

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis, so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and different courses of action should be taken.


DoDI 851001

DoDI 851001 Risk Management Framework (RMF) for DoD Information Technology ( IT) implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life cycle cybersecurity risk to DoD IT It designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG The direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT became available Procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD and between DoD and other federal agencies for the authorization and connection of Information Systems ( ISs) became available

DoDI 8510.01 applies to:

• The Office of the Secretary of Defense, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (referred to collectively in the instruction as the DoD Components).
• All DoD IT that receives, processes, stores, displays, or transmits DoD information. These technologies are broadly grouped as DoD Information Systems (IS), Platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, Test and Evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD.



CNSS 4009

CNSS 4009, National Information Assurance (IA) Glossary, contains IA terms submitted by the CNSS membership.

NIST SP 800-53

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government, to meet the requirements of Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.


NIST SP 800-53A

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans, and includes a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.


NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides guidance on the ongoing monitoring of security. The guidance covers:

• Determining if security controls continue to be effective over time
• How to respond to risk as situations change
• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance


Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.


NIST SP 800-60

NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)
• Information systems (e.g., mission critical, mission support, administrative)


NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts and covers 11 core technical processes in systems and software development. The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities
• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle
• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied
• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria


How the policies relate: DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies include:

• NIST SP 800-39: input into DoDI 8500.01
• NIST SP 800-37: input into DoDI 8500.01 and DoDI 8510.01
• NIST SP 800-30: input into DoDI 8510.01
• NIST SP 800-53: input into DoDI 8510.01
• NIST SP 800-53A: input into DoDI 8510.01
• NIST SP 800-137: input into DoDI 8510.01
• NIST SP 800-60: input into the Knowledge Service
• NIST SP 800-160: input into the Knowledge Service

NSS policies include:

• CNSSP 22: input into DoDI 8500.01
• CNSSI 1253: input into DoDI 8500.01 and DoDI 8510.01
• CNSS 4009: input into DoDI 8510.01

DoD Risk Management Framework Policy

Key policy requirements for the execution of the DoD Risk Management Framework:

Decision Structure

The DoD will establish and use an integrated, enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in the instruction.

NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF, consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.

FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014. DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (USC).

CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53
• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)
• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS
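As an added illustration (not part of the ISA220 course or of DoD guidance), the Python below sketches the categorize-then-select sequence the CNSSI 1253 requirement describes: roll up the impact values of the information types a system handles into a system categorization, one objective at a time, then pick controls against a baseline. CNSSI 1253 keeps the confidentiality, integrity and availability values separate (e.g. M-M-L) rather than collapsing them to a single overall level the way the FIPS 200 high water mark does, and the contrast function shows what changes if the high water mark were applied to all three objectives. The information types, their impact values and the control-to-objective table are constructed for the example; the table is a hypothetical stand-in for the real CNSSI 1253 baselines, not a copy of them.

```python
"""Security categorization and baseline selection by objective.

Added illustration, not course material. Information types and the control
table are constructed; the table is a hypothetical stand-in for the CNSSI 1253
baselines. Control IDs are NIST SP 800-53 identifiers, but the objective and
threshold assigned to each here are illustrative only.
"""
from typing import Dict, List, Tuple

LEVELS = ("low", "moderate", "high")
RANK = {level: n for n, level in enumerate(LEVELS)}

# Constructed sample: information types handled by one system, with the
# provisional (C, I, A) impact values assigned to each type.
SAMPLE_INFO_TYPES: Dict[str, Tuple[str, str, str]] = {
    "personnel_records": ("moderate", "moderate", "low"),
    "logistics_status": ("low", "moderate", "low"),
    "public_notices": ("low", "low", "low"),
}

# Hypothetical baseline table: control -> (objective it protects, lowest
# impact level at which the control is required for that objective).
HYPOTHETICAL_BASELINE: Dict[str, Tuple[str, str]] = {
    "AC-3": ("confidentiality", "low"),
    "SC-8": ("confidentiality", "moderate"),
    "SI-7": ("integrity", "moderate"),
    "CP-9": ("availability", "low"),
    "CP-7": ("availability", "moderate"),
}


def categorize(info_types: Dict[str, Tuple[str, str, str]]) -> Tuple[str, str, str]:
    """Roll per-type impacts up to a system categorization, per objective.

    Each of C, I and A takes the highest value any information type carries
    for that objective; the three values stay separate (no overall high
    water mark across objectives).
    """
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    rolled_up: List[str] = []
    for objective in range(3):
        highest = max(
            (impacts[objective] for impacts in info_types.values()),
            key=lambda level: RANK[level],
        )
        rolled_up.append(highest)
    return rolled_up[0], rolled_up[1], rolled_up[2]


def fips200_high_water_mark(categorization: Tuple[str, str, str]) -> str:
    """The single overall level a FIPS 200 high water mark would give; for contrast."""
    return max(categorization, key=lambda level: RANK[level])


def select_controls(
    categorization: Tuple[str, str, str],
    baseline: Dict[str, Tuple[str, str]] = HYPOTHETICAL_BASELINE,
) -> List[str]:
    """Select every control whose objective is categorized at or above its threshold."""
    conf, integ, avail = categorization
    level_for = {"confidentiality": conf, "integrity": integ, "availability": avail}
    return sorted(
        control
        for control, (objective, threshold) in baseline.items()
        if RANK[level_for[objective]] >= RANK[threshold]
    )


if __name__ == "__main__":
    cat = categorize(SAMPLE_INFO_TYPES)
    hwm = fips200_high_water_mark(cat)
    print("per-objective categorization:", cat)
    print("controls selected per objective:", select_controls(cat))
    print("controls if the overall high water mark were applied to all three objectives:",
          select_controls((hwm, hwm, hwm)))
```

With the constructed types the system categorizes as moderate-moderate-low, so the availability control with a moderate threshold (CP-7 in the hypothetical table) is not selected; applying the overall high water mark (moderate) to all three objectives would pull it in. In practice the baselines, overlays and DoD-specific assignment values come from CNSSI 1253 and the RMF KS, not from a table like the one above.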

Further key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process.
• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely, documented, and reported to the responsible DoD Component Senior Information Security Officer (SISO).
• All DoD Information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01.
• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.
• Continuous monitoring capabilities will be implemented to the greatest extent possible.
• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes.

Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ______ to establish a single approach to managing risk within National Security Systems. (Fill in the blank)

• US Army, US Air Force, US Marine Corps, US Navy
• Intelligence Community, National Institute of Standards and Technology (NIST), Committee on National Security Systems (CNSS) [correct]
• Department of Justice, Department of Commerce
• Department of Interior

Answer: As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.

Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

• An information system connecting to another information system
• A system that has already been tested and evaluated to meet security requirements for another purpose
• A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information [correct]
• A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Answer: Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.

Lesson Completion

You have completed the content for this lesson.

Foundational Risk Management As It Applies to the DoD RMF

[Figure: Managing Risk is a Holistic Approach. The organization (strategic goals and objectives), its mission/business processes, and the information systems and supporting infrastructure to which security controls are applied.]

The DoD RMF addresses a subset of cybersecurity risk management within the DoD's overarching acquisition risk management process. A foundational and holistic approach occurs at the organization, mission, and system levels, taking into account the organization as a whole, including strategic goals and objectives and the relationships between mission/business processes and supporting information systems.

The principal goal of an organization's risk management approach is to protect the organization and its ability to perform its mission. It is a multi-tiered approach that the risk executive function implements.

Successful organization-wide risk management programs build information security into the culture and infrastructure of the organization. The implementation of a carefully coordinated set of activities is required to ensure ... within an organization's ...

Figure description: Managing risk is a holistic approach to managing risk that considers:

• Potential mission or business impact
• Risk to organizational operations and assets, individuals, other organizations, and the Nation
• Senior leader/authorizing official involvement
• Allocation/prioritization of security resources
• Consideration of other types of risk

Strategic goals and objectives are complex and include many-to-many relationships among organizational missions, business processes, and supporting information systems. The arrows in the figure represent risk management flowing from the organization through the business processes into, and back from, the information system.

Risk Management Framework (RMF)

The DoD's RMF provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle for the selection, implementation, management, and monitoring of security controls.

There is a significant degree of flexibility in how organizations employ the risk management processes. While it is convenient to portray the risk management approach as hierarchical, the reality of project and organization dynamics can be much more complex.

The organizational management style may be at one or more points on the continuum from top-down command to consensus among peers. For risk management to succeed at all levels of the organization, the organization must have a consistent and effective approach that is applied to all risk management processes and procedures.

Organizational officials identify the resources necessary to complete the risk management tasks and ensure that those resources are made available to appropriate personnel. Resource allocation includes both funding to carry out the risk management tasks and assigning qualified personnel needed to accomplish the tasks.

Tiers of Risk Management

The DoD RMF governance structure implements the three-tiered approach to cybersecurity risk management described in NIST SP 800-39. The tiers are:

• Tier 1 - Organization: provides specific guidance for individual mission areas
• Tier 2 - Mission/Business Processes: implements direction/guidance
• Tier 3 - Information System (IS)/Platform Information Technology (PIT) Systems: implements direction/guidance from Tiers 1 and 2 while building and sustaining systems with the appropriate amount of cybersecurity to support the missions

The RMF operates primarily at Tier 3 in the risk management hierarchy but can also have interactions at Tiers 1 and 2 (e.g., providing feedback from ongoing authorization decisions to the risk executive and dissemination of updated threat and risk information to authorizing officials and information system owners).


Tier 1 - Key Personnel and Resources

The key governance elements in Tier 1 are the DoD Chief Information Officer (CIO), the DoD Senior Information Security Officer (SISO), and the Information Security Risk Management Committee (ISRMC).

DoD Chief Information Officer (CIO)

The DoD CIO directs and oversees the cybersecurity risk management of DoD IT.

DoD Senior Information Security Officer (SISO)

The DoD SISO, in accordance with DoDI 8500.01, represents the DoD CIO and directs and coordinates the DoD Cybersecurity program, which includes the establishment and maintenance of the RMF. In addition, the DoD SISO:

• Advises and informs the Principal Authorizing Officials (PAOs) and other representatives
• Oversees the RMF Technical Advisory Group (TAG) and the online RMF Knowledge Service (KS)
• Assesses and validates Tier 1 common security controls and publishes the list of controls on the RMF KS

Information Security Risk Management Committee (ISRMC)

The Risk Executive function consists of the DoD ISRMC, supported by the Defense Information Assurance (IA)/Security Accreditation Working Group (DSAWG).

The DoD ISRMC performs the DoD Risk Executive function as described in NIST SP 800-39. The committee:

• Provides strategic guidance to Tiers 2 and 3
• Assesses Tier 1 risk
• Authorizes information exchanges and connections for enterprise ISs, cross-mission area ISs, cross security domain connections, and mission partner connections

The DSAWG, in support of the DoD ISRMC, is the community forum for reviewing and resolving authorization issues related to the sharing of community risk. It develops and provides guidance to the AOs for IS connection to the DoD Information Enterprise. AOs who disagree with DSAWG decisions may appeal to the ISRMC.

Tier 1 - Key Personnel and Resources (Cont.)

Further key governance elements in Tier 1 are the DoD Information Enterprise, the DoD Cybersecurity Architecture, the RMF Technical Advisory Group (TAG), and the RMF Knowledge Service (KS).

DoD Information Enterprise

The DoD Information Enterprise enables a new net-centric way of working, constructed from the information itself as well as a set of standards, services, and procedures that enable information to be widely available to authorized users.

The delivered set of services and tools will provide information and capabilities that enable end-user communities to more effectively and efficiently support mission operations. Finally, the DoD Information Enterprise includes the networks over which information travels and the security protocols that protect it. For further information, see the DoD IE Strategic Plan and Roadmap portal on Intelink: https://www.intelink.gov/wiki

DoD Cybersecurity Architecture

The DoD Cybersecurity Architecture consists of strategies, standards, and plans that have been developed for achieving an assured, integrated, and survivable information enterprise.

RMF Technical Advisory Group (TAG)

The RMF Technical Advisory Group (TAG) provides implementation guidance for the RMF by interfacing with the DoD Component cybersecurity programs, cybersecurity communities of interest (COIs), and other entities (e.g., DSAWG) to address issues that are common across all entities.

RMF Knowledge Service (KS)

The RMF Knowledge Service (KS) is a dynamic online knowledge base. It supports RMF implementation planning and execution and functions as the authoritative source for RMF procedures and guidance.

https://rmfks.osd.mil/login.htm

Tier 1 - Organization

The benefits of Tier 1 are:

• Organization-wide security policies and procedures
• Oversight practices tailored to the organization's mission, operations, and needs
• Clear reporting processes for incident reporting, resource allocation, and Congressional budget
• Prioritization of information security requirements and allocation of resources based on risk
• Development of more consistent and cost-effective organization-wide solutions
• Consolidation and streamlining of security solutions across the organization to improve interoperability
• Information security considerations integrated into the system development life cycle to save time and money

Tier 2 - Mission/Business Processes

Tier 2 addresses risk from a mission and business process perspective (at the DoD Component level: Army, Defense Logistics Agency, etc.) and is guided by the risk decisions at Tier 1. Tier 2 activities are closely associated with enterprise architecture and include:

• Defining the core missions and business processes for the organization (including any derivative or related missions and business processes carried out by subordinate organizations)
• Prioritizing missions and business processes with respect to the goals and objectives of the organization

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

Tier 2 - Mission/Business Processes (Cont.)

Tier 2 activities are closely associated with enterprise architecture and include:

• Defining the types of information that the organization needs to successfully execute the stated missions and business processes, and the information flows both internal and external to the organization

• Developing an organization-wide information protection strategy and incorporating high-level information security requirements into the core missions and business processes

• Specifying the degree of autonomy for subordinate organizations (i.e., organizations within the parent organization) that the parent organization permits for assessing, evaluating, mitigating, accepting, and monitoring risk

• Identifying priorities for the Mission/Business and providing guidance on sources of threat event information specific to the mission or line of business

• Identifying information production flow strategies and linkages to organizational enterprise architecture


Tier 2 - Mission/Business Processes (Cont.)

A Principal Authorizing Official (PAO) is appointed for each of the DoD Mission Areas (MAs) and is a member of the DoD ISRMC. PAOs must:

• Represent the interests of the MA, as defined in DoDD 8115.01, and, as required, issue authorization guidance specific to the MA consistent with DoDI 8510.01

• Resolve authorization issues in their MA and work with other PAOs to resolve issues among MAs as needed

• Designate Authorizing Officials (AOs) for Information and PIT systems in their MA COIs specified in DoD 8320.02-G, in coordination with appropriate DoD Component heads if required

• Designate information security architects or IS security engineers for MA segments or systems of systems as needed

The DoD Component CIO, supported by the DoD Component SISO, is responsible for:

• Administering the RMF within the DoD Component cybersecurity program

• Participating in the RMF TAG

• Maintaining visibility and sharing of the RMF status of assigned IS and PIT systems

• Enforcing training requirements for persons participating in the RMF

The DoD Component SISO has the authority and responsibility for security controls assessment and must establish and manage a coordinated security assessment process for information technologies governed by the DoD Component cybersecurity program.

Note: All documents mentioned in this course can be found through the OSD Knowledge Service (CAC Enabled). Link: https://rmfks.osd.mil/rmf/SiteResources/References/Pages/Links.aspx


Tier 3 - IS/PIT Systems

Tier 3 (IS and PIT systems) consists of:

Authorizing Official (AO): DoD Component heads are responsible for the appointment of trained and qualified AOs for all DoD ISs and PIT systems within their Component. AOs should be appointed from senior leadership positions within business owner and mission owner organizations to promote accountability in authorization decisions that balance mission and business needs and security concerns.

IS or PIT System Cybersecurity Program: Consists of the policies, procedures, and activities of the Information System Owner (ISO), Program Manager/Systems Manager (PM/SM), User Representative (UR), Information System Security Manager (ISSM), and Information System Security Officers (ISSO) at the system level. The Program implements and executes policy and guidance from Tier 1 and Tier 2 and augments them as needed. Also, the Program is responsible for establishing and maintaining the security of the system, including the monitoring and reporting of the system security status.


Successful Risk Management Programs

For acquisition programs and cybersecurity risk management to be successful, organizations need to:

• Conduct risk assessments

• Implement risk mitigation strategies

• Employ techniques and procedures for continuously monitoring the security state of information systems

An effective Risk Management Program allows balance between costs of protective measures and gains in mission capability.


Risk Management Guidance As It Relates to the DoD RMF

The DoD leverages several policy and guidance documents to address the Department's focus on risk management. Per Department of Defense Instruction (DoDI) 5000.02 and DoDI 8500.01, building cybersecurity into the system early and throughout the life cycle is required to enable operational and technical cybersecurity risks to be identified and sufficiently mitigated throughout the acquisition process. It will also lead to decreased program costs, shortened schedules, and improved system performance, resilience, and trustworthiness.

Following are two references cybersecurity professionals and program managers can use for guidance:

• The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs

• The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle


The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs, dated January 2017, replaces the DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs dated June 2015 and the Risk Management Guide for DoD Acquisition Programs dated 2006. This guide builds from previous editions of the DoD Risk Management Guide but reflects revisions to emphasize managing not only program risks but also issues and opportunities, and is complementary to the Risk Management Framework.


The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle is designed to help Program Managers (PMs) understand how to integrate cybersecurity into their programs throughout the system life cycle. This should be done in accordance with the RMF and through collaboration with the Authorizing Official (AO), who ensures that the cybersecurity risk posture of the system is managed and maintained during operations.


Knowledge Review 1

The process of managing risks to organizational operations, organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system includes:

• conducting a risk assessment

• the implementation of a risk mitigation strategy

• documenting the overall risk management program

• all of the above

Answer: all of the above. Conducting a risk assessment, implementing a risk mitigation strategy, and documenting the overall risk management program are the processes of managing risks.


Federal-wide Partnership to Establish a Single Approach to Risk Management for National Security Systems

In 2009, the Joint Task Force Transformation Initiative Interagency Working Group was formed with representatives from NIST, DoD, CNSS, and the Office of the Director of National Intelligence (ODNI) to produce a unified information risk management framework for the federal government.

The move to the RMF aligns the DoD with the Federal government's risk management approach as described in the Joint Task Force Transformation Initiative Interagency Working Group efforts and captured in NIST 800-series Special Publications on information security.

DoD leverages and builds upon numerous existing Federal policies and standards, resulting in less DoD policy to write and maintain.

DoD participates in CNSS and NIST policy development as a vested stakeholder, with the goals of a more synchronized cybersecurity landscape and to protect the unique requirements of DoD Missions and warfighters.

[Figure: Joint Task Force Transformation Initiative. The Department of Defense (DoD), IC, Civil, and the CNSS form the Joint Task Force Transformation Initiative. This initiative provides Risk Management for the Federal Government, DoD, Intelligence Community, Other Government Agencies, CNSS, and NIST.]


DoDI Policies and Risk Management

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD-specific needs.

Please select each box of the framework for an overview of the policy. The links to the policies will be made available in the Resources section.

[Framework diagram with three columns. NIST: NIST SP 800-39, NIST SP 800-37, NIST SP 800-30, NIST SP 800-53, NIST SP 800-53A, NIST SP 800-137, NIST SP 800-60, NIST SP 800-160. DoD: DoDI 8500.01, DoDI 8510.01, Knowledge Service. NSS: CNSSP 22, CNSSI 1253, CNSS 4009.]

NIST SP 800-39

NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, is the flagship document in the series of information security standards and guidelines developed by NIST in response to the Federal Information Security Management Act (FISMA).

The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.

Special Publication 800-39 provides a structured, yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.

The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the risk management guidance described herein is complementary to, and should be used as part of, a more comprehensive Enterprise Risk Management (ERM) program.

DoDI 8500.01

DoDI 8500.01, Cybersecurity, established a DoD cybersecurity program to protect and defend DoD information and IT. It establishes the positions of DoD Principal Authorizing Official (PAO) and DoD Senior Information Security Officer (SISO), and continues the DoD Information Security Risk Management Committee (DoD ISRMC), formerly known as the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel.

This policy adopted the term cybersecurity, as it is defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23, to be used throughout DoD instead of the term Information Assurance (IA).

CNSSP No. 22

CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems, requires the implementation of an integrated, organization-wide program for managing IA risk to organizational operations (i.e., mission, functions, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of NSS. Risk management is a comprehensive process that requires organizations to frame risk, assess risk, respond to risk once determined, and monitor risk on an ongoing basis.

NIST SP 800-37

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, is a common information security framework for the federal government and its supporting contractors as part of the Joint Task Force Transformation Initiative, and defines the following Risk Management Framework principles:

• Ensure management of risk from the operation and use of federal information systems is consistent with the organization's mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function)

• Ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes

• Support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results

• Achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies

CNSSI 1253

CNSSI 1253, Security Categorization and Control Selection for National Security Systems, is a companion document to NIST SP 800-53 for organizations that employ NSS. It establishes the processes for categorizing NSS and the information they process, and for appropriately selecting security controls for NSS from NIST SP 800-53.

NIST SP 800-30

NIST SP 800-30, Information Security, provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments, carried out at all three tiers in the risk management hierarchy, are part of an overall risk management process, providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.

In particular, this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and how risk assessments and other organizational risk management processes complement and inform each other.

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis, so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and different courses of action should be taken.

DoDI 8510.01

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life cycle cybersecurity risk to DoD IT. It designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG. The direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT became available. Procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD, and between DoD and other federal agencies, for the authorization and connection of Information Systems (ISs) became available.

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), applies to:

• The Office of the Secretary of Defense, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (referred to collectively in the instruction as the DoD Components)

• All DoD IT that receives, processes, stores, displays, or transmits DoD information. These technologies are broadly grouped as DoD Information Systems (IS), Platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, Test and Evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD

CNSS 4009

CNSS 4009, National Information Assurance (IA) Glossary, contains IA terms submitted by the CNSS membership.

NIST SP 800-53

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.

NIST SP 800-53A

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans, and includes a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.

NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides ongoing monitoring of security. This policy includes:

• Determining if security controls continue to be effective over time

• How to respond to risk as situations change

• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance

Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.

NIST SP 800-60

NIST SP 800-60, Information Security, addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)

• Information systems (e.g., mission critical, mission support, administrative)

NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts, and covers 11 core technical processes in systems and software development.

The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities

• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle

• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied

• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and to serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria


DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies include:

• NIST SP 800-39: input into DoDI 8500.01
• NIST SP 800-37: input into DoDI 8500.01 and DoDI 8510.01
• NIST SP 800-30: input into DoDI 8510.01
• NIST SP 800-53: input into DoDI 8510.01
• NIST SP 800-53A: input into DoDI 8510.01
• NIST SP 800-137: input into DoDI 8510.01
• NIST SP 800-60: input into the Knowledge Service
• NIST SP 800-160: input into the Knowledge Service

CNSS policies include:

• CNSSP 22: input into DoDI 8500.01
• CNSSI 1253, NIST SP 800-37: input into DoDI 8500.01 and DoDI 8510.01
• CNSS 4009: input into DoDI 8510.01


DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework.


Decision Structure

The DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.


NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF, consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.


FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014.

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (USC).


CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system and select security controls based on those impact values, in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53
• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)
• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS


DoD Risk Management Framework Policy (Cont.)

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process
• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely, documented, and reported to the responsible DoD Component Senior Information Security Officer (SISO)
• All DoD Information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01
• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system
• Continuous monitoring capabilities will be implemented to the greatest extent possible
• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes


Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ________ to establish a single approach to managing risk within National Security Systems. (Fill in the blank.)

• US Army
• US Air Force
• US Marine Corps
• US Navy
• Intelligence Community (correct)
• National Institute of Standards and Technology (NIST) (correct)
• Committee on National Security Systems (CNSS) (correct)
• Department of Justice
• Department of Commerce
• Department of Interior

Answer: As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.


Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

• An information system connecting to another information system
• A system that has already been tested and evaluated to meet security requirements for another purpose
• A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information (correct)
• A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Answer: Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.


Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.


Foundational Risk Management As It Applies to the DoD RMF

The DoD RMF addresses a subset of cybersecurity management of risk within the DoD's overarching acquisition risk management process. A foundational and holistic approach occurs at the organization, mission, and system levels, taking into account the organization as a whole, to include strategic goals and objectives and relationships between mission/business processes and supporting information systems.

The principal goal of an organization's risk management approach is to protect the organization and its ability to perform its mission. It is a multi-tiered approach that the risk executive function implements.

Successful organization-wide risk management programs build information security into the culture and infrastructure of the organization. The implementation of a carefully coordinated set of activities is required to ensure ... within an organization's ...

Managing risk is a holistic approach to managing risk:

• Potential mission or business impact
• Risk to organizational operations and assets, individuals, other organizations, and the Nation
• Senior leader/authorizing official involvement
• Allocation/prioritization of security resources
• Consideration of other types of risk

Strategic goals and objectives are complex and include many-to-many relationships among organizational mission/business processes and supporting information systems.

The arrows represent risk management from the organization, through the business processes, into/from the information system.


Risk Management Framework (RMF)

The DoD's RMF provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle for the selection, implementation, management, and monitoring of security controls.

There is a significant degree of flexibility in how organizations employ the risk management processes. While it is convenient to portray the risk management approach as hierarchical, the reality of project and organization dynamics can be much more complex.

The organizational management style may be at one or more points on the continuum from top-down command to consensus among peers. For risk management to succeed at all levels of the organization, the organization must have a consistent and effective approach that is applied to all risk management processes and procedures.

Organizational officials identify the resources necessary to complete the risk management tasks and ensure that those resources are made available to appropriate personnel. Resource allocation includes both funding to carry out the risk management tasks and assigning qualified personnel needed to accomplish the tasks.


Tiers of Risk Management

The DoD RMF governance structure implements the three-tiered approach to cybersecurity risk management described in NIST SP 800-39. The tiers are:

• Tier 1-Organization: provides specific guidance for individual mission areas
• Tier 2-Mission/Business Processes: implements direction/guidance
• Tier 3-Information System (IS)/Platform Information Technology (PIT) Systems: implements direction/guidance from Tiers 1 and 2 while building and sustaining systems with the appropriate amount of cybersecurity to support the missions

The RMF operates primarily at Tier 3 in the risk management hierarchy but can also have interactions at Tiers 1 and 2 (e.g., providing feedback from ongoing authorization decisions to the risk executive and dissemination of updated threat and risk information to authorizing officials and information system owners).


Tier 1-Key Personnel and Resources

Select each item for more information on the key governance elements in Tier 1.

DoD Chief Information Officer (CIO)

The DoD CIO directs and oversees the cybersecurity risk management of DoD IT.


DoD Senior Information Security Officer (SISO)

The DoD SISO, in accordance with DoDI 8500.01, represents the DoD CIO and directs and coordinates the DoD Cybersecurity program, which includes the establishment and maintenance of the RMF. In addition, the DoD SISO:

• Advises and informs the Public Affairs Officer (PAO) and other representatives
• Oversees the RMF Technical Advisory Group (TAG) and online RMF Knowledge Service (KS)
• Assesses and validates Tier 1 common security controls and publishes the list of controls on the RMF KS


Information Security Risk Management Committee (ISRMC)

The Risk Executive function consists of the DoD ISRMC, supported by the Defense Information Assurance (IA)/Security Accreditation Working Group (DSAWG).

The DoD ISRMC performs the DoD Risk Executive function as described in NIST SP 800-39. The committee:

• Provides strategic guidance to Tiers 2 & 3
• Assesses Tier 1 risk
• Authorizes information exchanges and connections for enterprise ISs, cross-mission area ISs, cross security domain connections, and mission partner connections

The DSAWG, in support of the DoD ISRMC, is the community forum for reviewing and resolving authorization issues related to the sharing of community risk. It develops and provides guidance to the AOs for IS connection to the DoD Information Enterprise. AOs who disagree with DSAWG decisions may appeal to the ISRMC.


Tier 1-Key Personnel and Resources (Cont.)


DoD Information Enterprise

Enables a new net-centric way of working, constructed from the information itself as well as a set of standards, services, and procedures that enable information to be widely available to authorized users.

The delivered set of services and tools will provide information and capabilities that enable end-user communities to more effectively and efficiently support mission operations. Finally, the DoD Information Enterprise includes the networks over which information travels and the security protocols that protect it. For further information: https://www.intelink.gov/wiki (Portal: DoD IE Strategic Plan and Roadmap)


DoD Cybersecurity Architecture

The DoD Cybersecurity Architecture consists of strategies, standards, and plans that have been developed for achieving an assured, integrated, and survivable information enterprise.


RMF Technical Advisory Group (TAG)

The RMF Technical Advisory Group (TAG) provides implementation guidance to the RMF by interfacing with the DoD Component cybersecurity programs, cybersecurity communities of interest (COIs), and other entities (e.g., DSAWG) to address issues that are common across all entities.


RMF Knowledge Service (KS)

The RMF Knowledge Service (KS) is a dynamic online knowledge base. It supports RMF implementation, planning, and execution and functions as the authoritative source for RMF procedures and guidance.

https://rmfks.osd.mil/login.htm


Tier 1-Organization

The benefits of Tier 1 are:

• Organization-wide security policies and procedures
• Oversight practices tailored to the organization's mission, operations, and needs
• Clear reporting processes for incident reporting, resource allocation, and Congressional budget
• Prioritization of information security requirements and allocation of resources based on risk
• Development of more consistent and cost-effective organization-wide solutions
• Consolidation and streamlining of security solutions across the organization to improve interoperability
• Information security considerations integrated into the system development life cycles to save time and money


Tier 2-Mission/Business Processes

Tier 2 addresses risk from a mission and business process perspective (DoD Component: Army, Defense Logistics Agency, etc.) and is guided by the risk decisions at Tier 1. Tier 2 activities are closely associated with enterprise architecture and include:

• Defining the core missions and business processes for the organization (including any derivative or related missions and business processes carried out by subordinate organizations)
• Prioritizing missions and business processes with respect to the goals and objectives of the organization


Tier 2-Mission/Business Processes (Cont.)

Tier 2 activities are closely associated with enterprise architecture and include:

• Defining the types of information that the organization needs to successfully execute the stated missions and business processes, and the information flows both internal and external to the organization
• Developing an organization-wide information protection strategy and incorporating high-level information security requirements into the core missions and business processes
• Specifying the degree of autonomy for subordinate organizations (i.e., organizations within the parent organization) that the parent organization permits for assessing, evaluating, mitigating, accepting, and monitoring risk
• Identifying priorities for the mission/business and providing guidance on sources of threat event information specific to the mission or line of business
• Identifying information production flow strategies and linkages to organizational enterprise architecture


Tier 2-Mission/Business Processes (Cont.)

A Principal Authorizing Official (PAO) is appointed for each of the DoD Mission Areas (MAs) and is a member of the DoD ISRMC. PAOs must:

• Represent the interests of the MA, as defined in DoDD 8115.01, and as required, issue authorization guidance specific to the MA consistent with DoDI 8510.01
• Resolve authorization issues in their MA and work with other PAOs to resolve issues among MAs as needed
• Designate Authorizing Officials (AOs) for Information and PIT systems in their MA (COIs specified in DoD 8320.02-G), in coordination with appropriate DoD Component heads if required
• Designate information security architects or IS security engineers for MA segments or systems of systems as needed

The DoD Component CIO, supported by the DoD Component SISO, is responsible for:

• Administering the RMF within the DoD Component cybersecurity program
• Participating in the RMF TAG
• Maintaining visibility and sharing of the RMF status of assigned IS and PIT systems
• Enforcing training requirements for persons participating in the RMF

The DoD Component SISO has the authority and responsibility for security controls assessment and must establish and manage a coordinated security assessment process for information technologies governed by the DoD Component cybersecurity program.

Note: All documents mentioned in this course can be found through the OSD Knowledge Service (CAC enabled). Link: https://rmfks.osd.mil/rmf/SiteResources/References/Pages/Links.aspx


Tier 3-IS/PIT Systems

Tier 3, IS and PIT systems, consists of:

Authorizing Official (AO): DoD Component heads are responsible for the appointment of trained and qualified AOs for all DoD ISs and PIT systems within their Component. AOs should be appointed from senior leadership positions within business owner and mission owner organizations to promote accountability in authorization decisions that balance mission and business needs and security concerns.

IS or PIT System Cybersecurity Program: Consists of the policies, procedures, and activities of the Information System Owner (ISO), Program Manager/Systems Manager (PM/SM), User Representative (UR), Information System Security Manager (ISSM), and Information System Security Officers (ISSO) at the system level.

The Program implements and executes policy and guidance from Tier 1 and Tier 2 and augments them as needed. Also, the Program is responsible for establishing and maintaining the security of the system, including the monitoring and reporting of the system security status.


Successful Risk Management Programs

For acquisition programs and cybersecurity risk management to be successful, organizations need to:

• Conduct risk assessments
• Implement risk mitigation strategies
• Employ techniques and procedures for continuously monitoring the security state of information systems

An effective Risk Management Program allows balance between costs of protective measures and gains in mission capability.


Risk Management Guidance As It Relates to the DoD RMF

The DoD leverages several policy and guidance documents to address the Department's focus on risk management. Per Department of Defense Instruction (DoDI) 5000.02 and DoDI 8500.01, building cybersecurity into the system early and throughout the life cycle is required to enable operational and technical cybersecurity risks to be identified and sufficiently mitigated throughout the acquisition process. It will also lead to decreased program costs, shortened schedules, and improved system performance, resilience, and trustworthiness.

Following are two references cybersecurity professionals and program managers can use for guidance:

• The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs
• The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle


The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs, dated January 2017, replaces the DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs dated June 2015 and the Risk Management Guide for DoD Acquisition Programs dated 2006. This guide builds from previous editions of the DoD Risk Management Guide but reflects revisions to emphasize managing not only program risks but also issues and opportunities, and is complementary to the Risk Management Framework.


The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle is designed to help Program Managers (PMs) understand how to integrate cybersecurity into their programs throughout the system life cycle. This should be done in accordance with the RMF and through collaboration with the Authorizing Official (AO), who ensures that the cybersecurity risk posture of the system is managed and maintained during operations.


Knowledge Review 1

The process of managing risks to organizational operations, organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system includes:

• conducting a risk assessment
• the implementation of a risk mitigation strategy
• documenting the overall risk management program
• all of the above (correct)

Answer: Conducting a risk assessment, implementing a risk mitigation strategy, and documenting the overall risk management program are the processes of managing risks.


Federal-wide Partnership to Establish Single Approach to Risk Management for National Security Systems

In 2009, the Joint Task Force Transformation Initiative Interagency Working Group was formed with representatives from NIST, DoD, CNSS, and the Office of the Director of National Intelligence (ODNI) to produce a unified information risk management framework for the federal government.

The move to the RMF aligns the DoD with the Federal government's risk management approach, as described in the Joint Task Force Transformation Initiative Interagency Working Group efforts and captured in the NIST 800-series Special Publications on information security.

DoD leverages and builds upon numerous existing Federal policies and standards, resulting in less DoD policy to write and maintain.

DoD participates in CNSS and NIST policy development as a vested stakeholder, with the goals of a more synchronized cybersecurity landscape and of protecting the unique requirements of DoD Missions and warfighters.

[Figure: Joint Task Force Transformation Initiative. The Department of Defense (DoD), the IC, Civil agencies, and the CNSS form the Joint Task Force Transformation Initiative. This initiative provides risk management for the Federal Government: DoD, Intelligence Community, other Government Agencies, CNSS, and NIST.]

DoDI Policies and Risk Management

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD-specific needs.

Please select each box of the framework for an overview of the policy. The links to the policies will be made available in the Resources section.

[Figure: the policy framework, shown in three columns. NIST: NIST SP 800-39, NIST SP 800-37, NIST SP 800-30, NIST SP 800-53, NIST SP 800-53A, NIST SP 800-137, NIST SP 800-60, NIST SP 800-160. DoD: DoDI 8500.01, DoDI 8510.01, Knowledge Service. NSS: CNSSP 22, CNSSI 1253, CNSS 4009.]

NIST SP 800-39

NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, is the flagship document in the series of information security standards and guidelines developed by NIST in response to the Federal Information Security Management Act (FISMA).

The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.

Special Publication 800-39 provides a structured, yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.

The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the risk management guidance described herein is complementary to, and should be used as part of, a more comprehensive Enterprise Risk Management (ERM) program.

DoDI 8500.01

DoDI 8500.01, Cybersecurity, established a DoD cybersecurity program to protect and defend DoD information and IT. It establishes the positions of DoD Principal Authorizing Official (PAO) and DoD Senior Information Security Officer (SISO), and continues the DoD Information Security Risk Management Committee (DoD ISRMC), formerly known as the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel.

This policy adopted the term "cybersecurity," as defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23, to be used throughout DoD instead of the term Information Assurance (IA).

CNSSP No. 22

CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems, requires the implementation of an integrated, organization-wide program for managing IA risk to organizational operations (i.e., mission, functions, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of NSS. Risk management is a comprehensive process that requires organizations to frame risk, assess risk, respond to risk once determined, and monitor risk on an ongoing basis.

NIST SP 800-37

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, is a common information security framework for the federal government and its supporting contractors, developed as part of the Joint Task Force Transformation Initiative. It defines the following Risk Management Framework principles:

• Ensure management of risk from the operation and use of federal information systems is consistent with the organization's mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function).

• Ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes.

• Support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results.

• Achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies.

CNSSI 1253

CNSSI 1253, Security Categorization and Control Selection for National Security Systems, is a companion document to NIST SP 800-53 for organizations that employ NSS. It establishes the processes for categorizing NSS and the information they process, and for appropriately selecting security controls for NSS from NIST SP 800-53.

NIST SP 800-30

NIST SP 800-30, Information Security, provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments, carried out at all three tiers in the risk management hierarchy, are part of an overall risk management process, providing senior leaders and executives with the information needed to determine appropriate courses of action in response to identified risks.

In particular, this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and explains how risk assessments and other organizational risk management processes complement and inform each other.

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis, so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and different courses of action should be taken.

DoDI 8510.01

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life cycle cybersecurity risk to DoD IT. It designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG. Direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT became available, as did procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD, and between DoD and other federal agencies, for the authorization and connection of Information Systems (ISs).

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), applies to:

• The Office of the Secretary of Defense, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (referred to collectively in the instruction as the "DoD Components").

• All DoD IT that receives, processes, stores, displays, or transmits DoD information. These technologies are broadly grouped as DoD Information Systems (IS), Platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, Test and Evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD.

CNSS 4009

CNSS 4009, National Information Assurance (IA) Glossary, contains IA terms submitted by the CNSS membership.

NIST SP 800-53

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government, to meet the requirements of Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.

NIST SP 800-53A

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans, and includes a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.

NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides guidance for ongoing monitoring of security. This policy includes:

• Determining if security controls continue to be effective over time

• How to respond to risk as situations change

• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance

Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.

NIST SP 800-60

NIST SP 800-60, Information Security, addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)

• Information systems (e.g., mission critical, mission support, administrative)

NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts, and covers 11 core technical processes in systems and software development. The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities

• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle

• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied

• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria

Long Description of the policy framework figure:

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies include:

• NIST SP 800-39, input into DoDI 8500.01
• NIST SP 800-37, input into DoDI 8500.01 and DoDI 8510.01
• NIST SP 800-30, input into DoDI 8510.01
• NIST SP 800-53, input into DoDI 8510.01
• NIST SP 800-53A, input into DoDI 8510.01
• NIST SP 800-137, input into DoDI 8510.01
• NIST SP 800-60, input into the Knowledge Service
• NIST SP 800-160, input into the Knowledge Service

NSS policies include:

• CNSSP 22, input into DoDI 8500.01
• CNSSI 1253, input into DoDI 8500.01 and DoDI 8510.01
• CNSS 4009, input into DoDI 8510.01

DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework: Decision Structure, NIST SP 800-37, FISMA 2014, CNSSI 1253.

Decision Structure

The DoD will establish and use an integrated, enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.

NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF, consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.

FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014.

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (U.S.C.).

CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system, and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53

• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)

• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS
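The categorize-then-select procedure in the CNSSI 1253 requirement above, together with the impact-level mapping NIST SP 800-60 describes earlier on this page, as a worked example added here. This is illustrative code written for this page, not code from the course, NIST, or CNSS. It assumes a constructed set of information types and a constructed baseline table (the control identifiers are real NIST SP 800-53 control names, but which level calls for which control is made up; the real selection comes from the CNSSI 1253 tables). It goes slightly beyond the text in one respect: it shows the per-objective categorization that CNSSI 1253 keeps separate for confidentiality, integrity, and availability next to the single FIPS 200 high-water mark used for non-NSS baselines, and it turns the unimplemented controls into POA&M entries as the next page requires.

```python
"""Security categorization, control selection and POA&M generation.

Constructed example for the ISA220 lesson text; not course, NIST or CNSS code.
The BASELINE table is illustrative only and is NOT the CNSSI 1253 table.
"""
from dataclasses import dataclass

LEVELS = ("LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One information type the system processes, with the provisional
    impact values an agency would assign following NIST SP 800-60."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _rank(level: str) -> int:
    """Order impact levels so max() picks the highest; reject typos early."""
    if level not in LEVELS:
        raise ValueError(f"unknown impact level: {level!r}")
    return LEVELS.index(level)


def categorize(info_types) -> dict:
    """Per-objective system categorization: the highest impact value across
    all information types, kept separately for C, I and A (the CNSSI 1253
    style, with no collapse to a single overall level)."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return {obj: max((getattr(t, obj) for t in info_types), key=_rank)
            for obj in OBJECTIVES}


def high_water_mark(category: dict) -> str:
    """FIPS 200 style single overall impact level, used outside NSS to pick
    one NIST SP 800-53 baseline. Shown for contrast with categorize()."""
    return max(category.values(), key=_rank)


# Constructed baseline (assumption): controls that apply for a given
# objective at a given level. Real selections come from CNSSI 1253.
BASELINE = {
    "confidentiality": {"LOW": {"AC-2"}, "MODERATE": {"AC-2", "SC-8"},
                        "HIGH": {"AC-2", "SC-8", "AC-6"}},
    "integrity": {"LOW": {"AU-2"}, "MODERATE": {"AU-2", "SI-7"},
                  "HIGH": {"AU-2", "SI-7", "CM-3"}},
    "availability": {"LOW": {"CP-9"}, "MODERATE": {"CP-9", "CP-10"},
                     "HIGH": {"CP-9", "CP-10", "CP-7"}},
}


def select_controls(category: dict, baseline=BASELINE) -> set:
    """Union of the controls each objective's own level calls for."""
    return set().union(*(baseline[obj][category[obj]] for obj in OBJECTIVES))


def poam(selected: set, implemented: set) -> list:
    """Plan of Action and Milestones entries: one per selected control that
    is not yet implemented, sorted so the output is stable."""
    return sorted(selected - implemented)


# Constructed sample system (assumption) for a run-through.
SAMPLE = [
    InformationType("personnel records", "MODERATE", "MODERATE", "LOW"),
    InformationType("mission planning", "HIGH", "MODERATE", "MODERATE"),
    InformationType("public web content", "LOW", "MODERATE", "LOW"),
]

if __name__ == "__main__":
    cat = categorize(SAMPLE)
    print("categorization:", cat)
    print("FIPS 200 high-water mark:", high_water_mark(cat))
    chosen = select_controls(cat)
    print("selected controls:", sorted(chosen))
    print("POA&M:", poam(chosen, {"AC-2", "AU-2", "CP-9"}))
```

For the sample system the categorization is HIGH confidentiality, MODERATE integrity, MODERATE availability; collapsing that to a single high-water mark would push integrity and availability controls up to HIGH, which is the extra cost the per-objective approach avoids.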

DoD Risk Management Framework Policy, Cont.

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process.

• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely, documented, and reported to the responsible DoD Component Senior Information Security Officer (SISO).

• All DoD Information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01.

• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.

• Continuous monitoring capabilities will be implemented to the greatest extent possible.

• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes.

Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ______ to establish a single approach to managing risk within National Security Systems. (Fill in the blank)

☐ U.S. Army, U.S. Air Force, U.S. Marine Corps, U.S. Navy
☑ Intelligence Community, National Institute of Standards and Technology (NIST), Committee on National Security Systems (CNSS)
☐ Department of Justice, Department of Commerce
☐ Department of Interior

Check Answer

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.

Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

☐ An information system connecting to another information system
☐ A system that has already been tested and evaluated to meet security requirements for another purpose
☑ A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information
☐ A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Check Answer

Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.

Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.


Risk Management Framework (RMF)

The DoD's RMF provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle for the selection, implementation, management, and monitoring of security controls.

There is a significant degree of flexibility in how organizations employ the risk management processes. While it is convenient to portray the risk management approach as hierarchical, the reality of project and organization dynamics can be much more complex.

The organizational management style may be at one or more points on the continuum from top-down command to consensus among peers. For risk management to succeed at all levels of the organization, the organization must have a consistent and effective approach that is applied to all risk management processes and procedures.

Organizational officials identify the resources necessary to complete the risk management tasks and ensure that those resources are made available to appropriate personnel. Resource allocation includes both funding to carry out the risk management tasks and assigning the qualified personnel needed to accomplish the tasks.


Tiers of Risk Management

The DoD RMF governance structure implements the three-tiered approach to cybersecurity risk management described in NIST SP 800-39. The tiers are:

• Tier 1 (Organization) provides specific guidance for individual mission areas.

• Tier 2 (Mission/Business Processes) implements direction/guidance.

• Tier 3 (Information System (IS)/Platform Information Technology (PIT) Systems) implements direction/guidance from Tiers 1 and 2 while building and sustaining systems with the appropriate amount of cybersecurity to support the missions.

The RMF operates primarily at Tier 3 in the risk management hierarchy, but can also have interactions at Tiers 1 and 2 (e.g., providing feedback from ongoing authorization decisions to the risk executive, and disseminating updated threat and risk information to authorizing officials and information system owners).


Tier 1 - Key Personnel and Resources

The key governance elements in Tier 1 are the DoD Chief Information Officer (CIO), the DoD Senior Information Security Officer (SISO), and the Information Security Risk Management Committee (ISRMC).

DoD Chief Information Officer (CIO)

The DoD CIO directs and oversees the cybersecurity risk management of DoD IT.

I Pbullge Sofl l I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

Tier 1-Key Personnel and Resources

Select each item for more information of t he key governance elements in Tier 1

DoD Chief Information Officer CIO)

DoD Senior Information Security Officer SISO

Information Security Risk Management Committee ISRMC)

DoD Senior Information Security Officer (SISO)

The DoD SISO, in accordance with DoDI 8500.01, represents the DoD CIO and directs and coordinates the DoD Cybersecurity program, which includes the establishment and maintenance of the RMF. In addition, the DoD SISO:

• Advises and informs the Principal Authorizing Officials (PAOs) and other representatives

• Oversees the RMF Technical Advisory Group (TAG) and the online RMF Knowledge Service (KS)

• Assesses and validates Tier 1 common security controls and publishes the list of controls on the RMF KS


Information Security Risk Management Committee (ISRMC)

The Risk Executive function consists of the DoD ISRMC, supported by the Defense Information Assurance (IA)/Security Accreditation Working Group (DSAWG).

The DoD ISRMC performs the DoD Risk Executive function as described in NIST SP 800-39. The committee:

• Provides strategic guidance to Tiers 2 and 3

• Assesses Tier 1 risk

• Authorizes information exchanges and connections for enterprise ISs, cross-mission area ISs, cross security domain connections, and mission partner connections

The DSAWG, in support of the DoD ISRMC, is the community forum for reviewing and resolving authorization issues related to the sharing of community risk. It develops and provides guidance to the AOs for IS connection to the DoD Information Enterprise. AOs who disagree with DSAWG decisions may appeal to the ISRMC.


Tier 1 - Key Personnel and Resources (cont.)

The remaining Tier 1 governance elements are the DoD Information Enterprise, the DoD Cybersecurity Architecture, the RMF Technical Advisory Group (TAG), and the RMF Knowledge Service (KS).

DoD Information Enterprise

Enables a new net-centric way of working, constructed from the information itself as well as a set of standards, services, and procedures that enable information to be widely available to authorized users.

The delivered set of services and tools will provide information and capabilities that enable end-user communities to more effectively and efficiently support mission operations. Finally, the DoD Information Enterprise includes the networks over which information travels and the security protocols that protect it. For further information, see the DoD IE Strategic Plan and Roadmap portal on Intelink (https://www.intelink.gov/wiki).


DoD Cybersecurity Architecture

The DoD Cybersecurity Architecture consists of the strategies, standards, and plans that have been developed for achieving an assured, integrated, and survivable information enterprise.


RMF Technical Advisory Group (TAG)

The RMF Technical Advisory Group (TAG) provides implementation guidance for the RMF by interfacing with the DoD Component cybersecurity programs, cybersecurity communities of interest (COIs), and other entities (e.g., the DSAWG) to address issues that are common across all entities.


RMF Knowledge Service (KS)

The RMF Knowledge Service (KS) is a dynamic online knowledge base. It supports RMF implementation planning and execution and functions as the authoritative source for RMF procedures and guidance. It is located at https://rmfks.osd.mil/login.htm.


Tier 1 - Organization

The benefits of Tier 1 are:

• Organization-wide security policies and procedures

• Oversight practices tailored to the organization's mission, operations, and needs

• Clear reporting processes for incident reporting, resource allocation, and Congressional budget

• Prioritization of information security requirements and allocation of resources based on risk

• Development of more consistent and cost-effective organization-wide solutions

• Consolidation and streamlining of security solutions across the organization to improve interoperability

• Information security considerations integrated into the system development life cycle to save time and money


Tier 2 - Mission/Business Processes

Tier 2 addresses risk from a mission and business process perspective for each DoD Component (Army, Defense Logistics Agency, etc.) and is guided by the risk decisions at Tier 1. Tier 2 activities are closely associated with enterprise architecture and include:

• Defining the core missions and business processes for the organization (including any derivative or related missions and business processes carried out by subordinate organizations)

• Prioritizing missions and business processes with respect to the goals and objectives of the organization


Tier 2 - Mission/Business Processes (cont.)

Tier 2 activities also include:

• Defining the types of information that the organization needs to successfully execute the stated missions and business processes, and the information flows both internal and external to the organization

• Developing an organization-wide information protection strategy and incorporating high-level information security requirements into the core missions and business processes

• Specifying the degree of autonomy for subordinate organizations (i.e., organizations within the parent organization) that the parent organization permits for assessing, evaluating, mitigating, accepting, and monitoring risk

• Identifying priorities for the mission/business and providing guidance on sources of threat event information specific to the mission or line of business

• Identifying information production flow strategies and linkages to the organizational enterprise architecture


Tier 2 - Mission/Business Processes (cont.)

A Principal Authorizing Official (PAO) is appointed for each of the DoD Mission Areas (MAs) and is a member of the DoD ISRMC. PAOs must:

• Represent the interests of the MA as defined in DoDD 8115.01 and, as required, issue authorization guidance specific to the MA consistent with DoDI 8510.01

• Resolve authorization issues in their MA and work with other PAOs to resolve issues among MAs as needed

• Designate Authorizing Officials (AOs) for IS and PIT systems in their MA and in the COIs specified in DoD 8320.02-G, in coordination with the appropriate DoD Component heads if required

• Designate information security architects or IS security engineers for MA segments or systems of systems as needed

The DoD Component CIO, supported by the DoD Component SISO, is responsible for:

• Administering the RMF within the DoD Component cybersecurity program

• Participating in the RMF TAG

• Maintaining visibility and sharing of the RMF status of assigned IS and PIT systems

• Enforcing training requirements for persons participating in the RMF

The DoD Component SISO has the authority and responsibility for security controls assessment and must establish and manage a coordinated security assessment process for information technologies governed by the DoD Component cybersecurity program.

Note: All documents mentioned in this course can be found through the OSD Knowledge Service (CAC enabled): https://rmfks.osd.mil/rmf/SiteResources/References/Pages/Links.aspx


Tier 3 - IS/PIT Systems

Tier 3 (IS and PIT systems) consists of the Authorizing Official and the IS or PIT System Cybersecurity Program.

Authorizing Official (AO): DoD Component heads are responsible for the appointment of trained and qualified AOs for all DoD ISs and PIT systems within their Component. AOs should be appointed from senior leadership positions within business owner and mission owner organizations to promote accountability in authorization decisions that balance mission and business needs and security concerns.

IS or PIT System Cybersecurity Program: consists of the policies, procedures, and activities of the Information System Owner (ISO), Program Manager/Systems Manager (PM/SM), User Representative (UR), Information System Security Manager (ISSM), and Information System Security Officers (ISSO) at the system level. The Program implements and executes policy and guidance from Tier 1 and Tier 2 and augments them as needed. The Program is also responsible for establishing and maintaining the security of the system, including the monitoring and reporting of the system security status.


Successful Risk Management Programs

For acquisition programs and cybersecurity risk management to be successful, organizations need to:

• Conduct risk assessments

• Implement risk mitigation strategies

• Employ techniques and procedures for continuously monitoring the security state of information systems

An effective Risk Management Program allows a balance between the costs of protective measures and gains in mission capability.


Risk Management Guidance As It Relates to the DoD RMF

The DoD leverages several policy and guidance documents to address the Department's focus on risk management. Per Department of Defense Instruction (DoDI) 5000.02 and DoDI 8500.01, building cybersecurity into the system early and throughout the life cycle is required to enable operational and technical cybersecurity risks to be identified and sufficiently mitigated throughout the acquisition process. It will also lead to decreased program costs, shortened schedules, and improved system performance, resilience, and trustworthiness.

Following are two references cybersecurity professionals and program managers can use for guidance:

• The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs

• The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle


The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs, dated January 2017, replaces the DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs dated June 2015 and the Risk Management Guide for DoD Acquisition Programs dated 2006. This guide builds from previous editions of the DoD Risk Management Guide but reflects revisions that emphasize managing not only program risks but also issues and opportunities, and it is complementary to the Risk Management Framework.


The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle is designed to help Program Managers (PMs) understand how to integrate cybersecurity into their programs throughout the system life cycle. This should be done in accordance with the RMF and through collaboration with the Authorizing Official (AO), who ensures that the cybersecurity risk posture of the system is managed and maintained during operations.


Knowledge Review 1

The process of managing risks to organizational operations, organizational assets, individuals, other organizations, or the Nation resulting from the operation or use of an information system includes:

• conducting a risk assessment

• the implementation of a risk mitigation strategy

• documenting the overall risk management program

• all of the above

Answer: all of the above. Conducting a risk assessment, implementing a risk mitigation strategy, and documenting the overall risk management program are the processes of managing risks.


Federal-wide Partnership to Establish a Single Approach to Risk Management for National Security Systems

In 2009 the Joint Task Force Transformation Initiative Interagency Working Group was formed, with representatives from NIST, DoD, CNSS, and the Office of the Director of National Intelligence (ODNI), to produce a unified information risk management framework for the federal government.

The move to the RMF aligns the DoD with the Federal government's risk management approach as described in the Joint Task Force Transformation Initiative Interagency Working Group efforts and captured in the NIST 800-series Special Publications on information security.

DoD leverages and builds upon numerous existing Federal policies and standards, resulting in less DoD policy to write and maintain.

DoD participates in CNSS and NIST policy development as a vested stakeholder, with the goals of a more synchronized cybersecurity landscape and protection of the unique requirements of DoD missions and warfighters.

Figure (long description): The Department of Defense (DoD), the Intelligence Community (IC), Civil agencies, and the CNSS form the Joint Task Force Transformation Initiative. This initiative provides risk management for the Federal Government, DoD, the Intelligence Community, other government agencies, CNSS, and NIST.


DoDI Policies and Risk Management

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD-specific needs. Links to the policies are available in the Resources section.

Figure (policy framework): NIST publications (NIST SP 800-39, SP 800-37, SP 800-30, SP 800-53, SP 800-53A, SP 800-137, SP 800-60, SP 800-160) on one side; DoD policies (DoDI 8500.01, DoDI 8510.01, and the RMF Knowledge Service) in the center; NSS policies (CNSSP 22, CNSSI 1253, CNSSI 4009) on the other side. Each is described below.


NIST SP 800-39

NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, is the flagship document in the series of information security standards and guidelines developed by NIST in response to the Federal Information Security Management Act (FISMA).

The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.

Special Publication 800-39 provides a structured yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.

The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the risk management guidance described herein is complementary to, and should be used as part of, a more comprehensive Enterprise Risk Management (ERM) program.


DoDI 8500.01

DoDI 8500.01, Cybersecurity, established a DoD cybersecurity program to protect and defend DoD information and IT. It establishes the positions of DoD Principal Authorizing Official (PAO) and DoD Senior Information Security Officer (SISO), and continues the DoD Information Security Risk Management Committee (DoD ISRMC), formerly known as the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel.

This policy adopted the term "cybersecurity", as defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23, to be used throughout DoD instead of the term Information Assurance (IA).


CNSSP No. 22

CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems, requires the implementation of an integrated, organization-wide program for managing IA risk to organizational operations (i.e., mission, functions, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of NSS. Risk management is a comprehensive process that requires organizations to frame risk, assess risk, respond to risk once determined, and monitor risk on an ongoing basis.


NIST SP 800-37

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, is a common information security framework for the federal government and its supporting contractors, developed as part of the Joint Task Force Transformation Initiative, and defines the following Risk Management Framework principles:

• Ensure management of risk from the operation and use of federal information systems is consistent with the organization's mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function)

• Ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes

• Support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results

• Achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies


CNSSI 1253

CNSSI 1253, Security Categorization and Control Selection for National Security Systems, is a companion document to NIST SP 800-53 for organizations that employ NSS. It establishes the processes for categorizing NSS and the information they process, and for appropriately selecting security controls for NSS from NIST SP 800-53.


NIST SP 800-30

NIST SP 800-30, Guide for Conducting Risk Assessments, provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments carried out at all three tiers in the risk management hierarchy are part of an overall risk management process, providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.

In particular, this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and for how risk assessments and other organizational risk management processes complement and inform each other.

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis, so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and different courses of action should be taken.


DoDI 8510.01

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), implemented the RMF for DoD IT by establishing the associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life cycle cybersecurity risk to DoD IT. It redesignated the DIACAP Technical Advisory Group (TAG) as the RMF TAG. It provides for direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT, and provides procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD, and between DoD and other federal agencies, for the authorization and connection of Information Systems (ISs).

DoDI 8510.01 applies to:

• The Office of the Secretary of Defense, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (referred to collectively in the instruction as the "DoD Components")

• All DoD IT that receives, processes, stores, displays, or transmits DoD information. These technologies are broadly grouped as DoD Information Systems (IS), Platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, test and evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD.

NIST SP 800-160

I Page16of 21 I Back Next

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD-specific needs.

Please select each box of the framework for an overview of the policy. The links to the policies will be made available in the Resources section.

CNSS 4009

CNSS 4009, National Information Assurance (IA) Glossary, contains IA terms submitted by the CNSS membership.

NIST SP 800-53

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.

NIST SP 800-53A

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans, and includes a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.

NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides guidance on ongoing monitoring of security. This policy includes:

• Determining if security controls continue to be effective over time

• How to respond to risk as situations change

• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance

Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.

NIST SP 800-60

NIST SP 800-60 addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)

• Information systems (e.g., mission critical, mission support, administrative)

NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts and covers 11 core technical processes in systems and software development.

The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities

• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle

• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied

• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria

Long Description

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies include:

• NIST SP 800-39, input into DoDI 8500.01

• NIST SP 800-37, input into DoDI 8500.01 and DoDI 8510.01

• NIST SP 800-30, input into DoDI 8510.01

• NIST SP 800-53, input into DoDI 8510.01

• NIST SP 800-53A, input into DoDI 8510.01

• NIST SP 800-137, input into DoDI 8510.01

• NIST SP 800-60, input into the Knowledge Service

• NIST SP 800-160, input into the Knowledge Service

NSS policies include:

• CNSSP 22, input into DoDI 8500.01

• CNSSI 1253 / NIST SP 800-37, input into DoDI 8500.01 and DoDI 8510.01

• CNSS 4009, input into DoDI 8510.01

DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework.

Decision Structure

The DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.

NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF, consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.

FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014.

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (U.S.C.).

CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53

• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)

• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS

DoD Risk Management Framework Policy, Cont.

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process.

• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely, documented, and reported to the responsible DoD Component Senior Information Security Officer (SISO).

• All DoD Information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01.

• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.

• Continuous monitoring capabilities will be implemented to the greatest extent possible.

• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes.

Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ________ to establish a single approach to managing risk within National Security Systems. (Fill in the blank)

• US Army, US Air Force, US Marine Corps, US Navy

• Intelligence Community, National Institute of Standards and Technology (NIST), Committee on National Security Systems (CNSS) (correct)

• Department of Justice, Department of Commerce

• Department of Interior

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.

Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

• An information system connecting to another information system

• A system that has already been tested and evaluated to meet security requirements for another purpose

• A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information (correct)

• A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.

Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.

Tiers of Risk Management

The DoD RMF governance structure implements the three-tiered approach to cybersecurity risk management described in NIST SP 800-39. The tiers are:

• Tier 1 - Organization: provides specific guidance for individual mission areas

• Tier 2 - Mission/Business Processes: implements direction/guidance

• Tier 3 - Information System (IS)/Platform Information Technology (PIT) Systems: implements direction/guidance from Tiers 1 and 2 while building and sustaining systems with the appropriate amount of cybersecurity to support the missions

The RMF operates primarily at Tier 3 in the risk management hierarchy but can also have interactions at Tiers 1 and 2 (e.g., providing feedback from ongoing authorization decisions to the risk executive and dissemination of updated threat and risk information to authorizing officials and information system owners).

Tier 1 - Key Personnel and Resources

Select each item for more information on the key governance elements in Tier 1.

DoD Chief Information Officer (CIO)

The DoD CIO directs and oversees the cybersecurity risk management of DoD IT.

DoD Senior Information Security Officer (SISO)

The DoD SISO, in accordance with DoDI 8500.01, represents the DoD CIO and directs and coordinates the DoD Cybersecurity program, which includes the establishment and maintenance of the RMF. In addition, the DoD SISO:

• Advises and informs the Public Affairs Officer (PAO) and other representatives

• Oversees the RMF Technical Advisory Group (TAG) and online RMF Knowledge Service (KS)

• Assesses and validates Tier 1 common security controls and publishes the list of controls on the RMF KS

Information Security Risk Management Committee (ISRMC)

The Risk Executive function consists of the DoD ISRMC, supported by the Defense Information Assurance (IA)/Security Accreditation Working Group (DSAWG).

The DoD ISRMC performs the DoD Risk Executive function as described in NIST SP 800-39. The committee:

• Provides strategic guidance to Tiers 2 & 3

• Assesses Tier 1 risk

• Authorizes information exchanges and connections for enterprise ISs, cross-mission area ISs, cross security domain connections, and mission partner connections

The DSAWG, in support of the DoD ISRMC, is the community forum for reviewing and resolving authorization issues related to the sharing of community risk. It develops and provides guidance to the AOs for IS connection to the DoD Information Enterprise. AOs who disagree with DSAWG decisions may appeal to the ISRMC.

Tier 1 - Key Personnel and Resources, Cont.

Select each item for more information on the key governance elements in Tier 1.

DoD Information Enterprise

Enables a new net-centric way of working, constructed from the information itself as well as a set of standards, services, and procedures that enable information to be widely available to authorized users.

The delivered set of services and tools will provide information and capabilities that enable end-user communities to more effectively and efficiently support mission operations. Finally, the DoD Information Enterprise includes the networks over which information travels and the security protocols that protect it. Further information: https://www.intelink.gov/wiki (Portal: DoD IE Strategic Plan and Roadmap)

DoD Cybersecurity Architecture

The DoD Cybersecurity Architecture consists of strategies, standards, and plans that have been developed for achieving an assured, integrated, and survivable information enterprise.

RMF Technical Advisory Group (TAG)

The RMF Technical Advisory Group (TAG) provides implementation guidance to the RMF by interfacing with the DoD Component cybersecurity programs, cybersecurity communities of interest (COIs), and other entities (e.g., DSAWG) to address issues that are common across all entities.

RMF Knowledge Service (KS)

The RMF Knowledge Service (KS) is a dynamic online knowledge base. It supports RMF implementation, planning, and execution, and functions as the authoritative source for RMF procedures and guidance.

https://rmfks.osd.mil/login.htm

Tier 1 - Organization

The benefits of Tier 1 are:

• Organization-wide security policies and procedures

• Oversight practices tailored to the organization's mission, operations, and needs

• Clear reporting processes for incident reporting, resource allocation, and Congressional budget

• Prioritization of information security requirements and allocation of resources based on risk

• Development of more consistent and cost-effective organization-wide solutions

• Consolidation and streamlining of security solutions across the organization to improve interoperability

• Information security considerations are integrated into the system development life cycles to save time and money

Tier 2 - Mission/Business Processes

Tier 2 addresses risk from a mission and business process perspective (DoD Components such as the Army, Defense Logistics Agency, etc.) and is guided by the risk decisions at Tier 1. Tier 2 activities are closely associated with enterprise architecture and include:

• Defining the core missions and business processes for the organization (including any derivative or related missions and business processes carried out by subordinate organizations)

• Prioritizing missions and business processes with respect to the goals and objectives of the organization

Tier 2 - Mission/Business Processes, Cont.

Tier 2 activities are closely associated with enterprise architecture and include:

• Defining the types of information that the organization needs to successfully execute the stated missions and business processes, and the information flows both internal and external to the organization

• Developing an organization-wide information protection strategy and incorporating high-level information security requirements into the core missions and business processes

• Specifying the degree of autonomy for subordinate organizations (i.e., organizations within the parent organization) that the parent organization permits for assessing, evaluating, mitigating, accepting, and monitoring risk

• Identifying priorities for the Mission/Business and providing guidance on sources of threat event information specific to the mission or line of business

• Identifying information production flow strategies and linkages to organizational enterprise architecture

Tier 2 - Mission/Business Processes, Cont.

A Principal Authorizing Official (PAO) is appointed for each of the DoD Mission Areas (MAs) and is a member of the DoD ISRMC. PAOs must:

• Represent the interests of the MA, as defined in DoDD 8115.01, and as required, issue authorization guidance specific to the MA consistent with DoDI 8510.01

• Resolve authorization issues in their MA and work with other PAOs to resolve issues among MAs, as needed

• Designate Authorizing Officials (AOs) for Information and PIT systems in their MA, COIs specified in DoD 8320.02-G, in coordination with appropriate DoD Component heads if required

• Designate information security architects or IS security engineers for MA segments or systems of systems, as needed

The DoD Component CIO, supported by the DoD Component SISO, is responsible for:

• Administering the RMF within the DoD Component cybersecurity program

• Participating in the RMF TAG

• Maintaining visibility and sharing of the RMF status of assigned IS and PIT systems

• Enforcing training requirements for persons participating in the RMF

The DoD Component SISO has the authority and responsibility for security controls assessment and must establish and manage a coordinated security assessment process for information technologies governed by the DoD Component cybersecurity program.

Note: All documents mentioned in this course can be found through the OSD Knowledge Service (CAC enabled). Link: https://rmfks.osd.mil/rmf/SiteResources/References/Pages/Links.aspx

Tier 3 - IS/PIT Systems

Tier 3 (IS and PIT systems) consists of:

Authorizing Official (AO): DoD Component heads are responsible for the appointment of trained and qualified AOs for all DoD ISs and PIT systems within their Component.

AOs should be appointed from senior leadership positions within business owner and mission owner organizations to promote accountability in authorization decisions that balance mission and business needs and security concerns.

IS or PIT System Cybersecurity Program: Consists of the policies, procedures, and activities of the Information System Owner (ISO), Program Manager/Systems Manager (PM/SM), User Representative (UR), Information System Security Manager (ISSM), and Information System Security Officers (ISSO) at the system level.

The Program implements and executes policy and guidance from Tier 1 and Tier 2 and augments them as needed. Also, the Program is responsible for establishing and maintaining the security of the system, including the monitoring and reporting of the system security status.

ISA220 Risk Management Framework for Practition er s Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

Successful Risk Management Programs

For acquisition programs and cybersecurity risk management to be successful, organizations need to:

• Conduct risk assessments

• Implement risk mitigation strategies

• Employ techniques and procedures for continuously monitoring the security state of information systems

An effective Risk Management Program allows balance between the costs of protective measures and gains in mission capability.


Risk Management Guidance As It Relates to the DoD RMF

The DoD leverages several policy and guidance documents to address the Department's focus on risk management. Per Department of Defense Instruction (DoDI) 5000.02 and DoDI 8500.01, building cybersecurity into the system early and throughout the life cycle is required to enable operational and technical cybersecurity risks to be identified and sufficiently mitigated throughout the acquisition process. It will also lead to decreased program costs, shortened schedules, and improved system performance, resilience, and trustworthiness.

Following are two references cybersecurity professionals and program managers can use for guidance:

• The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs

• The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle


The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs, dated January 2017, replaces the DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs dated June 2015 and the Risk Management Guide for DoD Acquisition Programs dated 2006. This guide builds from previous editions of the DoD Risk Management Guide but reflects revisions to emphasize managing not only program risks but also issues and opportunities, and is complementary to the Risk Management Framework.


The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle is designed to help Program Managers (PMs) understand how to integrate cybersecurity into their programs throughout the system life cycle. This should be done in accordance with the RMF and through collaboration with the Authorizing Official (AO), who ensures that the cybersecurity risk posture of the system is managed and maintained during operations.


Knowledge Review 1

The process of managing risks to organizational operations, organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system includes:

[ ] conducting a risk assessment

[ ] the implementation of a risk mitigation strategy

[ ] documenting the overall risk management program

[x] all of the above

Check Answer: Conducting a risk assessment, implementing a risk mitigation strategy, and documenting the overall risk management program are the processes of managing risks.


Federal-wide Partnership to Establish Single Approach to Risk Management for National Security Systems

In 2009, the Joint Task Force Transformation Initiative Interagency Working Group was formed with representatives from NIST, DoD, CNSS, and the Office of the Director of National Intelligence (ODNI) to produce a unified information risk management framework for the federal government.

The move to the RMF aligns the DoD with the Federal government's risk management approach as described in the Joint Task Force Transformation Initiative Interagency Working Group efforts and captured in the NIST 800-series Special Publications on information security.

DoD leverages and builds upon numerous existing Federal policies and standards, resulting in less DoD policy to write and maintain.

DoD participates in CNSS and NIST policy development as a vested stakeholder, with the goals of a more synchronized cybersecurity landscape and protecting the unique requirements of DoD missions and warfighters.

Long Description (figure: Joint Task Force Transformation Initiative): The Department of Defense (DoD), IC, Civil, and the CNSS form the Joint Task Force Transformation Initiative. This initiative provides Risk Management for the Federal Government, DoD, Intelligence Community, Other Government Agencies, CNSS, and NIST.


DoDI Policies and Risk Management

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD-specific needs.

Please select each box of the framework for an overview of the policy. The links to the policies will be made available in the Resources section.

[Framework diagram: NIST (NIST SP 800-39, SP 800-37, SP 800-30, SP 800-53, SP 800-53A, SP 800-137, SP 800-60, SP 800-160); DoD (DoDI 8500.01, DoDI 8510.01, Knowledge Service); NSS (CNSSP 22, CNSSI 1253, CNSS 4009)]


NIST SP 800-39

NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, is the flagship document in the series of information security standards and guidelines developed by NIST in response to the Federal Information Security Management Act (FISMA).

The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.

Special Publication 800-39 provides a structured, yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.

The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the risk management guidance described herein is complementary to and should be used as part of a more comprehensive Enterprise Risk Management (ERM) program.


DoDI 8500.01

DoDI 8500.01, Cybersecurity, established a DoD cybersecurity program to protect and defend DoD information and IT. It establishes the positions of DoD Principal Authorizing Official (PAO) and DoD Senior Information Security Officer (SISO), and continues the DoD Information Security Risk Management Committee (DoD ISRMC), formerly known as the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel.

This policy adopted the term "cybersecurity," as defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23, to be used throughout DoD instead of the term Information Assurance (IA).


CNSSP No. 22

CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems, requires the implementation of an integrated organization-wide program for managing IA risk to organizational operations (i.e., mission, functions, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of NSS. Risk management is a comprehensive process that requires organizations to frame risk, assess risk, respond to risk once determined, and monitor risk on an ongoing basis.


NIST SP 800-37

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, is a common information security framework for the federal government and its supporting contractors as part of the Joint Task Force Transformation Initiative, and defines the following Risk Management Framework principles:

• Ensure management of risk from the operation and use of federal information systems is consistent with the organization's mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function)

• Ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes

• Support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results

• Achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies


CNSSI 1253

CNSSI 1253, Security Categorization and Control Selection for National Security Systems, is a companion document to NIST SP 800-53 for organizations that employ NSS. It establishes the processes for categorizing NSS and the information they process, and for appropriately selecting security controls for NSS from NIST SP 800-53.


NIST SP 800-30

NIST SP 800-30 (Information Security) provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments, carried out at all three tiers in the risk management hierarchy, are part of an overall risk management process, providing senior leaders and executives with the information needed to determine appropriate courses of action in response to identified risks.

In particular, this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and how risk assessments and other organizational risk management processes complement and inform each other.

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis, so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and different courses of action should be taken.


DoDI 8510.01

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life cycle cybersecurity risk to DoD IT. It designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG. Direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT became available, as did procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD, and between DoD and other federal agencies, for the authorization and connection of Information Systems (ISs).

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), applies to:

• The Office of the Secretary of Defense, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (referred to collectively in the instruction as the DoD Components)

• All DoD IT that receives, processes, stores, displays, or transmits DoD information. These technologies are broadly grouped as DoD Information Systems (IS), Platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, Test and Evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD.


CNSS 4009

CNSS 4009, National Information Assurance (IA) Glossary, contains IA terms submitted by the CNSS membership.


NIST SP 800-53

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.


NIST SP 800-53A

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans, and includes a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.


NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides for ongoing monitoring of security. This policy includes:

• Determining if security controls continue to be effective over time

• How to respond to risk as situations change

• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance


Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.


NIST SP 800-60

NIST SP 800-60 (Information Security) addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)

• Information systems (e.g., mission critical, mission support, administrative)


NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts and covers 11 core technical processes in systems and software development.

The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities

• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle

• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied

• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria


Long Description (framework diagram): DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies include:

• NIST SP 800-39: input into DoDI 8500.01

• NIST SP 800-37: input into DoDI 8500.01 and DoDI 8510.01

• NIST SP 800-30: input into DoDI 8510.01

• NIST SP 800-53: input into DoDI 8510.01

• NIST SP 800-53A: input into DoDI 8510.01

• NIST SP 800-137: input into DoDI 8510.01

• NIST SP 800-60: input into the Knowledge Service

• NIST SP 800-160: input into the Knowledge Service

NSS policies include:

• CNSSP 22: input into DoDI 8500.01

• CNSSI 1253 / NIST SP 800-37: input into DoDI 8500.01 and DoDI 8510.01

• CNSS 4009: input into DoDI 8510.01


DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework.

Headings: Decision Structure | NIST SP 800-37 | FISMA 2014 | CNSSI 1253


Decision Structure

The DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.


NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF, consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.


FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014.

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (U.S.C.).


All DoD Information and PIT systems must determine the impact values to the confidentiality integrity and availability of the information to be processed on the system and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253 Implementing the RMF includes

bull Implementing a corresponding set of security controls from NIST SP 800-53

bull Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values overlays implementation guidance and assessment procedures found on the RMF Knowledge Service (KS)

bull Executing updates to DoDs implementation of security controls that have been coordinated through the RMF T AG and identified in the RMF KS

I Page17of21 I Back Next

DoD Risk Management Framework Policy (Cont.)

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process.
• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely, documented, and reported to the responsible DoD Component Senior Information Security Officer (SISO).
• All DoD Information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01.
• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.
• Continuous monitoring capabilities will be implemented to the greatest extent possible.
• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes.

Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ________ to establish a single approach to managing risk within National Security Systems. (Fill in the blank)

• U.S. Army, U.S. Air Force, U.S. Marine Corps, U.S. Navy
• Intelligence Community, National Institute of Standards and Technology (NIST), Committee on National Security Systems (CNSS) (correct)
• Department of Justice, Department of Commerce
• Department of Interior

Check Answer

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.

Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

• An information system connecting to another information system
• A system that has already been tested and evaluated to meet security requirements for another purpose
• A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information (correct)
• A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Check Answer

Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.

Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.

Tiers of Risk Management

The DoD RMF governance structure implements the three-tiered approach to cybersecurity risk management described in NIST SP 800-39. The tiers are:

• Tier 1 - Organization
• Tier 2 - Mission/Business Processes
• Tier 3 - Information System (IS)/Platform Information Technology (PIT) Systems

[Figure: The DoD RMF three tiers]

The RMF operates primarily at Tier 3 in the risk management hierarchy but can also have interactions at Tiers 1 and 2 (e.g., providing feedback from ongoing authorization decisions to the risk executive and dissemination of updated threat and risk information to authorizing officials and information system owners).

Tier 1 - Key Personnel and Resources

Select each item for more information on the key governance elements in Tier 1: DoD Chief Information Officer (CIO), DoD Senior Information Security Officer (SISO), Information Security Risk Management Committee (ISRMC).

DoD Chief Information Officer (CIO)

The DoD CIO directs and oversees the cybersecurity risk management of DoD IT.

DoD Senior Information Security Officer (SISO)

The DoD SISO, in accordance with DoDI 8500.01, represents the DoD CIO and directs and coordinates the DoD Cybersecurity program, which includes the establishment and maintenance of the RMF. In addition, the DoD SISO:

• Advises and informs the Public Affairs Officer (PAO) and other representatives
• Oversees the RMF Technical Advisory Group (TAG) and online RMF Knowledge Service (KS)
• Assesses and validates Tier 1 common security controls and publishes the list of controls on the RMF KS

Information Security Risk Management Committee (ISRMC)

The Risk Executive function consists of the DoD ISRMC supported by the Defense Information Assurance (IA)/Security Accreditation Working Group (DSAWG).

The DoD ISRMC performs the DoD Risk Executive function as described in NIST SP 800-39. The committee:

• Provides strategic guidance to Tiers 2 & 3
• Assesses Tier 1 risk
• Authorizes information exchanges and connections for enterprise ISs, cross-mission area ISs, cross security domain connections, and mission partner connections

The DSAWG, in support of the DoD ISRMC, is the community forum for reviewing and resolving authorization issues related to the sharing of community risk. It develops and provides guidance to the AOs for IS connection to the DoD Information Enterprise. AOs who disagree with DSAWG decisions may appeal to the ISRMC.

Tier 1 - Key Personnel and Resources (Cont.)

Select each item for more information on the key governance elements in Tier 1: DoD Information Enterprise, DoD Cybersecurity Architecture, RMF Technical Advisory Group (TAG), RMF Knowledge Service (KS).

DoD Information Enterprise

Enables a new net-centric way of working, constructed from the information itself as well as a set of standards, services, and procedures that enable information to be widely available to authorized users.

The delivered set of services and tools will provide information and capabilities that enable end-user communities to more effectively and efficiently support mission operations. Finally, the DoD Information Enterprise includes the networks over which information travels and the security protocols that protect it.

Further information: DoD IE Strategic Plan and Roadmap portal on Intelink (https://www.intelink.gov/wiki/)

DoD Cybersecurity Architecture

The DoD Cybersecurity Architecture consists of strategies, standards, and plans that have been developed for achieving an assured, integrated, and survivable information enterprise.

RMF Technical Advisory Group (TAG)

The RMF Technical Advisory Group (TAG) provides implementation guidance to the RMF by interfacing with the DoD Component cybersecurity programs, cybersecurity communities of interest (COIs), and other entities (e.g., DSAWG) to address issues that are common across all entities.

RMF Knowledge Service (KS)

The RMF Knowledge Service (KS) is a dynamic online knowledge base. It supports RMF implementation planning and execution and functions as the authoritative source for RMF procedures and guidance.

https://rmfks.osd.mil/login.htm

Tier 1 - Organization

The benefits of Tier 1 are:

• Organization-wide security policies and procedures
• Oversight practices tailored to the organization's mission, operations, and needs
• Clear reporting processes for incident reporting, resource allocation, and Congressional budget
• Prioritization of information security requirements and allocation of resources based on risk
• Development of more consistent and cost-effective organization-wide solutions
• Consolidation and streamlining of security solutions across the organization to improve interoperability
• Information security considerations are integrated into the system development life cycles to save time and money

[Figure: DoD Risk Management Tier 1]

Tier 2 - Mission/Business Processes

Tier 2 addresses risk from a mission and business process perspective and is guided by the risk decisions at Tier 1. Tier 2 activities are closely associated with enterprise architecture and include:

• Defining the core missions and business processes for the organization (including any derivative or related missions and business processes carried out by subordinate organizations)
• Prioritizing missions and business processes with respect to the goals and objectives of the organization
• Defining the types of information that the organization needs to successfully execute the stated missions and business processes and the information flows both internal and external to the organization
• Developing an organization-wide information protection strategy and incorporating high-level information security requirements into the core missions and business processes
• Specifying the degree of autonomy for subordinate organizations (i.e., organizations within the parent organization) that the parent organization permits for assessing, evaluating, mitigating, accepting, and monitoring risk
• Identifying priorities for the Mission/Business and providing guidance on sources of threat event information specific to the mission or line of business
• Identifying information production flow strategies and linkages to organizational enterprise architecture

[Figure: DoD Risk Management Tier 2 - DoD Component (Army, Defense Logistics Agency, etc.)]

Tier 2 - Mission/Business Processes (Cont.)

A Principal Authorizing Official (PAO) is appointed for each of the DoD Mission Areas (MAs) and is a member of the DoD ISRMC. PAOs must:

• Represent the interests of the MA as defined in DoDD 8115.01 and, as required, issue authorization guidance specific to the MA consistent with DoDI 8510.01
• Resolve authorization issues in their MA and work with other PAOs to resolve issues among MAs as needed
• Designate Authorizing Officials (AOs) for Information and PIT systems in their MA COIs specified in DoD 8320.02-G, in coordination with appropriate DoD Component heads if required
• Designate information security architects or IS security engineers for MA segments or systems of systems as needed

The DoD Component CIO, supported by the DoD Component SISO, is responsible for:

• Administering the RMF within the DoD Component cybersecurity program
• Participating in the RMF TAG
• Maintaining visibility and sharing of the RMF status of assigned IS and PIT systems
• Enforcing training requirements for persons participating in the RMF

The DoD Component SISO has the authority and responsibility for security controls assessment and must establish and manage a coordinated security assessment process for information technologies governed by the DoD Component cybersecurity program.

Note: All documents mentioned in this course can be found through the OSD Knowledge Service (CAC enabled). Link: https://rmfks.osd.mil/rmf/SiteResources/References/Pages/Links.aspx

Tier 3 - IS/PIT Systems

Tier 3 (IS and PIT systems) consists of:

Authorizing Official (AO): DoD Component heads are responsible for the appointment of trained and qualified AOs for all DoD ISs and PIT systems within their Component. AOs should be appointed from senior leadership positions within business owner and mission owner organizations to promote accountability in authorization decisions that balance mission and business needs and security concerns.

IS or PIT System Cybersecurity Program: Consists of the policies, procedures, and activities of the Information System Owner (ISO), Program Manager/Systems Manager (PM/SM), User Representative (UR), Information System Security Manager (ISSM), and Information System Security Officers (ISSO) at the system level. The Program implements and executes policy and guidance from Tier 1 and Tier 2 and augments them as needed. Also, the Program is responsible for establishing and maintaining the security of the system, including the monitoring and reporting of the system security status.

[Figure: DoD Risk Management Tier 3]

Successful Risk Management Programs

For acquisition programs and cybersecurity risk management to be successful, organizations need to:

• Conduct risk assessments
• Implement risk mitigation strategies
• Employ techniques and procedures for continuously monitoring the security state of information systems

An effective Risk Management Program allows balance between costs of protective measures and gains in mission capability.

Risk Management Guidance As It Relates to the DoD RMF

The DoD leverages several policy and guidance documents to address the Department's focus on risk management. Per Department of Defense Instruction (DoDI) 5000.02 and DoDI 8500.01, building cybersecurity into the system early and throughout the life cycle is required to enable operational and technical cybersecurity risks to be identified and sufficiently mitigated throughout the acquisition process. It will also lead to decreased program costs, shortened schedules, and improved system performance, resilience, and trustworthiness.

Following are two references cybersecurity professionals and program managers can use for guidance:

• The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs
• The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle

The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs, dated January 2017, replaces the DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs dated June 2015 and the Risk Management Guide for DoD Acquisition Programs dated 2006. This guide builds from previous editions of the DoD Risk Management Guide but reflects revisions to emphasize managing not only program risks but also issues and opportunities, and is complementary to the Risk Management Framework.

The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle is designed to help Program Managers (PMs) understand how to integrate cybersecurity into their programs throughout the system life cycle. This should be done in accordance with the RMF and through collaboration with the Authorizing Official (AO), who ensures that the cybersecurity risk posture of the system is managed and maintained during operations.

Knowledge Review 1

The process of managing risks to organizational operations, organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system includes:

• conducting a risk assessment
• the implementation of a risk mitigation strategy
• documenting the overall risk management program
• all of the above (correct)

Check Answer

Conducting a risk assessment, implementing a risk mitigation strategy, and documenting the overall risk management program are the processes of managing risks.

Federal-wide Partnership to Establish Single Approach to Risk Management for National Security Systems

In 2009, the Joint Task Force Transformation Initiative Interagency Working Group was formed with representatives from NIST, DoD, CNSS, and the Office of the Director of National Intelligence (ODNI) to produce a unified information risk management framework for the federal government.

The move to the RMF aligns the DoD with the Federal government's risk management approach as described in the Joint Task Force Transformation Initiative Interagency Working Group efforts and captured in NIST 800-series Special Publications on information security.

DoD leverages and builds upon numerous existing Federal policies and standards, resulting in less DoD policy to write and maintain.

DoD participates in CNSS and NIST policy development as a vested stakeholder with the goals of a more synchronized cybersecurity landscape and to protect the unique requirements of DoD Missions and warfighters.

[Figure: Joint Task Force Transformation Initiative. The Department of Defense (DoD), IC, Civil, and the CNSS form the Joint Task Force Transformation Initiative. This initiative provides Risk Management for the Federal Government, DoD, Intelligence Community, Other Government Agencies, CNSS, and NIST.]

DoDI Policies and Risk Management

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD-specific needs.

Please select each box of the framework for an overview of the policy. The links to the policies will be made available in the Resources section.

[Figure: Policy framework in three columns. NIST: NIST SP 800-39, NIST SP 800-37, NIST SP 800-30, NIST SP 800-53, NIST SP 800-53A, NIST SP 800-137, NIST SP 800-60, NIST SP 800-160. DoD: DoDI 8500.01, DoDI 8510.01, Knowledge Service. NSS: CNSSP 22, CNSSI 1253.]

NIST SP 800-39

NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, Information System View, is the flagship document in the series of information security standards and guidelines developed by NIST in response to the Federal Information Security Management Act (FISMA).

The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.

Special Publication 800-39 provides a structured, yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.

The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the risk management guidance described herein is complementary to and should be used as part of a more comprehensive Enterprise Risk Management (ERM) program.

DoDI 8500.01

DoDI 8500.01, Cybersecurity, established a DoD cybersecurity program to protect and defend DoD information and IT. It establishes the positions of DoD Principal Authorizing Official (PAO) and the DoD Senior Information Security Officer (SISO) and continues the DoD Information Security Risk Management Committee (DoD ISRMC) (formerly known as the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel).

This policy adopted the term cybersecurity, as it is defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23, to be used throughout DoD instead of the term Information Assurance (IA).

CNSSP No. 22

CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems, requires the implementation of an integrated organization-wide program for managing IA risk to organizational operations (i.e., mission, functions, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of NSS. Risk management is a comprehensive process that requires organizations to frame risk, assess risk, respond to risk once determined, and monitor risk on an ongoing basis.

NIST SP 800-37

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, is a common information security framework for the federal government and its supporting contractors as part of the Joint Task Force Transformation Initiative and defines the following Risk Management Framework principles:

• Ensure management of risk from the operation and use of federal information systems is consistent with the organization's mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function)
• Ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes
• Support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results
• Achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies


CNSSI 1253

CNSSI 1253, Security Categorization and Control Selection for National Security Systems, is a companion document to NIST SP 800-53 for organizations that employ NSS. It establishes the processes for categorizing NSS and the information they process, and for appropriately selecting security controls for NSS from NIST SP 800-53.


NIST SP 800-30

NIST SP 800-30, Information Security, provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments, carried out at all three tiers in the risk management hierarchy, are part of an overall risk management process, providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.

In particular, this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and how risk assessments and other organizational risk management processes complement and inform each other.

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and different courses of action should be taken.


DoDI 8510.01

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life cycle cybersecurity risk to DoD IT. It designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG. Direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT became available, as did procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD, and between DoD and other federal agencies, for the authorization and connection of Information Systems (ISs).

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), applies to:

• The Office of the Secretary of Defense, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (referred to collectively in the instruction as the DoD Components)

• All DoD IT that receives, processes, stores, displays, or transmits DoD information. These technologies are broadly grouped as DoD Information Systems (IS), Platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, Test and Evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD


CNSS 4009

CNSS 4009, National Information Assurance (IA) Glossary, contains IA terms submitted by the CNSS membership.


NIST SP 800-53

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.


NIST SP 800-53A

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans, and includes a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.


NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides ongoing monitoring of security. This policy includes:

• Determining if security controls continue to be effective over time

• How to respond to risk as situations change

• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance


Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.


NIST SP 800-60

NIST SP 800-60, Information Security, addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)

• Information systems (e.g., mission critical, mission support, administrative)


NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts and covers 11 core technical processes in systems and software development.

The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities

• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle

• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied

• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria


Long Description

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies include:

• NIST SP 800-39 input into DoDI 8500.01
• NIST SP 800-37 input into DoDI 8500.01 and DoDI 8510.01
• NIST SP 800-30 input into DoDI 8510.01
• NIST SP 800-53 input into DoDI 8510.01
• NIST SP 800-53A input into DoDI 8510.01
• NIST SP 800-137 input into DoDI 8510.01
• NIST SP 800-60 input into the Knowledge Service
• NIST SP 800-160 input into the Knowledge Service

CNSS policies include:

• CNSSP 22 input into DoDI 8500.01
• CNSSI 1253, NIST SP 800-37 input into DoDI 8500.01 and DoDI 8510.01
• CNSS 4009 input into DoDI 8510.01


DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework.


Decision Structure

The DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.


NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.


FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014.

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (U.S.C.).


CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53

• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)

• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS


DoD Risk Management Framework Policy (Cont.)

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process

• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely, documented, and reported to the responsible DoD Component Senior Information Security Officer (SISO)

• All DoD Information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01

• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system

• Continuous monitoring capabilities will be implemented to the greatest extent possible

• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes


Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ________ to establish a single approach to managing risk within National Security Systems. (Fill in the blank)

[ ] U.S. Army, U.S. Air Force, U.S. Marine Corps, U.S. Navy
[x] Intelligence Community, National Institute of Standards and Technology (NIST), Committee on National Security Systems (CNSS)
[ ] Department of Justice, Department of Commerce
[ ] Department of Interior

Check Answer

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.


Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

[ ] An information system connecting to another information system
[ ] A system that has already been tested and evaluated to meet security requirements for another purpose
[x] A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information
[ ] A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Check Answer

Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.


Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.


Tier 1 - Key Personnel and Resources

Select each item for more information on the key governance elements in Tier 1:

• DoD Chief Information Officer (CIO)
• DoD Senior Information Security Officer (SISO)
• Information Security Risk Management Committee (ISRMC)

DoD Chief Information Officer (CIO)

The DoD CIO directs and oversees the cybersecurity risk management of DoD IT.


DoD Senior Information Security Officer (SISO)

The DoD SISO, in accordance with DoDI 8500.01, represents the DoD CIO and directs and coordinates the DoD Cybersecurity program, which includes the establishment and maintenance of the RMF. In addition, the DoD SISO:

• Advises and informs the Public Affairs Officer (PAO) and other representatives

• Oversees the RMF Technical Advisory Group (TAG) and online RMF Knowledge Service (KS)

• Assesses and validates Tier 1 common security controls and publishes the list of controls on the RMF KS


Information Security Risk Management Committee (ISRMC)

The Risk Executive function consists of the DoD ISRMC, supported by the Defense Information Assurance (IA)/Security Accreditation Working Group (DSAWG).

The DoD ISRMC performs the DoD Risk Executive function as described in NIST SP 800-39. The committee:

• Provides strategic guidance to Tiers 2 & 3
• Assesses Tier 1 risk
• Authorizes information exchanges and connections for enterprise ISs, cross-mission area ISs, cross security domain connections, and mission partner connections

The DSAWG, in support of the DoD ISRMC, is the community forum for reviewing and resolving authorization issues related to the sharing of community risk. It develops and provides guidance to the AOs for IS connection to the DoD Information Enterprise. AOs who disagree with DSAWG decisions may appeal to the ISRMC.


Tier 1 - Key Personnel and Resources (Cont.)

Select each item for more information on the key governance elements in Tier 1:

• DoD Information Enterprise
• DoD Cybersecurity Architecture
• RMF Technical Advisory Group (TAG)
• RMF Knowledge Service (KS)

DoD Information Enterprise

Enables a new net-centric way of working, constructed from the information itself as well as a set of standards, services, and procedures that enable information to be widely available to authorized users.

The delivered set of services and tools will provide information and capabilities that enable end-user communities to more effectively and efficiently support mission operations. Finally, the DoD Information Enterprise includes the networks over which information travels and the security protocols that protect it. For further information, see:

https wwwintelinkgovwiki Portal DoD IE Strategic Plan and Roadmap


DoD Cybersecurity Architecture

The DoD Cybersecurity Architecture consists of strategies, standards, and plans that have been developed for achieving an assured, integrated, and survivable information enterprise.


RMF Technical Advisory Group (TAG)

The RMF Technical Advisory Group (TAG) provides implementation guidance to the RMF by interfacing with the DoD Component cybersecurity programs, cybersecurity communities of interest (COIs), and other entities (e.g., DSAWG) to address issues that are common across all entities.


RMF Knowledge Service (KS)

The RMF Knowledge Service (KS) is a dynamic online knowledge base. It supports RMF implementation, planning, and execution and functions as the authoritative source for RMF procedures and guidance.

https://rmfks.osd.mil/login.htm


Tier 1 - Organization

The benefits of Tier 1 are:

• Organization-wide security policies and procedures

• Oversight practices tailored to the organization's mission, operations, and needs

• Clear reporting processes for incident reporting, resource allocation, & Congressional budget

• Prioritization of information security requirements and allocation of resources based on risk

• Development of more consistent and cost-effective organization-wide solutions

• Consolidation and streamlining of security solutions across the organization to improve interoperability

• Information security considerations are integrated into the system development life cycles to save time and money


Tier 2 - Mission/Business Processes

Tier 2 (DoD Component: Army, Defense Logistics Agency, etc.) addresses risk from a mission and business process perspective and is guided by the risk decisions at Tier 1. Tier 2 activities are closely associated with enterprise architecture and include:

• Defining the core missions and business processes for the organization (including any derivative or related missions and business processes carried out by subordinate organizations)

• Prioritizing missions and business processes with respect to the goals and objectives of the organization


Tier 2 - Mission/Business Processes (Cont.)

Tier 2 activities are closely associated with enterprise architecture and include:

• Defining the types of information that the organization needs to successfully execute the stated missions and business processes and the information flows both internal and external to the organization

• Developing an organization-wide information protection strategy and incorporating high-level information security requirements into the core missions and business processes

• Specifying the degree of autonomy for subordinate organizations (i.e., organizations within the parent organization) that the parent organization permits for assessing, evaluating, mitigating, accepting, and monitoring risk

• Identifying priorities for the Mission/Business and providing guidance on sources of threat event information specific to the mission or line of business

• Identifying information production flow strategies and linkages to organizational enterprise architecture


Tier 2-MissionBusiness Processes Cont

A Principal Authorizing Official (PAO) is appointed for each of the DoD Mission Areas (MAs) and is a member of the DoD ISRMC PAOs must

bull Represent the interests of the MA as defined in DoDD 811501 and as required issue authorization guidance specific to the MA consistent with DoDI 851001

bull Resolve authorization issues in their MA and work with other PAOs to resolve issues among MAs as needed

bull Designate Authorizing Officials (AOs) for Information and PIT systems in their MA COis specified in DoD 83202-G in coordination with appropriate DoD Component heads if required

bull Designate information security architects or IS security engineers for MA segments or systems of systems as needed

The DoD Component CIO, supported by the DoD Component SISO, is responsible for:

• Administering the RMF within the DoD Component cybersecurity program

• Participating in the RMF TAG

• Maintaining visibility and sharing of the RMF status of assigned IS and PIT systems

• Enforcing training requirements for persons participating in the RMF

The DoD Component SISO has the authority and responsibility for security controls assessment and must establish and manage a coordinated security assessment process for information technologies governed by the DoD Component cybersecurity program.

Note: All documents mentioned in this course can be found through the OSD Knowledge Service (CAC enabled). Link: https://rmfks.osd.mil/rmf/SiteResources/References/Pages/Links.aspx


Tier 3 - IS/PIT Systems

Tier 3 (IS and PIT systems) consists of the Authorizing Official and the IS or PIT System Cybersecurity Program.

Authorizing Official (AO): DoD Component heads are responsible for the appointment of trained and qualified AOs for all DoD ISs and PIT systems within their Component.

AOs should be appointed from senior leadership positions within business owner and mission owner organizations to promote accountability in authorization decisions that balance mission and business needs and security concerns.

IS or PIT System Cybersecurity Program: Consists of the policies, procedures, and activities of the Information System Owner (ISO), Program Manager/Systems Manager (PM/SM), User Representative (UR), Information System Security Manager (ISSM), and Information System Security Officers (ISSO) at the system level.

The Program implements and executes policy and guidance from Tier 1 and Tier 2 and augments them as needed. The Program is also responsible for establishing and maintaining the security of the system, including the monitoring and reporting of the system security status.


Successful Risk Management Programs

For acquisition programs and cybersecurity risk management to be successful, organizations need to:

• Conduct risk assessments

• Implement risk mitigation strategies

• Employ techniques and procedures for continuously monitoring the security state of information systems

An effective Risk Management Program allows balance between the costs of protective measures and gains in mission capability.


Risk Management Guidance As It Relates to the DoD RMF

The DoD leverages several policy and guidance documents to address the Department's focus on risk management. Per Department of Defense Instruction (DoDI) 5000.02 and DoDI 8500.01, building cybersecurity into the system early and throughout the life cycle is required to enable operational and technical cybersecurity risks to be identified and sufficiently mitigated throughout the acquisition process. It will also lead to decreased program costs, shortened schedules, and improved system performance, resilience, and trustworthiness.

Following are two references cybersecurity professionals and program managers can use for guidance:

• The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs

• The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle


The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs, dated January 2017, replaces the DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs dated June 2015 and the Risk Management Guide for DoD Acquisition Programs dated 2006. This guide builds from previous editions of the DoD Risk Management Guide but reflects revisions to emphasize managing not only program risks but also issues and opportunities, and is complementary to the Risk Management Framework.


The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle is designed to help Program Managers (PMs) understand how to integrate cybersecurity into their programs throughout the system life cycle. This should be done in accordance with the RMF and through collaboration with the Authorizing Official (AO), who ensures that the cybersecurity risk posture of the system is managed and maintained during operations.


Knowledge Review 1

The process of managing risks to organizational operations, organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system includes:

• conducting a risk assessment

• the implementation of a risk mitigation strategy

• documenting the overall risk management program

• all of the above (correct answer)

Answer: Conducting a risk assessment, implementing a risk mitigation strategy, and documenting the overall risk management program are the processes of managing risks.


Federal-wide Partnership to Establish Single Approach to Risk Management for National Security Systems

In 2009, the Joint Task Force Transformation Initiative Interagency Working Group was formed with representatives from NIST, DoD, CNSS, and the Office of the Director of National Intelligence (ODNI) to produce a unified information risk management framework for the federal government.

The move to the RMF aligns the DoD with the Federal government's risk management approach as described in the Joint Task Force Transformation Initiative Interagency Working Group efforts and captured in NIST 800-series Special Publications on information security.

DoD leverages and builds upon numerous existing Federal policies and standards, resulting in less DoD policy to write and maintain.

DoD participates in CNSS and NIST policy development as a vested stakeholder, with the goals of a more synchronized cybersecurity landscape and to protect the unique requirements of DoD Missions and warfighters.

[Figure: Joint Task Force Transformation Initiative. The Department of Defense (DoD), IC, Civil agencies, and the CNSS form the Joint Task Force Transformation Initiative, which provides risk management for the Federal Government, DoD, Intelligence Community, other government agencies, CNSS, and NIST.]


DoDI Policies and Risk Management

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD-specific needs.

The framework diagram groups the policies under NIST, DoD, and NSS; an overview of each policy follows. The links to the policies will be made available in the Resources section.

[Figure: policy framework diagram. NIST: NIST SP 800-39, NIST SP 800-37, NIST SP 800-30, NIST SP 800-53, NIST SP 800-53A, NIST SP 800-137, NIST SP 800-60, NIST SP 800-160. DoD: DoDI 8500.01, DoDI 8510.01, Knowledge Service. NSS: CNSSP 22, CNSSI 1253, CNSS 4009.]

NIST SP 800-39

NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, is the flagship document in the series of information security standards and guidelines developed by NIST in response to the Federal Information Security Management Act (FISMA).

The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.

Special Publication 800-39 provides a structured, yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.

The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the risk management guidance described herein is complementary to and should be used as part of a more comprehensive Enterprise Risk Management (ERM) program.

DoDI 8500.01

DoDI 8500.01, Cybersecurity, established a DoD cybersecurity program to protect and defend DoD information and IT. It establishes the positions of DoD Principal Authorizing Official (PAO) and the DoD Senior Information Security Officer (SISO), and continues the DoD Information Security Risk Management Committee (DoD ISRMC) (formerly known as the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel).

This policy adopted the term "cybersecurity" as it is defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23, to be used throughout DoD instead of the term Information Assurance (IA).

CNSSP No. 22

CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems, requires the implementation of an integrated organization-wide program for managing IA risk to organizational operations (i.e., mission, functions, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of NSS. Risk management is a comprehensive process that requires organizations to frame risk, assess risk, respond to risk once determined, and monitor risk on an ongoing basis.

NIST SP 800-37

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, is a common information security framework for the federal government and its supporting contractors as part of the Joint Task Force Transformation Initiative, and defines the following Risk Management Framework principles:

• Ensure management of risk from the operation and use of federal information systems is consistent with the organization's mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function).

• Ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes.

• Support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results.

• Achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies.

CNSSI 1253

CNSSI 1253, Security Categorization and Control Selection for National Security Systems, is a companion document to NIST SP 800-53 for organizations that employ NSS. It establishes the processes for categorizing NSS and the information they process, and for appropriately selecting security controls for NSS from NIST SP 800-53.

NIST SP 800-30

NIST SP 800-30, Information Security, provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments carried out at all three tiers in the risk management hierarchy are part of an overall risk management process, providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.

In particular, this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and how risk assessments and other organizational risk management processes complement and inform each other.

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and different courses of action should be taken.

DoDI 8510.01

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life-cycle cybersecurity risk to DoD IT. It designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG. Direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT became available, as did procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD and between DoD and other federal agencies for the authorization and connection of Information Systems (ISs).

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), applies to:

• The Office of the Secretary of Defense, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (referred to collectively in the instruction as the "DoD Components").

• All DoD IT that receives, processes, stores, displays, or transmits DoD information. These technologies are broadly grouped as DoD Information Systems (IS), Platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, Test and Evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD.

CNSS 4009

CNSS 4009, National Information Assurance (IA) Glossary, contains IA terms submitted by the CNSS membership.

NIST SP 800-53

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.

NIST SP 800-53A

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans, and includes a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.

NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides for ongoing monitoring of security. This policy includes:

• Determining if security controls continue to be effective over time

• How to respond to risk as situations change

• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance

Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.

NIST SP 800-60

NIST SP 800-60, Information Security, addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)

• Information systems (e.g., mission critical, mission support, administrative)

NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts, and covers 11 core technical processes in systems and software development. The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities

• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle

• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied

• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and to serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria

Policy framework diagram (long description)

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies include:

• NIST SP 800-39: input into DoDI 8500.01

• NIST SP 800-37: input into DoDI 8500.01 and DoDI 8510.01

• NIST SP 800-30: input into DoDI 8510.01

• NIST SP 800-53: input into DoDI 8510.01

• NIST SP 800-53A: input into DoDI 8510.01

• NIST SP 800-137: input into DoDI 8510.01

• NIST SP 800-60: input into the Knowledge Service

• NIST SP 800-160: input into the Knowledge Service

NSS policies include:

• CNSSP 22: input into DoDI 8500.01

• CNSSI 1253 / NIST SP 800-37: input into DoDI 8500.01 and DoDI 8510.01

• CNSS 4009: input into DoDI 8510.01


DoD Risk Management Framework Policy

The key policy requirements for the execution of the DoD Risk Management Framework are grouped under four headings: Decision Structure, NIST SP 800-37, FISMA 2014, and CNSSI 1253.

Decision Structure

The DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.


NIST SP 800-37: The cybersecurity requirements for DoD information technologies will be managed through the RMF, consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.

FISMA 2014: The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014.

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (USC).

CNSSI 1253: All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53
• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)
• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS
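As an added illustration (not part of the ISA220 course or any CNSS publication), the following Python models the categorize-then-select step above: each information type the system will process is rated Low/Moderate/High for confidentiality, integrity, and availability, the system categorization keeps the three values separate rather than collapsing them to a single high-water mark, and that categorization drives control selection. The control tables, the privacy overlay contents, and the sample information types are constructed placeholders, not the real CNSSI 1253 baselines or overlays.

```python
# Added example, not course or CNSS code. Models the CNSSI 1253 step of
# determining C/I/A impact values and selecting controls from them.
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

LEVELS = ("Low", "Moderate", "High")  # ordered from least to most impact


@dataclass(frozen=True)
class InfoType:
    """One information type the system processes, with its C/I/A impact values."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _check(level: str) -> str:
    if level not in LEVELS:
        raise ValueError(f"impact value must be one of {LEVELS}, got {level!r}")
    return level


def categorize(info_types: Iterable[InfoType]) -> Tuple[str, str, str]:
    """Return the (C, I, A) categorization of a system: the per-attribute
    maximum across every information type it processes. The three values
    stay separate; CNSSI 1253 does not reduce them to one high-water mark."""
    types = list(info_types)
    if not types:
        raise ValueError("a system must process at least one information type")

    def highest(attr: str) -> str:
        return max((_check(getattr(t, attr)) for t in types), key=LEVELS.index)

    return highest("confidentiality"), highest("integrity"), highest("availability")


# Constructed placeholder tables. Real baselines come from CNSSI 1253 and the
# DoD-specific values/overlays on the RMF Knowledge Service; the identifiers are
# NIST SP 800-53 control IDs, but their assignment to levels here is illustrative.
BASELINE: Dict[str, Dict[str, Set[str]]] = {
    "confidentiality": {"Low": {"AC-3"}, "Moderate": {"AC-3", "SC-8"},
                        "High": {"AC-3", "SC-8", "SC-28"}},
    "integrity":       {"Low": {"SI-3"}, "Moderate": {"SI-3", "SI-7"},
                        "High": {"SI-3", "SI-7", "AU-9"}},
    "availability":    {"Low": {"CP-9"}, "Moderate": {"CP-9", "CP-7"},
                        "High": {"CP-9", "CP-7", "CP-10"}},
}
OVERLAYS: Dict[str, Set[str]] = {
    "privacy": {"AR-2", "UL-1"},  # illustrative overlay contents only
}


def select_controls(categorization: Tuple[str, str, str],
                    overlays: Iterable[str] = ()) -> Set[str]:
    """Union the baseline controls implied by each impact value with the
    controls of every applicable overlay."""
    c, i, a = categorization
    controls: Set[str] = set()
    for attr, level in zip(("confidentiality", "integrity", "availability"), (c, i, a)):
        controls |= BASELINE[attr][_check(level)]
    for name in overlays:
        if name not in OVERLAYS:
            raise ValueError(f"unknown overlay {name!r}")
        controls |= OVERLAYS[name]
    return controls


# Constructed sample: a system that processes two information types.
SAMPLE = [
    InfoType("maintenance records", "Low", "Moderate", "Moderate"),
    InfoType("personnel data", "High", "Moderate", "Low"),
]

if __name__ == "__main__":
    cat = categorize(SAMPLE)
    print("categorization (C, I, A):", cat)  # ('High', 'Moderate', 'Moderate')
    print("controls:", sorted(select_controls(cat, ["privacy"])))
```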

DoD Risk Management Framework Policy (Cont.)

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process
• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely documented and reported to the responsible DoD Component Senior Information Security Officer (SISO)
• All DoD Information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01
• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system
• Continuous monitoring capabilities will be implemented to the greatest extent possible
• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes


Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ______ to establish a single approach to managing risk within National Security Systems. (Fill in the blank.)

• US Army
• US Air Force
• US Marine Corps
• US Navy
• Intelligence Community
• National Institute of Standards and Technology (NIST)
• Committee on National Security Systems (CNSS)
• Department of Justice
• Department of Commerce
• Department of Interior

Answer: As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.


Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

• An information system connecting to another information system
• A system that has already been tested and evaluated to meet security requirements for another purpose
• A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information
• A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Answer: Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.


Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.


Tier 1-Key Personnel and Resources

Select each item for more information on the key governance elements in Tier 1:

• DoD Chief Information Officer (CIO)
• DoD Senior Information Security Officer (SISO)
• Information Security Risk Management Committee (ISRMC)

DoD Senior Information Security Officer (SISO)

The DoD SISO, in accordance with DoDI 8500.01, represents the DoD CIO and directs and coordinates the DoD Cybersecurity program, which includes the establishment and maintenance of the RMF. In addition, the DoD SISO:

• Advises and informs the Public Affairs Officer (PAO) and other representatives
• Oversees the RMF Technical Advisory Group (TAG) and online RMF Knowledge Service (KS)
• Assesses and validates Tier 1 common security controls and publishes the list of controls on the RMF KS


Information Security Risk Management Committee (ISRMC)

The Risk Executive function consists of the DoD ISRMC, supported by the Defense Information Assurance (IA)/Security Accreditation Working Group (DSAWG).

The DoD ISRMC performs the DoD Risk Executive function as described in NIST SP 800-39. The committee:

• Provides strategic guidance to Tiers 2 & 3
• Assesses Tier 1 risk
• Authorizes information exchanges and connections for enterprise ISs, cross-mission area ISs, cross security domain connections, and mission partner connections

The DSAWG, in support of the DoD ISRMC, is the community forum for reviewing and resolving authorization issues related to the sharing of community risk. It develops and provides guidance to the AOs for IS connection to the DoD Information Enterprise. AOs who disagree with DSAWG decisions may appeal to the ISRMC.

Tier 1 - Key Personnel and Resources (Cont.)

Select each item for more information on the key governance elements in Tier 1:

• DoD Information Enterprise
• DoD Cybersecurity Architecture
• RMF Technical Advisory Group (TAG)
• RMF Knowledge Service (KS)

DoD Information Enterprise

Enables a new net-centric way of working, constructed from the information itself as well as a set of standards, services, and procedures that enable information to be widely available to authorized users.

The delivered set of services and tools will provide information and capabilities that enable end-user communities to more effectively and efficiently support mission operations. Finally, the DoD Information Enterprise includes the networks over which information travels and the security protocols that protect it. Further information: https://www.intelink.gov/wiki (Portal: DoD IE Strategic Plan and Roadmap)


DoD Cybersecurity Architecture

The DoD Cybersecurity Architecture consists of strategies, standards, and plans that have been developed for achieving an assured, integrated, and survivable information enterprise.


RMF Technical Advisory Group (TAG)

The RMF Technical Advisory Group (TAG) provides implementation guidance to the RMF by interfacing with the DoD Component cybersecurity programs, cybersecurity communities of interest (COIs), and other entities (e.g., DSAWG) to address issues that are common across all entities.


RMF Knowledge Service (KS)

The RMF Knowledge Service (KS) is a dynamic online knowledge base. It supports RMF implementation planning and execution and functions as the authoritative source for RMF procedures and guidance.

https://rmfks.osd.mil/login.htm


Tier 1 - Organization

The benefits of Tier 1 are:

• Organization-wide security policies and procedures
• Oversight practices tailored to the organization's mission, operations, and needs
• Clear reporting processes for incident reporting, resource allocation & Congressional budget
• Prioritization of information security requirements and allocation of resources based on risk
• Development of more consistent and cost-effective organization-wide solutions
• Consolidation and streamlining of security solutions across the organization to improve interoperability
• Information security considerations are integrated into the system development life cycles to save time and money


Tier 2 - Mission/Business Processes

Tier 2 addresses risk from a mission and business (DoD Component: Army, Defense Logistics Agency, etc.) process perspective and is guided by the risk decisions at Tier 1. Tier 2 activities are closely associated with enterprise architecture and include:

• Defining the core missions and business processes for the organization (including any derivative or related missions and business processes carried out by subordinate organizations)
• Prioritizing missions and business processes with respect to the goals and objectives of the organization


• Defining the types of information that the organization needs to successfully execute the stated missions and business processes, and the information flows both internal and external to the organization
• Developing an organization-wide information protection strategy and incorporating high-level information security requirements into the core missions and business processes
• Specifying the degree of autonomy for subordinate organizations (i.e., organizations within the parent organization) that the parent organization permits for assessing, evaluating, mitigating, accepting, and monitoring risk
• Identifying priorities for the Mission/Business and providing guidance on sources of threat event information specific to the mission or line of business
• Identifying information production flow strategies and linkages to organizational enterprise architecture

Tier 2 - Mission/Business Processes (Cont.)

A Principal Authorizing Official (PAO) is appointed for each of the DoD Mission Areas (MAs) and is a member of the DoD ISRMC. PAOs must:

• Represent the interests of the MA as defined in DoDD 8115.01 and, as required, issue authorization guidance specific to the MA consistent with DoDI 8510.01
• Resolve authorization issues in their MA and work with other PAOs to resolve issues among MAs as needed
• Designate Authorizing Officials (AOs) for Information and PIT systems in their MA COIs specified in DoD 8320.02-G, in coordination with appropriate DoD Component heads if required
• Designate information security architects or IS security engineers for MA segments or systems of systems as needed

The DoD Component CIO, supported by the DoD Component SISO, is responsible for:

• Administering the RMF within the DoD Component cybersecurity program
• Participating in the RMF TAG
• Maintaining visibility and sharing of the RMF status of assigned IS and PIT systems
• Enforcing training requirements for persons participating in the RMF

The DoD Component SISO has the authority and responsibility for security controls assessment and must establish and manage a coordinated security assessment process for information technologies governed by the DoD Component cybersecurity program.

Note: All documents mentioned in this course can be found through the OSD Knowledge Service (CAC enabled). Link: https://rmfks.osd.mil/rmf/SiteResources/References/Pages/Links.aspx


Tier 3 - IS/PIT Systems

Tier 3, IS and PIT systems, consists of:

Authorizing Official: DoD Component heads are responsible for the appointment of trained and qualified AOs for all DoD ISs and PIT systems within their Component.

AOs should be appointed from senior leadership positions within business owner and mission owner organizations to promote accountability in authorization decisions that balance mission and business needs and security concerns.

IS or PIT System Cybersecurity Program: Consists of the policies, procedures, and activities of the Information System Owner (ISO), Program Manager/Systems Manager (PM/SM), User Representative (UR), Information System Security Manager (ISSM), and Information System Security Officers (ISSO) at the system level.

The Program implements and executes policy and guidance from Tier 1 and Tier 2 and augments them as needed. Also, the Program is responsible for establishing and maintaining the security of the system, including the monitoring and reporting of the system security status.


Successful Risk Management Programs

For acquisition programs and cybersecurity risk management to be successful, organizations need to:

• Conduct risk assessments
• Implement risk mitigation strategies
• Employ techniques and procedures for continuously monitoring the security state of information systems

An effective Risk Management Program allows balance between costs of protective measures and gains in mission capability.


Risk Management Guidance As It Relates to the DoD RMF

The DoD leverages several policy and guidance documents to address the Department's focus on risk management. Per Department of Defense Instruction (DoDI) 5000.02 and DoDI 8500.01, building cybersecurity into the system early and throughout the life cycle is required to enable operational and technical cybersecurity risks to be identified and sufficiently mitigated throughout the acquisition process. It will also lead to decreased program costs, shortened schedules, and improved system performance, resilience, and trustworthiness.

Following are two references cybersecurity professionals and program managers can use for guidance:

• The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs
• The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle


The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs, dated January 2017, replaces the DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs dated June 2015 and the Risk Management Guide for DoD Acquisition Programs dated 2006. This guide builds from previous editions of the DoD Risk Management Guide but reflects revisions to emphasize managing not only program risks but also issues and opportunities, and is complementary to the Risk Management Framework.


The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle document is designed to help Program Managers (PMs) understand how to integrate cybersecurity into their programs throughout the system life cycle. This should be done in accordance with the RMF and through collaboration with the Authorizing Official (AO), who ensures that the cybersecurity risk posture of the system is managed and maintained during operations.


Knowledge Review 1

The process of managing risks to organizational operations, organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system includes:

• conducting a risk assessment
• the implementation of a risk mitigation strategy
• documenting the overall risk management program
• all of the above

Answer: Conducting a risk assessment, implementing a risk mitigation strategy, and documenting the overall risk management program are the processes of managing risks.


Federal-wide Partnership to Establish Single Approach to Risk Management for National Security Systems

In 2009, the Joint Task Force Transformation Initiative Interagency Working Group was formed with representatives from NIST, DoD, CNSS, and the Office of the Director of National Intelligence (ODNI) to produce a unified information risk management framework for the federal government.


The move to the RMF aligns the DoD with the Federal government's risk management approach as described in the Joint Task Force Transformation Initiative Interagency Working Group efforts and captured in NIST 800-series Special Publications on information security.

Long description: The Department of Defense (DOD), IC, Civil, and the CNSS form the Joint Task Force Transformation Initiative. This initiative provides Risk Management for the Federal Government, DoD, Intelligence Community, Other Government Agencies, CNSS, and NIST.

DoD leverages and builds upon numerous existing Federal policies and standards, resulting in less DoD policy to write and maintain.

DoD participates in CNSS and NIST policy development as a vested stakeholder, with the goals of a more synchronized cybersecurity landscape and to protect the unique requirements of DoD Missions and warfighters.


DoDI Policies and Risk Management

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD-specific needs.

Please select each box of the framework for an overview of the policy. The links to the policies will be made available in the Resources section.

Figure: policy framework with three columns. NIST: SP 800-39, SP 800-37, SP 800-30, SP 800-53, SP 800-53A, SP 800-137, SP 800-60, SP 800-160. DoD: DoDI 8500.01, DoDI 8510.01, Knowledge Service. NSS: CNSSP 22, CNSSI 1253, CNSS 4009.


NIST SP 800-39

NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, is the flagship document in the series of information security standards and guidelines developed by NIST in response to the Federal Information Security Management Act (FISMA).

The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.

Special Publication 800-39 provides a structured, yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.

The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the risk management guidance described herein is complementary to and should be used as part of a more comprehensive Enterprise Risk Management (ERM) program.


DoDI 8500.01

DoDI 8500.01, Cybersecurity, established a DoD cybersecurity program to protect and defend DoD information and IT. It establishes the positions of DoD Principal Authorizing Official (PAO) and the DoD Senior Information Security Officer (SISO) and continues the DoD Information Security Risk Management Committee (DoD ISRMC) (formerly known as the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel).

This policy adopted the term cybersecurity, as it is defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23, to be used throughout DoD instead of the term Information Assurance (IA).


CNSSP 22

CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems, requires the implementation of an integrated organization-wide program for managing IA risk to organizational operations (i.e., mission, functions, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of NSS. Risk management is a comprehensive process that requires organizations to frame risk, assess risk, respond to risk once determined, and monitor risk on an ongoing basis.


Do DI 8500 O I an NIST S P 800-37

across the feder

NIST SP 800-37

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, is a common information security framework for the federal government and its supporting contractors, developed as part of the Joint Task Force Transformation Initiative. It defines the following Risk Management Framework principles:

• Ensure management of risk from the operation and use of federal information systems is consistent with the organization's mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function).

• Ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes.

• Support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results.

• Achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies.


CNSSI 1253 (NSS)

CNSSI 1253, Security Categorization and Control Selection for National Security Systems, is a companion document to NIST SP 800-53 for organizations that employ NSS. It establishes the processes for categorizing NSS and the information they process, and for appropriately selecting security controls for NSS from NIST SP 800-53.


NIST SP 800-30

NIST SP 800-30 (Information Security) provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments carried out at all three tiers in the risk management hierarchy are part of an overall risk management process, providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.

In particular, this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and for how risk assessments and other organizational risk management processes complement and inform each other.

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis, so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and whether different courses of action should be taken.


DoDI 8510.01

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life-cycle cybersecurity risk to DoD IT. It designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG. Direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT became available, as did procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD, and between DoD and other federal agencies, for the authorization and connection of Information Systems (ISs).

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), applies to:

• The Office of the Secretary of Defense, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (referred to collectively in the instruction as the DoD Components).

• All DoD IT that receives, processes, stores, displays, or transmits DoD information. These technologies are broadly grouped as DoD Information Systems (IS), Platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, Test and Evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD.


CNSS 4009

CNSS 4009, National Information Assurance (IA) Glossary, contains IA terms submitted by the CNSS membership.


NIST SP 800-53

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government, to meet the requirements of Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.


NIST SP 800-53A

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans, and includes a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.


NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides for ongoing monitoring of security. This policy includes:

• Determining if security controls continue to be effective over time
• How to respond to risk as situations change
• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance


Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.


NIST SP 800-60

NIST SP 800-60 (Information Security) addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)
• Information systems (e.g., mission critical, mission support, administrative)


NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts and covers 11 core technical processes in systems and software development. The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities
• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle
• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied
• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria


Long Description

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies include:

• NIST SP 800-39: input into DoDI 8500.01
• NIST SP 800-37: input into DoDI 8500.01 and DoDI 8510.01
• NIST SP 800-30: input into DoDI 8510.01
• NIST SP 800-53: input into DoDI 8510.01
• NIST SP 800-53A: input into DoDI 8510.01
• NIST SP 800-137: input into DoDI 8510.01
• NIST SP 800-60: input into the Knowledge Service
• NIST SP 800-160: input into the Knowledge Service

NSS policies include:

• CNSSP 22: input into DoDI 8500.01
• CNSSI 1253 (with NIST SP 800-37): input into DoDI 8500.01 and DoDI 8510.01
• CNSS 4009: input into DoDI 8510.01


DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework: Decision Structure, NIST SP 800-37, FISMA 2014, CNSSI 1253.

Decision Structure

The DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.


NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF, consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.


FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014.

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (U.S.C.).


CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system, and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53

• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)

• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS
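The categorization step described above, worked through in Python as an added example (it is not part of the ISA220 course material): each information type's impact on confidentiality, integrity and availability is rolled up per objective, as CNSSI 1253 does, and the result is contrasted with the single FIPS 200 high-water mark. The information types and their impact values are constructed for illustration; real values come from the NIST SP 800-60 catalog and the system's own approved categorization.

```python
"""Security categorization: CNSSI 1253 per-objective values vs. FIPS 200 high-water mark.

Added example, not course material. Information types and impact values below are
constructed; a real categorization uses NIST SP 800-60 provisional values, adjusted
and approved for the specific system.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

LEVELS = ("LOW", "MODERATE", "HIGH")
RANK = {name: i for i, name in enumerate(LEVELS)}
OBJECTIVES = ("C", "I", "A")  # confidentiality, integrity, availability


@dataclass(frozen=True)
class InformationType:
    """One information type the system processes, with its C/I/A impact values."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impacts(self) -> Dict[str, str]:
        return {"C": self.confidentiality, "I": self.integrity, "A": self.availability}


def validate_level(level: str) -> str:
    """Reject anything outside the three impact levels (e.g. a typo like 'MEDIUM')."""
    if level not in RANK:
        raise ValueError(f"unknown impact level {level!r}; expected one of {LEVELS}")
    return level


def categorize_cnssi_1253(info_types: List[InformationType]) -> Dict[str, str]:
    """Per-objective categorization as CNSSI 1253 requires.

    Each of C, I and A is the highest impact among the information types the system
    processes, and the three values are kept separate: CNSSI 1253 does not collapse
    them into one overall level.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    result = {objective: "LOW" for objective in OBJECTIVES}
    for info_type in info_types:
        for objective, level in info_type.impacts().items():
            if RANK[validate_level(level)] > RANK[result[objective]]:
                result[objective] = level
    return result


def baseline_label(category: Dict[str, str]) -> str:
    """CNSSI 1253-style baseline identifier in C-I-A order, e.g. 'M-M-L'."""
    return "-".join(category[objective][0] for objective in OBJECTIVES)


def fips_200_high_water_mark(category: Dict[str, str]) -> str:
    """FIPS 200 (non-NSS) collapses the three objectives to their single highest level."""
    return max(category.values(), key=lambda level: RANK[level])


def compare(info_types: List[InformationType]) -> Tuple[Dict[str, str], str, str]:
    """Return (per-objective category, CNSSI 1253 label, FIPS 200 high-water mark)."""
    category = categorize_cnssi_1253(info_types)
    return category, baseline_label(category), fips_200_high_water_mark(category)


# Constructed sample: a support system holding PII, financial and administrative data.
SAMPLE_TYPES = [
    InformationType("Privacy (PII)", "MODERATE", "MODERATE", "LOW"),
    InformationType("Financial", "LOW", "MODERATE", "LOW"),
    InformationType("Administrative", "LOW", "LOW", "LOW"),
]

if __name__ == "__main__":
    category, label, hwm = compare(SAMPLE_TYPES)
    print("CNSSI 1253 categorization:", category, "->", label)
    print("FIPS 200 high-water mark:  ", hwm)
    # The availability baseline stays LOW under CNSSI 1253; the FIPS 200 high-water
    # mark would have pulled every objective up to MODERATE.
```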


DoD Risk Management Framework Policy (Cont.)

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process.

• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely, documented, and reported to the responsible DoD Component Senior Information Security Officer (SISO).

• All DoD Information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01.

• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.

• Continuous monitoring capabilities will be implemented to the greatest extent possible.

• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes.


Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ______ to establish a single approach to managing risk within National Security Systems. (Fill in the blank)

☐ U.S. Army ☐ U.S. Air Force ☐ U.S. Marine Corps ☐ U.S. Navy
☑ Intelligence Community ☑ National Institute of Standards and Technology (NIST) ☑ Committee on National Security Systems (CNSS)
☐ Department of Justice ☐ Department of Commerce
☐ Department of Interior

Answer: As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.


Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

☐ An information system connecting to another information system
☐ A system that has already been tested and evaluated to meet security requirements for another purpose
☑ A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information
☐ A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Answer: Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.


Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.

Tier 1 - Key Personnel and Resources

Select each item for more information on the key governance elements in Tier 1:

• DoD Chief Information Officer (CIO)
• DoD Senior Information Security Officer (SISO)
• Information Security Risk Management Committee (ISRMC)

Information Security Risk Management Committee (ISRMC)

The Risk Executive function consists of the DoD ISRMC, supported by the Defense Information Assurance (IA)/Security Accreditation Working Group (DSAWG).

The DoD ISRMC performs the DoD Risk Executive function as described in NIST SP 800-39. The committee:

• Provides strategic guidance to Tiers 2 and 3
• Assesses Tier 1 risk
• Authorizes information exchanges and connections for enterprise ISs, cross-mission area ISs, cross-security-domain connections, and mission partner connections

The DSAWG, in support of the DoD ISRMC, is the community forum for reviewing and resolving authorization issues related to the sharing of community risk. It develops and provides guidance to the AOs for IS connection to the DoD Information Enterprise. AOs who disagree with DSAWG decisions may appeal to the ISRMC.


Tier 1 - Key Personnel and Resources (Cont.)

Select each item for more information on the key governance elements in Tier 1:

• DoD Information Enterprise
• DoD Cybersecurity Architecture
• RMF Technical Advisory Group (TAG)
• RMF Knowledge Service (KS)

DoD Information Enterprise

Enables a new net-centric way of working, constructed from the information itself as well as a set of standards, services, and procedures that enable information to be widely available to authorized users.

The delivered set of services and tools will provide information and capabilities that enable end-user communities to more effectively and efficiently support mission operations. Finally, the DoD Information Enterprise includes the networks over which information travels and the security protocols that protect it. Further information: https://www.intelink.gov/wiki (Portal: DoD IE Strategic Plan and Roadmap)


DoD Cybersecurity Architecture

The DoD Cybersecurity Architecture consists of strategies, standards, and plans that have been developed for achieving an assured, integrated, and survivable information enterprise.


RMF Technical Advisory Group (TAG)

The RMF Technical Advisory Group (TAG) provides implementation guidance for the RMF by interfacing with the DoD Component cybersecurity programs, cybersecurity communities of interest (COIs), and other entities (e.g., DSAWG) to address issues that are common across all entities.


RMF Knowledge Service (KS)

The RMF Knowledge Service (KS) is a dynamic online knowledge base. It supports RMF implementation, planning, and execution, and functions as the authoritative source for RMF procedures and guidance.

https://rmfks.osd.mil/login.htm

Tier 1 - Organization

The benefits of Tier 1 are:

• Organization-wide security policies and procedures
• Oversight practices tailored to the organization's mission, operations, and needs
• Clear reporting processes for incident reporting, resource allocation, and the Congressional budget
• Prioritization of information security requirements and allocation of resources based on risk
• Development of more consistent and cost-effective organization-wide solutions
• Consolidation and streamlining of security solutions across the organization to improve interoperability
• Integration of information security considerations into system development life cycles to save time and money

Tier 2 - Mission/Business Processes

Tier 2 addresses risk from a mission and business process perspective at the DoD Component level (Army, Defense Logistics Agency, etc.) and is guided by the risk decisions at Tier 1. Tier 2 activities are closely associated with enterprise architecture and include:

• Defining the core missions and business processes for the organization (including any derivative or related missions and business processes carried out by subordinate organizations)

• Prioritizing missions and business processes with respect to the goals and objectives of the organization

Tier 2 - Mission/Business Processes (Cont.)

Tier 2 activities are closely associated with enterprise architecture and include:

• Defining the types of information that the organization needs to successfully execute the stated missions and business processes, and the information flows both internal and external to the organization

• Developing an organization-wide information protection strategy and incorporating high-level information security requirements into the core missions and business processes

• Specifying the degree of autonomy for subordinate organizations (i.e., organizations within the parent organization) that the parent organization permits for assessing, evaluating, mitigating, accepting, and monitoring risk

• Identifying priorities for the mission/business and providing guidance on sources of threat event information specific to the mission or line of business

• Identifying information production flow strategies and linkages to the organizational enterprise architecture

Tier 2 - Mission/Business Processes (Cont.)

A Principal Authorizing Official (PAO) is appointed for each of the DoD Mission Areas (MAs) and is a member of the DoD ISRMC. PAOs must:

• Represent the interests of the MA as defined in DoDD 8115.01 and, as required, issue authorization guidance specific to the MA consistent with DoDI 8510.01

• Resolve authorization issues in their MA and work with other PAOs to resolve issues among MAs as needed

• Designate Authorizing Officials (AOs) for Information and PIT systems in their MA/COIs specified in DoD 8320.02-G, in coordination with appropriate DoD Component heads if required

• Designate information security architects or IS security engineers for MA segments or systems of systems as needed

The DoD Component CIO, supported by the DoD Component SISO, is responsible for:

• Administering the RMF within the DoD Component cybersecurity program
• Participating in the RMF TAG
• Maintaining visibility and sharing of the RMF status of assigned IS and PIT systems
• Enforcing training requirements for persons participating in the RMF

The DoD Component SISO has the authority and responsibility for security controls assessment and must establish and manage a coordinated security assessment process for information technologies governed by the DoD Component cybersecurity program.

Note: All documents mentioned in this course can be found through the OSD Knowledge Service (CAC enabled). Link: https://rmfks.osd.mil/rmf/SiteResources/References/Pages/Links.aspx

Tier 3 - IS/PIT Systems

Tier 3 (IS and PIT systems) consists of:

Authorizing Official (AO): DoD Component heads are responsible for the appointment of trained and qualified AOs for all DoD ISs and PIT systems within their Component.

AOs should be appointed from senior leadership positions within business owner and mission owner organizations to promote accountability in authorization decisions that balance mission and business needs and security concerns.

IS or PIT System Cybersecurity Program: Consists of the policies, procedures, and activities of the Information System Owner (ISO), Program Manager/Systems Manager (PM/SM), User Representative (UR), Information System Security Manager (ISSM), and Information System Security Officers (ISSO) at the system level.

The Program implements and executes policy and guidance from Tier 1 and Tier 2 and augments them as needed. The Program is also responsible for establishing and maintaining the security of the system, including the monitoring and reporting of the system security status.

I Pbull ge 11 of 21 I Back Next


Successful Risk Management Programs

For acquisition programs and cybersecurity risk management to be successful, organizations need to:

• Conduct risk assessments

• Implement risk mitigation strategies

• Employ techniques and procedures for continuously monitoring the security state of information systems

An effective Risk Management Program allows balance between costs of protective measures and gains in mission capability.

Risk Management Guidance As It Relates to the DoD RMF

The DoD leverages several policy and guidance documents to address the Department's focus on risk management. Per Department of Defense Instruction (DoDI) 5000.02 and DoDI 8500.01, building cybersecurity into the system early and throughout the life cycle is required to enable operational and technical cybersecurity risks to be identified and sufficiently mitigated throughout the acquisition process. It will also lead to decreased program costs, shortened schedules, and improved system performance, resilience, and trustworthiness.

Following are two references cybersecurity professionals and program managers can use for guidance:

• The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs

• The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle

The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs, dated January 2017, replaces the DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs dated June 2015 and the Risk Management Guide for DoD Acquisition Programs dated 2006. This guide builds from previous editions of the DoD Risk Management Guide but reflects revisions to emphasize managing not only program risks but also issues and opportunities, and is complementary to the Risk Management Framework.

The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle is designed to help Program Managers (PMs) understand how to integrate cybersecurity into their programs throughout the system life cycle. This should be done in accordance with the RMF and through collaboration with the Authorizing Official (AO), who ensures that the cybersecurity risk posture of the system is managed and maintained during operations.

Knowledge Review 1

The process of managing risks to organizational operations, organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system includes:

[ ] conducting a risk assessment

[ ] the implementation of a risk mitigation strategy

[ ] documenting the overall risk management program

[x] all of the above

Check Answer: Conducting a risk assessment, implementing a risk mitigation strategy, and documenting the overall risk management program are the processes of managing risks.

Federal-wide Partnership to Establish Single Approach to Risk Management for National Security Systems

In 2009, the Joint Task Force Transformation Initiative Interagency Working Group was formed with representatives from NIST, DoD, CNSS, and the Office of the Director of National Intelligence (ODNI) to produce a unified information risk management framework for the federal government.

The move to the RMF aligns the DoD with the Federal government's risk management approach as described in the Joint Task Force Transformation Initiative Interagency Working Group efforts and captured in NIST 800-series Special Publications on information security.

DoD leverages and builds upon numerous existing Federal policies and standards, resulting in less DoD policy to write and maintain.

DoD participates in CNSS and NIST policy development as a vested stakeholder, with the goals of a more synchronized cybersecurity landscape and to protect the unique requirements of DoD Missions and warfighters.

[Figure: Joint Task Force Transformation Initiative. Long description: The Department of Defense (DoD), IC, Civil, and the CNSS form the Joint Task Force Transformation Initiative. This initiative provides Risk Management for the Federal Government, DoD, Intelligence Community, Other Government Agencies, CNSS, and NIST.]

DoDI Policies and Risk Management

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD-specific needs.

Please select each box of the framework for an overview of the policy. The links to the policies will be made available in the Resources section.

[Figure: policy framework boxes. NIST: NIST SP 800-39, NIST SP 800-37, NIST SP 800-30, NIST SP 800-53, NIST SP 800-53A, NIST SP 800-137, NIST SP 800-60, NIST SP 800-160. DoD: DoDI 8500.01, DoDI 8510.01, Knowledge Service. NSS: CNSSP 22, CNSSI 1253, CNSS 4009.]

NIST SP 800-39

NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, is the flagship document in the series of information security standards and guidelines developed by NIST in response to the Federal Information Security Management Act (FISMA).

The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.

Special Publication 800-39 provides a structured, yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.

The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the risk management guidance described herein is complementary to and should be used as part of a more comprehensive Enterprise Risk Management (ERM) program.

DoDI 8500.01

DoDI 8500.01, Cybersecurity, established a DoD cybersecurity program to protect and defend DoD information and IT. It establishes the positions of DoD Principal Authorizing Official (PAO) and the DoD Senior Information Security Officer (SISO) and continues the DoD Information Security Risk Management Committee (DoD ISRMC) (formerly known as the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel).

This policy adopted the term "cybersecurity" as it is defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23, to be used throughout DoD instead of the term Information Assurance (IA).

CNSSP No. 22

CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems, requires the implementation of an integrated organization-wide program for managing IA risk to organizational operations (i.e., mission, functions, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of NSS. Risk management is a comprehensive process that requires organizations to frame risk, assess risk, respond to risk once determined, and monitor risk on an ongoing basis.

NIST SP 800-37

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, is a common information security framework for the federal government and its supporting contractors as part of the Joint Task Force Transformation Initiative, and defines the following Risk Management Framework principles:

• Ensure management of risk from the operation and use of federal information systems is consistent with the organization's mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function)

• Ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes

• Support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results

• Achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies

CNSSI 1253

CNSSI 1253, Security Categorization and Control Selection for National Security Systems, is a companion document to NIST SP 800-53 for organizations that employ NSS. It establishes the processes for categorizing NSS and the information they process, and for appropriately selecting security controls for NSS from NIST SP 800-53.

NIST SP 800-30

NIST SP 800-30, Information Security, provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments, carried out at all three tiers in the risk management hierarchy, are part of an overall risk management process, providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.

In particular, this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and how risk assessments and other organizational risk management processes complement and inform each other.

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis, so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and different courses of action should be taken.

DoDI 8510.01

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life cycle cybersecurity risk to DoD IT. It designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG. The direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT became available. Procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD, and between DoD and other federal agencies, for the authorization and connection of Information Systems (ISs) became available.

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), applies to:

• The Office of the Secretary of Defense, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (referred to collectively in the instruction as the DoD Components)

• All DoD IT that receives, processes, stores, displays, or transmits DoD information. These technologies are broadly grouped as DoD Information Systems (IS), Platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, Test and Evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD.

CNSS 4009

CNSS 4009, National Information Assurance (IA) Glossary, contains IA terms submitted by the CNSS membership.

NIST SP 800-53

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.

NIST SP 800-53A

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans, and includes a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.

NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides ongoing monitoring of security. This policy includes:

• Determining if security controls continue to be effective over time

• How to respond to risk as situations change

• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance

Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.

NIST SP 800-60

NIST SP 800-60, Information Security, addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)

• Information systems (e.g., mission critical, mission support, administrative)

NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts and covers 11 core technical processes in systems and software development.

The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities

• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle

• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied

• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and to serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria

[Figure: policy framework. Long description: DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies include:

• NIST SP 800-39, input into DoDI 8500.01

• NIST SP 800-37, input into DoDI 8500.01 and DoDI 8510.01

• NIST SP 800-30, input into DoDI 8510.01

• NIST SP 800-53, input into DoDI 8510.01

• NIST SP 800-53A, input into DoDI 8510.01

• NIST SP 800-137, input into DoDI 8510.01

• NIST SP 800-60, input into the Knowledge Service

• NIST SP 800-160, input into the Knowledge Service

NSS policies include:

• CNSSP 22, input into DoDI 8500.01

• CNSSI 1253 / NIST SP 800-37, input into DoDI 8500.01 and DoDI 8510.01

• CNSS 4009, input into DoDI 8510.01]

DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework: Decision Structure, NIST SP 800-37, FISMA 2014, CNSSI 1253.

Decision Structure

The DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.


NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.

[Figure: cover of NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems]

FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014. DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (U.S.C.).

CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53
• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)
• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS

DoD Risk Management Framework Policy (Cont.)

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process.
• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely, documented, and reported to the responsible DoD Component Senior Information Security Officer (SISO).
• All DoD Information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01.
• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.
• Continuous monitoring capabilities will be implemented to the greatest extent possible.
• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes.

Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ________ to establish a single approach to managing risk within National Security Systems. (Fill in the blank)

( ) U.S. Army, U.S. Air Force, U.S. Marine Corps, U.S. Navy
(x) Intelligence Community, National Institute of Standards and Technology (NIST), Committee on National Security Systems (CNSS)
( ) Department of Justice, Department of Commerce, Department of Interior

Answer: As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.

Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

( ) An information system connecting to another information system
( ) A system that has already been tested and evaluated to meet security requirements for another purpose
(x) A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information
( ) A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Answer: Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.

Lesson Completion

You have completed the content for this lesson.

Tier 1 - Key Personnel and Resources (Cont.)

Key governance elements in Tier 1: DoD Information Enterprise, DoD Cybersecurity Architecture, RMF Technical Advisory Group (TAG), and RMF Knowledge Service (KS).

DoD Information Enterprise

Enables a new net-centric way of working, constructed from the information itself as well as a set of standards, services, and procedures that enable information to be widely available to authorized users.

The delivered set of services and tools will provide information and capabilities that enable end-user communities to more effectively and efficiently support mission operations. Finally, the DoD Information Enterprise includes the networks over which information travels and the security protocols that protect it. Further information: https://www.intelink.gov/wiki (Portal: DoD IE Strategic Plan and Roadmap).

DoD Cybersecurity Architecture

The DoD Cybersecurity Architecture consists of strategies, standards, and plans that have been developed for achieving an assured, integrated, and survivable information enterprise.

RMF Technical Advisory Group (TAG)

The RMF Technical Advisory Group (TAG) provides implementation guidance to the RMF by interfacing with the DoD Component cybersecurity programs, cybersecurity communities of interest (COIs), and other entities (e.g., DSAWG) to address issues that are common across all entities.

RMF Knowledge Service (KS)

The RMF Knowledge Service (KS) is a dynamic online knowledge base. It supports RMF implementation, planning, and execution and functions as the authoritative source for RMF procedures and guidance. https://rmfks.osd.mil/login.htm

Tier 1 - Organization

The benefits of Tier 1 are:

• Organization-wide security policies and procedures
• Oversight practices tailored to the organization's mission, operations, and needs
• Clear reporting processes for incident reporting, resource allocation, and Congressional budget
• Prioritization of information security requirements and allocation of resources based on risk
• Development of more consistent and cost-effective organization-wide solutions
• Consolidation and streamlining of security solutions across the organization to improve interoperability
• Information security considerations are integrated into the system development life cycles to save time and money

Tier 2 - Mission/Business Processes

Tier 2 addresses risk from a mission and business process perspective at the DoD Component level (Army, Defense Logistics Agency, etc.) and is guided by the risk decisions at Tier 1. Tier 2 activities are closely associated with enterprise architecture and include:

• Defining the core missions and business processes for the organization (including any derivative or related missions and business processes carried out by subordinate organizations)
• Prioritizing missions and business processes with respect to the goals and objectives of the organization

Tier 2 - Mission/Business Processes (Cont.)

Tier 2 activities are closely associated with enterprise architecture and include:

• Defining the types of information that the organization needs to successfully execute the stated missions and business processes, and the information flows both internal and external to the organization
• Developing an organization-wide information protection strategy and incorporating high-level information security requirements into the core missions and business processes
• Specifying the degree of autonomy for subordinate organizations (i.e., organizations within the parent organization) that the parent organization permits for assessing, evaluating, mitigating, accepting, and monitoring risk
• Identifying priorities for the mission/business and providing guidance on sources of threat event information specific to the mission or line of business
• Identifying information production flow strategies and linkages to organizational enterprise architecture

Tier 2 - Mission/Business Processes (Cont.)

A Principal Authorizing Official (PAO) is appointed for each of the DoD Mission Areas (MAs) and is a member of the DoD ISRMC. PAOs must:

• Represent the interests of the MA as defined in DoDD 8115.01 and, as required, issue authorization guidance specific to the MA consistent with DoDI 8510.01
• Resolve authorization issues in their MA and work with other PAOs to resolve issues among MAs as needed
• Designate Authorizing Officials (AOs) for Information and PIT systems in their MA COIs specified in DoD 8320.02-G, in coordination with appropriate DoD Component heads if required
• Designate information security architects or IS security engineers for MA segments or systems of systems as needed

The DoD Component CIO, supported by the DoD Component SISO, is responsible for:

• Administering the RMF within the DoD Component cybersecurity program
• Participating in the RMF TAG
• Maintaining visibility and sharing of the RMF status of assigned IS and PIT systems
• Enforcing training requirements for persons participating in the RMF

The DoD Component SISO has the authority and responsibility for security controls assessment and must establish and manage a coordinated security assessment process for information technologies governed by the DoD Component cybersecurity program.

Note: All documents mentioned in this course can be found through the OSD Knowledge Service (CAC enabled). Link: https://rmfks.osd.mil/rmf/SiteResources/References/Pages/Links.aspx

Tier 3 - IS/PIT Systems

Tier 3 (IS and PIT systems) consists of:

Authorizing Official (AO)

DoD Component heads are responsible for the appointment of trained and qualified AOs for all DoD ISs and PIT systems within their Component. AOs should be appointed from senior leadership positions within business owner and mission owner organizations to promote accountability in authorization decisions that balance mission and business needs and security concerns.

IS or PIT System Cybersecurity Program

Consists of the policies, procedures, and activities of the Information System Owner (ISO), Program Manager/Systems Manager (PM/SM), User Representative (UR), Information System Security Manager (ISSM), and Information System Security Officers (ISSO) at the system level.

The Program implements and executes policy and guidance from Tier 1 and Tier 2 and augments them as needed. Also, the Program is responsible for establishing and maintaining the security of the system, including the monitoring and reporting of the system security status.

Successful Risk Management Programs

For acquisition programs and cybersecurity risk management to be successful, organizations need to:

• Conduct risk assessments
• Implement risk mitigation strategies
• Employ techniques and procedures for continuously monitoring the security state of information systems

An effective Risk Management Program allows balance between costs of protective measures and gains in mission capability.

Risk Management Guidance As It Relates to the DoD RMF

The DoD leverages several policy and guidance documents to address the Department's focus on risk management. Per Department of Defense Instruction (DoDI) 5000.02 and DoDI 8500.01, building cybersecurity into the system early and throughout the life cycle is required to enable operational and technical cybersecurity risks to be identified and sufficiently mitigated throughout the acquisition process. It will also lead to decreased program costs, shortened schedules, and improved system performance, resilience, and trustworthiness.

Following are two references cybersecurity professionals and program managers can use for guidance:

• The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs
• The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle

The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs, dated January 2017, replaces the DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs dated June 2015 and the Risk Management Guide for DoD Acquisition Programs dated 2006. This guide builds from previous editions of the DoD Risk Management Guide but reflects revisions to emphasize managing not only program risks but also issues and opportunities, and is complementary to the Risk Management Framework.

The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle is designed to help Program Managers (PMs) understand how to integrate cybersecurity into their programs throughout the system life cycle. This should be done in accordance with the RMF and through collaboration with the Authorizing Official (AO), who ensures that the cybersecurity risk posture of the system is managed and maintained during operations.

Knowledge Review 1

The process of managing risks to organizational operations, organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system includes:

( ) conducting a risk assessment
( ) the implementation of a risk mitigation strategy
( ) documenting the overall risk management program
(x) all of the above

Answer: Conducting a risk assessment, implementing a risk mitigation strategy, and documenting the overall risk management program are the processes of managing risks.

Federal-wide Partnership to Establish Single Approach to Risk Management for National Security Systems

In 2009, the Joint Task Force Transformation Initiative Interagency Working Group was formed with representatives from NIST, DoD, CNSS, and the Office of the Director of National Intelligence (ODNI) to produce a unified information risk management framework for the federal government.

The move to the RMF aligns the DoD with the Federal government's risk management approach as described in the Joint Task Force Transformation Initiative Interagency Working Group efforts and captured in NIST 800-series Special Publications on information security.

DoD leverages and builds upon numerous existing Federal policies and standards, resulting in less DoD policy to write and maintain.

DoD participates in CNSS and NIST policy development as a vested stakeholder, with the goals of a more synchronized cybersecurity landscape and to protect the unique requirements of DoD Missions and warfighters.

Figure (long description): The Department of Defense (DoD), IC, Civil, and the CNSS form the Joint Task Force Transformation Initiative. This initiative provides Risk Management for the Federal Government, DoD, Intelligence Community, Other Government Agencies, CNSS, and NIST.

DoDI Policies and Risk Management

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD-specific needs.

Figure: policy framework in three columns. NIST: NIST SP 800-39, NIST SP 800-37, NIST SP 800-30, NIST SP 800-53, NIST SP 800-53A, NIST SP 800-137, NIST SP 800-60, NIST SP 800-160. DoD: DoDI 8500.01, DoDI 8510.01, Knowledge Service. NSS: CNSSP 22, CNSSI 1253, CNSS 4009. The links to the policies are available in the Resources section.

NIST SP 800-39

NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, is the flagship document in the series of information security standards and guidelines developed by NIST in response to the Federal Information Security Management Act (FISMA).

The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.

Special Publication 800-39 provides a structured, yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.

The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the risk management guidance described herein is complementary to and should be used as part of a more comprehensive Enterprise Risk Management (ERM) program.

DoDI 8500.01

DoDI 8500.01, Cybersecurity, established a DoD cybersecurity program to protect and defend DoD information and IT. It establishes the positions of DoD Principal Authorizing Official (PAO) and the DoD Senior Information Security Officer (SISO), and continues the DoD Information Security Risk Management Committee (DoD ISRMC) (formerly known as the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel).

This policy adopted the term "cybersecurity" as it is defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23, to be used throughout DoD instead of the term Information Assurance (IA).

CNSSP No. 22

CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems, requires the implementation of an integrated organization-wide program for managing IA risk to organizational operations (i.e., mission, functions, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of NSS. Risk management is a comprehensive process that requires organizations to frame risk, assess risk, respond to risk once determined, and monitor risk on an ongoing basis.

NIST SP 800-37

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, is a common information security framework for the federal government and its supporting contractors as part of the Joint Task Force Transformation Initiative and defines the following Risk Management Framework principles:

• Ensure management of risk from the operation and use of federal information systems is consistent with the organization's mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function)
• Ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes
• Support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results
• Achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies

CNSSI 1253

CNSSI 1253, Security Categorization and Control Selection for National Security Systems, is a companion document to NIST SP 800-53 for organizations that employ NSS. It establishes the processes for categorizing NSS and the information they process and for appropriately selecting security controls for NSS from NIST SP 800-53.

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 8500 O I an NIST S P 800-30

across the feder

NIST SP 800-30, Information Security, provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments carried out at all three tiers in the risk management hierarchy are part of an overall risk management process, providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.

In particular, this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and how risk assessments and other organizational risk management processes complement and inform each other.

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis, so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and whether different courses of action should be taken.

DoDI 8510.01

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life-cycle cybersecurity risk to DoD IT. It designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG. Direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT became available, as did procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD, and between DoD and other federal agencies, for the authorization and connection of Information Systems (ISs).

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), applies to:

• The Office of the Secretary of Defense, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (referred to collectively in the instruction as the DoD Components)

• All DoD IT that receives, processes, stores, displays, or transmits DoD information. These technologies are broadly grouped as DoD Information Systems (IS), Platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, Test and Evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD.

CNSS 4009

CNSS 4009, National Information Assurance (IA) Glossary, contains IA terms submitted by the CNSS membership.

NIST SP 800-53

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government, to meet the requirements of Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.

NIST SP 800-53A

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans, and includes a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.

NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides guidance on the ongoing monitoring of security. This policy includes:

• Determining if security controls continue to be effective over time

• How to respond to risk as situations change

• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance

Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.

NIST SP 800-60

NIST SP 800-60, Information Security, addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)

• Information systems (e.g., mission critical, mission support, administrative)

NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts and covers 11 core technical processes in systems and software development.

The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities

• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle

• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied

• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria

Long Description

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies include:

• NIST SP 800-39, input into DoDI 8500.01
• NIST SP 800-37, input into DoDI 8500.01 and DoDI 8510.01
• NIST SP 800-30, input into DoDI 8510.01
• NIST SP 800-53, input into DoDI 8510.01
• NIST SP 800-53A, input into DoDI 8510.01
• NIST SP 800-137, input into DoDI 8510.01
• NIST SP 800-60, input into the Knowledge Service
• NIST SP 800-160, input into the Knowledge Service

NSS policies include:

• CNSSP 22, input into DoDI 8500.01
• CNSSI 1253, input into DoDI 8500.01 and DoDI 8510.01
• CNSS 4009, input into DoDI 8510.01


DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework.

Decision Structure

The DoD will establish and use an integrated, enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.

NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF, consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.

FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014.

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (USC).

CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system, and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53

• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)

• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS


DoD Risk Management Framework Policy (Cont.)

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process.

• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely, documented, and reported to the responsible DoD Component Senior Information Security Officer (SISO).

• All DoD Information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01.

• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.

• Continuous monitoring capabilities will be implemented to the greatest extent possible.

• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes.


Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ________ to establish a single approach to managing risk within National Security Systems. (Fill in the blank)

• US Army
• US Air Force
• US Marine Corps
• US Navy
• Intelligence Community (correct)
• National Institute of Standards and Technology (NIST) (correct)
• Committee on National Security Systems (CNSS) (correct)
• Department of Justice
• Department of Commerce
• Department of Interior

Answer: As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.

</gr_replreplace>
<gr_replace lines="11217-11229" cat="reformat" orig="An important">
An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

• An information system connecting to another information system

• A system that has already been tested and evaluated to meet security requirements for another purpose

• A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information (correct)

• A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Answer: Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.

Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity What is reciprocity

D An information system connecting to another information system

D A system that has already been tested and evaluated to meet security requirements for another purpose

~ A mutual agreement among participating enterprises to accept each others security assessments in order to reuse information system resources and or to accept each others assessed security posture in order to share information

0 A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Check Answer

Reciprocity is a mutual agreement among participating enterprises to accept each others security assessments in order to reuse information system resources and or to accept each others assessed security posture in order to share information


Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.


Tier 1 - Key Personnel and Resources (Cont.)

Select each item for more information on the key governance elements in Tier 1:

• DoD Information Enterprise
• DoD Cybersecurity Architecture
• RMF Technical Advisory Group (TAG)
• RMF Knowledge Service (KS)

DoD Cybersecurity Architecture

The DoD Cybersecurity Architecture consists of strategies, standards, and plans that have been developed for achieving an assured, integrated, and survivable information enterprise.


RMF Technical Advisory Group (TAG)

The RMF Technical Advisory Group (TAG) provides implementation guidance to the RMF by interfacing with the DoD Component cybersecurity programs, cybersecurity communities of interest (COIs), and other entities (e.g., DSAWG) to address issues that are common across all entities.


RMF Knowledge Service (KS)

The RMF Knowledge Service (KS) is a dynamic online knowledge base. It supports RMF implementation, planning, and execution, and functions as the authoritative source for RMF procedures and guidance.

https://rmfks.osd.mil/login.htm


Tier 1 - Organization

The benefits of Tier 1 are:

• Organization-wide security policies and procedures

• Oversight practices tailored to the organization's mission, operations, and needs

• Clear reporting processes for incident reporting, resource allocation, and the Congressional budget

• Prioritization of information security requirements and allocation of resources based on risk

• Development of more consistent and cost-effective organization-wide solutions

• Consolidation and streamlining of security solutions across the organization to improve interoperability

• Information security considerations are integrated into the system development life cycles to save time and money


Tier 2 - Mission/Business Processes

Tier 2 addresses risk from a mission and business process perspective at the DoD Component level (Army, Defense Logistics Agency, etc.) and is guided by the risk decisions at Tier 1. Tier 2 activities are closely associated with enterprise architecture and include:

• Defining the core missions and business processes for the organization (including any derivative or related missions and business processes carried out by subordinate organizations)

• Prioritizing missions and business processes with respect to the goals and objectives of the organization


Tier 2 - Mission/Business Processes (Cont.)

Tier 2 activities are closely associated with enterprise architecture and include:

• Defining the types of information that the organization needs to successfully execute the stated missions and business processes, and the information flows both internal and external to the organization

• Developing an organization-wide information protection strategy and incorporating high-level information security requirements into the core missions and business processes

• Specifying the degree of autonomy for subordinate organizations (i.e., organizations within the parent organization) that the parent organization permits for assessing, evaluating, mitigating, accepting, and monitoring risk

• Identifying priorities for the mission/business and providing guidance on sources of threat event information specific to the mission or line of business

• Identifying information production flow strategies and linkages to the organizational enterprise architecture


Tier 2 - Mission/Business Processes (Cont.)

A Principal Authorizing Official (PAO) is appointed for each of the DoD Mission Areas (MAs) and is a member of the DoD ISRMC. PAOs must:

• Represent the interests of the MA as defined in DoDD 8115.01 and, as required, issue authorization guidance specific to the MA consistent with DoDI 8510.01

• Resolve authorization issues in their MA and work with other PAOs to resolve issues among MAs as needed

• Designate Authorizing Officials (AOs) for Information and PIT systems in their MA (COIs specified in DoD 8320.02-G), in coordination with appropriate DoD Component heads if required

• Designate information security architects or IS security engineers for MA segments or systems of systems as needed

The DoD Component CIO, supported by the DoD Component SISO, is responsible for:

• Administering the RMF within the DoD Component cybersecurity program

• Participating in the RMF TAG

• Maintaining visibility and sharing of the RMF status of assigned IS and PIT systems

• Enforcing training requirements for persons participating in the RMF

The DoD Component SISO has the authority and responsibility for security controls assessment and must establish and manage a coordinated security assessment process for information technologies governed by the DoD Component cybersecurity program.

Note: All documents mentioned in this course can be found through the OSD Knowledge Service (CAC enabled). Link: https://rmfks.osd.mil/rmf/SiteResources/References/Pages/Links.aspx


Tier 3 - IS/PIT Systems

Tier 3 (IS and PIT systems) consists of:

Authorizing Official: DoD Component heads are responsible for the appointment of trained and qualified AOs for all DoD ISs and PIT systems within their Component. AOs should be appointed from senior leadership positions within business owner and mission owner organizations to promote accountability in authorization decisions that balance mission and business needs and security concerns.

IS or PIT System Cybersecurity Program: Consists of the policies, procedures, and activities of the Information System Owner (ISO), Program Manager/Systems Manager (PM/SM), User Representative (UR), Information System Security Manager (ISSM), and Information System Security Officers (ISSO) at the system level. The Program implements and executes policy and guidance from Tier 1 and Tier 2 and augments them as needed. The Program is also responsible for establishing and maintaining the security of the system, including the monitoring and reporting of the system security status.


Successful Risk Management Programs

For acquisition programs and cybersecurity risk management to be successful, organizations need to:

• Conduct risk assessments

• Implement risk mitigation strategies

• Employ techniques and procedures for continuously monitoring the security state of information systems

An effective Risk Management Program allows balance between the costs of protective measures and gains in mission capability.


Risk Management Guidance As It Relates to the DoD RMF

The DoD leverages several policy and guidance documents to address the Department's focus on risk management. Per Department of Defense Instruction (DoDI) 5000.02 and DoDI 8500.01, building cybersecurity into the system early and throughout the life cycle is required to enable operational and technical cybersecurity risks to be identified and sufficiently mitigated throughout the acquisition process. It will also lead to decreased program costs, shortened schedules, and improved system performance, resilience, and trustworthiness.

Following are two references cybersecurity professionals and program managers can use for guidance:

• The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs

• The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle


The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs, dated January 2017, replaces the DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs dated June 2015 and the Risk Management Guide for DoD Acquisition Programs dated 2006. This guide builds from previous editions of the DoD Risk Management Guide but reflects revisions to emphasize managing not only program risks but also issues and opportunities, and it is complementary to the Risk Management Framework.


The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle is designed to help Program Managers (PMs) understand how to integrate cybersecurity into their programs throughout the system life cycle. This should be done in accordance with the RMF and through collaboration with the Authorizing Official (AO), who ensures that the cybersecurity risk posture of the system is managed and maintained during operations.

Knowledge Review 1

The process of managing risks to organizational operations, organizational assets, individuals, other organizations, or the Nation resulting from the operation or use of an information system includes:

[ ] conducting a risk assessment

[ ] the implementation of a risk mitigation strategy

[ ] documenting the overall risk management program

[x] all of the above

Check Answer

Conducting a risk assessment, implementing a risk mitigation strategy, and documenting the overall risk management program are the processes of managing risks.

Federal-wide Partnership to Establish Single Approach to Risk Management for National Security Systems

In 2009, the Joint Task Force Transformation Initiative Interagency Working Group was formed with representatives from NIST, DoD, CNSS, and the Office of the Director of National Intelligence (ODNI) to produce a unified information risk management framework for the federal government.

The move to the RMF aligns the DoD with the Federal government's risk management approach as described in the Joint Task Force Transformation Initiative Interagency Working Group efforts and captured in NIST 800-series Special Publications on information security.

[Figure: the Department of Defense (DoD), the Intelligence Community (IC), Civil agencies, and the CNSS form the Joint Task Force Transformation Initiative, which provides risk management for the Federal Government, DoD, the Intelligence Community, other government agencies, CNSS, and NIST.]

DoD leverages and builds upon numerous existing Federal policies and standards, resulting in less DoD policy to write and maintain.

DoD participates in CNSS and NIST policy development as a vested stakeholder, with the goals of a more synchronized cybersecurity landscape and protecting the unique requirements of DoD Missions and warfighters.

DoDI Policies and Risk Management

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD-specific needs.

Select each box of the framework for an overview of the policy. The links to the policies will be made available in the Resources section.

[Diagram of the policy framework. NIST: SP 800-39, SP 800-37, SP 800-30, SP 800-53, SP 800-53A, SP 800-137, SP 800-60, SP 800-160. DoD: DoDI 8500.01, DoDI 8510.01, RMF Knowledge Service. NSS: CNSSP 22, CNSSI 1253, CNSS 4009.]

NIST SP 800-39

NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, is the flagship document in the series of information security standards and guidelines developed by NIST in response to the Federal Information Security Management Act (FISMA).

The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.

Special Publication 800-39 provides a structured, yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.

The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the risk management guidance described herein is complementary to, and should be used as part of, a more comprehensive Enterprise Risk Management (ERM) program.

DoDI 8500.01

DoDI 8500.01, Cybersecurity, established a DoD cybersecurity program to protect and defend DoD information and IT. It establishes the positions of DoD Principal Authorizing Official (PAO) and DoD Senior Information Security Officer (SISO) and continues the DoD Information Security Risk Management Committee (DoD ISRMC) (formerly known as the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel).

This policy adopted the term cybersecurity, as it is defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23, to be used throughout DoD instead of the term Information Assurance (IA).

CNSSP No. 22

CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems, requires the implementation of an integrated, organization-wide program for managing IA risk to organizational operations (i.e., mission, functions, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of NSS. Risk management is a comprehensive process that requires organizations to frame risk, assess risk, respond to risk once determined, and monitor risk on an ongoing basis.

NIST SP 800-37

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, is a common information security framework for the federal government and its supporting contractors as part of the Joint Task Force Transformation Initiative, and defines the following Risk Management Framework principles:

• Ensure management of risk from the operation and use of federal information systems is consistent with the organization's mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function)

• Ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes

• Support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results

• Achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies

CNSSI 1253

CNSSI 1253, Security Categorization and Control Selection for National Security Systems, is a companion document to NIST SP 800-53 for organizations that employ NSS. It establishes the processes for categorizing NSS and the information they process, and for appropriately selecting security controls for NSS from NIST SP 800-53.

NIST SP 800-30

NIST SP 800-30, Information Security, provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments carried out at all three tiers in the risk management hierarchy are part of an overall risk management process, providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.

In particular, this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and how risk assessments and other organizational risk management processes complement and inform each other.

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis, so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and different courses of action should be taken.

DoDI 8510.01

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life cycle cybersecurity risk to DoD IT. It designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG. The direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT became available. Procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD, and between DoD and other federal agencies, for the authorization and connection of Information Systems (ISs) became available.

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), applies to:

• The Office of the Secretary of Defense, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (referred to collectively in the instruction as the DoD Components)

• All DoD IT that receives, processes, stores, displays, or transmits DoD information. These technologies are broadly grouped as DoD Information Systems (IS), Platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, Test and Evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD.

CNSS 4009

CNSS 4009, National Information Assurance (IA) Glossary, contains IA terms submitted by the CNSS membership.

NIST SP 800-53

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.

NIST SP 800-53A

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans, and includes a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.

NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides ongoing monitoring of security. This policy includes:

• Determining if security controls continue to be effective over time

• How to respond to risk as situations change

• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance

RMF Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.

NIST SP 800-60

NIST SP 800-60, Information Security, addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)

• Information systems (e.g., mission critical, mission support, administrative)

NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts, and covers 11 core technical processes in systems and software development.

The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities

• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle

• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied

• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria

Long Description: DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies include:

• NIST SP 800-39: input into DoDI 8500.01

• NIST SP 800-37: input into DoDI 8500.01 and DoDI 8510.01

• NIST SP 800-30: input into DoDI 8510.01

• NIST SP 800-53: input into DoDI 8510.01

• NIST SP 800-53A: input into DoDI 8510.01

• NIST SP 800-137: input into DoDI 8510.01

• NIST SP 800-60: input into the Knowledge Service

• NIST SP 800-160: input into the Knowledge Service

NSS policies include:

• CNSSP 22: input into DoDI 8500.01

• CNSSI 1253, NIST SP 800-37: input into DoDI 8500.01 and DoDI 8510.01

• CNSS 4009: input into DoDI 8510.01

DoD Risk Management Framework Policy

Select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework: Decision Structure, NIST SP 800-37, FISMA 2014, CNSSI 1253.

Decision Structure

The DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.

NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF, consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.

FISMA 2014

The RMF must satisfy the requirements o f the Federal Information Security Modernization Act (FISMA) of 2014

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (U.S.C.).

CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system and select security controls based on those impact values, in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53

• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)

• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS

DoD Risk Management Framework Policy, Cont.

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process.

• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely documented and reported to the responsible DoD Component Senior Information Security Officer (SISO).

• All DoD Information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01.

• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.

• Continuous monitoring capabilities will be implemented to the greatest extent possible.

• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes.

Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ______ to establish a single approach to managing risk within National Security Systems. (Fill in the blank)

[ ] US Army, US Air Force, US Marine Corps, US Navy

[x] Intelligence Community, National Institute of Standards and Technology (NIST), Committee on National Security Systems (CNSS)

[ ] Department of Justice, Department of Commerce

[ ] Department of Interior

Check Answer

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.

Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

[ ] An information system connecting to another information system

[ ] A system that has already been tested and evaluated to meet security requirements for another purpose

[x] A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information

[ ] A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Check Answer

Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.


Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left. If you have closed or hidden the Table of Contents, click the Show TOC button at the top of the Atlas navigation bar.


Tier 1 - Key Personnel and Resources (Cont.)

The key governance elements in Tier 1 are:

• DoD Information Enterprise
• DoD Cybersecurity Architecture
• RMF Technical Advisory Group (TAG)
• RMF Knowledge Service (KS)

RMF Technical Advisory Group (TAG)

The RMF Technical Advisory Group (TAG) provides implementation guidance for the RMF by interfacing with the DoD Component cybersecurity programs, cybersecurity communities of interest (COIs), and other entities (e.g., the DSAWG) to address issues that are common across all entities.

RMF Knowledge Service (KS)

The RMF Knowledge Service (KS) is a dynamic online knowledge base. It supports RMF implementation, planning, and execution, and functions as the authoritative source for RMF procedures and guidance.

https://rmfks.osd.mil/login.htm


Tier 1 - Organization

The benefits of Tier 1 are:

• Organization-wide security policies and procedures
• Oversight practices tailored to the organization's mission, operations, and needs
• Clear reporting processes for incident reporting, resource allocation, and the Congressional budget
• Prioritization of information security requirements and allocation of resources based on risk
• Development of more consistent and cost-effective organization-wide solutions
• Consolidation and streamlining of security solutions across the organization to improve interoperability
• Information security considerations integrated into the system development life cycle to save time and money


Tier 2 - Mission/Business Processes

Tier 2 addresses risk from a mission and business process perspective (that of a DoD Component such as the Army or the Defense Logistics Agency) and is guided by the risk decisions made at Tier 1. Tier 2 activities are closely associated with enterprise architecture and include:

• Defining the core missions and business processes for the organization (including any derivative or related missions and business processes carried out by subordinate organizations)
• Prioritizing missions and business processes with respect to the goals and objectives of the organization
• Defining the types of information that the organization needs to successfully execute the stated missions and business processes, and the information flows both internal and external to the organization
• Developing an organization-wide information protection strategy and incorporating high-level information security requirements into the core missions and business processes
• Specifying the degree of autonomy for subordinate organizations (i.e., organizations within the parent organization) that the parent organization permits for assessing, evaluating, mitigating, accepting, and monitoring risk
• Identifying priorities for the mission/business and providing guidance on sources of threat event information specific to the mission or line of business
• Identifying information production flow strategies and linkages to the organizational enterprise architecture


Tier 2 - Mission/Business Processes (Cont.)

A Principal Authorizing Official (PAO) is appointed for each of the DoD Mission Areas (MAs) and is a member of the DoD ISRMC. PAOs must:

• Represent the interests of the MA as defined in DoDD 8115.01 and, as required, issue authorization guidance specific to the MA consistent with DoDI 8510.01
• Resolve authorization issues in their MA and work with other PAOs to resolve issues among MAs as needed
• Designate Authorizing Officials (AOs) for IS and PIT systems in their MA and in the COIs specified in DoD 8320.02-G, in coordination with the appropriate DoD Component heads if required
• Designate information security architects or IS security engineers for MA segments or systems of systems as needed

The DoD Component CIO, supported by the DoD Component SISO, is responsible for:

• Administering the RMF within the DoD Component cybersecurity program
• Participating in the RMF TAG
• Maintaining visibility and sharing of the RMF status of assigned IS and PIT systems
• Enforcing training requirements for persons participating in the RMF

The DoD Component SISO has the authority and responsibility for security controls assessment and must establish and manage a coordinated security assessment process for information technologies governed by the DoD Component cybersecurity program.

Note: All documents mentioned in this course can be found through the OSD Knowledge Service (CAC enabled). Link: https://rmfks.osd.mil/rmf/SiteResources/References/Pages/Links.aspx


Tier 3 - IS/PIT Systems

Tier 3 (IS and PIT systems) consists of the Authorizing Official and the IS or PIT system cybersecurity program.

Authorizing Official (AO): DoD Component heads are responsible for the appointment of trained and qualified AOs for all DoD ISs and PIT systems within their Component. AOs should be appointed from senior leadership positions within business owner and mission owner organizations to promote accountability in authorization decisions that balance mission and business needs and security concerns.

IS or PIT System Cybersecurity Program: Consists of the policies, procedures, and activities of the Information System Owner (ISO), Program Manager/Systems Manager (PM/SM), User Representative (UR), Information System Security Manager (ISSM), and Information System Security Officers (ISSO) at the system level. The program implements and executes policy and guidance from Tier 1 and Tier 2 and augments them as needed. The program is also responsible for establishing and maintaining the security of the system, including the monitoring and reporting of the system security status.


Successful Risk Management Programs

For acquisition programs and cybersecurity risk management to be successful, organizations need to:

• Conduct risk assessments
• Implement risk mitigation strategies
• Employ techniques and procedures for continuously monitoring the security state of information systems

An effective Risk Management Program allows a balance between the costs of protective measures and the gains in mission capability.


Risk Management Guidance As It Relates to the DoD RMF

The DoD leverages several policy and guidance documents to address the Department's focus on risk management. Per Department of Defense Instruction (DoDI) 5000.02 and DoDI 8500.01, building cybersecurity into the system early and throughout the life cycle is required to enable operational and technical cybersecurity risks to be identified and sufficiently mitigated throughout the acquisition process. It will also lead to decreased program costs, shortened schedules, and improved system performance, resilience, and trustworthiness.

Following are two references cybersecurity professionals and program managers can use for guidance:

• The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs
• The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle

The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs, dated January 2017, replaces the DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs dated June 2015 and the Risk Management Guide for DoD Acquisition Programs dated 2006. This guide builds from previous editions of the DoD Risk Management Guide but reflects revisions that emphasize managing not only program risks but also issues and opportunities, and it is complementary to the Risk Management Framework.

The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle is designed to help Program Managers (PMs) understand how to integrate cybersecurity into their programs throughout the system life cycle. This should be done in accordance with the RMF and through collaboration with the Authorizing Official (AO), who ensures that the cybersecurity risk posture of the system is managed and maintained during operations.


Knowledge Review 1

The process of managing risks to organizational operations, organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system includes:

• conducting a risk assessment
• the implementation of a risk mitigation strategy
• documenting the overall risk management program
• all of the above (correct)

Answer: Conducting a risk assessment, implementing a risk mitigation strategy, and documenting the overall risk management program are the processes of managing risks.


Federal-wide Partnership to Establish a Single Approach to Risk Management for National Security Systems

In 2009, the Joint Task Force Transformation Initiative Interagency Working Group was formed with representatives from NIST, DoD, CNSS, and the Office of the Director of National Intelligence (ODNI) to produce a unified information risk management framework for the federal government.

The move to the RMF aligns the DoD with the Federal government's risk management approach as described in the Joint Task Force Transformation Initiative Interagency Working Group efforts and captured in the NIST 800-series Special Publications on information security.

Long description: The Department of Defense (DoD), the Intelligence Community (IC), Civil agencies, and the CNSS form the Joint Task Force Transformation Initiative. This initiative provides risk management for the Federal Government: DoD, the Intelligence Community, other Government Agencies, CNSS, and NIST.

DoD leverages and builds upon numerous existing Federal policies and standards, resulting in less DoD policy to write and maintain.

DoD participates in CNSS and NIST policy development as a vested stakeholder, with the goals of a more synchronized cybersecurity landscape and protecting the unique requirements of DoD missions and warfighters.

DoDI Policies and Risk Management

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD-specific needs.

The framework diagram groups the policies as follows; the links to the policies are in the Resources section, and an overview of each policy follows.

• NIST: NIST SP 800-39, NIST SP 800-37, NIST SP 800-30, NIST SP 800-53, NIST SP 800-53A, NIST SP 800-137, NIST SP 800-60, NIST SP 800-160
• DoD: DoDI 8500.01, DoDI 8510.01, Knowledge Service
• NSS: CNSSP 22, CNSSI 1253, CNSS 4009

NIST SP 800-39

NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, is the flagship document in the series of information security standards and guidelines developed by NIST in response to the Federal Information Security Management Act (FISMA).

The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.

Special Publication 800-39 provides a structured yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.

The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the risk management guidance described herein is complementary to, and should be used as part of, a more comprehensive Enterprise Risk Management (ERM) program.

DoDI 8500.01

DoDI 8500.01, Cybersecurity, established a DoD cybersecurity program to protect and defend DoD information and IT. It establishes the positions of DoD Principal Authorizing Official (PAO) and DoD Senior Information Security Officer (SISO) and continues the DoD Information Security Risk Management Committee (DoD ISRMC), formerly known as the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel.

This policy adopted the term "cybersecurity" as it is defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23, to be used throughout DoD instead of the term Information Assurance (IA).

CNSSP No. 22

CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems, requires the implementation of an integrated, organization-wide program for managing IA risk to organizational operations (i.e., mission, functions, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of NSS. Risk management is a comprehensive process that requires organizations to frame risk, assess risk, respond to risk once determined, and monitor risk on an ongoing basis.

NIST SP 800-37

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, is a common information security framework for the federal government and its supporting contractors, developed as part of the Joint Task Force Transformation Initiative. It defines the following Risk Management Framework principles:

• Ensure that management of risk from the operation and use of federal information systems is consistent with the organization's mission/business objectives and the overall risk strategy established by senior leadership through the risk executive (function)
• Ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes
• Support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results
• Achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies

CNSSI 1253

CNSSI 1253, Security Categorization and Control Selection for National Security Systems, is a companion document to NIST SP 800-53 for organizations that employ NSS. It establishes the processes for categorizing NSS and the information they process, and for appropriately selecting security controls for NSS from NIST SP 800-53.

NIST SP 800-30

NIST SP 800-30, Guide for Conducting Risk Assessments, provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments carried out at all three tiers in the risk management hierarchy are part of an overall risk management process, providing senior leaders and executives with the information needed to determine appropriate courses of action in response to identified risks.

In particular, this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and for how risk assessments and other organizational risk management processes complement and inform each other.

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis, so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and whether different courses of action should be taken.
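The cycle that the SP 800-30 overview above and the earlier "Successful Risk Management Programs" page describe (assess each risk, respond with a mitigation, keep monitoring the risk factors, and re-check the result against the tolerance set at Tier 1 and the autonomy granted to lower tiers) can be made concrete with a small risk register. The following Python is an added example written for this page; it is not course material and not any DoD tool. Its assumptions: 0-10 likelihood and impact scores combined by product and then binned stand in for SP 800-30's look-up tables; the 0-100 bins are my reading of the semi-quantitative scale in SP 800-30 Rev. 1 (verify against the publication before reuse); the AUTONOMY table, the "Moderate" tolerance, and the register entries are constructed sample data.

```python
"""Added example: a minimal frame / assess / respond / monitor risk register.
Not from the ISA220 course or any DoD system; all scales and data are assumptions."""
from dataclasses import dataclass, field

# Qualitative levels in ascending order of severity (as used by SP 800-30).
ORDER = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Assumption: 0-100 semi-quantitative bins as read from SP 800-30 Rev. 1
# (Appendix G-I); check the publication before using them for real.
BINS = [(96, "Very High"), (80, "High"), (21, "Moderate"), (5, "Low"), (0, "Very Low")]

# Assumption (Tier 2 "degree of autonomy" bullet): the highest level each
# tier may accept on its own authority without escalating upward.
AUTONOMY = {1: "High", 2: "Moderate", 3: "Low"}


def to_level(value):
    """Map a 0-100 semi-quantitative value to its qualitative level."""
    if not 0 <= value <= 100:
        raise ValueError("semi-quantitative values are 0-100")
    for floor, name in BINS:          # BINS is sorted from highest floor down
        if value >= floor:
            return name
    raise AssertionError("unreachable: floor 0 always matches")


def risk_level(likelihood, impact):
    """Combine 0-10 likelihood and 0-10 impact into a risk level.
    Assumption: product then bin; SP 800-30 itself uses a look-up table."""
    for v in (likelihood, impact):
        if not 0 <= v <= 10:
            raise ValueError("likelihood and impact scores are 0-10")
    return to_level(likelihood * impact)


def exceeds(level, tolerance):
    """True when a risk level is strictly above the given tolerance."""
    return ORDER.index(level) > ORDER.index(tolerance)


@dataclass
class Risk:
    risk_id: str
    threat_event: str
    tier: int                  # 1 organization, 2 mission/business, 3 IS/PIT system
    likelihood: int            # 0-10
    impact: int                # 0-10
    response: str = "accept"   # accept | mitigate | transfer | avoid
    history: list = field(default_factory=list)   # (level, response) before each change

    @property
    def level(self):
        return risk_level(self.likelihood, self.impact)


def assess(register):
    """Assess step: current risk level for every register entry."""
    return {r.risk_id: r.level for r in register}


def acceptance_authority(risk):
    """Lowest tier (highest number) at or above the risk's own tier that may
    accept it under AUTONOMY; None means escalate beyond Tier 1."""
    for tier in range(risk.tier, 0, -1):
        if not exceeds(risk.level, AUTONOMY[tier]):
            return tier
    return None


def respond(risk, response, new_likelihood=None, new_impact=None):
    """Respond step: record the decision and, for a mitigation, the residual scores."""
    risk.history.append((risk.level, risk.response))
    risk.response = response
    if new_likelihood is not None:
        risk.likelihood = new_likelihood
    if new_impact is not None:
        risk.impact = new_impact
    return risk.level                     # residual level after the response


def monitor(register, tolerance, factor_updates):
    """Monitor step: apply observed changes to risk factors and return the
    entries that now exceed tolerance as (id, old_level, new_level).
    factor_updates: {risk_id: {"likelihood": int and/or "impact": int}}"""
    flagged = []
    for r in register:
        if r.risk_id not in factor_updates:
            continue
        old = r.level
        r.history.append((old, r.response))
        for factor, value in factor_updates[r.risk_id].items():
            setattr(r, factor, value)
        if exceeds(r.level, tolerance):
            flagged.append((r.risk_id, old, r.level))
    return flagged


def demo():
    """Constructed walk-through on sample data (not a real assessment)."""
    tolerance = "Moderate"   # assumed Tier 1 organizational risk tolerance
    register = [
        Risk("R-1", "Unpatched remote service on a mission system", tier=3, likelihood=10, impact=8),
        Risk("R-2", "Loss of the sole supplier of a critical component", tier=2, likelihood=2, impact=10),
    ]
    before = assess(register)                                  # R-1 High, R-2 Low
    residual = respond(register[0], "mitigate", new_likelihood=5)   # patched: Moderate
    flagged = monitor(register, tolerance, {"R-2": {"likelihood": 10}})  # supplier lost
    return before, residual, flagged


if __name__ == "__main__":
    print(demo())
```

The point of `monitor` is the third bullet of the "Successful Risk Management Programs" page: a risk accepted at one assessment is only acceptable while its factors stay where they were, so every factor update re-derives the level and compares it with the tolerance instead of trusting the stored decision. `acceptance_authority` encodes the Tier 2 autonomy idea: a system-level (Tier 3) risk that exceeds what Tier 3 may accept must go up to Tier 2 or Tier 1.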

DoDI 8510.01

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life-cycle cybersecurity risk to DoD IT. It designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG. Direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT became available, as did procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD, and between DoD and other federal agencies, for the authorization and connection of Information Systems (ISs).

DoDI 8510.01 applies to:

• The Office of the Secretary of Defense, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (referred to collectively in the instruction as the "DoD Components")
• All DoD IT that receives, processes, stores, displays, or transmits DoD information. These technologies are broadly grouped as DoD Information Systems (IS), Platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, Test and Evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD.

CNSS 4009

CNSS 4009, National Information Assurance (IA) Glossary, contains IA terms submitted by the CNSS membership.

NIST SP 800-53

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government, to meet the requirements of Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.

NIST SP 800-53A

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans, and includes a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.

NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, provides guidance on the ongoing monitoring of security. This includes:

• Determining whether security controls continue to be effective over time
• How to respond to risk as situations change
• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance

RMF Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.

NIST SP 800-60

NIST SP 800-60, Information Security, addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)
• Information systems (e.g., mission critical, mission support, administrative)

NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts and covers 11 core technical processes in systems and software development.

The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities
• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle
• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied
• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes and serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria

Long Description

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies include:

• NIST SP 800-39: input into DoDI 8500.01
• NIST SP 800-37: input into DoDI 8500.01 and DoDI 8510.01
• NIST SP 800-30: input into DoDI 8510.01
• NIST SP 800-53: input into DoDI 8510.01
• NIST SP 800-53A: input into DoDI 8510.01
• NIST SP 800-137: input into DoDI 8510.01
• NIST SP 800-60: input into the Knowledge Service
• NIST SP 800-160: input into the Knowledge Service

• CNSSP 22: input into DoDI 8500.01
• CNSSI 1253: input into DoDI 8500.01 and DoDI 8510.01
• CNSS 4009: input into DoDI 8510.01

DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework.

Decision Structure

The DoD will establish and use an integrated, enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.

NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.

FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014.

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (U.S.C.).

CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53
• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)
• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS

DoD Risk Management Framework Policy, Cont.

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process.
• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely documented and reported to the responsible DoD Component Senior Information Security Officer (SISO).
• All DoD Information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01.
• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.
• Continuous monitoring capabilities will be implemented to the greatest extent possible.
• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes.

Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ________ to establish a single approach to managing risk within National Security Systems. (Fill in the blank)

[ ] U.S. Army
[ ] U.S. Air Force
[ ] U.S. Marine Corps
[ ] U.S. Navy
[x] Intelligence Community
[x] National Institute of Standards and Technology (NIST)
[x] Committee on National Security Systems (CNSS)
[ ] Department of Justice
[ ] Department of Commerce
[ ] Department of Interior

Check Answer

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.

Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

[ ] An information system connecting to another information system
[ ] A system that has already been tested and evaluated to meet security requirements for another purpose
[x] A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information
[ ] A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Check Answer

Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.

Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.


Tier 1 - Key Personnel and Resources, Cont.

Select each item for more information on the key governance elements in Tier 1:

DoD Information Enterprise

DoD Cybersecurity Architecture

RMF Technical Advisory Group (TAG)

RMF Knowledge Service (KS)

RMF Knowledge Service (KS)

The RMF Knowledge Service (KS) is a dynamic online knowledge base. It supports RMF implementation planning and execution and functions as the authoritative source for RMF procedures and guidance.

https://rmfks.osd.mil/login.htm

Tier 1 - Organization

The benefits of Tier 1 are:

• Organization-wide security policies and procedures
• Oversight practices tailored to the organization's mission, operations, and needs
• Clear reporting processes for incident reporting, resource allocation, and Congressional budget
• Prioritization of information security requirements and allocation of resources based on risk
• Development of more consistent and cost-effective organization-wide solutions
• Consolidation and streamlining of security solutions across the organization to improve interoperability
• Information security considerations are integrated into the system development life cycles to save time and money

Tier 2 - Mission/Business Processes

Tier 2, the DoD Component (Army, Defense Logistics Agency, etc.) level, addresses risk from a mission and business process perspective and is guided by the risk decisions at Tier 1. Tier 2 activities are closely associated with enterprise architecture and include:

• Defining the core missions and business processes for the organization (including any derivative or related missions and business processes carried out by subordinate organizations)
• Prioritizing missions and business processes with respect to the goals and objectives of the organization

Tier 2 - Mission/Business Processes, Cont.

Tier 2 activities are closely associated with enterprise architecture and include:

• Defining the types of information that the organization needs to successfully execute the stated missions and business processes, and the information flows both internal and external to the organization
• Developing an organization-wide information protection strategy and incorporating high-level information security requirements into the core missions and business processes
• Specifying the degree of autonomy for subordinate organizations (i.e., organizations within the parent organization) that the parent organization permits for assessing, evaluating, mitigating, accepting, and monitoring risk
• Identifying priorities for the mission/business and providing guidance on sources of threat event information specific to the mission or line of business
• Identifying information production flow strategies and linkages to organizational enterprise architecture

Tier 2 - Mission/Business Processes, Cont.

A Principal Authorizing Official (PAO) is appointed for each of the DoD Mission Areas (MAs) and is a member of the DoD ISRMC. PAOs must:

• Represent the interests of the MA, as defined in DoDD 8115.01, and, as required, issue authorization guidance specific to the MA consistent with DoDI 8510.01
• Resolve authorization issues in their MA and work with other PAOs to resolve issues among MAs as needed
• Designate Authorizing Officials (AOs) for Information and PIT systems in their MA, COIs specified in DoD 8320.02-G, in coordination with appropriate DoD Component heads if required
• Designate information security architects or IS security engineers for MA segments or systems of systems as needed

The DoD Component CIO, supported by the DoD Component SISO, is responsible for:

• Administering the RMF within the DoD Component cybersecurity program
• Participating in the RMF TAG
• Maintaining visibility and sharing of the RMF status of assigned IS and PIT systems
• Enforcing training requirements for persons participating in the RMF

The DoD Component SISO has the authority and responsibility for security controls assessment and must establish and manage a coordinated security assessment process for information technologies governed by the DoD Component cybersecurity program.

Note: All documents mentioned in this course can be found through the OSD Knowledge Service (CAC enabled). Link: https://rmfks.osd.mil/rmf/SiteResources/References/Pages/Links.aspx

Tier 3 - IS/PIT Systems

Tier 3, IS and PIT systems, consists of:

Authorizing Official: DoD Component heads are responsible for the appointment of trained and qualified AOs for all DoD ISs and PIT systems within their Component.

AOs should be appointed from senior leadership positions within business owner and mission owner organizations to promote accountability in authorization decisions that balance mission and business needs and security concerns.

IS or PIT System Cybersecurity Program: Consists of the policies, procedures, and activities of the Information System Owner (ISO), Program Manager/Systems Manager (PM/SM), User Representative (UR), Information System Security Manager (ISSM), and Information System Security Officers (ISSO) at the system level.

The Program implements and executes policy and guidance from Tier 1 and Tier 2 and augments them as needed. The Program is also responsible for establishing and maintaining the security of the system, including the monitoring and reporting of the system security status.


Successful Risk Management Programs

For acquisition programs and cybersecurity risk management to be successful, organizations need to:

• Conduct risk assessments
• Implement risk mitigation strategies
• Employ techniques and procedures for continuously monitoring the security state of information systems

An effective Risk Management Program allows balance between the costs of protective measures and gains in mission capability.

Risk Management Guidance As It Relates to the DoD RMF

The DoD leverages several policy and guidance documents to address the Department's focus on risk management. Per Department of Defense Instruction (DoDI) 5000.02 and DoDI 8500.01, building cybersecurity into the system early and throughout the life cycle is required to enable operational and technical cybersecurity risks to be identified and sufficiently mitigated throughout the acquisition process. It will also lead to decreased program costs, shortened schedules, and improved system performance, resilience, and trustworthiness.

Following are two references cybersecurity professionals and program managers can use for guidance:

• The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs
• The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle

The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs, dated January 2017, replaces the DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs dated June 2015 and the Risk Management Guide for DoD Acquisition Programs dated 2006. This guide builds from previous editions of the DoD Risk Management Guide but reflects revisions to emphasize managing not only program risks but also issues and opportunities, and is complementary to the Risk Management Framework.

The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle is designed to help Program Managers (PMs) understand how to integrate cybersecurity into their programs throughout the system life cycle. This should be done in accordance with the RMF and through collaboration with the Authorizing Official (AO), who ensures that the cybersecurity risk posture of the system is managed and maintained during operations.

Knowledge Review 1

The process of managing risks to organizational operations, organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system includes:

[ ] conducting a risk assessment
[ ] the implementation of a risk mitigation strategy
[ ] documenting the overall risk management program
[x] all of the above

Check Answer

Conducting a risk assessment, implementing a risk mitigation strategy, and documenting the overall risk management program are the processes of managing risks.

Federal-wide Partnership to Establish Single Approach to Risk Management for National Security Systems

In 2009, the Joint Task Force Transformation Initiative Interagency Working Group was formed with representatives from NIST, DoD, CNSS, and the Office of the Director of National Intelligence (ODNI) to produce a unified information risk management framework for the federal government.

The move to the RMF aligns the DoD with the Federal government's risk management approach as described in the Joint Task Force Transformation Initiative Interagency Working Group efforts and captured in NIST 800-series Special Publications on information security.

DoD leverages and builds upon numerous existing Federal policies and standards, resulting in less DoD policy to write and maintain.

DoD participates in CNSS and NIST policy development as a vested stakeholder, with the goals of a more synchronized cybersecurity landscape and to protect the unique requirements of DoD Missions and warfighters.

Long Description: The Department of Defense (DoD), IC, Civil, and the CNSS form the Joint Task Force Transformation Initiative. This initiative provides Risk Management for the Federal Government, DoD, Intelligence Community, Other Government Agencies, CNSS, and NIST.

DoDI Policies and Risk Management

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD-specific needs.

Please select each box of the framework for an overview of the policy. The links to the policies will be made available in the Resources section.

[Framework diagram: NIST policies (SP 800-39, 800-37, 800-30, 800-53, 800-53A, 800-137, 800-60, 800-160) and NSS policies (CNSSP 22, CNSSI 1253, CNSS 4009) feed into DoDI 8500.01, DoDI 8510.01, and the Knowledge Service.]

NIST SP 800-39

NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, is the flagship document in the series of information security standards and guidelines developed by NIST in response to the Federal Information Security Management Act (FISMA).

The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.

Special Publication 800-39 provides a structured, yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.

The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the risk management guidance described herein is complementary to and should be used as part of a more comprehensive Enterprise Risk Management (ERM) program.

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 850001 and 851001 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD specific needs

Please select each box of t he framework for an overview of t he policy The links to t he policies will be made ava ilable in t he Resources section

OoOI 850001

DoDI 8500 01 Cybersecurit y established a DoD cybersecurity program to protect and defend DoD information and IT It establishes the positions of DoD Principal Authorizing Official (PAO) and the DoD Senior In formation Security Officer (SISO) and continues the DoD In formation Security Risk Management Committee (DoD ISRMC) ( formerly known as the Defense In formation Systems Network (DISN)Global In formation Grid (GIG) Flag Panel )

This policy adopted the term cybersecurity as it is defined in National Securit y Presidential Directive-54 Homeland Securit y Presidential Directive-23 to be used throughout DoD instead of the term In formation Assurance ( IA )


CNSSP No. 22

CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems, requires the implementation of an integrated organization-wide program for managing IA risk to organizational operations (i.e., mission, functions, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of NSS. Risk management is a comprehensive process that requires organizations to frame risk, assess risk, respond to risk once determined, and monitor risk on an ongoing basis.


NIST SP 800-37

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, is a common information security framework for the federal government and its supporting contractors, developed as part of the Joint Task Force Transformation Initiative, and defines the following Risk Management Framework principles:

• Ensure management of risk from the operation and use of federal information systems is consistent with the organization's mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function).

• Ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes.

• Support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results.

• Achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies.


CNSSI 1253

CNSSI 1253, Security Categorization and Control Selection for National Security Systems, is a companion document to NIST SP 800-53 for organizations that employ NSS. It establishes the processes for categorizing NSS and the information they process, and for appropriately selecting security controls for NSS from NIST SP 800-53.


NIST SP 800-30

NIST SP 800-30, Information Security, provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments carried out at all three tiers in the risk management hierarchy are part of an overall risk management process, providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.

In particular, this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and how risk assessments and other organizational risk management processes complement and inform each other.

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis, so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and different courses of action should be taken.


DoDI 8510.01

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life-cycle cybersecurity risk to DoD IT. It designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG. Direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT became available, as did procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD, and between DoD and other federal agencies, for the authorization and connection of Information Systems (ISs).

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), applies to:

• The Office of the Secretary of Defense, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (referred to collectively in the instruction as the DoD Components).

• All DoD IT that receives, processes, stores, displays, or transmits DoD information. These technologies are broadly grouped as DoD Information Systems (IS), Platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, Test and Evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD.


CNSS 4009

CNSS 4009, National Information Assurance (IA) Glossary, contains IA terms submitted by the CNSS membership.


NIST SP 800-53

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government, to meet the requirements of Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.


NIST SP 800-53A

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans, and includes a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.


NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides for ongoing monitoring of security. This policy includes:

• Determining if security controls continue to be effective over time

• How to respond to risk as situations change

• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance


Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.


NIST SP 800-60

NIST SP 800-60, Information Security, addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)

• Information systems (e.g., mission critical, mission support, administrative)


NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts and covers 11 core technical processes in systems and software development.

The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities

• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle

• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied

• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria


Long Description

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies include:

• NIST SP 800-39: input into DoDI 8500.01
• NIST SP 800-37: input into DoDI 8500.01 and DoDI 8510.01
• NIST SP 800-30: input into DoDI 8510.01
• NIST SP 800-53: input into DoDI 8510.01
• NIST SP 800-53A: input into DoDI 8510.01
• NIST SP 800-137: input into DoDI 8510.01
• NIST SP 800-60: input into the Knowledge Service
• NIST SP 800-160: input into the Knowledge Service

CNSS policies include:

• CNSSP 22: input into DoDI 8500.01
• CNSSI 1253 (with NIST SP 800-37): input into DoDI 8500.01 and DoDI 8510.01
• CNSS 4009: input into DoDI 8510.01


DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework.

Decision Structure

The DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.

NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF, consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.

FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014.

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (USC).

CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system, and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53

• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)

• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS


DoD Risk Management Framework Policy (Cont.)

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process.

• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely, documented, and reported to the responsible DoD Component Senior Information Security Officer (SISO).

• All DoD Information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01.

• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.

• Continuous monitoring capabilities will be implemented to the greatest extent possible.

• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes.


Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ______ to establish a single approach to managing risk within National Security Systems. (Fill in the blank)

• US Army, US Air Force, US Marine Corps, US Navy

• Intelligence Community, National Institute of Standards and Technology (NIST), Committee on National Security Systems (CNSS) (correct)

• Department of Justice, Department of Commerce

• Department of Interior

Answer: As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.


Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

• An information system connecting to another information system

• A system that has already been tested and evaluated to meet security requirements for another purpose

• A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information (correct)

• A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Answer: Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.


Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.


Tier 1 - Organization

The benefits of Tier 1 are:

• Organization-wide security policies and procedures

• Oversight practices tailored to the organization's mission, operations, and needs

• Clear reporting processes for incident reporting, resource allocation, and Congressional budget

• Prioritization of information security requirements and allocation of resources based on risk

• Development of more consistent and cost-effective organization-wide solutions

• Consolidation and streamlining of security solutions across the organization to improve interoperability

• Information security considerations are integrated into the system development life cycles to save time and money


Tier 2 - Mission/Business Processes

Tier 2 addresses risk from a mission and business process perspective (at the DoD Component level: Army, Defense Logistics Agency, etc.) and is guided by the risk decisions at Tier 1. Tier 2 activities are closely associated with enterprise architecture and include:

• Defining the core missions and business processes for the organization (including any derivative or related missions and business processes carried out by subordinate organizations)

• Prioritizing missions and business processes with respect to the goals and objectives of the organization


Tier 2 - Mission/Business Processes (Cont.)

Tier 2 activities are closely associated with enterprise architecture and include:

• Defining the types of information that the organization needs to successfully execute the stated missions and business processes, and the information flows both internal and external to the organization

• Developing an organization-wide information protection strategy and incorporating high-level information security requirements into the core missions and business processes

• Specifying the degree of autonomy for subordinate organizations (i.e., organizations within the parent organization) that the parent organization permits for assessing, evaluating, mitigating, accepting, and monitoring risk

• Identifying priorities for the mission/business and providing guidance on sources of threat event information specific to the mission or line of business

• Identifying information production flow strategies and linkages to organizational enterprise architecture


Tier 2 - Mission/Business Processes (Cont.)

A Principal Authorizing Official (PAO) is appointed for each of the DoD Mission Areas (MAs) and is a member of the DoD ISRMC. PAOs must:

• Represent the interests of the MA, as defined in DoDD 8115.01, and as required issue authorization guidance specific to the MA consistent with DoDI 8510.01

• Resolve authorization issues in their MA and work with other PAOs to resolve issues among MAs as needed

• Designate Authorizing Officials (AOs) for Information and PIT systems in their MA COIs specified in DoD 8320.02-G, in coordination with appropriate DoD Component heads if required

• Designate information security architects or IS security engineers for MA segments or systems of systems as needed

The DoD Component CIO, supported by the DoD Component SISO, is responsible for:

• Administering the RMF within the DoD Component cybersecurity program

• Participating in the RMF TAG

• Maintaining visibility and sharing of the RMF status of assigned IS and PIT systems

• Enforcing training requirements for persons participating in the RMF

The DoD Component SISO has the authority and responsibility for security controls assessment and must establish and manage a coordinated security assessment process for information technologies governed by the DoD Component cybersecurity program.

Note: All documents mentioned in this course can be found through the OSD Knowledge Service (CAC enabled). Link: https://rmfks.osd.mil/rmf/SiteResources/References/Pages/Links.aspx


Tier 3 - IS/PIT Systems

Tier 3, IS and PIT systems, consists of:

Authorizing Official: DoD Component heads are responsible for the appointment of trained and qualified AOs for all DoD ISs and PIT systems within their Component. AOs should be appointed from senior leadership positions within business owner and mission owner organizations to promote accountability in authorization decisions that balance mission and business needs and security concerns.

IS or PIT System Cybersecurity Program: Consists of the policies, procedures, and activities of the Information System Owner (ISO), Program Manager/Systems Manager (PM/SM), User Representative (UR), Information System Security Manager (ISSM), and Information System Security Officers (ISSO) at the system level. The Program implements and executes policy and guidance from Tier 1 and Tier 2 and augments them as needed. The Program is also responsible for establishing and maintaining the security of the system, including the monitoring and reporting of the system security status.


Successful Risk Management Programs

For acquisition programs and cybersecurity risk management to be successful, organizations need to:

• Conduct risk assessments

• Implement risk mitigation strategies

• Employ techniques and procedures for continuously monitoring the security state of information systems

An effective Risk Management Program allows a balance between the costs of protective measures and gains in mission capability.


Risk Management Guidance As It Relates to the DoD RMF

The DoD leverages several policy and guidance documents to address the Department's focus on risk management. Per Department of Defense Instruction (DoDI) 5000.02 and DoDI 8500.01, building cybersecurity into the system early and throughout the life cycle is required to enable operational and technical cybersecurity risks to be identified and sufficiently mitigated throughout the acquisition process. It will also lead to decreased program costs, shortened schedules, and improved system performance, resilience, and trustworthiness.

Following are two references cybersecurity professionals and program managers can use for guidance:

• The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs

• The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle


The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs, dated January 2017, replaces the DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs dated June 2015 and the Risk Management Guide for DoD Acquisition Programs dated 2006. This guide builds from previous editions of the DoD Risk Management Guide but reflects revisions to emphasize managing not only program risks but also issues and opportunities, and it is complementary to the Risk Management Framework.


The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle is designed to help Program Managers (PMs) understand how to integrate cybersecurity into their programs throughout the system life cycle. This should be done in accordance with the RMF and through collaboration with the Authorizing Official (AO), who ensures that the cybersecurity risk posture of the system is managed and maintained during operations.


Knowledge Review 1

The process of managing risks to organizational operations, organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system includes:

• conducting a risk assessment

• the implementation of a risk mitigation strategy

• documenting the overall risk management program

• all of the above (correct answer)

Answer: Conducting a risk assessment, implementing a risk mitigation strategy, and documenting the overall risk management program are the processes of managing risks.


Federal-wide Partnership to Establish Single Approach to Risk Management for National Security Systems

In 2009, the Joint Task Force Transformation Initiative Interagency Working Group was formed with representatives from NIST, DoD, CNSS, and the Office of the Director of National Intelligence (ODNI) to produce a unified information risk management framework for the federal government.

The move to the RMF aligns the DoD with the Federal government's risk management approach as described in the Joint Task Force Transformation Initiative Interagency Working Group efforts and captured in NIST 800-series Special Publications on information security.

DoD leverages and builds upon numerous existing Federal policies and standards, resulting in less DoD policy to write and maintain.

DoD participates in CNSS and NIST policy development as a vested stakeholder, with the goals of a more synchronized cybersecurity landscape and to protect the unique requirements of DoD Missions and warfighters.


[Figure: Joint Task Force Transformation Initiative. Long description: The Department of Defense (DoD), IC, Civil, and the CNSS form the Joint Task Force Transformation Initiative. This initiative provides Risk Management for the Federal Government, DoD, Intelligence Community, Other Government Agencies, CNSS, and NIST.]


DoDI Policies and Risk Management

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD-specific needs.

Please select each box of the framework for an overview of the policy. The links to the policies will be made available in the Resources section.

[Figure: policy framework with three columns. NIST: NIST SP 800-39, NIST SP 800-37, NIST SP 800-30, NIST SP 800-53, NIST SP 800-53A, NIST SP 800-137, NIST SP 800-60, NIST SP 800-160. DoD: DoDI 8500.01, DoDI 8510.01, Knowledge Service. NSS: CNSSP 22, CNSSI 1253, CNSS 4009.]


NIST SP 800-39

NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, is the flagship document in the series of information security standards and guidelines developed by NIST in response to the Federal Information Security Management Act (FISMA).

The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.

Special Publication 800-39 provides a structured, yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.

The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the risk management guidance described herein is complementary to, and should be used as part of, a more comprehensive Enterprise Risk Management (ERM) program.


DoDI 8500.01

DoDI 8500.01, Cybersecurity, established a DoD cybersecurity program to protect and defend DoD information and IT. It establishes the positions of DoD Principal Authorizing Official (PAO) and DoD Senior Information Security Officer (SISO) and continues the DoD Information Security Risk Management Committee (DoD ISRMC), formerly known as the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel.

This policy adopted the term cybersecurity, as it is defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23, to be used throughout DoD instead of the term Information Assurance (IA).


CNSSP No. 22

CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems, requires the implementation of an integrated organization-wide program for managing IA risk to organizational operations (i.e., mission, functions, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of NSS. Risk management is a comprehensive process that requires organizations to frame risk, assess risk, respond to risk once determined, and monitor risk on an ongoing basis.


NIST SP 800-37

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, is a common information security framework for the federal government and its supporting contractors as part of the Joint Task Force Transformation Initiative, and defines the following Risk Management Framework principles:

• Ensure management of risk from the operation and use of federal information systems is consistent with the organization's mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function)

• Ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes

• Support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results

• Achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies


CNSSI 1253

CNSSI 1253, Security Categorization and Control Selection for National Security Systems, is a companion document to NIST SP 800-53 for organizations that employ NSS. It establishes the processes for categorizing NSS and the information they process, and for appropriately selecting security controls for NSS from NIST SP 800-53.


NIST SP 800-30

NIST SP 800-30 (Information Security) provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments carried out at all three tiers in the risk management hierarchy are part of an overall risk management process, providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.

In particular, this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and how risk assessments and other organizational risk management processes complement and inform each other.

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis, so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and different courses of action should be taken.


DoDI 8510.01

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life cycle cybersecurity risk to DoD IT. It designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG. The direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT became available. Procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD, and between DoD and other federal agencies, for the authorization and connection of Information Systems (ISs) became available.

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), applies to:

• The Office of the Secretary of Defense, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (referred to collectively in the instruction as the DoD Components)

• All DoD IT that receives, processes, stores, displays, or transmits DoD information. These technologies are broadly grouped as DoD Information Systems (IS), Platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, test and evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD.


CNSS 4009

CNSS 4009, National Information Assurance (IA) Glossary, contains IA terms submitted by the CNSS membership.


NIST SP 800-53

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.


NIST SP 800-53A

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans, and includes a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.


NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides guidance for the ongoing monitoring of security. This policy includes:

• Determining if security controls continue to be effective over time

• How to respond to risk as situations change

• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance


Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.


NIST SP 800-60

NIST SP 800-60 (Information Security) addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)

• Information systems (e.g., mission critical, mission support, administrative)


NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts, and covers 11 core technical processes in systems and software development.

The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities

• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle

• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied

• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria


Long description of the framework figure: DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies include:

• NIST SP 800-39: input into DoDI 8500.01

• NIST SP 800-37: input into DoDI 8500.01 and DoDI 8510.01

• NIST SP 800-30: input into DoDI 8510.01

• NIST SP 800-53: input into DoDI 8510.01

• NIST SP 800-53A: input into DoDI 8510.01

• NIST SP 800-137: input into DoDI 8510.01

• NIST SP 800-60: input into the Knowledge Service

• NIST SP 800-160: input into the Knowledge Service

NSS policies include:

• CNSSP 22: input into DoDI 8500.01

• CNSSI 1253: input into DoDI 8500.01 and DoDI 8510.01

• CNSS 4009: input into DoDI 8510.01


DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework

Headings: Decision Structure | NIST SP 800-37 | FISMA 2014 | CNSSI 1253


Decision Structure

The DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.


NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF, consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.


FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014.

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (U.S.C.).


CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system, and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53

• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)

• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS


DoD Risk Management Framework Policy (Cont.)

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process.

• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely, documented, and reported to the responsible DoD Component Senior Information Security Officer (SISO).

• All DoD Information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01.

• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.

• Continuous monitoring capabilities will be implemented to the greatest extent possible.

• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes.


Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ______ to establish a single approach to managing risk within National Security Systems. (Fill in the blank)

• US Army, US Air Force, US Marine Corps, US Navy
• Intelligence Community, National Institute of Standards and Technology (NIST), Committee on National Security Systems (CNSS) (correct)
• Department of Justice, Department of Commerce
• Department of Interior

Answer: As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.


Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

• An information system connecting to another information system
• A system that has already been tested and evaluated to meet security requirements for another purpose
• A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information (correct)
• A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Answer: Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.


Lesson Completion

You have completed the content for this lesson


Tier 2 - Mission/Business Processes

Tier 2 addresses risk from a mission and business process perspective for each DoD Component (Army, Defense Logistics Agency, etc.) and is guided by the risk decisions at Tier 1. Tier 2 activities are closely associated with enterprise architecture and include:

• Defining the core missions and business processes for the organization (including any derivative or related missions and business processes carried out by subordinate organizations)
• Prioritizing missions and business processes with respect to the goals and objectives of the organization


Tier 2 - Mission/Business Processes (Cont.)

Tier 2 activities are closely associated with enterprise architecture and also include:

• Defining the types of information that the organization needs to successfully execute the stated missions and business processes, and the information flows both internal and external to the organization
• Developing an organization-wide information protection strategy and incorporating high-level information security requirements into the core missions and business processes
• Specifying the degree of autonomy for subordinate organizations (i.e., organizations within the parent organization) that the parent organization permits for assessing, evaluating, mitigating, accepting, and monitoring risk
• Identifying priorities for the mission/business and providing guidance on sources of threat event information specific to the mission or line of business
• Identifying information production flow strategies and linkages to the organizational enterprise architecture


Tier 2 - Mission/Business Processes (Cont.)

A Principal Authorizing Official (PAO) is appointed for each of the DoD Mission Areas (MAs) and is a member of the DoD ISRMC. PAOs must:

• Represent the interests of the MA as defined in DoDD 8115.01 and, as required, issue authorization guidance specific to the MA consistent with DoDI 8510.01
• Resolve authorization issues in their MA and work with other PAOs to resolve issues among MAs as needed
• Designate Authorizing Officials (AOs) for Information and PIT systems in their MA COIs specified in DoD 8320.02-G, in coordination with appropriate DoD Component heads if required
• Designate information security architects or IS security engineers for MA segments or systems of systems as needed

The DoD Component CIO, supported by the DoD Component SISO, is responsible for:

• Administering the RMF within the DoD Component cybersecurity program
• Participating in the RMF TAG
• Maintaining visibility and sharing of the RMF status of assigned IS and PIT systems
• Enforcing training requirements for persons participating in the RMF

The DoD Component SISO has the authority and responsibility for security controls assessment and must establish and manage a coordinated security assessment process for information technologies governed by the DoD Component cybersecurity program.

Note: All documents mentioned in this course can be found through the OSD Knowledge Service (CAC enabled). Link: https://rmfks.osd.mil/rmf/SiteResources/References/Pages/Links.aspx


Tier 3 - IS/PIT Systems

Tier 3 (IS and PIT systems) consists of the Authorizing Official and the IS or PIT System Cybersecurity Program.

Authorizing Official: DoD Component heads are responsible for the appointment of trained and qualified AOs for all DoD ISs and PIT systems within their Component. AOs should be appointed from senior leadership positions within business owner and mission owner organizations to promote accountability in authorization decisions that balance mission and business needs and security concerns.

IS or PIT System Cybersecurity Program: Consists of the policies, procedures, and activities of the Information System Owner (ISO), Program Manager/Systems Manager (PM/SM), User Representative (UR), Information System Security Manager (ISSM), and Information System Security Officers (ISSO) at the system level. The Program implements and executes policy and guidance from Tier 1 and Tier 2 and augments them as needed. The Program is also responsible for establishing and maintaining the security of the system, including the monitoring and reporting of the system security status.


Successful Risk Management Programs

For acquisition programs and cybersecurity risk management to be successful, organizations need to:

• Conduct risk assessments
• Implement risk mitigation strategies
• Employ techniques and procedures for continuously monitoring the security state of information systems

An effective Risk Management Program allows balance between the costs of protective measures and gains in mission capability.


Risk Management Guidance As It Relates to the DoD RMF

The DoD leverages several policy and guidance documents to address the Department's focus on risk management. Per Department of Defense Instruction (DoDI) 5000.02 and DoDI 8500.01, building cybersecurity into the system early and throughout the life cycle is required to enable operational and technical cybersecurity risks to be identified and sufficiently mitigated throughout the acquisition process. It will also lead to decreased program costs, shortened schedules, and improved system performance, resilience, and trustworthiness.

Following are two references cybersecurity professionals and program managers can use for guidance:

• The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs
• The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle


The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs, dated January 2017, replaces the DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs dated June 2015 and the Risk Management Guide for DoD Acquisition Programs dated 2006. This guide builds from previous editions of the DoD Risk Management Guide but reflects revisions to emphasize managing not only program risks but also issues and opportunities, and is complementary to the Risk Management Framework.


The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle is designed to help Program Managers (PMs) understand how to integrate cybersecurity into their programs throughout the system life cycle. This should be done in accordance with the RMF and through collaboration with the Authorizing Official (AO), who ensures that the cybersecurity risk posture of the system is managed and maintained during operations.


Knowledge Review 1

The process of managing risks to organizational operations, organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system includes:

• conducting a risk assessment
• the implementation of a risk mitigation strategy
• documenting the overall risk management program
• all of the above (correct)

Answer: Conducting a risk assessment, implementing a risk mitigation strategy, and documenting the overall risk management program are the processes of managing risks.


Federal-wide Partnership to Establish a Single Approach to Risk Management for National Security Systems

In 2009 the Joint Task Force Transformation Initiative Interagency Working Group was formed with representatives from NIST, DoD, CNSS, and the Office of the Director of National Intelligence (ODNI) to produce a unified information risk management framework for the federal government.

The move to the RMF aligns the DoD with the Federal government's risk management approach as described in the Joint Task Force Transformation Initiative Interagency Working Group efforts and captured in NIST 800-series Special Publications on information security.

DoD leverages and builds upon numerous existing Federal policies and standards, resulting in less DoD policy to write and maintain.

DoD participates in CNSS and NIST policy development as a vested stakeholder, with the goals of a more synchronized cybersecurity landscape and of protecting the unique requirements of DoD missions and warfighters.

[Figure: Joint Task Force Transformation Initiative. The Department of Defense (DoD), the Intelligence Community (IC), Civil agencies, and the CNSS form the Joint Task Force Transformation Initiative. This initiative provides risk management for the Federal Government: DoD, the Intelligence Community, other Government agencies, CNSS, and NIST.]

DoDI Policies and Risk Management

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD-specific needs. An overview of each policy in the framework follows.

[Figure: Policy framework. NIST: NIST SP 800-39, NIST SP 800-37, NIST SP 800-30, NIST SP 800-53, NIST SP 800-53A, NIST SP 800-137, NIST SP 800-60, NIST SP 800-160. DoD: DoDI 8500.01, DoDI 8510.01, RMF Knowledge Service. NSS: CNSSP 22, CNSSI 1253, CNSS 4009.]

NIST SP 800-39

NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, is the flagship document in the series of information security standards and guidelines developed by NIST in response to the Federal Information Security Management Act (FISMA).

The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.

Special Publication 800-39 provides a structured yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.

The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the risk management guidance described herein is complementary to and should be used as part of a more comprehensive Enterprise Risk Management (ERM) program.

DoDI 8500.01

DoDI 8500.01, Cybersecurity, established a DoD cybersecurity program to protect and defend DoD information and IT. It establishes the positions of DoD Principal Authorizing Official (PAO) and DoD Senior Information Security Officer (SISO) and continues the DoD Information Security Risk Management Committee (DoD ISRMC), formerly known as the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel.

This policy adopted the term "cybersecurity," as it is defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23, to be used throughout DoD instead of the term Information Assurance (IA).

CNSSP No. 22

CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems, requires the implementation of an integrated, organization-wide program for managing IA risk to organizational operations (i.e., mission, functions, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of NSS. Risk management is a comprehensive process that requires organizations to frame risk, assess risk, respond to risk once determined, and monitor risk on an ongoing basis.

NIST SP 800-37

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, is a common information security framework for the federal government and its supporting contractors as part of the Joint Task Force Transformation Initiative, and defines the following Risk Management Framework principles:

• Ensure management of risk from the operation and use of federal information systems is consistent with the organization's mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function)
• Ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes
• Support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results
• Achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies

CNSSI 1253

CNSSI 1253, Security Categorization and Control Selection for National Security Systems, is a companion document to NIST SP 800-53 for organizations that employ NSS. It establishes the processes for categorizing NSS and the information they process, and for appropriately selecting security controls for NSS from NIST SP 800-53.

NIST SP 800-30

NIST SP 800-30, Guide for Conducting Risk Assessments, provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments carried out at all three tiers in the risk management hierarchy are part of an overall risk management process, providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.

In particular, this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and for how risk assessments and other organizational risk management processes complement and inform each other.

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis, so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and different courses of action should be taken.

DoDI 8510.01

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life cycle cybersecurity risk to DoD IT. It designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG. It made available direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT, as well as procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD, and between DoD and other federal agencies, for the authorization and connection of Information Systems (ISs).

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), applies to:

• The Office of the Secretary of Defense, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (referred to collectively in the instruction as the DoD Components)
• All DoD IT that receives, processes, stores, displays, or transmits DoD information. These technologies are broadly grouped as DoD Information Systems (IS), Platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, Test and Evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD.

CNSS 4009

CNSS 4009, National Information Assurance (IA) Glossary, contains IA terms submitted by the CNSS membership.

NIST SP 800-53

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.

NIST SP 800-53A

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans, and includes a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.

DoDI Policies and Risk Management

DoDI 850001 and 851001 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD specific needs

Please select each box of t he framework for an overview of t he policy The links to t he policies will be

made ava ilable in t he Resojurcessectionmiddot------------------------bull

NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides guidance for ongoing monitoring of security. This policy includes:

• Determining if security controls continue to be effective over time
• How to respond to risk as situations change
• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance


Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.


NIST SP 800-60

NIST SP 800-60, Information Security, addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)
• Information systems (e.g., mission critical, mission support, administrative)


NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts and covers 11 core technical processes in systems and software development. The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities
• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle
• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied
• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria


Long description of the framework diagram: DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies include:

• NIST SP 800-39, input into DoDI 8500.01
• NIST SP 800-37, input into DoDI 8500.01 and DoDI 8510.01
• NIST SP 800-30, input into DoDI 8510.01
• NIST SP 800-53, input into DoDI 8510.01
• NIST SP 800-53A, input into DoDI 8510.01
• NIST SP 800-137, input into DoDI 8510.01
• NIST SP 800-60, input into the Knowledge Service
• NIST SP 800-160, input into the Knowledge Service

NSS policies include:

• CNSSP 22, input into DoDI 8500.01
• CNSSI 1253, input into DoDI 8500.01 and DoDI 8510.01
• CNSS 4009, input into DoDI 8510.01


DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework.

Tabs: Decision Structure | NIST SP 800-37 | FISMA 2014 | CNSSI 1253

Page 17 of 21


Decision Structure

The DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.


NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.


FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014.

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (U.S.C.).


CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53
• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)
• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS
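The categorization step described here, and the NIST SP 800-60 mapping of information types to impact levels covered earlier in the lesson, can be sketched in code. The Python below is an added illustration, not code from the ISA220 course, CNSSI 1253, or NIST SP 800-60: it takes the highest value per security objective across the information types a system processes, keeps the three values separate instead of collapsing them into one level, records which information type set each value, and then picks controls from a table by comparing each control's minimum level against the system's value for that objective. The information types, their impact values, and the control identifiers are constructed sample data; real values come from CNSSI 1253, NIST SP 800-60, NIST SP 800-53, and the DoD-specific assignments on the RMF KS.

```python
"""Security categorization and control selection sketch.

Added illustration, not code from the ISA220 course or from CNSSI 1253.
The information types, impact values and control table below are constructed
sample data; authoritative values come from CNSSI 1253, NIST SP 800-60,
NIST SP 800-53 and the DoD-specific assignments on the RMF KS.
"""
from dataclasses import dataclass

LEVELS = {"L": 0, "M": 1, "H": 2}  # low < moderate < high
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type the system processes, with its C/I/A impact values."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def level(self, objective: str) -> str:
        value = getattr(self, objective)
        if value not in LEVELS:  # reject anything other than L, M or H
            raise ValueError(f"{self.name}: bad {objective} value {value!r}")
        return value


def categorize(info_types):
    """Return {objective: (level, driving information type)} for the system.

    The system value for each objective is the highest value assigned to any
    information type it processes; the three values are kept separately.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    result = {}
    for obj in OBJECTIVES:
        top = max(info_types, key=lambda t: LEVELS[t.level(obj)])
        result[obj] = (top.level(obj), top.name)
    return result


def select_controls(category, catalog):
    """Pick every control whose minimum level is met by the system's value.

    `catalog` rows are (control_id, objective, minimum_level); a control
    applies when the system's value for that objective is >= minimum_level.
    """
    chosen = set()
    for control_id, objective, minimum in catalog:
        system_level = category[objective][0]
        if LEVELS[system_level] >= LEVELS[minimum]:
            chosen.add(control_id)
    return sorted(chosen)


# Constructed sample: a logistics system processing three information types.
SAMPLE_TYPES = [
    InfoType("inventory records", "L", "M", "M"),
    InfoType("personnel PII", "M", "M", "L"),
    InfoType("maintenance schedules", "L", "L", "H"),
]

# Constructed control table with hypothetical identifiers (not SP 800-53 content).
SAMPLE_CATALOG = [
    ("CTRL-ENCRYPT-AT-REST", "confidentiality", "M"),
    ("CTRL-SPLIT-KNOWLEDGE", "confidentiality", "H"),
    ("CTRL-INTEGRITY-CHECKS", "integrity", "M"),
    ("CTRL-FAILOVER-SITE", "availability", "H"),
    ("CTRL-AUDIT-LOGGING", "integrity", "L"),
]

if __name__ == "__main__":
    cat = categorize(SAMPLE_TYPES)
    for obj in OBJECTIVES:
        lvl, src = cat[obj]
        print(f"{obj:16} {lvl}  (driven by: {src})")
    print("controls:", select_controls(cat, SAMPLE_CATALOG))
```

Carrying the driving information type alongside each value keeps the categorization traceable when the authorization package is reviewed: a reviewer can see at once that availability is High only because of the maintenance schedules, and that the PII is what pushes confidentiality to Moderate.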


DoD Risk Management Framework Policy (Cont.)

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process.
• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely, documented, and reported to the responsible DoD Component Senior Information Security Officer (SISO).
• All DoD Information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01.
• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.
• Continuous monitoring capabilities will be implemented to the greatest extent possible.
• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes.

Page 18 of 21


Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ________ to establish a single approach to managing risk within National Security Systems. (Fill in the blank)

• US Army, US Air Force, US Marine Corps, US Navy
• Intelligence Community, National Institute of Standards and Technology (NIST), Committee on National Security Systems (CNSS) (correct)
• Department of Justice, Department of Commerce
• Department of Interior

Answer: As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.

Page 19 of 21


Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

• An information system connecting to another information system
• A system that has already been tested and evaluated to meet security requirements for another purpose
• A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information (correct)
• A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Answer: Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.

Page 20 of 21


Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.

Page 21 of 21


Tier 2 - Mission/Business Processes (Cont.)

Tier 2 activities are closely associated with enterprise architecture and include:

• Defining the types of information that the organization needs to successfully execute the stated missions and business processes, and the information flows both internal and external to the organization
• Developing an organization-wide information protection strategy and incorporating high-level information security requirements into the core missions and business processes
• Specifying the degree of autonomy for subordinate organizations (i.e., organizations within the parent organization) that the parent organization permits for assessing, evaluating, mitigating, accepting, and monitoring risk
• Identifying priorities for the mission/business and providing guidance on sources of threat event information specific to the mission or line of business
• Identifying information production flow strategies and linkages to organizational enterprise architecture

Page 9 of 21


Tier 2 - Mission/Business Processes (Cont.)

A Principal Authorizing Official (PAO) is appointed for each of the DoD Mission Areas (MAs) and is a member of the DoD ISRMC. PAOs must:

• Represent the interests of the MA as defined in DoDD 8115.01 and, as required, issue authorization guidance specific to the MA consistent with DoDI 8510.01
• Resolve authorization issues in their MA and work with other PAOs to resolve issues among MAs as needed
• Designate Authorizing Officials (AOs) for Information and PIT systems in their MA COIs specified in DoD 8320.02-G, in coordination with appropriate DoD Component heads if required
• Designate information security architects or IS security engineers for MA segments or systems of systems as needed

The DoD Component CIO, supported by the DoD Component SISO, is responsible for:

• Administering the RMF within the DoD Component cybersecurity program
• Participating in the RMF TAG
• Maintaining visibility and sharing of the RMF status of assigned IS and PIT systems
• Enforcing training requirements for persons participating in the RMF

The DoD Component SISO has the authority and responsibility for security controls assessment and must establish and manage a coordinated security assessment process for information technologies governed by the DoD Component cybersecurity program.

Note: All documents mentioned in this course can be found through the OSD Knowledge Service (CAC enabled). Link: https://rmfks.osd.mil/rmf/SiteResources/References/Pages/Links.aspx

Page 10 of 21


Tier 3 - IS/PIT Systems

Tier 3, IS and PIT systems, consists of:

Authorizing Official: DoD Component heads are responsible for the appointment of trained and qualified AOs for all DoD ISs and PIT systems within their Component. AOs should be appointed from senior leadership positions within business owner and mission owner organizations to promote accountability in authorization decisions that balance mission and business needs and security concerns.

IS or PIT System Cybersecurity Program: Consists of the policies, procedures, and activities of the Information System Owner (ISO), Program Manager/Systems Manager (PM/SM), User Representative (UR), Information System Security Manager (ISSM), and Information System Security Officers (ISSO) at the system level. The Program implements and executes policy and guidance from Tier 1 and Tier 2 and augments them as needed. Also, the Program is responsible for establishing and maintaining the security of the system, including the monitoring and reporting of the system security status.

Page 11 of 21

Long description of the Tier 3 diagram: DoD Risk Management Tier 3, IS/PIT Systems, consists of the Authorizing Official (AO) and the IS or PIT System Cybersecurity Program.


Successful Risk Management Programs

For acquisition programs and cybersecurity risk management to be successful, organizations need to:

• Conduct risk assessments
• Implement risk mitigation strategies
• Employ techniques and procedures for continuously monitoring the security state of information systems

An effective Risk Management Program allows balance between costs of protective measures and gains in mission capability.

Page 12 of 21


Risk Management Guidance As It Relates to the DoD RMF

The DoD leverages several policy and guidance documents to address the Department's focus on risk management. Per Department of Defense Instruction (DoDI) 5000.02 and DoDI 8500.01, building cybersecurity into the system early and throughout the life cycle is required to enable operational and technical cybersecurity risks to be identified and sufficiently mitigated throughout the acquisition process. It will also lead to decreased program costs, shortened schedules, and improved system performance, resilience, and trustworthiness.

Following are two references cybersecurity professionals and program managers can use for guidance:

• The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs
• The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle


Page 13 of 21


The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs, dated January 2017, replaces the DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs dated June 2015 and the Risk Management Guide for DoD Acquisition Programs dated 2006. This guide builds from previous editions of the DoD Risk Management Guide but reflects revisions to emphasize managing not only program risks but also issues and opportunities, and is complementary to the Risk Management Framework.


The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle is designed to help Program Managers (PMs) understand how to integrate cybersecurity into their programs throughout the system life cycle. This should be done in accordance with the RMF and through collaboration with the Authorizing Official (AO), who ensures that the cybersecurity risk posture of the system is managed and maintained during operations.


Knowledge Review 1

The process of managing risks to organizational operations, organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system includes:

• conducting a risk assessment
• the implementation of a risk mitigation strategy
• documenting the overall risk management program
• all of the above (correct)

Answer: Conducting a risk assessment, implementing a risk mitigation strategy, and documenting the overall risk management program are the processes of managing risks.

Page 14 of 21


Federal-wide Partnership to Establish Single Approach to Risk Management for National Security Systems

In 2009, the Joint Task Force Transformation Initiative Interagency Working Group was formed with representatives from NIST, DoD, CNSS, and the Office of the Director of National Intelligence (ODNI) to produce a unified information risk management framework for the federal government.

The move to the RMF aligns the DoD with the Federal government's risk management approach as described in the Joint Task Force Transformation Initiative Interagency Working Group efforts and captured in NIST 800-series Special Publications on information security.

DoD leverages and builds upon numerous existing Federal policies and standards, resulting in less DoD policy to write and maintain.

DoD participates in CNSS and NIST policy development as a vested stakeholder with the goals of a more synchronized cybersecurity landscape and to protect the unique requirements of DoD Missions and warfighters.

Page 15 of 21

Long description of the Joint Task Force Transformation Initiative diagram: The Department of Defense (DoD), IC, Civil, and the CNSS form the Joint Task Force Transformation Initiative. This initiative provides Risk Management for the Federal Government, DoD, Intelligence Community, Other Government Agencies, CNSS, and NIST.


Framework diagram (DoDI Policies and Risk Management), three columns:

NIST: NIST SP 800-39, NIST SP 800-37, NIST SP 800-30, NIST SP 800-53, NIST SP 800-53A, NIST SP 800-137, NIST SP 800-60, NIST SP 800-160

DoD: DoDI 8500.01, DoDI 8510.01, Knowledge Service

NSS: CNSSP 22, CNSSI 1253, CNSS 4009


NIST SP 800-39

NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, is the flagship document in the series of information security standards and guidelines developed by NIST in response to the Federal Information Security Management Act (FISMA).

The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.

Special Publication 800-39 provides a structured, yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.

The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the risk management guidance described herein is complementary to and should be used as part of a more comprehensive Enterprise Risk Management (ERM) program.


DoDI 8500.01

DoDI 8500.01, Cybersecurity, established a DoD cybersecurity program to protect and defend DoD information and IT. It establishes the positions of DoD Principal Authorizing Official (PAO) and the DoD Senior Information Security Officer (SISO) and continues the DoD Information Security Risk Management Committee (DoD ISRMC) (formerly known as the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel).

This policy adopted the term cybersecurity, as it is defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23, to be used throughout DoD instead of the term Information Assurance (IA).


CNSSP No. 22

CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems, requires the implementation of an integrated organization-wide program for managing IA risk to organizational operations (i.e., mission, functions, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of NSS. Risk management is a comprehensive process that requires organizations to frame risk, assess risk, respond to risk once determined, and monitor risk on an ongoing basis.


NIST SP 800-37

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, is a common information security framework for the federal government and its supporting contractors as part of the Joint Task Force Transformation Initiative and defines the following Risk Management Framework principles:

• Ensure management of risk from the operation and use of federal information systems is consistent with the organization's mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function)
• Ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes
• Support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results
• Achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies

I Page16of21 I Back Next

CNSSI 1253

CNSSI 1253, Security Categorization and Control Selection for National Security Systems, is a companion document to NIST SP 800-53 for organizations that employ NSS. It establishes the processes for categorizing NSS and the information they process, and for appropriately selecting security controls for NSS from NIST SP 800-53.

NIST SP 800-30

NIST SP 800-30 provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments, carried out at all three tiers in the risk management hierarchy, are part of an overall risk management process, providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.

In particular, this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and how risk assessments and other organizational risk management processes complement and inform each other.

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis, so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and different courses of action should be taken.

DoDI 8510.01

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life cycle cybersecurity risk to DoD IT. It designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG. The direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT became available. Procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD, and between DoD and other federal agencies, for the authorization and connection of Information Systems (ISs) became available.

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), applies to:

• The Office of the Secretary of Defense, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (referred to collectively in the instruction as the DoD Components).

• All DoD IT that receives, processes, stores, displays, or transmits DoD information. These technologies are broadly grouped as DoD Information Systems (IS), Platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, Test and Evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD.

CNSS 4009

CNSS 4009, National Information Assurance (IA) Glossary, contains IA terms submitted by the CNSS membership.

NIST SP 800-53

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.

NIST SP 800-53A

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans, and includes a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.

NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides ongoing monitoring of security. This policy includes:

• Determining if security controls continue to be effective over time

• How to respond to risk as situations change

• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance

RMF Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.

NIST SP 800-60

NIST SP 800-60 addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)

• Information systems (e.g., mission critical, mission support, administrative)

NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts, and covers 11 core technical processes in systems and software development.

The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities

• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle

• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied

• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria

Long Description

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies include:

• NIST SP 800-39, input into DoDI 8500.01
• NIST SP 800-37, input into DoDI 8500.01 and DoDI 8510.01
• NIST SP 800-30, input into DoDI 8510.01
• NIST SP 800-53, input into DoDI 8510.01
• NIST SP 800-53A, input into DoDI 8510.01
• NIST SP 800-137, input into DoDI 8510.01
• NIST SP 800-60, input into the Knowledge Service
• NIST SP 800-160, input into the Knowledge Service

NSS policies include:

• CNSSP 22, input into DoDI 8500.01
• CNSSI 1253 and NIST SP 800-37, input into DoDI 8500.01 and DoDI 8510.01
• CNSS 4009, input into DoDI 8510.01

DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework.

Decision Structure | NIST SP 800-37 | FISMA 2014 | CNSSI 1253

Page 17 of 21

Decision Structure

The DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.

NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF, consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.

FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014.

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (U.S.C.).

CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system, and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53

• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)

• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS
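The categorization and control-selection step described above, together with the NIST SP 800-60 mapping of information types to impact levels covered earlier on this page, can be worked through with a small script. The following is an added example written for this page; it is not code from the ISA220 course, from CNSSI 1253, or from NIST. It assumes that a system's confidentiality, integrity, and availability values are the per-attribute maximum over the information types the system processes (kept as three separate values rather than collapsed into one), that any adjustment of a provisional impact level must carry a documented rationale, and it uses a constructed control table as a stand-in for the real CNSSI 1253 baselines. The information types, their impact levels, and the control thresholds are constructed sample data.

```python
"""Security categorization and baseline control selection in the style of
CNSSI 1253 / NIST SP 800-60 (added example; not code from the ISA220 course).

Assumptions (not stated on the page):
  * each information type carries provisional C/I/A impact levels, as in the
    SP 800-60 mapping, which may be adjusted only with a documented rationale;
  * the system-level C, I and A values are the per-attribute maximum over the
    information types it processes, kept as three separate values;
  * CONTROL_TABLE is a small constructed stand-in for the real CNSSI 1253
    baselines drawn from NIST SP 800-53.
"""
from dataclasses import dataclass, field

LEVELS = ("LOW", "MODERATE", "HIGH")
ATTRIBUTES = ("confidentiality", "integrity", "availability")


def level_index(level: str) -> int:
    """Rank an impact level so that max() and comparisons work on level names."""
    return LEVELS.index(level.upper())


@dataclass
class InfoType:
    """One information type processed by the system, with provisional impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str
    # attribute -> (adjusted_level, rationale); the rationale is mandatory
    adjustments: dict = field(default_factory=dict)

    def effective(self, attribute: str) -> str:
        """Provisional level, overridden by a documented adjustment if one exists."""
        if attribute in self.adjustments:
            new_level, rationale = self.adjustments[attribute]
            if not rationale:
                raise ValueError(f"{self.name}/{attribute}: adjustment needs a rationale")
            return new_level.upper()
        return getattr(self, attribute).upper()


def categorize(info_types: list) -> dict:
    """System C/I/A = per-attribute maximum over all information types."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return {
        attr: max((it.effective(attr) for it in info_types), key=level_index)
        for attr in ATTRIBUTES
    }


# Constructed table: control id -> (attribute it protects, lowest level at which
# it is selected). Real selections come from the CNSSI 1253 baselines.
CONTROL_TABLE = {
    "AC-2": ("confidentiality", "LOW"),
    "AC-3": ("confidentiality", "LOW"),
    "AC-6": ("confidentiality", "MODERATE"),
    "SC-8": ("confidentiality", "MODERATE"),
    "SI-7": ("integrity", "MODERATE"),
    "SI-10": ("integrity", "MODERATE"),
    "AU-10": ("integrity", "HIGH"),
    "CP-2": ("availability", "LOW"),
    "CP-9": ("availability", "LOW"),
    "CP-10": ("availability", "LOW"),
    "CP-7": ("availability", "MODERATE"),
}


def control_sort_key(control_id: str) -> tuple:
    """Order controls by family and number (so CP-9 precedes CP-10)."""
    family, number = control_id.split("-")
    return family, int(number)


def select_controls(categorization: dict, table: dict = CONTROL_TABLE) -> list:
    """Select every control whose attribute threshold is met by the categorization."""
    selected = [
        cid for cid, (attr, min_level) in table.items()
        if level_index(categorization[attr]) >= level_index(min_level)
    ]
    return sorted(selected, key=control_sort_key)


# Constructed sample system: three information types, one with a documented
# availability adjustment (the public site also carries safety notices).
CONSTRUCTED_SYSTEM = [
    InfoType("Personnel records", "MODERATE", "MODERATE", "LOW"),
    InfoType("Mission planning data", "HIGH", "MODERATE", "LOW"),
    InfoType("Public web content", "LOW", "MODERATE", "LOW",
             adjustments={"availability": ("MODERATE", "hosts public-safety notices")}),
]


def example() -> tuple:
    """Categorize the constructed system and pick its controls."""
    cat = categorize(CONSTRUCTED_SYSTEM)
    return cat, select_controls(cat)


if __name__ == "__main__":
    categorization, controls = example()
    print("System categorization:", categorization)
    print("Selected controls:", controls)
```

Two points the script makes that the policy text leaves implicit: the availability adjustment on one information type raises the system-level availability value and pulls in an extra control, and because integrity stays at MODERATE the HIGH-only integrity control is not selected. Keeping the three values separate, rather than taking one high-water mark, is what lets the selection differ per attribute.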


DoD Risk Management Framework Policy (Cont.)

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process.

• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely, documented, and reported to the responsible DoD Component Senior Information Security Officer (SISO).

• All DoD Information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01.

• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.

• Continuous monitoring capabilities will be implemented to the greatest extent possible.

• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes.

Page 18 of 21

Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ________ to establish a single approach to managing risk within National Security Systems. (Fill in the blank)

[ ] US Army, US Air Force, US Marine Corps, US Navy
[x] Intelligence Community, National Institute of Standards and Technology (NIST), Committee on National Security Systems (CNSS)
[ ] Department of Justice, Department of Commerce
[ ] Department of Interior

Check Answer

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.

Page 19 of 21

Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

[ ] An information system connecting to another information system
[ ] A system that has already been tested and evaluated to meet security requirements for another purpose
[x] A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information
[ ] A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Check Answer

Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.

Page 20 of 21

Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.

Page 21 of 21

Tier 2 - Mission/Business Processes (Cont.)

A Principal Authorizing Official (PAO) is appointed for each of the DoD Mission Areas (MAs) and is a member of the DoD ISRMC. PAOs must:

• Represent the interests of the MA as defined in DoDD 8115.01 and, as required, issue authorization guidance specific to the MA consistent with DoDI 8510.01

• Resolve authorization issues in their MA and work with other PAOs to resolve issues among MAs as needed

• Designate Authorizing Officials (AOs) for Information and PIT systems in their MA, COIs specified in DoD 8320.02-G, in coordination with appropriate DoD Component heads if required

• Designate information security architects or IS security engineers for MA segments or systems of systems as needed

The DoD Component CIO, supported by the DoD Component SISO, is responsible for:

• Administering the RMF within the DoD Component cybersecurity program
• Participating in the RMF TAG
• Maintaining visibility and sharing of the RMF status of assigned IS and PIT systems
• Enforcing training requirements for persons participating in the RMF

The DoD Component SISO has the authority and responsibility for security controls assessment and must establish and manage a coordinated security assessment process for information technologies governed by the DoD Component cybersecurity program.

Note: All documents mentioned in this course can be found through the OSD Knowledge Service (CAC Enabled). Link: https://rmfks.osd.mil/rmf/SiteResources/References/Pages/Links.aspx

Page 10 of 21

Tier 3 - IS/PIT Systems

Tier 3, IS and PIT Systems, consists of:

Authorizing Official: DoD Component heads are responsible for the appointment of trained and qualified AOs for all DoD ISs and PIT systems within their Component. AOs should be appointed from senior leadership positions within business owner and mission owner organizations to promote accountability in authorization decisions that balance mission and business needs and security concerns.

IS or PIT System Cybersecurity Program: Consists of the policies, procedures, and activities of the Information System Owner (ISO), Program Manager/Systems Manager (PM/SM), User Representative (UR), Information System Security Manager (ISSM), and Information System Security Officers (ISSO) at the system level. The Program implements and executes policy and guidance from Tier 1 and Tier 2 and augments them as needed. Also, the Program is responsible for establishing and maintaining the security of the system, including the monitoring and reporting of the system security status.

Page 11 of 21


Successful Risk Management Programs

For acquisition programs and cybersecurity risk management to be successful, organizations need to:

• Conduct risk assessments

• Implement risk mitigation strategies

• Employ techniques and procedures for continuously monitoring the security state of information systems

An effective Risk Management Program allows balance between costs of protective measures and gains in mission capability.

Page 12 of 21

Risk Management Guidance As It Relates to the DoD RMF

The DoD leverages several policy and guidance documents to address the Department's focus on risk management. Per Department of Defense Instruction (DoDI) 5000.02 and DoDI 8500.01, building cybersecurity into the system early and throughout the life cycle is required to enable operational and technical cybersecurity risks to be identified and sufficiently mitigated throughout the acquisition process. It will also lead to decreased program costs, shortened schedules, and improved system performance, resilience, and trustworthiness.

Following are two references cybersecurity professionals and program managers can use for guidance:

• The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs

• The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle

Page 13 of 21

The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs, dated January 2017, replaces the DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs dated June 2015 and the Risk Management Guide for DoD Acquisition Programs dated 2006. This guide builds from previous editions of the DoD Risk Management Guide but reflects revisions to emphasize managing not only program risks but also issues and opportunities, and is complementary to the Risk Management Framework.

The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle is designed to help Program Managers (PMs) understand how to integrate cybersecurity into their programs throughout the system life cycle. This should be done in accordance with the RMF and through collaboration with the Authorizing Official (AO), who ensures that the cybersecurity risk posture of the system is managed and maintained during operations.

Knowledge Review 1

The process of managing risks to organizational operations, organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system includes:

[ ] conducting a risk assessment
[ ] the implementation of a risk mitigation strategy
[ ] documenting the overall risk management program
[x] all of the above

Check Answer

Conducting a risk assessment, implementing a risk mitigation strategy, and documenting the overall risk management program are the processes of managing risks.

Page 14 of 21

Federal-wide Partnership to Establish Single Approach to Risk Management for National Security Systems

In 2009, the Joint Task Force Transformation Initiative Interagency Working Group was formed with representatives from NIST, DoD, CNSS, and the Office of the Director of National Intelligence (ODNI) to produce a unified information risk management framework for the federal government.

The move to the RMF aligns the DoD with the Federal government's risk management approach as described in the Joint Task Force Transformation Initiative Interagency Working Group efforts and captured in NIST 800-series Special Publications on information security.

DoD leverages and builds upon numerous existing Federal policies and standards, resulting in less DoD policy to write and maintain.

DoD participates in CNSS and NIST policy development as a vested stakeholder, with the goals of a more synchronized cybersecurity landscape and to protect the unique requirements of DoD Missions and warfighters.

[Figure: Joint Task Force Transformation Initiative, formed by DoD, IC, and CNSS]

Page 15 of 21

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

Federal-w ide Partnership to Establish Single Approach to Risk Management for National Secur ity Systems

In 2009 the Joint Task Force Transformation Initiative Interagency Working Group was formed with representatives from NIST DoD CNSS and Office of the Director of National Intelligence (ODNJ) to produce a unified information risk management framework for the federal government

The move to the ~~lio~i-Long Descript ionFederal governmen

approach as descr The Department of Defense (DOD) JC Civil and the CNSS form the Joint TaskForce Transformati Force Transformation Initiative This initiative provides Risk Management forWorking Group effo the Federal Government DoD Intelligence Community Other GovernmentBOO-series Special

security Agencies CNSS and NIST

DoD leverages and builds upon numerous existing Federal policies and standards resulting in less DoD policy to write and maintain

Joint Tau Ftxct Tr1Mlormation tnitAtl~

DoD participates in CNSS and NIST policy development as a vested stakeholder with the goals of a more synchronized cybersecurity landscape and to protect the unique requirements of DoD Missions and warfighters

I Page1Sof21 I Back Next

DoDI Policies and Risk Management

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD-specific needs.

Please select each box of the framework for an overview of the policy. The links to the policies will be made available in the Resources section.

Long Description: DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies include:

• NIST SP 800-39, input into DoDI 8500.01
• NIST SP 800-37, input into DoDI 8500.01 and DoDI 8510.01
• NIST SP 800-30, input into DoDI 8510.01
• NIST SP 800-53, input into DoDI 8510.01
• NIST SP 800-53A, input into DoDI 8510.01
• NIST SP 800-137, input into DoDI 8510.01
• NIST SP 800-60, input into the Knowledge Service
• NIST SP 800-160, input into the Knowledge Service

NSS policies include:

• CNSSP 22, input into DoDI 8500.01
• CNSSI 1253, input into DoDI 8500.01 and DoDI 8510.01
• CNSS 4009, input into DoDI 8510.01

NIST SP 800-39

NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, is the flagship document in the series of information security standards and guidelines developed by NIST in response to the Federal Information Security Management Act (FISMA).

The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.

Special Publication 800-39 provides a structured, yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.

The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the risk management guidance described herein is complementary to and should be used as part of a more comprehensive Enterprise Risk Management (ERM) program.

DoDI 8500.01

DoDI 8500.01, Cybersecurity, established a DoD cybersecurity program to protect and defend DoD information and IT. It establishes the positions of DoD Principal Authorizing Official (PAO) and DoD Senior Information Security Officer (SISO) and continues the DoD Information Security Risk Management Committee (DoD ISRMC), formerly known as the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel.

This policy adopted the term "cybersecurity," as it is defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23, to be used throughout DoD instead of the term Information Assurance (IA).

CNSSP No. 22

CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems, requires the implementation of an integrated organization-wide program for managing IA risk to organizational operations (i.e., mission, functions, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of NSS. Risk management is a comprehensive process that requires organizations to frame risk, assess risk, respond to risk once determined, and monitor risk on an ongoing basis.

NIST SP 800-37

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, is a common information security framework for the federal government and its supporting contractors as part of the Joint Task Force Transformation Initiative, and defines the following Risk Management Framework principles:

• Ensure management of risk from the operation and use of federal information systems is consistent with the organization's mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function).

• Ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes.

• Support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results.

• Achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies.

CNSSI 1253

CNSSI 1253, Security Categorization and Control Selection for National Security Systems, is a companion document to NIST SP 800-53 for organizations that employ NSS. It establishes the processes for categorizing NSS and the information they process, and for appropriately selecting security controls for NSS from NIST SP 800-53.

NIST SP 800-30

NIST SP 800-30, Information Security, provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments carried out at all three tiers in the risk management hierarchy are part of an overall risk management process, providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.

In particular, this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and how risk assessments and other organizational risk management processes complement and inform each other.

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis, so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and different courses of action should be taken.

DoDI 8510.01

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life-cycle cybersecurity risk to DoD IT. It designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG. The direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT became available. Procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD, and between DoD and other federal agencies, for the authorization and connection of Information Systems (ISs) became available.

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), applies to:

• The Office of the Secretary of Defense, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (referred to collectively in the instruction as the "DoD Components").

• All DoD IT that receives, processes, stores, displays, or transmits DoD information. These technologies are broadly grouped as DoD Information Systems (IS), Platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, Test and Evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD.

CNSS 4009

CNSS 4009, National Information Assurance (IA) Glossary, contains IA terms submitted by the CNSS membership.

NIST SP 800-53

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.

NIST SP 800-53A

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans, and includes a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.

NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides ongoing monitoring of security. This policy includes:

• Determining if security controls continue to be effective over time

• How to respond to risk as situations change

• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance

Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.

NIST SP 800-60

NIST SP 800-60, Information Security, addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)

• Information systems (e.g., mission critical, mission support, administrative)

NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts and covers 11 core technical processes in systems and software development. The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities

• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle

• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied

• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria

DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework.

Decision Structure

The DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.

NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF, consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.

FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014.

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (USC).

CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system, and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53

• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)

• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS

DoD Risk Management Framework Policy, Cont.

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process.

• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely, documented, and reported to the responsible DoD Component Senior Information Security Officer (SISO).

• All DoD Information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01.

• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.

• Continuous monitoring capabilities will be implemented to the greatest extent possible.

• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes.

Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ________ to establish a single approach to managing risk within National Security Systems. (Fill in the blank)

• US Army, US Air Force, US Marine Corps, US Navy

• Intelligence Community, National Institute of Standards and Technology (NIST), Committee on National Security Systems (CNSS)

• Department of Justice, Department of Commerce

• Department of Interior

Answer: As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.

Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

• An information system connecting to another information system

• A system that has already been tested and evaluated to meet security requirements for another purpose

• A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information

• A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Answer: Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.

Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.

Tier 3 - IS/PIT Systems

Tier 3, IS and PIT systems, consists of the Authorizing Official (AO) and the IS or PIT System Cybersecurity Program.

Authorizing Official: DoD Component heads are responsible for the appointment of trained and qualified AOs for all DoD ISs and PIT systems within their Component. AOs should be appointed from senior leadership positions within business owner and mission owner organizations to promote accountability in authorization decisions that balance mission and business needs and security concerns.

IS or PIT System Cybersecurity Program: Consists of the policies, procedures, and activities of the Information System Owner (ISO), Program Manager/Systems Manager (PM/SM), User Representative (UR), Information System Security Manager (ISSM), and Information System Security Officers (ISSO) at the system level. The Program implements and executes policy and guidance from Tier 1 and Tier 2 and augments them as needed. Also, the Program is responsible for establishing and maintaining the security of the system, including the monitoring and reporting of the system security status.

Long Description: DoD Risk Management Tier 3, IS/PIT Systems, comprises the Authorizing Official (AO) and the IS or PIT System Cybersecurity Program.

ISA220 Risk Management Framework for Practition er s Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

Successful Risk Management Programs

For acquisition programs and cybersecurity risk management to be successful, organizations need to:

• Conduct risk assessments

• Implement risk mitigation strategies

• Employ techniques and procedures for continuously monitoring the security state of information systems

An effective Risk Management Program allows a balance between the costs of protective measures and gains in mission capability.

Risk Management Guidance As It Relates to the DoD RMF

The DoD leverages several policy and guidance documents to address the Department's focus on risk management. Per Department of Defense Instruction (DoDI) 5000.02 and DoDI 8500.01, building cybersecurity into the system early and throughout the life cycle is required so that operational and technical cybersecurity risks can be identified and sufficiently mitigated throughout the acquisition process. It is also expected to lead to decreased program costs, shortened schedules, and improved system performance, resilience, and trustworthiness.

Following are two references cybersecurity professionals and program managers can use for guidance:

• The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs

• The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle

The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs, dated January 2017, replaces the DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs dated June 2015 and the Risk Management Guide for DoD Acquisition Programs dated 2006. This guide builds on previous editions of the DoD Risk Management Guide but reflects revisions that emphasize managing not only program risks but also issues and opportunities, and it is complementary to the Risk Management Framework.

The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle is designed to help Program Managers (PMs) understand how to integrate cybersecurity into their programs throughout the system life cycle. This should be done in accordance with the RMF and through collaboration with the Authorizing Official (AO), who ensures that the cybersecurity risk posture of the system is managed and maintained during operations.

Knowledge Review 1

The process of managing risks to organizational operations, organizational assets, individuals, other organizations, or the Nation resulting from the operation or use of an information system includes:

• conducting a risk assessment

• the implementation of a risk mitigation strategy

• documenting the overall risk management program

• all of the above (correct answer)

Feedback: Conducting a risk assessment, implementing a risk mitigation strategy, and documenting the overall risk management program are the processes of managing risks.

Federal-wide Partnership to Establish Single Approach to Risk Management for National Security Systems

In 2009 the Joint Task Force Transformation Initiative Interagency Working Group was formed with representatives from NIST, DoD, CNSS, and the Office of the Director of National Intelligence (ODNI) to produce a unified information risk management framework for the federal government.

The move to the RMF aligns the DoD with the Federal government's risk management approach as described in the Joint Task Force Transformation Initiative Interagency Working Group efforts and captured in the NIST 800-series Special Publications on information security.

DoD leverages and builds upon numerous existing Federal policies and standards, resulting in less DoD policy to write and maintain.

DoD participates in CNSS and NIST policy development as a vested stakeholder, with the goals of a more synchronized cybersecurity landscape and protection of the unique requirements of DoD missions and warfighters.

[Figure: Joint Task Force Transformation Initiative. The Department of Defense (DoD), the Intelligence Community (IC), Civil agencies, and the CNSS form the Joint Task Force Transformation Initiative, which provides risk management for the Federal Government. Members shown: DoD, Intelligence Community, other Government Agencies, CNSS, and NIST.]

DoDI Policies and Risk Management

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD-specific needs.

Each box of the framework below gives an overview of the policy. Links to the policies are available in the Resources section.

[Figure: policy framework. NIST column: NIST SP 800-39, NIST SP 800-37, NIST SP 800-30, NIST SP 800-53, NIST SP 800-53A, NIST SP 800-137, NIST SP 800-60, NIST SP 800-160. DoD column: DoDI 8500.01, DoDI 8510.01, Knowledge Service. NSS column: CNSSP 22, CNSSI 1253, CNSS 4009.]

NIST SP 800-39

NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, is the flagship document in the series of information security standards and guidelines developed by NIST in response to the Federal Information Security Management Act (FISMA).

The purpose of SP 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.

SP 800-39 provides a structured yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.

The guidance in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the risk management guidance described herein is complementary to, and should be used as part of, a more comprehensive Enterprise Risk Management (ERM) program.

DoDI 8500.01

DoDI 8500.01, Cybersecurity, established a DoD cybersecurity program to protect and defend DoD information and IT. It establishes the positions of DoD Principal Authorizing Official (PAO) and DoD Senior Information Security Officer (SISO), and continues the DoD Information Security Risk Management Committee (DoD ISRMC), formerly known as the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel.

This policy adopted the term "cybersecurity," as defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23, for use throughout DoD in place of the term Information Assurance (IA).

CNSSP No. 22

CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems, requires the implementation of an integrated, organization-wide program for managing IA risk to organizational operations (i.e., mission, functions, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of NSS. Risk management is a comprehensive process that requires organizations to frame risk, assess risk, respond to risk once determined, and monitor risk on an ongoing basis.

NIST SP 800-37

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, is a common information security framework for the federal government and its supporting contractors, developed as part of the Joint Task Force Transformation Initiative. It defines the following Risk Management Framework principles:

• Ensure that management of risk from the operation and use of federal information systems is consistent with the organization's mission/business objectives and the overall risk strategy established by senior leadership through the risk executive (function).

• Ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes.

• Support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results.

• Achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies.

CNSSI 1253

CNSSI 1253, Security Categorization and Control Selection for National Security Systems, is a companion document to NIST SP 800-53 for organizations that employ NSS. It establishes the processes for categorizing NSS and the information they process, and for appropriately selecting security controls for NSS from NIST SP 800-53.

NIST SP 800-30

NIST SP 800-30, Guide for Conducting Risk Assessments, provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in SP 800-39. Risk assessments carried out at all three tiers in the risk management hierarchy are part of an overall risk management process, providing senior leaders and executives with the information needed to determine appropriate courses of action in response to identified risks.

In particular, this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and describes how risk assessments and other organizational risk management processes complement and inform each other.

SP 800-30 also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis, so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and whether different courses of action should be taken.

DoDI 8510.01

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life-cycle cybersecurity risk to DoD IT. The instruction designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG. It also provides for direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT, and for procedural guidance on the reciprocal acceptance of authorization decisions and artifacts within DoD, and between DoD and other federal agencies, for the authorization and connection of Information Systems (ISs).

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), applies to:

• The Office of the Secretary of Defense, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (referred to collectively in the instruction as the DoD Components).

• All DoD IT that receives, processes, stores, displays, or transmits DoD information. These technologies are broadly grouped as DoD Information Systems (IS), Platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, test and evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD.

CNSS 4009

CNSS 4009, National Information Assurance (IA) Glossary, contains IA terms submitted by the CNSS membership.

NIST SP 800-53

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government, to meet the requirements of Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.

NIST SP 800-53A

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans, and includes a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.

NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides guidance on ongoing monitoring of security. This guideline covers:

• Determining whether security controls continue to be effective over time

• How to respond to risk as situations change

• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance

Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.

NIST SP 800-60

NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)

• Information systems (e.g., mission critical, mission support, administrative)

NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts and covers 11 core technical processes in systems and software development.

The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities.

• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle.

• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied.

• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria.

How the policies feed into DoD policy and the Knowledge Service (figure description)

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies:

• NIST SP 800-39: input into DoDI 8500.01

• NIST SP 800-37: input into DoDI 8500.01 and DoDI 8510.01

• NIST SP 800-30: input into DoDI 8510.01

• NIST SP 800-53: input into DoDI 8510.01

• NIST SP 800-53A: input into DoDI 8510.01

• NIST SP 800-137: input into DoDI 8510.01

• NIST SP 800-60: input into the Knowledge Service

• NIST SP 800-160: input into the Knowledge Service

NSS policies:

• CNSSP 22: input into DoDI 8500.01

• CNSSI 1253 and NIST SP 800-37: input into DoDI 8500.01 and DoDI 8510.01

• CNSS 4009: input into DoDI 8510.01

DoD Risk Management Framework Policy

Key policy requirements for the execution of the DoD Risk Management Framework:

Decision Structure

The DoD will establish and use an integrated, enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.

NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF, consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.

FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014. DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (U.S.C.).

CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53

• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)

• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS

DoD Risk Management Framework Policy, Cont.

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process.

• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely, documented, and reported to the responsible DoD Component Senior Information Security Officer (SISO).

• All DoD Information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01.

• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.

• Continuous monitoring capabilities will be implemented to the greatest extent possible.

• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes.

Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ________ to establish a single approach to managing risk within National Security Systems. (Fill in the blank)

US Army, US Air Force, US Marine Corps, US Navy

Intelligence Community, National Institute of Standards and Technology (NIST), Committee on National Security Systems (CNSS) (correct)

Department of Justice, Department of Commerce

Department of Interior

Answer: As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.

Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

An information system connecting to another information system

A system that has already been tested and evaluated to meet security requirements for another purpose

A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information (correct)

A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Answer: Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.

Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left.

Tier 3 - IS/PIT Systems

Tier 3, IS and PIT systems, consists of the elements shown in the figure "DoD Risk Management Tier 3 - IS/PIT Systems" (the figure's long description overlaps the page text in the source, so only fragments are legible): Authorizing Official (AO); System Cybersecurity Program; IS or PIT System; ... and activities of the Information System; User Representative (UR); Information System Security Officers (ISSO) at the system level.

DoD Component heads are responsible for the appointment of trained and qualified AOs for all DoD ISs and PIT systems within their Component. AOs should be appointed ... positions within business organizations to ... authorization decisions ... business needs and s... (remainder obscured in the source).

The Program implements and executes policy and guidance from Tier 1 and Tier 2 and augments them as needed. Also, the Program is responsible for establishing and maintaining the security of the system, including the monitoring and reporting of the system security status.

Successful Risk Management Programs

For acquisition programs and cybersecurity risk management to be successful, organizations need to:

• Conduct risk assessments

• Implement risk mitigation strategies

• Employ techniques and procedures for continuously monitoring the security state of information systems

An effective Risk Management Program allows balance between costs of protective measures and gains in mission capability.

Risk Management Guidance As It Relates to the DoD RMF

The DoD leverages several policy and guidance documents to address the Department's focus on risk management. Per Department of Defense Instruction (DoDI) 5000.02 and DoDI 8500.01, building cybersecurity into the system early and throughout the life cycle is required to enable operational and technical cybersecurity risks to be identified and sufficiently mitigated throughout the acquisition process. It will also lead to decreased program costs, shortened schedules, and improved system performance, resilience, and trustworthiness.

Following are two references cybersecurity professionals and program managers can use for guidance:

• The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs

• The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle

The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs, dated January 2017, replaces the DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs dated June 2015 and the Risk Management Guide for DoD Acquisition Programs dated 2006. This guide builds from previous editions of the DoD Risk Management Guide but reflects revisions to emphasize managing not only program risks but also issues and opportunities, and is complementary to the Risk Management Framework.

The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle is designed to help Program Managers (PMs) understand how to integrate cybersecurity into their programs throughout the system life cycle. This should be done in accordance with the RMF and through collaboration with the Authorizing Official (AO), who ensures that the cybersecurity risk posture of the system is managed and maintained during operations.

Knowledge Review 1

The process of managing risks to organizational operations, organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system includes:

conducting a risk assessment

the implementation of a risk mitigation strategy

documenting the overall risk management program

all of the above (correct)

Answer: Conducting a risk assessment, implementing a risk mitigation strategy, and documenting the overall risk management program are the processes of managing risks.

Federal-wide Partnership to Establish Single Approach to Risk Management for National Security Systems

In 2009, the Joint Task Force Transformation Initiative Interagency Working Group was formed with representatives from NIST, DoD, CNSS, and the Office of the Director of National Intelligence (ODNI) to produce a unified information risk management framework for the federal government.

The move to the RMF aligns the DoD with the Federal government's risk management approach as described in the Joint Task Force Transformation Initiative Interagency Working Group efforts and captured in NIST 800-series Special Publications on information security.

DoD leverages and builds upon numerous existing Federal policies and standards, resulting in less DoD policy to write and maintain.

DoD participates in CNSS and NIST policy development as a vested stakeholder, with the goals of a more synchronized cybersecurity landscape and to protect the unique requirements of DoD Missions and warfighters.

Figure long description: The Department of Defense (DoD), IC, Civil, and the CNSS form the Joint Task Force Transformation Initiative. This initiative provides Risk Management for the Federal Government, DoD, Intelligence Community, Other Government Agencies, CNSS, and NIST.

DoDI Policies and Risk Management

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD specific needs.

Figure: the policy framework, arranged in three columns. NIST: NIST SP 800-39, NIST SP 800-37, NIST SP 800-30, NIST SP 800-53, NIST SP 800-53A, NIST SP 800-137, NIST SP 800-60, NIST SP 800-160. DoD: DoDI 8500.01, DoDI 8510.01, Knowledge Service. NSS: CNSSP 22, CNSSI 1253, CNSS 4009. An overview of each policy follows; links to the policies are in the Resources section.

NIST SP 800-39

NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, Information System View, is the flagship document in the series of information security standards and guidelines developed by NIST in response to the Federal Information Security Management Act (FISMA).

The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.

Special Publication 800-39 provides a structured, yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.

The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the risk management guidance described herein is complementary to, and should be used as part of, a more comprehensive Enterprise Risk Management (ERM) program.

DoDI 8500.01

DoDI 8500.01, Cybersecurity, established a DoD cybersecurity program to protect and defend DoD information and IT. It establishes the positions of DoD Principal Authorizing Official (PAO) and the DoD Senior Information Security Officer (SISO) and continues the DoD Information Security Risk Management Committee (DoD ISRMC) (formerly known as the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel).

This policy adopted the term "cybersecurity", as it is defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23, to be used throughout DoD instead of the term Information Assurance (IA).

CNSSP No. 22

CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems, requires the implementation of an integrated, organization-wide program for managing IA risk to organizational operations (i.e., mission, functions, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of NSS. Risk management is a comprehensive process that requires organizations to frame risk, assess risk, respond to risk once determined, and monitor risk on an ongoing basis.

NIST SP 800-37

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, is a common information security framework for the federal government and its supporting contractors as part of the Joint Task Force Transformation Initiative and defines the following Risk Management Framework principles:

• Ensure management of risk from the operation and use of federal information systems is consistent with the organization's mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function)

• Ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes

• Support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results

• Achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies

CNSSI 1253

CNSSI 1253, Security Categorization and Control Selection for National Security Systems, is a companion document to NIST SP 800-53 for organizations that employ NSS. It establishes the processes for categorizing NSS and the information they process, and for appropriately selecting security controls for NSS from NIST SP 800-53.

NIST SP 800-30

NIST SP 800-30, Information Security, provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments, carried out at all three tiers in the risk management hierarchy, are part of an overall risk management process, providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.

In particular, this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and how risk assessments and other organizational risk management processes complement and inform each other.

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis, so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and different courses of action should be taken.

DoDI 8510.01

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life cycle cybersecurity risk to DoD IT. It designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG. The direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT became available. Procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD, and between DoD and other federal agencies, for the authorization and connection of Information Systems (ISs) became available.

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), applies to:

• The Office of the Secretary of Defense, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (referred to collectively in the instruction as the "DoD Components")

• All DoD IT that receives, processes, stores, displays, or transmits DoD information. These technologies are broadly grouped as DoD Information Systems (IS), Platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, Test and Evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD.

CNSS 4009

CNSS 4009, National Information Assurance (IA) Glossary, contains IA terms submitted by the CNSS membership.

NIST SP 800-53

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.

NIST SP 800-53A

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans, and includes a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.

NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides ongoing monitoring of security. This policy includes:

• Determining if security controls continue to be effective over time

• How to respond to risk as situations change

• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance

Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.

NIST SP 800-60

NIST SP 800-60, Information Security, addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)

• Information systems (e.g., mission critical, mission support, administrative)

NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts and covers 11 core technical processes in systems and software development.

The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities

• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle

• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied

• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and to serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria

Long Description

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies include:

• NIST SP 800-39, input into DoDI 8500.01
• NIST SP 800-37, input into DoDI 8500.01 and DoDI 8510.01
• NIST SP 800-30, input into DoDI 8510.01
• NIST SP 800-53, input into DoDI 8510.01
• NIST SP 800-53A, input into DoDI 8510.01
• NIST SP 800-137, input into DoDI 8510.01
• NIST SP 800-60, input into the Knowledge Service
• NIST SP 800-160, input into the Knowledge Service

NSS policies include:

• CNSSP 22, input into DoDI 8500.01
• CNSSI 1253, NIST SP 800-37, input into DoDI 8500.01 and DoDI 8510.01
• CNSS 4009, input into DoDI 8510.01

DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework. The headings are Decision Structure, NIST SP 800-37, FISMA 2014, and CNSSI 1253.

Decision Structure

The DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.

NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF, consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.

FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014.

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (U.S.C.).

CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53

• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)

• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS

DoD Risk Management Framework Policy (Cont.)

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process.

• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely documented and reported to the responsible DoD Component Senior Information Security Officer (SISO).

• All DoD Information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01.

• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.

• Continuous monitoring capabilities will be implemented to the greatest extent possible.

• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes.

Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ______ to establish a single approach to managing risk within National Security Systems. (Fill in the blank)

[ ] US Army
[ ] US Air Force
[ ] US Marine Corps
[ ] US Navy
[x] Intelligence Community
[x] National Institute of Standards and Technology (NIST)
[x] Committee on National Security Systems (CNSS)
[ ] Department of Justice
[ ] Department of Commerce
[ ] Department of Interior

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.

Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

[ ] An information system connecting to another information system
[ ] A system that has already been tested and evaluated to meet security requirements for another purpose
[x] A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information
[ ] A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.

Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.

Successful Risk Management Programs

For acquisition programs and cybersecurity risk management to be successful, organizations need to:

• Conduct risk assessments

• Implement risk mitigation strategies

• Employ techniques and procedures for continuously monitoring the security state of information systems

An effective Risk Management Program allows balance between costs of protective measures and gains in mission capability.

Risk Management Guidance As It Relates to the DoD RMF

The DoD leverages several policy and guidance documents to address the Department's focus on risk management. Per Department of Defense Instruction (DoDI) 5000.02 and DoDI 8500.01, building cybersecurity into the system early and throughout the life cycle is required to enable operational and technical cybersecurity risks to be identified and sufficiently mitigated throughout the acquisition process. It will also lead to decreased program costs, shortened schedules, and improved system performance, resilience, and trustworthiness.

Following are two references cybersecurity professionals and program managers can use for guidance:

• The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs

• The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle

The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs, dated January 2017, replaces the DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs dated June 2015 and the Risk Management Guide for DoD Acquisition Programs dated 2006. This guide builds from previous editions of the DoD Risk Management Guide but reflects revisions to emphasize managing not only program risks but also issues and opportunities, and is complementary to the Risk Management Framework.

The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle is designed to help Program Managers (PMs) understand how to integrate cybersecurity into their programs throughout the system life cycle. This should be done in accordance with the RMF and through collaboration with the Authorizing Official (AO), who ensures that the cybersecurity risk posture of the system is managed and maintained during operations.

Knowledge Review 1

The process of managing risks to organizational operations, organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system includes:

[ ] conducting a risk assessment
[ ] the implementation of a risk mitigation strategy
[ ] documenting the overall risk management program
[x] all of the above

Conducting a risk assessment, implementing a risk mitigation strategy, and documenting the overall risk management program are the processes of managing risks.

Federal-wide Partnership to Establish Single Approach to Risk Management for National Security Systems

In 2009, the Joint Task Force Transformation Initiative Interagency Working Group was formed with representatives from NIST, DoD, CNSS, and the Office of the Director of National Intelligence (ODNI) to produce a unified information risk management framework for the federal government.

The move to the RMF aligns the DoD with the Federal government's risk management approach as described in the Joint Task Force Transformation Initiative Interagency Working Group efforts and captured in NIST 800-series Special Publications on information security.

DoD leverages and builds upon numerous existing Federal policies and standards, resulting in less DoD policy to write and maintain.

DoD participates in CNSS and NIST policy development as a vested stakeholder, with the goals of a more synchronized cybersecurity landscape and to protect the unique requirements of DoD Missions and warfighters.

Long Description

The Department of Defense (DoD), IC, Civil, and the CNSS form the Joint Task Force Transformation Initiative. This initiative provides Risk Management for the Federal Government: DoD, Intelligence Community, Other Government Agencies, CNSS, and NIST.

[Framework diagram: NIST publications (SP 800-39, 800-37, 800-30, 800-53, 800-53A, 800-137, 800-60, 800-160), DoD instructions (DoDI 8500.01, DoDI 8510.01), NSS policies (CNSSP 22, CNSSI 1253, CNSS 4009), and the Knowledge Service.]

NIST SP 800-39

NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, Information System View, is the flagship document in the series of information security standards and guidelines developed by NIST in response to the Federal Information Security Management Act (FISMA).

The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.

Special Publication 800-39 provides a structured, yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.

The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the risk management guidance described herein is complementary to and should be used as part of a more comprehensive Enterprise Risk Management (ERM) program.

DoDI 8500.01

DoDI 8500.01, Cybersecurity, established a DoD cybersecurity program to protect and defend DoD information and IT. It establishes the positions of DoD Principal Authorizing Official (PAO) and the DoD Senior Information Security Officer (SISO) and continues the DoD Information Security Risk Management Committee (DoD ISRMC) (formerly known as the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel).

This policy adopted the term cybersecurity as it is defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23, to be used throughout DoD instead of the term Information Assurance (IA).

CNSSP No. 22

CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems, requires the implementation of an integrated organization-wide program for managing IA risk to organizational operations (i.e., mission, functions, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of NSS. Risk management is a comprehensive process that requires organizations to frame risk, assess risk, respond to risk once determined, and monitor risk on an ongoing basis.

NIST SP 800-37

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, is a common information security framework for the federal government and its supporting contractors as part of the Joint Task Force Transformation Initiative and defines the following Risk Management Framework principles:

• Ensure management of risk from the operation and use of federal information systems is consistent with the organization's mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function)

• Ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes

• Support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results

• Achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies

CNSSI 1253

CNSSI 1253, Security Categorization and Control Selection for National Security Systems, is a companion document to NIST SP 800-53 for organizations that employ NSS. It establishes the processes for categorizing NSS and the information they process and for appropriately selecting security controls for NSS from NIST SP 800-53.

NIST SP 800-30

NIST SP 800-30, Information Security, provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments carried out at all three tiers in the risk management hierarchy are part of an overall risk management process, providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.

In particular, this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and how risk assessments and other organizational risk management processes complement and inform each other.

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis, so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and different courses of action should be taken.

DoDI 8510.01

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life cycle cybersecurity risk to DoD IT. It designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG. The direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT became available. Procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD and between DoD and other federal agencies for the authorization and connection of Information Systems (ISs) became available.

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), applies to:

• The Office of the Secretary of Defense, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (referred to collectively in the instruction as the DoD Components)

• All DoD IT that receives, processes, stores, displays, or transmits DoD information. These technologies are broadly grouped as DoD Information Systems (IS), Platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, Test and Evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD.

CNSS 4009

CNSS 4009, National Information Assurance (IA) Glossary, contains IA terms submitted by the CNSS membership.

NIST SP 800-53

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.

NIST SP 800-53A

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans and includes a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.

NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides ongoing monitoring of security. This policy includes:

• Determining if security controls continue to be effective over time

• How to respond to risk as situations change

• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.

NIST SP 800-60, Information Security, addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)

• Information systems (e.g., mission critical, mission support, administrative)

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts and covers 11 core technical processes in systems and software development. The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities

• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle

• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied

• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria

Long Description: DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies include:

• NIST SP 800-39, input into DoDI 8500.01

• NIST SP 800-37, input into DoDI 8500.01 and DoDI 8510.01

• NIST SP 800-30, input into DoDI 8510.01

• NIST SP 800-53, input into DoDI 8510.01

• NIST SP 800-53A, input into DoDI 8510.01

• NIST SP 800-137, input into DoDI 8510.01

• NIST SP 800-60, input into the Knowledge Service

• NIST SP 800-160, input into the Knowledge Service

• CNSSP 22, input into DoDI 8500.01

• CNSSI 1253, input into DoDI 8500.01 and DoDI 8510.01

• CNSS 4009, input into DoDI 8510.01

DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework.

Decision Structure

The DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.

NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF, consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.

FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014.

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (U.S.C.).

CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53

• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)

• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS

DoD Risk Management Framework Policy, Cont.

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process.

• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely, documented, and reported to the responsible DoD Component Senior Information Security Officer (SISO).

• All DoD Information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01.

• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.

• Continuous monitoring capabilities will be implemented to the greatest extent possible.

• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes.

Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ______ to establish a single approach to managing risk within National Security Systems. (Fill in the blank)

[ ] U.S. Army, U.S. Air Force, U.S. Marine Corps, U.S. Navy

[x] Intelligence Community, National Institute of Standards and Technology (NIST), Committee on National Security Systems (CNSS)

[ ] Department of Justice, Department of Commerce

[ ] Department of Interior

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.

Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

[ ] An information system connecting to another information system

[ ] A system that has already been tested and evaluated to meet security requirements for another purpose

[x] A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information

[ ] A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.

Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.


Risk Management Guidance As It Relates to the DoD RMF

The DoD leverages several policy and guidance documents to address the Department's focus on risk management. Per Department of Defense Instruction (DoDI) 5000.02 and DoDI 8500.01, building cybersecurity into the system early and throughout the life cycle is required to enable operational and technical cybersecurity risks to be identified and sufficiently mitigated throughout the acquisition process. It will also lead to decreased program costs, shortened schedules, and improved system performance, resilience, and trustworthiness.

Following are two references cybersecurity professionals and program managers can use for guidance:

• The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs

• The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle

The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs, dated January 2017, replaces the DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs dated June 2015 and the Risk Management Guide for DoD Acquisition Programs dated 2006. This guide builds from previous editions of the DoD Risk Management Guide but reflects revisions to emphasize managing not only program risks but also issues and opportunities, and is complementary to the Risk Management Framework.

The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle is designed to help Program Managers (PMs) understand how to integrate cybersecurity into their programs throughout the system life cycle. This should be done in accordance with the RMF and through collaboration with the Authorizing Official (AO), who ensures that the cybersecurity risk posture of the system is managed and maintained during operations.

Knowledge Review 1

The process of managing risks to organizational operations, organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system includes:

[ ] conducting a risk assessment

[ ] the implementation of a risk mitigation strategy

[ ] documenting the overall risk management program

[x] all of the above

Conducting a risk assessment, implementing a risk mitigation strategy, and documenting the overall risk management program are the processes of managing risks.

Federal-wide Partnership to Establish Single Approach to Risk Management for National Security Systems

In 2009, the Joint Task Force Transformation Initiative Interagency Working Group was formed with representatives from NIST, DoD, CNSS, and the Office of the Director of National Intelligence (ODNI) to produce a unified information risk management framework for the federal government.

The move to the RMF aligns the DoD with the Federal government's risk management approach as described in the Joint Task Force Transformation Initiative Interagency Working Group efforts and captured in NIST 800-series Special Publications on information security.

DoD leverages and builds upon numerous existing Federal policies and standards, resulting in less DoD policy to write and maintain.

DoD participates in CNSS and NIST policy development as a vested stakeholder, with the goals of a more synchronized cybersecurity landscape and to protect the unique requirements of DoD Missions and warfighters.

Long Description: The Department of Defense (DoD), IC, Civil, and the CNSS form the Joint Task Force Transformation Initiative. This initiative provides Risk Management for the Federal Government, DoD, Intelligence Community, Other Government Agencies, CNSS, and NIST.

DoDI Policies and Risk Management

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD-specific needs.

Please select each box of the framework for an overview of the policy. The links to the policies will be made available in the Resources section.

[Framework diagram with three columns. NIST: SP 800-39, SP 800-37, SP 800-30, SP 800-53, SP 800-53A, SP 800-137, SP 800-60, SP 800-160. DoD: DoDI 8500.01, DoDI 8510.01, Knowledge Service. NSS: CNSSP 22, CNSSI 1253, CNSS 4009.]

NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, is the flagship document in the series of information security standards and guidelines developed by NIST in response to the Federal Information Security Management Act (FISMA).

The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.

Special Publication 800-39 provides a structured, yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.

The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the risk management guidance described herein is complementary to, and should be used as part of, a more comprehensive Enterprise Risk Management (ERM) program.

DoDI 8500.01, Cybersecurity, established a DoD cybersecurity program to protect and defend DoD information and IT. It establishes the positions of DoD Principal Authorizing Official (PAO) and the DoD Senior Information Security Officer (SISO), and continues the DoD Information Security Risk Management Committee (DoD ISRMC), formerly known as the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel.

This policy adopted the term "cybersecurity," as it is defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23, to be used throughout DoD instead of the term Information Assurance (IA).

CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems, requires the implementation of an integrated organization-wide program for managing IA risk to organizational operations (i.e., mission, functions, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of NSS. Risk management is a comprehensive process that requires organizations to frame risk, assess risk, respond to risk once determined, and monitor risk on an ongoing basis.

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, is a common information security framework for the federal government and its supporting contractors as part of the Joint Task Force Transformation Initiative, and defines the following Risk Management Framework principles:

• Ensure management of risk from the operation and use of federal information systems is consistent with the organization's mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function)

• Ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes

• Support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results

• Achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies

CNSSI 1253, Security Categorization and Control Selection for National Security Systems, is a companion document to NIST SP 800-53 for organizations that employ NSS. It establishes the processes for categorizing NSS and the information they process, and for appropriately selecting security controls for NSS from NIST SP 800-53.

NIST SP 800-30, Information Security, provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments carried out at all three tiers in the risk management hierarchy are part of an overall risk management process, providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.

In particular, this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and how risk assessments and other organizational risk management processes complement and inform each other.

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis, so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and different courses of action should be taken.

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 851001

DoDI 851001 Risk Management Framework (RMF) for DoD Information Technology ( IT) implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life cycle cybersecurity risk to DoD IT It designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG The direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT became available Procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD and between DoD and other federal agencies for the authorization and connection of Information Systems ( ISs) became available

DoDI 851001 Risk Management Framework (RMF) for DoD Information Technology ( IT) applies to

bull The Office of the Secretary of Defense the Military Departments the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff the Combatant Commands the Office of the Inspector General of the Department of Defense (OIG DoD) the Defense Agencies the DoD Field Activities and all other organizational entities within the Department of Defense ( referred to collectively in the instruction as the DoD Components)

bull All DoD IT that receives processes stores displays or transmits DoD information These technologies are broadly grouped as DoD Information Systems ( IS) Platform IT (PIT) IT services and IT products This includes IT supporting research development Test and Evaluation (TampE) and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD


DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD-specific needs.

Please select each box of the framework for an overview of the policy. The links to the policies will be made available in the Resources section.

CNSS 4009

CNSS 4009, National Information Assurance (IA) Glossary, contains IA terms submitted by the CNSS membership.

[Figure: policy framework diagram. Columns: NIST (SP 800-39, SP 800-37, SP 800-30, SP 800-53, SP 800-53A, SP 800-137, SP 800-60, SP 800-160), DoD (DoDI 8500.01, DoDI 8510.01, Knowledge Service), and NSS (CNSSP 22, CNSSI 1253, CNSS 4009).]


NIST SP 800-53

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.


NIST SP 800-53A

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans, and includes a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.


NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides guidance for ongoing monitoring of security. This policy includes:

• Determining if security controls continue to be effective over time

• How to respond to risk as situations change

• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance


Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.


NIST SP 800-60

NIST SP 800-60, Information Security, addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)

• Information systems (e.g., mission critical, mission support, administrative)


NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts and covers 11 core technical processes in systems and software development. The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities

• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle

• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied

• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria


Long Description

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies include:

• NIST SP 800-39: input into DoDI 8500.01

• NIST SP 800-37: input into DoDI 8500.01 and DoDI 8510.01

• NIST SP 800-30: input into DoDI 8510.01

• NIST SP 800-53: input into DoDI 8510.01

• NIST SP 800-53A: input into DoDI 8510.01

• NIST SP 800-137: input into DoDI 8510.01

• NIST SP 800-60: input into the Knowledge Service

• NIST SP 800-160: input into the Knowledge Service

NSS policies include:

• CNSSP 22: input into DoDI 8500.01

• CNSSI 1253: input into DoDI 8500.01 and DoDI 8510.01

• CNSS 4009: input into DoDI 8510.01


DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework.

Decision Structure

The DoD will establish and use an integrated, enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.

NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF, consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.

FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014.

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (U.S.C.).

CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system, and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53

• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)

• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS

DoD Risk Management Framework Policy (Cont.)

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process.

• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be documented in a timely manner and reported to the responsible DoD Component Senior Information Security Officer (SISO).

• All DoD Information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01.

• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.

• Continuous monitoring capabilities will be implemented to the greatest extent possible.

• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes.


Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ______ to establish a single approach to managing risk within National Security Systems. (Fill in the blank)

• U.S. Army, U.S. Air Force, U.S. Marine Corps, U.S. Navy

• Intelligence Community, National Institute of Standards and Technology (NIST), Committee on National Security Systems (CNSS) (correct)

• Department of Justice, Department of Commerce

• Department of Interior

Answer: As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.


Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

• An information system connecting to another information system

• A system that has already been tested and evaluated to meet security requirements for another purpose

• A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information (correct)

• A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Answer: Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.


Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.


Risk Management Guidance As It Relates to the DoD RMF

The DoD leverages several policy and guidance documents to address the Department's focus on risk management. Per Department of Defense Instruction (DoDI) 5000.02 and DoDI 8500.01, building cybersecurity into the system early and throughout the life cycle is required to enable operational and technical cybersecurity risks to be identified and sufficiently mitigated throughout the acquisition process. It will also lead to decreased program costs, shortened schedules, and improved system performance, resilience, and trustworthiness.

Following are two references cybersecurity professionals and program managers can use for guidance:

• The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs

• The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle

The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs, dated January 2017, replaces the DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs dated June 2015 and the Risk Management Guide for DoD Acquisition Programs dated 2006. This guide builds from previous editions of the DoD Risk Management Guide but reflects revisions to emphasize managing not only program risks but also issues and opportunities, and is complementary to the Risk Management Framework.


The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle is designed to help Program Managers (PMs) understand how to integrate cybersecurity into their programs throughout the system life cycle. This should be done in accordance with the RMF and through collaboration with the Authorizing Official (AO), who ensures that the cybersecurity risk posture of the system is managed and maintained during operations.


Knowledge Review 1

The process of managing risks to organizational operations, organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system includes:

• conducting a risk assessment

• the implementation of a risk mitigation strategy

• documenting the overall risk management program

• all of the above (correct)

Answer: Conducting a risk assessment, implementing a risk mitigation strategy, and documenting the overall risk management program are the processes of managing risks.


Federal-wide Partnership to Establish Single Approach to Risk Management for National Security Systems

In 2009, the Joint Task Force Transformation Initiative Interagency Working Group was formed with representatives from NIST, DoD, CNSS, and the Office of the Director of National Intelligence (ODNI) to produce a unified information risk management framework for the federal government.

The move to the RMF aligns the DoD with the Federal government's risk management approach as described in the Joint Task Force Transformation Initiative Interagency Working Group efforts and captured in NIST 800-series Special Publications on information security.

DoD leverages and builds upon numerous existing Federal policies and standards, resulting in less DoD policy to write and maintain.

DoD participates in CNSS and NIST policy development as a vested stakeholder, with the goals of a more synchronized cybersecurity landscape and to protect the unique requirements of DoD Missions and warfighters.


Long Description

The Department of Defense (DoD), IC, Civil, and the CNSS form the Joint Task Force Transformation Initiative. This initiative provides Risk Management for the Federal Government: DoD, Intelligence Community, Other Government Agencies, CNSS, and NIST.

DoDI Policies and Risk Management

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD-specific needs.

Please select each box of the framework for an overview of the policy. The links to the policies will be made available in the Resources section.


NIST SP 800-39

NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, is the flagship document in the series of information security standards and guidelines developed by NIST in response to the Federal Information Security Management Act (FISMA).

The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.

Special Publication 800-39 provides a structured, yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.

The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the risk management guidance described herein is complementary to, and should be used as part of, a more comprehensive Enterprise Risk Management (ERM) program.

DoDI 8500.01

DoDI 8500.01, Cybersecurity, established a DoD cybersecurity program to protect and defend DoD information and IT. It establishes the positions of DoD Principal Authorizing Official (PAO) and the DoD Senior Information Security Officer (SISO), and continues the DoD Information Security Risk Management Committee (DoD ISRMC) (formerly known as the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel).

This policy adopted the term "cybersecurity", as it is defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23, to be used throughout DoD instead of the term Information Assurance (IA).

CNSSP No. 22

CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems, requires the implementation of an integrated, organization-wide program for managing IA risk to organizational operations (i.e., mission, functions, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of NSS. Risk management is a comprehensive process that requires organizations to frame risk, assess risk, respond to risk once determined, and monitor risk on an ongoing basis.

NIST SP 800-37

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, is a common information security framework for the federal government and its supporting contractors as part of the Joint Task Force Transformation Initiative, and defines the following Risk Management Framework principles:

• Ensure management of risk from the operation and use of federal information systems is consistent with the organization's mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function)

• Ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes

• Support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results

• Achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies

CNSSI 1253

CNSSI 1253, Security Categorization and Control Selection for National Security Systems, is a companion document to NIST SP 800-53 for organizations that employ NSS. It establishes the processes for categorizing NSS and the information they process, and for appropriately selecting security controls for NSS from NIST SP 800-53.

NIST SP 800-30

NIST SP 800-30, Information Security, provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments carried out at all three tiers in the risk management hierarchy are part of an overall risk management process, providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.

In particular, this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and how risk assessments and other organizational risk management processes complement and inform each other.

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and different courses of action should be taken.

DoDI 8510.01

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life-cycle cybersecurity risk to DoD IT. It designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG. Direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT became available. Procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD, and between DoD and other federal agencies, for the authorization and connection of Information Systems (ISs) became available.

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), applies to:

• The Office of the Secretary of Defense, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (referred to collectively in the instruction as the DoD Components).

• All DoD IT that receives, processes, stores, displays, or transmits DoD information. These technologies are broadly grouped as DoD Information Systems (IS), Platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, Test and Evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD.

CNSS 4009

CNSS 4009, National Information Assurance (IA) Glossary, contains IA terms submitted by the CNSS membership.

NIST SP 800-53

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government, to meet the requirements of Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.

NIST SP 800-53A

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans, and includes a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.

NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides guidance for the ongoing monitoring of security. This policy includes:

• Determining if security controls continue to be effective over time
• How to respond to risk as situations change
• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance
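The SP 800-30 description above (monitoring specific risk factors and noticing when a risk has grown past organizational risk tolerance) and the SP 800-137 bullets (checking whether controls stay effective and responding as situations change) describe the same loop: re-assess, compare to tolerance, decide a course of action. The following is an added example, not code from the ISA220 course, DoD or NIST. The qualitative scales and the likelihood/impact table are constructed in the style of the tables in SP 800-30; the risk register, the monitored changes and the tolerance level are placeholders chosen for this example.

```python
"""Re-evaluating assessed risks against organizational risk tolerance.

Added example, not code from the ISA220 course or from NIST. The qualitative
scales and the likelihood/impact table are constructed in the style of the
tables in SP 800-30; the risk register, the monitored changes and the
tolerance level are placeholders chosen for this example.
"""
from dataclasses import dataclass, replace

SCALE = ("very low", "low", "moderate", "high", "very high")
RANK = {s: i for i, s in enumerate(SCALE)}

# MATRIX[likelihood][RANK[impact]] -> risk level (constructed table).
MATRIX = {
    "very high": ("very low", "low", "moderate", "high", "very high"),
    "high":      ("very low", "low", "moderate", "high", "very high"),
    "moderate":  ("very low", "low", "moderate", "moderate", "high"),
    "low":       ("very low", "low", "low", "low", "moderate"),
    "very low":  ("very low", "very low", "very low", "low", "low"),
}


@dataclass(frozen=True)
class RiskRecord:
    risk_id: str
    threat_event: str
    likelihood: str   # likelihood the threat event occurs and causes harm
    impact: str       # level of harm if it does


def risk_level(likelihood, impact):
    """Combine likelihood and impact into a qualitative risk level."""
    if likelihood not in RANK or impact not in RANK:
        raise ValueError(f"unknown scale value: {likelihood!r}/{impact!r}")
    return MATRIX[likelihood][RANK[impact]]


def exceeds_tolerance(level, tolerance):
    return RANK[level] > RANK[tolerance]


def course_of_action(before, after, tolerance):
    """Decide what the change means for the organization's response."""
    over_now = exceeds_tolerance(after, tolerance)
    over_before = exceeds_tolerance(before, tolerance)
    if over_now and not over_before:
        return "newly exceeds tolerance: escalate for a risk response decision"
    if over_now:
        return "still exceeds tolerance: keep response tracked until mitigated"
    if over_before:
        return "returned within tolerance: record the closure"
    return "within tolerance: continue monitoring"


def reassess(register, updates, tolerance):
    """Apply monitored risk-factor changes and report each risk's movement.

    `updates` maps risk_id -> dict of changed fields ('likelihood'/'impact').
    """
    report = []
    for rec in register:
        before = risk_level(rec.likelihood, rec.impact)
        updated = replace(rec, **updates.get(rec.risk_id, {}))
        after = risk_level(updated.likelihood, updated.impact)
        report.append({
            "risk_id": rec.risk_id,
            "before": before,
            "after": after,
            "action": course_of_action(before, after, tolerance),
        })
    return report


# Constructed sample register and a constructed monitoring result.
SAMPLE_REGISTER = [
    RiskRecord("R-1", "Exploitation of an unpatched internet-facing service", "moderate", "high"),
    RiskRecord("R-2", "Misuse of a privileged account", "low", "very high"),
    RiskRecord("R-3", "Loss of offsite backup media", "very low", "moderate"),
]
# A monitored risk factor changed: a new vendor advisory raised R-1's likelihood.
SAMPLE_UPDATES = {"R-1": {"likelihood": "high"}}
SAMPLE_TOLERANCE = "moderate"

if __name__ == "__main__":
    for row in reassess(SAMPLE_REGISTER, SAMPLE_UPDATES, SAMPLE_TOLERANCE):
        print(f"{row['risk_id']}: {row['before']} -> {row['after']}  {row['action']}")
```

The point of separating `course_of_action` from `risk_level` is that the table and the tolerance are organizational inputs that can change independently of the register; when leadership tightens tolerance, re-running `reassess` with no updates shows which risks now need a response decision.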

Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.

NIST SP 800-60

NIST SP 800-60 addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)
• Information systems (e.g., mission critical, mission support, administrative)

NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts, and covers 11 core technical processes in systems and software development.

The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities
• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle
• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied
• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria

Long Description

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies include:

• NIST SP 800-39: input into DoDI 8500.01
• NIST SP 800-37: input into DoDI 8500.01 and DoDI 8510.01
• NIST SP 800-30: input into DoDI 8510.01
• NIST SP 800-53: input into DoDI 8510.01
• NIST SP 800-53A: input into DoDI 8510.01
• NIST SP 800-137: input into DoDI 8510.01
• NIST SP 800-60: input into the Knowledge Service
• NIST SP 800-160: input into the Knowledge Service

• CNSSP 22: input into DoDI 8500.01
• CNSSI 1253: input into DoDI 8500.01 and DoDI 8510.01
• CNSS 4009: input into DoDI 8510.01

DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework.

Decision Structure | NIST SP 800-37 | FISMA 2014 | CNSSI 1253

Decision Structure

The DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.

NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF, consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.

FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014.

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (U.S.C.).

CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53
• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)
• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS
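The SP 800-60 passage above (mapping information types to impact levels) and the CNSSI 1253 requirement just stated (determine C/I/A impact values, then select a control set and apply overlays) are one procedure. The following is an added example that is not code from the ISA220 course, DoD or NIST. The information types, their impact values, the per-objective control sets, the common control set and the overlay are constructed placeholders; the real values come from SP 800-60, CNSSI 1253 and SP 800-53, and the control identifiers shown are used only as sample strings, not as a statement of which controls any baseline contains.

```python
"""Security categorization and control selection, worked example.

Added example, not code from the ISA220 course, DoD or NIST. The information
types, their impact values, the per-objective control sets, the common control
set and the overlay are constructed placeholders for illustration; the real
values come from SP 800-60, CNSSI 1253 and SP 800-53.
"""
from dataclasses import dataclass

LEVELS = ("L", "M", "H")                      # low, moderate, high
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional C/I/A impact values."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


@dataclass(frozen=True)
class Overlay:
    """Overlay that adds and/or removes controls from the selected set."""
    name: str
    add: frozenset = frozenset()
    remove: frozenset = frozenset()


# Constructed control sets, cumulative by level for each security objective
# (the real CNSSI 1253 baselines are far larger; these are placeholders).
ADDITIONS = {
    "C": {"L": {"AC-3", "SC-8"}, "M": {"AC-6"}, "H": {"SC-28"}},
    "I": {"L": {"SI-7"}, "M": {"AU-6"}, "H": {"CM-3"}},
    "A": {"L": {"CP-2"}, "M": {"CP-9"}, "H": {"CP-7"}},
}
COMMON = {"CA-2", "PL-2", "RA-3"}  # constructed: applies at every categorization


def categorize(info_types):
    """Return the system's (C, I, A) impact triple.

    CNSSI 1253 keeps the three objectives separate rather than collapsing
    them to one high-water mark; for each objective the system value is the
    highest impact among the information types the system processes.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    for it in info_types:
        for value in (it.confidentiality, it.integrity, it.availability):
            if value not in RANK:
                raise ValueError(f"{it.name}: invalid impact value {value!r}")

    def highest(values):
        return max(values, key=RANK.__getitem__)

    return (
        highest(it.confidentiality for it in info_types),
        highest(it.integrity for it in info_types),
        highest(it.availability for it in info_types),
    )


def baseline_for(triple):
    """Union the cumulative control sets for each objective's level."""
    controls = set(COMMON)
    for objective, level in zip("CIA", triple):
        for lvl in LEVELS[: RANK[level] + 1]:
            controls |= ADDITIONS[objective][lvl]
    return controls


def apply_overlays(controls, overlays):
    """Apply overlays in order; a later overlay may undo an earlier one."""
    result = set(controls)
    for ov in overlays:
        result |= ov.add
        result -= ov.remove
    return result


def system_summary(info_types, overlays=()):
    """Categorize, select the control set, apply overlays, and summarize."""
    c, i, a = categorize(info_types)
    controls = apply_overlays(baseline_for((c, i, a)), overlays)
    return {"categorization": f"C-{c} I-{i} A-{a}", "controls": sorted(controls)}


# Constructed sample input.
SAMPLE_INFO_TYPES = [
    InfoType("Personnel records (constructed)", "M", "M", "L"),
    InfoType("Mission tasking orders (constructed)", "H", "H", "M"),
    InfoType("Public web content (constructed)", "L", "M", "L"),
]
SAMPLE_OVERLAY = Overlay("Constructed overlay",
                         add=frozenset({"AC-2"}), remove=frozenset({"CP-9"}))

if __name__ == "__main__":
    summary = system_summary(SAMPLE_INFO_TYPES, [SAMPLE_OVERLAY])
    print(summary["categorization"])      # C-H I-H A-M
    print(", ".join(summary["controls"]))
```

Because overlays are applied in order and may remove controls, the order in which an organization layers its overlays is part of the record that the assessor (SP 800-53A procedures, DoD-specific values from the KS) has to see; `apply_overlays` takes a sequence rather than a set for that reason.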

DoD Risk Management Framework Policy (Cont.)

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process.
• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely, documented, and reported to the responsible DoD Component Senior Information Security Officer (SISO).
• All DoD Information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01.
• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.
• Continuous monitoring capabilities will be implemented to the greatest extent possible.
• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes.

Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ______ to establish a single approach to managing risk within National Security Systems. (Fill in the blank)

[ ] U.S. Army
[ ] U.S. Air Force
[ ] U.S. Marine Corps
[ ] U.S. Navy
[x] Intelligence Community
[x] National Institute of Standards and Technology (NIST)
[x] Committee on National Security Systems (CNSS)
[ ] Department of Justice
[ ] Department of Commerce
[ ] Department of Interior

Answer: As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.

Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

[ ] An information system connecting to another information system
[ ] A system that has already been tested and evaluated to meet security requirements for another purpose
[x] A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information
[ ] A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Answer: Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.

Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.


Risk Management Guidance As It Relates to the DoD RMF

The DoD leverages several policy and guidance documents to address the Department's focus on risk management. Per Department of Defense Instruction (DoDI) 5000.02 and DoDI 8500.01, building cybersecurity into the system early and throughout the life cycle is required to enable operational and technical cybersecurity risks to be identified and sufficiently mitigated throughout the acquisition process. It will also lead to decreased program costs, shortened schedules, and improved system performance, resilience, and trustworthiness.

Following are two references cybersecurity professionals and program managers can use for guidance:

• The DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs
• The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle

The Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle is designed to help Program Managers (PMs) understand how to integrate cybersecurity into their programs throughout the system life cycle. This should be done in accordance with the RMF and through collaboration with the Authorizing Official (AO), who ensures that the cybersecurity risk posture of the system is managed and maintained during operations.

Knowledge Review 1

The process of managing risks to organizational operations, organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system includes:

[ ] conducting a risk assessment
[ ] the implementation of a risk mitigation strategy
[ ] documenting the overall risk management program
[x] all of the above

Answer: Conducting a risk assessment, implementing a risk mitigation strategy, and documenting the overall risk management program are the processes of managing risks.

Federal-wide Partnership to Establish Single Approach to Risk Management for National Security Systems

In 2009, the Joint Task Force Transformation Initiative Interagency Working Group was formed with representatives from NIST, DoD, CNSS, and the Office of the Director of National Intelligence (ODNI) to produce a unified information risk management framework for the federal government.

The move to the RMF aligns the DoD with the Federal government's risk management approach as described in the Joint Task Force Transformation Initiative Interagency Working Group efforts and captured in NIST 800-series Special Publications on information security.

DoD leverages and builds upon numerous existing Federal policies and standards, resulting in less DoD policy to write and maintain.

DoD participates in CNSS and NIST policy development as a vested stakeholder, with the goals of a more synchronized cybersecurity landscape and to protect the unique requirements of DoD Missions and warfighters.

Long Description

The Department of Defense (DoD), the IC, Civil, and the CNSS form the Joint Task Force Transformation Initiative. This initiative provides risk management for the Federal Government: DoD, the Intelligence Community, other Government Agencies, CNSS, and NIST.

DoDI Policies and Risk Management

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD-specific needs.

Please select each box of the framework for an overview of the policy. The links to the policies will be made available in the Resources section.

[Framework diagram with three columns. NIST: NIST SP 800-39, NIST SP 800-37, NIST SP 800-30, NIST SP 800-53, NIST SP 800-53A, NIST SP 800-137, NIST SP 800-60, NIST SP 800-160. DoD: DoDI 8500.01, DoDI 8510.01, Knowledge Service. NSS: CNSSP 22, CNSSI 1253, CNSS 4009.]

NIST SP 800-39

NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, is the flagship document in the series of information security standards and guidelines developed by NIST in response to the Federal Information Security Management Act (FISMA).

The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.

Special Publication 800-39 provides a structured, yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.

The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the risk management guidance described herein is complementary to, and should be used as part of, a more comprehensive Enterprise Risk Management (ERM) program.

DoDI 8500.01

DoDI 8500.01, Cybersecurity, established a DoD cybersecurity program to protect and defend DoD information and IT. It establishes the positions of DoD Principal Authorizing Official (PAO) and the DoD Senior Information Security Officer (SISO), and continues the DoD Information Security Risk Management Committee (DoD ISRMC) (formerly known as the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel).

This policy adopted the term "cybersecurity" as it is defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23, to be used throughout DoD instead of the term Information Assurance (IA).

CNSSP No. 22

CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems, requires the implementation of an integrated organization-wide program for managing IA risk to organizational operations (i.e., mission, functions, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of NSS. Risk management is a comprehensive process that requires organizations to frame risk, assess risk, respond to risk once determined, and monitor risk on an ongoing basis.

NIST SP 800-37

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, is a common information security framework for the federal government and its supporting contractors as part of the Joint Task Force Transformation Initiative, and defines the following Risk Management Framework principles:

• Ensure management of risk from the operation and use of federal information systems is consistent with the organization's mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function)
• Ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes
• Support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results
• Achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 850001 and 851001 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD specific needs

Please select each box of the framework for an overview of the policy The links to t he policies will be made available in the Resources section

NSS CNSSI 1253

CNSSP 22 CNSSI 1253 Security Categorization and Control Selection for -t National Security Systems is a companion document to NIST - shySP 800-53 for organiza tions that employ NSS It establishes CNSSI 1253 )the processes for categorizing NSS and the information they process and for appropriately selecting security controls for

-r- CNSS bull009NSS from NIST SP 800-53

NIST SP 80~3A lNIST SP 800-137

Knowledge Scrvlco

NIST SP 800-60

al -=shyNIST SP 800middot160

I Pbull ge16of21 I Back Next

NIST SP 800-30

NIST SP 800-30, Information Security, provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments carried out at all three tiers in the risk management hierarchy are part of an overall risk management process, providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.

In particular, this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and for how risk assessments and other organizational risk management processes complement and inform each other.

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis, so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and whether different courses of action should be taken.

DoDI 8510.01

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life-cycle cybersecurity risk to DoD IT. It designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG. Direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT became available, as did procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD, and between DoD and other federal agencies, for the authorization and connection of Information Systems (ISs).

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), applies to:

• The Office of the Secretary of Defense, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (referred to collectively in the instruction as the DoD Components).

• All DoD IT that receives, processes, stores, displays, or transmits DoD information. These technologies are broadly grouped as DoD Information Systems (IS), Platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, Test and Evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD.

CNSS 4009

CNSS 4009, National Information Assurance (IA) Glossary, contains IA terms submitted by the CNSS membership.

NIST SP 800-53

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.

NIST SP 800-53A

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans, and includes a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.

NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides for ongoing monitoring of security. This policy includes:

• Determining if security controls continue to be effective over time

• How to respond to risk as situations change

• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance

Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.

NIST SP 800-60

NIST SP 800-60, Information Security, addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)

• Information systems (e.g., mission critical, mission support, administrative)

NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts, and covers 11 core technical processes in systems and software development.

The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities

• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle

• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied

• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria

Long Description

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies include:

• NIST SP 800-39: input into DoDI 8500.01
• NIST SP 800-37: input into DoDI 8500.01 and DoDI 8510.01
• NIST SP 800-30: input into DoDI 8510.01
• NIST SP 800-53: input into DoDI 8510.01
• NIST SP 800-53A: input into DoDI 8510.01
• NIST SP 800-137: input into DoDI 8510.01
• NIST SP 800-60: input into the Knowledge Service
• NIST SP 800-160: input into the Knowledge Service

NSS policies include:

• CNSSP 22: input into DoDI 8500.01
• CNSSI 1253: input into DoDI 8500.01 and DoDI 8510.01
• CNSS 4009: input into DoDI 8510.01

DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework.

Decision Structure

The DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.

NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF, consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.

FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014.

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (U.S.C.).

CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system, and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53

• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)

• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS

DoD Risk Management Framework Policy (Cont.)

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process.

• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely, documented, and reported to the responsible DoD Component Senior Information Security Officer (SISO).

• All DoD Information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01.

• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.

• Continuous monitoring capabilities will be implemented to the greatest extent possible.

• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes.

Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ________ to establish a single approach to managing risk within National Security Systems. (Fill in the blank.)

• U.S. Army
• U.S. Air Force
• U.S. Marine Corps
• U.S. Navy
• Intelligence Community, National Institute of Standards and Technology (NIST), Committee on National Security Systems (CNSS)
• Department of Justice
• Department of Commerce
• Department of Interior

Check Answer

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.

Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

• An information system connecting to another information system

• A system that has already been tested and evaluated to meet security requirements for another purpose

• A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information

• A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Check Answer

Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.

Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.


Knowledge Review 1

The process of managing risks to organizational operations, organizational assets, individuals, other organizations, or the Nation resulting from the operation or use of an information system includes:

• conducting a risk assessment

• the implementation of a risk mitigation strategy

• documenting the overall risk management program

• all of the above

Check Answer

Conducting a risk assessment, implementing a risk mitigation strategy, and documenting the overall risk management program are the processes of managing risks.

Federal-wide Partnership to Establish Single Approach to Risk Management for National Security Systems

In 2009, the Joint Task Force Transformation Initiative Interagency Working Group was formed with representatives from NIST, DoD, CNSS, and the Office of the Director of National Intelligence (ODNI) to produce a unified information risk management framework for the federal government.

The move to the RMF aligns the DoD with the Federal government's risk management approach as described in the Joint Task Force Transformation Initiative Interagency Working Group efforts and captured in NIST 800-series Special Publications on information security.

DoD leverages and builds upon numerous existing Federal policies and standards, resulting in less DoD policy to write and maintain.

DoD participates in CNSS and NIST policy development as a vested stakeholder, with the goals of a more synchronized cybersecurity landscape and protection of the unique requirements of DoD Missions and warfighters.

Long Description

The Department of Defense (DoD), IC, Civil, and the CNSS form the Joint Task Force Transformation Initiative. This initiative provides Risk Management for the Federal Government: DoD, Intelligence Community, Other Government Agencies, CNSS, and NIST.

DoDI Policies and Risk Management

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD-specific needs.

Please select each box of the framework for an overview of the policy. The links to the policies will be made available in the Resources section.

[Framework diagram: three columns. NIST: SP 800-39, SP 800-37, SP 800-30, SP 800-53, SP 800-53A, SP 800-137, SP 800-60, SP 800-160. DoD: DoDI 8500.01, DoDI 8510.01, Knowledge Service. NSS: CNSSP 22, CNSSI 1253, CNSS 4009.]

NIST SP 800-39

NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, is the flagship document in the series of information security standards and guidelines developed by NIST in response to the Federal Information Security Management Act (FISMA).

The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.

Special Publication 800-39 provides a structured, yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.

The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the risk management guidance described herein is complementary to, and should be used as part of, a more comprehensive Enterprise Risk Management (ERM) program.

DoDI 8500.01

DoDI 8500.01, Cybersecurity, established a DoD cybersecurity program to protect and defend DoD information and IT. It establishes the positions of DoD Principal Authorizing Official (PAO) and DoD Senior Information Security Officer (SISO), and continues the DoD Information Security Risk Management Committee (DoD ISRMC), formerly known as the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel.

This policy adopted the term "cybersecurity," as defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23, to be used throughout DoD instead of the term Information Assurance (IA).

CNSSP No. 22

CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems, requires the implementation of an integrated organization-wide program for managing IA risk to organizational operations (i.e., mission, functions, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of NSS. Risk management is a comprehensive process that requires organizations to frame risk, assess risk, respond to risk once determined, and monitor risk on an ongoing basis.

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

Do DI 8500 O I an NIST S P 800-37

across the feder

NIST SP 800-37 Guide for Applying the Risk Management Framework to Federal Please select ea

Information Systems-A Security Life cycle Approach is a common information made ava ilable in

security framework for the federal government and its supporting contractors as part of the Joint Task Force Transformation Initiative and defines the following Risk

NI Management Framework principles

r NISTS bull Ensure management of risk from the operation and use of federal information

systems is consistent with the organizations mission business objectives and overall risk strategy established by the senior leadership through the risk NISTS executive ( function )

bull Ensure that information security requirements including necessary securityNISTS

controls are integrated into the organizations enterprise architecture and system development life cycle processes

NIST S bull Support consistent well - informed and ongoing security authorization decisions ( through continuous monitoring) transparency of security and risk- related information and reciprocity of authorization results

bull Achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies

NIST SP 800-60

NIST SP 800-160

I Page16of21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 850001 and 851001 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD specific needs

Please select each box of the framework for an overview of the policy The links to t he policies will be made available in the Resources section

NSS CNSSI 1253

CNSSP 22 CNSSI 1253 Security Categorization and Control Selection for -t National Security Systems is a companion document to NIST - shySP 800-53 for organiza tions that employ NSS It establishes CNSSI 1253 )the processes for categorizing NSS and the information they process and for appropriately selecting security controls for

-r- CNSS bull009NSS from NIST SP 800-53

NIST SP 80~3A lNIST SP 800-137

Knowledge Scrvlco

NIST SP 800-60

al -=shyNIST SP 800middot160

I Pbull ge16of21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

NIST SP 800-30

NIST SP 800-30 provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments carried out at all three tiers in the risk management hierarchy are part of an overall risk management process, providing senior leaders and executives with the information needed to determine appropriate courses of action in response to identified risks.

In particular, this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and explains how risk assessments and other organizational risk management processes complement and inform each other.

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis, so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and whether different courses of action should be taken.


DoDI 8510.01

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life-cycle cybersecurity risk to DoD IT. It designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG. Direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT became available, as did procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD, and between DoD and other federal agencies, for the authorization and connection of Information Systems (ISs).

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), applies to:

• The Office of the Secretary of Defense, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (referred to collectively in the instruction as the DoD Components)

• All DoD IT that receives, processes, stores, displays, or transmits DoD information. These technologies are broadly grouped as DoD Information Systems (IS), Platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, Test and Evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD.


CNSS 4009

CNSS 4009, National Information Assurance (IA) Glossary, contains IA terms submitted by the CNSS membership.


NIST SP 800-53

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government, to meet the requirements of Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.


NIST SP 800-53A

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans, and includes a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.


NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides guidance for ongoing monitoring of security. This policy includes:

• Determining if security controls continue to be effective over time

• How to respond to risk as situations change

• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance


RMF Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.


NIST SP 800-60

NIST SP 800-60 addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)

• Information systems (e.g., mission critical, mission support, administrative)


NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts, and covers 11 core technical processes in systems and software development.

The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities

• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle

• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied

• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria


Long description of the framework diagram: DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies include:

• NIST SP 800-39 input into DoDI 8500.01
• NIST SP 800-37 input into DoDI 8500.01 and DoDI 8510.01
• NIST SP 800-30 input into DoDI 8510.01
• NIST SP 800-53 input into DoDI 8510.01
• NIST SP 800-53A input into DoDI 8510.01
• NIST SP 800-137 input into DoDI 8510.01
• NIST SP 800-60 input into the Knowledge Service
• NIST SP 800-160 input into the Knowledge Service

NSS policies include:

• CNSSP 22 input into DoDI 8500.01
• CNSSI 1253 input into DoDI 8500.01 and DoDI 8510.01
• CNSS 4009 input into DoDI 8510.01


DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework. (Headings: Decision Structure, NIST SP 800-37, FISMA 2014, CNSSI 1253)

Decision Structure

The DoD will establish and use an integrated, enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.


NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF, consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.


FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014.

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (USC).


CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system, and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53

• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)

• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS


DoD Risk Management Framework Policy (Cont.)

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process.

• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely, documented, and reported to the responsible DoD Component Senior Information Security Officer (SISO).

• All DoD Information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01.

• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.

• Continuous monitoring capabilities will be implemented to the greatest extent possible.

• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes.


Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ________ to establish a single approach to managing risk within National Security Systems. (Fill in the blank)

• US Army, US Air Force, US Marine Corps, US Navy
• Intelligence Community, National Institute of Standards and Technology (NIST), Committee on National Security Systems (CNSS) (correct)
• Department of Justice, Department of Commerce
• Department of Interior

Answer: As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.


Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

• An information system connecting to another information system
• A system that has already been tested and evaluated to meet security requirements for another purpose
• A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information (correct)
• A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Answer: Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.


Lesson Completion

You have completed the content for this lesson

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents click the Show TOC button at the top in the Atlas navigation bar


Federal-wide Partnership to Establish Single Approach to Risk Management for National Security Systems

In 2009, the Joint Task Force Transformation Initiative Interagency Working Group was formed with representatives from NIST, DoD, CNSS, and the Office of the Director of National Intelligence (ODNI) to produce a unified information risk management framework for the federal government.

The move to the RMF aligns the DoD with the Federal government's risk management approach as described in the Joint Task Force Transformation Initiative Interagency Working Group efforts and captured in NIST 800-series Special Publications on information security.

DoD leverages and builds upon numerous existing Federal policies and standards, resulting in less DoD policy to write and maintain.

DoD participates in CNSS and NIST policy development as a vested stakeholder, with the goals of a more synchronized cybersecurity landscape and protecting the unique requirements of DoD Missions and warfighters.

Long description of the figure: The Department of Defense (DoD), IC, Civil, and the CNSS form the Joint Task Force Transformation Initiative. This initiative provides risk management for the Federal Government: DoD, Intelligence Community, Other Government Agencies, CNSS, and NIST.


DoDI Policies and Risk Management

NIST SP 800-39

NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, is the flagship document in the series of information security standards and guidelines developed by NIST in response to the Federal Information Security Management Act (FISMA).

The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.

Special Publication 800-39 provides a structured, yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.

The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the risk management guidance described herein is complementary to, and should be used as part of, a more comprehensive Enterprise Risk Management (ERM) program.


DoDI 8500.01

DoDI 8500.01, Cybersecurity, established a DoD cybersecurity program to protect and defend DoD information and IT. It establishes the positions of DoD Principal Authorizing Official (PAO) and DoD Senior Information Security Officer (SISO), and continues the DoD Information Security Risk Management Committee (DoD ISRMC), formerly known as the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel.

This policy adopted the term cybersecurity, as it is defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23, to be used throughout DoD instead of the term Information Assurance (IA).


CNSSP No. 22

CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems, requires the implementation of an integrated, organization-wide program for managing IA risk to organizational operations (i.e., mission, functions, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of NSS. Risk management is a comprehensive process that requires organizations to frame risk, assess risk, respond to risk once determined, and monitor risk on an ongoing basis.


NIST SP 800-37

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, is a common information security framework for the federal government and its supporting contractors, developed as part of the Joint Task Force Transformation Initiative. It defines the following Risk Management Framework principles:

• Ensure management of risk from the operation and use of federal information systems is consistent with the organization's mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function)

• Ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes

• Support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results

• Achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies

NIST SP 800-60

NIST SP 800-160

I Page16of21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 850001 and 851001 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD specific needs

Please select each box of the framework for an overview of the policy The links to t he policies will be made available in the Resources section

NSS CNSSI 1253

CNSSP 22 CNSSI 1253 Security Categorization and Control Selection for -t National Security Systems is a companion document to NIST - shySP 800-53 for organiza tions that employ NSS It establishes CNSSI 1253 )the processes for categorizing NSS and the information they process and for appropriately selecting security controls for

-r- CNSS bull009NSS from NIST SP 800-53

NIST SP 80~3A lNIST SP 800-137

Knowledge Scrvlco

NIST SP 800-60

al -=shyNIST SP 800middot160

I Pbull ge16of21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 8500 O I an NIST S P 800-30

across the feder

NIST SP 800-30 I nformation Securit y provides guidance for conducting riskPlease select ea

assessments of federal in formation systems and organizations amplifying the guidance made ava ilable in in Special Publication 800-39 Risk assessments carried out at all three tiers in the risk

management hierarchy are part of an overall risk management process- providing NI senior leaders executives with the in formation needed to determine appropriate

courses of action in response to identified risks NISTS

=====-I In particular this document provides guidance for carrying out each of the steps in ( NIST S the risk assessment process ( ie preparing for the assessment conducting the ====-I assessment communicating the results of the assessment and maintaining the

assessment) and how risk assessments and other organizational risk management NISTS processes complement and in form each other

r-----1 NIST S Special Publication 800-30 also provides guidance to organizations on identifying

r------1 specific risk factors to monitor on an ongoing basis so that organizations can determine whether risks have increased to unacceptable levels ( ie exceeding organizational risk tolerance) and different courses of action should be taken

NIST S

NIST SP 800-60

NIST SP 800-1 60

I Page16of21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 8510.01

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life-cycle cybersecurity risk to DoD IT. The instruction designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG. It gave DoD Components deploying and receiving DoD IT direct visibility of authorization documentation and the ability to reuse artifacts between and among them, and it provided procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD, and between DoD and other federal agencies, for the authorization and connection of Information Systems (ISs).

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), applies to:

• The Office of the Secretary of Defense, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (referred to collectively in the instruction as the DoD Components).

• All DoD IT that receives, processes, stores, displays, or transmits DoD information. These technologies are broadly grouped as DoD Information Systems (IS), Platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, test and evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD.


DoDI 8500.01 and DoDI 8510.01 align DoD cybersecurity policy with, and leverage, NIST and National Security System (NSS) policies for commonality across the federal government while addressing DoD-specific needs. The policies that feed the DoD RMF are summarized below.


CNSSI 4009

CNSSI 4009 (CNSS Instruction No. 4009), National Information Assurance (IA) Glossary, contains IA terms submitted by the CNSS membership.


NIST SP 800-53

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government, to meet the requirements of Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.


NIST SP 800-53A

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans, and includes a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.


NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, provides guidance for the ongoing monitoring of security. This guidance covers:

• Determining if security controls continue to be effective over time
• How to respond to risk as situations change
• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance


RMF Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.


NIST SP 800-60

NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)
• Information systems (e.g., mission critical, mission support, administrative)


NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts, and covers 11 core technical processes in systems and software development. The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities
• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle
• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied
• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria


Long description of the policy framework figure: DoDI 8500.01 and DoDI 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the RMF Knowledge Service.

NIST policies include:

• NIST SP 800-39: input into DoDI 8500.01
• NIST SP 800-37: input into DoDI 8500.01 and DoDI 8510.01
• NIST SP 800-30: input into DoDI 8510.01
• NIST SP 800-53: input into DoDI 8510.01
• NIST SP 800-53A: input into DoDI 8510.01
• NIST SP 800-137: input into DoDI 8510.01
• NIST SP 800-60: input into the Knowledge Service
• NIST SP 800-160: input into the Knowledge Service

NSS policies include:

• CNSSP 22: input into DoDI 8500.01
• CNSSI 1253: input into DoDI 8500.01 and DoDI 8510.01
• CNSSI 4009: input into DoDI 8510.01


DoD Risk Management Framework Policy

The key policy requirements for the execution of the DoD Risk Management Framework come from four sources: the DoD decision structure, NIST SP 800-37, FISMA 2014, and CNSSI 1253.


Decision Structure

The DoD will establish and use an integrated, enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.


NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF, consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.


FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014. DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (U.S.C.).


CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system, and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53
• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)
• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS


DoD Risk Management Framework Policy (Cont.)

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process.
• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely, documented, and reported to the responsible DoD Component Senior Information Security Officer (SISO).
• All DoD information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01.
• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.
• Continuous monitoring capabilities will be implemented to the greatest extent possible.
• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test and Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes.


Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ______ to establish a single approach to managing risk within National Security Systems. (Fill in the blank; more than one answer applies.)

• U.S. Army
• U.S. Air Force
• U.S. Marine Corps
• U.S. Navy
• Intelligence Community
• National Institute of Standards and Technology (NIST)
• Committee on National Security Systems (CNSS)
• Department of Justice
• Department of Commerce
• Department of Interior

Answer: As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.


Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

• An information system connecting to another information system
• A system that has already been tested and evaluated to meet security requirements for another purpose
• A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information
• A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Answer: Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.


Lesson Completion

You have completed the content for this lesson

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents click the Show TOC button at the top in the Atlas navigation bar


Federal-wide Partnership to Establish Single Approach to Risk Management for National Security Systems

In 2009, the Joint Task Force Transformation Initiative Interagency Working Group was formed with representatives from NIST, DoD, CNSS, and the Office of the Director of National Intelligence (ODNI) to produce a unified information risk management framework for the federal government.

[Figure: The Department of Defense (DoD), the Intelligence Community (IC), civil agencies, and the CNSS form the Joint Task Force Transformation Initiative. This initiative provides risk management for the Federal Government, DoD, the Intelligence Community, other government agencies, CNSS, and NIST.]

DoD leverages and builds upon numerous existing Federal policies and standards, resulting in less DoD policy to write and maintain.

DoD participates in CNSS and NIST policy development as a vested stakeholder, with the goals of a more synchronized cybersecurity landscape and protecting the unique requirements of DoD missions and warfighters.


DoDI Policies and Risk Management

[Figure: policy framework showing how DoDI 8500.01 and DoDI 8510.01 align cybersecurity policy with, and leverage, NIST and NSS policies for commonality across the federal government while addressing DoD-specific needs. NIST column: NIST SP 800-39, SP 800-37, SP 800-30, SP 800-53, SP 800-53A, SP 800-137, SP 800-60, SP 800-160. DoD column: DoDI 8500.01, DoDI 8510.01, RMF Knowledge Service. NSS column: CNSSP 22, CNSSI 1253, CNSSI 4009.]

NIST SP 800-39

NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, is the flagship document in the series of information security standards and guidelines developed by NIST in response to the Federal Information Security Management Act (FISMA).

The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.

Special Publication 800-39 provides a structured, yet flexible, approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.

The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the risk management guidance described herein is complementary to, and should be used as part of, a more comprehensive Enterprise Risk Management (ERM) program.

DoDI 8500.01

DoDI 8500.01, Cybersecurity, established a DoD cybersecurity program to protect and defend DoD information and IT. It establishes the positions of DoD Principal Authorizing Official (PAO) and DoD Senior Information Security Officer (SISO), and continues the DoD Information Security Risk Management Committee (DoD ISRMC), formerly known as the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel.

This policy adopted the term "cybersecurity," as defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23, to be used throughout DoD instead of the term Information Assurance (IA).

CNSSP No. 22

CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems, requires the implementation of an integrated, organization-wide program for managing IA risk to organizational operations (i.e., mission, functions, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of NSS. Risk management is a comprehensive process that requires organizations to frame risk, assess risk, respond to risk once determined, and monitor risk on an ongoing basis.

NIST SP 800-37

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, is a common information security framework for the federal government and its supporting contractors, produced as part of the Joint Task Force Transformation Initiative. It defines the following Risk Management Framework principles:

• Ensure management of risk from the operation and use of federal information systems is consistent with the organization's mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function)
• Ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes
• Support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results
• Achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies

CNSSI 1253

CNSSI 1253, Security Categorization and Control Selection for National Security Systems, is a companion document to NIST SP 800-53 for organizations that employ NSS. It establishes the processes for categorizing NSS and the information they process, and for appropriately selecting security controls for NSS from NIST SP 800-53.

NIST SP 800-30

NIST SP 800-30, Guide for Conducting Risk Assessments, provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments carried out at all three tiers in the risk management hierarchy are part of an overall risk management process, providing senior leaders and executives with the information needed to determine appropriate courses of action in response to identified risks.

In particular, this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and how risk assessments and other organizational risk management processes complement and inform each other.

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis, so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and whether different courses of action should be taken.

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 851001

DoDI 851001 Risk Management Framework (RMF) for DoD Information Technology ( IT) implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life cycle cybersecurity risk to DoD IT It designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG The direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT became available Procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD and between DoD and other federal agencies for the authorization and connection of Information Systems ( ISs) became available

DoDI 851001 Risk Management Framework (RMF) for DoD Information Technology ( IT) applies to

bull The Office of the Secretary of Defense the Military Departments the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff the Combatant Commands the Office of the Inspector General of the Department of Defense (OIG DoD) the Defense Agencies the DoD Field Activities and all other organizational entities within the Department of Defense ( referred to collectively in the instruction as the DoD Components)

bull All DoD IT that receives processes stores displays or transmits DoD information These technologies are broadly grouped as DoD Information Systems ( IS) Platform IT (PIT) IT services and IT products This includes IT supporting research development Test and Evaluation (TampE) and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD

NIST SP 800-160

I Page16of 21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 850001 and 851001 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD specific needs

Please select each box of the framework for an overview of the policy The links to t he policies will be made available in the Resources section

CNSS 4009

CNSS 4009 National Information Assurance (IA Glossary contains IA terms submitted by the CNSS membership

-t -shy

NSS

CNSSP 22

CNSSI 1253 ) NIST SP 800JO

NIST SP 80053

NIST SP 80053A

NIST SP 800-137

1 OoDI 851001

l -r- CNSS bull 009

Knowledge Scrvlco

NIST SP 800-60

NIST SP 800-160 J t I al shy=shy

I Pbull ge16of21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 850001 and 851001 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD specific needs

Please select each box of t he framework for an overview of t he policy The links to t he policies will be made ava ilable in t he Resources section --------------------------------------------------middot NIST S P 800- 53

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.


NIST SP 800-53A

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans, and includes a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.


NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides ongoing monitoring of security. This policy includes:

• Determining if security controls continue to be effective over time

• How to respond to risk as situations change

• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance


Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.


NIST SP 800-60

NIST SP 800-60, Information Security, addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)

• Information systems (e.g., mission critical, mission support, administrative)


NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts and covers 11 core technical processes in systems and software development. The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities

• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle

• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied

• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria


Long Description

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies include:

• NIST SP 800-39 input into DoDI 8500.01

• NIST SP 800-37 input into DoDI 8500.01 and DoDI 8510.01

• NIST SP 800-30 input into DoDI 8510.01

• NIST SP 800-53 input into DoDI 8510.01

• NIST SP 800-53A input into DoDI 8510.01

• NIST SP 800-137 input into DoDI 8510.01

• NIST SP 800-60 input into the Knowledge Service

• NIST SP 800-160 input into the Knowledge Service

NSS policies include:

• CNSSP 22 input into DoDI 8500.01

• CNSSI 1253 and NIST SP 800-37 input into DoDI 8500.01 and DoDI 8510.01

• CNSS 4009 input into DoDI 8510.01


DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework.

Decision Structure

The DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.

NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF, consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.

FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014.

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (U.S.C.).

CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system, and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53

• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)

• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS
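To make the categorization step concrete, the following is an added Python example; it is not code from the ISA220 course, from NIST, or from CNSS. NIST SP 800-60 supplies a provisional impact level for each information type, and the system's value for each security objective is the highest level found among the information types it handles. CNSSI 1253 records confidentiality, integrity, and availability as three separate values rather than collapsing them into one system-wide level; the single FIPS 199 high water mark is computed only for contrast. The information types, their names, and their impact levels below are constructed for illustration and are not taken from the SP 800-60 catalog.

```python
"""Aggregate per-objective impact values for a system's information types.

Added example for the CNSSI 1253 categorization step described above; it is
not code from the ISA220 course, NIST, or CNSS. The information types and
their impact levels are constructed for illustration and are not taken from
the NIST SP 800-60 catalog.
"""
from dataclasses import dataclass
from typing import Iterable, Tuple

# Impact levels in ascending order; the index is used to compare them.
LEVELS = ("LOW", "MODERATE", "HIGH")
RANK = {name: i for i, name in enumerate(LEVELS)}
ABBREV = {"LOW": "L", "MODERATE": "M", "HIGH": "H"}


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional C/I/A impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def is_valid_level(level: str) -> bool:
    """True if the string is one of the three recognized impact levels."""
    return level in RANK


def _highest(levels: Iterable[str]) -> str:
    """Highest impact level among the given values, rejecting unknown ones."""
    chosen = None
    for level in levels:
        if not is_valid_level(level):
            raise ValueError(f"unknown impact level: {level!r}")
        if chosen is None or RANK[level] > RANK[chosen]:
            chosen = level
    if chosen is None:
        raise ValueError("at least one information type is required")
    return chosen


def categorize(info_types: Iterable[InfoType]) -> Tuple[str, str, str]:
    """Return the system's (confidentiality, integrity, availability) values.

    Each objective takes the highest level found among the information types
    handled by the system. CNSSI 1253 keeps the three values separate; it does
    not collapse them into one system-wide level.
    """
    types = list(info_types)
    return (
        _highest(t.confidentiality for t in types),
        _highest(t.integrity for t in types),
        _highest(t.availability for t in types),
    )


def short_form(cat: Tuple[str, str, str]) -> str:
    """Compact C-I-A notation, e.g. 'M-M-L'."""
    return "-".join(ABBREV[level] for level in cat)


def fips199_high_water_mark(cat: Tuple[str, str, str]) -> str:
    """Single overall level as FIPS 199/200 would derive it for the NIST
    baselines; shown only for contrast with the CNSSI 1253 triple."""
    return max(cat, key=lambda level: RANK[level])


# Constructed sample system: three information types with made-up levels.
CONSTRUCTED_TYPES = [
    InfoType("Logistics scheduling", "LOW", "MODERATE", "MODERATE"),
    InfoType("Personnel records (privacy)", "MODERATE", "MODERATE", "LOW"),
    InfoType("Mission planning", "HIGH", "HIGH", "MODERATE"),
]

if __name__ == "__main__":
    cat = categorize(CONSTRUCTED_TYPES)
    print("CNSSI 1253 categorization:", short_form(cat), cat)
    print("FIPS 199 high water mark :", fips199_high_water_mark(cat))
```

For the constructed sample the result is H-H-M: availability stays at MODERATE even though the other two objectives are HIGH, which is exactly the distinction the CNSSI 1253 triple preserves and the single FIPS 199 level (HIGH) would lose. The control selection that follows (the SP 800-53 baseline plus DoD overlays and assignment values from the RMF KS) keys off the three values, so a mis-entered or unrecognized level is rejected rather than silently defaulted.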


DoD Risk Management Framework Policy, Cont.

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process.

• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely, documented, and reported to the responsible DoD Component Senior Information Security Officer (SISO).

• All DoD Information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01.

• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.

• Continuous monitoring capabilities will be implemented to the greatest extent possible.

• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes.


Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ________ to establish a single approach to managing risk within National Security Systems. (Fill in the blank)

• U.S. Army

• U.S. Air Force

• U.S. Marine Corps

• U.S. Navy

• Intelligence Community

• National Institute of Standards and Technology (NIST)

• Committee on National Security Systems (CNSS)

• Department of Justice

• Department of Commerce

• Department of Interior

Check Answer

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.


Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

• An information system connecting to another information system

• A system that has already been tested and evaluated to meet security requirements for another purpose

• A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information

• A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Check Answer

Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.


Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.


NIST S bull Foster a common mindset to deliver security for any system regardless of its scope size complexity or stage of the system life cycle

bull Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied

bull Demonstrate how systems security engineering processes can be effectively NIST S integrated into systems engineering processes and to serve as a basis for

the development of educational and training programs including the NIST S development of individual certifications and other professional assessment

criteria

NIST SP 800-160

I Page16of 21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 850001 and 8510 01 align cybersecuri ty policy and leverage NIST and NSS polic ies for commonali ty across the fjililOO~IQlil~~~iliitlililiiM0111iggJloliiioilll~-illlol~li

Long De script ion Please sele ill be made ava ila

DoDI 850001 and 8510 01 align cybersecuri ty policy and leverage NIST and NSS polic ies These polic ies feed into the Knowledge Service

NIST Polic ies include

r bull NIST SP 800-39 input into DoDI 850001 bull NIST SP 800-37 input into DoDI 850001 and DoDI 8510 01 bull NIST SP 800-30 input into DoDI 8510 01 bull NIST SP 800-53 input into DoDI 8510 01 bull NIST SP 800-53A input into DoDI 8510 01 bull NIST SP 800-137 input into DoDI 8510 01 bull NIST SP 800-60 input into the Knowledge Service bull NIST SP 800-160 input into the Knowledge Service

bull CNSSP 22 input into DoDI 850001 bull CNSSI 1253 NIST SP 800-37 input into DoDI 850001 and DoDI 8510 01 bull CNSS 4009 input into DoDI 8510 01

I Page 16 of 21 I Back Next

DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework.

Decision Structure

The DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.

NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF, consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.

FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014.

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (U.S.C.).

CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53
• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)
• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS

DoD Risk Management Framework Policy (Cont.)

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process.
• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely, documented, and reported to the responsible DoD Component Senior Information Security Officer (SISO).
• All DoD Information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01.
• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.
• Continuous monitoring capabilities will be implemented to the greatest extent possible.
• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes.

Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ______ to establish a single approach to managing risk within National Security Systems. (Fill in the blank)

[ ] US Army
[ ] US Air Force
[ ] US Marine Corps
[ ] US Navy
[x] Intelligence Community
[x] National Institute of Standards and Technology (NIST)
[x] Committee on National Security Systems (CNSS)
[ ] Department of Justice
[ ] Department of Commerce
[ ] Department of Interior

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.

Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

[ ] An information system connecting to another information system
[ ] A system that has already been tested and evaluated to meet security requirements for another purpose
[x] A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information
[ ] A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.

Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.


DoDI Policies and Risk Management

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD-specific needs.

Please select each box of the framework for an overview of the policy. The links to the policies will be made available in the Resources section.

NIST SP 800-39

NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, is the flagship document in the series of information security standards and guidelines developed by NIST in response to the Federal Information Security Management Act (FISMA).

The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.

Special Publication 800-39 provides a structured, yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.

The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the risk management guidance described herein is complementary to and should be used as part of a more comprehensive Enterprise Risk Management (ERM) program.

DoDI 8500.01

DoDI 8500.01, Cybersecurity, established a DoD cybersecurity program to protect and defend DoD information and IT. It establishes the positions of DoD Principal Authorizing Official (PAO) and DoD Senior Information Security Officer (SISO) and continues the DoD Information Security Risk Management Committee (DoD ISRMC), formerly known as the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel.

This policy adopted the term "cybersecurity," as it is defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23, to be used throughout DoD instead of the term Information Assurance (IA).

CNSSP No. 22

CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems, requires the implementation of an integrated organization-wide program for managing IA risk to organizational operations (i.e., mission, functions, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of NSS. Risk management is a comprehensive process that requires organizations to frame risk, assess risk, respond to risk once determined, and monitor risk on an ongoing basis.

NIST SP 800-37

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, is a common information security framework for the federal government and its supporting contractors, developed as part of the Joint Task Force Transformation Initiative, and defines the following Risk Management Framework principles:

• Ensure management of risk from the operation and use of federal information systems is consistent with the organization's mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function)
• Ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes
• Support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results
• Achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies

CNSSI 1253

CNSSI 1253, Security Categorization and Control Selection for National Security Systems, is a companion document to NIST SP 800-53 for organizations that employ NSS. It establishes the processes for categorizing NSS and the information they process, and for appropriately selecting security controls for NSS from NIST SP 800-53.

NIST SP 800-30

NIST SP 800-30, Guide for Conducting Risk Assessments, provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments, carried out at all three tiers in the risk management hierarchy, are part of an overall risk management process, providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.

In particular, this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and describes how risk assessments and other organizational risk management processes complement and inform each other.

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis, so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and different courses of action should be taken.

DoDI 8510.01

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life cycle cybersecurity risk to DoD IT. It designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG. Direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT became available, as did procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD and between DoD and other federal agencies for the authorization and connection of Information Systems (ISs).

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), applies to:

• The Office of the Secretary of Defense, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (referred to collectively in the instruction as the DoD Components)
• All DoD IT that receives, processes, stores, displays, or transmits DoD information. These technologies are broadly grouped as DoD Information Systems (IS), Platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, Test and Evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD.

CNSS 4009

CNSS 4009, National Information Assurance (IA) Glossary, contains IA terms submitted by the CNSS membership.

NIST SP 800-53

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government, to meet the requirements of Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.

NIST SP 800-53A

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans, and includes a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.

NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides guidance for ongoing monitoring of security. This guidance includes:

• Determining if security controls continue to be effective over time
• How to respond to risk as situations change
• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance

RMF Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.

NIST SP 800-60

NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)
• Information systems (e.g., mission critical, mission support, administrative)

NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts and covers 11 core technical processes in systems and software development. The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities
• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle
• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied
• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria

Long Description

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies include:

• NIST SP 800-39: input into DoDI 8500.01
• NIST SP 800-37: input into DoDI 8500.01 and DoDI 8510.01
• NIST SP 800-30: input into DoDI 8510.01
• NIST SP 800-53: input into DoDI 8510.01
• NIST SP 800-53A: input into DoDI 8510.01
• NIST SP 800-137: input into DoDI 8510.01
• NIST SP 800-60: input into the Knowledge Service
• NIST SP 800-160: input into the Knowledge Service

NSS policies include:

• CNSSP 22: input into DoDI 8500.01
• CNSSI 1253: input into DoDI 8500.01 and DoDI 8510.01
• CNSS 4009: input into DoDI 8510.01

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework

ecision Structure NI ST SP 800-37 FISMA 2014 CNSSI 1253

I Pbull ge 17 of 21 I Back Next

Decision Structure

The DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction (DoDI 8510.01).

NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF, consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.

FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014. DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (U.S.C.).

CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity and availability of the information to be processed on the system, and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53
• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance and assessment procedures found on the RMF Knowledge Service (KS)
• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF Technical Advisory Group (TAG) and identified in the RMF KS

DoD Risk Management Framework Policy (continued)

Further key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting and execution process
• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely, documented and reported to the responsible DoD Component Senior Information Security Officer (SISO)
• All DoD Information systems, PIT systems, PIT, IT products and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01
• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system
• Continuous monitoring capabilities will be implemented to the greatest extent possible
• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes

Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ________ to establish a single approach to managing risk within National Security Systems. (Fill in the blank)

• U.S. Army, U.S. Air Force, U.S. Marine Corps, U.S. Navy
• Intelligence Community, National Institute of Standards and Technology (NIST), Committee on National Security Systems (CNSS) (correct)
• Department of Justice, Department of Commerce
• Department of Interior

Answer: As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST and CNSS to establish a single approach to managing risk within National Security Systems.

Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

• An information system connecting to another information system
• A system that has already been tested and evaluated to meet security requirements for another purpose
• A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information (correct)
• A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Answer: Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.

Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.


DoDI Policies and Risk Management

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD-specific needs. An overview of each policy in the framework follows; links to the policies are provided in the Resources section.

DoDI 8500.01

DoDI 8500.01, Cybersecurity, established a DoD cybersecurity program to protect and defend DoD information and IT. It establishes the positions of DoD Principal Authorizing Official (PAO) and DoD Senior Information Security Officer (SISO), and continues the DoD Information Security Risk Management Committee (DoD ISRMC), formerly known as the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel.

This policy adopted the term cybersecurity, as it is defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23, to be used throughout DoD instead of the term Information Assurance (IA).

CNSSP No. 22

CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems, requires the implementation of an integrated organization-wide program for managing IA risk to organizational operations (i.e., mission, functions and reputation), organizational assets, individuals, other organizations and the Nation resulting from the operation and use of NSS. Risk management is a comprehensive process that requires organizations to frame risk, assess risk, respond to risk once determined, and monitor risk on an ongoing basis.

NIST SP 800-37

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, is a common information security framework for the federal government and its supporting contractors, developed as part of the Joint Task Force Transformation Initiative. It defines the following Risk Management Framework principles:

• Ensure management of risk from the operation and use of federal information systems is consistent with the organization's mission, business objectives and overall risk strategy established by the senior leadership through the risk executive (function)
• Ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes
• Support consistent, well-informed and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results
• Achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies

CNSSI 1253

CNSSI 1253, Security Categorization and Control Selection for National Security Systems, is a companion document to NIST SP 800-53 for organizations that employ NSS. It establishes the processes for categorizing NSS and the information they process, and for appropriately selecting security controls for NSS from NIST SP 800-53.

NIST SP 800-30

NIST SP 800-30, Guide for Conducting Risk Assessments, provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments carried out at all three tiers in the risk management hierarchy are part of an overall risk management process, providing senior leaders and executives with the information needed to determine appropriate courses of action in response to identified risks.

In particular, this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment and maintaining the assessment) and for how risk assessments and other organizational risk management processes complement and inform each other.

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis, so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and whether different courses of action should be taken.

DoDI 8510.01

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life cycle cybersecurity risk to DoD IT. It designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG. With it, direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT became available, as did procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD, and between DoD and other federal agencies, for the authorization and connection of Information Systems (ISs).

DoDI 8510.01 applies to:

• The Office of the Secretary of Defense, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the DoD Field Activities and all other organizational entities within the Department of Defense (referred to collectively in the instruction as the DoD Components)
• All DoD IT that receives, processes, stores, displays or transmits DoD information. These technologies are broadly grouped as DoD Information Systems (IS), Platform IT (PIT), IT services and IT products. This includes IT supporting research, development, Test and Evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD

CNSS 4009

CNSS 4009, National Information Assurance (IA) Glossary, contains IA terms submitted by the CNSS membership.

NIST SP 800-53

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government, to meet the requirements of Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store or transmit federal information.

NIST SP 800-53A

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans, and includes a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.

NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides guidance on the ongoing monitoring of security. This publication covers:

• Determining whether security controls continue to be effective over time
• How to respond to risk as situations change
• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance

Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.

NIST SP 800-60

NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)
• Information systems (e.g., mission critical, mission support, administrative)

NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts and covers 11 core technical processes in systems and software development. The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts and activities
• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity or stage of the system life cycle
• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied
• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 850001 and 8510 01 align cybersecuri ty policy and leverage NIST and NSS polic ies for commonali ty across the fjililOO~IQlil~~~iliitlililiiM0111iggJloliiioilll~-illlol~li

Long De script ion Please sele ill be made ava ila

DoDI 850001 and 8510 01 align cybersecuri ty policy and leverage NIST and NSS polic ies These polic ies feed into the Knowledge Service

NIST Polic ies include

r bull NIST SP 800-39 input into DoDI 850001 bull NIST SP 800-37 input into DoDI 850001 and DoDI 8510 01 bull NIST SP 800-30 input into DoDI 8510 01 bull NIST SP 800-53 input into DoDI 8510 01 bull NIST SP 800-53A input into DoDI 8510 01 bull NIST SP 800-137 input into DoDI 8510 01 bull NIST SP 800-60 input into the Knowledge Service bull NIST SP 800-160 input into the Knowledge Service

bull CNSSP 22 input into DoDI 850001 bull CNSSI 1253 NIST SP 800-37 input into DoDI 850001 and DoDI 8510 01 bull CNSS 4009 input into DoDI 8510 01

I Page 16 of 21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework

ecision Structure NI ST SP 800-37 FISMA 2014 CNSSI 1253

I Pbull ge 17 of 21 I Back Next

ISA220 Risk Man agement Framework for Practition e rs Lesson 1 1 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoD Risk Management Fr amework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework

Decision Structu re NI ST SP 800-3 7 FISMA 2014 CNSSI 1 253

The DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management ( the RMF) that includes and in tegrates DoD Mission Areas (MAs) pursuant to DoDD 81150l and the governance process prescribed in this instruc tion

I Pbull ge 17 of 21 I Back Next

--- ---

--------

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework

ecision Stru ctu re NIST SP 800-37 FIS MA 2014 CNSSI 1 253

The cybersecurity requirements for DoD in formation technologies will be managed through the RMF ___ consisten t with the principals es tablished in National Gukraquo fot ~IN l1illl

Institu te of Standards and Technology (NIST) Special - middot Mlin9 bullbullbull~middot1laquoWtl llltormttion SyttittntNISTPublication (SP) 800-37 DoD Information and PIT ---middot ~

systems will transition to the RMF 1uo-icshy -middotmiddot-middot INFORMATION S E CU R ITY

--middot---middot shy

__ _____ --shy-middot-shy I Pbull ge 17 of 21 I

Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework

ecision Structure NI ST SP 800-37 bull14ACIJ1Isect bull__c_N_ss_ 1_ 1_2s_3_

The RMF must satisfy the requirements o f the Federal Information Security Modernization Act (FISMA) of 2014

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40 United States Code (USC) I lDtaAl l1fOlMAJION SICJIUTYMNIMlMlHTNr

I Pbull ge 17 of 21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoD Risk Management Framework Policy

Please select each heading to view t he key policy requirements for t he execut ion of t he DoD Risk Management Framework

Decision Structure NIST SP 800-37 FISMA 2014 CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality integrity and availability of the information to be processed on the system and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253 Implementing the RMF includes

bull Implementing a corresponding set of security controls from NIST SP 800-53

bull Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values overlays implementation guidance and assessment procedures found on the RMF Knowledge Service (KS)

bull Executing updates to DoDs implementation of security controls that have been coordinated through the RMF T AG and identified in the RMF KS

I Page17of21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoD Risk Management Framework Policy Cont

Key Policy requirements for the execution of the DoD Risk Management Framework

bull Resources for implementing the RMF must be identified and allocated as part of the Defense planning programming budgeting and execution process

bull Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible Refusals must be timely documented and reported to the responsible DoD Component Senior Information Security Officer (SISO)

bull All DoD Information systems PIT systems PIT IT products and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 850001

bull A Plan of Action and Milestones (POAampM) must be developed and maintained to address known vulnerabilities in the IS or PIT system

bull Continuous monitoring capabilities will be implemented to the greatest extent possible

bull The RMF process will inform acquisition processes for all DoD IT including requirements development procurement and both Developmental Test amp Evaluation (DTampE) and Operational TampE (OTampE) but does not replace these processes

I Page18of21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group the DoD coordinated with the to establish a single approach to managing risk within National Security Systems (Fill in the blank)

US Army US Air Force US Marine Corps US Navy

~ In telligence Community National Institu te of Standards and Technology NIST) Committee on National Security Systems (CNSS)

Department of Justice Department of Commerce

Department of Interior

Check Answer

As part of the Joint Task Force Transformation Initiative Working Group the DoD coordinated with the Intelligence co mmunity NIST a nd CNSS to establish a single approach to managing risk within National Security Systems

I Pbull ge1Qof21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity What is reciprocity

D An information system connecting to another information system

D A system that has already been tested and evaluated to meet security requirements for another purpose

~ A mutual agreement among participating enterprises to accept each others security assessments in order to reuse information system resources and or to accept each others assessed security posture in order to share information

0 A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Check Answer

Reciprocity is a mutual agreement among participating enterprises to accept each others security assessments in order to reuse information system resources and or to accept each others assessed security posture in order to share information

I Page20 of 21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

Lesson Completion

You have completed the content for this lesson

To continue select another lesson from the Table o f Contents on the left

If you have closed or hidden the Table of Contents click the Show TOC button at the top in the Atlas navigation bar

I Pbull ge 21 of 21 I Back Next

Page 31: I...• T ier 2-M iss o n direction/guida Th e Do D RM t hree-tie r s . • Tie r 3-I n fo r m Tie r !-Organizatio n Informati o n Te imp lements dir Tier 2 -Mission/ Busin ess Pro


DoDI Policies and Risk Management

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD-specific needs.

Please select each box of the framework for an overview of the policy. The links to the policies will be made available in the Resources section.

CNSSP No. 22

CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems, requires the implementation of an integrated organization-wide program for managing IA risk to organizational operations (i.e., mission, functions, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of NSS. Risk management is a comprehensive process that requires organizations to frame risk, assess risk, respond to risk once determined, and monitor risk on an ongoing basis.

NIST SP 800-37

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, is a common information security framework for the federal government and its supporting contractors as part of the Joint Task Force Transformation Initiative and defines the following Risk Management Framework principles:

• Ensure management of risk from the operation and use of federal information systems is consistent with the organization's mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function).

• Ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes.

• Support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results.

• Achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies.

CNSSI 1253

CNSSI 1253, Security Categorization and Control Selection for National Security Systems, is a companion document to NIST SP 800-53 for organizations that employ NSS. It establishes the processes for categorizing NSS and the information they process, and for appropriately selecting security controls for NSS from NIST SP 800-53.

NIST SP 800-30

NIST SP 800-30 provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments, carried out at all three tiers in the risk management hierarchy, are part of an overall risk management process, providing senior leaders and executives with the information needed to determine appropriate courses of action in response to identified risks.

In particular, this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and describes how risk assessments and other organizational risk management processes complement and inform each other.

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis, so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and different courses of action should be taken.

DoDI 8510.01

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life-cycle cybersecurity risk to DoD IT. It designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG. Direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT became available. Procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD, and between DoD and other federal agencies, for the authorization and connection of Information Systems (ISs) became available.

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), applies to:

• The Office of the Secretary of Defense, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (referred to collectively in the instruction as the DoD Components).

• All DoD IT that receives, processes, stores, displays, or transmits DoD information. These technologies are broadly grouped as DoD Information Systems (IS), Platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, Test and Evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD.

CNSS 4009

CNSS 4009, National Information Assurance (IA) Glossary, contains IA terms submitted by the CNSS membership.

NIST SP 800-53

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government, to meet the requirements of Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.

NIST SP 800-53A

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans, and includes a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.

NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides guidance for ongoing monitoring of security. This policy includes:

• Determining if security controls continue to be effective over time

• How to respond to risk as situations change

• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance

Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.

NIST SP 800-60

NIST SP 800-60 addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)

• Information systems (e.g., mission critical, mission support, administrative)

NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts and covers 11 core technical processes in systems and software development. The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities

• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle

• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied

• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria

Long Description

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies include:

• NIST SP 800-39: input into DoDI 8500.01

• NIST SP 800-37: input into DoDI 8500.01 and DoDI 8510.01

• NIST SP 800-30: input into DoDI 8510.01

• NIST SP 800-53: input into DoDI 8510.01

• NIST SP 800-53A: input into DoDI 8510.01

• NIST SP 800-137: input into DoDI 8510.01

• NIST SP 800-60: input into the Knowledge Service

• NIST SP 800-160: input into the Knowledge Service

• CNSSP 22: input into DoDI 8500.01

• CNSSI 1253: input into DoDI 8500.01 and DoDI 8510.01

• CNSS 4009: input into DoDI 8510.01

DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework.

Decision Structure

The DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.

NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF, consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.

FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014.

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (U.S.C.).

CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system, and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53

• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)

• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS

DoD Risk Management Framework Policy, Cont.

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process.

• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely, documented, and reported to the responsible DoD Component Senior Information Security Officer (SISO).

• All DoD Information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01.

• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.

• Continuous monitoring capabilities will be implemented to the greatest extent possible.

• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes.


Page 32: I...• T ier 2-M iss o n direction/guida Th e Do D RM t hree-tie r s . • Tie r 3-I n fo r m Tie r !-Organizatio n Informati o n Te imp lements dir Tier 2 -Mission/ Busin ess Pro

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

Do DI 8500 O I an NIST S P 800-37

across the feder

NIST SP 800-37 Guide for Applying the Risk Management Framework to Federal Please select ea

Information Systems-A Security Life cycle Approach is a common information made ava ilable in

security framework for the federal government and its supporting contractors as part of the Joint Task Force Transformation Initiative and defines the following Risk

NI Management Framework principles

r NISTS bull Ensure management of risk from the operation and use of federal information

systems is consistent with the organizations mission business objectives and overall risk strategy established by the senior leadership through the risk NISTS executive ( function )

bull Ensure that information security requirements including necessary securityNISTS

controls are integrated into the organizations enterprise architecture and system development life cycle processes

NIST S bull Support consistent well - informed and ongoing security authorization decisions ( through continuous monitoring) transparency of security and risk- related information and reciprocity of authorization results

bull Achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies

NIST SP 800-60

NIST SP 800-160

I Page16of21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 850001 and 851001 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD specific needs

Please select each box of the framework for an overview of the policy The links to t he policies will be made available in the Resources section

NSS CNSSI 1253

CNSSP 22 CNSSI 1253 Security Categorization and Control Selection for -t National Security Systems is a companion document to NIST - shySP 800-53 for organiza tions that employ NSS It establishes CNSSI 1253 )the processes for categorizing NSS and the information they process and for appropriately selecting security controls for

-r- CNSS bull009NSS from NIST SP 800-53

NIST SP 80~3A lNIST SP 800-137

Knowledge Scrvlco

NIST SP 800-60

al -=shyNIST SP 800middot160

I Pbull ge16of21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 8500 O I an NIST S P 800-30

across the feder

NIST SP 800-30 I nformation Securit y provides guidance for conducting riskPlease select ea

assessments of federal in formation systems and organizations amplifying the guidance made ava ilable in in Special Publication 800-39 Risk assessments carried out at all three tiers in the risk

management hierarchy are part of an overall risk management process- providing NI senior leaders executives with the in formation needed to determine appropriate

courses of action in response to identified risks NISTS

=====-I In particular this document provides guidance for carrying out each of the steps in ( NIST S the risk assessment process ( ie preparing for the assessment conducting the ====-I assessment communicating the results of the assessment and maintaining the

assessment) and how risk assessments and other organizational risk management NISTS processes complement and in form each other

r-----1 NIST S Special Publication 800-30 also provides guidance to organizations on identifying

r------1 specific risk factors to monitor on an ongoing basis so that organizations can determine whether risks have increased to unacceptable levels ( ie exceeding organizational risk tolerance) and different courses of action should be taken

NIST S

NIST SP 800-60

NIST SP 800-1 60

I Page16of21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 851001

DoDI 851001 Risk Management Framework (RMF) for DoD Information Technology ( IT) implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life cycle cybersecurity risk to DoD IT It designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG The direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT became available Procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD and between DoD and other federal agencies for the authorization and connection of Information Systems ( ISs) became available

DoDI 851001 Risk Management Framework (RMF) for DoD Information Technology ( IT) applies to

bull The Office of the Secretary of Defense the Military Departments the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff the Combatant Commands the Office of the Inspector General of the Department of Defense (OIG DoD) the Defense Agencies the DoD Field Activities and all other organizational entities within the Department of Defense ( referred to collectively in the instruction as the DoD Components)

bull All DoD IT that receives processes stores displays or transmits DoD information These technologies are broadly grouped as DoD Information Systems ( IS) Platform IT (PIT) IT services and IT products This includes IT supporting research development Test and Evaluation (TampE) and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD

NIST SP 800-160

I Page16of 21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 850001 and 851001 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD specific needs

Please select each box of the framework for an overview of the policy The links to t he policies will be made available in the Resources section

CNSS 4009

CNSS 4009 National Information Assurance (IA Glossary contains IA terms submitted by the CNSS membership

-t -shy

NSS

CNSSP 22

CNSSI 1253 ) NIST SP 800JO

NIST SP 80053

NIST SP 80053A

NIST SP 800-137

1 OoDI 851001

l -r- CNSS bull 009

Knowledge Scrvlco

NIST SP 800-60

NIST SP 800-160 J t I al shy=shy

I Pbull ge16of21 I Back Next

NIST SP 800-53

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.

NIST SP 800-53A

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans, and includes a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.

NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides guidance on the ongoing monitoring of security. This policy includes:

• Determining if security controls continue to be effective over time

• How to respond to risk as situations change

• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance

Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.

NIST SP 800-60

NIST SP 800-60, Information Security, addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)

• Information systems (e.g., mission critical, mission support, administrative)

NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts and covers 11 core technical processes in systems and software development. The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities

• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle

• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied

• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria

Long Description

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies include:

• NIST SP 800-39, input into DoDI 8500.01

• NIST SP 800-37, input into DoDI 8500.01 and DoDI 8510.01

• NIST SP 800-30, input into DoDI 8510.01

• NIST SP 800-53, input into DoDI 8510.01

• NIST SP 800-53A, input into DoDI 8510.01

• NIST SP 800-137, input into DoDI 8510.01

• NIST SP 800-60, input into the Knowledge Service

• NIST SP 800-160, input into the Knowledge Service

NSS policies include:

• CNSSP 22, input into DoDI 8500.01

• CNSSI 1253 / NIST SP 800-37, input into DoDI 8500.01 and DoDI 8510.01

• CNSS 4009, input into DoDI 8510.01

DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework.

Headings: Decision Structure | NIST SP 800-37 | FISMA 2014 | CNSSI 1253

Decision Structure

The DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.

NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF, consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.

FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014.

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (U.S.C.).

CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53

• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)

• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS

DoD Risk Management Framework Policy (Cont.)

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process.

• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely documented and reported to the responsible DoD Component Senior Information Security Officer (SISO).

• All DoD information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01.

• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.

• Continuous monitoring capabilities will be implemented to the greatest extent possible.

• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes.

Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ______ to establish a single approach to managing risk within National Security Systems. (Fill in the blank)

• U.S. Army, U.S. Air Force, U.S. Marine Corps, U.S. Navy

• Intelligence Community, National Institute of Standards and Technology (NIST), Committee on National Security Systems (CNSS) (correct)

• Department of Justice, Department of Commerce

• Department of Interior

Answer: As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.

Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

• An information system connecting to another information system

• A system that has already been tested and evaluated to meet security requirements for another purpose

• A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information (correct)

• A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Answer: Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.

Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.

DoDI Policies and Risk Management

CNSSI 1253

CNSSI 1253, Security Categorization and Control Selection for National Security Systems, is a companion document to NIST SP 800-53 for organizations that employ NSS. It establishes the processes for categorizing NSS and the information they process, and for appropriately selecting security controls for NSS from NIST SP 800-53.

NIST SP 800-30

NIST SP 800-30, Information Security, provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments carried out at all three tiers in the risk management hierarchy are part of an overall risk management process, providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.

In particular, this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and how risk assessments and other organizational risk management processes complement and inform each other.

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis, so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and different courses of action should be taken.

DoDI 8510.01

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life cycle cybersecurity risk to DoD IT. It designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG. The direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT became available. Procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD, and between DoD and other federal agencies, for the authorization and connection of Information Systems (ISs) became available.

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), applies to:

• The Office of the Secretary of Defense, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (referred to collectively in the instruction as the DoD Components)

• All DoD IT that receives, processes, stores, displays, or transmits DoD information. These technologies are broadly grouped as DoD Information Systems (IS), Platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, Test and Evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD.


US Army US Air Force US Marine Corps US Navy

~ In telligence Community National Institu te of Standards and Technology NIST) Committee on National Security Systems (CNSS)

Department of Justice Department of Commerce

Department of Interior

Check Answer

As part of the Joint Task Force Transformation Initiative Working Group the DoD coordinated with the Intelligence co mmunity NIST a nd CNSS to establish a single approach to managing risk within National Security Systems

I Pbull ge1Qof21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity What is reciprocity

D An information system connecting to another information system

D A system that has already been tested and evaluated to meet security requirements for another purpose

~ A mutual agreement among participating enterprises to accept each others security assessments in order to reuse information system resources and or to accept each others assessed security posture in order to share information

0 A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Check Answer

Reciprocity is a mutual agreement among participating enterprises to accept each others security assessments in order to reuse information system resources and or to accept each others assessed security posture in order to share information

I Page20 of 21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

Lesson Completion

You have completed the content for this lesson

To continue select another lesson from the Table o f Contents on the left

If you have closed or hidden the Table of Contents click the Show TOC button at the top in the Atlas navigation bar

I Pbull ge 21 of 21 I Back Next


DoDI Policies and Risk Management

NIST SP 800-30

NIST SP 800-30, Information Security, provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance made available in Special Publication 800-39. Risk assessments carried out at all three tiers in the risk management hierarchy are part of an overall risk management process, providing senior leaders and executives with the information needed to determine appropriate courses of action in response to identified risks.

In particular, this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and explains how risk assessments and other organizational risk management processes complement and inform each other.

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis, so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and whether different courses of action should be taken.

DoDI Policies and Risk Management

DoDI 8510.01

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life-cycle cybersecurity risk to DoD IT. It designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG. The direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT became available. Procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD, and between DoD and other federal agencies, for the authorization and connection of Information Systems (ISs) became available.

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), applies to:

• The Office of the Secretary of Defense, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (referred to collectively in the instruction as the DoD Components).

• All DoD IT that receives, processes, stores, displays, or transmits DoD information. These technologies are broadly grouped as DoD Information Systems (IS), Platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, Test and Evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD.

DoDI Policies and Risk Management

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD-specific needs.

Please select each box of the framework for an overview of the policy. The links to the policies will be made available in the Resources section.

[Framework diagram: NSS policies (CNSSP 22, CNSSI 1253, CNSS 4009) and NIST policies (SP 800-39, 800-37, 800-30, 800-53, 800-53A, 800-137, 800-60, 800-160) feeding DoDI 8500.01, DoDI 8510.01, and the RMF Knowledge Service]

CNSS 4009

CNSS 4009, National Information Assurance (IA) Glossary, contains IA terms submitted by the CNSS membership.

DoDI Policies and Risk Management

NIST SP 800-53

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.

DoDI Policies and Risk Management

NIST SP 800-53A

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans and includes a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.

DoDI Policies and Risk Management

NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides guidance for ongoing monitoring of security. This guidance includes:

• Determining if security controls continue to be effective over time

• How to respond to risk as situations change

• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance

DoDI Policies and Risk Management

Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.

DoDI Policies and Risk Management

NIST SP 800-60

NIST SP 800-60, Information Security, addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)

• Information systems (e.g., mission critical, mission support, administrative)

DoDI Policies and Risk Management

NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts and covers 11 core technical processes in systems and software development.

The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities

• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle

• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied

• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria

DoDI Policies and Risk Management

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD-specific needs.

Long Description

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies include:

• NIST SP 800-39: input into DoDI 8500.01

• NIST SP 800-37: input into DoDI 8500.01 and DoDI 8510.01

• NIST SP 800-30: input into DoDI 8510.01

• NIST SP 800-53: input into DoDI 8510.01

• NIST SP 800-53A: input into DoDI 8510.01

• NIST SP 800-137: input into DoDI 8510.01

• NIST SP 800-60: input into the Knowledge Service

• NIST SP 800-160: input into the Knowledge Service

NSS policies include:

• CNSSP 22: input into DoDI 8500.01

• CNSSI 1253 (with NIST SP 800-37): input into DoDI 8500.01 and DoDI 8510.01

• CNSS 4009: input into DoDI 8510.01

DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework.

Headings: Decision Structure, NIST SP 800-37, FISMA 2014, CNSSI 1253

DoD Risk Management Framework Policy

Decision Structure

The DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.

DoD Risk Management Framework Policy

NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF, consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.

DoD Risk Management Framework Policy

FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014.

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (U.S.C.).

DoD Risk Management Framework Policy

CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53

• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)

• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS
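The categorization step this heading and the NIST SP 800-60 slide describe, as an added worked example that is not part of the course: it starts from information types with provisional impact levels, takes the high-water mark per security objective (CNSSI 1253 keeps the three values separate rather than collapsing them to one level), requires a documented rationale before any provisional value is adjusted, and then selects controls for the resulting triple. The information types, impact levels, and the baseline mapping of controls to levels are constructed sample data, not values from CNSSI 1253, SP 800-60, or SP 800-53.

```python
"""CNSSI 1253-style security categorization (constructed worked example)."""
from dataclasses import dataclass

LEVELS = ("LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """An information type with provisional impact values (SP 800-60 style)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


@dataclass(frozen=True)
class Adjustment:
    """A documented change to one provisional impact value."""
    info_type: str
    objective: str
    new_level: str
    rationale: str


def _rank(level):
    if level not in LEVELS:
        raise ValueError(f"unknown impact level {level!r}")
    return LEVELS.index(level)


def categorize(info_types, adjustments=()):
    """Return the system categorization as {objective: level}.
    CNSSI 1253 keeps the three objectives separate rather than collapsing them
    to one overall level, so the high-water mark is taken per objective over
    all information types processed. Adjustments to provisional values apply
    first and must carry a rationale: an undocumented downgrade is how a
    system ends up under-protected.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    levels = {t.name: {o: getattr(t, o) for o in OBJECTIVES} for t in info_types}
    for adj in adjustments:
        if not adj.rationale.strip():
            raise ValueError(f"adjustment {adj.info_type}/{adj.objective} has no rationale")
        if adj.info_type not in levels or adj.objective not in OBJECTIVES:
            raise ValueError(f"adjustment names unknown {adj.info_type}/{adj.objective}")
        _rank(adj.new_level)
        levels[adj.info_type][adj.objective] = adj.new_level
    return {o: max((row[o] for row in levels.values()), key=_rank) for o in OBJECTIVES}


def format_categorization(cat):
    """Render as SC = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    return "SC = {" + ", ".join(f"({o}, {cat[o]})" for o in OBJECTIVES) + "}"


# Constructed sample baseline: controls each (objective, level) pair pulls in. The
# identifiers follow SP 800-53 naming, but the assignment is illustrative only;
# the real baselines and DoD overlays come from CNSSI 1253 and the RMF KS.
SAMPLE_BASELINE = {
    ("confidentiality", "LOW"): {"AC-3", "SC-8"},
    ("confidentiality", "MODERATE"): {"AC-3", "SC-8", "SC-28"},
    ("confidentiality", "HIGH"): {"AC-3", "SC-8", "SC-28", "AC-6(1)"},
    ("integrity", "LOW"): {"SI-3"},
    ("integrity", "MODERATE"): {"SI-3", "SI-7"},
    ("integrity", "HIGH"): {"SI-3", "SI-7", "SI-7(1)"},
    ("availability", "LOW"): {"CP-9"},
    ("availability", "MODERATE"): {"CP-9", "CP-10"},
    ("availability", "HIGH"): {"CP-9", "CP-10", "CP-7"},
}


def select_controls(cat, baseline=SAMPLE_BASELINE):
    """Union of the controls each objective requires at its assigned level."""
    return sorted(set().union(*(baseline[(o, cat[o])] for o in OBJECTIVES)))


# Constructed sample system: the information types it will process.
SAMPLE_INFO_TYPES = [
    InfoType("Personnel records", "MODERATE", "MODERATE", "LOW"),
    InfoType("Mission planning data", "HIGH", "HIGH", "MODERATE"),
    InfoType("Public web content", "LOW", "MODERATE", "LOW"),
]
SAMPLE_ADJUSTMENTS = [
    Adjustment("Mission planning data", "availability", "HIGH",
               "Planning data must stay reachable during time-critical operations."),
]


def demo():
    """Categorize the sample system; returns (categorization, selected controls)."""
    cat = categorize(SAMPLE_INFO_TYPES, SAMPLE_ADJUSTMENTS)
    return cat, select_controls(cat)


if __name__ == "__main__":
    categorization, controls = demo()
    print(format_categorization(categorization))
    print("Selected controls:", ", ".join(controls))
```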


DoD Risk Management Framework Policy (Cont.)

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process.

• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely, documented, and reported to the responsible DoD Component Senior Information Security Officer (SISO).

• All DoD Information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01.

• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.

• Continuous monitoring capabilities will be implemented to the greatest extent possible.

• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes.

Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ________ to establish a single approach to managing risk within National Security Systems. (Fill in the blank)

• U.S. Army, U.S. Air Force, U.S. Marine Corps, U.S. Navy

• Intelligence Community, National Institute of Standards and Technology (NIST), Committee on National Security Systems (CNSS) (correct)

• Department of Justice, Department of Commerce

• Department of Interior

Check Answer

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.

Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

• An information system connecting to another information system

• A system that has already been tested and evaluated to meet security requirements for another purpose

• A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information (correct)

• A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Check Answer

Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.

Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.

Page 35: I...• T ier 2-M iss o n direction/guida Th e Do D RM t hree-tie r s . • Tie r 3-I n fo r m Tie r !-Organizatio n Informati o n Te imp lements dir Tier 2 -Mission/ Busin ess Pro

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 851001

DoDI 851001 Risk Management Framework (RMF) for DoD Information Technology ( IT) implemented the RMF for DoD IT by establishing associated cybersecurity policy and assigning responsibilities for executing and maintaining the RMF The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life cycle cybersecurity risk to DoD IT It designated the DIACAP Technical Advisory Group (TAG) as the RMF TAG The direct visibility of authorization documentation and reuse of artifacts between and among DoD Components deploying and receiving DoD IT became available Procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD and between DoD and other federal agencies for the authorization and connection of Information Systems ( ISs) became available

DoDI 851001 Risk Management Framework (RMF) for DoD Information Technology ( IT) applies to

bull The Office of the Secretary of Defense the Military Departments the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff the Combatant Commands the Office of the Inspector General of the Department of Defense (OIG DoD) the Defense Agencies the DoD Field Activities and all other organizational entities within the Department of Defense ( referred to collectively in the instruction as the DoD Components)

bull All DoD IT that receives processes stores displays or transmits DoD information These technologies are broadly grouped as DoD Information Systems ( IS) Platform IT (PIT) IT services and IT products This includes IT supporting research development Test and Evaluation (TampE) and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD

NIST SP 800-160

I Page16of 21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 850001 and 851001 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD specific needs

Please select each box of the framework for an overview of the policy The links to t he policies will be made available in the Resources section

CNSS 4009

CNSS 4009 National Information Assurance (IA Glossary contains IA terms submitted by the CNSS membership

-t -shy

NSS

CNSSP 22

CNSSI 1253 ) NIST SP 800JO

NIST SP 80053

NIST SP 80053A

NIST SP 800-137

1 OoDI 851001

l -r- CNSS bull 009

Knowledge Scrvlco

NIST SP 800-60

NIST SP 800-160 J t I al shy=shy

I Pbull ge16of21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 850001 and 851001 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD specific needs

Please select each box of t he framework for an overview of t he policy The links to t he policies will be made ava ilable in t he Resources section --------------------------------------------------middot NIST S P 800- 53

NI ST NIST SP 800-53 Security and Privacy Controls for Federal Information

NIST SP 800-39 Systems and Organizations provides guidelines for selecting and speci fying

=====-===-I security controls for organizations and in formation systems supporting ther executive agencies of the federal government to meet the requirementsNIST SP 800-37

c=====-===-I of Federal Information Processing Standards (FIPS) 200 Minimum Security NIST SP 800-30 Requirements for Federal Information and Information Systems The

----------bull guidelines apply to all components of an in formation system that process store or transmit federal in formation NIST SP 800-53l

NIST SP 800-53A

NIST SP 800-137 NIST SP 800-60

NIST SP 800-160

I Page16of 21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 850001 and 851001 align cybersecurity policy and leverage NIST and NSS policies for commonali ty across the federal government while addressing DoD specific needs

Please select each box of the framework for an overview of the policy The links to the policies will be made available in the Resourcessectionmiddot-------------------------9

NIST SP 800- 53A NI ST

NIST SP 800-53A Assessing Security and Privacy Controls in Federal NIST SP 800-39 Information Systems and Organizations provides guidelines for building

=====-===-I effective security assessment plans and privacy assessment plans and r NIST SP 800-37 includes a comprehensive set of procedures for assessing the

=====-===-I effectiveness of security controls and privacy controls employed in NIST SP 800-30 in formation systems and organizations supporting the executive c agencies of the federal government

-~~~~~~~~-middot

NIST SP 800-53l JNIST SP 800-53A

NIST SP 800-137 NIST SP 800-60

NIST SP 800-160

I Page16of 21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 850001 and 851001 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD specific needs

Please select each box of t he framework for an overview of t he policy The links to t he policies will be

made ava ilable in t he Resojurcessectionmiddot------------------------bull

NIST S P 800-137 NI ST

NIST SP 800-137 Information Securit y Continuous Monitoring for )NIST SP 800-39

Federal Information Systems and Organization provides ongoing =====-===-I monitoring of security This policy includes

NIST SP 800-37r bull Determining if security controls continue to be effective over c timeNIST SP 800-30 bull How to respond to risk as situations change

l bull How to ensure monitoring and reporting frequencies remain NIST SP 800-53 aligned with organizational threats and risk tolerance

NIST SP 800-53A

NIST SP 800-137

NIST SP 800-60

NIST SP 800-160

I Page16of 21 I Back Next

Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.

NIST SP 800-60

NIST SP 800-60, Information Security, addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)
• Information systems (e.g., mission critical, mission support, administrative)

NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts and covers 11 core technical processes in systems and software development. The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities
• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle
• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied
• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria

Long Description

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies include:

• NIST SP 800-39, input into DoDI 8500.01
• NIST SP 800-37, input into DoDI 8500.01 and DoDI 8510.01
• NIST SP 800-30, input into DoDI 8510.01
• NIST SP 800-53, input into DoDI 8510.01
• NIST SP 800-53A, input into DoDI 8510.01
• NIST SP 800-137, input into DoDI 8510.01
• NIST SP 800-60, input into the Knowledge Service
• NIST SP 800-160, input into the Knowledge Service

NSS policies include:

• CNSSP 22, input into DoDI 8500.01
• CNSSI 1253 / NIST SP 800-37, input into DoDI 8500.01 and DoDI 8510.01
• CNSS 4009, input into DoDI 8510.01

DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework.

Decision Structure

The DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.

NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.

FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014.

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (U.S.C.).

CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53
• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)
• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS
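The two steps described on this page, mapping the information a system processes to impact levels (the NIST SP 800-60 slide above) and then deriving the system's confidentiality, integrity, and availability values that drive control selection under CNSSI 1253 (this slide), worked through as an added example; this is not course material or code from any of the cited publications. The information types and their impact values are constructed sample data, not the provisional values in SP 800-60 Volume II, and the adjust() step is a simplified rendering of SP 800-60's guidance to review provisional values and document the rationale for any change.

```python
"""Security categorization in the CNSSI 1253 style (illustrative, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """Potential impact level for one security objective (the FIPS 199 scale)."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One type of information the system will process, with its C/I/A impact values."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact


# Constructed sample data: what an SP 800-60 style mapping might yield for three
# information types processed by a hypothetical logistics system.
SAMPLE_INFO_TYPES = [
    InfoType("Personnel records", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    InfoType("Mission logistics status", Impact.LOW, Impact.MODERATE, Impact.HIGH),
    InfoType("Public-facing notices", Impact.LOW, Impact.LOW, Impact.LOW),
]


def categorize(info_types: list[InfoType]) -> tuple[Impact, Impact, Impact]:
    """Derive the system's (C, I, A) impact values from the information it processes.

    Each objective takes the maximum over all information types, and the three
    values stay separate: CNSSI 1253 selects controls from the triple rather
    than collapsing it into one overall level.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    c = max(it.confidentiality for it in info_types)
    i = max(it.integrity for it in info_types)
    a = max(it.availability for it in info_types)
    return (c, i, a)


def high_water_mark(triple: tuple[Impact, Impact, Impact]) -> Impact:
    """The FIPS 199 overall level (highest of the three), shown only for contrast."""
    return max(triple)


def baseline_id(triple: tuple[Impact, Impact, Impact]) -> str:
    """Name the CNSSI 1253 baseline the triple points at, e.g. 'M-M-H'."""
    letters = {Impact.LOW: "L", Impact.MODERATE: "M", Impact.HIGH: "H"}
    return "-".join(letters[v] for v in triple)


def adjust(triple: tuple[Impact, Impact, Impact], objective: str,
           new_value: Impact, rationale: str) -> tuple[tuple[Impact, Impact, Impact], str]:
    """Override one provisional value; a change without a written rationale is refused.

    Returns the adjusted triple and a one-line record suitable for the
    categorization documentation.
    """
    if objective not in OBJECTIVES:
        raise ValueError(f"unknown objective {objective!r}")
    if not rationale.strip():
        raise ValueError("an adjustment must carry a documented rationale")
    idx = OBJECTIVES.index(objective)
    values = list(triple)
    old = values[idx]
    values[idx] = new_value
    record = f"{objective}: {old.name} -> {new_value.name} ({rationale.strip()})"
    return (values[0], values[1], values[2]), record


if __name__ == "__main__":
    triple = categorize(SAMPLE_INFO_TYPES)
    print("Per-objective values:", [v.name for v in triple])
    print("CNSSI 1253 baseline:", baseline_id(triple))
    print("FIPS 199 high-water mark, for contrast:", high_water_mark(triple).name)
    adjusted, record = adjust(triple, "availability", Impact.MODERATE,
                              "mission owner accepts a 24-hour outage")
    print("After documented adjustment:", baseline_id(adjusted), "|", record)
```

Running the sample shows why the triple matters: a high-water mark would push every objective of this system to High, while CNSSI 1253 starts from the M-M-H baseline and applies High-level controls only where availability requires them.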

DoD Risk Management Framework Policy, Cont.

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process
• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely documented and reported to the responsible DoD Component Senior Information Security Officer (SISO)
• All DoD Information systems, PIT systems, PIT IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01
• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system
• Continuous monitoring capabilities will be implemented to the greatest extent possible
• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes

Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ________ to establish a single approach to managing risk within National Security Systems. (Fill in the blank)

[ ] U.S. Army, U.S. Air Force, U.S. Marine Corps, U.S. Navy
[x] Intelligence Community, National Institute of Standards and Technology (NIST), Committee on National Security Systems (CNSS)
[ ] Department of Justice, Department of Commerce
[ ] Department of Interior

Check Answer

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.

Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

[ ] An information system connecting to another information system
[ ] A system that has already been tested and evaluated to meet security requirements for another purpose
[x] A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information
[ ] A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Check Answer

Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.

Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.


Page 37: I...• T ier 2-M iss o n direction/guida Th e Do D RM t hree-tie r s . • Tie r 3-I n fo r m Tie r !-Organizatio n Informati o n Te imp lements dir Tier 2 -Mission/ Busin ess Pro

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 850001 and 851001 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD specific needs

Please select each box of t he framework for an overview of t he policy The links to t he policies will be made ava ilable in t he Resources section --------------------------------------------------middot NIST S P 800- 53

NI ST NIST SP 800-53 Security and Privacy Controls for Federal Information

NIST SP 800-39 Systems and Organizations provides guidelines for selecting and speci fying

=====-===-I security controls for organizations and in formation systems supporting ther executive agencies of the federal government to meet the requirementsNIST SP 800-37

c=====-===-I of Federal Information Processing Standards (FIPS) 200 Minimum Security NIST SP 800-30 Requirements for Federal Information and Information Systems The

----------bull guidelines apply to all components of an in formation system that process store or transmit federal in formation NIST SP 800-53l

NIST SP 800-53A

NIST SP 800-137 NIST SP 800-60

NIST SP 800-160

I Page16of 21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 850001 and 851001 align cybersecurity policy and leverage NIST and NSS policies for commonali ty across the federal government while addressing DoD specific needs

Please select each box of the framework for an overview of the policy The links to the policies will be made available in the Resourcessectionmiddot-------------------------9

NIST SP 800- 53A NI ST

NIST SP 800-53A Assessing Security and Privacy Controls in Federal NIST SP 800-39 Information Systems and Organizations provides guidelines for building

=====-===-I effective security assessment plans and privacy assessment plans and r NIST SP 800-37 includes a comprehensive set of procedures for assessing the

=====-===-I effectiveness of security controls and privacy controls employed in NIST SP 800-30 in formation systems and organizations supporting the executive c agencies of the federal government

-~~~~~~~~-middot

NIST SP 800-53l JNIST SP 800-53A

NIST SP 800-137 NIST SP 800-60

NIST SP 800-160

I Page16of 21 I Back Next

NIST SP 800-137

NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides for ongoing monitoring of security. This policy includes:

• Determining if security controls continue to be effective over time

• How to respond to risk as situations change

• How to ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance

Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.

NIST SP 800-60

NIST SP 800-60, Information Security, addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of:

• Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)

• Information systems (e.g., mission critical, mission support, administrative)

NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts and covers 11 core technical processes in systems and software development. The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities

• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle

• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied

• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes and serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria

Long Description

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies include:

• NIST SP 800-39, input into DoDI 8500.01

• NIST SP 800-37, input into DoDI 8500.01 and DoDI 8510.01

• NIST SP 800-30, input into DoDI 8510.01

• NIST SP 800-53, input into DoDI 8510.01

• NIST SP 800-53A, input into DoDI 8510.01

• NIST SP 800-137, input into DoDI 8510.01

• NIST SP 800-60, input into the Knowledge Service

• NIST SP 800-160, input into the Knowledge Service

CNSS policies include:

• CNSSP 22, input into DoDI 8500.01

• CNSSI 1253 (with NIST SP 800-37), input into DoDI 8500.01 and DoDI 8510.01

• CNSS 4009, input into DoDI 8510.01

Page 16 of 21

DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework: Decision Structure, NIST SP 800-37, FISMA 2014, CNSSI 1253.

Decision Structure

The DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.

NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.

FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014.

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (USC).

CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53

• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)

• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS

Page 17 of 21

DoD Risk Management Framework Policy (Cont.)

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process.

• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely documented and reported to the responsible DoD Component Senior Information Security Officer (SISO).

• All DoD Information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01.

• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.

• Continuous monitoring capabilities will be implemented to the greatest extent possible.

• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes.

Page 18 of 21

Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ________ to establish a single approach to managing risk within National Security Systems. (Fill in the blank)

• U.S. Army, U.S. Air Force, U.S. Marine Corps, U.S. Navy

• Intelligence Community, National Institute of Standards and Technology (NIST), Committee on National Security Systems (CNSS) (correct)

• Department of Justice, Department of Commerce

• Department of Interior

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.

Page 19 of 21

Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

• An information system connecting to another information system

• A system that has already been tested and evaluated to meet security requirements for another purpose

• A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information (correct)

• A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.

Page 20 of 21

Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.

Page 21 of 21

Page 38: I...• T ier 2-M iss o n direction/guida Th e Do D RM t hree-tie r s . • Tie r 3-I n fo r m Tie r !-Organizatio n Informati o n Te imp lements dir Tier 2 -Mission/ Busin ess Pro

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 850001 and 851001 align cybersecurity policy and leverage NIST and NSS policies for commonali ty across the federal government while addressing DoD specific needs

Please select each box of the framework for an overview of the policy The links to the policies will be made available in the Resourcessectionmiddot-------------------------9

NIST SP 800- 53A NI ST

NIST SP 800-53A Assessing Security and Privacy Controls in Federal NIST SP 800-39 Information Systems and Organizations provides guidelines for building

=====-===-I effective security assessment plans and privacy assessment plans and r NIST SP 800-37 includes a comprehensive set of procedures for assessing the

=====-===-I effectiveness of security controls and privacy controls employed in NIST SP 800-30 in formation systems and organizations supporting the executive c agencies of the federal government

-~~~~~~~~-middot

NIST SP 800-53l JNIST SP 800-53A

NIST SP 800-137 NIST SP 800-60

NIST SP 800-160

I Page16of 21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 850001 and 851001 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD specific needs

Please select each box of t he framework for an overview of t he policy The links to t he policies will be

made ava ilable in t he Resojurcessectionmiddot------------------------bull

NIST S P 800-137 NI ST

NIST SP 800-137 Information Securit y Continuous Monitoring for )NIST SP 800-39

Federal Information Systems and Organization provides ongoing =====-===-I monitoring of security This policy includes

NIST SP 800-37r bull Determining if security controls continue to be effective over c timeNIST SP 800-30 bull How to respond to risk as situations change

l bull How to ensure monitoring and reporting frequencies remain NIST SP 800-53 aligned with organizational threats and risk tolerance

NIST SP 800-53A

NIST SP 800-137

NIST SP 800-60

NIST SP 800-160

I Page16of 21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 850001 and 851001 align cybersecurity policy and leverage NIST and NSS policies for commonali ty across the federal government while addressing DoD specific needs

Please select each box of t he framework for an overview of t he policy The links to t he policies will be made ava ilable in t he Resources section

NIST Knowledge Service

NIST SP 800-39 The Risk Management Framework (RMF) Knowledge Service (KS) is DoDs official site for enterprise RMF policy and

NIST SP 800-37 r implementation guidelines The RMF Knowledge Service provides Cybersecurity practitioners and managers with ac NIST SP 800-30 - --11 single authorized source for execution and implementation

l guidance community forums and the latest in formation and developments in the RMFNIST SP 800-53

NIST SP 800-53A

NIST SP 800-137 I~owlcdgc Serv ice J-NIST SP 800-60

J~-middott 1l a ll~ NIST SP 800-160

I Page16of 21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 850001 and 851001 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD specific needs

Please select each box of t he framework for an overview of t he policy The links to t he policies will be made ava ilable in t he Resojur s sect ionmiddot ce- ________________________

NIST S P 800-6 0 NIST

NIST SP 800-60 Information Security addresses the FISMA direction to NIST SP 800-39

develop guidelines recommending the types of in formation and in formation ======-==--I systems to be included in each category of potential security impact This r NIST SP 800-37 guideline is intended to help agencies consistently map security impact ======-==--I levels to types of

NIST SP 800-30c bull Information (eg privacy medical proprietary financial contractor

l sensitive trade secret investigation)NIST SP 800-53 bull Information systems (eg mission critical mission support

administrative )

NIST SP 800-53A

NIST SP 800-137 I~owlcdgc Serv ice J-NIST SP 800-60

J~-middott 1l a ll~ NIST SP 800-160

I Page16of21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 850001 and 851001 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD specific needs

Please select each box of t he framework for an overview of t he policy The links to t he policies will be made ava ilable in t he Resources section

NIST S P 800-16 0 NI

NIST SP 800-160 Systems Security Engineering describes the fundamentals of NISTS

systems security engineering elements and concepts and covers 11 core =====-1 technical processes in systems and software development r NISTS

=====-I The purpose of this publication is NISTS

bull Provide a comprehensive statement of the systems security engineering discipline its principles concepts and activities

NIST S bull Foster a common mindset to deliver security for any system regardless of its scope size complexity or stage of the system life cycle

bull Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied

bull Demonstrate how systems security engineering processes can be effectively NIST S integrated into systems engineering processes and to serve as a basis for

the development of educational and training programs including the NIST S development of individual certifications and other professional assessment

criteria

NIST SP 800-160

I Page16of 21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 850001 and 8510 01 align cybersecuri ty policy and leverage NIST and NSS polic ies for commonali ty across the fjililOO~IQlil~~~iliitlililiiM0111iggJloliiioilll~-illlol~li

Long De script ion Please sele ill be made ava ila

DoDI 850001 and 8510 01 align cybersecuri ty policy and leverage NIST and NSS polic ies These polic ies feed into the Knowledge Service

NIST Polic ies include

r bull NIST SP 800-39 input into DoDI 850001 bull NIST SP 800-37 input into DoDI 850001 and DoDI 8510 01 bull NIST SP 800-30 input into DoDI 8510 01 bull NIST SP 800-53 input into DoDI 8510 01 bull NIST SP 800-53A input into DoDI 8510 01 bull NIST SP 800-137 input into DoDI 8510 01 bull NIST SP 800-60 input into the Knowledge Service bull NIST SP 800-160 input into the Knowledge Service

bull CNSSP 22 input into DoDI 850001 bull CNSSI 1253 NIST SP 800-37 input into DoDI 850001 and DoDI 8510 01 bull CNSS 4009 input into DoDI 8510 01

I Page 16 of 21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework

ecision Structure NI ST SP 800-37 FISMA 2014 CNSSI 1253

I Pbull ge 17 of 21 I Back Next

ISA220 Risk Man agement Framework for Practition e rs Lesson 1 1 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoD Risk Management Fr amework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework

Decision Structu re NI ST SP 800-3 7 FISMA 2014 CNSSI 1 253

The DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management ( the RMF) that includes and in tegrates DoD Mission Areas (MAs) pursuant to DoDD 81150l and the governance process prescribed in this instruc tion

I Pbull ge 17 of 21 I Back Next

--- ---

--------

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework

ecision Stru ctu re NIST SP 800-37 FIS MA 2014 CNSSI 1 253

The cybersecurity requirements for DoD in formation technologies will be managed through the RMF ___ consisten t with the principals es tablished in National Gukraquo fot ~IN l1illl

Institu te of Standards and Technology (NIST) Special - middot Mlin9 bullbullbull~middot1laquoWtl llltormttion SyttittntNISTPublication (SP) 800-37 DoD Information and PIT ---middot ~

systems will transition to the RMF 1uo-icshy -middotmiddot-middot INFORMATION S E CU R ITY

--middot---middot shy

__ _____ --shy-middot-shy I Pbull ge 17 of 21 I

Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework

ecision Structure NI ST SP 800-37 bull14ACIJ1Isect bull__c_N_ss_ 1_ 1_2s_3_

The RMF must satisfy the requirements o f the Federal Information Security Modernization Act (FISMA) of 2014

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40 United States Code (USC) I lDtaAl l1fOlMAJION SICJIUTYMNIMlMlHTNr

I Pbull ge 17 of 21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoD Risk Management Framework Policy

Please select each heading to view t he key policy requirements for t he execut ion of t he DoD Risk Management Framework

Decision Structure NIST SP 800-37 FISMA 2014 CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality integrity and availability of the information to be processed on the system and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253 Implementing the RMF includes

bull Implementing a corresponding set of security controls from NIST SP 800-53

bull Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values overlays implementation guidance and assessment procedures found on the RMF Knowledge Service (KS)

bull Executing updates to DoDs implementation of security controls that have been coordinated through the RMF T AG and identified in the RMF KS

I Page17of21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoD Risk Management Framework Policy Cont

Key Policy requirements for the execution of the DoD Risk Management Framework

bull Resources for implementing the RMF must be identified and allocated as part of the Defense planning programming budgeting and execution process

bull Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible Refusals must be timely documented and reported to the responsible DoD Component Senior Information Security Officer (SISO)

bull All DoD Information systems PIT systems PIT IT products and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 850001

bull A Plan of Action and Milestones (POAampM) must be developed and maintained to address known vulnerabilities in the IS or PIT system

bull Continuous monitoring capabilities will be implemented to the greatest extent possible

bull The RMF process will inform acquisition processes for all DoD IT including requirements development procurement and both Developmental Test amp Evaluation (DTampE) and Operational TampE (OTampE) but does not replace these processes

I Page18of21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group the DoD coordinated with the to establish a single approach to managing risk within National Security Systems (Fill in the blank)

US Army US Air Force US Marine Corps US Navy

~ In telligence Community National Institu te of Standards and Technology NIST) Committee on National Security Systems (CNSS)

Department of Justice Department of Commerce

Department of Interior

Check Answer

As part of the Joint Task Force Transformation Initiative Working Group the DoD coordinated with the Intelligence co mmunity NIST a nd CNSS to establish a single approach to managing risk within National Security Systems

I Pbull ge1Qof21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity What is reciprocity

D An information system connecting to another information system

D A system that has already been tested and evaluated to meet security requirements for another purpose

~ A mutual agreement among participating enterprises to accept each others security assessments in order to reuse information system resources and or to accept each others assessed security posture in order to share information

0 A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Check Answer

Reciprocity is a mutual agreement among participating enterprises to accept each others security assessments in order to reuse information system resources and or to accept each others assessed security posture in order to share information

I Page20 of 21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

Lesson Completion

You have completed the content for this lesson

To continue select another lesson from the Table o f Contents on the left

If you have closed or hidden the Table of Contents click the Show TOC button at the top in the Atlas navigation bar

I Pbull ge 21 of 21 I Back Next

Page 39: I...• T ier 2-M iss o n direction/guida Th e Do D RM t hree-tie r s . • Tie r 3-I n fo r m Tie r !-Organizatio n Informati o n Te imp lements dir Tier 2 -Mission/ Busin ess Pro

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 850001 and 851001 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD specific needs

Please select each box of t he framework for an overview of t he policy The links to t he policies will be

made ava ilable in t he Resojurcessectionmiddot------------------------bull

NIST S P 800-137 NI ST

NIST SP 800-137 Information Securit y Continuous Monitoring for )NIST SP 800-39

Federal Information Systems and Organization provides ongoing =====-===-I monitoring of security This policy includes

NIST SP 800-37r bull Determining if security controls continue to be effective over c timeNIST SP 800-30 bull How to respond to risk as situations change

l bull How to ensure monitoring and reporting frequencies remain NIST SP 800-53 aligned with organizational threats and risk tolerance

NIST SP 800-53A

NIST SP 800-137

NIST SP 800-60

NIST SP 800-160

I Page16of 21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 850001 and 851001 align cybersecurity policy and leverage NIST and NSS policies for commonali ty across the federal government while addressing DoD specific needs

Please select each box of t he framework for an overview of t he policy The links to t he policies will be made ava ilable in t he Resources section

NIST Knowledge Service

NIST SP 800-39 The Risk Management Framework (RMF) Knowledge Service (KS) is DoDs official site for enterprise RMF policy and

NIST SP 800-37 r implementation guidelines The RMF Knowledge Service provides Cybersecurity practitioners and managers with ac NIST SP 800-30 - --11 single authorized source for execution and implementation

l guidance community forums and the latest in formation and developments in the RMFNIST SP 800-53

NIST SP 800-53A

NIST SP 800-137 I~owlcdgc Serv ice J-NIST SP 800-60

J~-middott 1l a ll~ NIST SP 800-160

I Page16of 21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 850001 and 851001 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD specific needs

Please select each box of t he framework for an overview of t he policy The links to t he policies will be made ava ilable in t he Resojur s sect ionmiddot ce- ________________________

NIST S P 800-6 0 NIST

NIST SP 800-60 Information Security addresses the FISMA direction to NIST SP 800-39

develop guidelines recommending the types of in formation and in formation ======-==--I systems to be included in each category of potential security impact This r NIST SP 800-37 guideline is intended to help agencies consistently map security impact ======-==--I levels to types of

NIST SP 800-30c bull Information (eg privacy medical proprietary financial contractor

l sensitive trade secret investigation)NIST SP 800-53 bull Information systems (eg mission critical mission support

administrative )

NIST SP 800-53A

NIST SP 800-137 I~owlcdgc Serv ice J-NIST SP 800-60

J~-middott 1l a ll~ NIST SP 800-160

I Page16of21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 850001 and 851001 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD specific needs

Please select each box of t he framework for an overview of t he policy The links to t he policies will be made ava ilable in t he Resources section

NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts and covers 11 core technical processes in systems and software development. The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts, and activities

• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle

• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied

• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes and serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria


Long Description

DoDI 8500.01 and 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the Knowledge Service.

NIST policies include:

• NIST SP 800-39: input into DoDI 8500.01
• NIST SP 800-37: input into DoDI 8500.01 and DoDI 8510.01
• NIST SP 800-30: input into DoDI 8510.01
• NIST SP 800-53: input into DoDI 8510.01
• NIST SP 800-53A: input into DoDI 8510.01
• NIST SP 800-137: input into DoDI 8510.01
• NIST SP 800-60: input into the Knowledge Service
• NIST SP 800-160: input into the Knowledge Service

CNSS policies include:

• CNSSP 22: input into DoDI 8500.01
• CNSSI 1253: input into DoDI 8500.01 and DoDI 8510.01
• CNSS 4009: input into DoDI 8510.01


DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework.


Decision Structure

The DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction.


NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.


FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014.

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (U.S.C.).


CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity, and availability of the information to be processed on the system and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53

• Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures found on the RMF Knowledge Service (KS)

• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF TAG and identified in the RMF KS


DoD Risk Management Framework Policy (Cont.)

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting, and execution process.

• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely documented and reported to the responsible DoD Component Senior Information Security Officer (SISO).

• All DoD Information systems, PIT systems, PIT, IT products, and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01.

• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.

• Continuous monitoring capabilities will be implemented to the greatest extent possible.

• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes.


Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ________ to establish a single approach to managing risk within National Security Systems. (Fill in the blank)

US Army US Air Force US Marine Corps US Navy

[x] Intelligence Community, National Institute of Standards and Technology (NIST), Committee on National Security Systems (CNSS)

Department of Justice Department of Commerce

Department of Interior

Answer: As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST, and CNSS to establish a single approach to managing risk within National Security Systems.


Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

[ ] An information system connecting to another information system

[ ] A system that has already been tested and evaluated to meet security requirements for another purpose

[x] A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information

[ ] A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Answer: Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.


Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.


DoDI Policies and Risk Management


Knowledge Service

The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF.

I Page16of 21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 850001 and 851001 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD specific needs

Please select each box of t he framework for an overview of t he policy The links to t he policies will be made ava ilable in t he Resojur s sect ionmiddot ce- ________________________

NIST S P 800-6 0 NIST

NIST SP 800-60 Information Security addresses the FISMA direction to NIST SP 800-39

develop guidelines recommending the types of in formation and in formation ======-==--I systems to be included in each category of potential security impact This r NIST SP 800-37 guideline is intended to help agencies consistently map security impact ======-==--I levels to types of

NIST SP 800-30c bull Information (eg privacy medical proprietary financial contractor

l sensitive trade secret investigation)NIST SP 800-53 bull Information systems (eg mission critical mission support

administrative )

NIST SP 800-53A

NIST SP 800-137 I~owlcdgc Serv ice J-NIST SP 800-60

J~-middott 1l a ll~ NIST SP 800-160

I Page16of21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 850001 and 851001 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD specific needs

Please select each box of t he framework for an overview of t he policy The links to t he policies will be made ava ilable in t he Resources section

NIST S P 800-16 0 NI

NIST SP 800-160 Systems Security Engineering describes the fundamentals of NISTS

systems security engineering elements and concepts and covers 11 core =====-1 technical processes in systems and software development r NISTS

=====-I The purpose of this publication is NISTS

bull Provide a comprehensive statement of the systems security engineering discipline its principles concepts and activities

NIST S bull Foster a common mindset to deliver security for any system regardless of its scope size complexity or stage of the system life cycle

bull Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied

bull Demonstrate how systems security engineering processes can be effectively NIST S integrated into systems engineering processes and to serve as a basis for

the development of educational and training programs including the NIST S development of individual certifications and other professional assessment

criteria

NIST SP 800-160

I Page16of 21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 850001 and 8510 01 align cybersecuri ty policy and leverage NIST and NSS polic ies for commonali ty across the fjililOO~IQlil~~~iliitlililiiM0111iggJloliiioilll~-illlol~li

Long De script ion Please sele ill be made ava ila

DoDI 850001 and 8510 01 align cybersecuri ty policy and leverage NIST and NSS polic ies These polic ies feed into the Knowledge Service

NIST Polic ies include

r bull NIST SP 800-39 input into DoDI 850001 bull NIST SP 800-37 input into DoDI 850001 and DoDI 8510 01 bull NIST SP 800-30 input into DoDI 8510 01 bull NIST SP 800-53 input into DoDI 8510 01 bull NIST SP 800-53A input into DoDI 8510 01 bull NIST SP 800-137 input into DoDI 8510 01 bull NIST SP 800-60 input into the Knowledge Service bull NIST SP 800-160 input into the Knowledge Service

bull CNSSP 22 input into DoDI 850001 bull CNSSI 1253 NIST SP 800-37 input into DoDI 850001 and DoDI 8510 01 bull CNSS 4009 input into DoDI 8510 01

I Page 16 of 21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework

ecision Structure NI ST SP 800-37 FISMA 2014 CNSSI 1253

I Pbull ge 17 of 21 I Back Next

ISA220 Risk Man agement Framework for Practition e rs Lesson 1 1 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoD Risk Management Fr amework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework

Decision Structu re NI ST SP 800-3 7 FISMA 2014 CNSSI 1 253

The DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management ( the RMF) that includes and in tegrates DoD Mission Areas (MAs) pursuant to DoDD 81150l and the governance process prescribed in this instruc tion

I Pbull ge 17 of 21 I Back Next

--- ---

--------

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework

ecision Stru ctu re NIST SP 800-37 FIS MA 2014 CNSSI 1 253

The cybersecurity requirements for DoD in formation technologies will be managed through the RMF ___ consisten t with the principals es tablished in National Gukraquo fot ~IN l1illl

Institu te of Standards and Technology (NIST) Special - middot Mlin9 bullbullbull~middot1laquoWtl llltormttion SyttittntNISTPublication (SP) 800-37 DoD Information and PIT ---middot ~

systems will transition to the RMF 1uo-icshy -middotmiddot-middot INFORMATION S E CU R ITY

--middot---middot shy

__ _____ --shy-middot-shy I Pbull ge 17 of 21 I

Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework

ecision Structure NI ST SP 800-37 bull14ACIJ1Isect bull__c_N_ss_ 1_ 1_2s_3_

The RMF must satisfy the requirements o f the Federal Information Security Modernization Act (FISMA) of 2014

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40 United States Code (USC) I lDtaAl l1fOlMAJION SICJIUTYMNIMlMlHTNr

I Pbull ge 17 of 21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoD Risk Management Framework Policy

Please select each heading to view t he key policy requirements for t he execut ion of t he DoD Risk Management Framework

Decision Structure NIST SP 800-37 FISMA 2014 CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality integrity and availability of the information to be processed on the system and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253 Implementing the RMF includes

bull Implementing a corresponding set of security controls from NIST SP 800-53

bull Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values overlays implementation guidance and assessment procedures found on the RMF Knowledge Service (KS)

bull Executing updates to DoDs implementation of security controls that have been coordinated through the RMF T AG and identified in the RMF KS

I Page17of21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoD Risk Management Framework Policy Cont

Key Policy requirements for the execution of the DoD Risk Management Framework

bull Resources for implementing the RMF must be identified and allocated as part of the Defense planning programming budgeting and execution process

bull Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible Refusals must be timely documented and reported to the responsible DoD Component Senior Information Security Officer (SISO)

bull All DoD Information systems PIT systems PIT IT products and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 850001

bull A Plan of Action and Milestones (POAampM) must be developed and maintained to address known vulnerabilities in the IS or PIT system

bull Continuous monitoring capabilities will be implemented to the greatest extent possible

bull The RMF process will inform acquisition processes for all DoD IT including requirements development procurement and both Developmental Test amp Evaluation (DTampE) and Operational TampE (OTampE) but does not replace these processes

I Page18of21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group the DoD coordinated with the to establish a single approach to managing risk within National Security Systems (Fill in the blank)

US Army US Air Force US Marine Corps US Navy

~ In telligence Community National Institu te of Standards and Technology NIST) Committee on National Security Systems (CNSS)

Department of Justice Department of Commerce

Department of Interior

Check Answer

As part of the Joint Task Force Transformation Initiative Working Group the DoD coordinated with the Intelligence co mmunity NIST a nd CNSS to establish a single approach to managing risk within National Security Systems

I Pbull ge1Qof21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity What is reciprocity

D An information system connecting to another information system

D A system that has already been tested and evaluated to meet security requirements for another purpose

~ A mutual agreement among participating enterprises to accept each others security assessments in order to reuse information system resources and or to accept each others assessed security posture in order to share information

0 A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Check Answer

Reciprocity is a mutual agreement among participating enterprises to accept each others security assessments in order to reuse information system resources and or to accept each others assessed security posture in order to share information

I Page20 of 21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

Lesson Completion

You have completed the content for this lesson

To continue select another lesson from the Table o f Contents on the left

If you have closed or hidden the Table of Contents click the Show TOC button at the top in the Atlas navigation bar

I Pbull ge 21 of 21 I Back Next

Page 41: I...• T ier 2-M iss o n direction/guida Th e Do D RM t hree-tie r s . • Tie r 3-I n fo r m Tie r !-Organizatio n Informati o n Te imp lements dir Tier 2 -Mission/ Busin ess Pro

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 850001 and 851001 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD specific needs

Please select each box of t he framework for an overview of t he policy The links to t he policies will be made ava ilable in t he Resojur s sect ionmiddot ce- ________________________

NIST S P 800-6 0 NIST

NIST SP 800-60 Information Security addresses the FISMA direction to NIST SP 800-39

develop guidelines recommending the types of in formation and in formation ======-==--I systems to be included in each category of potential security impact This r NIST SP 800-37 guideline is intended to help agencies consistently map security impact ======-==--I levels to types of

NIST SP 800-30c bull Information (eg privacy medical proprietary financial contractor

l sensitive trade secret investigation)NIST SP 800-53 bull Information systems (eg mission critical mission support

administrative )

NIST SP 800-53A

NIST SP 800-137 I~owlcdgc Serv ice J-NIST SP 800-60

J~-middott 1l a ll~ NIST SP 800-160

I Page16of21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 850001 and 851001 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD specific needs

Please select each box of t he framework for an overview of t he policy The links to t he policies will be made ava ilable in t he Resources section

NIST S P 800-16 0 NI

NIST SP 800-160 Systems Security Engineering describes the fundamentals of NISTS

systems security engineering elements and concepts and covers 11 core =====-1 technical processes in systems and software development r NISTS

=====-I The purpose of this publication is NISTS

bull Provide a comprehensive statement of the systems security engineering discipline its principles concepts and activities

NIST S bull Foster a common mindset to deliver security for any system regardless of its scope size complexity or stage of the system life cycle

bull Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied

bull Demonstrate how systems security engineering processes can be effectively NIST S integrated into systems engineering processes and to serve as a basis for

the development of educational and training programs including the NIST S development of individual certifications and other professional assessment

criteria

NIST SP 800-160

I Page16of 21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoDI Policies and Risk Management

DoDI 850001 and 8510 01 align cybersecuri ty policy and leverage NIST and NSS polic ies for commonali ty across the fjililOO~IQlil~~~iliitlililiiM0111iggJloliiioilll~-illlol~li

Long De script ion Please sele ill be made ava ila

DoDI 850001 and 8510 01 align cybersecuri ty policy and leverage NIST and NSS polic ies These polic ies feed into the Knowledge Service

NIST Polic ies include

r bull NIST SP 800-39 input into DoDI 850001 bull NIST SP 800-37 input into DoDI 850001 and DoDI 8510 01 bull NIST SP 800-30 input into DoDI 8510 01 bull NIST SP 800-53 input into DoDI 8510 01 bull NIST SP 800-53A input into DoDI 8510 01 bull NIST SP 800-137 input into DoDI 8510 01 bull NIST SP 800-60 input into the Knowledge Service bull NIST SP 800-160 input into the Knowledge Service

bull CNSSP 22 input into DoDI 850001 bull CNSSI 1253 NIST SP 800-37 input into DoDI 850001 and DoDI 8510 01 bull CNSS 4009 input into DoDI 8510 01

I Page 16 of 21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework

ecision Structure NI ST SP 800-37 FISMA 2014 CNSSI 1253

I Pbull ge 17 of 21 I Back Next

ISA220 Risk Man agement Framework for Practition e rs Lesson 1 1 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoD Risk Management Fr amework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework

Decision Structu re NI ST SP 800-3 7 FISMA 2014 CNSSI 1 253

The DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management ( the RMF) that includes and in tegrates DoD Mission Areas (MAs) pursuant to DoDD 81150l and the governance process prescribed in this instruc tion

I Pbull ge 17 of 21 I Back Next

--- ---

--------

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework

ecision Stru ctu re NIST SP 800-37 FIS MA 2014 CNSSI 1 253

The cybersecurity requirements for DoD in formation technologies will be managed through the RMF ___ consisten t with the principals es tablished in National Gukraquo fot ~IN l1illl

Institu te of Standards and Technology (NIST) Special - middot Mlin9 bullbullbull~middot1laquoWtl llltormttion SyttittntNISTPublication (SP) 800-37 DoD Information and PIT ---middot ~

systems will transition to the RMF 1uo-icshy -middotmiddot-middot INFORMATION S E CU R ITY

--middot---middot shy

__ _____ --shy-middot-shy I Pbull ge 17 of 21 I

Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework

ecision Structure NI ST SP 800-37 bull14ACIJ1Isect bull__c_N_ss_ 1_ 1_2s_3_

The RMF must satisfy the requirements o f the Federal Information Security Modernization Act (FISMA) of 2014

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40 United States Code (USC) I lDtaAl l1fOlMAJION SICJIUTYMNIMlMlHTNr

I Pbull ge 17 of 21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoD Risk Management Framework Policy

Please select each heading to view t he key policy requirements for t he execut ion of t he DoD Risk Management Framework

Decision Structure NIST SP 800-37 FISMA 2014 CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality integrity and availability of the information to be processed on the system and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253 Implementing the RMF includes

bull Implementing a corresponding set of security controls from NIST SP 800-53

bull Using assessment procedures from NIST SP 800-53A and DoD-specific assignment values overlays implementation guidance and assessment procedures found on the RMF Knowledge Service (KS)

bull Executing updates to DoDs implementation of security controls that have been coordinated through the RMF T AG and identified in the RMF KS

I Page17of21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoD Risk Management Framework Policy Cont


DoDI Policies and Risk Management

DoDI 8500.01 and DoDI 8510.01 align cybersecurity policy and leverage NIST and NSS policies for commonality across the federal government while addressing DoD-specific needs.

Please select each box of the framework for an overview of the policy. The links to the policies will be made available in the Resources section.

NIST SP 800-160

NIST SP 800-160, Systems Security Engineering, describes the fundamentals of systems security engineering elements and concepts and covers 11 core technical processes in systems and software development.

The purpose of this publication is to:

• Provide a comprehensive statement of the systems security engineering discipline, its principles, concepts and activities
• Foster a common mindset to deliver security for any system, regardless of its scope, size, complexity or stage of the system life cycle
• Advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied
• Demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes, and serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria

Long Description

DoDI 8500.01 and DoDI 8510.01 align cybersecurity policy and leverage NIST and NSS policies. These policies feed into the RMF Knowledge Service.

NIST publications include:

• NIST SP 800-39: input into DoDI 8500.01
• NIST SP 800-37: input into DoDI 8500.01 and DoDI 8510.01
• NIST SP 800-30: input into DoDI 8510.01
• NIST SP 800-53: input into DoDI 8510.01
• NIST SP 800-53A: input into DoDI 8510.01
• NIST SP 800-137: input into DoDI 8510.01
• NIST SP 800-60: input into the Knowledge Service
• NIST SP 800-160: input into the Knowledge Service

CNSS policies include:

• CNSSP 22: input into DoDI 8500.01
• CNSSI 1253: input into DoDI 8500.01 and DoDI 8510.01
• CNSSI 4009: input into DoDI 8510.01

Page 16 of 21

DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework.

Decision Structure

The DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD Mission Areas (MAs) pursuant to DoDD 8115.01 and the governance process prescribed in this instruction (DoDI 8510.01).

NIST SP 800-37

The cybersecurity requirements for DoD information technologies will be managed through the RMF, consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. DoD Information and PIT systems will transition to the RMF.

FISMA 2014

The RMF must satisfy the requirements of the Federal Information Security Modernization Act (FISMA) of 2014.

DoD must meet or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce pursuant to FISMA and section 11331 of Title 40, United States Code (U.S.C.).

CNSSI 1253

All DoD Information and PIT systems must determine the impact values to the confidentiality, integrity and availability of the information to be processed on the system, and select security controls based on those impact values in accordance with Committee on National Security Systems Instruction (CNSSI) 1253. Implementing the RMF includes:

• Implementing a corresponding set of security controls from NIST SP 800-53
• Using assessment procedures from NIST SP 800-53A and the DoD-specific assignment values, overlays, implementation guidance and assessment procedures found on the RMF Knowledge Service (KS)
• Executing updates to DoD's implementation of security controls that have been coordinated through the RMF Technical Advisory Group (TAG) and identified in the RMF KS

Page 17 of 21

DoD Risk Management Framework Policy (Cont.)

Key policy requirements for the execution of the DoD Risk Management Framework:

• Resources for implementing the RMF must be identified and allocated as part of the Defense planning, programming, budgeting and execution (PPBE) process.
• Reciprocal acceptance of DoD and other federal agency and department IS and PIT system authorizations will be implemented to the maximum extent possible. Refusals must be timely, documented, and reported to the responsible DoD Component Senior Information Security Officer (SISO).
• All DoD information systems (IS), PIT systems, PIT, IT products and IT services must be under the governance of a DoD Component cybersecurity program in accordance with DoDI 8500.01.
• A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.
• Continuous monitoring capabilities will be implemented to the greatest extent possible.
• The RMF process will inform acquisition processes for all DoD IT, including requirements development, procurement, and both Developmental Test & Evaluation (DT&E) and Operational T&E (OT&E), but does not replace these processes.

Page 18 of 21

Knowledge Review 2

As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the ______ to establish a single approach to managing risk within National Security Systems. (Fill in the blank)

[ ] U.S. Army, U.S. Air Force, U.S. Marine Corps, U.S. Navy
[x] Intelligence Community, National Institute of Standards and Technology (NIST), Committee on National Security Systems (CNSS)
[ ] Department of Justice, Department of Commerce
[ ] Department of the Interior

Answer: As part of the Joint Task Force Transformation Initiative Working Group, the DoD coordinated with the Intelligence Community, NIST and CNSS to establish a single approach to managing risk within National Security Systems.

Page 19 of 21

Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity. What is reciprocity?

[ ] An information system connecting to another information system
[ ] A system that has already been tested and evaluated to meet security requirements for another purpose
[x] A mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information
[ ] A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Answer: Reciprocity is a mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.

Page 20 of 21

Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents, click the Show TOC button at the top of the Atlas navigation bar.

Page 21 of 21


I Pbull ge1Qof21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

Knowledge Review 3

An important objective of the Joint Task Force Transformation Initiative Working Group includes reciprocity What is reciprocity

D An information system connecting to another information system

D A system that has already been tested and evaluated to meet security requirements for another purpose

~ A mutual agreement among participating enterprises to accept each others security assessments in order to reuse information system resources and or to accept each others assessed security posture in order to share information

0 A mutual agreement between DoD and the Intelligence Community to connect information systems for the purpose of information sharing

Check Answer

Reciprocity is a mutual agreement among participating enterprises to accept each others security assessments in order to reuse information system resources and or to accept each others assessed security posture in order to share information

I Page20 of 21 I Back Next

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

Lesson Completion

You have completed the content for this lesson

To continue select another lesson from the Table o f Contents on the left

If you have closed or hidden the Table of Contents click the Show TOC button at the top in the Atlas navigation bar

I Pbull ge 21 of 21 I Back Next

Page 46: I...• T ier 2-M iss o n direction/guida Th e Do D RM t hree-tie r s . • Tie r 3-I n fo r m Tie r !-Organizatio n Informati o n Te imp lements dir Tier 2 -Mission/ Busin ess Pro

--- ---

--------

ISA220 Risk Management Framework for Practitioners Lesson 11 - DoDs Approach to Risk Management RESOURCES I PRINT I HELP

DoD Risk Management Framework Policy

Please select each heading to view the key policy requirements for the execution of the DoD Risk Management Framework

ecision Stru ctu re NIST SP 800-37 FIS MA 2014 CNSSI 1 253

The cybersecurity requirements for DoD in formation technologies will be managed through the RMF ___ consisten t with the principals es tablished in National Gukraquo fot ~IN l1illl

Institu te of Standards and Technology (NIST) Special - middot Mlin9 bullbullbull~middot1laquoWtl llltormttion SyttittntNISTPublication (SP) 800-37 DoD Information and PIT ---middot ~

systems will transition to the RMF 1uo-icshy -middotmiddot-middot INFORMATION S E CU R ITY

--middot---middot shy

__ _____ --shy-middot-shy I Pbull ge 17 of 21 I

Back Next
