infosecforce risk management framework transition plan

Upload: bill-ross

Post on 20-Jul-2015

Page 1: INFOSECFORCE Risk Management Framework Transition Plan


DIARMF and Continuous Monitoring

BILL ROSS

INFOSECFORCE

“ Balancing security controls to business requirements “


RMF Overview

RMF History

• 12 March 2014: DoD mandates a 6-month migration plan to transition from DIACAP to the NIST-based Risk Management Framework (DIARMF)
• RMF aligns DoD with the Executive Branch of government for system assurance and complies with FISMA
• The DoD Certification and Accreditation (C&A) concept is replaced by Assessment and Authorization (A&A)
• A more detailed and comprehensive risk management process
• eMASS is the documentation and process tool

What is the RMF?

The Risk Management Framework (RMF) is the “common information security framework” for the federal government and its information and information systems. The goals of the RMF are:

• To improve information security
• To strengthen the risk management processes
• To encourage reciprocity among federal agencies
• To provide a continuous control monitoring service

DIACAP – DIARMF Process Comparison


References

(a) DoD Instruction 8510.01, 12 March 2014, Risk Management Framework (RMF) for DoD Information Technology (IT)
(b) National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, February 2010, as amended
(c) Committee on National Security Systems Instruction (CNSSI) 1253, 27 March 2014, Security Categorization and Control Selection for National Security Systems, as amended
(d) NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, 30 April 2013, as amended
(e) DoD Instruction 8500.01, 14 March 2014, Cybersecurity

Automated tools such as the Enterprise Mission Assurance Support Service (eMASS) and the Ports, Protocols, and Services Management (PPSM) registry enable agile deployment.

DoD Cybersecurity Policy
• Cybersecurity Policy: DoDI 8500.01, DoDI 8510.01
• Implementation Guidance: RMF Knowledge Service
• Automated Implementation Guidance: eMASS

The RMF Knowledge Service is the authoritative source for information, guidance, procedures, and templates on how to execute the Risk Management Framework.

DoD cybersecurity policies provide clear, adaptable processes for stakeholders that support and secure missions and align with Federal requirements.

DIARMF Lifecycle

• Initiate the DIARMF A&A procedure
• Deliver the DIARMF A&A package:
  • System Security Plan (SSP) – NIST SP 800-18
  • Security Assessment Report
  • Risk Assessment – NIST SP 800-30
  • Plan of Action and Milestones
  • Transmittal and Decision Letters (ATO, IATT, DATO)
• Conduct DIARMF continuous control monitoring operations (RMF operational mechanics, DIARMF OPS)


Continuous Monitoring within the Risk Management Framework

Control management
• Security control selection documentation
• Control selection
• Continuous control monitoring
• Creating the PSSP
• Defining and categorizing the system based on controls
• Ensuring controls are put into the PSSP
• Ensuring controls are considered in the SDLC
• Continuous control assessment
• Ensure that the NIC vulnerability assessment program is reporting on the controls
• Ensuring control weaknesses are remediated
• Tracking control inheritance against all the PCI-related systems
• Enter control management data into CFT
• Ensure that control deficiencies in all IT areas are tracked in the POA&M
• Ensure that the proper controls are examined in the IRAF
• Ensuring that if controls are added or the system is re-categorized, the proper control updates occur
• Determine teaming relationships with other parts of the NIC PCI effort

“During the security control selection process, organizations may begin planning for the continuous monitoring process by developing a monitoring strategy. The strategy can include, for example, monitoring criteria such as the volatility of specific security controls and the appropriate frequency of monitoring specific controls. Organizations may choose to address security control volatility and frequency of monitoring during control selection as inputs to the continuous monitoring process.” DoDI 8510.01

An effective continuous monitoring program includes:

• Configuration management and control processes for organizational information systems;
• Security impact analyses on proposed or actual changes to organizational information systems and environments of operation;
• Assessment of selected security controls (including system-specific, hybrid, and common controls) based on the organization-defined continuous monitoring strategy;
• Security status reporting to appropriate organizational officials;
• Active involvement by authorizing officials in the ongoing management of information system-related security risks.

The continuous monitoring test plan identifies the plans for testing a subset of the security controls (including management, operational, and technical controls) on an ongoing basis subsequent to the initial authorization. The selection of appropriate security controls to monitor and the frequency of monitoring are defined in the plan and approved by the authorizing official and senior information security officer. The use of automation to support security control assessments facilitates a greater frequency and volume of assessments that is consistent with the continuous monitoring strategy established by the organization.
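As an added worked example (not part of the original slides, and not taken from DoDI 8510.01 or NIST guidance), the following Python script turns a monitoring strategy of the kind quoted above, control volatility mapped to an assessment frequency, into the dated work list the test plan describes: the subset of controls due for assessment as of a given date, split into common, hybrid and system-specific controls so that common-control providers and system owners each get their own list. The volatility-to-frequency table, the annual ceiling, the control identifiers and the assessment dates are all constructed assumptions for illustration.

```python
"""Continuous-monitoring schedule driven by control volatility.

Added illustration; not from the slides, DoDI 8510.01 or NIST SP 800-37.
Frequencies, control identifiers and dates below are constructed examples.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed mapping from control volatility to assessment interval, in days.
# These numbers are organization-defined; the values here are illustrative.
FREQUENCY_DAYS = {"high": 30, "medium": 90, "low": 365}

# Assumed ceiling: every control is re-assessed at least this often regardless
# of volatility, so low-volatility controls cannot fall out of the rotation.
MAX_INTERVAL_DAYS = 365


@dataclass(frozen=True)
class Control:
    ident: str                      # e.g. "AC-2" (NIST SP 800-53 identifier)
    kind: str                       # "common", "hybrid" or "system-specific"
    volatility: str                 # "high", "medium" or "low"
    last_assessed: Optional[date]   # None: not assessed since authorization


def assessment_interval(control: Control) -> timedelta:
    """Interval between assessments for this control, capped at the ceiling."""
    try:
        days = FREQUENCY_DAYS[control.volatility]
    except KeyError:
        raise ValueError(f"{control.ident}: unknown volatility {control.volatility!r}")
    return timedelta(days=min(days, MAX_INTERVAL_DAYS))


def next_due(control: Control) -> Optional[date]:
    """Date the next assessment falls due; None means 'due now' (never assessed)."""
    if control.last_assessed is None:
        return None
    return control.last_assessed + assessment_interval(control)


def controls_due(controls: List[Control], as_of: date) -> List[Control]:
    """Controls whose assessment is due on or before as_of, most overdue first.

    Never-assessed controls sort ahead of everything else so a gap between
    authorization and the first monitoring cycle is visible, not deferred.
    """
    due = []
    for c in controls:
        d = next_due(c)
        if d is None:
            due.append((-10**6, c))            # sentinel: never assessed
        elif d <= as_of:
            due.append((-(as_of - d).days, c))  # more overdue -> smaller key
    due.sort(key=lambda t: (t[0], t[1].ident))
    return [c for _, c in due]


def monitoring_plan(controls: List[Control], as_of: date) -> Dict[str, List[str]]:
    """Group due controls by kind: common-control results are inherited by
    systems, so their provider gets a separate work list from system owners."""
    plan: Dict[str, List[str]] = {"common": [], "hybrid": [], "system-specific": []}
    for c in controls_due(controls, as_of):
        if c.kind not in plan:
            raise ValueError(f"{c.ident}: unknown control kind {c.kind!r}")
        plan[c.kind].append(c.ident)
    return plan


# Constructed sample inventory (not real system data) and reporting date.
SAMPLE_CONTROLS = [
    Control("AC-2", "system-specific", "high", date(2015, 6, 1)),   # account management
    Control("CM-6", "system-specific", "high", date(2015, 7, 10)),  # configuration settings
    Control("SI-2", "hybrid", "medium", date(2015, 3, 1)),          # flaw remediation
    Control("PE-3", "common", "low", date(2014, 7, 1)),             # physical access control
    Control("AT-2", "common", "low", date(2015, 2, 1)),             # awareness training
    Control("IR-4", "hybrid", "medium", None),                      # not yet assessed
]
AS_OF = date(2015, 7, 20)


def sample_due_idents() -> List[str]:
    return [c.ident for c in controls_due(SAMPLE_CONTROLS, AS_OF)]


def sample_plan() -> Dict[str, List[str]]:
    return monitoring_plan(SAMPLE_CONTROLS, AS_OF)


if __name__ == "__main__":
    for kind, idents in sample_plan().items():
        print(f"{kind:16s} {', '.join(idents) or '-'}")
```

Run as-is it prints the work list for the constructed inventory as of 20 July 2015: IR-4 (never assessed) and SI-2 for the hybrid owners, PE-3 for the common-control provider, AC-2 for the system owner, with CM-6 and AT-2 not yet due. In practice the inventory would come from the SSP or an eMASS export, and the output is the subset the test plan schedules for that period; the ceiling keeps a low-volatility control from being assessed less than once a year even if its volatility entry says otherwise.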

• RMF is highly control centric, with numerous control functions to accomplish.
• Continuous monitoring within the RMF is a framework of its own that includes a detailed technical approach, specific goals and expected outcomes.
• Structured control management requires continuous monitoring to measure success.
