TRANSCRIPT
ISA220 Risk Management Framework for Practitioners, Lesson 51 - Implementation of Control Solutions
Introduction
This lesson explains the processes and resources available to assist you in implementing security controls. The Risk Management Framework (RMF) Knowledge Service (KS) is your primary resource for more specific Department of Defense (DoD) guidance for implementing security controls.
Roles Of Key RMF Team Members In the Implementation Of Security Controls
As your Information System Security Manager (ISSM), I will continue to align our Automated Fuels System (AFS) to the activities involved in the RMF.
In RMF Step 3, you, as the Information System Owner (ISO), are responsible for implementing security controls for the AFS. You will update the Security Plan to address any proposed or actual changes to the information system and its environment of operation while implementing the security controls.
You will also update our system-level continuous monitoring strategy. The Program Manager (PM) will coordinate with you on the security controls monitoring strategy and security plan, and will also ensure that security is engineered to meet cybersecurity requirements.
Roles Of Key RMF Team Members In the Implementation Of Security Controls (Cont.)
The AFS Mission and Information Owners will need to translate security controls into system specifications and integrate those specifications into the system design.
They will also ensure that security engineering tradeoffs do not affect the system's ability to meet fundamental mission requirements.
Our Information System Security Engineer (ISSE) comes into action during this step of the process. Our ISSE addresses the AFS security control requirements and coordinates with our Common Control Provider, the Fuels Program Manager, and the Information System Owner on implementing the security controls we inherit from the Fuels Program Network.
These are very important roles specifically within this step, and they must be documented in the System Security Plan.
Automated Fuels System Roles and Responsibilities. Select each of the icons to learn more about the Roles and Responsibilities.
The Information System Security Engineer (ISSE) is Max Black.
The ISSE, also referred to as the Information Security Architect, is an integral group/individual associated with the system developer.
The ISSE:
• Ensures information security requirements are effectively implemented throughout the security architecting, design, development, configuration, and implementation processes.
• Coordinates security-related activities with the Information System Security Officer (ISSO), the Information System Security Manager (ISSM), and the Common Control Provider (CCP).
The Information Owners (IO) are the Fuels Program Chief Financial Officer, US Army Colonel Alexis Greenback, and the Fuels Program Logistics Officer, Staff Sergeant Movin Now.
The IO has statutory or operational authority for specified information and establishes controls for the information's generation, collection, processing, dissemination, and disposal.
The Common Control Provider (CCP) is the Department of Defense (DoD) Fuels System.
The CCP is responsible for the planning, development, implementation, assessment, authorization, and monitoring of common controls. Organizations can have multiple CCPs, depending upon how information security responsibilities are allocated organization-wide.
You, the student, have been assigned as the AFS Information System Owner.
In coordination with the Information Owner (IO), you will:
• Categorize the system and document it in the Security Plan.
• Be responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.
• Plan and budget for security control implementation, assessment, and sustainment throughout the system life cycle, including timely and effective configuration and vulnerability management.
The Information System Owner (ISO) or Program Manager/Systems Manager develops the Plan of Action and Milestones (POA&M) and implements corrective actions.
The Information System Security Manager (ISSM) is Ms. Sheila Fumes.
The ISSM:
• Is responsible for the day-to-day security and continuous monitoring of an Information System (IS) or Platform Information Technology (PIT) System.
• Develops and maintains an organizational or system-level cybersecurity program that includes cybersecurity architecture, requirements, objectives and policies, cybersecurity personnel, and cybersecurity processes and procedures.
• As the principal advisor to the Authorizing Official (AO), assembles the security authorization package.
When circumstances warrant, a single individual may fulfill both the ISSM and the Information System Security Officer (ISSO) roles.
The Mission Owner (MO) is the Fuels Program Director, Colonel Sam Wheels.
The MO has operational responsibility for the mission or business process supported by the mission/business segment or the information system. The MO is the key stakeholder for system life cycle decisions.
The Program Manager is Lieutenant Colonel Whitey Fry.
The Program Manager/Systems Manager (PM/SM) is the person who has the responsibility and authority to accomplish program or system objectives for development, production, and sustainment to meet the user's operational needs.
The PM/SM or Information System Owner (ISO) develops the Plan of Action and Milestones (POA&M), implements corrective actions, and ensures the security plan and POA&M are updated based on the results of the system-level continuous monitoring process.
Common Security Controls
Common security controls, as defined by Committee on National Security Systems Instruction (CNSSI) 1253, are controls whose implementation is managed by an organizational entity other than the system owner. A common control is a security control that can be applied to one or more organizational information systems and includes:
• The development, implementation, and assessment of the common control, which is assigned to a responsible official or organizational element (other than the information system owner).
• The results from the assessment of the control, which can be used to support the RMF processes of an agency information system where that control has been applied.
By indicating whether the controls are typically implemented as common (also known as inherited) controls, the column titled Potentially Common/Inheritable in Table D-2 of CNSSI 1253 provides guidance for implementation planning.
The final determination of which controls to implement as common controls will vary depending on the system and its intended environment/deployment. All controls selected for an information system must be addressed in the security plan, whether those controls are implemented by the information system or inherited from a common control provider.
Evidence must be included or referenced in the security plan that shows the information system actually receives protection from the inheritable security controls.
Table D-2 (excerpt), Additional Security Control Information, from CNSSI 1253. Columns: Control ID; Confidentiality (C); Integrity (I); Availability (A); Justification for NSS Baseline(s); Potentially Common/Inheritable (PC/I).

ID        C  I  A  Justification for NSS Baseline(s)        PC/I
AC-1      x  x  x                                           x
AC-2      x  x
AC-2(1)   x  x                                              x
AC-2(2)   x  x                                              x
AC-2(3)   x  x                                              x
AC-2(4)   x  x     Insider Threat Issuance, CNSSI No. 1015  x
AC-2(5)   x  x  x  Best Practice, Insider Threat            x
AC-2(6)   x  x
AC-2(7)   x  x     Insider Threat Issuance, CNSSI No. 1015
AC-2(8)   x  x
AC-2(9)   x  x     Insider Threat                           x
AC-2(10)  x  x     Insider Threat
AC-2(11)  x  x
AC-2(12)  x  x     Insider Threat                           x
Examples of Common Security Controls
The DoD defines a Common Security Control as a security control that is inherited by one or more organizational information systems.
The RMF Knowledge Service provides additional information on common security controls provided by Tiers 1, 2, and 3, as well as the list of Common Security Controls that can be inherited by DoD Information and PIT systems from Tier 1.
At Tier 1, the DoD CIO identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.
DoD Information and PIT systems are automatically compliant with Tier 1 common security controls because they implement, and are satisfied by, existing documented DoD-level policies.
Examples of Common Security Controls (Cont.)
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD-level policies as issued.
The Authorizing Official for the Tier 1 common security controls is the DoD Senior Information Security Officer.
Knowledge Review 1
True or False: A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
[x] True
[ ] False
Check Answer
Answer: True. A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
Risk Management Framework Step 3 Security Control Implementation
RMF Step 3 involves the process of implementing the security controls specified in the Security Plan in accordance with DoD implementation guidance found on the RMF KS.
Select each heading to view the key factors to consider when implementing security controls: Personnel, Organization, Risk Assessment, Inheritance.
Personnel
ISSEs, with support from ISSMs and ISSOs, employ a sound security engineering process that captures and refines information security requirements and ensures their integration into information technology products and systems through purposeful security design or configuration.
Organization
Organization security control implementation includes:
• Maintaining consistency with the organization's enterprise architecture and information security architecture.
• Using best practices when implementing the security controls within the Information or PIT system, including system and software engineering methodologies, security engineering principles, and secure software coding techniques.
• Satisfying minimum assurance requirements when implementing security controls.
• Establishing and implementing mandatory configuration settings on information technology products in accordance with federal and organizational policies.
Risk Assessment
Risk assessments may help inform decisions regarding the cost, benefit, and risk trade-offs in using one type of technology versus another for control implementation.
Inheritance
Security controls are typically accepted by inheriting organizations if that organization has complied with DoD implementation guidance and assessment procedures and has met the minimum DoD enterprise-wide specific assignment values.
Each organization has the authority to be more stringent than the published DoD implementation guidance and DoD-specific assignment values for individual security controls. However, the increase in stringency cannot preclude required interoperability or reciprocity.
Organizations requiring more stringency or otherwise deviating from DoD implementation guidance must document the assessment procedures used, along with justification for the deviation, in the security plan.
Common Security Controls Applied to the DoD Tiers of Risk Management
Select each tier of the strategic risk pyramid to see how common security controls are applied. The pyramid runs from STRATEGIC RISK at the top to TACTICAL RISK at the bottom.
Tier 1
The DoD Chief Information Officer (CIO) identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.
DoD Information System (IS) and PIT systems are automatically compliant with Tier 1 common security controls because they implement, and are satisfied by, existing documented DoD-level policies.
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD-level policies as issued. The AO for the Tier 1 common security controls is the DoD Senior Information Security Officer (SISO).
Tier 2
The DoD Component Chief Information Officer (CIO) identifies component-specific common security controls that are satisfied by existing component policy and guidance and are applicable throughout the component. Tier 2 common security controls may be more stringent than Tier 1 common security controls, but may not negate or contradict them. Additionally, Tier 2 common security controls may not prevent interoperability or reciprocity between or among the DoD Components.
Component Information Systems (IS) and PIT systems are automatically compliant with Tier 2 common security controls because they implement, and are satisfied by, existing documented component policies and guidance. Risk associated with Tier 2 common security controls is assumed by the component providing the security control.
The Authorizing Official for the Tier 2 common security controls is the Component Senior Information Security Officer (SISO). Tier 2 common security controls are identified by DoD Components and should be posted to the individual DoD Component's KS workspace.
Tier 3
Within Tier 3 are Enclaves, which are a set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.
Enclaves may identify enclave-specific common security controls that are made available to Information or PIT systems nested within the enclave through agreements between the enclave and the nested Information or PIT systems.
The RMF Technical Advisory Group chairman has approved amplifying guidance for Tier 3 inheritance of common controls. This may be found under the Common Controls and Inheritance tab within the RMF Knowledge Service.
Risks introduced via common security controls at Tier 3 must be documented and either accepted, mitigated, or rejected by the nested Information or PIT system Authorizing Official.
Pyramid description, DoD Tiers of Risk Management: Tier 1 - Organization; Tier 2 - Mission/Business Processes; Tier 3 - IS/PIT Systems.
Tier 1 Common Security Controls for the DoD Enterprise
The following is a list of the DoD Enterprise-level (Tier 1) common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD. DoD Information and PIT systems are considered to be automatically compliant with these controls.
Control Number  Control Title
AT-1      SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
AT-2      SECURITY AWARENESS TRAINING
AT-2(1)   SECURITY AWARENESS | PRACTICAL EXERCISES
AT-2(2)   SECURITY AWARENESS | INSIDER THREAT
IA-1      IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-5(14)  AUTHENTICATOR MANAGEMENT | MANAGING CONTENT OF PKI TRUST STORES
IA-5(3)   AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
IR-1      INCIDENT RESPONSE POLICY AND PROCEDURES
IR-4(3)   INCIDENT HANDLING | CONTINUITY OF OPERATIONS
MP-1      MEDIA PROTECTION POLICY AND PROCEDURES
PE-1      PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PL-1      SECURITY PLANNING POLICY AND PROCEDURES
PL-9      CENTRAL MANAGEMENT
PM-1      INFORMATION SECURITY PROGRAM PLAN
PM-10     SECURITY AUTHORIZATION PROCESS
PM-7      ENTERPRISE ARCHITECTURE
PM-9      RISK MANAGEMENT STRATEGY
PS-1      PERSONNEL SECURITY POLICY AND PROCEDURES
RA-1      RISK ASSESSMENT POLICY AND PROCEDURES
SI-1      SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
Knowledge Review 2
At which Department of Defense (DoD) Tier of risk management is risk introduced via common security controls at the enclave level, which must be documented as either accepted, mitigated, or rejected risk by the nested Information System or Platform Information Technology (PIT) System Authorizing Official?
[ ] Tier 1
[ ] Tier 2
[x] Tier 3
Check Answer
Answer: Tier 3 is the DoD tier of risk management at which risk is introduced via common security controls at the enclave level, which must be documented as either accepted, mitigated, or rejected risk by the nested Information System or PIT System Authorizing Official.
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation
The Security Controls Explorer, found within the RMF Knowledge Service, provides implementation guidance and best practices for implementing security controls. This resource is critical when implementing security controls within DoD.
Within the list for each security control, DoD has assigned specific values, implementation guidance, and assessment procedures. These can be used to manage and document the RMF process. In addition to the Knowledge Service, these procedures can be found in the DoD Enterprise Mission Assurance Support Service (eMASS).
Example Security Controls Explorer entry: AC-1, Access Control Policy and Procedures. Users can view the control details under the following headings:
• Control Text: The organization: a. Develops, documents, and disseminates to [all personnel]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Annually]; and 2. Access control procedures [Annually].
• Supplemental Guidance
• References
• Security Categorization
• Implementation Guidance and Assessment Procedures
Control Correlation Identifier (CCI)
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides specific security control information that can be applied to all US Government information systems.
However, DoD has provided amplifying guidance, requirements, and direction based on DoD policies, mandates, architectures, and environments within the RMF Knowledge Service.
The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control. CCIs bridge the gap between high-level policy expressions and low-level technical implementations. DoD has taken every security control and associated enhancement within the Security Controls Catalog and decomposed them into individual, measurable statements.
CCIs:
• Do not change the meaning or intent of a security control.
• Are simply a breakdown of each individual requirement within the security control.
• Are given a numeric label.
• Provide specific implementation guidance and assessment procedures.
Control Correlation Identifiers Guidance
A Control Correlation Identifier gives us specific DoD guidance and procedures for implementing and assessing the security controls.
For example, when implementing the IR-7 security control, the Control Correlation Identifiers (CCI-000839 through CCI-000842) guide us to:
• (CCI-000839) Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents.
• (CCI-000840) Employ automated mechanisms to increase the availability of incident response-related information and support.
• (CCI-000841) Establish a direct, cooperative relationship between its incident response capability and external providers of information system protection capability.
• (CCI-000842) Identify organizational incident response team members to the external providers.
Control Correlation Identifiers Guidance (Cont.)
At this time, DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing.
Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users.
In assessing this security control, we will identify and interview, as necessary, to determine if the CCIs are fulfilled. As DoD requires us to implement an automated intra-organization incident response information sharing capability, we must determine if this capability is implemented.
This implementation is intended to provide information and support such as standard operating procedures for incident reporting and incident handling, frequently asked questions, current incident activity awareness information, incident response contact information, and incident report submissions.
Control Correlation Identifiers Example
[Screenshot: a Control Correlation Identifiers example stepping through IR-7, IR-7(1), and IR-7(2), showing each control's text alongside its CCIs; the screenshot text is not recoverable.]
The Incident Response Family IR-7 ( 1) is a specific control to address Incident Response AssistancelAutomation Support For Availability Of Information Support
Pag e 17 of 23 Back Next
--
___
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example
IRmiddot1 IRmiddot7
CCI
COshy
CCI-no___ _ tHfIOIM aupoon tbullto1ttbull to tN ---rH-MUpobMy 1NI elrin ~MidMliiA-U 10 Wtra
dlM-bullibullmtot11M~ --d-yWM-S
--~_ ~-------_-_-shy-
1R 1 QI IHQl(ll CO-I TM~Hl-bullclortd CoopedlNe ~
- bullbullbull-clflllY _ txtipo-d_ cwty
C0-2 TIM_bull ___IR-7 2) IRmiddot7 QI (11) iflCldlN tH$IOM4 Ibull~ to tM txtotNI_
The control is given a CCI number 000840
~
Tho --bot Tht--~~tidrMMbullud_H~ _ mpecWNHMHlMftl ___ ____ ~IOMJThtlp- topwa_rH_M_NNCHINl~ffl cMlcbull W U llMCt to uMrt W aallt1MCe ol thoH HMCff ~ 11Md I ~-middotmiddot--Y ____~ ~fVSlft~illhOnLO
Mt-et II M 1ftCldert ~
MMebull lo cotUct Tht -middot- Tht ___pectt6nMut ~ ~ obtMllll s -nne1 tht_____ ------wv---_~ ---_~ 10 0 __- _ -lomiddotmiddot---shy--_ I SOPlor--O 2 ~deg
) o Y-middot_ rHponM Conucts ~ _
Tht --bot TIM--~ lfltpeC1tidiMMUed bulllhtlilliM ~ otllMM s t1lit
fMCWodc ~ -MNCbull ptcMdef Wt CfJl)ltO 1ti1 - bull m wrren1 -middot--middotmiddot-middot ----- (QCllSP - shyTN Olll)lll zbullM bMt9 Tllif OfflllVbulldeg c0fdut19 a lfltpKlMUM tnull prNde Mii 1M91CbOftUffllrntinC Md_ tht upctae 1bt bull11 o1 tm11 llllttdMI Mt wwetnlll PifM bullbullbull~ JM ~mt_ bullbull MltHJaY to wMilbull bull 11 eccurlllbull and c_ ke ___ tlM ~ CNOSP -CHOSP____ __ C--N ___lllO ---Mt CJlOSPshy -oc1
Page 17 of 23 Back Next
---
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example
CCIOoshy
IR-1 A-1 CO- no___- Tho __ Tht--~t fHSIOMbull IUIJPM flICMilU ti lO the specttclr_IMCf Hfaibllltl MPKtflftHtfflmenl ~onll~ fHpOftH capiibMy lftCdtiril rnpoftM ~MNCe Of9ilV-oNI VHft to _ tllftHamp fl ma~~Md nace 10 Mllogow bullbull rr POHJt to~~ rHpMM 9tIPPOft middot~ Md -1bull ollllt-JY(tmloflllt_ --u-010-lof n-tMIMM_n_lllOd I--middotuany -~-middotmiddot-~--middot-y-- __--lO
_ff 11 idlnlI M ~ HSOONbull ~ MNCe to COlUCI
Rmiddot1 (1) Amiddot1 (1) The organizat ion employs automated Tho --bull_impecbatllbulluu olilaM ft x tht mechanisms to Increase the availability of
--- ---- C-Y__bololy IO-o IN__~incident response-related Information and _ - __ support _
----middot ~~~-~ l c~ bull deg - tclfleyFor each ~ fftPQnM COfll-ICImeasurable -shy
statement shys---shyTho __ Thi--~Thtot--bullbulloct c~MLll11s mspecte6assustcl rnmt ~ bull ~anbulltslNftl~ mtd IM
- middot-~ysmshy~__MtMlkMNCt prCMdet __wtQ~ lot II 9 CUfWll ----middot-- --cloc--hcopoWry (QC)SP) Mid shyTho__ Tho_ c-g lllollH C2) A-7 (2)(b) Thl0t~-middot~shy -OIHuocl-l~ond _ _ ___~ tflpenM tt ~tom tXltmal pnMdiln upclabull the bullbull Cl ~ ~~middot bullbull ~
POftM mttntltta bullbull MCairt to II ecc Md CllilNWll ~ ttw~lllo~eltlltCHOSP _CHOSP___ - -- __pon--MOylhollt
CtlOSP19- middot- The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog
Page 17 of 23 Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example ConltOI 800-53 CoonltOI CCINumber Tut lndlcalOf
IRmiddot1 IRmiddot7 CCfOOOll39 Tht Ofgltlltuotl ~ 811 ~ Tht OttJfUllOtl btillf The OtPitlllOlI COlOicl1119 I rt ftgtOMt ~Pl rtsourct lflttgltal 10 11W itlsptltttdlubullbull bullbulltdWil t ltbullblitJI 811 lnbullPtCtfoNbullbullbullbullbullbullmtlaquo nl lflltMtW OtfMllbullion11 itlC1I ffbullpotIM capaWlaquoy itlCldttlt pot bull11P1gtM bulltMCt organit8li0flal 11bullotri 10 dt-1 41_ d IPIbull ohf$ ~ Wld bullbullSttt811Ct 10 U$tff ~ 10 811 IT lltlpbullbullJc lO ~ ilICiltlttll tttporM $Upp)fl $tMCtt and qualily ti d Ult lftlltlOft sytiem fot 1111 hlftdlbullO 4MCbull and HtlftMCt 10 uwbull fot bullbullbullitctnet ol u~ bullbulllYicbullbull wMll 11Md bull
The organization being The organization conducting the inspectedassessed will implement an inspectionassessment obtains and examines the automated intra-organization incident incident response information sharing capabil ity response information incident related to validate the information sharing capability is information and support for example available to organizational users 1 SOP for Incident reporting 2 Incident handl ing FAQ -
3 Current incident activity awareness Information DoD specific guidance
4 Incident response contact and procedures Information
5 Incident report submissionIR-7 (2) IRbull7 (2) (bull)
pror_Mfs of~ system l)IOlICbOn nttworit dfftntbull StNCt ~ ~lllotl Mid Ct-IOSP lO lllidale bull 11 Wlftfll cap1bilily (CNOSP) Md Wllid
IRmiddot7 (2) IRmiddot7 (2) (b) CCl-0008A2 OfptllZMIOlI ~middotOlpZltiOfI Tht Ot1PfiZlllOn bttfIO The ~middotdeg CltMWMl(t tM ~ rt t-pofSe 1ebull m fNfllbtft 10 the itlf9Kttdfbullbullbullbullbullbulled ~ ttWI itlSpeltllOtlfbullbullbullbullbullbulltntfll obi Wld middot~middot lht UClemai~bull u~e llle lilt ol intemll incidenl list ol illlemal inCidetll re-tp(lltM tbullllM mtnlben
tHPottM teem mtmbers bull s MCeSSMy 10 91MUce ll bullbull ccbullbull and cunent lnteMeWS 1htoughOIA lhe WCydt Of the CNOSP With CttOSP pertdeg~~MOt11 gr-Mmt_ ilI conpincbOn Mth lhe lteidttll rttPolM te lflI mtmbtrbull nwy bullbullo be CNOSP flltfll ~ed~
DOD provides guidance and procedures This supplemental guidance reflecting automated mechanisms can provide a push pull capability for users seeking incident response assist ance For example individuals m ight query the assistance capability via a website or conversely the assistance capabil ity may preemptively send informat ion to users (general dist ribution or target ed) as part of increasing understanding of current response capabilit ies and support
Page 17 of 23 Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example ConltOI 800-53 CoonltOI CCINumber Tut lndlcalOf
IRmiddot1 IRmiddot7
Long Descript ion
A typical Control Correlation Identifiers entry is comprised of
bull Control Number IR-7 ( 1) is highlighted The Incident Response Family IR-7 ( 1) is a specific control to address Incident Response Assistance IAutomation Support For Availability Of Information Support
bull CCI label highlighted The control is given a CCI number 000840
bull CCI definition is highlighted The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog
IR-7 (2) IRbull7 (2) (bull) bull Guidance is highlighted DoD provides guidance and
procedures This supplemental guidance reflecting automated mechanisms can provide a push pull capability for
IRmiddot7 (2) IRmiddot7 (2) (b) users seeking incident response assistance For example individuals might query the assistance capability via a website or conversely the assistance capability may preemptively send information to users (general distribution
DOD provides or targeted) as part of increasing understanding of current can provide a response capabilities and support individuals m i
_ 41 StMCff qualily ti bullbullwMll11Md bull
d examines tile ring capabil ity capability is
c guidance ures
-
cunent lnteMeW5~deg -middot-bullbullbull ted mechanisms xample tance capabil ity
may preemptively send informat ion to users (general distri bution or target ed) as part of increasing understanding of current response capabilit ies and support
I Page17of 23 I Back Next
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs)

CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.

We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.
When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.

SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.

SRGs are also used by DISA and vendor guide developers to build STIGs. There are basically two types of SRGs.

The first group is the four Core SRGs, which deal with Applications, Networking Devices, Operating Systems, and Policy. The second group is the technology-specific SRGs. A technology-specific SRG is a child of a Core SRG; for example, the Database SRG was derived from the requirements in the Application SRG.
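The CCI example earlier in the lesson shows the pieces of a CCI entry (control number, CCI label, definition, guidance), and this page states that CCIs are what let us correlate controls to STIGs. The following is an added example, not part of the course or of any DISA tool, of how a practitioner would automate that correlation. It loads a cut-down, constructed excerpt in the layout of the DISA CCI list XML (each cci_item carries a definition and NIST SP 800-53 reference index entries) and a constructed XCCDF fragment in the layout of a STIG benchmark (each Rule cites its CCIs in ident elements), then reports which STIG rules decompose which 800-53 controls. The namespaces and ident-system URIs are assumed to match the published files; the rule IDs, titles and the element subset shown are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

CCI_NS = "{http://iase.disa.mil/cci}"                 # namespace of the DISA CCI list (assumed)
XCCDF_NS = "{http://checklists.nist.gov/xccdf/1.2}"    # namespace of XCCDF 1.2 STIG benchmarks
# Assumption: published STIGs cite CCIs under one of these two ident systems.
CCI_IDENT_SYSTEMS = {"http://cyber.mil/cci", "http://iase.disa.mil/cci"}

# Constructed excerpt in the layout of U_CCI_List.xml; definitions follow NIST SP 800-53 Rev 4.
CCI_LIST_XML = """
<cci_list xmlns="http://iase.disa.mil/cci"><cci_items>
  <cci_item id="CCI-000839">
    <definition>The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents.</definition>
    <references><reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" index="IR-7"/></references>
  </cci_item>
  <cci_item id="CCI-000840">
    <definition>The organization employs automated mechanisms to increase the availability of incident response-related information and support.</definition>
    <references><reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" index="IR-7 (1)"/></references>
  </cci_item>
  <cci_item id="CCI-000366">
    <definition>The organization implements the security configuration settings.</definition>
    <references><reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" index="CM-6 b"/></references>
  </cci_item>
</cci_items></cci_list>
"""

# Constructed XCCDF fragment in the layout of a STIG benchmark (rule IDs and titles are invented).
STIG_XCCDF_XML = """
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <Group id="V-100001"><Rule id="SV-100001r1_rule" severity="medium">
    <title>Unused network services must be disabled.</title>
    <ident system="http://cyber.mil/cci">CCI-000366</ident>
  </Rule></Group>
  <Group id="V-100002"><Rule id="SV-100002r1_rule" severity="low">
    <title>Incident reporting procedures must be available to users.</title>
    <ident system="http://cyber.mil/cci">CCI-000839</ident>
    <ident system="http://cyber.mil/cci">CCI-000840</ident>
  </Rule></Group>
  <Group id="V-100003"><Rule id="SV-100003r1_rule" severity="high">
    <title>Rule citing a CCI that is not in the loaded list.</title>
    <ident system="http://cyber.mil/cci">CCI-999999</ident>
  </Rule></Group>
</Benchmark>
"""

# "IR-7 (1)" -> base IR-7, enhancement 1; "CM-6 b" / "AC-2 a 1" -> base only (sub-parts are dropped).
CONTROL_RE = re.compile(r"^([A-Z]{2}-\d+)(?:\s*\((\d+)\))?")


def control_id(index):
    """Reduce an 800-53 reference index to a control or enhancement ID, e.g. 'IR-7 (1)' -> 'IR-7(1)'."""
    m = CONTROL_RE.match(index.strip())
    if not m:
        raise ValueError(f"unrecognised 800-53 index: {index!r}")
    base, enh = m.groups()
    return f"{base}({enh})" if enh else base


def load_cci_map(xml_text):
    """Return {CCI id: {'definition': str, 'controls': [control IDs]}} from a CCI list document."""
    ccis = {}
    for item in ET.fromstring(xml_text).iter(f"{CCI_NS}cci_item"):
        refs = item.findall(f"{CCI_NS}references/{CCI_NS}reference")
        ccis[item.get("id")] = {
            "definition": item.findtext(f"{CCI_NS}definition", "").strip(),
            "controls": sorted({control_id(r.get("index")) for r in refs if r.get("index")}),
        }
    return ccis


def correlate_stig(xccdf_text, cci_map):
    """Map each 800-53 control to the STIG rules whose CCIs decompose it; collect CCIs absent from the list."""
    by_control, unknown = defaultdict(list), defaultdict(list)
    for rule in ET.fromstring(xccdf_text).iter(f"{XCCDF_NS}Rule"):
        rule_id = rule.get("id")
        for ident in rule.findall(f"{XCCDF_NS}ident"):
            if ident.get("system") not in CCI_IDENT_SYSTEMS:
                continue  # other ident systems (CVE, CPE, ...) are not CCIs
            cci = (ident.text or "").strip()
            if cci not in cci_map:
                unknown[rule_id].append(cci)  # stale CCI list or typo in the benchmark: surface it
                continue
            for ctrl in cci_map[cci]["controls"]:
                if rule_id not in by_control[ctrl]:
                    by_control[ctrl].append(rule_id)
    return dict(by_control), dict(unknown)


if __name__ == "__main__":
    mapped, unknown = correlate_stig(STIG_XCCDF_XML, load_cci_map(CCI_LIST_XML))
    for ctrl in sorted(mapped):
        print(f"{ctrl:10} <- {', '.join(mapped[ctrl])}")
    for rule_id, ccis in unknown.items():
        print(f"WARNING {rule_id} cites CCI(s) not in the list: {', '.join(ccis)}")
```

Run against the real CCI list and a STIG's XCCDF file, the same two functions give the control-to-finding traceability the page describes: an open STIG finding rolls up to the 800-53 control its CCI decomposes. CCIs a benchmark cites that the list does not contain are reported rather than silently dropped, which is usually the sign of a CCI list older than the STIG.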
The Purpose and Implementation Of Control Correlation Identifiers

As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated, as appropriate, into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs), and Integrated Master Plans / Schedules (IMPs / IMSs).

CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.

To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and ISSE should fully participate in Integrated Product Team (IPT) analyses, trades, configuration management, and risk deliberations, and throughout Systems Engineering Technical Review (SETR) processes and reviews.
Additional Security Control Implementation Guidance

In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.

Especially consider cases in which a vendor or organization has used automation to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.

The Department of Defense Instruction (DoDI) 8500 series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs).

In the absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance, or National Information Assurance Partnership (NIAP) Protection Profiles.

The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST). For more information, please visit the NIAP website.
Knowledge Review 3

The Department of Defense (DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual measurable statements referred to as (fill in the blank):

• DoD Security Controls
• Common Security Controls
• Control Correlation Identifiers
• Security Controls Catalog

Answer: The Department of Defense (DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlation Identifiers.
Lesson Completion

You have completed the content for this lesson.
Roles Of Key RMF Team Members In the Implementation Of Security Controls Cont
Our Information System Security Engineer (ISSE) comes into action during this step of the process. Our ISSE addresses the AFS security control requirements and coordinates with our Common Control Provider, the Fuels Program Manager, and the Information System Owner on implementing the security controls we inherit from the Fuels Program Network.

These are very important roles, specifically within this step, and they must be documented in the System Security Plan.
Automated Fuels System Roles and Responsibilities

Information System Security Engineer (ISSE): Max Black

The ISSE, also referred to as the Information Security Architect, is an individual or group integral to the system developer. The ISSE:
• Ensures information security requirements are effectively implemented throughout the security architecting, design, development, configuration, and implementation processes.
• Coordinates security-related activities with the Information System Security Officer (ISSO), the Information System Security Manager (ISSM), and the Common Control Provider (CCP).

Information Owners (IO): Fuels Program Chief Financial Officer, US Army Colonel Alexis Greenback, and Fuels Program Logistics Officer, Staff Sergeant Movin Now

The IO has statutory or operational authority for specified information and establishes controls for the information's generation, collection, processing, dissemination, and disposal.

Common Control Provider (CCP): the Department of Defense (DoD) Fuels System

The CCP is responsible for the planning, development, implementation, assessment, authorization, and monitoring of common controls. Organizations can have multiple CCPs, depending upon how information security responsibilities are allocated organization-wide.

Information System Owner (ISO): you, the student, have been assigned as the AFS Information System Owner.

In coordination with the Information Owner (IO), you will:
• Categorize the system and document it in the Security Plan.
• Be responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.
• Plan and budget for security control implementation, assessment, and sustainment throughout the system life cycle, including timely and effective configuration and vulnerability management.

The Information System Owner (ISO) or Program Manager / Systems Manager develops the Plan of Action and Milestones (POA&M) and implements corrective actions.

Information System Security Manager (ISSM): Ms. Sheila Fumes

The ISSM:
• Is responsible for the day-to-day security and continuous monitoring of an Information System (IS) or Platform Information Technology (PIT) System.
• Develops and maintains an organizational or system-level cybersecurity program that includes cybersecurity architecture, requirements, objectives and policies, cybersecurity personnel, and cybersecurity processes and procedures.
• As the principal advisor to the Authorizing Official (AO), assembles the security authorization package.

When circumstances warrant, a single individual may fulfill both the ISSM and the Information System Security Officer (ISSO) roles.

Mission Owner (MO): Fuels Program Director, Colonel Sam Wheels

The MO has operational responsibility for the mission or business process supported by the mission / business segment or the information system. The MO is the key stakeholder for system life cycle decisions.

Program Manager (PM): Lieutenant Colonel Whitey Fry

The Program Manager / Systems Manager (PM/SM) is the person who has the responsibility and authority to accomplish program or system objectives for development, production, and sustainment to meet the user's operational needs.

The PM/SM or Information System Owner (ISO) develops the Plan of Action and Milestones (POA&M), implements corrective actions, and ensures the security plan and POA&M are updated based on the results of the system-level continuous monitoring process.
Common Security Controls

Common security controls, as defined by Committee on National Security Systems Instruction (CNSSI) 1253, are controls whose implementation is managed by an organizational entity other than the system owner. A common control is a security control that can be applied to one or more organizational information systems and includes:
• The development, implementation, and assessment of the common control, which is assigned to a responsible official or organizational element (other than the information system owner).
• The results from the assessment of the control, which can be used to support the RMF processes of an agency information system where that control has been applied.

By indicating whether the controls are typically implemented as common (also known as inherited) controls, the column titled Potentially Common/Inheritable in Table D-2 of CNSSI 1253 provides guidance for implementation planning.

The final determination of which controls to implement as common controls will vary depending on the system and its intended environment / deployment. All controls selected for an information system must be addressed in the security plan, whether those controls are implemented by the information system or inherited from a common control provider.

Evidence must be included or referenced in the security plan that shows the information system actually receives protection from the inheritable security controls.
Table D-2 Additional Security Control Information (excerpt from CNSSI 1253, as shown on the page)

Control ID   C   I   A   Justification for NSS Baseline(s)          Potentially Common/Inheritable
AC-1         X   X   X                                              X
AC-2         X   X
AC-2(1)      X   X                                                  X
AC-2(2)      X   X                                                  X
AC-2(3)      X   X                                                  X
AC-2(4)      X   X       Insider Threat Issuance CNSSI No 1015      X
AC-2(5)      X   X   X   Best Practice; Insider Threat              X
AC-2(6)      X   X
AC-2(7)      X   X       Insider Threat Issuance CNSSI No 1015
AC-2(8)      X   X
AC-2(9)      X   X       Insider Threat                             X
AC-2(10)     X   X       Insider Threat
AC-2(11)     X   X
AC-2(12)     X   X       Insider Threat                             X

(C, I, and A mark the Confidentiality, Integrity, and Availability baselines in which the control appears.)
Examples of Common Security Controls

The DoD defines a Common Security Control as "a security control that is inherited by one or more organizational information systems."

The RMF Knowledge Service provides additional information on common security controls provided by Tiers 1, 2, and 3, as well as the list of Common Security Controls that can be inherited by DoD Information and PIT systems from Tier 1.

At Tier 1, the DoD CIO identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.

DoD Information and PIT systems are automatically compliant with Tier 1 common security controls because those controls are implemented and satisfied by existing, documented DoD-level policies.
Examples of Common Security Controls Cont

Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD-level policies as issued.

The Authorizing Official for the Tier 1 common security controls is the DoD Senior Information Security Officer.
Knowledge Review 1

True or False: A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.

• True
• False

Answer: True. A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Risk Management Framework Step 3 Security Control Implementation
RMF Step 3 involves the process of implementing the security controls specified in the Security Plan in accordance with OoO implementation guidance found on the RMF KS
Select each heading to view the key factors to consider when implementing security controls
[Personnel Organization Risk Assess m ent Inh_e_r_it_a_n_c_e_J____
I Pbullge Qof23 I Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Risk Management Framework Step 3 Security Control Implementation
RMF St ep 3 involves the process of implementing the security controls specified in the Security Plan in accordance with OoO implementation guidance found on the RMF KS
Select each heading to view the key factors to consider when implementing security controls
Personnel Organization Risk Assessment Inheritance
ISSEs with support from ISSMs and ISSOs employ a sound security engineering process that captures and refines in formation security requirements and ensures their integration into information technology produc ts and sys tems through purposeful security design or configuration
I Pbull ge Qof23 I Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Risk Management Framework Step 3 Security Control Implementation
RMF Step 3 involves the process of implementing the security controls specified in the Security Plan in accordance with OoO implementation guidance found on the RMF KS
Select each heading to view the key factors to consider when implementing security controls
[Personnel M1JibullHIHFyeniiiJI Risk Assessment Inh_e_r_it_a_n_c_e_J____
Organization security control implementation includes
bull Main taining consistency with the organizations en terprise architecture and information securi ty archi tecture
bull Using best prac tices when implementing the security controls within the Information or PIT system including system and software engineering methodologies security engineering principles and secure software coding techniques
bull Satisfying minimum assurance requirements when implementing security controls
bull Establishing and implementing mandatory configuration settings on information technology products in accordance with federal and organizational policies
Risk Assessment
Risk assessments may help inform decisions regarding the cost, benefit, and risk trade-offs in using one type of technology versus another for control implementation.
Inheritance
Security controls are typically accepted by inheriting organizations if the organization has complied with DoD implementation guidance and assessment procedures and has met the minimum DoD enterprise-wide specific assignment values.
Each organization has the authority to be more stringent than the published DoD implementation guidance and DoD-specific assignment values for individual security controls. However, the increase in stringency cannot preclude required interoperability or reciprocity.
Organizations requiring more stringency, or otherwise deviating from DoD implementation guidance, must document the assessment procedures used, along with justification for the deviation, in the security plan.
Common Security Controls Applied to the DoD Tiers of Risk Management
[Figure: the DoD risk management pyramid, from strategic risk at the top to tactical risk at the bottom; each tier is described below.]
Tier 1
The DoD Chief Information Officer (CIO) identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.
DoD Information System (IS) and PIT systems are automatically compliant with Tier 1 common security controls because they implement, and are satisfied by, existing documented DoD-level policies.
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD-level policies as issued. The AO for the Tier 1 common security controls is the DoD Senior Information Security Officer (SISO).
Tier 2
The DoD Component Chief Information Officer (CIO) identifies component-specific common security controls that are satisfied by existing component policy and guidance and are applicable throughout the component. Tier 2 common security controls may be more stringent than Tier 1 common security controls but may not negate or contradict them. Additionally, Tier 2 common security controls may not prevent interoperability or reciprocity between or among the DoD Components.
Component Information Systems (IS) and PIT systems are automatically compliant with Tier 2 common security controls because they implement, and are satisfied by, existing documented component policies and guidance. Risk associated with Tier 2 common security controls is assumed by the component providing the security control.
The Authorizing Official for the Tier 2 common security controls is the Component Senior Information Security Officer (SISO). Tier 2 common security controls are identified by DoD Components and should be posted to the individual DoD Component's KS workspace.
Tier 3
Within Tier 3 are enclaves, which are a set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.
Enclaves may identify enclave-specific common security controls that are made available to Information or PIT systems nested within the enclave, through agreements between the enclave and the nested Information or PIT systems.
The RMF Technical Advisory Group chairman has approved amplifying guidance for Tier 3 inheritance of common controls. This may be found under the Common Controls and Inheritance tab within the RMF Knowledge Service.
Risks introduced via common security controls at Tier 3 must be documented and either accepted, mitigated, or rejected by the nested Information or PIT system Authorizing Official.
Long Description
DoD Tiers of Risk Management pyramid, from strategic risk at the top to tactical risk at the bottom: Tier 1 - Organization; Tier 2 - Mission/Business Processes; Tier 3 - IS/PIT Systems.
Tier 1 Common Security Controls for the DoD Enterprise
The following is a list of the DoD Enterprise-level (Tier 1) common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD. DoD Information and PIT systems are considered to be automatically compliant with these controls.
Control Number   Control Title
AT-1             SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
AT-2             SECURITY AWARENESS TRAINING
AT-2(1)          SECURITY AWARENESS | PRACTICAL EXERCISES
AT-2(2)          SECURITY AWARENESS | INSIDER THREAT
IA-1             IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-5(14)         AUTHENTICATOR MANAGEMENT | MANAGING CONTENT OF PKI TRUST STORES
IA-5(3)          AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
IR-1             INCIDENT RESPONSE POLICY AND PROCEDURES
IR-4(3)          INCIDENT HANDLING | CONTINUITY OF OPERATIONS
MP-1             MEDIA PROTECTION POLICY AND PROCEDURES
PE-1             PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PL-1             SECURITY PLANNING POLICY AND PROCEDURES
PL-9             CENTRAL MANAGEMENT
PM-1             INFORMATION SECURITY PROGRAM PLAN
PM-10            SECURITY AUTHORIZATION PROCESS
PM-7             ENTERPRISE ARCHITECTURE
PM-9             RISK MANAGEMENT STRATEGY
PS-1             PERSONNEL SECURITY POLICY AND PROCEDURES
RA-1             RISK ASSESSMENT POLICY AND PROCEDURES
SI-1             SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
Knowledge Review 2
At which Department of Defense (DoD) tier of risk management is risk introduced via common security controls at the enclave level, which must be documented as either accepted, mitigated, or rejected risk by the nested Information System or Platform Information Technology (PIT) System Authorizing Official?
( ) Tier 1
( ) Tier 2
(x) Tier 3
Answer: Tier 3 is the DoD tier of risk management at which risk is introduced via common security controls at the enclave level, which must be documented as either accepted, mitigated, or rejected risk by the nested Information System or PIT System Authorizing Official.
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation
The Security Controls Explorer, found within the RMF Knowledge Service, provides implementation guidance and best practices for implementing security controls. This resource is critical when implementing security controls within DoD.
Within the list for each security control, DoD has assigned specific values, implementation guidance, and assessment procedures. These can be used to manage and document the RMF process. In addition to the Knowledge Service, these procedures can be found in the DoD Enterprise Mission Assurance Support Service (eMASS).
Example entry: AC-1 Access Control Policy and Procedures
• Control Text: The organization a. Develops, documents, and disseminates to [all personnel]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Annually]; and 2. Access control procedures [Annually].
• Supplemental Guidance
• References
• Security Categorization
• Implementation Guidance and Assessment Procedures
Users can view each of these control details in the explorer.
Control Correlation Identifier (CCI)
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides specific security control information that can be applied to all US Government information systems.
However, DoD has provided amplifying guidance, requirements, and direction based on DoD policies, mandates, architectures, and environments within the RMF Knowledge Service.
The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control. CCIs bridge the gap between high-level policy expressions and low-level technical implementations. DoD has taken every security control and associated enhancements within the Security Controls Catalog and decomposed them into individual, measurable statements.
CCIs:
• Do not change the meaning or intent of a security control
• Are simply a breakdown of each individual requirement within the security control
• Are given a numeric label
• Provide specific implementation guidance and assessment procedures
Control Correlation Identifiers Guidance
A Control Correlation Identifier gives us specific DoD guidance and procedures for implementing and assessing the security controls.
For example, when implementing the IR-7 security controls, the Control Correlation Identifiers CCI-000839 through CCI-000842 guide us to:
• (CCI-000839) Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents
• (CCI-000840) Employ automated mechanisms to increase the availability of incident response-related information and support
• (CCI-000841) Establish a direct, cooperative relationship between its incident response capability and external providers of information system protection capability
• (CCI-000842) Identify organizational incident response team members to the external providers
Control Correlation Identifiers Guidance Cont.
At this time, DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing.
Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users.
In assessing this security control, we will identify and interview as necessary to determine if the CCIs are fulfilled. As DoD requires us to implement an automated intra-organization incident response information sharing capability, we must determine if this capability is implemented.
This implementation is intended to provide information and support such as standard operating procedures for incident reporting, incident handling frequently asked questions, current incident activity awareness information, incident response contact information, and incident report submissions.
Control Correlation Identifiers Example
[Figure: Control Correlation Identifiers table for IR-7 from the RMF Knowledge Service, with columns Control, 800-53 Control, CCI Number, Text, and Indicator. The table text is not legible in this transcript; the highlighted elements are described below.]
Control Number: The Incident Response family control IR-7(1) is a specific control to address Incident Response Assistance | Automation Support for Availability of Information/Support.
CCI label: The control is given CCI number 000840.
CCI definition: The CCI definition is the same as the control definition in NIST SP 800-53 and within the Security Controls Catalog.
IR-7(1), CCI-000840 (reconstructed from the partially legible table):
Implementation guidance: The organization being inspected/assessed will implement an automated intra-organization incident response information sharing capability providing incident-related information and support, for example:
1. SOP for incident reporting
2. Incident handling FAQ
3. Current incident activity awareness information
4. Incident response contact information
5. Incident report submission
Assessment procedure: The organization conducting the inspection/assessment obtains and examines the incident response information sharing capability to validate that the information sharing capability is available to organizational users.
Indicator: DoD specific guidance and procedures.
[The IR-7(2) rows, CCI-000841 and CCI-000842, are not legible in this transcript.]
Guidance: DoD provides guidance and procedures. This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website, or conversely, the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
Long Description
A typical Control Correlation Identifiers entry is comprised of:
• Control Number (IR-7(1) is highlighted)
• CCI label (CCI number 000840 is highlighted)
• CCI definition (highlighted), which is the same as the control definition in NIST SP 800-53 and within the Security Controls Catalog
• Guidance (highlighted): the DoD-provided guidance and procedures
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.
We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs) Cont.
When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.
SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.
The first group is the four Core SRGs, which deal with Applications, Networking Devices, Operating Systems, and Policy. The second group is technology-specific SRGs. A technology-specific SRG is a child of a Core SRG; for example, the Database SRG was derived from the requirements in the Application SRG.
The Purpose and Implementation of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated, as appropriate, into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs), and Integrated Master Plans/Schedules (IMPs/IMSs).
CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and ISSE should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management, and risk deliberations, and throughout Systems Engineering Technical Review (SETR) processes and reviews.
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.
Especially consider cases where a vendor or organization has used automation to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.
The Department of Defense Instruction (DoDI) 8500 Series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guidelines (SRGs).
In the absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance, or National Information Assurance Program (NIAP) Protection Profiles.
National Information Assurance Program
The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST).
For more information, please visit the NIAP website.
Knowledge Review 3
The Department of Defense (DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual measurable statements referred to as (fill in the blank):
( ) DoD Security Controls
( ) Common Security Controls
(x) Control Correlation Identifiers
( ) Security Controls Catalog
Answer: The Department of Defense (DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlation Identifiers.
Lesson Completion
You have completed the content for this lesson
Roles of Key RMF Team Members in the Implementation of Security Controls, Cont.
Our Information System Security Engineer (ISSE) comes into action during this step of the process. Our ISSE addresses the AFS security control requirements and coordinates with our Common Control Provider, the Fuels Program Manager, and the Information System Owner on implementing the security controls we inherit from the Fuels Program Network.

These are very important roles, specifically within this step, and they must be documented in the System Security Plan.
Automated Fuels System Roles and Responsibilities
The Information System Security Engineer (ISSE) is Max Black.

The ISSE, also referred to as the Information Security Architect, is an integral group or individual associated with the system developer.

The ISSE:
• Ensures information security requirements are effectively implemented throughout the security architecting, design, development, configuration, and implementation processes
• Coordinates security-related activities with the Information System Security Officer (ISSO), Information System Security Manager (ISSM), and the Common Control Provider (CCP)
The Information Owners (IO) are the Fuels Program Chief Financial Officer, US Army Colonel Alexis Greenback, and the Fuels Program Logistics Officer, Staff Sergeant Movin Now.

The IO has statutory or operational authority for specified information and establishes controls for the information generation, collection, processing, dissemination, and disposal.
The Common Control Provider (CCP) is the Department of Defense (DoD) Fuels System.

The CCP is responsible for the planning, development, implementation, assessment, authorization, and monitoring of common controls. Organizations can have multiple CCPs depending upon how information security responsibilities are allocated organization-wide.
You, the student, have been assigned as the AFS Information System Owner.

In coordination with the Information Owner (IO), you will:
• Categorize the system and document it in the Security Plan
• Be responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system
• Plan and budget for security control implementation, assessment, and sustainment throughout the system life cycle, including timely and effective configuration and vulnerability management

The Information System Owner (ISO) or Program Manager/Systems Manager develops the Plan of Action and Milestones (POA&M) and implements corrective actions.
The Information System Security Manager (ISSM) is Ms. Sheila Fumes.

The ISSM:
• Is responsible for the day-to-day security and continuous monitoring of an Information System (IS) or Platform Information Technology (PIT) System
• Develops and maintains an organizational or system-level cybersecurity program that includes cybersecurity architecture, requirements, objectives and policies, cybersecurity personnel, and cybersecurity processes and procedures
• As the principal advisor to the Authorizing Officer (AO), assembles the security authorization package

When circumstances warrant, a single individual may fulfill both the ISSM and the Information System Security Officer (ISSO) roles.
The Mission Owner (MO) is the Fuels Program Director, Colonel Sam Wheels.

The MO has operational responsibility for the mission or business process supported by the mission/business segment or the information system. The MO is the key stakeholder for system life cycle decisions.
The Program Manager is Lieutenant Colonel Whitey Fry.

The Program Manager/Systems Manager (PM/SM) is the person who has the responsibility and authority to accomplish program or system objectives for development, production, and sustainment to meet the user's operational needs.

The PM/SM or Information System Owner (ISO) develops the Plan of Action and Milestones (POA&M), implements corrective actions, and ensures the security plan and POA&M are updated based on the results of the system-level continuous monitoring process.
Common Security Controls
Common Security Controls, as defined by Committee on National Security Systems Instruction (CNSSI) 1253, are controls in which the implementation is managed by an organizational entity other than the system owner. It is a security control that can be applied to one or more organizational information systems and includes:

• The development, implementation, and assessment of the common control that is assigned to a responsible official or organizational element (other than the information system owner)
• The results from the assessment of the control, which can be used to support the RMF processes of an agency information system where that control has been applied

By indicating whether the controls are typically implemented as common (also known as inherited) controls, the column titled Potentially Common/Inheritable in Table D-2 of CNSSI 1253 provides guidance for implementation planning.

The final determination of which controls to implement as common controls will vary depending on the system and its intended environment/deployment. All controls selected for an information system must be addressed in the security plan, whether those controls are implemented by the information system or inherited from a common control provider.

Evidence must be included or referenced in the security plan that shows the information system actually receives protection from the inheritable security controls.
Table D-2 Additional Security Control Information (excerpt, reconstructed from the page image)

ID        C  I  A  Justification for NSS Baseline(s)        Potentially Common/Inheritable
AC-1      x  x  x                                           x
AC-2      x  x
AC-2(1)   x  x                                              x
AC-2(2)   x  x                                              x
AC-2(3)   x  x                                              x
AC-2(4)   x  x     Insider Threat Issuance CNSSI No 1015    x
AC-2(5)   x  x  x  Best Practice: Insider Threat            x
AC-2(6)   x  x
AC-2(7)   x  x     Insider Threat Issuance CNSSI No 1015
AC-2(8)   x  x
AC-2(9)   x  x     Insider Threat                           x
AC-2(10)  x  x     Insider Threat
AC-2(11)  x  x
AC-2(12)  x  x     Insider Threat                           x
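As an added example that is not part of the ISA220 course material, the following Python check applies the security-plan rule above (every selected control addressed, inherited controls backed by a named provider and referenced evidence) and uses the AC-1/AC-2 Potentially Common/Inheritable flags from Table D-2 to flag inherited controls that the table does not mark as inheritable. The selected control set, plan entries, provider name and evidence references are constructed for illustration.

```python
"""Security-plan coverage check for selected and inherited controls.

Added example, not from the course or any DoD tool. It encodes the rule
that every control selected for a system must be addressed in the
security plan, either implemented by the system or inherited from a
common control provider, and that inherited controls must reference
evidence that the system actually receives the protection.
"""
from dataclasses import dataclass

# Excerpt of CNSSI 1253 Table D-2 as shown on this page:
# control ID -> marked Potentially Common/Inheritable?
TABLE_D2_POTENTIALLY_COMMON = {
    "AC-1": True, "AC-2": False,
    "AC-2(1)": True, "AC-2(2)": True, "AC-2(3)": True, "AC-2(4)": True,
    "AC-2(5)": True, "AC-2(6)": False, "AC-2(7)": False, "AC-2(8)": False,
    "AC-2(9)": True, "AC-2(10)": False, "AC-2(11)": False, "AC-2(12)": True,
}


@dataclass
class PlanEntry:
    """One control as recorded in a system security plan (constructed format)."""
    control: str
    status: str          # "implemented" or "inherited"
    provider: str = ""   # common control provider, required when inherited
    evidence: str = ""   # reference to assessment results or agreement


def check_security_plan(selected, plan):
    """Return a list of findings; an empty list means the plan covers the set."""
    findings = []
    entries = {e.control: e for e in plan}
    for control in selected:
        entry = entries.get(control)
        if entry is None:
            findings.append(f"{control}: selected but not addressed in the security plan")
            continue
        if entry.status == "inherited":
            if not entry.provider:
                findings.append(f"{control}: inherited but no common control provider named")
            if not entry.evidence:
                findings.append(f"{control}: inherited but no evidence of received protection referenced")
            if not TABLE_D2_POTENTIALLY_COMMON.get(control, False):
                findings.append(f"{control}: inherited but not Potentially Common/Inheritable "
                                "in Table D-2; justify the inheritance in the plan")
        elif entry.status != "implemented":
            findings.append(f"{control}: unrecognized status {entry.status!r}")
    # Controls recorded in the plan but outside the selected set also need review.
    for control in entries:
        if control not in selected:
            findings.append(f"{control}: in the plan but not in the selected control set")
    return findings


# Constructed sample: a selected control set and a partially complete plan.
SELECTED = ["AC-1", "AC-2", "AC-2(1)", "AC-2(4)", "AC-2(7)"]
SAMPLE_PLAN = [
    PlanEntry("AC-1", "inherited", "DoD Fuels System (CCP)", "CCP assessment results, ref. SAR-2019-04"),
    PlanEntry("AC-2", "implemented"),
    PlanEntry("AC-2(1)", "inherited", "DoD Fuels System (CCP)", ""),      # evidence missing
    PlanEntry("AC-2(7)", "inherited", "", "Enclave MOA, ref. MOA-FUELS-07"),  # no provider, not inheritable
    # AC-2(4) is selected but absent from the plan
]

if __name__ == "__main__":
    for finding in check_security_plan(SELECTED, SAMPLE_PLAN):
        print(finding)
```

Running the block prints four findings for the constructed plan: missing evidence for AC-2(1), AC-2(4) not addressed, and two findings for AC-2(7).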
Long Description: Table D-2 Security Control Baselines contains the Control ID, Confidentiality, Integrity, Availability, Justification for NSS Baseline(s), and Potentially Common/Inheritable columns.
• AC-1, AC-2, AC-2(1), 2(2), 2(3), 2(4), 2(5), 2(6), 2(7), 2(8), 2(9), 2(10), 2(11), and 2(12) have Confidentiality and Integrity.
• AC-1 has Availability and is Potentially Common/Inheritable.
• AC-2(1), 2(2), and 2(3) are Potentially Common/Inheritable.
• AC-2(4) has an Insider Threat Issuance, CNSSI No. 1015, and is Potentially Common/Inheritable.
• AC-2(5) has Availability; its Justification for NSS Baseline is Best Practice: Insider Threat. It is also Potentially Common/Inheritable.
• AC-2(7) has an Insider Threat Issuance, CNSSI No. 1015.
• AC-2(9) and AC-2(12) have a Justification for NSS Baseline of Insider Threat and are Potentially Common/Inheritable.
• AC-2(10) has a Justification for NSS Baseline of Insider Threat.
Examples of Common Security Controls

The DoD defines a Common Security Control as "a security control that is inherited by one or more organizational information systems."

The RMF Knowledge Service provides additional information on common security controls provided by Tiers 1, 2, and 3, as well as the list of Common Security Controls that can be inherited by DoD Information and PIT systems from Tier 1.

At Tier 1, the DoD CIO identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.

DoD Information and PIT systems are automatically compliant with Tier 1 common security controls because they implement and are satisfied by existing documented DoD-level policies.
Examples of Common Security Controls, Cont.

Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD-level policies as issued.

The Authorizing Official for the Tier 1 common security controls is the DoD Senior Information Security Officer.
Knowledge Review 1

True or False: A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.

• True
• False

Answer: True. A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
Risk Management Framework Step 3: Security Control Implementation

RMF Step 3 involves the process of implementing the security controls specified in the Security Plan in accordance with DoD implementation guidance found on the RMF KS.

The key factors to consider when implementing security controls are Personnel, Organization, Risk Assessment, and Inheritance.
Personnel

ISSEs, with support from ISSMs and ISSOs, employ a sound security engineering process that captures and refines information security requirements and ensures their integration into information technology products and systems through purposeful security design or configuration.
Organization

Organization security control implementation includes:
• Maintaining consistency with the organization's enterprise architecture and information security architecture
• Using best practices when implementing the security controls within the Information or PIT system, including system and software engineering methodologies, security engineering principles, and secure software coding techniques
• Satisfying minimum assurance requirements when implementing security controls
• Establishing and implementing mandatory configuration settings on information technology products in accordance with federal and organizational policies
Risk Assessment

Risk assessments may help inform decisions regarding the cost, benefit, and risk trade-offs in using one type of technology versus another for control implementation.
Inheritance

Security controls are typically accepted by inheriting organizations if that organization has complied with DoD implementation guidance and assessment procedures and has met the minimum DoD enterprise-wide specific assignment values.

Each organization has the authority to be more stringent than the published DoD implementation guidance and DoD-specific assignment values for individual security controls. However, the increase in stringency cannot preclude required interoperability or reciprocity.

Organizations requiring more stringency or otherwise deviating from DoD implementation guidance must document the assessment procedures used, along with justification for the deviation, in the security plan.
Common Security Controls Applied to the DoD Tiers of Risk Management

The DoD risk management pyramid runs from strategic risk at the top to tactical risk at the bottom. Common security controls are applied at each tier as follows.
Tier 1

The DoD Chief Information Officer (CIO) identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.

DoD Information System (IS) and PIT systems are automatically compliant with Tier 1 common security controls because they implement and are satisfied by existing documented DoD-level policies.

Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD-level policies as issued. The AO for the Tier 1 common security controls is the DoD Senior Information Security Officer (SISO).
Tier 2

The DoD Component Chief Information Officer (CIO) identifies component-specific common security controls that are satisfied by existing component policy and guidance and are applicable throughout the component. Tier 2 common security controls may be more stringent than Tier 1 common security controls but may not negate or contradict them. Additionally, Tier 2 common security controls may not prevent interoperability or reciprocity between or among the DoD Components.

Component Information Systems (IS) and PIT systems are automatically compliant with Tier 2 common security controls because they implement and are satisfied by existing documented component policies and guidance. Risk associated with Tier 2 common security controls is assumed by the component providing the security control.

The Authorizing Official for the Tier 2 common security controls is the Component Senior Information Security Officer (SISO). Tier 2 common security controls are identified by DoD Components and should be posted to the individual DoD Component's KS workspace.
Tier 3

Within Tier 3 are Enclaves, which are a set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.

Enclaves may identify enclave-specific common security controls that are made available to Information or PIT systems that are nested within the enclave, through agreements between the enclave and the nested Information or PIT systems.

The RMF Technical Advisory Group chairman has approved amplifying guidance for Tier 3 inheritance of common controls. This may be found under the Common Controls and Inheritance tab within the RMF Knowledge Service.

Risks introduced via common security controls at Tier 3 must be documented and either accepted, mitigated, or rejected by the nested Information or PIT system Authorizing Official.
Long Description: DoD Tiers of Risk Management. Tier 1 - Organization; Tier 2 - Mission/Business Processes; Tier 3 - IS/PIT Systems. Strategic risk sits at the top of the pyramid and tactical risk at the bottom.
Tier 1 Common Security Controls for the DoD Enterprise

The following is a list of the DoD Enterprise-level (Tier 1) common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD. DoD Information and PIT systems are considered to be automatically compliant with these controls.

Control Number   Control Title
AT-1             SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
AT-2             SECURITY AWARENESS TRAINING
AT-2(1)          SECURITY AWARENESS | PRACTICAL EXERCISES
AT-2(2)          SECURITY AWARENESS | INSIDER THREAT
IA-1             IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-5(14)         AUTHENTICATOR MANAGEMENT | MANAGING CONTENT OF PKI TRUST STORES
IA-5(3)          AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
IR-1             INCIDENT RESPONSE POLICY AND PROCEDURES
IR-4(3)          INCIDENT HANDLING | CONTINUITY OF OPERATIONS
MP-1             MEDIA PROTECTION POLICY AND PROCEDURES
PE-1             PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PL-1             SECURITY PLANNING POLICY AND PROCEDURES
PL-9             CENTRAL MANAGEMENT
PM-1             INFORMATION SECURITY PROGRAM PLAN
PM-10            SECURITY AUTHORIZATION PROCESS
PM-7             ENTERPRISE ARCHITECTURE
PM-9             RISK MANAGEMENT STRATEGY
PS-1             PERSONNEL SECURITY POLICY AND PROCEDURES
RA-1             RISK ASSESSMENT POLICY AND PROCEDURES
SI-1             SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
Knowledge Review 2

At which Department of Defense (DoD) Tier of risk management is risk introduced via common security controls at the enclave level that must be documented as either accepted, mitigated, or rejected risk by the nested Information System or Platform Information Technology (PIT) System Authorizing Official?

• Tier 1
• Tier 2
• Tier 3

Answer: Tier 3 is the DoD tier of risk management at which risk is introduced via common security controls at the enclave level that must be documented as either accepted, mitigated, or rejected risk by the nested Information System or PIT System Authorizing Official.
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation

The Security Controls Explorer, found within the RMF Knowledge Service, provides implementation guidance and best practices for implementing security controls. This resource is critical when implementing security controls within DoD.

Within the list for each security control, DoD has assigned specific values, implementation guidance, and assessment procedures. These can be used to manage and document the RMF process. In addition to the Knowledge Service, these procedures can be found in the DoD Enterprise Mission Assurance Support Service (eMASS).
The Security Controls Explorer entry for AC-1, Access Control Policy and Procedures, shows the following sections. Users can view control details under each.

• Control Text: The organization a. Develops, documents, and disseminates to [all personnel]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Annually]; and 2. Access control procedures [Annually].
• Supplemental Guidance
• References
• Security Categorization
• Implementation Guidance and Assessment Procedures
Control Correlation Identifier (CCI)

The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides specific security control information that can be applied to all US Government information systems.

However, DoD has provided amplifying guidance, requirements, and direction based on DoD policies, mandates, architectures, and environments within the RMF Knowledge Service.

The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control. CCIs bridge the gap between high-level policy expressions and low-level technical implementations. DoD has taken every security control and associated enhancements within the Security Controls Catalog and decomposed them into individual measurable statements.

CCIs:
• Do not change the meaning or intent of a security control
• Are simply a breakdown of each individual requirement within the security control
• Are given a numeric label
• Provide specific implementation guidance and assessment procedures
Control Correlation Identifiers Guidance

A Control Correlation Identifier gives us specific DoD guidance and procedures for implementing and assessing the security controls.

For example, when implementing IR-7 security controls, the Control Correlation Identifiers (CCI-000839 through CCI-000842) guide us to:
• (CCI-000839) Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents
• (CCI-000840) Employ automated mechanisms to increase the availability of incident response-related information and support
• (CCI-000841) Establish a direct, cooperative relationship between its incident response capability and external providers of information system protection capability
• (CCI-000842) Identify organizational incident response team members to the external providers
Control Correlation Identifiers Guidance, Cont.

At this time, DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing.

Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users.

In assessing this security control, we will identify and interview as necessary to determine if the CCIs are fulfilled. As DoD requires us to implement an automated intra-organization incident response information sharing capability, we must determine if this capability is implemented.

This implementation is intended to provide information and support such as standard operating procedures for incident reporting, incident handling, frequently asked questions, current incident activity awareness information, incident response contact information, and incident report submissions.
Control Correlation Identifiers Example

[Image: a Control Correlation Identifiers example stepping through IR-7, its enhancements IR-7(1) and IR-7(2), and their associated CCIs with assessment guidance]
The Incident Response Family IR-7 ( 1) is a specific control to address Incident Response AssistancelAutomation Support For Availability Of Information Support
Pag e 17 of 23 Back Next
--
___
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example
IRmiddot1 IRmiddot7
CCI
COshy
CCI-no___ _ tHfIOIM aupoon tbullto1ttbull to tN ---rH-MUpobMy 1NI elrin ~MidMliiA-U 10 Wtra
dlM-bullibullmtot11M~ --d-yWM-S
--~_ ~-------_-_-shy-
1R 1 QI IHQl(ll CO-I TM~Hl-bullclortd CoopedlNe ~
- bullbullbull-clflllY _ txtipo-d_ cwty
C0-2 TIM_bull ___IR-7 2) IRmiddot7 QI (11) iflCldlN tH$IOM4 Ibull~ to tM txtotNI_
The control is given a CCI number 000840
~
Tho --bot Tht--~~tidrMMbullud_H~ _ mpecWNHMHlMftl ___ ____ ~IOMJThtlp- topwa_rH_M_NNCHINl~ffl cMlcbull W U llMCt to uMrt W aallt1MCe ol thoH HMCff ~ 11Md I ~-middotmiddot--Y ____~ ~fVSlft~illhOnLO
Mt-et II M 1ftCldert ~
MMebull lo cotUct Tht -middot- Tht ___pectt6nMut ~ ~ obtMllll s -nne1 tht_____ ------wv---_~ ---_~ 10 0 __- _ -lomiddotmiddot---shy--_ I SOPlor--O 2 ~deg
) o Y-middot_ rHponM Conucts ~ _
Tht --bot TIM--~ lfltpeC1tidiMMUed bulllhtlilliM ~ otllMM s t1lit
fMCWodc ~ -MNCbull ptcMdef Wt CfJl)ltO 1ti1 - bull m wrren1 -middot--middotmiddot-middot ----- (QCllSP - shyTN Olll)lll zbullM bMt9 Tllif OfflllVbulldeg c0fdut19 a lfltpKlMUM tnull prNde Mii 1M91CbOftUffllrntinC Md_ tht upctae 1bt bull11 o1 tm11 llllttdMI Mt wwetnlll PifM bullbullbull~ JM ~mt_ bullbull MltHJaY to wMilbull bull 11 eccurlllbull and c_ ke ___ tlM ~ CNOSP -CHOSP____ __ C--N ___lllO ---Mt CJlOSPshy -oc1
Page 17 of 23 Back Next
---
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example
CCIOoshy
IR-1 A-1 CO- no___- Tho __ Tht--~t fHSIOMbull IUIJPM flICMilU ti lO the specttclr_IMCf Hfaibllltl MPKtflftHtfflmenl ~onll~ fHpOftH capiibMy lftCdtiril rnpoftM ~MNCe Of9ilV-oNI VHft to _ tllftHamp fl ma~~Md nace 10 Mllogow bullbull rr POHJt to~~ rHpMM 9tIPPOft middot~ Md -1bull ollllt-JY(tmloflllt_ --u-010-lof n-tMIMM_n_lllOd I--middotuany -~-middotmiddot-~--middot-y-- __--lO
_ff 11 idlnlI M ~ HSOONbull ~ MNCe to COlUCI
Rmiddot1 (1) Amiddot1 (1) The organizat ion employs automated Tho --bull_impecbatllbulluu olilaM ft x tht mechanisms to Increase the availability of
--- ---- C-Y__bololy IO-o IN__~incident response-related Information and _ - __ support _
----middot ~~~-~ l c~ bull deg - tclfleyFor each ~ fftPQnM COfll-ICImeasurable -shy
statement shys---shyTho __ Thi--~Thtot--bullbulloct c~MLll11s mspecte6assustcl rnmt ~ bull ~anbulltslNftl~ mtd IM
- middot-~ysmshy~__MtMlkMNCt prCMdet __wtQ~ lot II 9 CUfWll ----middot-- --cloc--hcopoWry (QC)SP) Mid shyTho__ Tho_ c-g lllollH C2) A-7 (2)(b) Thl0t~-middot~shy -OIHuocl-l~ond _ _ ___~ tflpenM tt ~tom tXltmal pnMdiln upclabull the bullbull Cl ~ ~~middot bullbull ~
POftM mttntltta bullbull MCairt to II ecc Md CllilNWll ~ ttw~lllo~eltlltCHOSP _CHOSP___ - -- __pon--MOylhollt
CtlOSP19- middot- The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog
Page 17 of 23 Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example ConltOI 800-53 CoonltOI CCINumber Tut lndlcalOf
IRmiddot1 IRmiddot7 CCfOOOll39 Tht Ofgltlltuotl ~ 811 ~ Tht OttJfUllOtl btillf The OtPitlllOlI COlOicl1119 I rt ftgtOMt ~Pl rtsourct lflttgltal 10 11W itlsptltttdlubullbull bullbulltdWil t ltbullblitJI 811 lnbullPtCtfoNbullbullbullbullbullbullmtlaquo nl lflltMtW OtfMllbullion11 itlC1I ffbullpotIM capaWlaquoy itlCldttlt pot bull11P1gtM bulltMCt organit8li0flal 11bullotri 10 dt-1 41_ d IPIbull ohf$ ~ Wld bullbullSttt811Ct 10 U$tff ~ 10 811 IT lltlpbullbullJc lO ~ ilICiltlttll tttporM $Upp)fl $tMCtt and qualily ti d Ult lftlltlOft sytiem fot 1111 hlftdlbullO 4MCbull and HtlftMCt 10 uwbull fot bullbullbullitctnet ol u~ bullbulllYicbullbull wMll 11Md bull
The organization being The organization conducting the inspectedassessed will implement an inspectionassessment obtains and examines the automated intra-organization incident incident response information sharing capabil ity response information incident related to validate the information sharing capability is information and support for example available to organizational users 1 SOP for Incident reporting 2 Incident handl ing FAQ -
3 Current incident activity awareness Information DoD specific guidance
4 Incident response contact and procedures Information
5 Incident report submissionIR-7 (2) IRbull7 (2) (bull)
pror_Mfs of~ system l)IOlICbOn nttworit dfftntbull StNCt ~ ~lllotl Mid Ct-IOSP lO lllidale bull 11 Wlftfll cap1bilily (CNOSP) Md Wllid
IRmiddot7 (2) IRmiddot7 (2) (b) CCl-0008A2 OfptllZMIOlI ~middotOlpZltiOfI Tht Ot1PfiZlllOn bttfIO The ~middotdeg CltMWMl(t tM ~ rt t-pofSe 1ebull m fNfllbtft 10 the itlf9Kttdfbullbullbullbullbullbulled ~ ttWI itlSpeltllOtlfbullbullbullbullbullbulltntfll obi Wld middot~middot lht UClemai~bull u~e llle lilt ol intemll incidenl list ol illlemal inCidetll re-tp(lltM tbullllM mtnlben
tHPottM teem mtmbers bull s MCeSSMy 10 91MUce ll bullbull ccbullbull and cunent lnteMeWS 1htoughOIA lhe WCydt Of the CNOSP With CttOSP pertdeg~~MOt11 gr-Mmt_ ilI conpincbOn Mth lhe lteidttll rttPolM te lflI mtmbtrbull nwy bullbullo be CNOSP flltfll ~ed~
DOD provides guidance and procedures This supplemental guidance reflecting automated mechanisms can provide a push pull capability for users seeking incident response assist ance For example individuals m ight query the assistance capability via a website or conversely the assistance capabil ity may preemptively send informat ion to users (general dist ribution or target ed) as part of increasing understanding of current response capabilit ies and support
Page 17 of 23 Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example ConltOI 800-53 CoonltOI CCINumber Tut lndlcalOf
IRmiddot1 IRmiddot7
Long Descript ion
A typical Control Correlation Identifiers entry is comprised of
bull Control Number IR-7 ( 1) is highlighted The Incident Response Family IR-7 ( 1) is a specific control to address Incident Response Assistance IAutomation Support For Availability Of Information Support
bull CCI label highlighted The control is given a CCI number 000840
bull CCI definition is highlighted The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog
IR-7 (2) IRbull7 (2) (bull) bull Guidance is highlighted DoD provides guidance and
procedures This supplemental guidance reflecting automated mechanisms can provide a push pull capability for
IRmiddot7 (2) IRmiddot7 (2) (b) users seeking incident response assistance For example individuals might query the assistance capability via a website or conversely the assistance capability may preemptively send information to users (general distribution
DOD provides or targeted) as part of increasing understanding of current can provide a response capabilities and support individuals m i
_ 41 StMCff qualily ti bullbullwMll11Md bull
d examines tile ring capabil ity capability is
c guidance ures
-
cunent lnteMeW5~deg -middot-bullbullbull ted mechanisms xample tance capabil ity
may preemptively send informat ion to users (general distri bution or target ed) as part of increasing understanding of current response capabilit ies and support
I Page17of 23 I Back Next
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs)

CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.

We can use that initial list to establish a list of applicable STIGs for the Information or PIT system. Because the STIG list is derived from that inventory, it has to be revisited whenever the hardware or software baseline changes: a product added after Step 1 has no STIG coverage until its STIG is added to the list.
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs) (Cont.)

When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.

SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.

SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.

The first group are the four Core SRGs, which deal with Applications, Networking Devices, Operating Systems and Policy. The second group are technology-specific SRGs. A technology-specific SRG is a child of a Core SRG; for example, the Database SRG was derived from the requirements in the Application SRG.
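The control-to-CCI-to-STIG correlation described in the CCI example and in the STIG/SRG pages above can be exercised mechanically. The Python below is an added example written for this edit, not course material and not DISA tooling: it parses a constructed CCI-list fragment and a constructed XCCDF fragment, builds the traceability in both directions, and reports CCIs that no STIG rule covers (the ones you must satisfy from an SRG, organizational evidence or inheritance) and rules that cite an unknown CCI. The XML shapes follow the general layout of the DISA CCI list (cci_item/definition/reference@index) and of XCCDF 1.1 benchmarks (Rule/ident@system); the http://cyber.mil/cci ident system URI, the rule IDs SV-EXAMPLE-1_rule and SV-EXAMPLE-2_rule, their titles and CCI-999999 are assumptions. CCI-000840 for IR-7(1) is from the page; CCI-000839 for IR-7 is read from the course's table image.

```python
"""Trace NIST SP 800-53 controls -> CCIs -> STIG rules (constructed example, not DISA code)."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass, field

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"  # namespace used by STIG XCCDF benchmarks
CCI_IDENT_SYSTEM = "http://cyber.mil/cci"          # assumed @system value marking CCI <ident>s

# Constructed stand-in for the DISA CCI list; only the element names used below matter.
CCI_LIST_XML = """<cci_list>
  <cci_item id="CCI-000839">
    <definition>The organization provides an incident response support resource, integral to
      the organizational incident response capability, that offers advice and assistance to
      users of the information system for the handling and reporting of security incidents.</definition>
    <references><reference creator="NIST" title="NIST SP 800-53 Revision 4" index="IR-7"/></references>
  </cci_item>
  <cci_item id="CCI-000840">
    <definition>The organization employs automated mechanisms to increase the availability
      of incident response-related information and support.</definition>
    <references><reference creator="NIST" title="NIST SP 800-53 Revision 4" index="IR-7 (1)"/></references>
  </cci_item>
</cci_list>"""

# Constructed stand-in for a STIG benchmark; rule ids, titles and CCI-999999 are hypothetical.
STIG_XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="Example_Benchmark">
  <Group id="V-EXAMPLE-1"><Rule id="SV-EXAMPLE-1_rule" severity="medium">
    <title>The incident response portal must be reachable by all organizational users.</title>
    <ident system="{CCI_IDENT_SYSTEM}">CCI-000840</ident>
  </Rule></Group>
  <Group id="V-EXAMPLE-2"><Rule id="SV-EXAMPLE-2_rule" severity="low">
    <title>Rule that cites a CCI absent from the loaded CCI list.</title>
    <ident system="{CCI_IDENT_SYSTEM}">CCI-999999</ident>
  </Rule></Group>
</Benchmark>"""


@dataclass
class Cci:
    cci_id: str
    definition: str
    controls: list = field(default_factory=list)  # normalized 800-53 indices, e.g. "IR-7(1)"


@dataclass
class Rule:
    rule_id: str
    title: str
    ccis: list = field(default_factory=list)


def normalize_control(index: str) -> str:
    """Canonical control key: 'IR-7 (2) (b)' -> 'IR-7(2)(b)' (whitespace removed only)."""
    return "".join(index.split())


def parse_cci_list(xml_text: str) -> dict:
    """CCI id -> Cci, with the 800-53 control(s) each CCI decomposes."""
    ccis = {}
    for item in ET.fromstring(xml_text).iter("cci_item"):
        cci = Cci(item.get("id"), " ".join((item.findtext("definition") or "").split()))
        cci.controls = [normalize_control(r.get("index", "")) for r in item.iter("reference")]
        ccis[cci.cci_id] = cci
    return ccis


def parse_stig_rules(xml_text: str) -> dict:
    """Rule id -> Rule, keeping only <ident> entries whose @system marks them as CCIs."""
    ns = {"x": XCCDF_NS}
    rules = {}
    for node in ET.fromstring(xml_text).iter(f"{{{XCCDF_NS}}}Rule"):
        rule = Rule(node.get("id"), (node.findtext("x:title", namespaces=ns) or "").strip())
        rule.ccis = [i.text.strip() for i in node.findall("x:ident", ns)
                     if i.get("system") == CCI_IDENT_SYSTEM and i.text]
        rules[rule.rule_id] = rule
    return rules


def trace_controls(ccis: dict, rules: dict) -> dict:
    """Control -> sorted (cci_id, rule_id) pairs: the STIG evidence behind each control."""
    rules_by_cci = defaultdict(list)
    for rule in rules.values():
        for cci_id in rule.ccis:
            rules_by_cci[cci_id].append(rule.rule_id)
    trace = defaultdict(list)
    for cci in ccis.values():
        for control in cci.controls:
            trace[control].extend((cci.cci_id, rid) for rid in rules_by_cci.get(cci.cci_id, []))
    return {control: sorted(pairs) for control, pairs in trace.items() if pairs}


def unmapped_ccis(ccis: dict, rules: dict) -> list:
    """CCIs no rule cites: satisfy them from an SRG, organizational evidence, or inheritance."""
    cited = {cci_id for rule in rules.values() for cci_id in rule.ccis}
    return sorted(cci_id for cci_id in ccis if cci_id not in cited)


def dangling_idents(ccis: dict, rules: dict) -> list:
    """(rule_id, cci_id) where a rule cites a CCI the list does not define: a stale mapping."""
    return sorted((rule.rule_id, cci_id) for rule in rules.values()
                  for cci_id in rule.ccis if cci_id not in ccis)


if __name__ == "__main__":
    ccis, rules = parse_cci_list(CCI_LIST_XML), parse_stig_rules(STIG_XCCDF)
    for control, pairs in trace_controls(ccis, rules).items():
        print(f"{control}: {pairs}")
    print("CCIs with no STIG rule:", unmapped_ccis(ccis, rules))
    print("Rules citing unknown CCIs:", dangling_idents(ccis, rules))
```

Run as written, the block traces IR-7(1) to SV-EXAMPLE-1_rule through CCI-000840, lists CCI-000839 as covered by no rule, and flags the rule that cites CCI-999999. Against a real system you would load the DISA CCI list and every STIG on the applicability list built in Step 1; the unmapped set is then exactly the CCIs that STIG checks alone will not evidence, which is where the SRG, the organization's own procedures, or a documented inheritance from a common control provider has to carry the security plan.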
The Purpose and Implementation Of Control Correlation Identifiers

As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated, as appropriate, into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs) and Integrated Master Plans/Schedules (IMPs/IMSs).

CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.

To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and ISSE should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management and risk deliberations, and throughout Systems Engineering Technical Review (SETR) processes and reviews.
Additional Security Control Implementation Guidance

In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.

Especially consider when a vendor or organization has used automation to allow them to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.

The Department of Defense Instruction (DoDI) 8500 series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs).

In the absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance, or National Information Assurance Partnership (NIAP) Protection Profiles.

National Information Assurance Partnership: The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST). (The NIAP website link in the source is not legible.)
Knowledge Review 3

The Department of Defense (DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual measurable statements referred to as (fill in the blank):

[ ] DoD Security Controls
[ ] Common Security Controls
[x] Control Correlation Identifiers
[ ] Security Controls Catalog

Check Answer: The Department of Defense (DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlation Identifiers.
Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left. If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.
Automated Fuels System Roles and Responsibilities

Information System Security Engineer (ISSE): Max Black

The ISSE, also referred to as the Information Security Architect, is an individual or group integral to, and associated with, the system developer. The ISSE:
• Ensures information security requirements are effectively implemented throughout the security architecting, design, development, configuration and implementation processes.
• Coordinates security-related activities with the Information System Security Officer (ISSO), the Information System Security Manager (ISSM) and the Common Control Provider (CCP).

Information Owners (IO): Fuels Program Chief Financial Officer, US Army Colonel Alexis Greenback, and Fuels Program Logistics Officer, Staff Sergeant Movin Now

The IO has statutory or operational authority for specified information and establishes controls for the information's generation, collection, processing, dissemination and disposal.

Common Control Provider (CCP): the Department of Defense (DoD) Fuels System

The CCP is responsible for the planning, development, implementation, assessment, authorization and monitoring of common controls. Organizations can have multiple CCPs, depending upon how information security responsibilities are allocated organization-wide.

Information System Owner (ISO): you, the student, have been assigned as the AFS Information System Owner

In coordination with the Information Owner (IO), you will:
• Categorize the system and document it in the Security Plan.
• Be responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.
• Plan and budget for security control implementation, assessment and sustainment throughout the system life cycle, including timely and effective configuration and vulnerability management.
The Information System Owner (ISO) or Program Manager/Systems Manager develops the Plan of Action and Milestones (POA&M) and implements corrective actions.

Information System Security Manager (ISSM): Ms. Sheila Fumes

The ISSM:
• Is responsible for the day-to-day security and continuous monitoring of an Information System (IS) or Platform Information Technology (PIT) System.
• Develops and maintains an organizational or system-level cybersecurity program that includes cybersecurity architecture, requirements, objectives and policies, cybersecurity personnel, and cybersecurity processes and procedures.
• As the principal advisor to the Authorizing Official (AO), assembles the security authorization package.
When circumstances warrant, a single individual may fulfill both the ISSM and the Information System Security Officer (ISSO) roles.

Mission Owner (MO): Fuels Program Director, Colonel Sam Wheels

The MO has operational responsibility for the mission or business process supported by the mission/business segment or the information system. The MO is the key stakeholder for system life cycle decisions.

Program Manager (PM): Lieutenant Colonel Whitey Fry

The Program Manager/Systems Manager (PM/SM) is the person who has the responsibility and authority to accomplish program or system objectives for development, production and sustainment to meet the user's operational needs. The PM/SM or Information System Owner (ISO) develops the Plan of Action and Milestones (POA&M), implements corrective actions, and ensures the security plan and POA&M are updated based on the results of the system-level continuous monitoring process.
Common Security Controls

Common Security Controls, as defined by Committee on National Security Systems Instruction (CNSSI) 1253, are controls in which the implementation is managed by an organizational entity other than the system owner. A common control is a security control that can be applied to one or more organizational information systems and includes:
• The development, implementation and assessment of the common control, which is assigned to a responsible official or organizational element (other than the information system owner).
• The results from the assessment of the control, which can be used to support the RMF processes of an agency information system where that control has been applied.

By indicating whether the controls are typically implemented as common (also known as inherited) controls, the column titled Potentially Common/Inheritable in Table D-2 of CNSSI 1253 provides guidance for implementation planning.

The final determination of which controls to implement as common controls will vary depending on the system and its intended environment/deployment. All controls selected for an information system must be addressed in the security plan, whether those controls are implemented by the information system or inherited from a common control provider.

Evidence must be included or referenced in the security plan that shows the information system actually receives protection from the inheritable security controls. Inheritance is a claim about the deployed system, not about the provider's catalog: a control the provider lists as common protects this system only if the system actually sits within the scope the provider implemented and assessed.
Table D-2 Additional Security Control Information (excerpt shown in the course)

ID        C  I  A  Justification for NSS Baseline(s)        Potentially Common/Inheritable
AC-1      x  x  x                                            x
AC-2      x  x
AC-2(1)   x  x                                               x
AC-2(2)   x  x                                               x
AC-2(3)   x  x                                               x
AC-2(4)   x  x     Insider Threat Issuance CNSSI No. 1015    x
AC-2(5)   x  x  x  Best Practice; Insider Threat             x
AC-2(6)   x  x
AC-2(7)   x  x     Insider Threat Issuance CNSSI No. 1015
AC-2(8)   x  x
AC-2(9)   x  x     Insider Threat                            x
AC-2(10)  x  x     Insider Threat
AC-2(11)  x  x
AC-2(12)  x  x     Insider Threat                            x

Long Description

The Table D-2 Security Control Baselines excerpt contains the Control ID, Confidentiality, Integrity, Availability, Justification for NSS Baseline(s) and Potentially Common/Inheritable columns. AC-1, AC-2, and AC-2(1) through AC-2(12) all have Confidentiality and Integrity.
• AC-1 has Availability and is Potentially Common/Inheritable.
• AC-2(1), AC-2(2) and AC-2(3) are Potentially Common/Inheritable.
• AC-2(4) has an Insider Threat Issuance, CNSSI No. 1015, and is Potentially Common/Inheritable.
• AC-2(5) has Availability; its Justification for NSS Baseline is Best Practice, Insider Threat. It is also Potentially Common/Inheritable.
• AC-2(7) has an Insider Threat Issuance, CNSSI No. 1015.
• AC-2(9) and AC-2(12) have a Justification for NSS Baseline of Insider Threat and are Potentially Common/Inheritable.
• AC-2(10) has a Justification for NSS Baseline of Insider Threat.
Examples of Common Security Controls

The DoD defines a Common Security Control as "a security control that is inherited by one or more organizational information systems."

The RMF Knowledge Service provides additional information on common security controls provided by Tiers 1, 2 and 3, as well as the list of Common Security Controls that can be inherited by DoD Information and PIT systems from Tier 1.

At Tier 1, the DoD CIO identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.

DoD Information and PIT systems are automatically compliant with Tier 1 common security controls because they implement, and are satisfied by, existing documented DoD-level policies.
Examples of Common Security Controls (Cont.)

Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD-level policies as issued.

The Authorizing Official for the Tier 1 common security controls is the DoD Senior Information Security Officer.
Knowledge Review 1

True or False: A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.

[x] True
[ ] False

Check Answer: True. A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
Risk Management Framework Step 3: Security Control Implementation

RMF Step 3 involves the process of implementing the security controls specified in the Security Plan in accordance with DoD implementation guidance found on the RMF KS. The key factors to consider when implementing security controls are Personnel, Organization, Risk Assessment and Inheritance.

Personnel
ISSEs, with support from ISSMs and ISSOs, employ a sound security engineering process that captures and refines information security requirements and ensures their integration into information technology products and systems through purposeful security design or configuration.

Organization
Organization security control implementation includes:
• Maintaining consistency with the organization's enterprise architecture and information security architecture.
• Using best practices when implementing the security controls within the Information or PIT system, including system and software engineering methodologies, security engineering principles, and secure software coding techniques.
• Satisfying minimum assurance requirements when implementing security controls.
• Establishing and implementing mandatory configuration settings on information technology products in accordance with federal and organizational policies.

Risk Assessment
Risk assessments may help inform decisions regarding the cost, benefit and risk trade-offs in using one type of technology versus another for control implementation.

Inheritance
Security controls are typically accepted by inheriting organizations if that organization has complied with DoD implementation guidance and assessment procedures and has met the minimum DoD enterprise-wide specific assignment values.

Each organization has the authority to be more stringent than the published DoD implementation guidance and DoD-specific assignment values for individual security controls. However, the increase in stringency cannot preclude required interoperability or reciprocity.

Organizations requiring more stringency, or otherwise deviating from DoD implementation guidance, must document the assessment procedures used, along with justification for the deviation, in the security plan.
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Common Security Controls Applied to the DoD Tier s of Risk Management
Select each tier of the Strategic risk pyramid to see how common security controls are applied
STRATEGIC RISK
TACTICAL RISK
I Pbull ge10 of23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Common Security Controls Applied to the DoD Tiers of Risk Management
Select each t ier of t he Strategic risk pyramid to see how common securit y cont rols are applied
STRATEGIC RISK
Tier I
The DoD Chief In formation Officer (CIO) identifies common securi ty controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD
DoD In formation System ( IS) and PIT systems are automatically compliant with Tier I common securi ty controls because they implement and are satisfied by existing documented DoD level policies
Risk associated with Tier I common securi ty controls is assumed by the DoD Components collec tively through their concurrence with the DoD level policies as issued The AO for the Tier I common securi ty controls is the DoD Senior In formation Securi ty Officer (SISO)
Tier 2
The DoD Component Chief Information Officer (CIO) identifies component-specific common security controls that are satisfied by existing component policy and guidance and are applicable throughout the component. Tier 2 common security controls may be more stringent than Tier 1 common security controls but may not negate or contradict them. Additionally, Tier 2 common security controls may not prevent interoperability or reciprocity between or among the DoD Components.
Component Information Systems (IS) and PIT systems are automatically compliant with Tier 2 common security controls because they implement, and are satisfied by, existing documented component policies and guidance. Risk associated with Tier 2 common security controls is assumed by the component providing the security control.
The Authorizing Official for the Tier 2 common security controls is the Component Senior Information Security Officer (SISO). Tier 2 common security controls are identified by DoD Components and should be posted to the individual DoD Component's KS workspace.
Tier 3
Within Tier 3 are enclaves, which are a set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.
Enclaves may identify enclave-specific common security controls that are made available to Information or PIT systems nested within the enclave, through agreements between the enclave and the nested Information or PIT systems.
The RMF Technical Advisory Group chairman has approved amplifying guidance for Tier 3 inheritance of common controls. This may be found under the Common Controls and Inheritance tab within the RMF Knowledge Service.
Risks introduced via common security controls at Tier 3 must be documented and either accepted, mitigated, or rejected by the nested Information or PIT system Authorizing Official.
Long Description (DoD Tiers of Risk Management pyramid): Tier 1 - Organization (top of the pyramid, strategic risk); Tier 2 - Mission/Business Processes; Tier 3 - IS/PIT Systems (base of the pyramid, tactical risk).
Tier 1 Common Security Controls for the DoD Enterprise
The following is a list of the DoD Enterprise-level (Tier 1) common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD. DoD Information and PIT systems are considered to be automatically compliant with these controls.
Control Number    Control Title
AT-1      SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
AT-2      SECURITY AWARENESS TRAINING
AT-2(1)   SECURITY AWARENESS | PRACTICAL EXERCISES
AT-2(2)   SECURITY AWARENESS | INSIDER THREAT
IA-1      IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-5(14)  AUTHENTICATOR MANAGEMENT | MANAGING CONTENT OF PKI TRUST STORES
IA-5(3)   AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
IR-1      INCIDENT RESPONSE POLICY AND PROCEDURES
IR-4(3)   INCIDENT HANDLING | CONTINUITY OF OPERATIONS
MP-1      MEDIA PROTECTION POLICY AND PROCEDURES
PE-1      PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PL-1      SECURITY PLANNING POLICY AND PROCEDURES
PL-9      CENTRAL MANAGEMENT
PM-1      INFORMATION SECURITY PROGRAM PLAN
PM-10     SECURITY AUTHORIZATION PROCESS
PM-7      ENTERPRISE ARCHITECTURE
PM-9      RISK MANAGEMENT STRATEGY
PS-1      PERSONNEL SECURITY POLICY AND PROCEDURES
RA-1      RISK ASSESSMENT POLICY AND PROCEDURES
SI-1      SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
Knowledge Review 2
At which Department of Defense (DoD) tier of risk management is risk introduced via common security controls at the enclave level that must be documented as either accepted, mitigated, or rejected risk by the nested Information System or Platform Information Technology (PIT) System Authorizing Official?
Tier 1
Tier 2
Tier 3 (correct answer)
Tier 3 is the DoD tier of risk management at which risk is introduced via common security controls at the enclave level that must be documented as either accepted, mitigated, or rejected risk by the nested Information System or PIT System Authorizing Official.
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation
The Security Controls Explorer, found within the RMF Knowledge Service, provides implementation guidance and best practices for implementing security controls. This resource is critical when implementing security controls within DoD.
Within the list, for each security control DoD has assigned specific values, implementation guidance, and assessment procedures. These can be used to manage and document the RMF process. In addition to the Knowledge Service, these procedures can be found in the DoD Enterprise Mission Assurance Support Service (eMASS).
Screenshot: Security Controls Explorer entry for AC-1 ACCESS CONTROL POLICY AND PROCEDURES. Users can view the control details.
Control Text: The organization: a. Develops, documents, and disseminates to [all personnel]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Annually]; and 2. Access control procedures [Annually].
Tabs shown: Supplemental Guidance; References; Security Categorization; Implementation Guidance and Assessment Procedures.
Control Correlation Identifier (CCI)
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides specific security control information that can be applied to all US Government information systems.
However, DoD has provided amplifying guidance, requirements, and direction based on DoD policies, mandates, architectures, and environments within the RMF Knowledge Service.
The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control. CCIs bridge the gap between high-level policy expressions and low-level technical implementations. DoD has taken every security control and associated enhancements within the Security Controls Catalog and decomposed them into individual, measurable statements.
CCIs:
• Do not change the meaning or intent of a security control
• Are simply a breakdown of each individual requirement within the security control
• Are given a numeric label
• Provide specific implementation guidance and assessment procedures
Control Correlation Identifiers Guidance
A Common Control Identifier gives us specific DoD guidance and procedures for implementing and assessing the security controls.
For example, when implementing IR-7 security controls, the Common Control Identifiers (CCI-000839 through CCI-000842) guide us to:
• (CCI-000839) Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents
• (CCI-000840) Employ automated mechanisms to increase the availability of incident response-related information and support
• (CCI-000841) Establish a direct, cooperative relationship between its incident response capability and external providers of information system protection capability
• (CCI-000842) Identify organizational incident response team members to the external providers
Control Correlation Identifiers Guidance (Cont.)
At this time, DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing.
Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users.
In assessing this security control, we will identify and interview as necessary to determine if the CCIs are fulfilled. As DoD requires us to implement an automated intra-organization incident response information sharing capability, we must determine if this capability is implemented.
This implementation is intended to provide information and support such as standard operating procedures for incident reporting, incident handling frequently asked questions, current incident activity awareness information, incident response contact information, and incident report submissions.
Control Correlation Identifiers Example
Figure: Control Correlation Identifiers example (screenshot of the Security Controls Explorer table). Columns: Control, 800-53 Control, CCI Number, Text, Indicator. Rows shown: IR-7 / IR-7 (CCI-000839); IR-7(1) / IR-7(1) (CCI-000840); IR-7(2) / IR-7(2)(a) (CCI-000841); IR-7(2) / IR-7(2)(b) (CCI-000842).
Legible DoD-specific guidance and procedures for the IR-7(1) / CCI-000840 row:
Implementation guidance: The organization being inspected/assessed will implement an automated intra-organization incident response information sharing capability to provide incident-related information and support, for example: 1. SOP for incident reporting; 2. Incident handling FAQ; 3. Current incident activity awareness information; 4. Incident response contact information; 5. Incident report submission.
Assessment procedure: The organization conducting the inspection/assessment obtains and examines the incident response information sharing capability to validate that the information sharing capability is available to organizational users.
Long Description
A typical Control Correlation Identifiers entry is comprised of:
• Control Number (IR-7(1) is highlighted): The Incident Response family control IR-7(1) is a specific control to address Incident Response Assistance | Automation Support for Availability of Information/Support.
• CCI label (highlighted): The control is given a CCI number, 000840.
• CCI definition (highlighted): The CCI definition is the same as the control definition in NIST SP 800-53 and within the Security Controls Catalog.
• Guidance (highlighted): DoD provides guidance and procedures. This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website, or conversely the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.
We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs) (Cont.)
When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.
SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.
The first group is the four Core SRGs, which deal with Applications, Networking Devices, Operating Systems, and Policy. The second group is technology-specific SRGs. A technology-specific SRG is a child of a Core SRG; for example, the Database SRG was derived from the requirements in the Application SRG.
The Purpose and Implementation Of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated, as appropriate, into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs), and Integrated Master Plans/Schedules (IMPs/IMSs).
CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and ISSE should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management, and risk deliberations, and throughout Systems Engineering Technical Review (SETR) processes and reviews.
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.
Especially consider when a vendor or organization has used automation to allow them to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.
The Department of Defense Instruction (DoDI) 8500 Series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guidelines (SRGs).
In the absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance, or National Information Assurance Program (NIAP) Protection Profiles.
National Information Assurance Program
The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST). For more information, please visit the NIAP website.
Knowledge Review 3
The Department of Defense (DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual, measurable statements referred to as (fill in the blank):
DoD Security Controls
Common Security Controls
Control Correlation Identifiers (correct answer)
Security Controls Catalog
The Department of Defense (DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual, measurable statements referred to as Control Correlation Identifiers.
Lesson Completion
You have completed the content for this lesson.
To continue, select another lesson from the Table of Contents on the left.
If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.
Automated Fuels System Roles and Responsibilities
The Information System Security Engineer (ISSE) is Max Black.
The ISSE, also referred to as Information Security Architect, is an integral group/individual associated with the system developer.
The ISSE:
• Ensures information security requirements are effectively implemented throughout the security architecting, design, development, configuration, and implementation processes
• Coordinates security-related activities with the Information System Security Officer (ISSO), Information System Security Manager (ISSM), and the Common Control Provider (CCP)
The Information Owners (IO) are the Fuels Program Chief Financial Officer, US Army Colonel Alexis Greenback, and the Fuels Program Logistics Officer, Staff Sergeant Movin Now.
The IO has statutory or operational authority for specified information and establishes controls for the information's generation, collection, processing, dissemination, and disposal.
The Common Control Provider (CCP) is the Department of Defense (DoD) Fuels System.
The CCP is responsible for the planning, development, implementation, assessment, authorization, and monitoring of common controls. Organizations can have multiple CCPs depending upon how information security responsibilities are allocated organization-wide.
You, the student, have been assigned as the AFS Information System Owner.
In coordination with the Information Owner (IO), you will:
• Categorize the system and document it in the Security Plan
• Be responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system
• Plan and budget for security control implementation, assessment, and sustainment throughout the system life cycle, including timely and effective configuration and vulnerability management
The Information System Owner (ISO) or Program Manager/Systems Manager develops the Plan of Action and Milestones (POA&M) and implements corrective actions.
The Information System Security Manager (ISSM) is Ms. Sheila Fumes.
The ISSM:
• Is responsible for the day-to-day security and continuous monitoring of an Information System (IS) or Platform Information Technology (PIT) System
• Develops and maintains an organizational or system-level cybersecurity program that includes cybersecurity architecture, requirements, objectives and policies, cybersecurity personnel, and cybersecurity processes and procedures
• As the principal advisor to the Authorizing Official (AO), assembles the security authorization package
When circumstances warrant, a single individual may fulfill both the ISSM and the Information System Security Officer (ISSO) roles.
The Mission Owner (MO) is the Fuels Program Director, Colonel Sam Wheels.
The MO has operational responsibility for the mission or business process supported by the mission/business segment or the information system. The MO is the key stakeholder for system life cycle decisions.
The Program Manager is Lieutenant Colonel Whitey Fry.
The Program Manager/Systems Manager (PM/SM) is the person who has the responsibility and authority to accomplish program or system objectives for development, production and sustainment to meet the user's operational needs.
The PM/SM or Information System Owner (ISO) develops the Plan of Action and Milestones (POA&M), implements corrective actions, and ensures the security plan and POA&M are updated based on the results of the system-level continuous monitoring process.
Common Security Controls
Common security controls, as defined by Committee on National Security Systems Instruction (CNSSI) 1253, are controls whose implementation is managed by an organizational entity other than the system owner. A common control is a security control that can be applied to one or more organizational information systems and includes:
• The development, implementation and assessment of the common control, which is assigned to a responsible official or organizational element (other than the information system owner)
• The results from the assessment of the control, which can be used to support the RMF processes of an agency information system where that control has been applied
By indicating whether the controls are typically implemented as common (also known as inherited) controls, the column titled "Potentially Common/Inheritable" in Table D-2 of CNSSI 1253 provides guidance for implementation planning.
The final determination of which controls to implement as common controls will vary depending on the system and its intended environment/deployment. All controls selected for an information system must be addressed in the security plan, whether those controls are implemented by the information system or inherited from a common control provider.
Evidence must be included or referenced in the security plan that shows the information system actually receives protection from the inheritable security controls.
Table D-2 Additional Security Control Information (excerpt for AC-1 and AC-2, reconstructed from the slide's long description)
Control ID | Confidentiality | Integrity | Availability | Justification for NSS Baseline(s) | Potentially Common/Inheritable
AC-1      | x | x | x |                                        | x
AC-2      | x | x |   |                                        |
AC-2(1)   | x | x |   |                                        | x
AC-2(2)   | x | x |   |                                        | x
AC-2(3)   | x | x |   |                                        | x
AC-2(4)   | x | x |   | Insider Threat Issuance CNSSI No. 1015 | x
AC-2(5)   | x | x | x | Best Practice / Insider Threat         | x
AC-2(6)   | x | x |   |                                        |
AC-2(7)   | x | x |   | Insider Threat Issuance CNSSI No. 1015 |
AC-2(8)   | x | x |   |                                        |
AC-2(9)   | x | x |   | Insider Threat                         | x
AC-2(10)  | x | x |   | Insider Threat                         |
AC-2(11)  | x | x |   |                                        |
AC-2(12)  | x | x |   | Insider Threat                         | x
Examples of Common Security Controls
The DoD defines a Common Security Control as "a security control that is inherited by one or more organizational information systems."
The RMF Knowledge Service provides additional information on common security controls provided by Tiers 1, 2 and 3, as well as the list of Common Security Controls that can be inherited by DoD Information and PIT systems from Tier 1.
At Tier 1, the DoD CIO identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.
DoD Information and PIT systems are automatically compliant with Tier 1 common security controls because they implement, and are satisfied by, existing documented DoD-level policies.
Examples of Common Security Controls (Cont.)
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD-level policies as issued.
The Authorizing Official for the Tier 1 common security controls is the DoD Senior Information Security Officer.
Knowledge Review 1
True or False: A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
True
False
Check Answer
True. A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
Risk Management Framework Step 3: Security Control Implementation
RMF Step 3 involves the process of implementing the security controls specified in the Security Plan in accordance with DoD implementation guidance found on the RMF KS.
Select each heading to view the key factors to consider when implementing security controls: Personnel, Organization, Risk Assessment, Inheritance.
Personnel
ISSEs, with support from ISSMs and ISSOs, employ a sound security engineering process that captures and refines information security requirements and ensures their integration into information technology products and systems through purposeful security design or configuration.
Organization
Organization security control implementation includes:
• Maintaining consistency with the organization's enterprise architecture and information security architecture
• Using best practices when implementing the security controls within the Information or PIT system, including system and software engineering methodologies, security engineering principles, and secure software coding techniques
• Satisfying minimum assurance requirements when implementing security controls
• Establishing and implementing mandatory configuration settings on information technology products in accordance with federal and organizational policies
Risk Assessment
Risk assessments may help inform decisions regarding the cost, benefit and risk trade-offs in using one type of technology versus another for control implementation.
Inheritance
Security controls are typically accepted by inheriting organizations if that organization has complied with DoD implementation guidance and assessment procedures and has met the minimum DoD enterprise-wide specific assignment values.
Each organization has the authority to be more stringent than the published DoD implementation guidance and DoD-specific assignment values for individual security controls. However, the increase in stringency cannot preclude required interoperability or reciprocity.
Organizations requiring more stringency or otherwise deviating from DoD implementation guidance must document the assessment procedures used, along with justification for the deviation, in the security plan.
Common Security Controls Applied to the DoD Tiers of Risk Management
Select each tier of the strategic risk pyramid to see how common security controls are applied. The pyramid runs from Strategic Risk at the top to Tactical Risk at the base: Tier 1 - Organization; Tier 2 - Mission/Business Processes; Tier 3 - IS/PIT Systems.
Tier 1
The DoD Chief Information Officer (CIO) identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.
DoD Information System (IS) and PIT systems are automatically compliant with Tier 1 common security controls because they implement, and are satisfied by, existing documented DoD-level policies.
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD-level policies as issued. The AO for the Tier 1 common security controls is the DoD Senior Information Security Officer (SISO).
Tier 2
The DoD Component Chief Information Officer (CIO) identifies component-specific common security controls that are satisfied by existing component policy and guidance and are applicable throughout the component. Tier 2 common security controls may be more stringent than Tier 1 common security controls but may not negate or contradict them. Additionally, Tier 2 common security controls may not prevent interoperability or reciprocity between or among the DoD Components.
Component Information Systems (IS) and PIT systems are automatically compliant with Tier 2 common security controls because they implement, and are satisfied by, existing documented component policies and guidance. Risk associated with Tier 2 common security controls is assumed by the component providing the security control.
The Authorizing Official for the Tier 2 common security controls is the Component Senior Information Security Officer (SISO). Tier 2 common security controls are identified by DoD Components and should be posted to the individual DoD Component's KS workspace.
Tier 3
Within Tier 3 are Enclaves, which are a set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.
Enclaves may identify enclave-specific common security controls that are made available to Information or PIT systems that are nested within the enclave, through agreements between the enclave and the nested Information or PIT systems.
The RMF Technical Advisory Group chairman has approved amplifying guidance for Tier 3 inheritance of common controls. This may be found under the Common Controls and Inheritance tab within the RMF Knowledge Service.
Risks introduced via common security controls at Tier 3 must be documented and either accepted, mitigated or rejected by the nested Information or PIT system Authorizing Official.
Tier 1 Common Security Controls for the DoD Enterprise
The following is a list of the DoD Enterprise-level (Tier 1) common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD. DoD Information and PIT systems are considered to be automatically compliant with these controls.
Control Number | Control Title
AT-1 | SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
AT-2 | SECURITY AWARENESS TRAINING
AT-2(1) | SECURITY AWARENESS | PRACTICAL EXERCISES
AT-2(2) | SECURITY AWARENESS | INSIDER THREAT
IA-1 | IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-5(14) | AUTHENTICATOR MANAGEMENT | MANAGING CONTENT OF PKI TRUST STORES
IA-5(3) | AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
IR-1 | INCIDENT RESPONSE POLICY AND PROCEDURES
IR-4(3) | INCIDENT HANDLING | CONTINUITY OF OPERATIONS
MP-1 | MEDIA PROTECTION POLICY AND PROCEDURES
PE-1 | PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PL-1 | SECURITY PLANNING POLICY AND PROCEDURES
PL-9 | CENTRAL MANAGEMENT
PM-1 | INFORMATION SECURITY PROGRAM PLAN
PM-10 | SECURITY AUTHORIZATION PROCESS
PM-7 | ENTERPRISE ARCHITECTURE
PM-9 | RISK MANAGEMENT STRATEGY
PS-1 | PERSONNEL SECURITY POLICY AND PROCEDURES
RA-1 | RISK ASSESSMENT POLICY AND PROCEDURES
SI-1 | SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
Knowledge Review 2
At which Department of Defense (DoD) Tier of risk management is risk introduced via common security controls at the enclave level that must be documented as either accepted, mitigated or rejected risk by the nested Information System or Platform Information Technology (PIT) System Authorizing Official?
Tier 1
Tier 2
Tier 3
Check Answer
Tier 3 is the DoD tier of risk management at which risk is introduced via common security controls at the enclave level that must be documented as either accepted, mitigated or rejected risk by the nested Information System or PIT System Authorizing Official.
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation
The Security Controls Explorer, found within the RMF Knowledge Service, provides implementation guidance and best practices for implementing security controls. This resource is critical when implementing security controls within DoD.
Within the list, for each security control DoD has assigned specific values, implementation guidance and assessment procedures. These can be used to manage and document the RMF process. In addition to the Knowledge Service, these procedures can be found in the DoD Enterprise Mission Assurance Support Service (eMASS).
Example entry: AC-1 Access Control Policy and Procedures. Users can view the following control details:
• Control Text: The organization: a. Develops, documents and disseminates to [all personnel]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Annually]; and 2. Access control procedures [Annually].
• Supplemental Guidance
• References
• Security Categorization
• Implementation Guidance and Assessment Procedures
Control Correlation Identifier (CCI)
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides specific security control information that can be applied to all US Government information systems.
However, DoD has provided amplifying guidance, requirements and direction based on DoD policies, mandates, architectures and environments within the RMF Knowledge Service.
The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control. CCIs bridge the gap between high-level policy expressions and low-level technical implementations. DoD has taken every security control and associated enhancement within the Security Controls Catalog and decomposed them into individual, measurable statements.
CCIs:
• Do not change the meaning or intent of a security control
• Are simply a breakdown of each individual requirement within the security control
• Are given a numeric label
• Provide specific implementation guidance and assessment procedures
Control Correlation Identifiers Guidance
A Control Correlation Identifier gives us specific DoD guidance and procedures for implementing and assessing the security controls.
For example, when implementing the IR-7 security controls, the Control Correlation Identifiers (CCI-000839 through CCI-000842) guide us to:
• (CCI-000839) Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents
• (CCI-000840) Employ automated mechanisms to increase the availability of incident response-related information and support
• (CCI-000841) Establish a direct, cooperative relationship between its incident response capability and external providers of information system protection capability
• (CCI-000842) Identify organizational incident response team members to the external providers
Control Correlation Identifiers Guidance (Cont.)
At this time, DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing.
Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users.
In assessing this security control, we will identify and interview as necessary to determine if the CCIs are fulfilled. As DoD requires us to implement an automated intra-organization incident response information sharing capability, we must determine if this capability is implemented.
This implementation is intended to provide information and support such as standard operating procedures for incident reporting, incident handling frequently asked questions, current incident activity awareness information, incident response contact information, and incident report submissions.
ISA220 Risk Management Framework for Practitioners Lesson 51 shy Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example
IH (IJ tR7 (I)
IH (2) 1R 7 (7)(a)
~middot
IR-7 (2) IR-7 (7)(11) ~middot2
n___ - n--~ --middot-fflOOM-t fHOlotrU Wt91 lO lM ~ldHlffMdWiii Ktlbltttl lllll~HIMlmillM Ri ~ llnCIClilinamp ~ tnellllllnl PGftM MIPSIOt MM(bull Of91112aGNI 614-rwM ~middotmiddotof IMl---H-bulltouun --toMrTdolll oo----middot----Vol
-bull-nldtMlto llMrSlor -ote-bullltll--bullmiddot-shy I_1_lortlgtt-09_WV_bull
Tho Of91Z-- bullllOYI -ed-__- _ ___ ood _
c~ bM Ila -middot-middotshy---middotr-bull-___ copoMlyTllo---middot--shy~ fHPQnM tbullem~ totM _
~---- ___shytnCIChnll Chen _Vf ~~to
-SYNI 4 M ~ tffOOfrH MlOft wttet to COftlaet
--9 ------1pectedlH-NPM~ lfllJllICUOrVbullbullbullUment obt_ ___the _____ -middotmiddotmiddot---middot-~ ---~~ middotmiddot-middotmiddoti---g~ middotmiddot~lhtlcl-g-Nllled -middotmiddot--~ I S()P lor--ng--- 2-~~Nl ) Currtflt ~ lctMCy ~
4 ffticldM rHponM CONlicl --5 - ltportmiddot- shy
n --~ wtspcttdlasMned mml ~a-ogr--middot-ftlhlOtlit cWeftM bullCbull pnMdel
(CtC)SP)n--o-o cttdlMloHffd mu1amp eftd folPClmbull tM bull1t of IPllltNll ~
n__- ~ususment otllMll _ampht _____OlpNZ ~ fft wlidllbull curr11
Tho 1H--C119 bulltplCUOfttHlffllftlllC otll lndi ~ tM llllt Of ifUfMll lfICllCMft rtolfOllllP
tHponM t-n INgt M MCetNfY ampo ute II eccwMd c11N Vi 1~ deg~ ollNCNOSP -Cl40SP _ i _ - middot--- -IHpotlMl____ _lhotio CllOSP- -
Select the image above to progress through a Control Correlation Identifiers example
Page 17 of 23 Back Next
__
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example
R-7 R -7 ~n_-_tffPGftM ~~ toN
----~~ -u Md nMIMCit bullo USlfS
GllM - tyoebullmtof lht ~___yshy
IR-7(1) 11111 ~-~ -oc1 JTMChMlbullmt lO lnCfenbull of
~niR -~- shy-
R middot7 QI R middot7(1)(a) C0-1 _ - COOlpldlNI betwHnill ____ y_
__oyushy
capololity R -7 (2) IH (11 C-1 n -bull_ shy~2
~ fKpilftM lt- ~ tothl__
I The--~
I --~
~MIUHllM ~ M MpeCtIONMfft __ ----middot __ ___ I
~ tbull en rt dHll 10 ~~ ponM luppailf MNCH Md qumy
---- _
-middot M_ _tolt11-g___ -middotolllgtOM middot--wMltI I_- _
lfIOdltltl thiM ~doc~ to _ 11 M WIOdett tnpOMt ppoft
Mnitebull to COdJCt
-middot-bo9mnbullPfdl6astbullbullffd ~ bull n---_ ~bullUS-lrMntMd tDnWlt9 the ___ - -- _bolily
--__blloey middotmiddot-middot ---_~ ___ --middotmiddot-- bullbull degdeg ---2-~lAO-shygt eun-Y-bull ~rn~conlXI s ___ -The -middot shy btolll n-- shy tOftCfuclonI lftspKltdasses1S mullbull~ a -----deg IMpKbOftlauusr etuiM md bullimnwws the __~ dtfMM MMCbull~ Clf99Nl_ llnd Ct~ 10 dlltdlee bull bull CUNtinl
(CtCgtSP) - shy __ Tho ~c-cto)tilo lntpKttdMHllecJ nlllll prcMde Md IMPKtINUMlllMN mcJ Chit 1M bullbull ol fttfNI iiMltdlN Ila el tn1MYI ~ _ bullbull_ rftMllMft _ tMIP ftWtnDln es MCbullbullJatY to bull la ecabulle MdC_ deg lht ~la GllM CNOSP - CNOSP ~-- shy-1lt1 c_ _---1middot----QIOSPshy
The Incident Response Family IR-7 ( 1) is a specific control to address Incident Response AssistancelAutomation Support For Availability Of Information Support
Pag e 17 of 23 Back Next
--
___
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example
IRmiddot1 IRmiddot7
CCI
COshy
CCI-no___ _ tHfIOIM aupoon tbullto1ttbull to tN ---rH-MUpobMy 1NI elrin ~MidMliiA-U 10 Wtra
dlM-bullibullmtot11M~ --d-yWM-S
--~_ ~-------_-_-shy-
1R 1 QI IHQl(ll CO-I TM~Hl-bullclortd CoopedlNe ~
- bullbullbull-clflllY _ txtipo-d_ cwty
C0-2 TIM_bull ___IR-7 2) IRmiddot7 QI (11) iflCldlN tH$IOM4 Ibull~ to tM txtotNI_
The control is given a CCI number 000840
~
Tho --bot Tht--~~tidrMMbullud_H~ _ mpecWNHMHlMftl ___ ____ ~IOMJThtlp- topwa_rH_M_NNCHINl~ffl cMlcbull W U llMCt to uMrt W aallt1MCe ol thoH HMCff ~ 11Md I ~-middotmiddot--Y ____~ ~fVSlft~illhOnLO
Mt-et II M 1ftCldert ~
MMebull lo cotUct Tht -middot- Tht ___pectt6nMut ~ ~ obtMllll s -nne1 tht_____ ------wv---_~ ---_~ 10 0 __- _ -lomiddotmiddot---shy--_ I SOPlor--O 2 ~deg
) o Y-middot_ rHponM Conucts ~ _
Tht --bot TIM--~ lfltpeC1tidiMMUed bulllhtlilliM ~ otllMM s t1lit
fMCWodc ~ -MNCbull ptcMdef Wt CfJl)ltO 1ti1 - bull m wrren1 -middot--middotmiddot-middot ----- (QCllSP - shyTN Olll)lll zbullM bMt9 Tllif OfflllVbulldeg c0fdut19 a lfltpKlMUM tnull prNde Mii 1M91CbOftUffllrntinC Md_ tht upctae 1bt bull11 o1 tm11 llllttdMI Mt wwetnlll PifM bullbullbull~ JM ~mt_ bullbull MltHJaY to wMilbull bull 11 eccurlllbull and c_ ke ___ tlM ~ CNOSP -CHOSP____ __ C--N ___lllO ---Mt CJlOSPshy -oc1
Page 17 of 23 Back Next
---
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example
CCIOoshy
IR-1 A-1 CO- no___- Tho __ Tht--~t fHSIOMbull IUIJPM flICMilU ti lO the specttclr_IMCf Hfaibllltl MPKtflftHtfflmenl ~onll~ fHpOftH capiibMy lftCdtiril rnpoftM ~MNCe Of9ilV-oNI VHft to _ tllftHamp fl ma~~Md nace 10 Mllogow bullbull rr POHJt to~~ rHpMM 9tIPPOft middot~ Md -1bull ollllt-JY(tmloflllt_ --u-010-lof n-tMIMM_n_lllOd I--middotuany -~-middotmiddot-~--middot-y-- __--lO
_ff 11 idlnlI M ~ HSOONbull ~ MNCe to COlUCI
Rmiddot1 (1) Amiddot1 (1) The organizat ion employs automated Tho --bull_impecbatllbulluu olilaM ft x tht mechanisms to Increase the availability of
--- ---- C-Y__bololy IO-o IN__~incident response-related Information and _ - __ support _
----middot ~~~-~ l c~ bull deg - tclfleyFor each ~ fftPQnM COfll-ICImeasurable -shy
statement shys---shyTho __ Thi--~Thtot--bullbulloct c~MLll11s mspecte6assustcl rnmt ~ bull ~anbulltslNftl~ mtd IM
- middot-~ysmshy~__MtMlkMNCt prCMdet __wtQ~ lot II 9 CUfWll ----middot-- --cloc--hcopoWry (QC)SP) Mid shyTho__ Tho_ c-g lllollH C2) A-7 (2)(b) Thl0t~-middot~shy -OIHuocl-l~ond _ _ ___~ tflpenM tt ~tom tXltmal pnMdiln upclabull the bullbull Cl ~ ~~middot bullbull ~
POftM mttntltta bullbull MCairt to II ecc Md CllilNWll ~ ttw~lllo~eltlltCHOSP _CHOSP___ - -- __pon--MOylhollt
CtlOSP19- middot- The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog
Page 17 of 23 Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example
IR-7 (1): The organization being inspected/assessed will implement an automated intra-organization incident response information sharing capability. DoD specific guidance gives examples of the information to be made available: 1. SOP for incident reporting; 2. Incident handling FAQ; 3. Current incident activity awareness information; 4. Incident response contact and procedures information; 5. Incident report submission. The organization conducting the inspection/assessment obtains and examines the automated incident response information sharing capability to validate that the information sharing capability is available to organizational users.
[The IR-7 (2)(a) and IR-7 (2)(b) rows, concerning external providers and the list of internal incident response team members, are not recoverable from the image.]
DoD provides guidance and procedures. This supplemental guidance reflecting automated mechanisms can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website or, conversely, the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
Long Description
A typical Control Correlation Identifiers entry is comprised of:
• Control Number (IR-7 (1) is highlighted): The Incident Response Family IR-7 (1) is a specific control to address Incident Response Assistance | Automation Support For Availability Of Information / Support.
• CCI label (highlighted): The control is given a CCI number, 000840.
• CCI definition (highlighted): The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog.
• Guidance (highlighted): DoD provides guidance and procedures. This supplemental guidance reflecting automated mechanisms can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website or, conversely, the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.
We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.
When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.
SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.
The first group is the four Core SRGs, which deal with Applications, Networking Devices, Operating Systems and Policy. The second group is technology-specific SRGs. A technology-specific SRG is a child of a Core SRG; for example, the Database SRG was derived from the requirements in the Application SRG.
The Purpose and Implementation Of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated as appropriate into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs) and Integrated Master Plans/Schedules (IMPs/IMSs).
CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and SSE should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management, risk deliberations, and throughout Systems Engineering Technical Review (SETR) processes and reviews.
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.
Especially consider when a vendor or organization has used automation to allow them to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.
The Department of Defense Instruction (DoDI) 8500 Series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guidelines (SRGs).
In the absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance, or National Information Assurance Program (NIAP) Protection Profiles.
National Information Assurance Program
The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST).
Knowledge Review 3
The Department of Defense (DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual measurable statements referred to as (Fill in the blank):
[ ] DoD Security Controls
[ ] Common Security Controls
[x] Control Correlation Identifiers
[ ] Security Controls catalog
Check Answer
The Department of Defense (DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlation Identifiers.
Lesson Completion
You have completed the content for this lesson
To continue, select another lesson from the Table of Contents on the left.
If you have closed or hidden the Table of Contents click the Show TOC button at the top in the Atlas navigation bar
Automated Fuels System Roles and Responsibilities: Select each of the icons to learn more about the Roles and Responsibilities.
The Information Owners (IO) are the Fuels Program Chief Financial Officer, US Army Colonel Alexis Greenback, and the Fuels Program Logistics Officer, Staff Sergeant Movin Now.
The IO has statutory or operational authority for specified information and establishes controls for the information generation collection processing dissemination and disposal
The Common Control Provider (CCP) is the Department of Defense (DoD) Fuels System.
The CCP is responsible for the planning, development, implementation, assessment, authorization and monitoring of common controls. Organizations can have multiple CCPs depending upon how information security responsibilities are allocated organization-wide.
You the student have been assigned as the AFS Information System Owner
In coordination with the Information Owner (IO) you will:
• Categorize the system and document it in the Security Plan
• Be responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system
• Plan and budget for security control implementation, assessment and sustainment throughout the system life cycle, including timely and effective configuration and vulnerability management
The Information System Owner (ISO) or Program Manager/Systems Manager develops the Plan of Action and Milestones (POA&M) and implements corrective actions.
The Information System Security Manager (ISSM) is Ms Sheila Fumes.
The ISSM:
• Is responsible for the day-to-day security and continuous monitoring of an Information System (IS) or Platform Information Technology (PIT) System
• Develops and maintains an organizational or system-level cybersecurity program that includes cybersecurity architecture, requirements, objectives and policies, cybersecurity personnel, and cybersecurity processes and procedures
• As the principal advisor to the Authorizing Official (AO), assembles the security authorization package
When circumstances warrant a single individual may fulfill both the ISSM and the Information System Security Officer (ISSO) roles
The Mission Owner ( MO) is the Fuels Program Director Colonel Sam Wheels
The MO has operational responsibility for the mission or business process supported by the mission/business segment or the information system. The MO is the key stakeholder for system life cycle decisions.
The Program Manager is Lieutenant Colonel Whitey Fry
The Program Manager/Systems Manager (PM/SM) is the person who has the responsibility and authority to accomplish program or system objectives for development, production and sustainment to meet the user's operational needs.
The PM/SM or Information System Owner (ISO) develops the Plan of Action and Milestones (POA&M), implements corrective actions, and ensures the security plan and POA&M are updated based on the results of the system-level continuous monitoring process.
Common Security Controls
Common Security controls, as defined by Committee on National Security Systems Instruction (CNSSI) 1253, are controls in which the implementation is managed by an organizational entity other than the system owner. It is a security control that can be applied to one or more organizational information systems and includes:
• The development, implementation and assessment of the common control that is assigned to a responsible official or organizational element (other than the information system owner)
• The results from the assessment of the control, which can be used to support the RMF processes of an agency information system where that control has been applied
By indicating whether the controls are typically implemented as common (also known as inherited) controls, the column titled Potentially Common/Inheritable in Table D-2 of CNSSI 1253 provides guidance with implementation planning.
The final determination of which controls to implement as common controls will vary depending on the system and its intended environment/deployment. All controls selected for an information system must be addressed in the security plan, whether those controls are implemented by the information system or inherited from a common control provider.
Evidence must be included or referenced in the security plan that shows the information system actually receives protection from the inheritable security controls.
[Figure: excerpt of CNSSI 1253 Table D-2 Additional Security Control Information, rows AC-1 through AC-2(12).]
Long Description
Table D-2 Security Control Baselines contains the Control ID, Confidentiality, Integrity, Availability, Justification for NSS Baseline(s) and Potentially Common/Inheritable. AC-1, 2, 2(1), 2(2), 2(3), 2(4), 2(5), 2(6), 2(7), 2(8), 2(9), 2(10), 2(11) and 2(12) have Confidentiality and Integrity.
• AC-1 has Availability and Potentially Common/Inheritable
• AC-2(1), 2(2), 2(3) have Potentially Common/Inheritable
• AC-2(4) has an Insider Threat Issuance CNSSI No 1015 and is Potentially Common/Inheritable
• AC-2(5) has Availability; Justification for NSS Baseline is Best Practice, Insider Threat. It is also Potentially Common/Inheritable
• AC-2(7) has an Insider Threat Issuance CNSSI No 1015
• AC-2(9) and AC-2(12) have a Justification for NSS Baseline as Insider Threat and are Potentially Common/Inheritable
• AC-2(10) has a Justification for NSS Baseline as Insider Threat
Examples of Common Security Controls
The DoD defines a Common Security Control as "A security control that is inherited by one or more organizational information systems."
The RMF Knowledge Service provides additional information on common security controls provided by Tiers 1 2 and 3 as well as the list of Common Security Controls that can be inherited by DoD Information and PIT systems from Tier 1
At Tier 1 the DoD CIO identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD
DoD Information and PIT systems are automatically compliant with Tier 1 common security controls because they implement and are satisfied by existing documented DoD level policies
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD level policies as issued
The Authorizing Official for the Tier 1 common security controls is the DoD Senior Information Security Officer.
Knowledge Review 1
True or False: A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
[x] True
[ ] False
Check Answer
True. A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
Risk Management Framework Step 3 Security Control Implementation
RMF Step 3 involves the process of implementing the security controls specified in the Security Plan in accordance with DoD implementation guidance found on the RMF KS.
Select each heading to view the key factors to consider when implementing security controls: Personnel | Organization | Risk Assessment | Inheritance
Personnel
ISSEs, with support from ISSMs and ISSOs, employ a sound security engineering process that captures and refines information security requirements and ensures their integration into information technology products and systems through purposeful security design or configuration.
Organization
Organization security control implementation includes:
• Maintaining consistency with the organization's enterprise architecture and information security architecture
• Using best practices when implementing the security controls within the Information or PIT system, including system and software engineering methodologies, security engineering principles, and secure software coding techniques
• Satisfying minimum assurance requirements when implementing security controls
• Establishing and implementing mandatory configuration settings on information technology products in accordance with federal and organizational policies
Risk Assessment
Risk assessments may help inform decisions regarding the cost, benefit and risk trade-offs in using one type of technology versus another for control implementation.
Inheritance
Security controls are typically accepted by inheriting organizations if that organization has complied with DoD implementation guidance and assessment procedures and has met the minimum DoD enterprise-wide specific assignment values.
Each organization has the authority to be more stringent than the published DoD implementation guidance and DoD specific assignment values for individual security controls. However, the increase in stringency cannot preclude required interoperability or reciprocity.
Organizations requiring more stringency or otherwise deviating from DoD implementation guidance must document the assessment procedures used, along with justification for the deviation, in the security plan.
Common Security Controls Applied to the DoD Tiers of Risk Management
Select each tier of the Strategic risk pyramid to see how common security controls are applied.
[Figure: risk pyramid labelled STRATEGIC RISK at the top and TACTICAL RISK at the bottom.]
Tier 1
The DoD Chief Information Officer (CIO) identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.
DoD Information System (IS) and PIT systems are automatically compliant with Tier 1 common security controls because they implement and are satisfied by existing documented DoD level policies.
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD level policies as issued. The AO for the Tier 1 common security controls is the DoD Senior Information Security Officer (SISO).
Tier 2
The DoD Component Chief Information Officer (CIO) identifies component-specific common security controls that are satisfied by existing component policy and guidance and are applicable throughout the component. Tier 2 common security controls may be more stringent than Tier 1 common security controls but may not negate or contradict them. Additionally, Tier 2 common security controls may not prevent interoperability or reciprocity between or among the DoD Components.
Component Information Systems (IS) and PIT systems are automatically compliant with Tier 2 common security controls because they implement and are satisfied by existing documented component policies and guidance. Risk associated with Tier 2 common security controls is assumed by the component providing the security control.
The Authorizing Official for the Tier 2 common security controls is the Component Senior Information Security Officer (SISO). Tier 2 common security controls are identified by DoD Components and should be posted to the individual DoD Component's KS workspace.
Tier 3
Within Tier 3 are Enclaves which are a set of system resources that operate in the same security domain and that share the protection of a single common continuous security perimeter
Enclaves may identify enclave-specific common security controls that are made available to Information or PIT systems that are nested within the enclave through agreements between the enclave and the nested Information or PIT systems
The RMF Technical Advisory Group chairman has approved amplifying guidance for Tier 3 inheritance of common controls This may be found under the Common Controls and Inheritance tab within the RMF Knowledge Service
Risks introduced via common security controls at Tier 3 must be documented and either accepted mitigated or rejected by the nested Information or PIT system Authorizing Official
Long Description
DoD Tiers of Risk Management (pyramid, Strategic Risk at the top, Tactical Risk at the bottom): Tier 1 - Organization; Tier 2 - Mission/Business Processes; Tier 3 - IS/PIT Systems.
Tier 1 Common Security Controls for the DoD Enterprise
The following is a list of the DoD Enterprise level (Tier 1) common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD. DoD Information and PIT systems are considered to be automatically compliant with these controls.
Control Number: Control Title
AT-1: SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
AT-2: SECURITY AWARENESS TRAINING
AT-2(1): SECURITY AWARENESS | PRACTICAL EXERCISES
AT-2(2): SECURITY AWARENESS | INSIDER THREAT
IA-1: IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-5(14): AUTHENTICATOR MANAGEMENT | MANAGING CONTENT OF PKI TRUST STORES
IA-5(3): AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
IR-1: INCIDENT RESPONSE POLICY AND PROCEDURES
IR-4(3): INCIDENT HANDLING | CONTINUITY OF OPERATIONS
MP-1: MEDIA PROTECTION POLICY AND PROCEDURES
PE-1: PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PL-1: SECURITY PLANNING POLICY AND PROCEDURES
PL-9: CENTRAL MANAGEMENT
PM-1: INFORMATION SECURITY PROGRAM PLAN
PM-10: SECURITY AUTHORIZATION PROCESS
PM-7: ENTERPRISE ARCHITECTURE
PM-9: RISK MANAGEMENT STRATEGY
PS-1: PERSONNEL SECURITY POLICY AND PROCEDURES
RA-1: RISK ASSESSMENT POLICY AND PROCEDURES
SI-1: SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
Knowledge Review 2
At which Department of Defense (DoD) Tier of risk management is risk introduced via common security controls at the enclave level that must be documented as either accepted, mitigated, or rejected risk by the nested Information System or Platform Information Technology (PIT) System Authorizing Official?
[ ] Tier 1
[ ] Tier 2
[x] Tier 3
Check Answer
Tier 3 is the DoD tier of risk management at which risk is introduced via common security controls at the enclave level that must be documented as either accepted, mitigated, or rejected risk by the nested Information System or PIT System Authorizing Official.
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation
The Security Controls Explorer, found within the RMF Knowledge Service, provides implementation guidance and best practices for implementing security controls. This resource is critical when implementing security controls within DoD.
Within the list for each security control, DoD has assigned specific values, implementation guidance, and assessment procedures. These can be used to manage and document the RMF process. In addition to the Knowledge Service, these procedures can be found in the DoD Enterprise Mission Assurance Support Service (eMASS).
AC-1 Access Control Policy and Procedures
• Control Text: The organization: a. Develops, documents, and disseminates to [all personnel]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Annually]; and 2. Access control procedures [Annually].
• Supplemental Guidance
• References
• Security Categorization
• Implementation Guidance and Assessment Procedures
Control Correlation Identifier (CCI)
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides specific security control information that can be applied to all US Government information systems.
However, DoD has provided amplifying guidance, requirements, and direction based on DoD policies, mandates, architectures, and environments within the RMF Knowledge Service.
The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control. CCIs bridge the gap between high-level policy expressions and low-level technical implementations. DoD has taken every security control and associated enhancements within the Security Controls Catalog and decomposed them into individual measurable statements.
CCIs:
• Do not change the meaning or intent of a security control
• Are simply a breakdown of each individual requirement within the security control
• Are given a numeric label
• Provide specific implementation guidance and assessment procedures
Control Correlation Identifiers Guidance
A Control Correlation Identifier gives us specific DoD guidance and procedures for implementing and assessing the security controls.
For example, when implementing IR-7 security controls, the Control Correlation Identifiers (CCI-000839 through CCI-000842) guide us to:
• (CCI-000839) Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents
• (CCI-000840) Employ automated mechanisms to increase the availability of incident response-related information and support
• (CCI-000841) Establish a direct, cooperative relationship between its incident response capability and external providers of information system protection capability
• (CCI-000842) Identify organizational incident response team members to the external providers
Control Correlation Identifiers Guidance (Cont.)
At this time, DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing.
Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users.
In assessing this security control, we will identify and interview as necessary to determine if the CCIs are fulfilled. As DoD requires us to implement an automated intra-organization incident response information sharing capability, we must determine if this capability is implemented.
This implementation is intended to provide information and support such as standard operating procedures for incident reporting, incident handling frequently asked questions, current incident activity awareness information, incident response contact information, and incident report submissions.
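As an added illustration (not course material and not any DoD tool), the following Python models the IR-7 decomposition above and rolls CCI-level findings up to a control status, applying two rules the lesson states: a control is satisfied only when every one of its CCIs is fulfilled, and an inherited control counts only when the security plan includes or references evidence of it. The CCI numbers and statements are the ones the lesson quotes; the `Finding` records, evidence strings, and the `control_status` and `poam_items` helpers are constructed for this example.

```python
"""Roll CCI-level assessment findings up to security-control status.

Added example, not part of the ISA220 course material. The four CCIs and
their statements are the ones the lesson quotes for IR-7; the Finding
records and evidence references below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# CCIs for IR-7 as decomposed by DoD (per the lesson). Each CCI is one
# measurable statement; the control/enhancement it belongs to follows the
# Security Control Explorer example: IR-7, IR-7(1), IR-7(2)(a) and (b).
IR7_CCIS: Dict[str, Tuple[str, str]] = {
    "CCI-000839": ("IR-7",
        "Provide an incident response support resource, integral to the "
        "organizational incident response capability, that offers advice and "
        "assistance to users for the handling and reporting of security incidents."),
    "CCI-000840": ("IR-7(1)",
        "Employ automated mechanisms to increase the availability of incident "
        "response-related information and support."),
    "CCI-000841": ("IR-7(2)",  # part (a)
        "Establish a direct, cooperative relationship between the incident "
        "response capability and external providers of protection capability."),
    "CCI-000842": ("IR-7(2)",  # part (b)
        "Identify organizational incident response team members to the external providers."),
}

VALID_STATUS = {"implemented", "not implemented", "inherited"}


@dataclass
class Finding:
    """Assessment result for one CCI (constructed record format)."""
    cci: str
    status: str           # one of VALID_STATUS
    evidence: str = ""    # security-plan artefact reference; required if inherited
    provider: str = ""    # common control provider, when inherited


def ccis_for(control_id: str) -> List[str]:
    """All CCIs decomposed from one control or enhancement, e.g. 'IR-7(2)'."""
    return [c for c, (ctl, _) in IR7_CCIS.items() if ctl == control_id]


def cci_gap(f: Finding) -> str:
    """Return '' if the CCI is satisfied, otherwise the reason it is open."""
    if f.status not in VALID_STATUS:
        raise ValueError(f"{f.cci}: unknown status {f.status!r}")
    if f.status == "not implemented":
        return "CCI not implemented"
    # Lesson rule: an inherited control counts only if the security plan
    # includes or references evidence that the system actually receives it.
    if f.status == "inherited" and not f.evidence:
        return f"inherited from {f.provider or 'unknown provider'} without referenced evidence"
    return ""


def control_status(control_id: str, findings: Dict[str, Finding]) -> str:
    """Roll CCI findings up: a control is Compliant only if every CCI is met."""
    ccis = ccis_for(control_id)
    if not ccis:
        raise KeyError(f"no CCIs known for {control_id}")
    missing = [c for c in ccis if c not in findings]
    open_gaps = [c for c in ccis if c in findings and cci_gap(findings[c])]
    if open_gaps:
        return "Non-Compliant"
    if missing:
        return "Not Assessed"
    return "Compliant"


def poam_items(findings: Dict[str, Finding]) -> List[Tuple[str, str, str]]:
    """(control, CCI, reason) for every open CCI: the input to a POA&M."""
    items = []
    for cci, (ctl, _) in IR7_CCIS.items():
        if cci not in findings:
            items.append((ctl, cci, "not assessed"))
            continue
        reason = cci_gap(findings[cci])
        if reason:
            items.append((ctl, cci, reason))
    return items


# Constructed sample findings for the AFS example system.
SAMPLE_FINDINGS: Dict[str, Finding] = {
    "CCI-000839": Finding("CCI-000839", "implemented", "SP Appendix C, help-desk SOP"),
    "CCI-000840": Finding("CCI-000840", "implemented", "IR portal screenshots: FAQ, contacts"),
    "CCI-000841": Finding("CCI-000841", "inherited", "", provider="Enclave CCP"),
    "CCI-000842": Finding("CCI-000842", "not implemented"),
}

if __name__ == "__main__":
    for ctl in ("IR-7", "IR-7(1)", "IR-7(2)"):
        print(ctl, control_status(ctl, SAMPLE_FINDINGS))
    for item in poam_items(SAMPLE_FINDINGS):
        print("POA&M:", *item)
```

With the sample data, IR-7 and IR-7(1) roll up as Compliant while IR-7(2) is Non-Compliant on both of its CCIs, one for the missing evidence reference and one for the unimplemented statement.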
Control Correlation Identifiers Example
[Screenshot: RMF Knowledge Service Security Control Explorer entry for IR-7, with columns Control, 800-53 Control, CCI Number, Text, and Indicator; rows cover IR-7 (CCI-000839), IR-7(1) (CCI-000840), IR-7(2)(a) (CCI-000841), and IR-7(2)(b) (CCI-000842). Selecting the image steps through the example.]
Long Description
A typical Control Correlation Identifiers entry is comprised of:
• Control Number (IR-7(1) is highlighted): The Incident Response family control IR-7(1) is a specific control to address Incident Response Assistance | Automation Support for Availability of Information/Support.
• CCI label (highlighted): The control is given a CCI number, 000840.
• CCI definition (highlighted): "The organization employs automated mechanisms to increase the availability of incident response-related information and support." The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog.
• Guidance (highlighted): DoD provides guidance and procedures. This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website, or conversely the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
The DoD-specific implementation guidance and assessment procedure shown for the highlighted IR-7(1) entry read:
• Implementation: The organization being inspected/assessed will implement an automated intra-organization incident response information sharing capability, including incident-related information and support, for example: 1. SOP for incident reporting; 2. Incident handling FAQ; 3. Current incident activity awareness information; 4. Incident response contact information; 5. Incident report submission.
• Assessment: The organization conducting the inspection/assessment obtains and examines the incident response information sharing capability to validate that the information sharing capability is available to organizational users.
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.
We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs) (Cont.)
When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.
SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.
The first group is the four Core SRGs, which deal with Applications, Networking Devices, Operating Systems, and Policy. The second group is the technology-specific SRGs. A technology-specific SRG is a child of a Core SRG; for example, the Database SRG was derived from the requirements in the Application SRG.
The Purpose and Implementation of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated, as appropriate, into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs), and Integrated Master Plans/Schedules (IMPs/IMSs).
CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and SSE should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management, and risk deliberations, and throughout Systems Engineering Technical Review (SETR) processes and reviews.
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.
Especially consider when a vendor or organization has used automation to allow them to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.
The Department of Defense Instruction (DoDI) 8500 Series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guidelines (SRGs).
In the absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance, or National Information Assurance Program (NIAP) Protection Profiles.
National Information Assurance Program
The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST).
For more information, please visit the NIAP website (the link is not legible in this transcript).
Knowledge Review 3
The Department of Defense (DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual measurable statements referred to as (fill in the blank):
DoD Security Controls
Common Security Controls
Control Correlation Identifiers
Security Controls Catalog
Check Answer
The Department of Defense (DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlation Identifiers.
Lesson Completion
You have completed the content for this lesson
To continue, select another lesson from the Table of Contents on the left.
If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.
Automated Fuels System Roles and Responsibilities. Select each of the icons to learn more about the Roles and Responsibilities.
The Common Control Provider (CCP) is the Department of Defense (DoD) Fuels System.
The CCP is responsible for the planning, development, implementation, assessment, authorization, and monitoring of common controls. Organizations can have multiple CCPs depending upon how information security responsibilities are allocated organization-wide.
You, the student, have been assigned as the AFS Information System Owner.
In coordination with the Information Owner (IO), you will:
• Categorize the system and document it in the Security Plan
• Be responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system
• Plan and budget for security control implementation, assessment, and sustainment throughout the system life cycle, including timely and effective configuration and vulnerability management
The Information System Owner (ISO) or Program Manager/Systems Manager develops the Plan of Action and Milestones (POA&M) and implements corrective actions.
The Information System Security Manager (ISSM) is Ms. Sheila Fumes.
The ISSM:
• Is responsible for the day-to-day security and continuous monitoring of an Information System (IS) or Platform Information Technology (PIT) System
• Develops and maintains an organizational or system-level cybersecurity program that includes cybersecurity architecture, requirements, objectives and policies, cybersecurity personnel, and cybersecurity processes and procedures
• As the principal advisor to the Authorizing Official (AO), assembles the security authorization package
When circumstances warrant, a single individual may fulfill both the ISSM and the Information System Security Officer (ISSO) roles.
The Mission Owner (MO) is the Fuels Program Director, Colonel Sam Wheels.
The MO has operational responsibility for the mission or business process supported by the mission/business segment or the information system. The MO is the key stakeholder for system life cycle decisions.
The Program Manager is Lieutenant Colonel Whitey Fry.
The Program Manager/Systems Manager (PM/SM) is the person who has the responsibility and authority to accomplish program or system objectives for development, production, and sustainment to meet the users' operational needs.
The PM/SM or Information System Owner (ISO) develops the Plan of Action and Milestones (POA&M), implements corrective actions, and ensures the security plan and POA&M are updated based on the results of the system-level continuous monitoring process.
Common Security Controls
Common Security Controls, as defined by Committee on National Security Systems Instruction (CNSSI) 1253, are controls in which the implementation is managed by an organizational entity other than the system owner. It is a security control that can be applied to one or more organizational information systems and includes:
• The development, implementation, and assessment of the common control that is assigned to a responsible official or organizational element (other than the information system owner)
• The results from the assessment of the control, which can be used to support the RMF processes of an agency information system where that control has been applied
By indicating whether the controls are typically implemented as common (also known as inherited) controls, the column titled Potentially Common/Inheritable in Table D-2 of CNSSI 1253 provides guidance for implementation planning.
The final determination of which controls to implement as common controls will vary depending on the system and its intended environment/deployment. All controls selected for an information system must be addressed in the security plan, whether those controls are implemented by the information system or inherited from a common control provider.
Evidence must be included or referenced in the security plan that shows the information system actually receives protection from the inheritable security controls.
Table D-2 Additional Security Control Information (excerpt: AC-1 through AC-2(12); C = Confidentiality, I = Integrity, A = Availability)
ID        C  I  A  Justification for NSS Baseline(s)       Potentially Common/Inheritable
AC-1      x  x  x                                          x
AC-2      x  x
AC-2(1)   x  x                                             x
AC-2(2)   x  x                                             x
AC-2(3)   x  x                                             x
AC-2(4)   x  x     Insider Threat Issuance CNSSI No. 1015  x
AC-2(5)   x  x  x  Best Practice; Insider Threat           x
AC-2(6)   x  x
AC-2(7)   x  x     Insider Threat Issuance CNSSI No. 1015
AC-2(8)   x  x
AC-2(9)   x  x     Insider Threat                          x
AC-2(10)  x  x     Insider Threat
AC-2(11)  x  x
AC-2(12)  x  x     Insider Threat                          x
Long Description
Table D-2 Security Control Baselines contains the Control ID, Confidentiality, Integrity, Availability, Justification for NSS Baseline(s), and Potentially Common/Inheritable columns. AC-1, 2, 2(1), 2(2), 2(3), 2(4), 2(5), 2(6), 2(7), 2(8), 2(9), 2(10), 2(11), and 2(12) have Confidentiality and Integrity.
• AC-1 has Availability and Potentially Common/Inheritable.
• AC-2(1), 2(2), and 2(3) have Potentially Common/Inheritable.
• AC-2(4) has an Insider Threat Issuance, CNSSI No. 1015, and is Potentially Common/Inheritable.
• AC-2(5) has Availability; its Justification for NSS Baseline is Best Practice, Insider Threat. It is also Potentially Common/Inheritable.
• AC-2(7) has an Insider Threat Issuance, CNSSI No. 1015.
• AC-2(9) and AC-2(12) have a Justification for NSS Baseline of Insider Threat and are Potentially Common/Inheritable.
• AC-2(10) has a Justification for NSS Baseline of Insider Threat.
Examples of Common Security Controls
The DoD defines a Common Security Control as "A security control that is inherited by one or more organizational information systems."
The RMF Knowledge Service provides additional information on common security controls provided by Tiers 1, 2, and 3, as well as the list of Common Security Controls that can be inherited by DoD Information and PIT systems from Tier 1.
At Tier 1, the DoD CIO identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.
DoD Information and PIT systems are automatically compliant with Tier 1 common security controls because they implement, and are satisfied by, existing documented DoD-level policies.
Examples of Common Security Controls (Cont.)
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD-level policies as issued.
The Authorizing Official for the Tier 1 common security controls is the DoD Senior Information Security Officer.
Knowledge Review 1
True or False: A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
True
False
Check Answer
True. A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
Risk Management Framework Step 3 Security Control Implementation
RMF Step 3 involves the process of implementing the security controls specified in the Security Plan in accordance with DoD implementation guidance found on the RMF KS.
Select each heading to view the key factors to consider when implementing security controls.
Personnel
ISSEs, with support from ISSMs and ISSOs, employ a sound security engineering process that captures and refines information security requirements and ensures their integration into information technology products and systems through purposeful security design or configuration.
Organization
Organization security control implementation includes:
• Maintaining consistency with the organization's enterprise architecture and information security architecture
• Using best practices when implementing the security controls within the Information or PIT system, including system and software engineering methodologies, security engineering principles, and secure software coding techniques
• Satisfying minimum assurance requirements when implementing security controls
• Establishing and implementing mandatory configuration settings on information technology products in accordance with federal and organizational policies
Risk Assessment
Risk assessments may help inform decisions regarding the cost, benefit, and risk trade-offs in using one type of technology versus another for control implementation.
Inheritance
Security controls are typically accepted by inheriting organizations if that organization has complied with DoD implementation guidance and assessment procedures and has met the minimum DoD enterprise-wide specific assignment values.
Each organization has the authority to be more stringent than the published DoD implementation guidance and DoD specific assignment values for individual security controls. However, the increase in stringency cannot preclude required interoperability or reciprocity.
Organizations requiring more stringency, or otherwise deviating from DoD implementation guidance, must document the assessment procedures used, along with justification for the deviation, in the security plan.
Common Security Controls Applied to the DoD Tiers of Risk Management
Select each tier of the Strategic risk pyramid to see how common security controls are applied.
[Figure: risk pyramid labelled Strategic Risk at the top and Tactical Risk at the bottom; see the Long Description below.]
Tier 1
The DoD Chief Information Officer (CIO) identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.
DoD Information System (IS) and PIT systems are automatically compliant with Tier 1 common security controls because they implement, and are satisfied by, existing documented DoD level policies.
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD level policies as issued. The AO for the Tier 1 common security controls is the DoD Senior Information Security Officer (SISO).
Tier 2
The DoD Component Chief Information Officer (CIO) identifies component-specific common security controls that are satisfied by existing component policy and guidance and are applicable throughout the component. Tier 2 common security controls may be more stringent than Tier 1 common security controls but may not negate or contradict them. Additionally, Tier 2 common security controls may not prevent interoperability or reciprocity between or among the DoD Components.
Component Information Systems (IS) and PIT systems are automatically compliant with Tier 2 common security controls because they implement, and are satisfied by, existing documented component policies and guidance. Risk associated with Tier 2 common security controls is assumed by the component providing the security control.
The Authorizing Official for the Tier 2 common security controls is the Component Senior Information Security Officer (SISO). Tier 2 common security controls are identified by DoD Components and should be posted to the individual DoD Component's KS workspace.
Tier 3
Within Tier 3 are Enclaves, which are a set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.
Enclaves may identify enclave-specific common security controls that are made available to Information or PIT systems that are nested within the enclave, through agreements between the enclave and the nested Information or PIT systems.
The RMF Technical Advisory Group chairman has approved amplifying guidance for Tier 3 inheritance of common controls. This may be found under the Common Controls and Inheritance tab within the RMF Knowledge Service.
Risks introduced via common security controls at Tier 3 must be documented and either accepted, mitigated, or rejected by the nested Information or PIT system Authorizing Official.
Long Description
DoD Tiers of Risk Management: Tier 1 - Organization; Tier 2 - Mission/Business Processes; Tier 3 - IS/PIT Systems.
Tier 1 Common Security Controls for the DoD Enterprise
The following is a list of the DoD Enterprise level (Tier 1) common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD. DoD Information and PIT systems are considered to be automatically compliant with these controls.
Control Number / Control Title
AT-1 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
AT-2 SECURITY AWARENESS TRAINING
AT-2(1) SECURITY AWARENESS | PRACTICAL EXERCISES
AT-2(2) SECURITY AWARENESS | INSIDER THREAT
IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-5(14) AUTHENTICATOR MANAGEMENT | MANAGING CONTENT OF PKI TRUST STORES
IA-5(3) AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES
IR-4(3) INCIDENT HANDLING | CONTINUITY OF OPERATIONS
MP-1 MEDIA PROTECTION POLICY AND PROCEDURES
PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PL-1 SECURITY PLANNING POLICY AND PROCEDURES
PL-9 CENTRAL MANAGEMENT
PM-1 INFORMATION SECURITY PROGRAM PLAN
PM-10 SECURITY AUTHORIZATION PROCESS
PM-7 ENTERPRISE ARCHITECTURE
PM-9 RISK MANAGEMENT STRATEGY
PS-1 PERSONNEL SECURITY POLICY AND PROCEDURES
RA-1 RISK ASSESSMENT POLICY AND PROCEDURES
SI-1 SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
Knowledge Review 2
At which Department of Defense (DoD) Tier of risk management is risk introduced via common security controls at the enclave level that must be documented as either accepted, mitigated, or rejected risk by the nested Information System or Platform Information Technology (PIT) System Authorizing Official?
Tier 1
Tier 2
Tier 3
Check Answer
Tier 3 is the DoD tier of risk management at which risk is introduced via common security controls at the enclave level that must be documented as either accepted, mitigated, or rejected risk by the nested Information System or PIT System Authorizing Official.
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation
The Security Controls Explorer found within the RMF Knowledge Service provides implementation guidance and best practices for implementing security controls. This resource is critical when implementing security controls within DoD.
Within the list for each security control, DoD has assigned specific values, implementation guidance, and assessment procedures. These can be used to manage and document the RMF process. In addition to the Knowledge Service, these procedures can be found in the DoD Enterprise Mission Assurance Support Service (eMASS).
AC-1 ACCESS CONTROL POLICY AND PROCEDURES
Control Text: The organization: a. Develops, documents, and disseminates to [all personnel]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Annually]; and 2. Access control procedures [Annually].
Supplemental Guidance
References
Security Categorization
Implementation Guidance and Assessment Procedures
Control Correlation Identifier (CCI)
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides specific security control information that can be applied to all US Government information systems.
However, DoD has provided amplifying guidance, requirements, and direction based on DoD policies, mandates, architectures, and environments within the RMF Knowledge Service.
The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control. CCIs bridge the gap between high-level policy expressions and low-level technical implementations. DoD has taken every security control and associated enhancement within the Security Controls Catalog and decomposed them into individual, measurable statements.
CCIs:
• Do not change the meaning or intent of a security control
• Are simply a breakdown of each individual requirement within the security control
• Are given a numeric label
• Provide specific implementation guidance and assessment procedures
Control Correlation Identifiers Guidance
A Control Correlation Identifier gives us specific DoD guidance and procedures for implementing and assessing the security controls.
For example, when implementing the IR-7 security controls, the Control Correlation Identifiers (CCI-000839 through CCI-000842) guide us to:
• (CCI-000839) Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents
• (CCI-000840) Employ automated mechanisms to increase the availability of incident response-related information and support
• (CCI-000841) Establish a direct, cooperative relationship between its incident response capability and external providers of information system protection capability
• (CCI-000842) Identify organizational incident response team members to the external providers
Control Correlation Identifiers Guidance Cont
At this time, DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing.
Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users.
In assessing this security control, we will identify and interview as necessary to determine if the CCIs are fulfilled. As DoD requires us to implement an automated intra-organization incident response information sharing capability, we must determine if this capability is implemented.
This implementation is intended to provide information and support such as standard operating procedures for incident reporting, incident handling frequently asked questions, current incident activity awareness information, incident response contact information, and incident report submissions.
Control Correlation Identifiers Example
[Figure: Control Correlation Identifiers example table for IR-7, IR-7(1), and IR-7(2), stepped through by highlighting the control number, the CCI label, the CCI definition, and the DoD guidance; see the Long Description below.]
The Incident Response Family IR-7(1) is a specific control to address Incident Response Assistance | Automation Support for Availability of Information Support.
The control is given CCI number 000840.
The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog.
[Table: Control Correlation Identifiers example. Columns: Control, 800-53 Control, CCI Number, Text, Indicator. Rows: IR-7 / CCI-000839; IR-7(1) / CCI-000840; IR-7(2)(a) / CCI-000841; IR-7(2)(b) / CCI-000842. Only the CCI-000840 row is legible in the extracted image and is reproduced below.]
IR-7(1) / CCI-000840: The organization employs automated mechanisms to increase the availability of incident response-related information and support.
Implementation guidance: The organization being inspected/assessed will implement an automated intra-organization incident response information sharing capability to provide incident related information and support, for example: 1. SOP for incident reporting; 2. Incident handling FAQ; 3. Current incident activity awareness information; 4. Incident response contact information; 5. Incident report submission.
Assessment procedures: The organization conducting the inspection/assessment obtains and examines the incident response information sharing capability to validate the information sharing capability is available to organizational users. (DoD specific guidance and procedures.)
DoD provides guidance and procedures. This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website or, conversely, the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
Long Description
A typical Control Correlation Identifiers entry is comprised of:
• Control Number (IR-7(1) is highlighted): The Incident Response Family IR-7(1) is a specific control to address Incident Response Assistance | Automation Support for Availability of Information Support.
• CCI label (highlighted): The control is given a CCI number, 000840.
• CCI definition (highlighted): The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog.
• Guidance (highlighted): DoD provides guidance and procedures. This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website or, conversely, the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.
We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs) Cont
When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.
SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.
The first group are the four Core SRGs, which deal with Applications, Networking Devices, Operating Systems, and Policy. The second group are technology-specific SRGs. A technology-specific SRG is a child of a Core SRG; for example, the Database SRG was derived from the requirements in the Application SRG.
The Purpose and Implementation Of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated, as appropriate, into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs), and Integrated Master Plans/Schedules (IMPs/IMSs).
CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and SSE should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management, and risk deliberations, and throughout Systems Engineering Technical Review (SETR) processes and reviews.
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configurations of solutions that meet security control and control correlation identifier requirements, obtained from product vendors or from other organizations that have employed the same or similar Information or PIT systems.
Especially consider cases where a vendor or organization has used automation to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.
The Department of Defense Instruction (DoDI) 8500 series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs).
In the absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance, or National Information Assurance Partnership (NIAP) Protection Profiles.
National Information Assurance Partnership
The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST). For more information, please visit the NIAP web site (the link is not legible in the source).
Knowledge Review 3
The Department of Defense (DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual measurable statements referred to as (fill in the blank):
• DoD Security Controls
• Common Security Controls
• Control Correlation Identifiers (correct)
• Security Controls catalog
Answer: The Department of Defense (DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlation Identifiers.
Lesson Completion
You have completed the content for this lesson
Automated Fuels System Roles and Responsibilities
Select each of the icons to learn more about the Roles and Responsibilities.
You, the student, have been assigned as the AFS Information System Owner.
In coordination with the Information Owner (IO), you will:
• Categorize the system and document it in the Security Plan
• Be responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system
• Plan and budget for security control implementation, assessment and sustainment throughout the system life cycle, including timely and effective configuration and vulnerability management
The Information System Owner (ISO) or Program Manager/Systems Manager develops the Plan of Action and Milestones (POA&M) and implements corrective actions.
The Information System Security Manager (ISSM) is Ms. Sheila Fumes.
The ISSM:
• Is responsible for the day-to-day security and continuous monitoring of an Information System (IS) or Platform Information Technology (PIT) System
• Develops and maintains an organizational or system-level cybersecurity program that includes cybersecurity architecture, requirements, objectives and policies, cybersecurity personnel, and cybersecurity processes and procedures
• As the principal advisor to the Authorizing Official (AO), assembles the security authorization package
When circumstances warrant, a single individual may fulfill both the ISSM and the Information System Security Officer (ISSO) roles.
The Mission Owner (MO) is the Fuels Program Director, Colonel Sam Wheels.
The MO has operational responsibility for the mission or business process supported by the mission/business segment or the information system. The MO is the key stakeholder for system life cycle decisions.
The Program Manager is Lieutenant Colonel Whitey Fry.
The Program Manager/Systems Manager (PM/SM) is the person who has the responsibility and authority to accomplish program or system objectives for development, production and sustainment to meet the user's operational needs.
The PM/SM or Information System Owner (ISO) develops the Plan of Action and Milestones (POA&M), implements corrective actions, and ensures the security plan and POA&M are updated based on the results of the system-level continuous monitoring process.
Common Security Controls
Common security controls, as defined by Committee on National Security Systems Instruction (CNSSI) 1253, are controls whose implementation is managed by an organizational entity other than the system owner. A common security control can be applied to one or more organizational information systems and includes:
• The development, implementation and assessment of the common control, which is assigned to a responsible official or organizational element (other than the information system owner)
• The results from the assessment of the control, which can be used to support the RMF processes of any agency information system where that control has been applied
By indicating whether the controls are typically implemented as common (also known as inherited) controls, the column titled "Potentially Common/Inheritable" in Table D-2 of CNSSI 1253 provides guidance for implementation planning.
The final determination of which controls to implement as common controls will vary depending on the system and its intended environment/deployment. All controls selected for an information system must be addressed in the security plan, whether those controls are implemented by the information system or inherited from a common control provider.
Evidence must be included or referenced in the security plan that shows the information system actually receives protection from the inheritable security controls.
Table D-2 Additional Security Control Information (excerpt shown in the lesson: AC-1 and AC-2 with its enhancements). The C, I and A columns mark the confidentiality, integrity and availability baselines in which the control appears.

Control ID | C | I | A | Justification for NSS Baseline(s)      | Potentially Common/Inheritable
AC-1       | x | x | x |                                        | x
AC-2       | x | x |   |                                        |
AC-2(1)    | x | x |   |                                        | x
AC-2(2)    | x | x |   |                                        | x
AC-2(3)    | x | x |   |                                        | x
AC-2(4)    | x | x |   | Insider Threat Issuance CNSSI No. 1015 | x
AC-2(5)    | x | x | x | Best Practice Insider Threat           | x
AC-2(6)    | x | x |   |                                        |
AC-2(7)    | x | x |   | Insider Threat Issuance CNSSI No. 1015 |
AC-2(8)    | x | x |   |                                        |
AC-2(9)    | x | x |   | Insider Threat                         | x
AC-2(10)   | x | x |   | Insider Threat                         |
AC-2(11)   | x | x |   |                                        |
AC-2(12)   | x | x |   | Insider Threat                         | x
Examples of Common Security Controls
The DoD defines a Common Security Control as A security control that is inherited by one or more organizational information systems
The RMF Knowledge Service provides additional information on common security controls provided by Tiers 1 2 and 3 as well as the list of Common Security Controls that can be inherited by DoD Information and PIT systems from Tier 1
At Tier 1 the DoD CIO identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD
DoD Information and PIT systems are automatically compliant with Tier 1 common security controls because they implement and are satisfied by existing documented DoD level policies
Examples of Common Security Controls Cont
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD-level policies as issued.
The Authorizing Official for the Tier 1 common security controls is the DoD Senior Information Security Officer.
Knowledge Review 1
True or False: A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
• True (correct)
• False
Answer: True. A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
Risk Management Framework Step 3 Security Control Implementation
RMF Step 3 involves the process of implementing the security controls specified in the Security Plan in accordance with DoD implementation guidance found on the RMF KS.
The key factors to consider when implementing security controls fall under four headings: Personnel, Organization, Risk Assessment and Inheritance.
Personnel
ISSEs, with support from ISSMs and ISSOs, employ a sound security engineering process that captures and refines information security requirements and ensures their integration into information technology products and systems through purposeful security design or configuration.
Organization
Organization security control implementation includes:
• Maintaining consistency with the organization's enterprise architecture and information security architecture
• Using best practices when implementing the security controls within the Information or PIT system, including system and software engineering methodologies, security engineering principles and secure software coding techniques
• Satisfying minimum assurance requirements when implementing security controls
• Establishing and implementing mandatory configuration settings on information technology products in accordance with federal and organizational policies
Risk Assessment
Risk assessments may help inform decisions regarding the cost, benefit and risk trade-offs in using one type of technology versus another for control implementation.
Inheritance
Security controls are typically accepted by inheriting organizations if that organization has complied with DoD implementation guidance and assessment procedures and has met the minimum DoD enterprise-wide specific assignment values.
Each organization has the authority to be more stringent than the published DoD implementation guidance and DoD-specific assignment values for individual security controls. However, the increase in stringency cannot preclude required interoperability or reciprocity.
Organizations requiring more stringency, or otherwise deviating from DoD implementation guidance, must document the assessment procedures used, along with justification for the deviation, in the security plan.
Common Security Controls Applied to the DoD Tiers of Risk Management
Common security controls are applied at each of the three DoD tiers of risk management, from strategic risk at the top of the pyramid to tactical risk at its base, as follows.
Tier 1
The DoD Chief Information Officer (CIO) identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.
DoD Information System (IS) and PIT systems are automatically compliant with Tier 1 common security controls because they implement, and are satisfied by, existing documented DoD-level policies.
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD-level policies as issued. The AO for the Tier 1 common security controls is the DoD Senior Information Security Officer (SISO).
Tier 2
The DoD Component Chief Information Officer (CIO) identifies component-specific common security controls that are satisfied by existing component policy and guidance and are applicable throughout the component. Tier 2 common security controls may be more stringent than Tier 1 common security controls but may not negate or contradict them. Additionally, Tier 2 common security controls may not prevent interoperability or reciprocity between or among the DoD Components.
Component Information Systems (IS) and PIT systems are automatically compliant with Tier 2 common security controls because they implement, and are satisfied by, existing documented component policies and guidance. Risk associated with Tier 2 common security controls is assumed by the component providing the security control.
The Authorizing Official for the Tier 2 common security controls is the Component Senior Information Security Officer (SISO). Tier 2 common security controls are identified by DoD Components and should be posted to the individual DoD Component's KS workspace.
Tier 3
Within Tier 3 are enclaves, which are a set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.
Enclaves may identify enclave-specific common security controls that are made available to Information or PIT systems nested within the enclave, through agreements between the enclave and the nested Information or PIT systems.
The RMF Technical Advisory Group chairman has approved amplifying guidance for Tier 3 inheritance of common controls. This may be found under the Common Controls and Inheritance tab within the RMF Knowledge Service.
Risks introduced via common security controls at Tier 3 must be documented and either accepted, mitigated or rejected by the nested Information or PIT system Authorizing Official.
DoD Tiers of Risk Management (pyramid figure): Tier 1 Organization (strategic risk, at the apex); Tier 2 Mission/Business Processes; Tier 3 IS/PIT Systems (tactical risk, at the base).
Tier 1 Common Security Controls for the DoD Enterprise
The following is a list of the DoD Enterprise-level (Tier 1) common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD. DoD Information and PIT systems are considered to be automatically compliant with these controls.

Control Number   Control Title
AT-1             SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
AT-2             SECURITY AWARENESS TRAINING
AT-2(1)          SECURITY AWARENESS | PRACTICAL EXERCISES
AT-2(2)          SECURITY AWARENESS | INSIDER THREAT
IA-1             IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-5(14)         AUTHENTICATOR MANAGEMENT | MANAGING CONTENT OF PKI TRUST STORES
IA-5(3)          AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
IR-1             INCIDENT RESPONSE POLICY AND PROCEDURES
IR-4(3)          INCIDENT HANDLING | CONTINUITY OF OPERATIONS
MP-1             MEDIA PROTECTION POLICY AND PROCEDURES
PE-1             PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PL-1             SECURITY PLANNING POLICY AND PROCEDURES
PL-9             CENTRAL MANAGEMENT
PM-1             INFORMATION SECURITY PROGRAM PLAN
PM-10            SECURITY AUTHORIZATION PROCESS
PM-7             ENTERPRISE ARCHITECTURE
PM-9             RISK MANAGEMENT STRATEGY
PS-1             PERSONNEL SECURITY POLICY AND PROCEDURES
RA-1             RISK ASSESSMENT POLICY AND PROCEDURES
SI-1             SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
Knowledge Review 2
At which Department of Defense (DoD) tier of risk management is risk introduced via common security controls at the enclave level, which must be documented as either accepted, mitigated or rejected risk by the nested Information System or Platform Information Technology (PIT) System Authorizing Official?
• Tier 1
• Tier 2
• Tier 3 (correct)
Answer: Tier 3 is the DoD tier of risk management at which risk is introduced via common security controls at the enclave level that must be documented as either accepted, mitigated or rejected risk by the nested Information System or PIT System Authorizing Official.
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation
The Security Controls Explorer found within the RMF Knowledge Service provides implementation guidance and best practices for implementing security controls. This resource is critical when implementing security controls within DoD.
Within the list, for each security control DoD has assigned specific values, implementation guidance and assessment procedures. These can be used to manage and document the RMF process. In addition to the Knowledge Service, these procedures can be found in the DoD Enterprise Mission Assurance Support Service (eMASS).
Example entry from the Security Controls Explorer (the bracketed values are the DoD-assigned parameters):
AC-1 Access Control Policy and Procedures
• Control Text: The organization: a. Develops, documents, and disseminates to [all personnel]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Annually]; and 2. Access control procedures [Annually].
• Supplemental Guidance
• References
• Security Categorization
• Implementation Guidance and Assessment Procedures
Users can view the control details under each of these headings.
Control Correlation Identifier (CCI)
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides specific security control information that can be applied to all US Government information systems.
However, DoD has provided amplifying guidance, requirements and direction based on DoD policies, mandates, architectures and environments within the RMF Knowledge Service.
The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control. CCIs bridge the gap between high-level policy expressions and low-level technical implementations. DoD has taken every security control and associated enhancement within the Security Controls Catalog and decomposed them into individual measurable statements.
CCIs:
• Do not change the meaning or intent of a security control
• Are simply a breakdown of each individual requirement within the security control
• Are given a numeric label
• Provide specific implementation guidance and assessment procedures
Control Correlation Identifiers Guidance
A Control Correlation Identifier gives us specific DoD guidance and procedures for implementing and assessing the security controls.
For example, when implementing the IR-7 security control and its enhancements, the Control Correlation Identifiers (CCI-000839 through CCI-000842) guide us to:
• (CCI-000839) Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents
• (CCI-000840) Employ automated mechanisms to increase the availability of incident response-related information and support
• (CCI-000841) Establish a direct, cooperative relationship between its incident response capability and external providers of information system protection capability
• (CCI-000842) Identify organizational incident response team members to the external providers
Control Correlation Identifiers Guidance (Cont.)
At this time DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing.
Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users.
In assessing this security control we will identify and interview as necessary to determine if the CCIs are fulfilled. As DoD requires us to implement an automated intra-organization incident response information sharing capability, we must determine if this capability is implemented.
This implementation is intended to provide information and support such as standard operating procedures for incident reporting and incident handling, frequently asked questions, current incident activity awareness information, incident response contact information, and incident report submissions.
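The following is an added example, not course material and not code from the RMF Knowledge Service or eMASS. It shows the consequence of the CCI decomposition described above: a control such as IR-7 is assessed CCI by CCI, and the control's status is rolled up from those results, with a "compliant" claim that references no evidence treated as not assessed (the security plan must include or reference evidence). The four IR-7 CCI statements are the ones quoted in this lesson (abbreviated); the assessment results, evidence references and the roll-up rule itself are constructed assumptions modelled on the way CCI results are rolled up in eMASS, not taken from the page.

```python
"""Roll CCI-level assessment results up to a control-level status.

Added example, not course material and not code from the RMF Knowledge
Service or eMASS.  The four IR-7 CCI statements are the ones quoted in the
lesson (abbreviated); the results, evidence strings and the roll-up rule are
constructed assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CCI:
    cci_id: str
    control: str    # control or enhancement the CCI decomposes, e.g. "IR-7(2)"
    statement: str  # the individual measurable statement


@dataclass(frozen=True)
class CCIResult:
    cci_id: str
    status: str    # "compliant" | "non-compliant" | "not-applicable"
    evidence: str  # reference to the artifact that supports the status


# IR-7 decomposed into the CCIs quoted in the lesson (statements abbreviated).
IR7_CCIS = (
    CCI("CCI-000839", "IR-7",
        "Provide an incident response support resource integral to the "
        "organizational incident response capability"),
    CCI("CCI-000840", "IR-7(1)",
        "Employ automated mechanisms to increase the availability of "
        "incident response-related information and support"),
    CCI("CCI-000841", "IR-7(2)",
        "Establish a direct cooperative relationship between the incident "
        "response capability and external providers"),
    CCI("CCI-000842", "IR-7(2)",
        "Identify organizational incident response team members to the "
        "external providers"),
)

# Constructed sample assessment results for a hypothetical AFS assessment.
SAMPLE_RESULTS = {
    "CCI-000839": CCIResult("CCI-000839", "compliant",
                            "AFS Incident Reporting SOP, section 4"),
    "CCI-000840": CCIResult("CCI-000840", "compliant",
                            "JIMS account roster; incident portal screenshot"),
    "CCI-000841": CCIResult("CCI-000841", "non-compliant",
                            "No agreement with the external provider on file"),
    # Claimed compliant but nothing referenced: cannot be counted as assessed.
    "CCI-000842": CCIResult("CCI-000842", "compliant", ""),
}


def control_status(control, ccis, results):
    """Roll the CCI results for one control (or enhancement) up to a status.

    Assumed rule: any applicable CCI non-compliant -> "non-compliant";
    otherwise any applicable CCI missing a result, or claimed compliant
    without evidence -> "not-assessed"; all applicable CCIs compliant ->
    "compliant"; every CCI not applicable -> "not-applicable".
    """
    statuses = []
    for cci in ccis:
        if cci.control != control:
            continue
        result = results.get(cci.cci_id)
        if result is None:
            statuses.append("not-assessed")
        elif result.status == "compliant" and not result.evidence.strip():
            statuses.append("not-assessed")
        else:
            statuses.append(result.status)
    if not statuses:
        raise KeyError(f"no CCIs decompose {control}")
    applicable = [s for s in statuses if s != "not-applicable"]
    if not applicable:
        return "not-applicable"
    if "non-compliant" in applicable:
        return "non-compliant"
    if "not-assessed" in applicable:
        return "not-assessed"
    return "compliant"


def rollup(ccis, results):
    """Status for every control or enhancement that the CCI list decomposes."""
    return {c: control_status(c, ccis, results)
            for c in sorted({cci.control for cci in ccis})}


def traceability_gaps(ccis, results):
    """CCIs that have no result, or a compliant claim with no evidence."""
    gaps = []
    for cci in ccis:
        result = results.get(cci.cci_id)
        if result is None or (result.status == "compliant"
                              and not result.evidence.strip()):
            gaps.append(cci.cci_id)
    return gaps


if __name__ == "__main__":
    for control, status in rollup(IR7_CCIS, SAMPLE_RESULTS).items():
        print(f"{control:8} {status}")
    print("traceability gaps:", traceability_gaps(IR7_CCIS, SAMPLE_RESULTS))
```

With the constructed results, IR-7 and IR-7(1) roll up as compliant, IR-7(2) as non-compliant (CCI-000841 fails, and the unevidenced CCI-000842 would have left it not assessed even if CCI-000841 had passed), and CCI-000842 is reported as the traceability gap to close before the package goes to the AO.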
Control Correlation Identifiers Example
Screenshot: a Control Correlation Identifiers example table for IR-7, IR-7(1), IR-7(2)(a) and IR-7(2)(b), each row giving the control text, its CCI, the DoD implementation guidance and the assessment procedure. The table text is not legible in the source.
__
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example
R-7 R -7 ~n_-_tffPGftM ~~ toN
----~~ -u Md nMIMCit bullo USlfS
GllM - tyoebullmtof lht ~___yshy
IR-7(1) 11111 ~-~ -oc1 JTMChMlbullmt lO lnCfenbull of
~niR -~- shy-
R middot7 QI R middot7(1)(a) C0-1 _ - COOlpldlNI betwHnill ____ y_
__oyushy
capololity R -7 (2) IH (11 C-1 n -bull_ shy~2
~ fKpilftM lt- ~ tothl__
I The--~
I --~
~MIUHllM ~ M MpeCtIONMfft __ ----middot __ ___ I
~ tbull en rt dHll 10 ~~ ponM luppailf MNCH Md qumy
---- _
-middot M_ _tolt11-g___ -middotolllgtOM middot--wMltI I_- _
lfIOdltltl thiM ~doc~ to _ 11 M WIOdett tnpOMt ppoft
Mnitebull to COdJCt
-middot-bo9mnbullPfdl6astbullbullffd ~ bull n---_ ~bullUS-lrMntMd tDnWlt9 the ___ - -- _bolily
--__blloey middotmiddot-middot ---_~ ___ --middotmiddot-- bullbull degdeg ---2-~lAO-shygt eun-Y-bull ~rn~conlXI s ___ -The -middot shy btolll n-- shy tOftCfuclonI lftspKltdasses1S mullbull~ a -----deg IMpKbOftlauusr etuiM md bullimnwws the __~ dtfMM MMCbull~ Clf99Nl_ llnd Ct~ 10 dlltdlee bull bull CUNtinl
(CtCgtSP) - shy __ Tho ~c-cto)tilo lntpKttdMHllecJ nlllll prcMde Md IMPKtINUMlllMN mcJ Chit 1M bullbull ol fttfNI iiMltdlN Ila el tn1MYI ~ _ bullbull_ rftMllMft _ tMIP ftWtnDln es MCbullbullJatY to bull la ecabulle MdC_ deg lht ~la GllM CNOSP - CNOSP ~-- shy-1lt1 c_ _---1middot----QIOSPshy
The Incident Response Family IR-7 ( 1) is a specific control to address Incident Response AssistancelAutomation Support For Availability Of Information Support
Pag e 17 of 23 Back Next
--
___
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example
IRmiddot1 IRmiddot7
CCI
COshy
CCI-no___ _ tHfIOIM aupoon tbullto1ttbull to tN ---rH-MUpobMy 1NI elrin ~MidMliiA-U 10 Wtra
dlM-bullibullmtot11M~ --d-yWM-S
--~_ ~-------_-_-shy-
1R 1 QI IHQl(ll CO-I TM~Hl-bullclortd CoopedlNe ~
- bullbullbull-clflllY _ txtipo-d_ cwty
C0-2 TIM_bull ___IR-7 2) IRmiddot7 QI (11) iflCldlN tH$IOM4 Ibull~ to tM txtotNI_
The control is given a CCI number 000840
IR-7 (1): The organization employs automated mechanisms to increase the availability of incident response-related information and support.
The organization being inspected/assessed will implement an automated intra-organization incident response information sharing capability (incident related information and support), for example:
1 SOP for incident reporting
2 Incident handling FAQ
3 Current incident activity awareness information
4 Incident response contact information
5 Incident report submission
The organization conducting the inspection/assessment obtains and examines the incident response information sharing capability to validate that the information sharing capability is available to organizational users.
Long Description
A typical Control Correlation Identifiers entry is comprised of:
• Control Number: IR-7 (1) is highlighted. The Incident Response Family IR-7 (1) is a specific control to address Incident Response Assistance | Automation Support for Availability of Information Support.
• CCI label: highlighted. The control is given a CCI number, 000840.
• CCI definition: highlighted. The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog.
• Guidance: highlighted. DoD provides guidance and procedures. This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website, or conversely the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.
We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.
When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.
SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.
The first group is the four Core SRGs, which deal with Applications, Networking Devices, Operating Systems and Policy. The second group is the technology-specific SRGs. A technology-specific SRG is a child of a Core SRG; for example, the Database SRG was derived from the requirements in the Application SRG.
The Purpose and Implementation Of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated, as appropriate, into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs) and Integrated Master Plans/Schedules (IMPs/IMSs).
CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and SSE should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management, risk deliberations and throughout Systems Engineering Technical Review (SETR) processes and reviews.
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.
Especially consider when a vendor or organization has used automation to allow them to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.
The Department of Defense Instruction (DoDI) 8500 Series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guidelines (SRGs).
In absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance or National Information Assurance Program (NIAP) Protection Profiles.
National Information Assurance Program
The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST).
Knowledge Review 3
The Department of Defense (DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual measurable statements referred to as (fill in the blank):
• DoD Security Controls
• Common Security Controls
• Control Correlation Identifiers
• Security Controls Catalog
Answer: The Department of Defense (DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlation Identifiers.
Lesson Completion
You have completed the content for this lesson.
To continue, select another lesson from the Table of Contents on the left.
If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.
Automated Fuels System Roles and Responsibilities
The Information System Security Manager (ISSM) is Ms Sheila Fumes. The ISSM:
• Is responsible for the day-to-day security and continuous monitoring of an Information System (IS) or Platform Information Technology (PIT) System
• Develops and maintains an organizational or system-level cybersecurity program that includes cybersecurity architecture, requirements, objectives and policies, cybersecurity personnel, and cybersecurity processes and procedures
• As the principal advisor to the Authorizing Official (AO), assembles the security authorization package
When circumstances warrant, a single individual may fulfill both the ISSM and the Information System Security Officer (ISSO) roles.
The Mission Owner (MO) is the Fuels Program Director, Colonel Sam Wheels. The MO has operational responsibility for the mission or business process supported by the mission/business segment or the information system. The MO is the key stakeholder for system life cycle decisions.
The Program Manager is Lieutenant Colonel Whitey Fry. The Program Manager/Systems Manager (PM/SM) is the person who has the responsibility and authority to accomplish program or system objectives for development, production and sustainment to meet the users' operational needs.
The PM/SM or Information System Owner (ISO) develops the Plan of Action and Milestones (POA&M), implements corrective actions, and ensures the security plan and POA&M are updated based on the results of the system-level continuous monitoring process.
Common Security Controls
Common Security controls, as defined by Committee on National Security Systems Instruction (CNSSI) 1253, are controls in which the implementation is managed by an organizational entity other than the system owner. It is a security control that can be applied to one or more organizational information systems and includes:
• The development, implementation and assessment of the common control that is assigned to a responsible official or organizational element (other than the information system owner)
• The results from the assessment of the control, which can be used to support the RMF processes of an agency information system where that control has been applied
By indicating whether the controls are typically implemented as common (also known as inherited) controls, the column titled Potentially Common/Inheritable in table D-2 of CNSSI 1253 provides guidance with implementation planning.
The final determination of which controls to implement as common controls will vary depending on the system and its intended environment/deployment. All controls selected for an information system must be addressed in the security plan, whether those controls are implemented by the information system or inherited from a common control provider.
Evidence must be included or referenced in the security plan that shows the information system actually receives protection from the inheritable security controls.
Table D-2 Additional Security Control Information (AC-1 and AC-2 rows)
Control ID   C  I  A  Justification for NSS Baseline(s)      Potentially Common/Inheritable
AC-1         x  x  x                                         x
AC-2         x  x
AC-2(1)      x  x                                            x
AC-2(2)      x  x                                            x
AC-2(3)      x  x                                            x
AC-2(4)      x  x     Insider Threat Issuance CNSSI No 1015  x
AC-2(5)      x  x  x  Best Practice Insider Threat           x
AC-2(6)      x  x
AC-2(7)      x  x     Insider Threat Issuance CNSSI No 1015
AC-2(8)      x  x
AC-2(9)      x  x     Insider Threat                         x
AC-2(10)     x  x     Insider Threat
AC-2(11)     x  x
AC-2(12)     x  x     Insider Threat                         x
Long Description
The Table D-2 Security Control Baselines contains the Control ID, Confidentiality, Integrity, Availability, Justification for NSS Baseline(s) and Potentially Common/Inheritable columns. AC-1, 2, 2(1), 2(2), 2(3), 2(4), 2(5), 2(6), 2(7), 2(8), 2(9), 2(10), 2(11) and 2(12) have Confidentiality and Integrity.
• AC-1 has Availability and Potentially Common/Inheritable
• AC-2(1), 2(2), 2(3) have Potentially Common/Inheritable
• AC-2(4) has an Insider Threat Issuance CNSSI No 1015 and is Potentially Common/Inheritable
• AC-2(5) has Availability; its Justification for NSS Baseline is Best Practice Insider Threat. It is also Potentially Common/Inheritable
• AC-2(7) has an Insider Threat Issuance CNSSI No 1015
• AC-2(9) and AC-2(12) have a Justification for NSS Baseline of Insider Threat and are Potentially Common/Inheritable
• AC-2(10) has a Justification for NSS Baseline of Insider Threat
Examples of Common Security Controls
The DoD defines a Common Security Control as a security control that is inherited by one or more organizational information systems.
The RMF Knowledge Service provides additional information on common security controls provided by Tiers 1, 2 and 3, as well as the list of Common Security Controls that can be inherited by DoD Information and PIT systems from Tier 1.
At Tier 1, the DoD CIO identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.
DoD Information and PIT systems are automatically compliant with Tier 1 common security controls because they implement and are satisfied by existing documented DoD level policies.
Examples of Common Security Controls Cont
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD level policies as issued.
The Authorizing Official for the Tier 1 common security controls is the DoD Senior Information Security Officer.
Knowledge Review 1
True or False: A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
• True
• False
Answer: True. A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
Risk Management Framework Step 3 Security Control Implementation
RMF Step 3 involves the process of implementing the security controls specified in the Security Plan in accordance with DoD implementation guidance found on the RMF KS.
Select each heading to view the key factors to consider when implementing security controls: Personnel, Organization, Risk Assessment, Inheritance.
Personnel
ISSEs, with support from ISSMs and ISSOs, employ a sound security engineering process that captures and refines information security requirements and ensures their integration into information technology products and systems through purposeful security design or configuration.
Organization
Organization security control implementation includes:
• Maintaining consistency with the organization's enterprise architecture and information security architecture
• Using best practices when implementing the security controls within the Information or PIT system, including system and software engineering methodologies, security engineering principles and secure software coding techniques
• Satisfying minimum assurance requirements when implementing security controls
• Establishing and implementing mandatory configuration settings on information technology products in accordance with federal and organizational policies
Risk Assessment
Risk assessments may help inform decisions regarding the cost, benefit and risk trade-offs in using one type of technology versus another for control implementation.
Inheritance
Security controls are typically accepted by inheriting organizations if that organization has complied with DoD implementation guidance and assessment procedures and has met the minimum DoD enterprise-wide specific assignment values.
Each organization has the authority to be more stringent than the published DoD implementation guidance and DoD specific assignment values for individual security controls. However, the increase in stringency cannot preclude required interoperability or reciprocity.
Organizations requiring more stringency, or otherwise deviating from DoD implementation guidance, must document the assessment procedures used along with justification for the deviation in the security plan.
Common Security Controls Applied to the DoD Tiers of Risk Management
Tier 1
The DoD Chief Information Officer (CIO) identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.
DoD Information System (IS) and PIT systems are automatically compliant with Tier 1 common security controls because they implement and are satisfied by existing documented DoD level policies.
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD level policies as issued. The AO for the Tier 1 common security controls is the DoD Senior Information Security Officer (SISO).
Tier 2
The DoD Component Chief Information Officer (CIO) identifies component-specific common security controls that are satisfied by existing component policy and guidance and are applicable throughout the component. Tier 2 common security controls may be more stringent than Tier 1 common security controls but may not negate or contradict them. Additionally, Tier 2 common security controls may not prevent interoperability or reciprocity between or among the DoD Components.
Component Information Systems (IS) and PIT systems are automatically compliant with Tier 2 common security controls because they implement and are satisfied by existing documented component policies and guidance. Risk associated with Tier 2 common security controls is assumed by the component providing the security control.
The Authorizing Official for the Tier 2 common security controls is the Component Senior Information Security Officer (SISO). Tier 2 common security controls are identified by DoD Components and should be posted to the individual DoD Component's KS workspace.
Tier 3
Within Tier 3 are Enclaves, which are a set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.
Enclaves may identify enclave-specific common security controls that are made available to Information or PIT systems nested within the enclave, through agreements between the enclave and the nested Information or PIT systems.
The RMF Technical Advisory Group chairman has approved amplifying guidance for Tier 3 inheritance of common controls. This may be found under the Common Controls and Inheritance tab within the RMF Knowledge Service.
Risks introduced via common security controls at Tier 3 must be documented and either accepted, mitigated, or rejected by the nested Information or PIT system Authorizing Official.
Long Description: DoD Tiers of Risk Management pyramid, from strategic risk at the top to tactical risk at the bottom. Tier 1: Organization. Tier 2: Mission/Business Processes. Tier 3: IS/PIT Systems.
Tier 1 Common Security Controls for the DoD Enterprise
The following is a list of the DoD Enterprise-level (Tier 1) common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD. DoD Information and PIT systems are considered to be automatically compliant with these controls.
Control Number | Control Title
AT-1 | SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
AT-2 | SECURITY AWARENESS TRAINING
AT-2(1) | SECURITY AWARENESS | PRACTICAL EXERCISES
AT-2(2) | SECURITY AWARENESS | INSIDER THREAT
IA-1 | IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-5(14) | AUTHENTICATOR MANAGEMENT | MANAGING CONTENT OF PKI TRUST STORES
IA-5(3) | AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
IR-1 | INCIDENT RESPONSE POLICY AND PROCEDURES
IR-4(3) | INCIDENT HANDLING | CONTINUITY OF OPERATIONS
MP-1 | MEDIA PROTECTION POLICY AND PROCEDURES
PE-1 | PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PL-1 | SECURITY PLANNING POLICY AND PROCEDURES
PL-9 | CENTRAL MANAGEMENT
PM-1 | INFORMATION SECURITY PROGRAM PLAN
PM-10 | SECURITY AUTHORIZATION PROCESS
PM-7 | ENTERPRISE ARCHITECTURE
PM-9 | RISK MANAGEMENT STRATEGY
PS-1 | PERSONNEL SECURITY POLICY AND PROCEDURES
RA-1 | RISK ASSESSMENT POLICY AND PROCEDURES
SI-1 | SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
Knowledge Review 2
At which Department of Defense (DoD) Tier of risk management is risk introduced via common security controls at the enclave level, which must be documented as either accepted, mitigated, or rejected risk by the nested Information System or Platform Information Technology (PIT) System Authorizing Official?
[ ] Tier 1
[ ] Tier 2
[x] Tier 3
Answer: Tier 3 is the DoD tier of risk management at which risk is introduced via common security controls at the enclave level, and that risk must be documented as either accepted, mitigated, or rejected by the nested Information System or PIT System Authorizing Official.
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation
The Security Controls Explorer found within the RMF Knowledge Service provides implementation guidance and best practices for implementing security controls This resource is critical when implementing security controls within DoD
Within the entry for each security control, DoD has assigned specific values, implementation guidance, and assessment procedures. These can be used to manage and document the RMF process. In addition to the Knowledge Service, these procedures can be found in the DoD Enterprise Mission Assurance Support Service (eMASS).
AC-1 ACCESS CONTROL POLICY AND PROCEDURES
Control Text: The organization: a. Develops, documents, and disseminates to [all personnel]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Annually]; and 2. Access control procedures [Annually].
Long Description: For each control, users can view the control details: Control Text, Supplemental Guidance, References, Security Categorization, and Implementation Guidance and Assessment Procedures. The bracketed values in the control text are the DoD-assigned parameter values.
Control Correlation Identifier (CCI)
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides specific security control information that can be applied to all US Government information systems.
However, DoD has provided amplifying guidance, requirements, and direction based on DoD policies, mandates, architectures, and environments within the RMF Knowledge Service.
The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control. CCIs bridge the gap between high-level policy expressions and low-level technical implementations. DoD has taken every security control and associated enhancement within the Security Controls Catalog and decomposed them into individual, measurable statements.
CCIs:
• Do not change the meaning or intent of a security control
• Are simply a breakdown of each individual requirement within the security control
• Are given a numeric label
• Provide specific implementation guidance and assessment procedures
Control Correlation Identifiers Guidance
A Control Correlation Identifier gives us specific DoD guidance and procedures for implementing and assessing the security controls.
For example, when implementing the IR-7 security controls, the Control Correlation Identifiers (CCI-000839 through CCI-000842) guide us to:
• (CCI-000839) Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents
• (CCI-000840) Employ automated mechanisms to increase the availability of incident response-related information and support
• (CCI-000841) Establish a direct, cooperative relationship between its incident response capability and external providers of information system protection capability
• (CCI-000842) Identify organizational incident response team members to the external providers
Control Correlation Identifiers Guidance Cont
At this time, DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing.
Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users.
In assessing this security control we will identify and interview personnel as necessary to determine if the CCIs are fulfilled. As DoD requires us to implement an automated intra-organization incident response information sharing capability, we must determine if this capability is implemented.
This implementation is intended to provide information and support such as standard operating procedures for incident reporting, incident handling frequently asked questions, current incident activity awareness information, incident response contact information, and incident report submissions.
Control Correlation Identifiers Example
Long Description: A typical Control Correlation Identifier entry is comprised of:
• Control Number. The Incident Response family enhancement IR-7(1) is a specific control enhancement to address Incident Response Assistance | Automation Support for Availability of Information/Support.
• CCI label. The control enhancement is given a CCI number, CCI-000840.
• CCI definition. The CCI definition is the same as the control definition in NIST SP 800-53 and within the Security Controls Catalog: "The organization employs automated mechanisms to increase the availability of incident response-related information and support."
• Guidance. DoD provides guidance and procedures. This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website, or conversely the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
The example table lists, for each measurable statement, the control, the 800-53 control or enhancement, the CCI number, the CCI text, and the DoD implementation guidance and assessment procedure. The recoverable rows for IR-7 are:
IR-7 / CCI-000839: The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents.
IR-7(1) / CCI-000840: The organization employs automated mechanisms to increase the availability of incident response-related information and support.
  DoD implementation guidance: The organization being inspected/assessed will implement an automated intra-organization incident response information sharing capability that provides incident-related information and support, for example: 1. SOP for incident reporting; 2. Incident handling FAQ; 3. Current incident activity awareness information; 4. Incident response contact information; 5. Incident report submission.
  DoD assessment procedure: The organization conducting the inspection/assessment obtains and examines the incident response information sharing capability to validate that it is available to organizational users.
IR-7(2)(a) / CCI-000841: The organization establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability. The assessment examines the organization's agreement with its Computer Network Defense Service Provider (CNDSP) to validate that it is current.
IR-7(2)(b) / CCI-000842: The organization identifies organizational incident response team members to the external providers. The assessment obtains and examines the list of internal incident response team members provided to the CNDSP, and interviews team members as necessary, to validate that the list is accurate and current.
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.
We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.
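The correlation described above can be automated, because both ends of it are published as XML: each STIG rule cites the CCIs it checks, and the DISA CCI list maps each CCI back to its NIST SP 800-53 control. The following is an added example written for this page; it is not code from the ISA220 course, the RMF Knowledge Service, or any DISA tool. It assumes (rather than takes from the course) two file layouts: a CCI list whose cci_item elements carry a definition and a NIST reference whose index attribute names the 800-53 control or enhancement, and an XCCDF benchmark whose Rule elements cite CCIs in ident elements. The embedded XML is constructed sample data in those shapes, using the IR-7 CCI text from the pages above; the benchmark, group, and rule identifiers are placeholders, and the sample CCI list is deliberately partial so that one cited CCI cannot be resolved.

```python
# Added example: correlate STIG rules to 800-53 controls through CCIs.
# Assumed (not from the course) layouts of the DISA CCI list and of XCCDF
# STIG benchmarks; the XML below is constructed sample data in those shapes.
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass, field

CCI_NS = "{http://iase.disa.mil/cci}"                 # assumed CCI list namespace
XCCDF_NS = "{http://checklists.nist.gov/xccdf/1.1}"   # XCCDF 1.1 namespace


@dataclass
class CCI:
    cci_id: str
    definition: str
    controls: list = field(default_factory=list)      # e.g. ["IR-7(1)"]


# Family-number, optional "(enhancement)"; trailing sub-part letters are ignored.
_CONTROL_RE = re.compile(r"^([A-Z]{2}-\d+)\s*(?:\((\d+)\))?")


def base_control(index):
    """'IR-7 (2) (a)' -> 'IR-7(2)'; 'AC-1 a 1' -> 'AC-1'.
    CCIs are finer-grained than controls, so several roll up to one."""
    m = _CONTROL_RE.match(index.strip())
    if not m:
        raise ValueError(f"unrecognised control index: {index!r}")
    return f"{m.group(1)}({m.group(2)})" if m.group(2) else m.group(1)


def load_cci_index(xml_text):
    """Parse a CCI list into {cci_id: CCI}."""
    index = {}
    for item in ET.fromstring(xml_text).iter(f"{CCI_NS}cci_item"):
        controls = []
        for ref in item.iter(f"{CCI_NS}reference"):
            # Only the NIST references carry an 800-53 index attribute.
            if ref.get("creator") == "NIST" and ref.get("index"):
                ctl = base_control(ref.get("index"))
                if ctl not in controls:
                    controls.append(ctl)
        definition = (item.findtext(f"{CCI_NS}definition") or "").strip()
        index[item.get("id")] = CCI(item.get("id"), definition, controls)
    return index


def stig_rule_ccis(xccdf_text):
    """Return {rule_id: [cci_id, ...]} for every Rule in an XCCDF benchmark."""
    rules = {}
    for rule in ET.fromstring(xccdf_text).iter(f"{XCCDF_NS}Rule"):
        rules[rule.get("id")] = [
            ident.text.strip()
            for ident in rule.findall(f"{XCCDF_NS}ident")
            # Accept both the older iase.disa.mil and the newer cyber.mil URIs.
            if (ident.get("system") or "").endswith("/cci") and ident.text
        ]
    return rules


def correlate(cci_index, rule_ccis):
    """Map each control/enhancement to the STIG rules that check it.
    Also returns the CCIs a STIG cites that the CCI list does not define:
    a finding against such a rule cannot be traced to a control in the
    security plan, so it has to be resolved rather than silently dropped."""
    by_control, unresolved = defaultdict(set), set()
    for rule_id, ccis in rule_ccis.items():
        for cci_id in ccis:
            cci = cci_index.get(cci_id)
            if cci is None:
                unresolved.add(cci_id)
                continue
            for ctl in cci.controls:
                by_control[ctl].add(rule_id)
    return dict(by_control), unresolved


# Constructed sample CCI list (CCI text as quoted in the course's IR-7
# example). It is deliberately partial: CCI-000842 is not defined here.
SAMPLE_CCI_LIST = """<cci_list xmlns="http://iase.disa.mil/cci"><cci_items>
<cci_item id="CCI-000839"><definition>The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents.</definition>
<references><reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" index="IR-7"/></references></cci_item>
<cci_item id="CCI-000840"><definition>The organization employs automated mechanisms to increase the availability of incident response-related information and support.</definition>
<references><reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" index="IR-7 (1)"/></references></cci_item>
<cci_item id="CCI-000841"><definition>The organization establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability.</definition>
<references><reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" index="IR-7 (2) (a)"/></references></cci_item>
</cci_items></cci_list>"""

# Constructed STIG fragment; benchmark, group and rule ids are placeholders.
SAMPLE_STIG = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample-benchmark">
<Group id="sample-group-1"><Rule id="sample-rule-1" severity="medium">
<title>Users must have an automated incident response support resource.</title>
<ident system="http://cyber.mil/cci">CCI-000839</ident>
<ident system="http://cyber.mil/cci">CCI-000840</ident></Rule></Group>
<Group id="sample-group-2"><Rule id="sample-rule-2" severity="low">
<title>Incident response team members must be identified to external providers.</title>
<ident system="http://iase.disa.mil/cci">CCI-000841</ident>
<ident system="http://iase.disa.mil/cci">CCI-000842</ident></Rule></Group>
</Benchmark>"""

if __name__ == "__main__":
    mapping, missing = correlate(load_cci_index(SAMPLE_CCI_LIST),
                                 stig_rule_ccis(SAMPLE_STIG))
    for ctl in sorted(mapping):
        print(f"{ctl:<9} <- {', '.join(sorted(mapping[ctl]))}")
    print("CCIs cited by the STIG but not in the CCI list:", sorted(missing))
```

Run against the real files, the same three functions give a per-control view of which STIG rules evidence it, which is the traceability the security plan and eMASS entries need; the unresolved set is the check to run after every CCI list or STIG update, since a rule whose CCI has no control cannot be reported as a control finding.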
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs), Cont.
When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.
SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.
The first group is the four Core SRGs, which deal with Applications, Networking Devices, Operating Systems, and Policy. The second group is the technology-specific SRGs. A technology-specific SRG is a child of a Core SRG; for example, the Database SRG was derived from the requirements in the Application SRG.
The Purpose and Implementation Of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated, as appropriate, into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs), and Integrated Master Plans/Schedules (IMPs/IMSs).
CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and SSE should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management, and risk deliberations, and throughout Systems Engineering Technical Review (SETR) processes and reviews.
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.
Especially consider cases where a vendor or organization has used automation to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.
The Department of Defense Instruction (DoDI) 8500 Series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs).
In the absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance, or National Information Assurance Partnership (NIAP) Protection Profiles.
National Information Assurance Partnership: The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST).
Knowledge Review 3
The Department of Defense (DoD) has taken every security control and associated enhancement within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual, measurable statements referred to as (fill in the blank):
[ ] DoD Security Controls
[ ] Common Security Controls
[x] Control Correlation Identifiers
[ ] Security Controls Catalog
Answer: The Department of Defense (DoD) has taken every security control and associated enhancement within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual, measurable statements referred to as Control Correlation Identifiers.
Lesson Completion
You have completed the content for this lesson
Automated Fuels System Roles and Responsibilities
The Mission Owner (MO) is the Fuels Program Director, Colonel Sam Wheels. The MO has operational responsibility for the mission or business process supported by the mission/business segment or the information system. The MO is the key stakeholder for system life cycle decisions.
The Program Manager is Lieutenant Colonel Whitey Fry. The Program Manager/Systems Manager (PM/SM) is the person who has the responsibility and authority to accomplish program or system objectives for development, production, and sustainment to meet the user's operational needs. The PM/SM or Information System Owner (ISO) develops the Plan of Action and Milestones (POA&M), implements corrective actions, and ensures the security plan and POA&M are updated based on the results of the system-level continuous monitoring process.
Common Security Controls
Common security controls, as defined by Committee on National Security Systems Instruction (CNSSI) 1253, are controls whose implementation is managed by an organizational entity other than the system owner. A common control is a security control that can be applied to one or more organizational information systems and includes:
• The development, implementation, and assessment of the common control, which is assigned to a responsible official or organizational element (other than the information system owner)
• The results from the assessment of the control, which can be used to support the RMF processes of an agency information system where that control has been applied
By indicating whether the controls are typically implemented as common (also known as inherited) controls, the column titled Potentially Common/Inheritable in Table D-2 of CNSSI 1253 provides guidance for implementation planning.
The final determination of which controls to implement as common controls will vary depending on the system and its intended environment/deployment. All controls selected for an information system must be addressed in the security plan, whether those controls are implemented by the information system or inherited from a common control provider.
Evidence must be included or referenced in the security plan that shows the information system actually receives protection from the inheritable security controls.
Long Description: Excerpt of CNSSI 1253 Table D-2 (Additional Security Control Information) for AC-1 and AC-2. Columns: Control ID; Confidentiality (C); Integrity (I); Availability (A); Justification for NSS Baseline(s); Potentially Common/Inheritable (PCI).
Control ID | C | I | A | Justification for NSS Baseline(s) | PCI
AC-1 | x | x | x | | x
AC-2 | x | x | | |
AC-2(1) | x | x | | | x
AC-2(2) | x | x | | | x
AC-2(3) | x | x | | | x
AC-2(4) | x | x | | Insider Threat Issuance CNSSI No 1015 | x
AC-2(5) | x | x | x | Best Practice; Insider Threat | x
AC-2(6) | x | x | | |
AC-2(7) | x | x | | Insider Threat Issuance CNSSI No 1015 |
AC-2(8) | x | x | | |
AC-2(9) | x | x | | Insider Threat | x
AC-2(10) | x | x | | Insider Threat |
AC-2(11) | x | x | | |
AC-2(12) | x | x | | Insider Threat | x
Examples of Common Security Controls
The DoD defines a Common Security Control as "A security control that is inherited by one or more organizational information systems."
The RMF Knowledge Service provides additional information on common security controls provided by Tiers 1, 2, and 3, as well as the list of Common Security Controls that can be inherited by DoD Information and PIT systems from Tier 1.
At Tier 1, the DoD CIO identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.
DoD Information and PIT systems are automatically compliant with Tier 1 common security controls because they implement and are satisfied by existing documented DoD level policies.
Examples of Common Security Controls Cont
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD level policies as issued.
The Authorizing Official for the Tier 1 common security controls is the DoD Senior Information Security Officer.
Knowledge Review 1
True or False: A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
True
False
Check Answer: True. A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
Risk Management Framework Step 3: Security Control Implementation
RMF Step 3 involves the process of implementing the security controls specified in the Security Plan in accordance with DoD implementation guidance found on the RMF KS.
Select each heading to view the key factors to consider when implementing security controls: Personnel, Organization, Risk Assessment, Inheritance.
Personnel
ISSEs, with support from ISSMs and ISSOs, employ a sound security engineering process that captures and refines information security requirements and ensures their integration into information technology products and systems through purposeful security design or configuration.
Organization
Organization security control implementation includes:
• Maintaining consistency with the organization's enterprise architecture and information security architecture.
• Using best practices when implementing the security controls within the Information or PIT system, including system and software engineering methodologies, security engineering principles, and secure software coding techniques.
• Satisfying minimum assurance requirements when implementing security controls.
• Establishing and implementing mandatory configuration settings on information technology products in accordance with federal and organizational policies.
Risk Assessment
Risk assessments may help inform decisions regarding the cost, benefit, and risk trade-offs in using one type of technology versus another for control implementation.
Inheritance
Security controls are typically accepted by inheriting organizations if that organization has complied with DoD implementation guidance and assessment procedures and has met the minimum DoD enterprise-wide specific assignment values.
Each organization has the authority to be more stringent than the published DoD implementation guidance and DoD specific assignment values for individual security controls. However, the increase in stringency cannot preclude required interoperability or reciprocity.
Organizations requiring more stringency or otherwise deviating from DoD implementation guidance must document the assessment procedures used, along with justification for the deviation, in the security plan.
Common Security Controls Applied to the DoD Tiers of Risk Management
Select each tier of the Strategic risk pyramid to see how common security controls are applied.
Long Description: DoD Tiers of Risk Management, shown as a pyramid from Strategic Risk (top) to Tactical Risk (bottom): Tier 1 - Organization; Tier 2 - Mission/Business Processes; Tier 3 - IS/PIT Systems.
Tier 1
The DoD Chief Information Officer (CIO) identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.
DoD Information System (IS) and PIT systems are automatically compliant with Tier 1 common security controls because they implement and are satisfied by existing documented DoD level policies.
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD level policies as issued. The AO for the Tier 1 common security controls is the DoD Senior Information Security Officer (SISO).
Tier 2
The DoD Component Chief Information Officer (CIO) identifies component-specific common security controls that are satisfied by existing component policy and guidance and are applicable throughout the component. Tier 2 common security controls may be more stringent than Tier 1 common security controls but may not negate or contradict them. Additionally, Tier 2 common security controls may not prevent interoperability or reciprocity between or among the DoD Components.
Component Information Systems (IS) and PIT systems are automatically compliant with Tier 2 common security controls because they implement and are satisfied by existing documented component policies and guidance. Risk associated with Tier 2 common security controls is assumed by the component providing the security control.
The Authorizing Official for the Tier 2 common security controls is the Component Senior Information Security Officer (SISO). Tier 2 common security controls are identified by DoD Components and should be posted to the individual DoD Component's KS workspace.
Tier 3
Within Tier 3 are Enclaves, which are a set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.
Enclaves may identify enclave-specific common security controls that are made available to Information or PIT systems that are nested within the enclave through agreements between the enclave and the nested Information or PIT systems.
The RMF Technical Advisory Group chairman has approved amplifying guidance for Tier 3 inheritance of common controls. This may be found under the Common Controls and Inheritance tab within the RMF Knowledge Service.
Risks introduced via common security controls at Tier 3 must be documented and either accepted, mitigated, or rejected by the nested Information or PIT system Authorizing Official.
Tier 1 Common Security Controls for the DoD Enterprise
The following is a list of the DoD Enterprise level (Tier 1) common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD. DoD Information and PIT systems are considered to be automatically compliant with these controls.
Control Number  Control Title
AT-1       SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
AT-2       SECURITY AWARENESS TRAINING
AT-2(1)    SECURITY AWARENESS | PRACTICAL EXERCISES
AT-2(2)    SECURITY AWARENESS | INSIDER THREAT
IA-1       IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-5(14)   AUTHENTICATOR MANAGEMENT | MANAGING CONTENT OF PKI TRUST STORES
IA-5(3)    AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
IR-1       INCIDENT RESPONSE POLICY AND PROCEDURES
IR-4(3)    INCIDENT HANDLING | CONTINUITY OF OPERATIONS
MP-1       MEDIA PROTECTION POLICY AND PROCEDURES
PE-1       PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PL-1       SECURITY PLANNING POLICY AND PROCEDURES
PL-9       CENTRAL MANAGEMENT
PM-1       INFORMATION SECURITY PROGRAM PLAN
PM-10      SECURITY AUTHORIZATION PROCESS
PM-7       ENTERPRISE ARCHITECTURE
PM-9       RISK MANAGEMENT STRATEGY
PS-1       PERSONNEL SECURITY POLICY AND PROCEDURES
RA-1       RISK ASSESSMENT POLICY AND PROCEDURES
SI-1       SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
Knowledge Review 2
At which Department of Defense (DoD) Tier of risk management is risk introduced via common security controls at the enclave level that must be documented as either accepted, mitigated, or rejected risk by the nested Information System or Platform Information Technology (PIT) System Authorizing Official?
Tier 1
Tier 2
Tier 3
Check Answer: Tier 3 is the DoD tier of risk management at which risk is introduced via common security controls at the enclave level that must be documented as either accepted, mitigated, or rejected risk by the nested Information System or PIT System Authorizing Official.
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation
The Security Controls Explorer found within the RMF Knowledge Service provides implementation guidance and best practices for implementing security controls. This resource is critical when implementing security controls within DoD.
Within the list for each security control, DoD has assigned specific values, implementation guidance, and assessment procedures. These can be used to manage and document the RMF process. In addition to the Knowledge Service, these procedures can be found in the DoD Enterprise Mission Assurance Support Service (eMASS).
Long Description
AC-1 Access Control Policy and Procedures. Users can view control details:
• Control Text: The organization: a. Develops, documents, and disseminates to [all personnel]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Annually]; and 2. Access control procedures [Annually].
• Supplemental Guidance
• References
• Security Categorization
• Implementation Guidance and Assessment Procedures
Control Correlation Identifier (CCI)
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides specific security control information that can be applied to all US Government information systems.
However, DoD has provided amplifying guidance, requirements, and direction based on DoD policies, mandates, architectures, and environments within the RMF Knowledge Service.
The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control. CCIs bridge the gap between high-level policy expressions and low-level technical implementations. DoD has taken every security control and associated enhancements within the Security Controls Catalog and decomposed them into individual, measurable statements.
CCIs:
• Do not change the meaning or intent of a security control.
• Are simply a breakdown of each individual requirement within the security control.
• Are given a numeric label.
• Provide specific implementation guidance and assessment procedures.
Control Correlation Identifiers Guidance
A Common Control Identifier gives us specific DoD guidance and procedures for implementing and assessing the security controls.
For example, when implementing IR-7 security controls, the Common Control Identifiers (CCI-000839 through CCI-000842) guide us to:
• (CCI-000839) Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents.
• (CCI-000840) Employ automated mechanisms to increase the availability of incident response-related information and support.
• (CCI-000841) Establish a direct, cooperative relationship between its incident response capability and external providers of information system protection capability.
• (CCI-000842) Identify organizational incident response team members to the external providers.
Control Correlation Identifiers Guidance Cont
At this time, DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing.
Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users.
In assessing this security control, we will identify and interview as necessary to determine if the CCIs are fulfilled. As DoD requires us to implement an automated intra-organization incident response information sharing capability, we must determine if this capability is implemented.
This implementation is intended to provide information and support such as standard operating procedures for incident reporting, incident handling frequently asked questions, current incident activity awareness information, incident response contact information, and incident report submissions.
Control Correlation Identifiers Example
[Image: a Control Correlation Identifiers table for the IR-7 family, with columns Control, 800-53 Control, CCI Number, Text, and Indicator, and rows for IR-7, IR-7(1), IR-7(2)(a), and IR-7(2)(b).]
Select the image above to progress through a Control Correlation Identifiers example.
The Incident Response Family IR-7(1) is a specific control to address Incident Response Assistance | Automation Support For Availability Of Information / Support.
The control is given a CCI number 000840.
The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog: "The organization employs automated mechanisms to increase the availability of incident response-related information and support."
For each measurable statement, the IR-7(1) / CCI-000840 row of the table gives:
• Implementation guidance: The organization being inspected/assessed will implement an automated intra-organization incident response information sharing capability to provide incident related information and support, for example: 1. SOP for incident reporting; 2. Incident handling FAQ; 3. Current incident activity awareness information; 4. Incident response contact information; 5. Incident report submission.
• Assessment procedure: The organization conducting the inspection/assessment obtains and examines the incident response information sharing capability to validate the information sharing capability is available to organizational users.
• Indicator: DoD specific guidance and procedures.
DoD provides guidance and procedures. This supplemental guidance reflecting automated mechanisms can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website, or conversely, the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
Long Description
A typical Control Correlation Identifiers entry is comprised of:
• Control Number: IR-7(1) is highlighted. The Incident Response Family IR-7(1) is a specific control to address Incident Response Assistance | Automation Support For Availability Of Information / Support.
• CCI label highlighted: The control is given a CCI number 000840.
• CCI definition is highlighted: The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog.
• Guidance is highlighted: DoD provides guidance and procedures. This supplemental guidance reflecting automated mechanisms can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website, or conversely, the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.
We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs), Cont.
When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.
SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.
The first group is the four Core SRGs, which deal with Applications, Networking Devices, Operating Systems, and Policy. The second group is the technology-specific SRGs. A technology-specific SRG is a child of a Core SRG; for example, the Database SRG was derived from the requirements in the Application SRG.
The Purpose and Implementation Of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated, as appropriate, into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs), and Integrated Master Plans/Schedules (IMPs/IMSs).
CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and SSE should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management, and risk deliberations, and throughout Systems Engineering Technical Review (SETR) processes and reviews.
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.
Especially consider when a vendor or organization has used automation to allow them to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.
The Department of Defense Instruction (DoDI) 8500 Series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guidelines (SRGs).
In the absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance, or National Information Assurance Program (NIAP) Protection Profiles.
National Information Assurance Partnership (NIAP)
The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST).
Knowledge Review 3
The Department of Defense (DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual measurable statements referred to as (fill in the blank):
[ ] DoD Security Controls
[ ] Common Security Controls
[x] Control Correlation Identifiers
[ ] Security Controls Catalog
Check Answer
The Department of Defense (DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlation Identifiers.
Lesson Completion
You have completed the content for this lesson.
To continue, select another lesson from the Table of Contents on the left.
If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.
Automated Fuels System Roles and Responsibilities. Select each of the icons to learn more about the Roles and Responsibilities.
The Program Manager is Lieutenant Colonel Whitey Fry.
The Program Manager/Systems Manager (PM/SM) is the person who has the responsibility and authority to accomplish program or system objectives for development, production, and sustainment to meet the user's operational needs.
The PM/SM or Information System Owner (ISO) develops the Plan of Action and Milestones (POA&M), implements corrective actions, and ensures the security plan and POA&M are updated based on the results of the system-level continuous monitoring process.
Common Security Controls
Common Security Controls, as defined by Committee on National Security Systems Instruction (CNSSI) 1253, are controls in which the implementation is managed by an organizational entity other than the system owner. A common security control can be applied to one or more organizational information systems and includes:
• The development, implementation, and assessment of the common control, which is assigned to a responsible official or organizational element (other than the information system owner).
• The results from the assessment of the control, which can be used to support the RMF processes of an agency information system where that control has been applied.
By indicating whether the controls are typically implemented as common (also known as inherited) controls, the column titled Potentially Common/Inheritable in Table D-2 of CNSSI 1253 provides guidance for implementation planning.
The final determination of which controls to implement as common controls will vary depending on the system and its intended environment/deployment. All controls selected for an information system must be addressed in the security plan, whether those controls are implemented by the information system or inherited from a common control provider.
Evidence must be included or referenced in the security plan that shows the information system actually receives protection from the inheritable security controls.
Table D-2 Additional Security Control Information (excerpt)
ID        C  I  A  Justification for NSS Baseline(s)       Potentially Common/Inheritable
AC-1      x  x  x                                          x
AC-2      x  x
AC-2(1)   x  x                                             x
AC-2(2)   x  x                                             x
AC-2(3)   x  x                                             x
AC-2(4)   x  x     Insider Threat Issuance CNSSI No 1015   x
AC-2(5)   x  x  x  Best Practice, Insider Threat           x
AC-2(6)   x  x
AC-2(7)   x  x     Insider Threat Issuance CNSSI No 1015
AC-2(8)   x  x
AC-2(9)   x  x     Insider Threat                          x
AC-2(10)  x  x     Insider Threat
AC-2(11)  x  x
AC-2(12)  x  x     Insider Threat                          x
Long Description
Table D-2, Security Control Baselines, contains the columns Control ID, Confidentiality, Integrity, Availability, Justification for NSS Baseline(s), and Potentially Common/Inheritable.
• AC-1, 2, 2(1), 2(2), 2(3), 2(4), 2(5), 2(6), 2(7), 2(8), 2(9), 2(10), 2(11), and 2(12) have Confidentiality and Integrity.
• AC-1 has Availability and Potentially Common/Inheritable.
• AC-2(1), 2(2), 2(3) have Potentially Common/Inheritable.
• AC-2(4) has an Insider Threat Issuance CNSSI No 1015 and is Potentially Common/Inheritable.
• AC-2(5) has Availability; its Justification for NSS Baseline is Best Practice, Insider Threat. It is also Potentially Common/Inheritable.
• AC-2(7) has an Insider Threat Issuance CNSSI No 1015.
• AC-2(9) and AC-2(12) have a justification for NSS Baseline of Insider Threat and are Potentially Common/Inheritable.
• AC-2(10) has a justification for NSS Baseline of Insider Threat.
Examples of Common Security Controls
The DoD defines a Common Security Control as "a security control that is inherited by one or more organizational information systems."
The RMF Knowledge Service provides additional information on common security controls provided by Tiers 1, 2, and 3, as well as the list of Common Security Controls that can be inherited by DoD Information and PIT systems from Tier 1.
At Tier 1, the DoD CIO identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.
DoD Information and PIT systems are automatically compliant with Tier 1 common security controls because they implement and are satisfied by existing, documented DoD-level policies.
Examples of Common Security Controls, Cont.
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD-level policies as issued.
The Authorizing Official for the Tier 1 common security controls is the DoD Senior Information Security Officer.
Knowledge Review 1
True or False: A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
[x] True
[ ] False
Check Answer
True. A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
Risk Management Framework Step 3: Security Control Implementation
RMF Step 3 involves the process of implementing the security controls specified in the Security Plan in accordance with DoD implementation guidance found on the RMF KS.
Select each heading to view the key factors to consider when implementing security controls: Personnel, Organization, Risk Assessment, Inheritance.
Personnel
ISSEs, with support from ISSMs and ISSOs, employ a sound security engineering process that captures and refines information security requirements and ensures their integration into information technology products and systems through purposeful security design or configuration.
Organization
Organization security control implementation includes:
• Maintaining consistency with the organization's enterprise architecture and information security architecture.
• Using best practices when implementing the security controls within the Information or PIT system, including system and software engineering methodologies, security engineering principles, and secure software coding techniques.
• Satisfying minimum assurance requirements when implementing security controls.
• Establishing and implementing mandatory configuration settings on information technology products in accordance with federal and organizational policies.
Risk Assessment
Risk assessments may help inform decisions regarding the cost, benefit, and risk trade-offs in using one type of technology versus another for control implementation.
Inheritance
Security controls are typically accepted by inheriting organizations if that organization has complied with DoD implementation guidance and assessment procedures and has met the minimum DoD enterprise-wide specific assignment values.
Each organization has the authority to be more stringent than the published DoD implementation guidance and DoD-specific assignment values for individual security controls. However, the increase in stringency cannot preclude required interoperability or reciprocity.
Organizations requiring more stringency or otherwise deviating from DoD implementation guidance must document the assessment procedures used, along with justification for the deviation, in the security plan.
Common Security Controls Applied to the DoD Tiers of Risk Management
Select each tier of the Strategic risk pyramid to see how common security controls are applied.
Tier 1
The DoD Chief Information Officer (CIO) identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.
DoD Information System (IS) and PIT systems are automatically compliant with Tier 1 common security controls because they implement and are satisfied by existing, documented DoD-level policies.
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD-level policies as issued. The AO for the Tier 1 common security controls is the DoD Senior Information Security Officer (SISO).
Tier 2
The DoD Component Chief Information Officer (CIO) identifies component-specific common security controls that are satisfied by existing component policy and guidance and are applicable throughout the component. Tier 2 common security controls may be more stringent than Tier 1 common security controls but may not negate or contradict them. Additionally, Tier 2 common security controls may not prevent interoperability or reciprocity between or among the DoD Components.
Component Information Systems (IS) and PIT systems are automatically compliant with Tier 2 common security controls because they implement and are satisfied by existing, documented component policies and guidance. Risk associated with Tier 2 common security controls is assumed by the component providing the security control.
The Authorizing Official for the Tier 2 common security controls is the Component Senior Information Security Officer (SISO). Tier 2 common security controls are identified by DoD Components and should be posted to the individual DoD Component's KS workspace.
Tier 3
Within Tier 3 are Enclaves, which are a set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.
Enclaves may identify enclave-specific common security controls that are made available to Information or PIT systems that are nested within the enclave through agreements between the enclave and the nested Information or PIT systems.
The RMF Technical Advisory Group chairman has approved amplifying guidance for Tier 3 inheritance of common controls. This may be found under the Common Controls and Inheritance tab within the RMF Knowledge Service.
Risks introduced via common security controls at Tier 3 must be documented and either accepted, mitigated, or rejected by the nested Information or PIT system Authorizing Official.
Long Description
DoD Tiers of Risk Management pyramid, labelled from Strategic Risk at the top to Tactical Risk at the bottom: Tier 1 - Organization; Tier 2 - Mission/Business Processes; Tier 3 - IS/PIT Systems.
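The rules stated in the common-controls passage (every selected control addressed in the security plan, evidence for inherited protection), in the Inheritance factor of RMF Step 3 (organization-defined values no less stringent than the DoD value, deviations documented with assessment procedures and justification), and in the Tier 3 discussion (enclave-introduced risk accepted, mitigated, or rejected by the nested system's AO) can be checked mechanically against a security plan. The Python below is an added example, not part of this course or of any DoD tool such as eMASS. The control ids and the DoD-assigned value "[Annually]" for AC-1 reviews come from the lesson; the plan-entry field names, the day-based interval comparison, and the sample plan are constructed assumptions for illustration.

```python
"""Security-plan completeness check for RMF Step 3 (added example).

Rules, each taken from the lesson text:
  1. Every control selected for the system is addressed in the security
     plan, either implemented by the system or inherited from a common
     control provider.
  2. An inherited control names its provider and includes or references
     evidence that the system actually receives the protection.
  3. Organization-defined values may be more stringent than the DoD value
     but not less (modelled here as a maximum review interval in days).
  4. A deviation from DoD implementation guidance is documented with the
     assessment procedures used and a justification for the deviation.
  5. Risk introduced by a Tier 3 (enclave) common control is documented
     with an accept / mitigate / reject decision by the nested system's AO.

Control ids and the DoD value "[Annually]" for AC-1 come from the lesson.
The field names, the day-based comparison and the sample plan are
constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: the DoD-assigned value "[Annually]" for AC-1 policy/procedure
# review is modelled as a maximum interval of 365 days.
DOD_MAX_REVIEW_INTERVAL_DAYS: Dict[str, int] = {"AC-1": 365}

TIER3_AO_DECISIONS = {"accepted", "mitigated", "rejected"}


@dataclass
class PlanEntry:
    """One security-plan entry for a selected control (constructed schema)."""
    control: str
    status: str                               # "implemented" or "inherited"
    provider: Optional[str] = None            # common control provider, if inherited
    provider_tier: Optional[int] = None       # 1, 2 or 3 for an inherited control
    evidence: List[str] = field(default_factory=list)
    review_interval_days: Optional[int] = None
    deviates_from_dod_guidance: bool = False
    deviation_justification: str = ""
    assessment_procedures: str = ""
    ao_risk_decision: Optional[str] = None    # required for Tier 3 inheritance


def check_security_plan(selected: List[str], plan: List[PlanEntry]) -> List[str]:
    """Return one finding string per rule violation (empty list = plan is complete)."""
    findings: List[str] = []
    by_control = {e.control: e for e in plan}

    # Rule 1: every selected control must appear in the plan.
    for control in selected:
        if control not in by_control:
            findings.append(f"{control}: not addressed in security plan")

    for e in plan:
        if e.status == "inherited":
            # Rule 2: provider named and evidence of received protection.
            if not e.provider:
                findings.append(f"{e.control}: inherited but no common control provider named")
            if not e.evidence:
                findings.append(f"{e.control}: no evidence that the system receives the inherited protection")
            # Rule 5: Tier 3 inherited risk needs the nested system AO's decision.
            if e.provider_tier == 3 and e.ao_risk_decision not in TIER3_AO_DECISIONS:
                findings.append(f"{e.control}: Tier 3 inherited risk lacks AO accept/mitigate/reject decision")
        elif e.status != "implemented":
            findings.append(f"{e.control}: unknown status {e.status!r}")

        # Rule 3: org-defined value no less stringent than the DoD value.
        dod_max = DOD_MAX_REVIEW_INTERVAL_DAYS.get(e.control)
        if dod_max is not None and e.review_interval_days is not None and e.review_interval_days > dod_max:
            findings.append(
                f"{e.control}: review interval {e.review_interval_days} days is less stringent "
                f"than the DoD value of {dod_max} days")

        # Rule 4: a deviation must carry justification and assessment procedures.
        if e.deviates_from_dod_guidance and not (e.deviation_justification and e.assessment_procedures):
            findings.append(f"{e.control}: deviation from DoD guidance lacks documented justification and assessment procedures")

    return findings


# Constructed sample: five selected controls and a partially complete plan.
SELECTED_CONTROLS = ["AC-1", "AC-2", "AT-1", "IR-7", "PE-1"]
SAMPLE_PLAN = [
    PlanEntry("AC-1", "implemented", review_interval_days=90),          # quarterly: more stringent, allowed
    PlanEntry("AT-1", "inherited", provider="DoD CIO (Tier 1 list)", provider_tier=1,
              evidence=["Existing DoD-level policy, per the Tier 1 common control list"]),
    PlanEntry("PE-1", "implemented", deviates_from_dod_guidance=True),  # deviation without justification
    PlanEntry("IR-7", "inherited", provider="Host enclave", provider_tier=3),  # no evidence, no AO decision
    # AC-2 is selected but has no entry at all
]


def sample_findings() -> List[str]:
    return check_security_plan(SELECTED_CONTROLS, SAMPLE_PLAN)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

Running the block on the constructed plan reports four findings: AC-2 is not addressed, PE-1's deviation is undocumented, and IR-7 lacks both evidence and the AO's Tier 3 risk decision. The AC-1 quarterly review passes because it is more stringent than the DoD annual value, which is exactly the latitude the Inheritance text grants.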
Tier 1 Common Security Controls for the DoD Enterprise
The following is a list of the DoD Enterprise-level (Tier 1) common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD. DoD Information and PIT systems are considered to be automatically compliant with these controls.
Control Number   Control Title
AT-1             SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
AT-2             SECURITY AWARENESS TRAINING
AT-2(1)          SECURITY AWARENESS | PRACTICAL EXERCISES
AT-2(2)          SECURITY AWARENESS | INSIDER THREAT
IA-1             IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-5(14)         AUTHENTICATOR MANAGEMENT | MANAGING CONTENT OF PKI TRUST STORES
IA-5(3)          AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
IR-1             INCIDENT RESPONSE POLICY AND PROCEDURES
IR-4(3)          INCIDENT HANDLING | CONTINUITY OF OPERATIONS
MP-1             MEDIA PROTECTION POLICY AND PROCEDURES
PE-1             PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PL-1             SECURITY PLANNING POLICY AND PROCEDURES
PL-9             CENTRAL MANAGEMENT
PM-1             INFORMATION SECURITY PROGRAM PLAN
PM-10            SECURITY AUTHORIZATION PROCESS
PM-7             ENTERPRISE ARCHITECTURE
PM-9             RISK MANAGEMENT STRATEGY
PS-1             PERSONNEL SECURITY POLICY AND PROCEDURES
RA-1             RISK ASSESSMENT POLICY AND PROCEDURES
SI-1             SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
Knowledge Review 2
At which Department of Defense (DoD) Tier of risk management is risk introduced via common security controls at the enclave level that must be documented as either accepted, mitigated, or rejected risk by the nested Information System or Platform Information Technology (PIT) System Authorizing Official?
[ ] Tier 1
[ ] Tier 2
[x] Tier 3
Check Answer
Tier 3 is the DoD tier of risk management at which risk is introduced via common security controls at the enclave level that must be documented as either accepted, mitigated, or rejected risk by the nested Information System or PIT System Authorizing Official.
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation
The Security Controls Explorer found within the RMF Knowledge Service provides implementation guidance and best practices for implementing security controls. This resource is critical when implementing security controls within DoD.
Within the list for each security control, DoD has assigned specific values, implementation guidance, and assessment procedures. These can be used to manage and document the RMF process. In addition to the Knowledge Service, these procedures can be found in the DoD Enterprise Mission Assurance Support Service (eMASS).
Long Description
AC-1 Access Control Policy and Procedures. Users can view control details:
• Control Text: The organization: a. Develops, documents, and disseminates to [all personnel]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Annually]; and 2. Access control procedures [Annually].
• Supplemental Guidance
• References
• Security Categorization
• Implementation Guidance and Assessment Procedures
Control Correlation Identifier (CCI)
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides specific security control information that can be applied to all US Government information systems.
However, DoD has provided amplifying guidance, requirements, and direction based on DoD policies, mandates, architectures, and environments within the RMF Knowledge Service.
The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control. CCIs bridge the gap between high-level policy expressions and low-level technical implementations. DoD has taken every security control and associated enhancements within the Security Controls Catalog and decomposed them into individual measurable statements.
CCIs:
• Do not change the meaning or intent of a security control.
• Are simply a breakdown of each individual requirement within the security control.
• Are given a numeric label.
• Provide specific implementation guidance and assessment procedures.
Control Correlation Identifiers Guidance
A Common Control Identifier gives us specific DoD guidance and procedures for implementing and assessing the security controls.
For example, when implementing the IR-7 security controls, the Common Control Identifiers (CCI-000839 through CCI-000842) guide us to:
• (CCI-000839) Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents.
• (CCI-000840) Employ automated mechanisms to increase the availability of incident response-related information and support.
• (CCI-000841) Establish a direct, cooperative relationship between its incident response capability and external providers of information system protection capability.
• (CCI-000842) Identify organizational incident response team members to the external providers.
Control Correlation Identifiers Guidance, Cont.
At this time, DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing.
Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users.
In assessing this security control, we will identify and interview as necessary to determine if the CCIs are fulfilled. As DoD requires us to implement an automated intra-organization incident response information sharing capability, we must determine if this capability is implemented.
This implementation is intended to provide information and support such as standard operating procedures for incident reporting and incident handling, frequently asked questions, current incident activity awareness information, incident response contact information, and incident report submissions.
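The CCI pages describe a traceability chain: a control is decomposed into numbered, measurable CCIs; each CCI is mapped to the STIG, SRG, or configuration item that implements it; and the assessor examines and interviews to determine whether each CCI is fulfilled. The Python below is an added example of that bookkeeping for IR-7, written for this edit and not taken from the course, the RMF Knowledge Service, or eMASS. The four CCI numbers, their statements, and the content items the automated capability (CCI-000840) is expected to provide come from the lesson; the check ids, evidence labels, and sample inputs are constructed placeholders, not DISA identifiers.

```python
"""CCI traceability check for IR-7 (added example).

Models the lesson's decomposition of a control into numbered CCIs and
records, per CCI, the implementing check it maps to and the assessment
evidence gathered, so that "are the CCIs fulfilled?" becomes a mechanical
report. The four IR-7 CCIs and their wording are from the lesson, as is
the content list the automated capability (CCI-000840) is expected to
provide. The check ids, evidence labels and the sample inputs are
constructed for illustration and are not DISA identifiers.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class CCI:
    cci_id: str
    control: str          # control or enhancement the CCI decomposes
    statement: str        # the measurable statement
    required_content: FrozenSet[str] = frozenset()   # items the assessor examines for


IR7_CCIS: List[CCI] = [
    CCI("CCI-000839", "IR-7",
        "Provide an incident response support resource that offers advice and "
        "assistance to users for handling and reporting security incidents"),
    CCI("CCI-000840", "IR-7(1)",
        "Employ automated mechanisms to increase the availability of incident "
        "response-related information and support",
        frozenset({"incident reporting SOP", "incident handling SOP", "FAQ",
                   "current incident activity", "IR contact information",
                   "incident report submission"})),
    CCI("CCI-000841", "IR-7(2)",
        "Establish a direct cooperative relationship between the incident response "
        "capability and external providers of protection capability"),
    CCI("CCI-000842", "IR-7(2)",
        "Identify organizational incident response team members to the external providers"),
]


def trace_ccis(ccis: List[CCI], checks: Dict[str, List[str]],
               evidence: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Return {cci_id: [gap, ...]} for every CCI that is not yet fulfilled."""
    gaps: Dict[str, List[str]] = {}
    for cci in ccis:
        found: List[str] = []
        if not checks.get(cci.cci_id):
            found.append("no implementing STIG/SRG check or configuration item mapped")
        have = evidence.get(cci.cci_id, set())
        if cci.required_content:
            # Each content item the capability must provide needs examined evidence.
            for item in sorted(cci.required_content - have):
                found.append(f"capability not shown to provide: {item}")
        elif not have:
            found.append("no assessment evidence recorded")
        if found:
            gaps[cci.cci_id] = found
    return gaps


def control_status(ccis: List[CCI], gaps: Dict[str, List[str]]) -> Dict[str, bool]:
    """A control is fulfilled only when every CCI decomposed from it has no gap."""
    status: Dict[str, bool] = {}
    for cci in ccis:
        status[cci.control] = status.get(cci.control, True) and cci.cci_id not in gaps
    return status


# Constructed sample inputs: placeholder check ids and assessment evidence.
SAMPLE_CHECKS: Dict[str, List[str]] = {
    "CCI-000839": ["CHECK-IR-HELPDESK (placeholder)"],
    "CCI-000840": ["CHECK-IR-PORTAL (placeholder)"],
    "CCI-000841": ["CHECK-EXT-PROVIDER-AGREEMENT (placeholder)"],
    # CCI-000842 has no mapped check yet
}
SAMPLE_EVIDENCE: Dict[str, Set[str]] = {
    "CCI-000839": {"interview: ISSO confirmed help desk takes incident reports"},
    "CCI-000840": {"incident reporting SOP", "incident handling SOP", "FAQ",
                   "IR contact information", "incident report submission"},   # no current-activity feed
    "CCI-000841": {"examined: signed agreement with external protection provider"},
}


def sample_gaps() -> Dict[str, List[str]]:
    return trace_ccis(IR7_CCIS, SAMPLE_CHECKS, SAMPLE_EVIDENCE)


def sample_status() -> Dict[str, bool]:
    return control_status(IR7_CCIS, sample_gaps())


if __name__ == "__main__":
    for cci_id, found in sample_gaps().items():
        print(cci_id, found)
    print(sample_status())
```

On the constructed inputs, IR-7 is fulfilled, IR-7(1) is open because the portal was not shown to carry current incident activity, and IR-7(2) is open because CCI-000842 has neither a mapped check nor evidence. Because a control is reported as fulfilled only when all of its CCIs are, the report preserves the lesson's point that CCIs break a control down without changing its meaning.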
Control Correlation Identifiers Example
[Screenshot: Security Control Explorer entries for IR-7(1) and IR-7(2) with their CCIs and DoD guidance; select the image to progress through the Control Correlation Identifiers example]
The Incident Response family control IR-7(1) is a specific control to address Incident Response Assistance | Automation Support for Availability of Information Support.
--
___
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example
IRmiddot1 IRmiddot7
CCI
COshy
CCI-no___ _ tHfIOIM aupoon tbullto1ttbull to tN ---rH-MUpobMy 1NI elrin ~MidMliiA-U 10 Wtra
dlM-bullibullmtot11M~ --d-yWM-S
--~_ ~-------_-_-shy-
1R 1 QI IHQl(ll CO-I TM~Hl-bullclortd CoopedlNe ~
- bullbullbull-clflllY _ txtipo-d_ cwty
C0-2 TIM_bull ___IR-7 2) IRmiddot7 QI (11) iflCldlN tH$IOM4 Ibull~ to tM txtotNI_
The control is given a CCI number 000840
~
Tho --bot Tht--~~tidrMMbullud_H~ _ mpecWNHMHlMftl ___ ____ ~IOMJThtlp- topwa_rH_M_NNCHINl~ffl cMlcbull W U llMCt to uMrt W aallt1MCe ol thoH HMCff ~ 11Md I ~-middotmiddot--Y ____~ ~fVSlft~illhOnLO
Mt-et II M 1ftCldert ~
MMebull lo cotUct Tht -middot- Tht ___pectt6nMut ~ ~ obtMllll s -nne1 tht_____ ------wv---_~ ---_~ 10 0 __- _ -lomiddotmiddot---shy--_ I SOPlor--O 2 ~deg
) o Y-middot_ rHponM Conucts ~ _
Tht --bot TIM--~ lfltpeC1tidiMMUed bulllhtlilliM ~ otllMM s t1lit
fMCWodc ~ -MNCbull ptcMdef Wt CfJl)ltO 1ti1 - bull m wrren1 -middot--middotmiddot-middot ----- (QCllSP - shyTN Olll)lll zbullM bMt9 Tllif OfflllVbulldeg c0fdut19 a lfltpKlMUM tnull prNde Mii 1M91CbOftUffllrntinC Md_ tht upctae 1bt bull11 o1 tm11 llllttdMI Mt wwetnlll PifM bullbullbull~ JM ~mt_ bullbull MltHJaY to wMilbull bull 11 eccurlllbull and c_ ke ___ tlM ~ CNOSP -CHOSP____ __ C--N ___lllO ---Mt CJlOSPshy -oc1
Page 17 of 23 Back Next
---
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example
CCIOoshy
IR-1 A-1 CO- no___- Tho __ Tht--~t fHSIOMbull IUIJPM flICMilU ti lO the specttclr_IMCf Hfaibllltl MPKtflftHtfflmenl ~onll~ fHpOftH capiibMy lftCdtiril rnpoftM ~MNCe Of9ilV-oNI VHft to _ tllftHamp fl ma~~Md nace 10 Mllogow bullbull rr POHJt to~~ rHpMM 9tIPPOft middot~ Md -1bull ollllt-JY(tmloflllt_ --u-010-lof n-tMIMM_n_lllOd I--middotuany -~-middotmiddot-~--middot-y-- __--lO
_ff 11 idlnlI M ~ HSOONbull ~ MNCe to COlUCI
Rmiddot1 (1) Amiddot1 (1) The organizat ion employs automated Tho --bull_impecbatllbulluu olilaM ft x tht mechanisms to Increase the availability of
--- ---- C-Y__bololy IO-o IN__~incident response-related Information and _ - __ support _
----middot ~~~-~ l c~ bull deg - tclfleyFor each ~ fftPQnM COfll-ICImeasurable -shy
statement shys---shyTho __ Thi--~Thtot--bullbulloct c~MLll11s mspecte6assustcl rnmt ~ bull ~anbulltslNftl~ mtd IM
- middot-~ysmshy~__MtMlkMNCt prCMdet __wtQ~ lot II 9 CUfWll ----middot-- --cloc--hcopoWry (QC)SP) Mid shyTho__ Tho_ c-g lllollH C2) A-7 (2)(b) Thl0t~-middot~shy -OIHuocl-l~ond _ _ ___~ tflpenM tt ~tom tXltmal pnMdiln upclabull the bullbull Cl ~ ~~middot bullbull ~
POftM mttntltta bullbull MCairt to II ecc Md CllilNWll ~ ttw~lllo~eltlltCHOSP _CHOSP___ - -- __pon--MOylhollt
CtlOSP19- middot- The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog
Page 17 of 23 Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
[Table: CCI example for IR-7 and its enhancements, with columns for the Control, the 800-53 Control, the CCI Number and the CCI text. The IR-7 base row and the IR-7(2)(a) row are illegible in the source.]
IR-7(1), CCI-000840
The organization being inspected/assessed will implement an automated intra-organization incident response information sharing capability. The capability provides incident-related information and support, for example:
1. SOP for incident reporting
2. Incident handling FAQ
3. Current incident activity awareness information
4. Incident response contact information
5. Incident report submission
The organization conducting the inspection/assessment obtains and examines the incident response information sharing capability to validate that the information sharing capability is available to organizational users.
DoD provides guidance and procedures. This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website, or conversely the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
IR-7(2)(b)
[Row partially legible in the source: the organization being inspected/assessed updates the list of internal incident response team members, and the organization conducting the inspection/assessment obtains and examines that list, as necessary to ensure it is accurate and current.]
Long Description
A typical Control Correlation Identifiers entry is comprised of:
• Control Number: IR-7(1) is highlighted. The Incident Response family control IR-7(1) is a specific control to address Incident Response Assistance | Automation Support For Availability Of Information / Support.
• CCI label: highlighted. The control is given a CCI number, 000840.
• CCI definition: highlighted. The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog.
• Guidance: highlighted. DoD provides guidance and procedures. This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website, or conversely the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
Common Control I dentifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.
We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs) (Cont.)
When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.
SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.
The first group is the four Core SRGs, which deal with Applications, Networking Devices, Operating Systems, and Policy. The second group is the technology-specific SRGs. A technology-specific SRG is a child of a Core SRG; for example, the Database SRG was derived from the requirements in the Application SRG.
The Purpose and Implementation Of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated, as appropriate, into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs), and Integrated Master Plans/Schedules (IMPs/IMSs).
CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and SSE should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management and risk deliberations, and throughout Systems Engineering Technical Review (SETR) processes and reviews.
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.
Especially consider when a vendor or organization has used automation to allow them to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.
The Department of Defense Instruction (DoDI) 8500 Series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guidelines (SRGs).
In the absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance, or National Information Assurance Program (NIAP) Protection Profiles.
National Information Assurance Program
The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST). For more information, please visit the NIAP website.
Knowledge Review 3
The Department of Defense (DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual measurable statements referred to as (fill in the blank):
[ ] DoD Security Controls
[ ] Common Security Controls
[x] Control Correlation Identifiers
[ ] Security Controls Catalog
Check Answer
The Department of Defense (DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlation Identifiers.
Lesson Completion
You have completed the content for this lesson.
To continue, select another lesson from the Table of Contents on the left.
If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.
Common Security Controls
Common Security Controls, as defined by Committee on National Security Systems Instruction (CNSSI) 1253, are controls in which the implementation is managed by an organizational entity other than the system owner. It is a security control that can be applied to one or more organizational information systems and includes:
• The development, implementation and assessment of the common control, which is assigned to a responsible official or organizational element (other than the information system owner)
• The results from the assessment of the control, which can be used to support the RMF processes of an agency information system where that control has been applied
By indicating whether the controls are typically implemented as common (also known as inherited) controls, the column titled Potentially Common/Inheritable in Table D-2 of CNSSI 1253 provides guidance with implementation planning.
The final determination of which controls to implement as common controls will vary depending on the system and its intended environment/deployment. All controls selected for an information system must be addressed in the security plan, whether those controls are implemented by the information system or inherited from a common control provider.
Evidence must be included or referenced in the security plan that shows the information system actually receives protection from the inheritable security controls.
Table D-2 Additional Security Control Information (excerpt)
ID        C  I  A  Justification for NSS Baseline(s)        Potentially Common/Inheritable
AC-1      x  x  x                                            x
AC-2      x  x
AC-2(1)   x  x                                               x
AC-2(2)   x  x                                               x
AC-2(3)   x  x                                               x
AC-2(4)   x  x     Insider Threat Issuance CNSSI No. 1015    x
AC-2(5)   x  x  x  Best Practice, Insider Threat             x
AC-2(6)   x  x
AC-2(7)   x  x     Insider Threat Issuance CNSSI No. 1015
AC-2(8)   x  x
AC-2(9)   x  x     Insider Threat                            x
AC-2(10)  x  x     Insider Threat
AC-2(11)  x  x
AC-2(12)  x  x     Insider Threat                            x
Long Description
Table D-2 Security Control Baselines contains the columns Control ID, Confidentiality, Integrity, Availability, Justification for NSS Baseline(s), and Potentially Common/Inheritable. AC-1, 2, 2(1), 2(2), 2(3), 2(4), 2(5), 2(6), 2(7), 2(8), 2(9), 2(10), 2(11) and 2(12) have Confidentiality and Integrity.
• AC-1 has Availability and is Potentially Common/Inheritable.
• AC-2(1), 2(2), 2(3) are Potentially Common/Inheritable.
• AC-2(4) has an Insider Threat Issuance CNSSI No. 1015 and is Potentially Common/Inheritable.
• AC-2(5) has Availability; its Justification for NSS Baseline is Best Practice, Insider Threat. It is also Potentially Common/Inheritable.
• AC-2(7) has an Insider Threat Issuance CNSSI No. 1015.
• AC-2(9) and AC-2(12) have a Justification for NSS Baseline of Insider Threat and are Potentially Common/Inheritable.
• AC-2(10) has a Justification for NSS Baseline of Insider Threat.
Examples of Common Security Controls
The DoD defines a Common Security Control as a security control that is inherited by one or more organizational information systems.
The RMF Knowledge Service provides additional information on common security controls provided by Tiers 1, 2 and 3, as well as the list of Common Security Controls that can be inherited by DoD Information and PIT systems from Tier 1.
At Tier 1, the DoD CIO identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.
DoD Information and PIT systems are automatically compliant with Tier 1 common security controls because they implement and are satisfied by existing documented DoD-level policies.
Examples of Common Security Controls (Cont.)
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD-level policies as issued.
The Authorizing Official for the Tier 1 common security controls is the DoD Senior Information Security Officer.
Knowledge Review 1
True or False: A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
[x] True
[ ] False
Check Answer
True. A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
Risk Management Framework Step 3 Security Control Implementation
RMF Step 3 involves the process of implementing the security controls specified in the Security Plan in accordance with DoD implementation guidance found on the RMF KS.
The key factors to consider when implementing security controls are Personnel, Organization, Risk Assessment and Inheritance.
Personnel
ISSEs, with support from ISSMs and ISSOs, employ a sound security engineering process that captures and refines information security requirements and ensures their integration into information technology products and systems through purposeful security design or configuration.
Organization
Organization security control implementation includes:
• Maintaining consistency with the organization's enterprise architecture and information security architecture
• Using best practices when implementing the security controls within the Information or PIT system, including system and software engineering methodologies, security engineering principles, and secure software coding techniques
• Satisfying minimum assurance requirements when implementing security controls
• Establishing and implementing mandatory configuration settings on information technology products in accordance with federal and organizational policies
Risk Assessment
Risk assessments may help inform decisions regarding the cost, benefit, and risk trade-offs in using one type of technology versus another for control implementation.
Inheritance
Security controls are typically accepted by inheriting organizations if that organization has complied with DoD implementation guidance and assessment procedures and has met the minimum DoD enterprise-wide specific assignment values.
Each organization has the authority to be more stringent than the published DoD implementation guidance and DoD-specific assignment values for individual security controls. However, the increase in stringency cannot preclude required interoperability or reciprocity.
Organizations requiring more stringency or otherwise deviating from DoD implementation guidance must document the assessment procedures used, along with justification for the deviation, in the security plan.
Common Security Controls Applied to the DoD Tiers of Risk Management
[Figure: pyramid of the DoD tiers of risk management, Strategic Risk at the top and Tactical Risk at the bottom.]
Tier 1
The DoD Chief Information Officer (CIO) identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.
DoD Information System (IS) and PIT systems are automatically compliant with Tier 1 common security controls because they implement and are satisfied by existing documented DoD-level policies.
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD-level policies as issued. The AO for the Tier 1 common security controls is the DoD Senior Information Security Officer (SISO).
Tier 2
The DoD Component Chief Information Officer (CIO) identifies component-specific common security controls that are satisfied by existing component policy and guidance and are applicable throughout the component. Tier 2 common security controls may be more stringent than Tier 1 common security controls but may not negate or contradict them. Additionally, Tier 2 common security controls may not prevent interoperability or reciprocity between or among the DoD Components.
Component Information Systems (IS) and PIT systems are automatically compliant with Tier 2 common security controls because they implement and are satisfied by existing documented component policies and guidance. Risk associated with Tier 2 common security controls is assumed by the component providing the security control.
The Authorizing Official for the Tier 2 common security controls is the Component Senior Information Security Officer (SISO). Tier 2 common security controls are identified by DoD Components and should be posted to the individual DoD Component's KS workspace.
Tier 3
Within Tier 3 are Enclaves, which are a set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.
Enclaves may identify enclave-specific common security controls that are made available to Information or PIT systems nested within the enclave, through agreements between the enclave and the nested Information or PIT systems.
The RMF Technical Advisory Group chairman has approved amplifying guidance for Tier 3 inheritance of common controls. This may be found under the Common Controls and Inheritance tab within the RMF Knowledge Service.
Risks introduced via common security controls at Tier 3 must be documented and either accepted, mitigated or rejected by the nested Information or PIT system Authorizing Official.
Long Description
DoD Tiers of Risk Management: Tier 1, Organization; Tier 2, Mission/Business Processes; Tier 3, IS/PIT Systems.
Tier 1 Common Security Controls for the DoD Enterprise
The following is a list of the DoD Enterprise level (Tier 1) common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD. DoD Information and PIT systems are considered to be automatically compliant with these controls.
Control Number  Control Title
AT-1            SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
AT-2            SECURITY AWARENESS TRAINING
AT-2(1)         SECURITY AWARENESS | PRACTICAL EXERCISES
AT-2(2)         SECURITY AWARENESS | INSIDER THREAT
IA-1            IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-5(14)        AUTHENTICATOR MANAGEMENT | MANAGING CONTENT OF PKI TRUST STORES
IA-5(3)         AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
IR-1            INCIDENT RESPONSE POLICY AND PROCEDURES
IR-4(3)         INCIDENT HANDLING | CONTINUITY OF OPERATIONS
MP-1            MEDIA PROTECTION POLICY AND PROCEDURES
PE-1            PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PL-1            SECURITY PLANNING POLICY AND PROCEDURES
PL-9            CENTRAL MANAGEMENT
PM-1            INFORMATION SECURITY PROGRAM PLAN
PM-10           SECURITY AUTHORIZATION PROCESS
PM-7            ENTERPRISE ARCHITECTURE
PM-9            RISK MANAGEMENT STRATEGY
PS-1            PERSONNEL SECURITY POLICY AND PROCEDURES
RA-1            RISK ASSESSMENT POLICY AND PROCEDURES
SI-1            SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
Knowledge Review 2
At which Department of Defense (DoD) Tier of risk management is risk introduced via common security controls at the enclave level that must be documented as either accepted, mitigated, or rejected risk by the nested Information System or Platform Information Technology (PIT) System Authorizing Official?
[ ] Tier 1
[ ] Tier 2
[x] Tier 3
Check Answer
Tier 3 is the DoD tier of risk management at which risk is introduced via common security controls at the enclave level that must be documented as either accepted, mitigated, or rejected risk by the nested Information System or PIT System Authorizing Official.
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation
The Security Controls Explorer found within the RMF Knowledge Service provides implementation guidance and best practices for implementing security controls. This resource is critical when implementing security controls within DoD.
Within the list for each security control, DoD has assigned specific values, implementation guidance, and assessment procedures. These can be used to manage and document the RMF process. In addition to the Knowledge Service, these procedures can be found in the DoD Enterprise Mission Assurance Support Service (eMASS).
Long Description
The Security Control Explorer entry for AC-1, Access Control Policy and Procedures. Users can view the control details:
• Control Text: The organization: a. Develops, documents, and disseminates to [all personnel]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Annually]; and 2. Access control procedures [Annually].
• Supplemental Guidance
• References
• Security Categorization
• Implementation Guidance and Assessment Procedures
Control Correlation Identifier (CCI)
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides specific security control information that can be applied to all US Government information systems.
However, DoD has provided amplifying guidance, requirements, and direction based on DoD policies, mandates, architectures, and environments within the RMF Knowledge Service.
The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control. CCIs bridge the gap between high-level policy expressions and low-level technical implementations. DoD has taken every security control and associated enhancements within the Security Controls Catalog and decomposed them into individual, measurable statements.
CCIs:
• Do not change the meaning or intent of a security control
• Are simply a breakdown of each individual requirement within the security control
• Are given a numeric label
• Provide specific implementation guidance and assessment procedures
Control Correlation Identifiers Guidance
A Control Correlation Identifier gives us specific DoD guidance and procedures for implementing and assessing the security controls.
For example, when implementing IR-7 security controls, the Control Correlation Identifiers (CCI-000839 through CCI-000842) guide us to:
• (CCI-000839) Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents
• (CCI-000840) Employ automated mechanisms to increase the availability of incident response-related information and support
• (CCI-000841) Establish a direct, cooperative relationship between its incident response capability and external providers of information system protection capability
• (CCI-000842) Identify organizational incident response team members to the external providers
Control Correlation Identifiers Guidance Cont.
At this time, DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing.
Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users.
In assessing this security control, we will identify and interview as necessary to determine if the CCIs are fulfilled. As DoD requires us to implement an automated intra-organization incident response information sharing capability, we must determine if this capability is implemented.
This implementation is intended to provide information and support such as standard operating procedures for incident reporting, incident handling frequently asked questions, current incident activity awareness information, incident response contact information, and incident report submissions.
Control Correlation Identifiers Example
[Figure: a Control Correlation Identifiers example for IR-7, shown as a table with the columns Control, 800-53 Control, CCI Number, Text, and Indicator. The recoverable content of the highlighted rows is given in the long description below.]
Long Description
A typical Control Correlation Identifiers entry is comprised of:
• Control Number: IR-7(1) is highlighted. The Incident Response Family IR-7(1) is a specific control to address Incident Response Assistance | Automation Support For Availability Of Information Support.
• CCI label: highlighted. The control is given a CCI number, 000840.
• CCI definition: highlighted. The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog: "The organization employs automated mechanisms to increase the availability of incident response-related information and support."
• Guidance: highlighted. DoD provides guidance and procedures. This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website, or conversely, the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
• Implementation guidance (DoD specific guidance and procedures): The organization being inspected/assessed will implement an automated intra-organization incident response information sharing capability. Incident related information and support, for example: 1. SOP for incident reporting; 2. Incident handling FAQ; 3. Current incident activity awareness information; 4. Incident response contact information; 5. Incident report submission.
• Assessment procedure: The organization conducting the inspection/assessment obtains and examines the automated incident response information sharing capability to validate the information sharing capability is available to organizational users.
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.
We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs) Cont.
When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.
SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.
The first group are four Core SRGs, which deal with Applications, Networking Devices, Operating Systems, and Policy. The second group are technology-specific SRGs. A technology-specific SRG is a child of a Core SRG; for example, the Database SRG was derived from the requirements in the Application SRG.
The Purpose and Implementation of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated, as appropriate, into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs), and Integrated Master Plans/Schedules (IMPs/IMSs).
CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and SSE should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management, and risk deliberations, and throughout Systems Engineering Technical Review (SETR) processes and reviews.
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.
Especially consider when a vendor or organization has used automation to allow them to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.
The Department of Defense Instruction (DoDI) 8500 Series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guidelines (SRGs).
In absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance, or National Information Assurance Program (NIAP) Protection Profiles.
National Information Assurance Program
The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers that is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST). For more information, please visit the NIAP website.
Knowledge Review 3
The Department of Defense (DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual measurable statements referred to as (Fill in the blank):
[ ] DoD Security Controls
[ ] Common Security Controls
[x] Control Correlation Identifiers
[ ] Security Controls Catalog
Check Answer
The Department of Defense (DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlation Identifiers.
Lesson Completion
You have completed the content for this lesson.
To continue, select another lesson from the Table of Contents on the left.
If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.
[Figure: Table D-2 Additional Security Control Information (CNSSI 1253), reconstructed from the flattened table and its long description.]
Control ID | C | I | A | Justification for NSS Baseline(s) | Potentially Common/Inheritable
AC-1 | x | x | x | | x
AC-2 | x | x | | |
AC-2(1) | x | x | | | x
AC-2(2) | x | x | | | x
AC-2(3) | x | x | | | x
AC-2(4) | x | x | | Insider Threat Issuance CNSSI No. 1015 | x
AC-2(5) | x | x | x | Best Practice Insider Threat | x
AC-2(6) | x | x | | |
AC-2(7) | x | x | | Insider Threat Issuance CNSSI No. 1015 |
AC-2(8) | x | x | | |
AC-2(9) | x | x | | Insider Threat | x
AC-2(10) | x | x | | Insider Threat |
AC-2(11) | x | x | | |
AC-2(12) | x | x | | Insider Threat | x
Common Security Controls
Common Security controls, as defined by Committee on National Security Systems Instruction (CNSSI) 1253, are controls in which the implementation is managed by an organizational entity other than the system owner. It is a security control that can be applied to one or more organizational information systems and includes:
• The development, implementation, and assessment of the common control that is assigned to a responsible o...
• The results f... of an agency...
By indicating whet... controls the colum... guidance with impl... The final determina... system and its inte... be addressed in th... or inherited from a... Evidence must be i... actually receives p... Please select the...
Long Description
The Table D-2 Security Control Baselines contains the Control ID, Confidentiality, Integrity, Availability, Justification for NSS Baseline(s), and Potentially Common/Inheritable. AC-1, 2, 2(1), 2(2), 2(3), 2(4), 2(5), 2(6), 2(7), 2(8), 2(9), 2(10), 2(11), and 2(12) have Confidentiality and Integrity.
• AC-1 has Availability and Potentially Common/Inheritable
• AC-2(1), 2(2), 2(3) have Potentially Common/Inheritable
• AC-2(4) has an Insider Threat Issuance CNSSI No. 1015 and is Potentially Common/Inheritable
• AC-2(5) has Availability; Justification for NSS Baseline is Best Practice Insider Threat. It is also Potentially Common/Inheritable
• AC-2(7) has an Insider Threat Issuance CNSSI No. 1015
• AC-2(9) and AC-2(12) have a justification for NSS Baseline as Insider Threat and are Potentially Common/Inheritable
• AC-2(10) has a justification for NSS Baseline as Insider Threat
Examples of Common Security Controls
The DoD defines a Common Security Control as: A security control that is inherited by one or more organizational information systems.
The RMF Knowledge Service provides additional information on common security controls provided by Tiers 1, 2, and 3, as well as the list of Common Security Controls that can be inherited by DoD Information and PIT systems from Tier 1.
At Tier 1, the DoD CIO identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.
DoD Information and PIT systems are automatically compliant with Tier 1 common security controls because they implement and are satisfied by existing, documented DoD level policies.
Examples of Common Security Controls Cont.
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD level policies as issued.
The Authorizing Official for the Tier 1 common security controls is the DoD Senior Information Security Officer.
Knowledge Review 1
True or False: A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
[x] True
[ ] False
Check Answer
True. A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
Risk Management Framework Step 3 Security Control Implementation
RMF Step 3 involves the process of implementing the security controls specified in the Security Plan in accordance with OoO implementation guidance found on the RMF KS
Select each heading to view the key factors to consider when implementing security controls
[Personnel Organization Risk Assess m ent Inh_e_r_it_a_n_c_e_J____
I Pbullge Qof23 I Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Risk Management Framework Step 3 Security Control Implementation
RMF St ep 3 involves the process of implementing the security controls specified in the Security Plan in accordance with OoO implementation guidance found on the RMF KS
Select each heading to view the key factors to consider when implementing security controls
Personnel Organization Risk Assessment Inheritance
ISSEs with support from ISSMs and ISSOs employ a sound security engineering process that captures and refines in formation security requirements and ensures their integration into information technology produc ts and sys tems through purposeful security design or configuration
Organization
Security control implementation includes:
• Maintaining consistency with the organization's enterprise architecture and information security architecture
• Using best practices when implementing the security controls within the Information or PIT system, including system and software engineering methodologies, security engineering principles and secure software coding techniques
• Satisfying minimum assurance requirements when implementing security controls
• Establishing and implementing mandatory configuration settings on information technology products in accordance with federal and organizational policies
Risk Assessment
Risk assessments may help inform decisions regarding the cost, benefit and risk trade-offs in using one type of technology versus another for control implementation.
Inheritance
Security controls are typically accepted by inheriting organizations if that organization has complied with DoD implementation guidance and assessment procedures and has met the minimum DoD enterprise-wide specific assignment values.
Each organization has the authority to be more stringent than the published DoD implementation guidance and DoD-specific assignment values for individual security controls. However, the increase in stringency cannot preclude required interoperability or reciprocity.
Organizations requiring more stringency, or otherwise deviating from DoD implementation guidance, must document the assessment procedures used, along with justification for the deviation, in the security plan.
Common Security Controls Applied to the DoD Tiers of Risk Management
The following describes how common security controls are applied at each tier of the DoD risk management pyramid, from strategic risk (Tier 1) down to tactical risk (Tier 3).
Tier 1
The DoD Chief Information Officer (CIO) identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.
DoD Information System (IS) and PIT systems are automatically compliant with Tier 1 common security controls because they implement, and are satisfied by, existing documented DoD-level policies.
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD-level policies as issued. The AO for the Tier 1 common security controls is the DoD Senior Information Security Officer (SISO).
Tier 2
The DoD Component Chief Information Officer (CIO) identifies component-specific common security controls that are satisfied by existing component policy and guidance and are applicable throughout the component. Tier 2 common security controls may be more stringent than Tier 1 common security controls but may not negate or contradict them. Additionally, Tier 2 common security controls may not prevent interoperability or reciprocity between or among the DoD Components.
Component Information Systems (IS) and PIT systems are automatically compliant with Tier 2 common security controls because they implement, and are satisfied by, existing documented component policies and guidance. Risk associated with Tier 2 common security controls is assumed by the component providing the security control.
The Authorizing Official for the Tier 2 common security controls is the Component Senior Information Security Officer (SISO). Tier 2 common security controls are identified by DoD Components and should be posted to the individual DoD Component's KS workspace.
Tier 3
Within Tier 3 are enclaves, which are a set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.
Enclaves may identify enclave-specific common security controls that are made available to Information or PIT systems nested within the enclave, through agreements between the enclave and the nested Information or PIT systems.
The RMF Technical Advisory Group chairman has approved amplifying guidance for Tier 3 inheritance of common controls. This may be found under the Common Controls and Inheritance tab within the RMF Knowledge Service.
Risks introduced via common security controls at Tier 3 must be documented and either accepted, mitigated or rejected by the nested Information or PIT system Authorizing Official.
[Figure: DoD Tiers of Risk Management, drawn as a pyramid with Strategic Risk at the top and Tactical Risk at the bottom. Tier 1 - Organization; Tier 2 - Mission/Business Processes; Tier 3 - IS/PIT Systems.]
Tier 1 Common Security Controls for the DoD Enterprise
The following is a list of the DoD Enterprise-level (Tier 1) common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD. DoD Information and PIT systems are considered to be automatically compliant with these controls.
Control Number   Control Title
AT-1             Security Awareness and Training Policy and Procedures
AT-2             Security Awareness Training
AT-2(1)          Security Awareness | Practical Exercises
AT-2(2)          Security Awareness | Insider Threat
IA-1             Identification and Authentication Policy and Procedures
IA-5(14)         Authenticator Management | Managing Content of PKI Trust Stores
IA-5(3)          Authenticator Management | In-Person or Trusted Third-Party Registration
IR-1             Incident Response Policy and Procedures
IR-4(3)          Incident Handling | Continuity of Operations
MP-1             Media Protection Policy and Procedures
PE-1             Physical and Environmental Protection Policy and Procedures
PL-1             Security Planning Policy and Procedures
PL-9             Central Management
PM-1             Information Security Program Plan
PM-10            Security Authorization Process
PM-7             Enterprise Architecture
PM-9             Risk Management Strategy
PS-1             Personnel Security Policy and Procedures
RA-1             Risk Assessment Policy and Procedures
SI-1             System and Information Integrity Policy and Procedures
Knowledge Review 2
At which Department of Defense (DoD) tier of risk management is risk introduced via common security controls at the enclave level, which must be documented as either accepted, mitigated or rejected risk by the nested Information System or Platform Information Technology (PIT) System Authorizing Official?
Options: Tier 1 / Tier 2 / Tier 3
Answer: Tier 3. Tier 3 is the DoD tier of risk management at which risk is introduced via common security controls at the enclave level and must be documented as either accepted, mitigated or rejected risk by the nested Information System or PIT System Authorizing Official.
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation
The Security Controls Explorer found within the RMF Knowledge Service provides implementation guidance and best practices for implementing security controls. This resource is critical when implementing security controls within DoD.
Within the entry for each security control, DoD has assigned specific values, implementation guidance and assessment procedures. These can be used to manage and document the RMF process. In addition to the Knowledge Service, these procedures can be found in the DoD Enterprise Mission Assurance Support Service (eMASS).
[Screenshot: the Security Controls Explorer entry for AC-1 Access Control Policy and Procedures, with tabs for Supplemental Guidance, References, Security Categorization, and Implementation Guidance and Assessment Procedures. The bracketed values are the DoD-assigned values.]
Control Text: The organization a. Develops, documents and disseminates to [all personnel]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Annually]; and 2. Access control procedures [Annually].
Control Correlation Identifier (CCI)
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides specific security control information that can be applied to all US Government information systems.
However, DoD has provided amplifying guidance, requirements and direction based on DoD policies, mandates, architectures and environments within the RMF Knowledge Service.
The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control. CCIs bridge the gap between high-level policy expressions and low-level technical implementations. DoD has taken every security control and associated enhancement within the Security Controls Catalog and decomposed them into individual measurable statements.
CCIs:
• Do not change the meaning or intent of a security control
• Are simply a breakdown of each individual requirement within the security control
• Are given a numeric label
• Provide specific implementation guidance and assessment procedures
Control Correlation Identifiers Guidance
A Control Correlation Identifier gives us specific DoD guidance and procedures for implementing and assessing the security controls.
For example, when implementing the IR-7 security control (Incident Response Assistance) and its enhancements, the Control Correlation Identifiers CCI-000839 through CCI-000842 guide us to:
• (CCI-000839, IR-7) Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents
• (CCI-000840, IR-7(1)) Employ automated mechanisms to increase the availability of incident response-related information and support
• (CCI-000841, IR-7(2)(a)) Establish a direct, cooperative relationship between its incident response capability and external providers of information system protection capability
• (CCI-000842, IR-7(2)(b)) Identify organizational incident response team members to the external providers
Control Correlation Identifiers Guidance (Cont.)
At this time DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing.
Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users.
In assessing this security control we will identify and interview personnel as necessary to determine if the CCIs are fulfilled. As DoD requires us to implement an automated intra-organization incident response information sharing capability, we must determine if this capability is implemented.
This implementation is intended to provide information and support such as standard operating procedures for incident reporting, an incident handling FAQ, current incident activity awareness information, incident response contact information and incident report submission.
Control Correlation Identifiers Example
[Figure: a Security Control Explorer listing for IR-7 and its enhancements, shown as a table with the columns Control, 800-53 Control, CCI Number, CCI Definition and Indicator (the DoD implementation guidance and assessment procedure). Most of the scanned table is illegible; the legible content is reproduced below.]
A typical Control Correlation Identifiers entry is comprised of:
• Control Number, for example IR-7 (1). The Incident Response family control IR-7 (1) is a specific control to address Incident Response Assistance | Automation Support for Availability of Information / Support.
• CCI label. The control IR-7 (1) is given the CCI number 000840.
• CCI definition. The CCI definition is the same as the control definition in NIST SP 800-53 and within the Security Controls Catalog: "The organization employs automated mechanisms to increase the availability of incident response-related information and support."
• Guidance. DoD provides guidance and procedures for each measurable statement.
For CCI-000840 (IR-7 (1), the automated-mechanisms enhancement) the entry reads as follows.
Implementation guidance: The organization being inspected/assessed will implement an automated intra-organization incident response information sharing capability providing incident-related information and support, for example: 1. SOP for incident reporting; 2. Incident handling FAQ; 3. Current incident activity awareness information; 4. Incident response contact information; 5. Incident report submission.
Assessment procedure: The organization conducting the inspection/assessment obtains and examines the incident response information sharing capability to validate that the information sharing capability is available to organizational users.
Supplemental guidance: This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website or, conversely, the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
The remaining rows, for CCI-000839 (IR-7), CCI-000841 (IR-7 (2)(a)) and CCI-000842 (IR-7 (2)(b)), are largely illegible in the source. What can be read refers to the external network defense service provider and to the list of internal incident response team members that the assessor obtains and examines.
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.
We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs) (Cont.)
When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.
SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.
The first group are four Core SRGs, which deal with Applications, Networking Devices, Operating Systems and Policy. The second group are technology-specific SRGs. A technology-specific SRG is a child of a Core SRG; for example, the Database SRG was derived from the requirements in the Application SRG.
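The CCI decomposition described earlier (each CCI is one measurable statement that carries its NIST SP 800-53 control reference) and the CCI-to-STIG correlation described here are, in practice, a lookup between two identifier spaces: STIG rules cite CCIs, and CCIs cite controls. The following Python is an added example, not part of the ISA220 course and not DISA tooling. It parses an XCCDF benchmark of the shape DISA STIGs use (each Rule carries ident elements naming the CCIs it checks), inverts the result into a control-to-rules map, and reports both CCIs the index does not know and CCIs no rule covers. The CCI index holds only the four IR-7 entries shown on the course page; the benchmark fragment, its rule ids and titles, and CCI-999999 are constructed placeholders, and the ident system URL is assumed to match the form used in current DISA benchmarks.

```python
"""Correlate CCIs to their NIST SP 800-53 controls and to STIG rules.

Added example, not part of the ISA220 course or of any DISA tooling.
The CCI-to-control entries for IR-7 are the four CCIs shown on the
course page; the XCCDF benchmark below is a constructed fragment that
mimics the shape of a DISA STIG and is not a real STIG.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Each CCI is one measurable statement of a control or enhancement and
# carries its 800-53 reference (IR-7 entries taken from the course page).
CCI_INDEX = {
    "CCI-000839": ("IR-7", "Provide an incident response support resource"),
    "CCI-000840": ("IR-7 (1)", "Employ automated mechanisms for IR information"),
    "CCI-000841": ("IR-7 (2)(a)", "Cooperative relationship with external providers"),
    "CCI-000842": ("IR-7 (2)(b)", "Identify IR team members to external providers"),
}

# Constructed benchmark: rule ids, titles and CCI-999999 are placeholders.
# The ident system URL is an assumption about the DISA convention.
SAMPLE_BENCHMARK = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="EXAMPLE_STIG">
  <Group id="V-EX0001">
    <Rule id="SV-EX0001r1_rule" severity="medium">
      <title>Incident reporting procedures must be published to users</title>
      <ident system="http://cyber.mil/cci">CCI-000839</ident>
      <ident system="http://cyber.mil/cci">CCI-000840</ident>
    </Rule>
  </Group>
  <Group id="V-EX0002">
    <Rule id="SV-EX0002r1_rule" severity="low">
      <title>External defense provider relationship must be documented</title>
      <ident system="http://cyber.mil/cci">CCI-000841</ident>
      <ident system="http://cyber.mil/cci">CCI-999999</ident>
    </Rule>
  </Group>
</Benchmark>
"""


def parse_rule_ccis(xccdf_text):
    """Map each XCCDF rule id to the list of CCIs it references."""
    root = ET.fromstring(xccdf_text)
    rule_ccis = {}
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        ccis = [
            ident.text.strip()
            for ident in rule.findall(f"{{{XCCDF_NS}}}ident")
            if ident.text and ident.get("system", "").endswith("/cci")
        ]
        rule_ccis[rule.get("id")] = ccis
    return rule_ccis


def base_control(control_ref):
    """'IR-7 (2)(a)' -> 'IR-7': the control id without its enhancement."""
    return re.match(r"[A-Z]{2}-\d+", control_ref).group(0)


def controls_to_rules(rule_ccis, cci_index=CCI_INDEX):
    """Invert rule->CCIs into control->rules keyed by exact 800-53 reference.
    CCIs missing from the index are returned separately, so a stale index
    cannot silently hide a check that the benchmark performs."""
    by_control = defaultdict(set)
    unknown = set()
    for rule_id, ccis in rule_ccis.items():
        for cci in ccis:
            if cci in cci_index:
                by_control[cci_index[cci][0]].add(rule_id)
            else:
                unknown.add(cci)
    return {c: sorted(r) for c, r in by_control.items()}, sorted(unknown)


def uncovered_ccis(rule_ccis, cci_index=CCI_INDEX):
    """CCIs in the index that no rule checks: these need an SRG, a manual
    assessment procedure, or a documented deviation in the security plan."""
    referenced = {cci for ccis in rule_ccis.values() for cci in ccis}
    return sorted(set(cci_index) - referenced)


if __name__ == "__main__":
    rules = parse_rule_ccis(SAMPLE_BENCHMARK)
    mapping, unknown = controls_to_rules(rules)
    for control, rule_ids in sorted(mapping.items()):
        print(f"{control:12} <- {', '.join(rule_ids)}  (base {base_control(control)})")
    print("CCIs not in index:", unknown)
    print("CCIs with no STIG rule:", uncovered_ccis(rules))
```

Run against a real STIG, the two gap lists are the practitioner's output: unknown CCIs mean the local CCI list is older than the benchmark, and uncovered CCIs are exactly the statements for which no automated STIG check exists and an SRG, manual check or documented deviation is needed.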
The Purpose and Implementation of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated, as appropriate, into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs) and Integrated Master Plans/Schedules (IMPs/IMSs).
CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and SSE should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management and risk deliberations, and throughout Systems Engineering Technical Review (SETR) processes and reviews.
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.
Especially consider when a vendor or organization has used automation to allow them to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.
The Department of Defense Instruction (DoDI) 8500 series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs).
In the absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance or National Information Assurance Partnership (NIAP) Protection Profiles.
National Information Assurance Partnership
The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST).
Knowledge Review 3
The Department of Defense (DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual measurable statements referred to as (fill in the blank):
• DoD Security Controls
• Common Security Controls
• Control Correlation Identifiers
• Security Controls catalog
Answer: The Department of Defense (DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlation Identifiers.
Lesson Completion
You have completed the content for this lesson
To continue, select another lesson from the Table of Contents on the left.
If you have closed or hidden the Table of Contents click the Show TOC button at the top in the Atlas navigation bar
Common Security Controls
Common security controls, as defined by Committee on National Security Systems Instruction (CNSSI) 1253, are controls in which the implementation is managed by an organizational entity other than the system owner. It is a security control that can be applied to one or more organizational information systems and includes:
• The development, implementation, and assessment of the common control, which is assigned to a responsible official or organizational element other than the information system owner
• The results from the assessment of the common control, which can be used to support the security authorization processes of an agency
Long Description: Table D-2 Security Control Baselines contains the columns Control ID, Confidentiality, Integrity, Availability, Justification for NSS Baseline(s), and Potentially Common/Inheritable.
• AC-1, 2, 2(1), 2(2), 2(3), 2(4), 2(5), 2(6), 2(7), 2(8), 2(9), 2(10), 2(11), and 2(12) have Confidentiality and Integrity
• AC-1 has Availability and Potentially Common/Inheritable
• AC-2(1), 2(2), 2(3) have Potentially Common/Inheritable
• AC-2(4) has an Insider Threat Issuance, CNSSI No. 1015, and is Potentially Common/Inheritable
• AC-2(5) has Availability; its Justification for NSS Baseline is Best Practice, Insider Threat; it is also Potentially Common/Inheritable
• AC-2(7) has an Insider Threat Issuance, CNSSI No. 1015
• AC-2(9) and AC-2(12) have a justification for NSS Baseline as Insider Threat and are Potentially Common/Inheritable
• AC-2(10) has a justification for NSS Baseline as Insider Threat
Examples of Common Security Controls
The DoD defines a Common Security Control as "a security control that is inherited by one or more organizational information systems."
The RMF Knowledge Service provides additional information on common security controls provided by Tiers 1, 2 and 3, as well as the list of Common Security Controls that can be inherited by DoD Information and PIT systems from Tier 1.
At Tier 1, the DoD CIO identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.
DoD Information and PIT systems are automatically compliant with Tier 1 common security controls because they implement, and are satisfied by, existing documented DoD level policies.
Examples of Common Security Controls Cont
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD level policies as issued.
The Authorizing Official for the Tier 1 common security controls is the DoD Senior Information Security Officer.
Knowledge Review 1
True or False: A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
• True
• False
Answer: True. A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
Risk Management Framework Step 3 Security Control Implementation
RMF Step 3 involves implementing the security controls specified in the Security Plan in accordance with DoD implementation guidance found on the RMF KS.
The key factors to consider when implementing security controls are Personnel, Organization, Risk Assessment and Inheritance.
Personnel
ISSEs, with support from ISSMs and ISSOs, employ a sound security engineering process that captures and refines information security requirements and ensures their integration into information technology products and systems through purposeful security design or configuration.
Organization
Organization security control implementation includes:
• Maintaining consistency with the organization's enterprise architecture and information security architecture
• Using best practices when implementing the security controls within the Information or PIT system, including system and software engineering methodologies, security engineering principles, and secure software coding techniques
• Satisfying minimum assurance requirements when implementing security controls
• Establishing and implementing mandatory configuration settings on information technology products in accordance with federal and organizational policies
Risk Assessment
Risk assessments may help inform decisions regarding the cost, benefit and risk trade-offs in using one type of technology versus another for control implementation.
Inheritance
Security controls are typically accepted by inheriting organizations if that organization has complied with DoD implementation guidance and assessment procedures and has met the minimum DoD enterprise-wide specific assignment values.
Each organization has the authority to be more stringent than the published DoD implementation guidance and DoD specific assignment values for individual security controls. However, the increase in stringency cannot preclude required interoperability or reciprocity.
Organizations requiring more stringency, or otherwise deviating from DoD implementation guidance, must document the assessment procedures used, along with justification for the deviation, in the security plan.
Common Security Controls Applied to the DoD Tiers of Risk Management
Common security controls are applied at each tier of the DoD risk management pyramid, from strategic risk at Tier 1 down to tactical risk at Tier 3, as follows.
Tier 1
The DoD Chief Information Officer (CIO) identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.
DoD Information System (IS) and PIT systems are automatically compliant with Tier 1 common security controls because they implement, and are satisfied by, existing documented DoD level policies.
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD level policies as issued. The AO for the Tier 1 common security controls is the DoD Senior Information Security Officer (SISO).
Tier 2
The DoD Component Chief Information Officer (CIO) identifies component-specific common security controls that are satisfied by existing component policy and guidance and are applicable throughout the component. Tier 2 common security controls may be more stringent than Tier 1 common security controls but may not negate or contradict them. Additionally, Tier 2 common security controls may not prevent interoperability or reciprocity between or among the DoD Components.
Component Information Systems (IS) and PIT systems are automatically compliant with Tier 2 common security controls because they implement, and are satisfied by, existing documented component policies and guidance. Risk associated with Tier 2 common security controls is assumed by the component providing the security control.
The Authorizing Official for the Tier 2 common security controls is the Component Senior Information Security Officer (SISO). Tier 2 common security controls are identified by DoD Components and should be posted to the individual DoD Component's KS workspace.
Tier 3
Within Tier 3 are Enclaves, which are a set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.
Enclaves may identify enclave-specific common security controls that are made available to Information or PIT systems nested within the enclave, through agreements between the enclave and the nested Information or PIT systems.
The RMF Technical Advisory Group chairman has approved amplifying guidance for Tier 3 inheritance of common controls. This may be found under the Common Controls and Inheritance tab within the RMF Knowledge Service.
Risks introduced via common security controls at Tier 3 must be documented and either accepted, mitigated, or rejected by the nested Information or PIT system Authorizing Official.
Long Description: DoD Tiers of Risk Management: Tier 1 - Organization; Tier 2 - Mission/Business Processes; Tier 3 - IS/PIT Systems.
Tier 1 Common Security Controls for the DoD Enterprise
The following is a list of the DoD Enterprise level (Tier 1) common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD. DoD Information and PIT systems are considered to be automatically compliant with these controls.
Control Number  Control Title
AT-1            SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
AT-2            SECURITY AWARENESS TRAINING
AT-2(1)         SECURITY AWARENESS | PRACTICAL EXERCISES
AT-2(2)         SECURITY AWARENESS | INSIDER THREAT
IA-1            IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-5(14)        AUTHENTICATOR MANAGEMENT | MANAGING CONTENT OF PKI TRUST STORES
IA-5(3)         AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
IR-1            INCIDENT RESPONSE POLICY AND PROCEDURES
IR-4(3)         INCIDENT HANDLING | CONTINUITY OF OPERATIONS
MP-1            MEDIA PROTECTION POLICY AND PROCEDURES
PE-1            PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PL-1            SECURITY PLANNING POLICY AND PROCEDURES
PL-9            CENTRAL MANAGEMENT
PM-1            INFORMATION SECURITY PROGRAM PLAN
PM-10           SECURITY AUTHORIZATION PROCESS
PM-7            ENTERPRISE ARCHITECTURE
PM-9            RISK MANAGEMENT STRATEGY
PS-1            PERSONNEL SECURITY POLICY AND PROCEDURES
RA-1            RISK ASSESSMENT POLICY AND PROCEDURES
SI-1            SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
Knowledge Review 2
At which Department of Defense (DoD) Tier of risk management is risk introduced via common security controls at the enclave level, which must be documented as either accepted, mitigated, or rejected risk by the nested Information System or Platform Information Technology (PIT) System Authorizing Official?
• Tier 1
• Tier 2
• Tier 3
Answer: Tier 3 is the DoD tier of risk management at which risk is introduced via common security controls at the enclave level, which must be documented as either accepted, mitigated, or rejected risk by the nested Information System or PIT System Authorizing Official.
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation
The Security Controls Explorer found within the RMF Knowledge Service provides implementation guidance and best practices for implementing security controls. This resource is critical when implementing security controls within DoD.
Within the list for each security control, DoD has assigned specific values, implementation guidance and assessment procedures. These can be used to manage and document the RMF process. In addition to the Knowledge Service, these procedures can be found in the DoD Enterprise Mission Assurance Support Service (eMASS).
For each control, users can view the Control Text, Supplemental Guidance, References, Security Categorization, and Implementation Guidance and Assessment Procedures. For example, for AC-1 ACCESS CONTROL POLICY AND PROCEDURES the Control Text reads: The organization: a. Develops, documents, and disseminates to [all personnel]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Annually]; and 2. Access control procedures [Annually].
Control Correlation Identifier (CCI)
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides specific security control information that can be applied to all US Government information systems.
However, DoD has provided amplifying guidance, requirements and direction based on DoD policies, mandates, architectures and environments within the RMF Knowledge Service.
The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control. CCIs bridge the gap between high-level policy expressions and low-level technical implementations. DoD has taken every security control and associated enhancements within the Security Controls Catalog and decomposed them into individual measurable statements.
CCIs:
• Do not change the meaning or intent of a security control
• Are simply a breakdown of each individual requirement within the security control
• Are given a numeric label
• Provide specific implementation guidance and assessment procedures
Control Correlation Identifiers Guidance
A Control Correlation Identifier gives us specific DoD guidance and procedures for implementing and assessing the security controls.
For example, when implementing the IR-7 security controls, the Control Correlation Identifiers (CCI-000839 through CCI-000842) guide us to:
• (CCI-000839) Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents
• (CCI-000840) Employ automated mechanisms to increase the availability of incident response-related information and support
• (CCI-000841) Establish a direct, cooperative relationship between its incident response capability and external providers of information system protection capability
• (CCI-000842) Identify organizational incident response team members to the external providers
Control Correlation Identifiers Guidance Cont
At this time, DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing.
Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users.
In assessing this security control, we will identify and interview as necessary to determine if the CCIs are fulfilled. As DoD requires us to implement an automated intra-organization incident response information sharing capability, we must determine if this capability is implemented.
This implementation is intended to provide information and support such as standard operating procedures for incident reporting, incident handling frequently asked questions, current incident activity awareness information, incident response contact information, and incident report submissions.
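The decomposition of IR-7 into CCIs above, together with the tiered inheritance rules described earlier in the lesson, can be turned into a small roll-up check of control status. This is an added example, not course material or any DoD tool: the Tier 1 control list and the IR-7 CCI numbers come from the lesson, while the status strings, the CSV export layout and the results are constructed.

```python
"""Roll up RMF security-control status from CCI-level assessment results.

Added example (not part of the ISA220 course). It encodes the lesson's rules:
a control is compliant only when every CCI it decomposes into is satisfied;
Tier 1 (DoD enterprise) common controls are automatically compliant; a control
inherited from a providing organization (Tier 2 component or Tier 3 enclave) is
accepted only when the provider's own assessment of it is compliant, otherwise
the nested system's AO must document the risk. Status strings are constructed.
"""
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass, field
from typing import Optional

# Tier 1 common controls the lesson lists as automatically compliant.
TIER1_COMMON = {
    "AT-1", "AT-2", "AT-2(1)", "AT-2(2)", "IA-1", "IA-5(14)", "IA-5(3)",
    "IR-1", "IR-4(3)", "MP-1", "PE-1", "PL-1", "PL-9", "PM-1", "PM-10",
    "PM-7", "PM-9", "PS-1", "RA-1", "SI-1",
}

# Decomposition of IR-7 and its enhancements into CCIs, as given in the lesson.
CCI_MAP = {
    "IR-7": ["CCI-000839"],
    "IR-7(1)": ["CCI-000840"],
    "IR-7(2)": ["CCI-000841", "CCI-000842"],
}

CCI_LABEL = re.compile(r"^CCI-\d{6}$")


@dataclass
class ControlStatus:
    control: str
    status: str                 # "Compliant", "Non-Compliant" or "Not Assessed"
    source: str                 # Tier 1 policy, inheritance, or system-specific CCIs
    open_ccis: list[str] = field(default_factory=list)


def parse_cci_results(csv_text: str) -> dict[str, str]:
    """Parse a constructed 'CCI,Status' export; malformed CCI labels are rejected."""
    results: dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        cci = row["CCI"].strip()
        if not CCI_LABEL.match(cci):
            raise ValueError(f"malformed CCI label: {cci!r}")
        results[cci] = row["Status"].strip()
    return results


def roll_up(control: str, cci_results: dict[str, str],
            inherited_from: Optional[dict[str, str]] = None,
            provider_status: Optional[dict[str, dict[str, str]]] = None) -> ControlStatus:
    """Derive one control's status from Tier 1 policy, inheritance, or its own CCIs."""
    inherited_from = inherited_from or {}
    provider_status = provider_status or {}

    if control in TIER1_COMMON:
        # Satisfied by existing DoD-level policy; risk is assumed by the Components.
        return ControlStatus(control, "Compliant", "Tier 1 common control")

    if control in inherited_from:
        provider = inherited_from[control]
        if provider_status.get(provider, {}).get(control) == "Compliant":
            return ControlStatus(control, "Compliant", f"inherited from {provider}")
        # The provider cannot vouch for it: the nested system's AO must document
        # this risk and accept, mitigate or reject it.
        return ControlStatus(control, "Non-Compliant",
                             f"inherited from {provider} (provider not compliant)")

    ccis = CCI_MAP.get(control)
    if ccis is None:
        raise KeyError(f"no CCI decomposition known for {control}")
    failed = [c for c in ccis if cci_results.get(c) == "Non-Compliant"]
    missing = [c for c in ccis if c not in cci_results]
    if failed:
        status = "Non-Compliant"
    elif missing:
        status = "Not Assessed"
    else:
        status = "Compliant"
    return ControlStatus(control, status, "system-specific CCIs", failed + missing)


# Constructed eMASS-style export for the AFS example system. CCI-000842 is
# deliberately absent to show that one unassessed CCI keeps IR-7(2) open.
SAMPLE_EXPORT = """CCI,Status
CCI-000839,Compliant
CCI-000840,Compliant
CCI-000841,Non-Compliant
"""

if __name__ == "__main__":
    results = parse_cci_results(SAMPLE_EXPORT)
    for ctrl in ("IR-1", "IR-7", "IR-7(1)", "IR-7(2)"):
        s = roll_up(ctrl, results)
        print(f"{ctrl:9} {s.status:14} {s.source}  open={s.open_ccis}")
```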
Control Correlation Identifiers Example
[Figure: Control Correlation Identifiers example table for IR-7, IR-7(1) and IR-7(2), stepped through with highlights on the Control Number, the CCI label (000840), the CCI definition and the DoD guidance; the highlighted entries are given in the long description below.]
The example table has the columns Control, 800-53 Control, CCI Number, Text, and Indicator (DoD specific guidance and procedures), and lists CCI-000839 through CCI-000842 for IR-7. The CCI-000840 row reads:
IR-7 (1) | IR-7 (1) | CCI-000840 | The organization employs automated mechanisms to increase the availability of incident response-related information and support.
Implementation guidance: The organization being inspected/assessed will implement an automated intra-organization incident response information sharing capability. The incident-related information and support includes, for example: 1. SOP for incident reporting; 2. Incident handling FAQ; 3. Current incident activity awareness information; 4. Incident response contact information; 5. Incident report submission.
Assessment procedure: The organization conducting the inspection/assessment obtains and examines the incident response information sharing capability to validate that the information sharing capability is available to organizational users.
DoD provides guidance and procedures. This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website or, conversely, the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
Control Correlation Identifiers Example
(Table columns: Control, 800-53 Control, CCI Number, Text, Indicator)
Long Description
A typical Control Correlation Identifiers entry consists of:
• Control Number: IR-7 (1) is highlighted. The Incident Response Family IR-7 (1) is a specific control to address Incident Response Assistance | Automation Support For Availability Of Information Support.
• CCI label: highlighted. The control is given a CCI number, 000840.
• CCI definition: highlighted. The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog.
• Guidance: highlighted. DoD provides guidance and procedures. This supplemental guidance reflecting automated mechanisms can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website, or conversely the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.
We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs) Cont
When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.
SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.
The first group is the four Core SRGs, which deal with Applications, Networking Devices, Operating Systems and Policy. The second group is technology-specific SRGs. A technology-specific SRG is a child of a Core SRG. For example, the Database SRG was derived from the requirements in the Application SRG.
The Purpose and Implementation Of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated as appropriate into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs) and Integrated Master Plans/Schedules (IMPs/IMSs).
CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and SSE should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management, risk deliberations and throughout Systems Engineering Technical Review (SETR) processes and reviews.
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.
Especially consider when a vendor or organization has used automation to allow them to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.
The Department of Defense Instruction (DoDI) 8500 Series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guidelines (SRGs).
In absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance or National Information Assurance Program (NIAP) Protection Profiles.
National Information Assurance Program
The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST). For more information please visit [URL not recoverable from the page].
Knowledge Review 3
The Department of Defense (DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual measurable statements referred to as (Fill in the blank):
[ ] DoD Security Controls
[ ] Common Security Controls
[x] Control Correlation Identifiers
[ ] Security Controls Catalog
Check Answer
The Department of Defense (DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlation Identifiers.
Lesson Completion
You have completed the content for this lesson
To continue select another lesson from the Table of Contents on the left
If you have closed or hidden the Table of Contents click the Show TOC button at the top in the Atlas navigation bar
Examples of Common Security Controls
The DoD defines a Common Security Control as "A security control that is inherited by one or more organizational information systems."
The RMF Knowledge Service provides additional information on common security controls provided by Tiers 1 2 and 3 as well as the list of Common Security Controls that can be inherited by DoD Information and PIT systems from Tier 1
At Tier 1 the DoD CIO identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD
DoD Information and PIT systems are automatically compliant with Tier 1 common security controls because they implement and are satisfied by existing documented DoD level policies
Examples of Common Security Controls Cont
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD level policies as issued
The Authorizing Official for the Tier 1 common security controls is the DoD Senior Information Security Officer
Knowledge Review 1
True or False: A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
[x] True
[ ] False
Check Answer
True. A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
Risk Management Framework Step 3 Security Control Implementation
RMF Step 3 involves the process of implementing the security controls specified in the Security Plan in accordance with DoD implementation guidance found on the RMF KS
Select each heading to view the key factors to consider when implementing security controls
Tabs: Personnel | Organization | Risk Assessment | Inheritance
Personnel: ISSEs, with support from ISSMs and ISSOs, employ a sound security engineering process that captures and refines information security requirements and ensures their integration into information technology products and systems through purposeful security design or configuration.
Organization: security control implementation includes
• Maintaining consistency with the organization's enterprise architecture and information security architecture
• Using best practices when implementing the security controls within the Information or PIT system, including system and software engineering methodologies, security engineering principles and secure software coding techniques
• Satisfying minimum assurance requirements when implementing security controls
• Establishing and implementing mandatory configuration settings on information technology products in accordance with federal and organizational policies
Risk Assessment: Risk assessments may help inform decisions regarding the cost, benefit and risk trade-offs in using one type of technology versus another for control implementation.
Inheritance: Security controls are typically accepted by inheriting organizations if that organization has complied with DoD implementation guidance and assessment procedures and has met the minimum DoD enterprise-wide specific assignment values.
Each organization has the authority to be more stringent than the published DoD implementation guidance and DoD specific assignment values for individual security controls. However, the increase in stringency cannot preclude required interoperability or reciprocity.
Organizations requiring more stringency or otherwise deviating from DoD implementation guidance must document the assessment procedures used, along with justification for the deviation, in the security plan.
Common Security Controls Applied to the DoD Tiers of Risk Management
Select each tier of the Strategic risk pyramid to see how common security controls are applied
Tier 1
The DoD Chief Information Officer (CIO) identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.
DoD Information System (IS) and PIT systems are automatically compliant with Tier 1 common security controls because they implement and are satisfied by existing documented DoD level policies.
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD level policies as issued. The AO for the Tier 1 common security controls is the DoD Senior Information Security Officer (SISO).
Tier 2
The DoD Component Chief Information Officer (CIO) identifies component-specific common security controls that are satisfied by existing component policy and guidance and are applicable throughout the component. Tier 2 common security controls may be more stringent than Tier 1 common security controls but may not negate or contradict them. Additionally, Tier 2 common security controls may not prevent interoperability or reciprocity between or among the DoD Components.
Component Information Systems (IS) and PIT systems are automatically compliant with Tier 2 common security controls because they implement and are satisfied by existing documented component policies and guidance. Risk associated with Tier 2 common security controls is assumed by the component providing the security control.
The Authorizing Official for the Tier 2 common security controls is the Component Senior Information Security Officer (SISO). Tier 2 common security controls are identified by DoD Components and should be posted to the individual DoD Component's KS workspace.
Tier 3
Within Tier 3 are Enclaves which are a set of system resources that operate in the same security domain and that share the protection of a single common continuous security perimeter
Enclaves may identify enclave-specific common security controls that are made available to Information or PIT systems that are nested within the enclave through agreements between the enclave and the nested Information or PIT systems
The RMF Technical Advisory Group chairman has approved amplifying guidance for Tier 3 inheritance of common controls This may be found under the Common Controls and Inheritance tab within the RMF Knowledge Service
Risks introduced via common security controls at Tier 3 must be documented and either accepted mitigated or rejected by the nested Information or PIT system Authorizing Official
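The Inheritance tab above and the three tiers just described amount to a small rule set a practitioner can run over security plan records. The following is an added example, not course material or any DoD tool: the Tier names, the frequency ordering, the sample records and every DoD minimum value other than AC-1's annual review (taken from the Security Controls Explorer entry on this page) are constructed assumptions.

```python
# Added example, not part of the ISA220 course or any DoD tool. Models the
# inheritance and stringency rules from the lesson so a security plan record
# can be checked against them. The Tier names, frequency ordering, sample
# records and every DoD minimum value except AC-1's are constructed assumptions.
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Tier(Enum):
    """DoD tiers of risk management from which a common control may be inherited."""
    DOD_ENTERPRISE = 1  # Tier 1: satisfied by DoD policy; systems automatically compliant
    COMPONENT = 2       # Tier 2: satisfied by component policy; systems automatically compliant
    ENCLAVE = 3         # Tier 3: provided by agreement; nested system AO must decide on risk


# Base controls from the lesson's Tier 1 common security control list.
TIER1_COMMON_CONTROLS = {"AT-1", "AT-2", "IA-1", "IR-1", "MP-1", "PE-1", "PL-1", "PL-9",
                         "PM-1", "PM-7", "PM-9", "PM-10", "PS-1", "RA-1", "SI-1"}

# Review/update frequencies as an interval in days (constructed ordering: a shorter
# interval is the more stringent assignment value).
FREQUENCY_DAYS = {"biennially": 730, "annually": 365, "semi-annually": 182,
                  "quarterly": 91, "monthly": 30}

# DoD enterprise-wide minimum assignment values. AC-1 "Annually" is the value shown
# in the Security Controls Explorer entry on the page; nothing else is asserted here.
DOD_MINIMUM_VALUES = {"AC-1": "annually"}

VALID_AO_DECISIONS = {"accepted", "mitigated", "rejected"}


@dataclass
class ControlRecord:
    """One security plan entry for a control on a DoD Information or PIT system."""
    control: str
    inherited_from: Optional[Tier] = None    # None: implemented by the system itself
    assigned_value: Optional[str] = None     # organization-defined parameter, if any
    deviation_justification: Optional[str] = None
    ao_risk_decision: Optional[str] = None   # required when inherited from Tier 3


def compare_stringency(system_value: str, dod_value: str) -> int:
    """Return -1 if the system value is less stringent than DoD's, 0 if equal, 1 if more."""
    sys_days = FREQUENCY_DAYS[system_value.lower()]
    dod_days = FREQUENCY_DAYS[dod_value.lower()]
    if sys_days > dod_days:
        return -1
    return 0 if sys_days == dod_days else 1


def evaluate(record: ControlRecord) -> List[str]:
    """Apply the lesson's inheritance and stringency rules; an empty list means no action."""
    findings: List[str] = []
    # Tier 1 and Tier 2 common controls: compliance comes from existing documented policy.
    if record.control in TIER1_COMMON_CONTROLS or record.inherited_from in (
            Tier.DOD_ENTERPRISE, Tier.COMPONENT):
        return findings
    # Tier 3 (enclave) inheritance: the risk must be documented and decided by the
    # nested system's Authorizing Official.
    if record.inherited_from is Tier.ENCLAVE:
        if record.ao_risk_decision not in VALID_AO_DECISIONS:
            findings.append(f"{record.control}: Tier 3 inherited control lacks an AO risk "
                            "decision (accepted, mitigated or rejected)")
        return findings
    # System-implemented control: compare its assignment value with the DoD minimum.
    dod_value = DOD_MINIMUM_VALUES.get(record.control)
    if dod_value and record.assigned_value:
        result = compare_stringency(record.assigned_value, dod_value)
        if result < 0:
            findings.append(f"{record.control}: value '{record.assigned_value}' does not "
                            f"meet the DoD minimum '{dod_value}'")
        elif result > 0 and not record.deviation_justification:
            findings.append(f"{record.control}: more stringent than DoD guidance; document "
                            "the assessment procedures and justification in the security plan")
    return findings


if __name__ == "__main__":
    # Constructed sample security plan records.
    samples = [
        ControlRecord("AT-1"),                                   # Tier 1 common control
        ControlRecord("AC-1", assigned_value="Annually"),       # meets DoD minimum
        ControlRecord("AC-1", assigned_value="Biennially"),     # below DoD minimum
        ControlRecord("AC-1", assigned_value="Quarterly"),      # stricter, undocumented
        ControlRecord("AC-1", assigned_value="Quarterly",
                      deviation_justification="ISSM direction; quarterly review logs assessed"),
        ControlRecord("SC-7", inherited_from=Tier.ENCLAVE),     # Tier 3 without AO decision
    ]
    for rec in samples:
        print(rec.control, evaluate(rec) or ["no findings"])
```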
Long Description
DoD Tiers of Risk Management (pyramid, strategic risk at the top, tactical risk at the bottom):
Tier 1 - Organization; Tier 2 - Mission/Business Processes; Tier 3 - IS/PIT Systems
Tier 1 Common Security Controls for the DoD Enterprise
The following is a list of the DoD Enterprise level (Tier 1) common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD. DoD Information and PIT systems are considered to be automatically compliant with these controls.
Control Number: Control Title
AT-1: SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
AT-2: SECURITY AWARENESS TRAINING
AT-2(1): SECURITY AWARENESS | PRACTICAL EXERCISES
AT-2(2): SECURITY AWARENESS | INSIDER THREAT
IA-1: IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-5(14): AUTHENTICATOR MANAGEMENT | MANAGING CONTENT OF PKI TRUST STORES
IA-5(3): AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
IR-1: INCIDENT RESPONSE POLICY AND PROCEDURES
IR-4(3): INCIDENT HANDLING | CONTINUITY OF OPERATIONS
MP-1: MEDIA PROTECTION POLICY AND PROCEDURES
PE-1: PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PL-1: SECURITY PLANNING POLICY AND PROCEDURES
PL-9: CENTRAL MANAGEMENT
PM-1: INFORMATION SECURITY PROGRAM PLAN
PM-10: SECURITY AUTHORIZATION PROCESS
PM-7: ENTERPRISE ARCHITECTURE
PM-9: RISK MANAGEMENT STRATEGY
PS-1: PERSONNEL SECURITY POLICY AND PROCEDURES
RA-1: RISK ASSESSMENT POLICY AND PROCEDURES
SI-1: SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
Knowledge Review 2
At which Department of Defense (DoD) Tier of risk management is risk introduced via common security controls at the enclave level that must be documented as either accepted, mitigated or rejected risk by the nested Information System or Platform Information Technology (PIT) System Authorizing Official?
[ ] Tier 1
[ ] Tier 2
[x] Tier 3
Check Answer
Tier 3 is the DoD tier of risk management at which risk is introduced via common security controls at the enclave level that must be documented as either accepted, mitigated or rejected risk by the nested Information System or PIT System Authorizing Official.
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation
The Security Controls Explorer found within the RMF Knowledge Service provides implementation guidance and best practices for implementing security controls This resource is critical when implementing security controls within DoD
Within the list for each security control DoD has assigned specific values implementation guidance and assessment procedures These can be used to manage and document the RMF process In addition to the Knowledge Service these procedures can be found in the DoD Enterprise Mission Assurance Support Service (eMASS)
Long Description
AC-1 Access Control Policy and Procedures
• Control Text: The organization a. Develops, documents and disseminates to [all personnel]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Annually]; and 2. Access control procedures [Annually].
• Supplemental Guidance
• References
• Security Categorization
• Implementation Guidance and Assessment Procedures
Users can view control details under each of these headings.
Control Correlation Identifier (CCI)
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides specific security control information that can be applied to all US Government information systems.
However DoD has provided amplifying guidance requirements and direction based on DoD policies mandates architectures and environments within the RMF Knowledge Service
The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control. CCIs bridge the gap between high-level policy expressions and low-level technical implementations. DoD has taken every security control and associated enhancements within the Security Controls Catalog and decomposed them into individual measurable statements.
CCIs:
• Do not change the meaning or intent of a security control
• Are simply a breakdown of each individual requirement within the security control
• Are given a numeric label
• Provide specific implementation guidance and assessment procedures
Control Correlation Identifiers Guidance
A Common Control Identifier gives us specific DoD guidance and procedures for implementing and assessing the security controls.
For example, when implementing IR-7 security controls, the Common Control Identifiers (CCI-000839 through CCI-000842) guide us to:
• (CCI-000839) Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents
• (CCI-000840) Employ automated mechanisms to increase the availability of incident response-related information and support
• (CCI-000841) Establish a direct, cooperative relationship between its incident response capability and external providers of information system protection capability
• (CCI-000842) Identify organizational incident response team members to the external providers
Control Correlation Identifiers Guidance Cont
At this time DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing
Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users
In assessing this security control we will identify and interview as necessary to determine if the CCIs are fulfilled. As DoD requires us to implement an automated intra-organization incident response information sharing capability, we must determine if this capability is implemented.
This implementation is intended to provide information and support such as standard operating procedures for incident reporting incident handling frequently asked questions current incident activity awareness information incident response contact information and incident report submissions
Control Correlation Identifiers Example
Select the image above to progress through a Control Correlation Identifiers example
The Incident Response Family IR-7 (1) is a specific control to address Incident Response Assistance | Automation Support For Availability Of Information Support
The control is given a CCI number 000840
~
Tho --bot Tht--~~tidrMMbullud_H~ _ mpecWNHMHlMftl ___ ____ ~IOMJThtlp- topwa_rH_M_NNCHINl~ffl cMlcbull W U llMCt to uMrt W aallt1MCe ol thoH HMCff ~ 11Md I ~-middotmiddot--Y ____~ ~fVSlft~illhOnLO
Mt-et II M 1ftCldert ~
MMebull lo cotUct Tht -middot- Tht ___pectt6nMut ~ ~ obtMllll s -nne1 tht_____ ------wv---_~ ---_~ 10 0 __- _ -lomiddotmiddot---shy--_ I SOPlor--O 2 ~deg
) o Y-middot_ rHponM Conucts ~ _
Tht --bot TIM--~ lfltpeC1tidiMMUed bulllhtlilliM ~ otllMM s t1lit
fMCWodc ~ -MNCbull ptcMdef Wt CfJl)ltO 1ti1 - bull m wrren1 -middot--middotmiddot-middot ----- (QCllSP - shyTN Olll)lll zbullM bMt9 Tllif OfflllVbulldeg c0fdut19 a lfltpKlMUM tnull prNde Mii 1M91CbOftUffllrntinC Md_ tht upctae 1bt bull11 o1 tm11 llllttdMI Mt wwetnlll PifM bullbullbull~ JM ~mt_ bullbull MltHJaY to wMilbull bull 11 eccurlllbull and c_ ke ___ tlM ~ CNOSP -CHOSP____ __ C--N ___lllO ---Mt CJlOSPshy -oc1
Page 17 of 23 Back Next
---
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example
CCIOoshy
IR-1 A-1 CO- no___- Tho __ Tht--~t fHSIOMbull IUIJPM flICMilU ti lO the specttclr_IMCf Hfaibllltl MPKtflftHtfflmenl ~onll~ fHpOftH capiibMy lftCdtiril rnpoftM ~MNCe Of9ilV-oNI VHft to _ tllftHamp fl ma~~Md nace 10 Mllogow bullbull rr POHJt to~~ rHpMM 9tIPPOft middot~ Md -1bull ollllt-JY(tmloflllt_ --u-010-lof n-tMIMM_n_lllOd I--middotuany -~-middotmiddot-~--middot-y-- __--lO
_ff 11 idlnlI M ~ HSOONbull ~ MNCe to COlUCI
Rmiddot1 (1) Amiddot1 (1) The organizat ion employs automated Tho --bull_impecbatllbulluu olilaM ft x tht mechanisms to Increase the availability of
--- ---- C-Y__bololy IO-o IN__~incident response-related Information and _ - __ support _
----middot ~~~-~ l c~ bull deg - tclfleyFor each ~ fftPQnM COfll-ICImeasurable -shy
statement shys---shyTho __ Thi--~Thtot--bullbulloct c~MLll11s mspecte6assustcl rnmt ~ bull ~anbulltslNftl~ mtd IM
- middot-~ysmshy~__MtMlkMNCt prCMdet __wtQ~ lot II 9 CUfWll ----middot-- --cloc--hcopoWry (QC)SP) Mid shyTho__ Tho_ c-g lllollH C2) A-7 (2)(b) Thl0t~-middot~shy -OIHuocl-l~ond _ _ ___~ tflpenM tt ~tom tXltmal pnMdiln upclabull the bullbull Cl ~ ~~middot bullbull ~
POftM mttntltta bullbull MCairt to II ecc Md CllilNWll ~ ttw~lllo~eltlltCHOSP _CHOSP___ - -- __pon--MOylhollt
CtlOSP19- middot- The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog
Page 17 of 23 Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example ConltOI 800-53 CoonltOI CCINumber Tut lndlcalOf
IRmiddot1 IRmiddot7 CCfOOOll39 Tht Ofgltlltuotl ~ 811 ~ Tht OttJfUllOtl btillf The OtPitlllOlI COlOicl1119 I rt ftgtOMt ~Pl rtsourct lflttgltal 10 11W itlsptltttdlubullbull bullbulltdWil t ltbullblitJI 811 lnbullPtCtfoNbullbullbullbullbullbullmtlaquo nl lflltMtW OtfMllbullion11 itlC1I ffbullpotIM capaWlaquoy itlCldttlt pot bull11P1gtM bulltMCt organit8li0flal 11bullotri 10 dt-1 41_ d IPIbull ohf$ ~ Wld bullbullSttt811Ct 10 U$tff ~ 10 811 IT lltlpbullbullJc lO ~ ilICiltlttll tttporM $Upp)fl $tMCtt and qualily ti d Ult lftlltlOft sytiem fot 1111 hlftdlbullO 4MCbull and HtlftMCt 10 uwbull fot bullbullbullitctnet ol u~ bullbulllYicbullbull wMll 11Md bull
The organization being The organization conducting the inspectedassessed will implement an inspectionassessment obtains and examines the automated intra-organization incident incident response information sharing capabil ity response information incident related to validate the information sharing capability is information and support for example available to organizational users 1 SOP for Incident reporting 2 Incident handl ing FAQ -
3 Current incident activity awareness Information DoD specific guidance
4 Incident response contact and procedures Information
5 Incident report submissionIR-7 (2) IRbull7 (2) (bull)
pror_Mfs of~ system l)IOlICbOn nttworit dfftntbull StNCt ~ ~lllotl Mid Ct-IOSP lO lllidale bull 11 Wlftfll cap1bilily (CNOSP) Md Wllid
IRmiddot7 (2) IRmiddot7 (2) (b) CCl-0008A2 OfptllZMIOlI ~middotOlpZltiOfI Tht Ot1PfiZlllOn bttfIO The ~middotdeg CltMWMl(t tM ~ rt t-pofSe 1ebull m fNfllbtft 10 the itlf9Kttdfbullbullbullbullbullbulled ~ ttWI itlSpeltllOtlfbullbullbullbullbullbulltntfll obi Wld middot~middot lht UClemai~bull u~e llle lilt ol intemll incidenl list ol illlemal inCidetll re-tp(lltM tbullllM mtnlben
tHPottM teem mtmbers bull s MCeSSMy 10 91MUce ll bullbull ccbullbull and cunent lnteMeWS 1htoughOIA lhe WCydt Of the CNOSP With CttOSP pertdeg~~MOt11 gr-Mmt_ ilI conpincbOn Mth lhe lteidttll rttPolM te lflI mtmbtrbull nwy bullbullo be CNOSP flltfll ~ed~
DOD provides guidance and procedures This supplemental guidance reflecting automated mechanisms can provide a push pull capability for users seeking incident response assist ance For example individuals m ight query the assistance capability via a website or conversely the assistance capabil ity may preemptively send informat ion to users (general dist ribution or target ed) as part of increasing understanding of current response capabilit ies and support
Page 17 of 23 Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example ConltOI 800-53 CoonltOI CCINumber Tut lndlcalOf
IRmiddot1 IRmiddot7
Long Descript ion
A typical Control Correlation Identifiers entry is comprised of
bull Control Number IR-7 ( 1) is highlighted The Incident Response Family IR-7 ( 1) is a specific control to address Incident Response Assistance IAutomation Support For Availability Of Information Support
bull CCI label highlighted The control is given a CCI number 000840
bull CCI definition is highlighted The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog
IR-7 (2) IRbull7 (2) (bull) bull Guidance is highlighted DoD provides guidance and
procedures This supplemental guidance reflecting automated mechanisms can provide a push pull capability for
IRmiddot7 (2) IRmiddot7 (2) (b) users seeking incident response assistance For example individuals might query the assistance capability via a website or conversely the assistance capability may preemptively send information to users (general distribution
DOD provides or targeted) as part of increasing understanding of current can provide a response capabilities and support individuals m i
_ 41 StMCff qualily ti bullbullwMll11Md bull
d examines tile ring capabil ity capability is
c guidance ures
-
cunent lnteMeW5~deg -middot-bullbullbull ted mechanisms xample tance capabil ity
may preemptively send informat ion to users (general distri bution or target ed) as part of increasing understanding of current response capabilit ies and support
I Page17of 23 I Back Next
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.
We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.
Page 18 of 23
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs) Cont
When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.
SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.
The first group are the four Core SRGs, which deal with Applications, Networking Devices, Operating Systems and Policy. The second group are technology-specific SRGs. A technology-specific SRG is a child of a Core SRG; for example, the Database SRG was derived from the requirements in the Application SRG.
Page 19 of 23
The Purpose and Implementation Of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated as appropriate into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs) and Integrated Master Plans / Schedules (IMPs / IMSs).
CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and SSE should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management and risk deliberations, and throughout Systems Engineering Technical Review (SETR) processes and reviews.
Page 20 of 23
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.
Especially consider when a vendor or organization has used automation to allow them to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.
The Department of Defense Instruction (DoDI) 8500 series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs).
In the absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance, or National Information Assurance Partnership (NIAP) Protection Profiles.
National Information Assurance Partnership: The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST). For more information, please visit the NIAP website.
Page 21 of 23
Knowledge Review 3
The Department of Defense (DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual measurable statements referred to as (fill in the blank):
( ) DoD Security Controls
( ) Common Security Controls
(x) Control Correlation Identifiers
( ) Security Controls Catalog
Check Answer
The Department of Defense (DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlation Identifiers.
Page 22 of 23
Lesson Completion
You have completed the content for this lesson.
To continue, select another lesson from the Table of Contents on the left.
If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.
Page 23 of 23
Examples of Common Security Controls Cont
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD level policies as issued.
The Authorizing Official for the Tier 1 common security controls is the DoD Senior Information Security Officer.
Page 7 of 23
Knowledge Review 1
True or False: A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
(x) True
( ) False
Check Answer
True. A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
Page 8 of 23
Risk Management Framework Step 3: Security Control Implementation
RMF Step 3 involves the process of implementing the security controls specified in the Security Plan in accordance with DoD implementation guidance found on the RMF KS.
Select each heading to view the key factors to consider when implementing security controls: Personnel, Organization, Risk Assessment, Inheritance.

Personnel
ISSEs, with support from ISSMs and ISSOs, employ a sound security engineering process that captures and refines information security requirements and ensures their integration into information technology products and systems through purposeful security design or configuration.

Organization
Organization security control implementation includes:
• Maintaining consistency with the organization's enterprise architecture and information security architecture
• Using best practices when implementing the security controls within the Information or PIT system, including system and software engineering methodologies, security engineering principles, and secure software coding techniques
• Satisfying minimum assurance requirements when implementing security controls
• Establishing and implementing mandatory configuration settings on information technology products in accordance with federal and organizational policies

Risk Assessment
Risk assessments may help inform decisions regarding the cost, benefit, and risk trade-offs in using one type of technology versus another for control implementation.

Inheritance
Security controls are typically accepted by inheriting organizations if that organization has complied with DoD implementation guidance and assessment procedures and has met the minimum DoD enterprise-wide specific assignment values.
Each organization has the authority to be more stringent than the published DoD implementation guidance and DoD-specific assignment values for individual security controls. However, the increase in stringency cannot preclude required interoperability or reciprocity.
Organizations requiring more stringency, or otherwise deviating from DoD implementation guidance, must document the assessment procedures used, along with justification for the deviation, in the security plan.
Page 9 of 23
Common Security Controls Applied to the DoD Tiers of Risk Management
Select each tier of the risk pyramid to see how common security controls are applied.
(Image: DoD Tiers of Risk Management pyramid, Strategic Risk at the top and Tactical Risk at the base. Tier 1 - Organization; Tier 2 - Mission / Business Processes; Tier 3 - IS / PIT Systems.)

Tier 1
The DoD Chief Information Officer (CIO) identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.
DoD Information System (IS) and PIT systems are automatically compliant with Tier 1 common security controls because they implement, and are satisfied by, existing documented DoD level policies.
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD level policies as issued. The AO for the Tier 1 common security controls is the DoD Senior Information Security Officer (SISO).

Tier 2
The DoD Component Chief Information Officer (CIO) identifies component-specific common security controls that are satisfied by existing component policy and guidance and are applicable throughout the component. Tier 2 common security controls may be more stringent than Tier 1 common security controls but may not negate or contradict them. Additionally, Tier 2 common security controls may not prevent interoperability or reciprocity between or among the DoD Components.
Component Information Systems (IS) and PIT systems are automatically compliant with Tier 2 common security controls because they implement, and are satisfied by, existing documented component policies and guidance. Risk associated with Tier 2 common security controls is assumed by the component providing the security control.
The Authorizing Official for the Tier 2 common security controls is the Component Senior Information Security Officer (SISO). Tier 2 common security controls are identified by DoD Components and should be posted to the individual DoD Component's KS workspace.

Tier 3
Within Tier 3 are Enclaves, which are a set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.
Enclaves may identify enclave-specific common security controls that are made available to Information or PIT systems nested within the enclave, through agreements between the enclave and the nested Information or PIT systems.
The RMF Technical Advisory Group chairman has approved amplifying guidance for Tier 3 inheritance of common controls. This may be found under the Common Controls and Inheritance tab within the RMF Knowledge Service.
Risks introduced via common security controls at Tier 3 must be documented and either accepted, mitigated or rejected by the nested Information or PIT system Authorizing Official.
Page 10 of 23
Tier 1 Common Security Controls for the DoD Enterprise
The following is a list of the DoD Enterprise level (Tier 1) common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD. DoD Information and PIT systems are considered to be automatically compliant with these controls.
Control Number | Control Title
AT-1 | SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
AT-2 | SECURITY AWARENESS TRAINING
AT-2(1) | SECURITY AWARENESS | PRACTICAL EXERCISES
AT-2(2) | SECURITY AWARENESS | INSIDER THREAT
IA-1 | IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-5(14) | AUTHENTICATOR MANAGEMENT | MANAGING CONTENT OF PKI TRUST STORES
IA-5(3) | AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
IR-1 | INCIDENT RESPONSE POLICY AND PROCEDURES
IR-4(3) | INCIDENT HANDLING | CONTINUITY OF OPERATIONS
MP-1 | MEDIA PROTECTION POLICY AND PROCEDURES
PE-1 | PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PL-1 | SECURITY PLANNING POLICY AND PROCEDURES
PL-9 | CENTRAL MANAGEMENT
PM-1 | INFORMATION SECURITY PROGRAM PLAN
PM-10 | SECURITY AUTHORIZATION PROCESS
PM-7 | ENTERPRISE ARCHITECTURE
PM-9 | RISK MANAGEMENT STRATEGY
PS-1 | PERSONNEL SECURITY POLICY AND PROCEDURES
RA-1 | RISK ASSESSMENT POLICY AND PROCEDURES
SI-1 | SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
Page 11 of 23
Knowledge Review 2
At which Department of Defense (DoD) Tier of risk management is risk introduced via common security controls at the enclave level that must be documented as either accepted, mitigated or rejected risk by the nested Information System or Platform Information Technology (PIT) System Authorizing Official?
( ) Tier 1
( ) Tier 2
(x) Tier 3
Check Answer
Tier 3 is the DoD tier of risk management at which risk is introduced via common security controls at the enclave level that must be documented as either accepted, mitigated or rejected risk by the nested Information System or PIT System Authorizing Official.
Page 12 of 23
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation
The Security Controls Explorer found within the RMF Knowledge Service provides implementation guidance and best practices for implementing security controls. This resource is critical when implementing security controls within DoD.
Within the list for each security control, DoD has assigned specific values, implementation guidance and assessment procedures. These can be used to manage and document the RMF process. In addition to the Knowledge Service, these procedures can be found in the DoD Enterprise Mission Assurance Support Service (eMASS).
(Image: the Security Controls Explorer entry for AC-1, Access Control Policy and Procedures. Users can view control details.)
Long Description
AC-1 Access Control Policy and Procedures
• Control Text: The organization a. Develops, documents, and disseminates to [all personnel]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Annually]; and 2. Access control procedures [Annually].
• Supplemental Guidance
• References
• Security Categorization
• Implementation Guidance and Assessment Procedures
Page 13 of 23
Control Correlation Identifier (CCI)
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides specific security control information that can be applied to all US Government information systems.
However, DoD has provided amplifying guidance, requirements and direction based on DoD policies, mandates, architectures and environments within the RMF Knowledge Service.
The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control. CCIs bridge the gap between high-level policy expressions and low-level technical implementations. DoD has taken every security control and associated enhancements within the Security Controls Catalog and decomposed them into individual measurable statements.
CCIs:
• Do not change the meaning or intent of a security control
• Are simply a breakdown of each individual requirement within the security control
• Are given a numeric label
• Provide specific implementation guidance and assessment procedures
Page 14 of 23
Control Correlation Identifiers Guidance
A Control Correlation Identifier gives us specific DoD guidance and procedures for implementing and assessing the security controls.
For example, when implementing the IR-7 security controls, the Control Correlation Identifiers (CCI-000839 through CCI-000842) guide us to:
• (CCI-000839) Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents
• (CCI-000840) Employ automated mechanisms to increase the availability of incident response-related information and support
• (CCI-000841) Establish a direct, cooperative relationship between its incident response capability and external providers of information system protection capability
• (CCI-000842) Identify organizational incident response team members to the external providers
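The lesson describes CCIs as the bridge between a NIST SP 800-53 control and its technical implementation, and the STIG page explains that CCIs are what lets us correlate controls to STIG rules. The script below is an added example, not part of the ISA220 course material or the RMF Knowledge Service; it shows both ideas in working code. It parses an XCCDF benchmark (the XML format DISA STIGs are published in), collects the CCI references on each rule, maps them back to their parent 800-53 control using the four IR-7 CCIs listed on this page, and reports the CCIs that no rule assesses, which is exactly where an SRG or a manual assessment procedure has to fill in. The XCCDF fragment, its V-/SV- identifiers and rule titles are constructed for illustration; the assumption that DISA benchmarks reference CCIs with `<ident system="http://cyber.mil/cci">` (older benchmarks used `http://iase.disa.mil/cci`) is mine, not something this page states.

```python
"""Correlate STIG (XCCDF) rules to CCIs and back to NIST SP 800-53 controls.

Added example; it is not part of the ISA220 course material. The XCCDF
fragment is constructed for illustration (hypothetical V-/SV- ids and
titles). The four CCI definitions are the IR-7 CCIs quoted in the lesson.
Assumption: DISA STIG benchmarks reference CCIs as
<ident system="http://cyber.mil/cci">CCI-nnnnnn</ident>; older benchmarks
used the system URI http://iase.disa.mil/cci, which is accepted as well.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
CCI_SYSTEMS = {"http://cyber.mil/cci", "http://iase.disa.mil/cci"}

# CCI number -> (parent SP 800-53 control or enhancement, CCI definition),
# as listed on the lesson's CCI guidance page.
CCI_TABLE = {
    "CCI-000839": ("IR-7",
        "Provide an incident response support resource integral to the "
        "organizational incident response capability that offers advice and "
        "assistance to users of the information system for the handling and "
        "reporting of security incidents"),
    "CCI-000840": ("IR-7 (1)",
        "Employ automated mechanisms to increase the availability of incident "
        "response-related information and support"),
    "CCI-000841": ("IR-7 (2) (a)",
        "Establish a direct cooperative relationship between its incident "
        "response capability and external providers of information system "
        "protection capability"),
    "CCI-000842": ("IR-7 (2) (b)",
        "Identify organizational incident response team members to the "
        "external providers"),
}

# Constructed XCCDF fragment: two rules, three CCI references, and one
# non-CCI ident (a legacy V- id) that the parser must ignore.
SAMPLE_STIG = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <title>Example Application STIG (constructed sample)</title>
  <Group id="V-900001">
    <title>SRG-APP-000001</title>
    <Rule id="SV-900001r1_rule" severity="medium">
      <version>EXMP-00-000010</version>
      <title>The application must publish incident reporting procedures to its users.</title>
      <ident system="http://cyber.mil/cci">CCI-000839</ident>
      <ident system="http://cyber.mil/cci">CCI-000840</ident>
      <ident system="http://cyber.mil/legacy">V-900001</ident>
    </Rule>
  </Group>
  <Group id="V-900002">
    <title>SRG-APP-000002</title>
    <Rule id="SV-900002r1_rule" severity="low">
      <version>EXMP-00-000020</version>
      <title>The incident response team roster must be provided to the external service provider.</title>
      <ident system="http://cyber.mil/cci">CCI-000842</ident>
    </Rule>
  </Group>
</Benchmark>
"""


def parse_stig_rules(xccdf_text):
    """Return {rule_id: {"severity": str, "ccis": [CCI, ...]}} for every Rule.

    Only <ident> children whose @system is a CCI namespace are kept; other
    ident systems (legacy V- ids, vendor ids) are dropped.
    """
    root = ET.fromstring(xccdf_text)
    ns = {"x": XCCDF_NS}
    rules = {}
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        ccis = [ident.text.strip()
                for ident in rule.findall("x:ident", ns)
                if ident.get("system") in CCI_SYSTEMS and ident.text]
        rules[rule.get("id")] = {"severity": rule.get("severity"), "ccis": ccis}
    return rules


def correlate_controls(rules, cci_table):
    """Map each 800-53 control/enhancement to the STIG rules that assess one of its CCIs.

    Returns (control -> set of rule ids, set of CCIs missing from the table).
    """
    control_to_rules = defaultdict(set)
    unknown = set()
    for rule_id, info in rules.items():
        for cci in info["ccis"]:
            if cci in cci_table:
                control_to_rules[cci_table[cci][0]].add(rule_id)
            else:
                unknown.add(cci)
    return dict(control_to_rules), unknown


def uncovered_ccis(rules, cci_table):
    """CCIs no STIG rule references: candidates for SRG-based or manual assessment."""
    referenced = {c for info in rules.values() for c in info["ccis"]}
    return sorted(set(cci_table) - referenced)


if __name__ == "__main__":
    rules = parse_stig_rules(SAMPLE_STIG)
    mapping, unknown = correlate_controls(rules, CCI_TABLE)
    for control, rule_ids in sorted(mapping.items()):
        print(f"{control:14} <- {', '.join(sorted(rule_ids))}")
    print("unknown CCIs:", sorted(unknown) or "none")
    print("CCIs with no STIG rule:", uncovered_ccis(rules, CCI_TABLE))
```

Run against a real benchmark, the same three functions answer the two questions a practitioner needs at this point of Step 3: which rules in the applicable STIGs already assess each control in the Security Plan, and which CCIs (here CCI-000841) have no rule at all and must be covered by an SRG requirement or a documented manual assessment procedure.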
I Page15of23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Guidance Cont
At this time DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing
Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users
In assessing this security control we will identify and interview as necessary to determine if the CCis are fulfilled As DoD requires us to implement an automated intra-organization incident response information sharing capability we must determine if this capability is implemented
This implementation is intended to provide information and support such as standard operating procedures for incident reporting incident handling frequently asked questions current incident activity awareness information incident response contact information and incident report submissions
I Page 16 of23 I Back Next
Control Correlation Identifiers Example

[Image: a Control Correlation Identifiers example table for the IR-7 family, with rows for IR-7, IR-7(1), IR-7(2)(a) and IR-7(2)(b) and columns for the control number, the CCI number, the CCI definition, and the DoD implementation guidance and assessment procedures. Selecting the image steps through the example; its text is given in the Long Description below.]

Long Description

A typical Control Correlation Identifiers entry is comprised of:
• Control Number (IR-7(1) is highlighted): The Incident Response Family IR-7(1) is a specific control to address Incident Response Assistance | Automation Support for Availability of Information / Support.
• CCI label (highlighted): The control is given a CCI number, 000840.
• CCI definition (highlighted): The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog. For IR-7(1) it reads: The organization employs automated mechanisms to increase the availability of incident response-related information and support.
• Guidance (highlighted): DoD provides guidance and procedures. This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website or, conversely, the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.

DoD specific guidance for CCI-000840 (implementation guidance and assessment procedure):

The organization being inspected/assessed will implement an automated intra-organization incident response information sharing capability to provide incident related information and support, for example:
1. SOP for incident reporting
2. Incident handling FAQ
3. Current incident activity awareness information
4. Incident response contact information
5. Incident report submission

The organization conducting the inspection/assessment obtains and examines the incident response information sharing capability to validate the information sharing capability is available to organizational users.
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs)

CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.
We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.
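Because every STIG check references the CCIs it satisfies, and every CCI decomposes one control or enhancement, a checklist of STIG results can be rolled back up to the NIST SP 800-53 controls it evidences. The following Python script is an added example of that roll-up and is not part of the course or of any DoD tool: the CCI-to-control mapping for IR-7 is taken from the lesson text, while the STIG rule identifiers (SV-EXAMPLE-*) and their results are constructed sample data, and the status values Open, NotAFinding, Not_Applicable and Not_Reviewed are assumed to be those used in STIG checklist (.ckl) files.

```python
"""Roll STIG check results up to NIST SP 800-53 controls through CCIs.

Added example, not course material: the CCI-to-control mapping for IR-7 is
taken from the lesson; the STIG rule identifiers (SV-EXAMPLE-*) and their
results are constructed sample data, not real STIG content.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# CCI -> (control or enhancement it decomposes, CCI definition), per the lesson.
CCI_TO_CONTROL = {
    "CCI-000839": ("IR-7", "Provide an incident response support resource"),
    "CCI-000840": ("IR-7(1)", "Employ automated mechanisms to increase the "
                              "availability of incident response information"),
    "CCI-000841": ("IR-7(2)(a)", "Establish a direct cooperative relationship "
                                 "with external providers"),
    "CCI-000842": ("IR-7(2)(b)", "Identify incident response team members to "
                                 "the external providers"),
}

# Check-result statuses as used in STIG checklist (.ckl) files, ranked so that
# the worst result wins when several checks map to one CCI.
STATUS_RANK = {"Not_Applicable": 0, "NotAFinding": 1, "Not_Reviewed": 2, "Open": 3}


@dataclass(frozen=True)
class StigResult:
    rule_id: str   # STIG rule identifier (constructed placeholder here)
    status: str    # one of the STATUS_RANK keys
    ccis: tuple    # CCIs the STIG check references


def _worst(statuses):
    """Combine statuses: the highest-ranked (worst) one wins."""
    return max(statuses, key=STATUS_RANK.__getitem__)


def cci_status(results, mapping=CCI_TO_CONTROL):
    """Worst check result per CCI. A CCI that no check references gets
    Not_Reviewed: the STIGs say nothing about it, so the CCI's own assessment
    procedure still has to be carried out."""
    per_cci = defaultdict(list)
    for r in results:
        if r.status not in STATUS_RANK:
            raise ValueError(f"{r.rule_id}: unknown STIG status {r.status!r}")
        for cci in r.ccis:
            per_cci[cci].append(r.status)
    return {cci: _worst(per_cci[cci]) if per_cci[cci] else "Not_Reviewed"
            for cci in mapping}


def control_status(results, mapping=CCI_TO_CONTROL):
    """Roll CCI results up to the control or enhancement each CCI decomposes."""
    per_control = defaultdict(list)
    for cci, status in cci_status(results, mapping).items():
        per_control[mapping[cci][0]].append(status)
    return {ctl: _worst(sts) for ctl, sts in per_control.items()}


_BASE_CONTROL = re.compile(r"^[A-Z]{2}-\d+")


def base_control_status(results, mapping=CCI_TO_CONTROL):
    """Roll enhancements such as IR-7(2)(a) up to their base control (IR-7)."""
    per_base = defaultdict(list)
    for ctl, status in control_status(results, mapping).items():
        per_base[_BASE_CONTROL.match(ctl).group(0)].append(status)
    return {base: _worst(sts) for base, sts in per_base.items()}


def uncovered_ccis(results, mapping=CCI_TO_CONTROL):
    """CCIs no STIG check references; these need a manual assessment."""
    referenced = {cci for r in results for cci in r.ccis}
    return sorted(cci for cci in mapping if cci not in referenced)


# Constructed sample checklist: two checks map to CCI-000840 (one of them
# Open), and no check maps to CCI-000842 at all.
SAMPLE_RESULTS = (
    StigResult("SV-EXAMPLE-001", "NotAFinding", ("CCI-000839",)),
    StigResult("SV-EXAMPLE-002", "Open", ("CCI-000840",)),
    StigResult("SV-EXAMPLE-003", "NotAFinding", ("CCI-000840",)),
    StigResult("SV-EXAMPLE-004", "Not_Applicable", ("CCI-000841",)),
)

if __name__ == "__main__":
    for ctl, status in sorted(control_status(SAMPLE_RESULTS).items()):
        print(f"{ctl:12} {status}")
    print("base control:", base_control_status(SAMPLE_RESULTS))
    print("CCIs with no STIG coverage:", uncovered_ccis(SAMPLE_RESULTS))
```

The roll-up is deliberately pessimistic: one Open check makes its CCI, its enhancement and the base control Open, and a CCI that no applicable STIG covers is reported as Not_Reviewed rather than silently passing, which is the list an assessor would take to the CCI's own assessment procedure.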
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs) (Cont.)

When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.
SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.
The first group are four Core SRGs, which deal with Applications, Networking Devices, Operating Systems, and Policy. The second group are technology specific SRGs. A technology specific SRG is a child of a Core SRG; for example, the Database SRG was derived from the requirements in the Application SRG.
The Purpose and Implementation of Control Correlation Identifiers

As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated, as appropriate, into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs), and Integrated Master Plans/Schedules (IMPs/IMSs).
CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and SSE should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management, and risk deliberations, and throughout Systems Engineering Technical Review (SETR) processes and reviews.
Additional Security Control Implementation Guidance

In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.
Especially consider when a vendor or organization has used automation to allow them to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.
The Department of Defense Instruction (DoDI) 8500 Series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guidelines (SRGs).
In absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance, or National Information Assurance Program (NIAP) Protection Profiles.

National Information Assurance Program: The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST). For more information, please visit the NIAP website.
Knowledge Review 3

The Department of Defense (DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual, measurable statements referred to as (fill in the blank):
[ ] DoD Security Controls
[ ] Common Security Controls
[x] Control Correlation Identifiers
[ ] Security Controls Catalog

Check Answer

The Department of Defense (DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual, measurable statements referred to as Control Correlation Identifiers.
Lesson Completion

You have completed the content for this lesson.
To continue, select another lesson from the Table of Contents on the left.
If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.
Examples of Common Security Controls (Cont.)

Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD level policies as issued.
The Authorizing Official for the Tier 1 common security controls is the DoD Senior Information Security Officer.
Knowledge Review 1

True or False: A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
[x] True
[ ] False

Check Answer

True. A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
Risk Management Framework Step 3: Security Control Implementation

RMF Step 3 involves the process of implementing the security controls specified in the Security Plan in accordance with DoD implementation guidance found on the RMF KS.
Select each heading to view the key factors to consider when implementing security controls: Personnel, Organization, Risk Assessment, Inheritance.

Personnel

ISSEs, with support from ISSMs and ISSOs, employ a sound security engineering process that captures and refines information security requirements and ensures their integration into information technology products and systems through purposeful security design or configuration.

Organization

Organization security control implementation includes:
• Maintaining consistency with the organization's enterprise architecture and information security architecture
• Using best practices when implementing the security controls within the Information or PIT system, including system and software engineering methodologies, security engineering principles, and secure software coding techniques
• Satisfying minimum assurance requirements when implementing security controls
• Establishing and implementing mandatory configuration settings on information technology products in accordance with federal and organizational policies

Risk Assessment

Risk assessments may help inform decisions regarding the cost, benefit, and risk trade-offs in using one type of technology versus another for control implementation.

Inheritance

Security controls are typically accepted by inheriting organizations if that organization has complied with DoD implementation guidance and assessment procedures and has met the minimum DoD enterprise-wide specific assignment values.
Each organization has the authority to be more stringent than the published DoD implementation guidance and DoD specific assignment values for individual security controls. However, the increase in stringency cannot preclude required interoperability or reciprocity.
Organizations requiring more stringency or otherwise deviating from DoD implementation guidance must document the assessment procedures used, along with justification for the deviation, in the security plan.
Common Security Controls Applied to the DoD Tiers of Risk Management

Select each tier of the Strategic risk pyramid to see how common security controls are applied.

[Image: DoD Tiers of Risk Management pyramid, from Strategic Risk at the top to Tactical Risk at the bottom. Long Description: Tier 1 - Organization; Tier 2 - Mission/Business Processes; Tier 3 - IS/PIT Systems.]

Tier 1

The DoD Chief Information Officer (CIO) identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.
DoD Information System (IS) and PIT systems are automatically compliant with Tier 1 common security controls because they implement and are satisfied by existing documented DoD level policies.
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD level policies as issued. The AO for the Tier 1 common security controls is the DoD Senior Information Security Officer (SISO).

Tier 2

The DoD Component Chief Information Officer (CIO) identifies component-specific common security controls that are satisfied by existing component policy and guidance and are applicable throughout the component. Tier 2 common security controls may be more stringent than Tier 1 common security controls but may not negate or contradict them. Additionally, Tier 2 common security controls may not prevent interoperability or reciprocity between or among the DoD Components.
Component Information Systems (IS) and PIT systems are automatically compliant with Tier 2 common security controls because they implement and are satisfied by existing documented component policies and guidance. Risk associated with Tier 2 common security controls is assumed by the component providing the security control.
The Authorizing Official for the Tier 2 common security controls is the Component Senior Information Security Officer (SISO). Tier 2 common security controls are identified by DoD Components and should be posted to the individual DoD Component's KS workspace.

Tier 3

Within Tier 3 are Enclaves, which are a set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.
Enclaves may identify enclave-specific common security controls that are made available to Information or PIT systems that are nested within the enclave through agreements between the enclave and the nested Information or PIT systems.
The RMF Technical Advisory Group chairman has approved amplifying guidance for Tier 3 inheritance of common controls. This may be found under the Common Controls and Inheritance tab within the RMF Knowledge Service.
Risks introduced via common security controls at Tier 3 must be documented and either accepted, mitigated, or rejected by the nested Information or PIT system Authorizing Official.
Tier 1 Common Security Controls for the DoD Enterprise

The following is a list of the DoD Enterprise level (Tier 1) common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD. DoD Information and PIT systems are considered to be automatically compliant with these controls.

Control Number  Control Title
AT-1      SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
AT-2      SECURITY AWARENESS TRAINING
AT-2(1)   SECURITY AWARENESS | PRACTICAL EXERCISES
AT-2(2)   SECURITY AWARENESS | INSIDER THREAT
IA-1      IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-5(14)  AUTHENTICATOR MANAGEMENT | MANAGING CONTENT OF PKI TRUST STORES
IA-5(3)   AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
IR-1      INCIDENT RESPONSE POLICY AND PROCEDURES
IR-4(3)   INCIDENT HANDLING | CONTINUITY OF OPERATIONS
MP-1      MEDIA PROTECTION POLICY AND PROCEDURES
PE-1      PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PL-1      SECURITY PLANNING POLICY AND PROCEDURES
PL-9      CENTRAL MANAGEMENT
PM-1      INFORMATION SECURITY PROGRAM PLAN
PM-10     SECURITY AUTHORIZATION PROCESS
PM-7      ENTERPRISE ARCHITECTURE
PM-9      RISK MANAGEMENT STRATEGY
PS-1      PERSONNEL SECURITY POLICY AND PROCEDURES
RA-1      RISK ASSESSMENT POLICY AND PROCEDURES
SI-1      SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
Knowledge Review 2

At which Department of Defense (DoD) Tier of risk management is risk introduced via common security controls at the enclave level that must be documented as either accepted, mitigated, or rejected risk by the nested Information System or Platform Information Technology (PIT) System Authorizing Official?
[ ] Tier 1
[ ] Tier 2
[x] Tier 3

Check Answer

Tier 3 is the DoD tier of risk management at which risk is introduced via common security controls at the enclave level that must be documented as either accepted, mitigated, or rejected risk by the nested Information System or PIT System Authorizing Official.
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation
The Security Controls Explorer found within the RMF Knowledge Service provides implementation guidance and best practices for implementing security controls This resource is critical when implementing security controls within DoD
Within the list for each security control DoD has assigned specific values implementation guidance and assessment procedures These can be used to manage and document the RMF process In addition to the Knowledge Service these procedures can be found in the DoD Enterprise Mission Assurance Support Service (eMASS)
AC-1 ACCESS CONTROL POLICY AND PROCEDURES
• Control Text: The organization: a. Develops, documents, and disseminates to [all personnel]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Annually]; and 2. Access control procedures [Annually].
• Supplemental Guidance
• References
• Security Categorization
• Implementation Guidance and Assessment Procedures
Long Description
AC-1 Access Control Policy and Procedures. Users can view control details for:
• Control Text: The organization: a. Develops, documents, and disseminates to [all personnel]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Annually]; and 2. Access control procedures [Annually].
• Supplemental Guidance
• References
• Security Categorization
• Implementation Guidance and Assessment Procedures
Control Correlation Identifier (CCI)
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides specific security control information that can be applied to all US Government information systems.
However, DoD has provided amplifying guidance, requirements, and direction based on DoD policies, mandates, architectures, and environments within the RMF Knowledge Service.
The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control. CCIs bridge the gap between high-level policy expressions and low-level technical implementations. DoD has taken every security control and associated enhancements within the Security Controls Catalog and decomposed them into individual measurable statements.
CCIs:
• Do not change the meaning or intent of a security control
• Are simply a breakdown of each individual requirement within the security control
• Are given a numeric label
• Provide specific implementation guidance and assessment procedures
Control Correlation Identifiers Guidance
A Control Correlation Identifier gives us specific DoD guidance and procedures for implementing and assessing the security controls.
For example, when implementing IR-7 security controls, the Control Correlation Identifiers (CCI-000839 through CCI-000842) guide us to:
• (CCI-000839) Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents
• (CCI-000840) Employ automated mechanisms to increase the availability of incident response-related information and support
• (CCI-000841) Establish a direct, cooperative relationship between its incident response capability and external providers of information system protection capability
• (CCI-000842) Identify organizational incident response team members to the external providers
Control Correlation Identifiers Guidance (Cont.)
At this time, DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing.
Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users.
In assessing this security control, we will identify and interview as necessary to determine if the CCIs are fulfilled. As DoD requires us to implement an automated intra-organization incident response information sharing capability, we must determine if this capability is implemented.
This implementation is intended to provide information and support such as standard operating procedures for incident reporting, incident handling frequently asked questions, current incident activity awareness information, incident response contact information, and incident report submissions.
Control Correlation Identifiers Example
[Image: a Control Correlation Identifier table for the IR-7 incident response controls, with columns Control, 800-53 Control, CCI Number, Text, and Indicator. It lists rows for IR-7, IR-7 (1) (CCI-000840), IR-7 (2)(a) (CCI-000841), and IR-7 (2)(b) (CCI-000842). Selecting the image progresses through the example, highlighting one part of the IR-7 (1) entry at a time.]
The IR-7 (1) row as shown in the example:
• Control: IR-7 (1)
• 800-53 Control: IR-7 (1)
• CCI Number: CCI-000840
• Text: The organization employs automated mechanisms to increase the availability of incident response-related information and support.
• DoD specific guidance and procedures: The organization being inspected/assessed will implement an automated intra-organization incident response information sharing capability, incident-related information and support, for example: 1. SOP for incident reporting; 2. Incident handling FAQ; 3. Current incident activity awareness information; 4. Incident response contact information; 5. Incident report submission.
• Assessment: The organization conducting the inspection/assessment obtains and examines the incident response information sharing capability to validate the information sharing capability is available to organizational users.
Long Description
A typical Control Correlation Identifiers entry is comprised of:
• Control Number (IR-7 (1) is highlighted): The Incident Response Family IR-7 (1) is a specific control to address Incident Response Assistance | Automation Support For Availability Of Information Support.
• CCI label (highlighted): The control is given a CCI number, 000840.
• CCI definition (highlighted): The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog.
• Guidance (highlighted): DoD provides guidance and procedures. This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website or, conversely, the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.
We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs) (Cont.)
When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.
SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.
The first group are four Core SRGs, which deal with Applications, Networking Devices, Operating Systems, and Policy. The second group are technology-specific SRGs. A technology-specific SRG is a child of a Core SRG; for example, the Database SRG was derived from the requirements in the Application SRG.
The Purpose and Implementation Of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated, as appropriate, into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs), and Integrated Master Plans/Schedules (IMPs/IMSs).
CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and SSE should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management, and risk deliberations, and throughout Systems Engineering Technical Review (SETR) processes and reviews.
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.
Especially consider when a vendor or organization has used automation to allow them to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.
The Department of Defense Instruction (DoDI) 8500 Series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guidelines (SRGs).
In the absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance, or National Information Assurance Program (NIAP) Protection Profiles.
National Information Assurance Program
The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST). For more information, please visit the NIAP website.
Knowledge Review 3
The Department of Defense (DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual measurable statements referred to as (fill in the blank):
• DoD Security Controls
• Common Security Controls
• Control Correlation Identifiers
• Security Controls Catalog
Check Answer
The Department of Defense (DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlation Identifiers.
Lesson Completion
You have completed the content for this lesson
To continue, select another lesson from the Table of Contents on the left.
If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.
Knowledge Review 1
True or False: A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
• True
• False
Check Answer
True. A common security control can be applied to one or more organizational information systems and can be assigned to a responsible official or organizational element other than the information system owner.
Risk Management Framework Step 3 Security Control Implementation
RMF Step 3 involves the process of implementing the security controls specified in the Security Plan in accordance with DoD implementation guidance found on the RMF KS.
Select each heading to view the key factors to consider when implementing security controls: Personnel, Organization, Risk Assessment, Inheritance.
Personnel
ISSEs, with support from ISSMs and ISSOs, employ a sound security engineering process that captures and refines information security requirements and ensures their integration into information technology products and systems through purposeful security design or configuration.
Organization
Organization security control implementation includes:
• Maintaining consistency with the organization's enterprise architecture and information security architecture
• Using best practices when implementing the security controls within the Information or PIT system, including system and software engineering methodologies, security engineering principles, and secure software coding techniques
• Satisfying minimum assurance requirements when implementing security controls
• Establishing and implementing mandatory configuration settings on information technology products in accordance with federal and organizational policies
Risk Assessment
Risk assessments may help inform decisions regarding the cost, benefit, and risk trade-offs in using one type of technology versus another for control implementation.
Inheritance
Security controls are typically accepted by inheriting organizations if that organization has complied with DoD implementation guidance and assessment procedures and has met the minimum DoD enterprise-wide specific assignment values.
Each organization has the authority to be more stringent than the published DoD implementation guidance and DoD specific assignment values for individual security controls. However, the increase in stringency cannot preclude required interoperability or reciprocity.
Organizations requiring more stringency or otherwise deviating from DoD implementation guidance must document the assessment procedures used, along with justification for the deviation, in the security plan.
Common Security Controls Applied to the DoD Tiers of Risk Management
Select each tier of the Strategic risk pyramid to see how common security controls are applied.
Long Description
DoD Tiers of Risk Management: a pyramid running from Strategic Risk at the top to Tactical Risk at the bottom. Tier 1 - Organization; Tier 2 - Mission/Business Processes; Tier 3 - IS/PIT Systems.
Tier 1
The DoD Chief Information Officer (CIO) identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.
DoD Information System (IS) and PIT systems are automatically compliant with Tier 1 common security controls because they implement and are satisfied by existing documented DoD-level policies.
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD-level policies as issued. The AO for the Tier 1 common security controls is the DoD Senior Information Security Officer (SISO).
Tier 2
The DoD Component Chief Information Officer (CIO) identifies component-specific common security controls that are satisfied by existing component policy and guidance and are applicable throughout the component. Tier 2 common security controls may be more stringent than Tier 1 common security controls but may not negate or contradict them. Additionally, Tier 2 common security controls may not prevent interoperability or reciprocity between or among the DoD Components.
Component Information Systems (IS) and PIT systems are automatically compliant with Tier 2 common security controls because they implement and are satisfied by existing documented component policies and guidance. Risk associated with Tier 2 common security controls is assumed by the component providing the security control.
The Authorizing Official for the Tier 2 common security controls is the Component Senior Information Security Officer (SISO). Tier 2 common security controls are identified by DoD Components and should be posted to the individual DoD Component's KS workspace.
Tier 3
Within Tier 3 are Enclaves, which are a set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.
Enclaves may identify enclave-specific common security controls that are made available to Information or PIT systems that are nested within the enclave through agreements between the enclave and the nested Information or PIT systems.
The RMF Technical Advisory Group chairman has approved amplifying guidance for Tier 3 inheritance of common controls. This may be found under the Common Controls and Inheritance tab within the RMF Knowledge Service.
Risks introduced via common security controls at Tier 3 must be documented and either accepted, mitigated, or rejected by the nested Information or PIT system Authorizing Official.
ISA220 Risk Management Framework for Practitioners Lesson 5I - Implementation of Control Solutions RESOURCES I PRINT I HELP
Tier 1 Common Security Controls for the DoD Enterprise
The following is a list of the DoD Enterprise level (Tier 1) common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD. DoD Information and PIT systems are considered to be automatically compliant with these controls.
Control Number  Control Title
AT-1            SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
AT-2            SECURITY AWARENESS TRAINING
AT-2(1)         SECURITY AWARENESS | PRACTICAL EXERCISES
AT-2(2)         SECURITY AWARENESS | INSIDER THREAT
IA-1            IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-5(14)        AUTHENTICATOR MANAGEMENT | MANAGING CONTENT OF PKI TRUST STORES
IA-5(3)         AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
IR-1            INCIDENT RESPONSE POLICY AND PROCEDURES
IR-4(3)         INCIDENT HANDLING | CONTINUITY OF OPERATIONS
MP-1            MEDIA PROTECTION POLICY AND PROCEDURES
PE-1            PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PL-1            SECURITY PLANNING POLICY AND PROCEDURES
PL-9            CENTRAL MANAGEMENT
PM-1            INFORMATION SECURITY PROGRAM PLAN
PM-10           SECURITY AUTHORIZATION PROCESS
PM-7            ENTERPRISE ARCHITECTURE
PM-9            RISK MANAGEMENT STRATEGY
PS-1            PERSONNEL SECURITY POLICY AND PROCEDURES
RA-1            RISK ASSESSMENT POLICY AND PROCEDURES
SI-1            SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
Knowledge Review 2
At which Department of Defense (DoD) Tier of risk management is risk introduced via common security controls at the enclave level that must be documented as either accepted, mitigated, or rejected risk by the nested Information System or Platform Information Technology (PIT) System Authorizing Official?
( ) Tier 1
( ) Tier 2
(x) Tier 3
Answer: Tier 3 is the DoD tier of risk management at which risk is introduced via common security controls at the enclave level that must be documented as either accepted, mitigated, or rejected risk by the nested Information System or PIT System Authorizing Official.
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation
The Security Controls Explorer, found within the RMF Knowledge Service, provides implementation guidance and best practices for implementing security controls. This resource is critical when implementing security controls within DoD.
Within the list, for each security control DoD has assigned specific values, implementation guidance, and assessment procedures. These can be used to manage and document the RMF process. In addition to the Knowledge Service, these procedures can be found in the DoD Enterprise Mission Assurance Support Service (eMASS).
Example entry from the Security Controls Explorer:
AC-1 ACCESS CONTROL POLICY AND PROCEDURES
Control Text: The organization: a. Develops, documents, and disseminates to [all personnel]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [annually]; and 2. Access control procedures [annually].
Each entry also provides the following sections, from which users can view the control details: Supplemental Guidance; References; Security Categorization; Implementation Guidance and Assessment Procedures.
Control Correlation Identifier (CCI)
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides specific security control information that can be applied to all US Government information systems.
However, DoD has provided amplifying guidance, requirements, and direction based on DoD policies, mandates, architectures, and environments within the RMF Knowledge Service.
The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control. CCIs bridge the gap between high-level policy expressions and low-level technical implementations. DoD has taken every security control and associated enhancement within the Security Controls Catalog and decomposed them into individual, measurable statements.
CCIs:
• Do not change the meaning or intent of a security control
• Are simply a breakdown of each individual requirement within the security control
• Are given a numeric label
• Provide specific implementation guidance and assessment procedures
Control Correlation Identifiers Guidance
A Common Control Identifier gives us specific DoD guidance and procedures for implementing and assessing the security controls.
For example, when implementing the IR-7 security controls, the Common Control Identifiers (CCI-000839 through CCI-000842) guide us to:
• (CCI-000839) Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents
• (CCI-000840) Employ automated mechanisms to increase the availability of incident response-related information and support
• (CCI-000841) Establish a direct, cooperative relationship between its incident response capability and external providers of information system protection capability
• (CCI-000842) Identify organizational incident response team members to the external providers
Control Correlation Identifiers Guidance (Cont.)
At this time, DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing.
Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users.
In assessing this security control, we will identify and interview as necessary to determine if the CCIs are fulfilled. As DoD requires us to implement an automated intra-organization incident response information sharing capability, we must determine if this capability is implemented.
This implementation is intended to provide information and support such as standard operating procedures for incident reporting, incident handling frequently asked questions, current incident activity awareness information, incident response contact information, and incident report submissions.
Control Correlation Identifiers Example
[Figure: a click-through of one row of the CCI table for IR-7, with the columns Control, 800-53 Control, CCI Number, Text, and Indicator, highlighting in turn the Control Number, the CCI label, the CCI definition, and the DoD Guidance. The figure text is given in the long description below.]
The table row for IR-7(1) / CCI-000840 reads, in its DoD-specific guidance and procedures columns:
Implementation guidance: The organization being inspected/assessed will implement an automated intra-organization incident response information sharing capability providing incident-related information and support, for example: 1. SOP for incident reporting; 2. Incident handling FAQ; 3. Current incident activity awareness information; 4. Incident response contact information; 5. Incident report submission.
Assessment procedure: The organization conducting the inspection/assessment obtains and examines the incident response information sharing capability to validate that the information sharing capability is available to organizational users.
Long description: A typical Control Correlation Identifiers entry is comprised of:
• Control Number: IR-7(1) is highlighted. The Incident Response family control IR-7(1) is a specific control to address Incident Response Assistance | Automation Support for Availability of Information/Support.
• CCI label is highlighted: the control is given a CCI number, 000840.
• CCI definition is highlighted: the CCI definition is the same as the control definition in NIST SP 800-53 and within the Security Controls Catalog.
• Guidance is highlighted: DoD provides guidance and procedures. This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website or, conversely, the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.
We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.
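The CCI decomposition of IR-7 described earlier and the CCI-to-STIG correlation described here amount to a traceability chain: control, to CCIs, to STIG checks, with a control only as compliant as its weakest CCI. The script below is an added example (not the lesson's material, and not eMASS or any DoD tool) that walks that chain; the CCI numbers and statements are the IR-7 ones quoted in the lesson, while the STIG check IDs (V-EXAMPLE-*), the findings, the inherited CCI and the manual result are constructed placeholders, and the status names are modelled on STIG checklist statuses.

```python
"""Roll up STIG findings and manual assessments to CCIs and controls.

Added example, not from the ISA220 lesson or any DoD tool.  It models the
CCI traceability the lesson describes: a control is decomposed into CCIs,
STIG checks map to CCIs, and a control is only as compliant as its weakest
CCI.  CCIs with no STIG check at all are flagged so they can be assessed
with the Knowledge Service assessment procedures instead.
"""
import re
from collections import defaultdict

# CCI -> (control or enhancement it belongs to, requirement statement).
# Numbers and statements are those quoted in the lesson for IR-7.
CCI_CATALOG = {
    "CCI-000839": ("IR-7", "Provide an incident response support resource "
                   "integral to the organizational incident response capability."),
    "CCI-000840": ("IR-7(1)", "Employ automated mechanisms to increase the "
                   "availability of incident response-related information and support."),
    "CCI-000841": ("IR-7(2)(a)", "Establish a direct, cooperative relationship "
                   "between the incident response capability and external providers."),
    "CCI-000842": ("IR-7(2)(b)", "Identify organizational incident response team "
                   "members to the external providers."),
}

# Constructed checklist results: (STIG check id, CCI it maps to, status).
# V-EXAMPLE-* are placeholders, not real STIG identifiers.
STIG_FINDINGS = [
    ("V-EXAMPLE-0001", "CCI-000840", "NotAFinding"),
    ("V-EXAMPLE-0002", "CCI-000840", "NotAFinding"),
    ("V-EXAMPLE-0003", "CCI-000841", "Open"),
    # CCI-000842 has no STIG check: it must be assessed manually.
]

# CCIs satisfied by a common control provider (an enclave or a Tier 1/2
# common control) whose risk the system AO has accepted.  Constructed.
INHERITED_CCIS = {"CCI-000839"}


def parent_control(control):
    """'IR-7(2)(a)' -> 'IR-7': strip enhancement and part labels."""
    return re.sub(r"\(.*$", "", control)


def cci_status(cci, findings, inherited, manual):
    """Status of one CCI; inheritance and manual assessment take precedence."""
    if cci in inherited:
        return "Inherited"
    if cci in manual:                      # result of a KS assessment procedure
        return manual[cci]
    statuses = [s for _, c, s in findings if c == cci]
    if not statuses:
        return "No STIG coverage"
    if "Open" in statuses:                 # any failed check fails the CCI
        return "Non-Compliant"
    if "Not_Reviewed" in statuses:
        return "Not Assessed"
    return "Compliant"                     # all NotAFinding / Not_Applicable


def rollup(catalog, findings, inherited=frozenset(), manual=None):
    """Per-CCI and per-control status plus the CCIs needing manual assessment."""
    manual = manual or {}
    per_cci = {c: cci_status(c, findings, inherited, manual) for c in catalog}
    by_control = defaultdict(list)
    for cci, (ctrl, _) in catalog.items():
        by_control[parent_control(ctrl)].append(per_cci[cci])
    control_status = {}
    for ctrl, statuses in by_control.items():
        if "Non-Compliant" in statuses:
            control_status[ctrl] = "Non-Compliant"
        elif all(s in ("Compliant", "Inherited") for s in statuses):
            control_status[ctrl] = "Compliant"
        else:
            control_status[ctrl] = "Not Assessed"
    uncovered = sorted(c for c, s in per_cci.items() if s == "No STIG coverage")
    return {"cci": per_cci, "control": control_status,
            "needs_manual_assessment": uncovered}


def traceability_matrix(catalog, findings):
    """CCI -> sorted STIG check ids; a CCI unknown to the catalog still appears."""
    matrix = {cci: [] for cci in catalog}
    for check, cci, _ in findings:
        matrix.setdefault(cci, []).append(check)
    return {cci: sorted(checks) for cci, checks in matrix.items()}


if __name__ == "__main__":
    result = rollup(CCI_CATALOG, STIG_FINDINGS, INHERITED_CCIS)
    for cci, status in result["cci"].items():
        print(f"{cci} [{CCI_CATALOG[cci][0]}]: {status}")
    print("Control roll-up:", result["control"])
    print("Assess manually via KS procedures:", result["needs_manual_assessment"])
```

Re-running the roll-up after the open finding is closed and CCI-000842 is recorded as compliant from a manual assessment turns IR-7 green, which is the behaviour the test below checks.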
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs) (Cont.)
When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.
SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.
The first group is the four Core SRGs, which deal with Applications, Networking Devices, Operating Systems, and Policy. The second group is technology-specific SRGs. A technology-specific SRG is a child of a Core SRG; for example, the Database SRG was derived from the requirements in the Application SRG.
The Purpose and Implementation Of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated, as appropriate, into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs), and Integrated Master Plans/Schedules (IMPs/IMSs).
CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and SSE should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management, and risk deliberations, and throughout Systems Engineering Technical Review (SETR) processes and reviews.
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.
Especially consider when a vendor or organization has used automation to allow them to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.
The Department of Defense Instruction (DoDI) 8500 Series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guidelines (SRGs).
In the absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance, or National Information Assurance Program (NIAP) Protection Profiles.
National Information Assurance Program: The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST).
Knowledge Review 3
The Department of Defense (DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual measurable statements referred to as: (Fill in the blank)
( ) DoD Security Controls
( ) Common Security Controls
(x) Control Correlation Identifiers
( ) Security Controls Catalog
Answer: The Department of Defense (DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlation Identifiers.
Lesson Completion
You have completed the content for this lesson.
To continue, select another lesson from the Table of Contents on the left.
If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.
Risk Management Framework Step 3 Security Control Implementation
RMF Step 3 involves the process of implementing the security controls specified in the Security Plan in accordance with DoD implementation guidance found on the RMF KS.
Key factors to consider when implementing security controls: Personnel, Organization, Risk Assessment, and Inheritance.
Personnel: ISSEs, with support from ISSMs and ISSOs, employ a sound security engineering process that captures and refines information security requirements and ensures their integration into information technology products and systems through purposeful security design or configuration.
Organization: security control implementation includes:
• Maintaining consistency with the organization's enterprise architecture and information security architecture
• Using best practices when implementing the security controls within the Information or PIT system, including system and software engineering methodologies, security engineering principles, and secure software coding techniques
• Satisfying minimum assurance requirements when implementing security controls
• Establishing and implementing mandatory configuration settings on information technology products in accordance with federal and organizational policies
Risk Assessment: Risk assessments may help inform decisions regarding the cost, benefit, and risk trade-offs in using one type of technology versus another for control implementation.
Inheritance: Security controls are typically accepted by inheriting organizations if that organization has complied with DoD implementation guidance and assessment procedures and has met the minimum DoD enterprise-wide specific assignment values.
Each organization has the authority to be more stringent than the published DoD implementation guidance and DoD-specific assignment values for individual security controls. However, the increase in stringency cannot preclude required interoperability or reciprocity.
Organizations requiring more stringency or otherwise deviating from DoD implementation guidance must document the assessment procedures used, along with justification for the deviation, in the security plan.
Common Security Controls Applied to the DoD Tiers of Risk Management
Tier 1
The DoD Chief Information Officer (CIO) identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.
DoD Information System (IS) and PIT systems are automatically compliant with Tier 1 common security controls because they implement, and are satisfied by, existing documented DoD-level policies.
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD-level policies as issued. The AO for the Tier 1 common security controls is the DoD Senior Information Security Officer (SISO).
Tier 2
The DoD Component Chief Information Officer (CIO) identifies component-specific common security controls that are satisfied by existing component policy and guidance and are applicable throughout the component. Tier 2 common security controls may be more stringent than Tier 1 common security controls but may not negate or contradict them. Additionally, Tier 2 common security controls may not prevent interoperability or reciprocity between or among the DoD Components.
Component Information Systems (IS) and PIT systems are automatically compliant with Tier 2 common security controls because they implement and are satisfied by existing, documented component policies and guidance. Risk associated with Tier 2 common security controls is assumed by the component providing the security control.
The Authorizing Official for the Tier 2 common security controls is the Component Senior Information Security Officer (SISO). Tier 2 common security controls are identified by DoD Components and should be posted to the individual DoD Component's KS workspace.
Tier 3
Within Tier 3 are enclaves, which are a set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.
Enclaves may identify enclave-specific common security controls that are made available to Information or PIT systems nested within the enclave, through agreements between the enclave and the nested Information or PIT systems.
The RMF Technical Advisory Group chairman has approved amplifying guidance for Tier 3 inheritance of common controls. This may be found under the Common Controls and Inheritance tab within the RMF Knowledge Service.
Risks introduced via common security controls at Tier 3 must be documented and either accepted, mitigated, or rejected by the nested Information or PIT system Authorizing Official.
Figure: DoD Tiers of Risk Management pyramid, with strategic risk at the top and tactical risk at the bottom. Tier 1: Organization. Tier 2: Mission/Business Processes. Tier 3: IS/PIT Systems.
Tier 1 Common Security Controls for the DoD Enterprise
The following is a list of the DoD Enterprise-level (Tier 1) common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD. DoD Information and PIT systems are considered to be automatically compliant with these controls.
Control Number   Control Title
AT-1             SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
AT-2             SECURITY AWARENESS TRAINING
AT-2(1)          SECURITY AWARENESS | PRACTICAL EXERCISES
AT-2(2)          SECURITY AWARENESS | INSIDER THREAT
IA-1             IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-5(14)         AUTHENTICATOR MANAGEMENT | MANAGING CONTENT OF PKI TRUST STORES
IA-5(3)          AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
IR-1             INCIDENT RESPONSE POLICY AND PROCEDURES
IR-4(3)          INCIDENT HANDLING | CONTINUITY OF OPERATIONS
MP-1             MEDIA PROTECTION POLICY AND PROCEDURES
PE-1             PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PL-1             SECURITY PLANNING POLICY AND PROCEDURES
PL-9             CENTRAL MANAGEMENT
PM-1             INFORMATION SECURITY PROGRAM PLAN
PM-10            SECURITY AUTHORIZATION PROCESS
PM-7             ENTERPRISE ARCHITECTURE
PM-9             RISK MANAGEMENT STRATEGY
PS-1             PERSONNEL SECURITY POLICY AND PROCEDURES
RA-1             RISK ASSESSMENT POLICY AND PROCEDURES
SI-1             SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
Knowledge Review 2
At which Department of Defense (DoD) tier of risk management is risk introduced via common security controls at the enclave level that must be documented as either accepted, mitigated, or rejected by the nested Information System or Platform Information Technology (PIT) System Authorizing Official?
• Tier 1
• Tier 2
• Tier 3
Answer: Tier 3 is the DoD tier of risk management at which risk is introduced via common security controls at the enclave level that must be documented as either accepted, mitigated, or rejected by the nested Information System or PIT System Authorizing Official.
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation
The Security Controls Explorer, found within the RMF Knowledge Service, provides implementation guidance and best practices for implementing security controls. This resource is critical when implementing security controls within DoD.
Within the list for each security control, DoD has assigned specific values, implementation guidance, and assessment procedures. These can be used to manage and document the RMF process. In addition to the Knowledge Service, these procedures can be found in the DoD Enterprise Mission Assurance Support Service (eMASS).
Screenshot: the Security Controls Explorer entry for AC-1, ACCESS CONTROL POLICY AND PROCEDURES. Control Text (bracketed values are the DoD-assigned values): The organization: a. Develops, documents, and disseminates to [all personnel]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Annually]; and 2. Access control procedures [Annually]. The entry also has tabs for Supplemental Guidance, References, Security Categorization, and Implementation Guidance and Assessment Procedures, where users can view control details.
Control Correlation Identifier (CCI)
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides specific security control information that can be applied to all US Government information systems.
However, DoD has provided amplifying guidance, requirements, and direction based on DoD policies, mandates, architectures, and environments within the RMF Knowledge Service.
The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control. CCIs bridge the gap between high-level policy expressions and low-level technical implementations. DoD has taken every security control and associated enhancements within the Security Controls Catalog and decomposed them into individual, measurable statements.
CCIs:
• Do not change the meaning or intent of a security control
• Are simply a breakdown of each individual requirement within the security control
• Are given a numeric label
• Provide specific implementation guidance and assessment procedures
Control Correlation Identifiers Guidance
A Control Correlation Identifier gives us specific DoD guidance and procedures for implementing and assessing the security controls.
For example, when implementing the IR-7 security controls, the Control Correlation Identifiers (CCI-000839 through CCI-000842) guide us to:
• (CCI-000839) Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents
• (CCI-000840) Employ automated mechanisms to increase the availability of incident response-related information and support
• (CCI-000841) Establish a direct, cooperative relationship between its incident response capability and external providers of information system protection capability
• (CCI-000842) Identify organizational incident response team members to the external providers
At this time, DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing.
Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users.
In assessing this security control, we will identify and interview as necessary to determine if the CCIs are fulfilled. As DoD requires us to implement an automated intra-organization incident response information sharing capability, we must determine if this capability is implemented.
This implementation is intended to provide information and support such as standard operating procedures for incident reporting, incident handling frequently asked questions, current incident activity awareness information, incident response contact information, and incident report submissions.
Control Correlation Identifiers Example
Screenshot: a Control Correlation Identifiers example table for the IR-7 family (IR-7, IR-7(1), IR-7(2), IR-7(2)(a), and IR-7(2)(b)), with columns for the control number, the SP 800-53 control, the CCI number, the CCI text, and the DoD-specific implementation guidance and assessment procedures.
For CCI-000840 (IR-7(1)), the DoD-specific guidance and procedures column reads: The organization being inspected/assessed will implement an automated intra-organization incident response information sharing capability, providing incident-related information and support, for example: 1. SOP for incident reporting; 2. Incident handling FAQ; 3. Current incident activity awareness information; 4. Incident response contact information; 5. Incident report submission. The organization conducting the inspection/assessment obtains and examines the incident response information sharing capability to validate that the information sharing capability is available to organizational users.
DoD provides guidance and procedures. This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website or, conversely, the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
Long Description
A typical Control Correlation Identifiers entry is comprised of:
• Control Number: IR-7(1) is highlighted. The Incident Response family control IR-7(1) is a specific control to address Incident Response Assistance | Automation Support for Availability of Information/Support.
• CCI label: the control is given a CCI number, 000840.
• CCI definition: the CCI definition is the same as the control definition in NIST SP 800-53 and within the Security Controls Catalog.
• Guidance: DoD provides guidance and procedures, the supplemental guidance on push/pull automated mechanisms quoted above.
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.
We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.
When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.
SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.
The first group consists of four Core SRGs, which deal with Applications, Networking Devices, Operating Systems, and Policy. The second group consists of technology-specific SRGs. A technology-specific SRG is a child of a Core SRG; for example, the Database SRG was derived from the requirements in the Application SRG.
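As an added illustration, not part of the ISA220 course material, the following Python models the relationship the lesson describes: an SP 800-53 control is decomposed into CCIs, and STIG or SRG rules are correlated to those CCIs, so assessment results can be rolled back up from rules to CCIs to controls. The four CCI numbers are the IR-7 ones quoted in the lesson; the rule identifiers, the assessment statuses, and the roll-up rule (a control counts as compliant only when every CCI under it passes, and a CCI with no correlated rule is flagged for assessment by the Knowledge Service procedure) are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class CCI:
    """One measurable statement decomposed from an SP 800-53 control."""
    cci_id: str
    control: str      # parent control or enhancement, e.g. "IR-7 (1)"
    definition: str


@dataclass(frozen=True)
class StigCheck:
    """A STIG/SRG rule result. rule_id values below are constructed
    placeholders, not real STIG rule identifiers."""
    rule_id: str
    ccis: frozenset   # CCI ids the rule is correlated to
    status: str       # "NotAFinding", "Open", "Not_Applicable", "Not_Reviewed"


# The four IR-7 CCIs quoted in the lesson (definitions paraphrased from it).
IR7_CCIS: List[CCI] = [
    CCI("CCI-000839", "IR-7",
        "Provide an incident response support resource integral to the "
        "organizational incident response capability."),
    CCI("CCI-000840", "IR-7 (1)",
        "Employ automated mechanisms to increase the availability of "
        "incident response-related information and support."),
    CCI("CCI-000841", "IR-7 (2)",
        "Establish a direct, cooperative relationship between the incident "
        "response capability and external providers."),
    CCI("CCI-000842", "IR-7 (2)",
        "Identify organizational incident response team members to the "
        "external providers."),
]

# Constructed assessment results (placeholder rule ids). No rule maps to
# CCI-000842, so it must be assessed via the KS procedure (examine/interview).
SAMPLE_CHECKS: List[StigCheck] = [
    StigCheck("RULE-PLACEHOLDER-1", frozenset({"CCI-000839"}), "NotAFinding"),
    StigCheck("RULE-PLACEHOLDER-2", frozenset({"CCI-000840"}), "Open"),
    StigCheck("RULE-PLACEHOLDER-3", frozenset({"CCI-000840", "CCI-000841"}),
              "NotAFinding"),
]


def decompose(ccis: List[CCI]) -> Dict[str, Set[str]]:
    """Group CCIs by parent control: control -> {CCI ids}."""
    out: Dict[str, Set[str]] = {}
    for c in ccis:
        out.setdefault(c.control, set()).add(c.cci_id)
    return out


def cci_status(ccis: List[CCI], checks: List[StigCheck]) -> Dict[str, str]:
    """Roll rule results up to each CCI. Any Open rule makes the CCI Open;
    a CCI with no correlated rule is Not_Mapped (assumption: manual assessment)."""
    result: Dict[str, str] = {}
    for c in ccis:
        mapped = [k for k in checks if c.cci_id in k.ccis]
        if not mapped:
            result[c.cci_id] = "Not_Mapped"
        elif any(k.status == "Open" for k in mapped):
            result[c.cci_id] = "Open"
        elif any(k.status == "Not_Reviewed" for k in mapped):
            result[c.cci_id] = "Not_Reviewed"
        else:
            result[c.cci_id] = "Compliant"
    return result


def control_status(ccis: List[CCI], checks: List[StigCheck]) -> Dict[str, str]:
    """A control is Compliant only when every CCI it decomposes into is
    (assumed roll-up rule); one Open CCI makes it Non-Compliant."""
    per_cci = cci_status(ccis, checks)
    out: Dict[str, str] = {}
    for control, ids in decompose(ccis).items():
        states = {per_cci[i] for i in ids}
        if "Open" in states:
            out[control] = "Non-Compliant"
        elif states & {"Not_Mapped", "Not_Reviewed"}:
            out[control] = "Not_Assessed"
        else:
            out[control] = "Compliant"
    return out


def gaps(ccis: List[CCI], checks: List[StigCheck]) -> List[str]:
    """CCIs with no correlated STIG/SRG rule: these need the KS procedure."""
    return [i for i, s in cci_status(ccis, checks).items() if s == "Not_Mapped"]


if __name__ == "__main__":
    for control, status in sorted(control_status(IR7_CCIS, SAMPLE_CHECKS).items()):
        print(f"{control:<9} {status}")
    print("CCIs without a correlated rule:", gaps(IR7_CCIS, SAMPLE_CHECKS))
```

The point of the roll-up is the one the lesson makes about CCIs not changing a control's intent: because a control is simply the set of its CCIs, an automated STIG scan can only close a control when it covers every CCI, and the unmapped ones (here CCI-000842) are exactly where the Knowledge Service assessment procedure, not the scanner, provides the evidence.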
The Purpose and Implementation Of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated, as appropriate, into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs), and Integrated Master Plans/Schedules (IMPs/IMSs).
CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and SSE should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management, and risk deliberations, and throughout Systems Engineering Technical Review (SETR) processes and reviews.
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.
Especially consider when a vendor or organization has used automation to allow them to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.
The Department of Defense Instruction (DoDI) 8500 series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guidelines (SRGs).
In the absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance, or National Information Assurance Program (NIAP) Protection Profiles.
National Information Assurance Program (NIAP)
The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST). For more information, please visit the NIAP website.
Knowledge Review 3
The Department of Defense (DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual measurable statements referred to as (fill in the blank):
• DoD Security Controls
• Common Security Controls
• Control Correlation Identifiers
• Security Controls Catalog
Answer: The Department of Defense (DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlation Identifiers.
Lesson Completion
You have completed the content for this lesson
To continue, select another lesson from the Table of Contents on the left.
If you have closed or hidden the Table of Contents click the Show TOC button at the top in the Atlas navigation bar
I Pbull ge23of23 I Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Risk Management Framework Step 3 Security Control Implementation
RMF St ep 3 involves the process of implementing the security controls specified in the Security Plan in accordance with OoO implementation guidance found on the RMF KS
Select each heading to view the key factors to consider when implementing security controls
Personnel Organization Risk Assessment Inheritance
ISSEs with support from ISSMs and ISSOs employ a sound security engineering process that captures and refines in formation security requirements and ensures their integration into information technology produc ts and sys tems through purposeful security design or configuration
I Pbull ge Qof23 I Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Risk Management Framework Step 3 Security Control Implementation
RMF Step 3 involves the process of implementing the security controls specified in the Security Plan in accordance with OoO implementation guidance found on the RMF KS
Select each heading to view the key factors to consider when implementing security controls
[Personnel M1JibullHIHFyeniiiJI Risk Assessment Inh_e_r_it_a_n_c_e_J____
Organization security control implementation includes
bull Main taining consistency with the organizations en terprise architecture and information securi ty archi tecture
bull Using best prac tices when implementing the security controls within the Information or PIT system including system and software engineering methodologies security engineering principles and secure software coding techniques
bull Satisfying minimum assurance requirements when implementing security controls
bull Establishing and implementing mandatory configuration settings on information technology products in accordance with federal and organizational policies
I Pbull ge Qof23 I Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Risk Management Framework Step 3 Security Control Implementation
RMF Step 3 involves the process of implementing the security controls specified in the Security Plan in accordance with OoO implementation guidance found on the RMF KS
Select each heading to view the key factors to consider when implementing security controls
[Personnel Organization ljljj1hsectll Inh_e_r_it_a_n_c_e_J____
Risk assessments may help in form decisions regarding the cost benefit and risk trade -offs in using one type o f technology versus another for control implementation
Inheritance
Security controls are typically accepted by inheriting organizations if that organization has complied with DoD implementation guidance and assessment procedures and has met the minimum DoD enterprise-wide specific assignment values.
Each organization has the authority to be more stringent than the published DoD implementation guidance and DoD specific assignment values for individual security controls. However, the increase in stringency cannot preclude required interoperability or reciprocity.
Organizations requiring more stringency or otherwise deviating from DoD implementation guidance must document the assessment procedures used, along with justification for the deviation, in the security plan.
Common Security Controls Applied to the DoD Tiers of Risk Management
Common security controls are applied at each tier of the DoD Tiers of Risk Management pyramid, from strategic risk at the top to tactical risk at the base, as described below.
Tier 1
The DoD Chief Information Officer (CIO) identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.
DoD Information System (IS) and PIT systems are automatically compliant with Tier 1 common security controls because they implement, and are satisfied by, existing documented DoD-level policies.
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD-level policies as issued. The AO for the Tier 1 common security controls is the DoD Senior Information Security Officer (SISO).
Tier 2
The DoD Component Chief Information Officer (CIO) identifies component-specific common security controls that are satisfied by existing component policy and guidance and are applicable throughout the component. Tier 2 common security controls may be more stringent than Tier 1 common security controls but may not negate or contradict them. Additionally, Tier 2 common security controls may not prevent interoperability or reciprocity between or among the DoD Components.
Component Information Systems (IS) and PIT systems are automatically compliant with Tier 2 common security controls because they implement, and are satisfied by, existing documented component policies and guidance. Risk associated with Tier 2 common security controls is assumed by the component providing the security control.
The Authorizing Official for the Tier 2 common security controls is the Component Senior Information Security Officer (SISO). Tier 2 common security controls are identified by DoD Components and should be posted to the individual DoD Component's KS workspace.
Tier 3
Within Tier 3 are Enclaves, which are a set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.
Enclaves may identify enclave-specific common security controls that are made available to Information or PIT systems nested within the enclave, through agreements between the enclave and the nested Information or PIT systems.
The RMF Technical Advisory Group chairman has approved amplifying guidance for Tier 3 inheritance of common controls. This may be found under the Common Controls and Inheritance tab within the RMF Knowledge Service.
Risks introduced via common security controls at Tier 3 must be documented and either accepted, mitigated, or rejected by the nested Information or PIT system Authorizing Official.
Long Description
DoD Tiers of Risk Management (strategic risk at the top of the pyramid, tactical risk at the base): Tier 1 - Organization; Tier 2 - Mission/Business Processes; Tier 3 - IS/PIT Systems.
Tier 1 Common Security Controls for the DoD Enterprise
The following is a list of the DoD Enterprise-level (Tier 1) common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD. DoD Information and PIT systems are considered to be automatically compliant with these controls.
Control Number - Control Title
AT-1 - SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
AT-2 - SECURITY AWARENESS TRAINING
AT-2(1) - SECURITY AWARENESS | PRACTICAL EXERCISES
AT-2(2) - SECURITY AWARENESS | INSIDER THREAT
IA-1 - IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-5(14) - AUTHENTICATOR MANAGEMENT | MANAGING CONTENT OF PKI TRUST STORES
IA-5(3) - AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
IR-1 - INCIDENT RESPONSE POLICY AND PROCEDURES
IR-4(3) - INCIDENT HANDLING | CONTINUITY OF OPERATIONS
MP-1 - MEDIA PROTECTION POLICY AND PROCEDURES
PE-1 - PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PL-1 - SECURITY PLANNING POLICY AND PROCEDURES
PL-9 - CENTRAL MANAGEMENT
PM-1 - INFORMATION SECURITY PROGRAM PLAN
PM-10 - SECURITY AUTHORIZATION PROCESS
PM-7 - ENTERPRISE ARCHITECTURE
PM-9 - RISK MANAGEMENT STRATEGY
PS-1 - PERSONNEL SECURITY POLICY AND PROCEDURES
RA-1 - RISK ASSESSMENT POLICY AND PROCEDURES
SI-1 - SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
Knowledge Review 2
At which Department of Defense (DoD) Tier of risk management is risk introduced via common security controls at the enclave level that must be documented as either accepted, mitigated, or rejected risk by the nested Information System or Platform Information Technology (PIT) System Authorizing Official?
[ ] Tier 1
[ ] Tier 2
[x] Tier 3
Answer: Tier 3 is the DoD tier of risk management at which risk is introduced via common security controls at the enclave level that must be documented as either accepted, mitigated, or rejected risk by the nested Information System or PIT System Authorizing Official.
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation
The Security Controls Explorer, found within the RMF Knowledge Service, provides implementation guidance and best practices for implementing security controls. This resource is critical when implementing security controls within DoD.
Within the list entry for each security control, DoD has assigned specific values, implementation guidance, and assessment procedures. These can be used to manage and document the RMF process. In addition to the Knowledge Service, these procedures can be found in the DoD Enterprise Mission Assurance Support Service (eMASS).
Example entry: AC-1 Access Control Policy and Procedures
• Control Text: The organization: a. Develops, documents, and disseminates to [all personnel]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Annually]; and 2. Access control procedures [Annually].
• Supplemental Guidance
• References
• Security Categorization
• Implementation Guidance and Assessment Procedures
Users can view the control details under each of these headings.
Control Correlation Identifier (CCI)
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides specific security control information that can be applied to all US Government information systems.
However, DoD has provided amplifying guidance, requirements, and direction based on DoD policies, mandates, architectures, and environments within the RMF Knowledge Service.
The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control. CCIs bridge the gap between high-level policy expressions and low-level technical implementations. DoD has taken every security control and associated enhancements within the Security Controls Catalog and decomposed them into individual measurable statements.
CCIs:
• Do not change the meaning or intent of a security control
• Are simply a breakdown of each individual requirement within the security control
• Are given a numeric label
• Provide specific implementation guidance and assessment procedures
Control Correlation Identifiers Guidance
A Control Correlation Identifier (CCI) gives us specific DoD guidance and procedures for implementing and assessing the security controls.
For example, when implementing the IR-7 security controls, the Control Correlation Identifiers (CCI-000839 through CCI-000842) guide us to:
• (CCI-000839) Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents
• (CCI-000840) Employ automated mechanisms to increase the availability of incident response-related information and support
• (CCI-000841) Establish a direct, cooperative relationship between its incident response capability and external providers of information system protection capability
• (CCI-000842) Identify organizational incident response team members to the external providers
Control Correlation Identifiers Guidance (cont.)
At this time, DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing.
Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users.
In assessing this security control, we will identify and interview as necessary to determine if the CCIs are fulfilled. As DoD requires us to implement an automated intra-organization incident response information sharing capability, we must determine if this capability is implemented.
This implementation is intended to provide information and support such as standard operating procedures for incident reporting, incident handling frequently asked questions, current incident activity awareness information, incident response contact information, and incident report submissions.
Control Correlation Identifiers Example
[Figure: Control Correlation Identifiers example. A screenshot of the CCI entries for IR-7, IR-7(1) and IR-7(2), tabulated by Control, 800-53 Control, CCI Number and CCI Text, with the DoD implementation guidance and assessment procedures for each row.]
Long Description
A typical Control Correlation Identifiers entry is comprised of:
• Control Number: IR-7(1) is highlighted. The Incident Response Family control IR-7(1) is a specific control to address Incident Response Assistance | Automation Support for Availability of Information/Support.
• CCI label: the control is given a CCI number, CCI-000840.
• CCI definition: the CCI definition is the same as the control definition in NIST SP 800-53 and within the Security Controls Catalog (for IR-7(1): the organization employs automated mechanisms to increase the availability of incident response-related information and support).
• Guidance: DoD provides guidance and procedures. This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website, or conversely the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
• DoD specific guidance and procedures for IR-7(1): The organization being inspected/assessed will implement an automated intra-organization incident response information sharing capability, providing incident response-related information and support, for example: 1. SOP for incident reporting; 2. Incident handling FAQ; 3. Current incident activity awareness information; 4. Incident response contact information; 5. Incident report submission. The organization conducting the inspection/assessment obtains and examines the incident response information sharing capability to validate that the information sharing capability is available to organizational users.
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.
We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.
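The decomposition of IR-7 into CCIs described earlier and the CCI-to-STIG correlation described on this slide can both be checked mechanically. The following Python script is an added example, not DoD, DISA or RMF Knowledge Service code. It loads a constructed CCI list fragment (the element layout, cci_item / definition / reference@index, is assumed to follow the DISA CCI list XML), loads a constructed and simplified XCCDF STIG fragment whose rules cite CCIs in ident elements, and reports for each CCI under IR-7 which STIG rules implement it and which CCIs have no technical check and therefore must be satisfied by policy or procedure and documented in the Security Plan. The rule ids, rule titles and the CCI-to-rule pairings are placeholders; the four IR-7 CCI definitions are the ones quoted in this lesson.

```python
"""Correlate CCIs to 800-53 controls and to STIG rules.

Added example for this lesson; not DoD, DISA or RMF KS code. Both inputs are
constructed fragments: the CCI list layout (cci_item/definition/reference@index)
is an assumption modelled on the DISA CCI list XML, and the STIG fragment is a
simplified XCCDF benchmark with placeholder rule ids and titles.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed CCI list fragment (layout assumed; CCI text as quoted in the lesson).
CCI_LIST_XML = """<cci_list>
  <cci_item id="CCI-000839"><definition>The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents.</definition>
    <references><reference creator="NIST" title="NIST SP 800-53 Revision 4" index="IR-7"/></references></cci_item>
  <cci_item id="CCI-000840"><definition>The organization employs automated mechanisms to increase the availability of incident response-related information and support.</definition>
    <references><reference creator="NIST" title="NIST SP 800-53 Revision 4" index="IR-7 (1)"/></references></cci_item>
  <cci_item id="CCI-000841"><definition>The organization establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability.</definition>
    <references><reference creator="NIST" title="NIST SP 800-53 Revision 4" index="IR-7 (2) (a)"/></references></cci_item>
  <cci_item id="CCI-000842"><definition>The organization identifies organizational incident response team members to the external providers.</definition>
    <references><reference creator="NIST" title="NIST SP 800-53 Revision 4" index="IR-7 (2) (b)"/></references></cci_item>
</cci_list>"""

# Constructed, simplified XCCDF fragment: placeholder rule ids and titles.
# CCI-999999 is a deliberate placeholder that the CCI list above does not define.
STIG_XCCDF = """<Benchmark id="EXAMPLE_STIG_PLACEHOLDER">
  <Group id="V-000001"><Rule id="SV-000001r1_rule" severity="medium">
    <title>Placeholder: the incident response portal must be reachable by all users.</title>
    <ident system="http://cyber.mil/cci">CCI-000840</ident></Rule></Group>
  <Group id="V-000002"><Rule id="SV-000002r1_rule" severity="low">
    <title>Placeholder: rule citing a CCI outside this catalog fragment.</title>
    <ident system="http://cyber.mil/cci">CCI-999999</ident></Rule></Group>
</Benchmark>"""

CCI_RE = re.compile(r"^CCI-\d{6}$")
# Base control = family and number at the start of an index string,
# e.g. "IR-7" from "IR-7 (2) (a)" or "AC-1" from "AC-1 a 1".
CONTROL_RE = re.compile(r"^([A-Z]{2}-\d+)")


def load_cci_map(xml_text):
    """Map each CCI id to (800-53 control index, CCI definition)."""
    cci_map = {}
    for item in ET.fromstring(xml_text).iter("cci_item"):
        ref = item.find("references/reference")
        index = ref.get("index") if ref is not None else None
        cci_map[item.get("id")] = (index, (item.findtext("definition") or "").strip())
    return cci_map


def stig_rules_by_cci(xccdf_text):
    """Map each CCI cited in a STIG's <ident> elements to the rule ids citing it."""
    rules = defaultdict(list)
    for rule in ET.fromstring(xccdf_text).iter("Rule"):
        for ident in rule.findall("ident"):
            cci = (ident.text or "").strip()
            if CCI_RE.match(cci):
                rules[cci].append(rule.get("id"))
    return dict(rules)


def base_control(index):
    """Strip enhancement and sub-part markers from a control index."""
    m = CONTROL_RE.match(index)
    return m.group(1) if m else index


def correlate(control, cci_map, rules_by_cci):
    """List every CCI under one base control with the STIG rules implementing it.

    An empty rule list means the STIG has no technical check for that CCI, so it
    must be met by policy or procedure and documented in the Security Plan.
    """
    report = {}
    for cci, (index, _definition) in sorted(cci_map.items()):
        if index and base_control(index) == control:
            report[cci] = {"index": index, "rules": rules_by_cci.get(cci, [])}
    return report


def unknown_ccis(cci_map, rules_by_cci):
    """CCIs the STIG cites but the loaded CCI list does not define (version mismatch)."""
    return sorted(cci for cci in rules_by_cci if cci not in cci_map)


def main():
    cci_map = load_cci_map(CCI_LIST_XML)
    rules = stig_rules_by_cci(STIG_XCCDF)
    for cci, entry in correlate("IR-7", cci_map, rules).items():
        status = ", ".join(entry["rules"]) or "no STIG rule: policy/procedure, document in Security Plan"
        print(f"{entry['index']:<14} {cci}  {status}")
    for cci in unknown_ccis(cci_map, rules):
        print(f"{cci} cited by STIG but absent from CCI list; check the list version")


if __name__ == "__main__":
    main()
```

Run against a real CCI list and a real STIG, the same functions give the per-control traceability the lesson describes: for each control, which CCIs a technical STIG check covers and which remain procedural. CCIs that a STIG cites but the CCI list does not define usually mean the two sources are from different release cycles, which is why the script reports them separately rather than silently dropping them.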
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs) (cont.)
When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.
SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.
The first group are four Core SRGs, which deal with Applications, Networking Devices, Operating Systems, and Policy. The second group are technology-specific SRGs. A technology-specific SRG is a child of a Core SRG; for example, the Database SRG was derived from the requirements in the Application SRG.
The Purpose and Implementation Of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated, as appropriate, into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs), and Integrated Master Plans/Schedules (IMPs/IMSs).
CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and SSE should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management, and risk deliberations, and throughout Systems Engineering Technical Review (SETR) processes and reviews.
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.
Especially consider when a vendor or organization has used automation to allow them to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.
The Department of Defense Instruction (DoDI) 8500 Series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guidelines (SRGs).
In absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance, or National Information Assurance Program (NIAP) Protection Profiles.
National Information Assurance Program
The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST). For more information, please visit the NIAP website.
Knowledge Review 3
The Department of Defense (DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual measurable statements referred to as ___ (fill in the blank).
[ ] DoD Security Controls
[ ] Common Security Controls
[x] Control Correlation Identifiers
[ ] Security Controls Catalog
Answer: The Department of Defense (DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlation Identifiers.
Lesson Completion
You have completed the content for this lesson
To continue select another lesson from the Table o f Contents on the left
If you have closed or hidden the Table of Contents click the Show TOC button at the top in the Atlas navigation bar
I Pbull ge23of23 I Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Risk Management Framework Step 3 Security Control Implementation

RMF Step 3 involves the process of implementing the security controls specified in the Security Plan in accordance with DoD implementation guidance found on the RMF KS.

Select each heading to view the key factors to consider when implementing security controls: Personnel, Organization, Risk Assessment, Inheritance.

Organization

Organization security control implementation includes:
• Maintaining consistency with the organization's enterprise architecture and information security architecture
• Using best practices when implementing the security controls within the Information or PIT system, including system and software engineering methodologies, security engineering principles, and secure software coding techniques
• Satisfying minimum assurance requirements when implementing security controls
• Establishing and implementing mandatory configuration settings on information technology products in accordance with federal and organizational policies

Risk Assessment

Risk assessments may help inform decisions regarding the cost, benefit, and risk trade-offs in using one type of technology versus another for control implementation.

Inheritance

Security controls are typically accepted by inheriting organizations if that organization has complied with DoD implementation guidance and assessment procedures and has met the minimum DoD enterprise-wide specific assignment values.

Each organization has the authority to be more stringent than the published DoD implementation guidance and DoD specific assignment values for individual security controls. However, the increase in stringency cannot preclude required interoperability or reciprocity.

Organizations requiring more stringency or otherwise deviating from DoD implementation guidance must document the assessment procedures used, along with justification for the deviation, in the security plan.

Page 9 of 23
Common Security Controls Applied to the DoD Tiers of Risk Management

Select each tier of the Strategic risk pyramid to see how common security controls are applied.

Tier 1

The DoD Chief Information Officer (CIO) identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.

DoD Information System (IS) and PIT systems are automatically compliant with Tier 1 common security controls because they implement and are satisfied by existing documented DoD level policies.

Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD level policies as issued. The AO for the Tier 1 common security controls is the DoD Senior Information Security Officer (SISO).

Tier 2

The DoD Component Chief Information Officer (CIO) identifies component-specific common security controls that are satisfied by existing component policy and guidance and are applicable throughout the component. Tier 2 common security controls may be more stringent than Tier 1 common security controls but may not negate or contradict them. Additionally, Tier 2 common security controls may not prevent interoperability or reciprocity between or among the DoD Components.

Component Information Systems (IS) and PIT systems are automatically compliant with Tier 2 common security controls because they implement and are satisfied by existing documented component policies and guidance. Risk associated with Tier 2 common security controls is assumed by the component providing the security control.

The Authorizing Official for the Tier 2 common security controls is the Component Senior Information Security Officer (SISO). Tier 2 common security controls are identified by DoD Components and should be posted to the individual DoD Component's KS workspace.

Tier 3

Within Tier 3 are Enclaves, which are a set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.

Enclaves may identify enclave-specific common security controls that are made available to Information or PIT systems that are nested within the enclave through agreements between the enclave and the nested Information or PIT systems.

The RMF Technical Advisory Group chairman has approved amplifying guidance for Tier 3 inheritance of common controls. This may be found under the Common Controls and Inheritance tab within the RMF Knowledge Service.

Risks introduced via common security controls at Tier 3 must be documented and either accepted, mitigated, or rejected by the nested Information or PIT system Authorizing Official.

Long Description

DoD Tiers of Risk Management, shown as a pyramid from strategic risk at the top to tactical risk at the bottom: Tier 1 - Organization; Tier 2 - Mission/Business Processes; Tier 3 - IS/PIT Systems.

Page 10 of 23
Tier 1 Common Security Controls for the DoD Enterprise

The following is a list of the DoD Enterprise level (Tier 1) common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD. DoD Information and PIT systems are considered to be automatically compliant with these controls.

Control Number   Control Title
AT-1             SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
AT-2             SECURITY AWARENESS TRAINING
AT-2(1)          SECURITY AWARENESS | PRACTICAL EXERCISES
AT-2(2)          SECURITY AWARENESS | INSIDER THREAT
IA-1             IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-5(14)         AUTHENTICATOR MANAGEMENT | MANAGING CONTENT OF PKI TRUST STORES
IA-5(3)          AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
IR-1             INCIDENT RESPONSE POLICY AND PROCEDURES
IR-4(3)          INCIDENT HANDLING | CONTINUITY OF OPERATIONS
MP-1             MEDIA PROTECTION POLICY AND PROCEDURES
PE-1             PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PL-1             SECURITY PLANNING POLICY AND PROCEDURES
PL-9             CENTRAL MANAGEMENT
PM-1             INFORMATION SECURITY PROGRAM PLAN
PM-10            SECURITY AUTHORIZATION PROCESS
PM-7             ENTERPRISE ARCHITECTURE
PM-9             RISK MANAGEMENT STRATEGY
PS-1             PERSONNEL SECURITY POLICY AND PROCEDURES
RA-1             RISK ASSESSMENT POLICY AND PROCEDURES
SI-1             SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES

Page 11 of 23
Knowledge Review 2

At which Department of Defense (DoD) Tier of risk management is risk introduced via common security controls at the enclave level that must be documented as either accepted, mitigated, or rejected risk by the nested Information System or Platform Information Technology (PIT) System Authorizing Official?
• Tier 1
• Tier 2
• Tier 3

Check Answer

Tier 3 is the DoD tier of risk management at which risk is introduced via common security controls at the enclave level that must be documented as either accepted, mitigated, or rejected risk by the nested Information System or PIT System Authorizing Official.

Page 12 of 23
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation

The Security Controls Explorer found within the RMF Knowledge Service provides implementation guidance and best practices for implementing security controls. This resource is critical when implementing security controls within DoD.

Within the list for each security control, DoD has assigned specific values, implementation guidance, and assessment procedures. These can be used to manage and document the RMF process. In addition to the Knowledge Service, these procedures can be found in the DoD Enterprise Mission Assurance Support Service (eMASS).

AC-1 Access Control Policy and Procedures
• Control Text: The organization: a. Develops, documents, and disseminates to [all personnel]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Annually]; and 2. Access control procedures [Annually].
• Supplemental Guidance
• References
• Security Categorization
• Implementation Guidance and Assessment Procedures

Long Description

Users can view the control details for AC-1 Access Control Policy and Procedures: Control Text, Supplemental Guidance, References, Security Categorization, and Implementation Guidance and Assessment Procedures.

Page 13 of 23
Control Correlation Identifier (CCI)

The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides specific security control information that can be applied to all US Government information systems.

However, DoD has provided amplifying guidance, requirements, and direction based on DoD policies, mandates, architectures, and environments within the RMF Knowledge Service.

The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control. CCIs bridge the gap between high-level policy expressions and low-level technical implementations. DoD has taken every security control and associated enhancements within the Security Controls Catalog and decomposed them into individual measurable statements.

CCIs:
• Do not change the meaning or intent of a security control
• Are simply a breakdown of each individual requirement within the security control
• Are given a numeric label
• Provide specific implementation guidance and assessment procedures

Page 14 of 23
Control Correlation Identifiers Guidance

A Control Correlation Identifier gives us specific DoD guidance and procedures for implementing and assessing the security controls.

For example, when implementing the IR-7 security controls, the Control Correlation Identifiers (CCI-000839 through CCI-000842) guide us to:
• (CCI-000839) Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents
• (CCI-000840) Employ automated mechanisms to increase the availability of incident response-related information and support
• (CCI-000841) Establish a direct, cooperative relationship between its incident response capability and external providers of information system protection capability
• (CCI-000842) Identify organizational incident response team members to the external providers

Page 15 of 23
Control Correlation Identifiers Guidance (Cont.)

At this time, DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing.

Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users.

In assessing this security control, we will identify and interview as necessary to determine if the CCIs are fulfilled. As DoD requires us to implement an automated intra-organization incident response information sharing capability, we must determine if this capability is implemented.

This implementation is intended to provide information and support such as standard operating procedures for incident reporting, incident handling frequently asked questions, current incident activity awareness information, incident response contact information, and incident report submissions.

Page 16 of 23
Control Correlation Identifiers Example

Select the image above to progress through a Control Correlation Identifiers example. [Image: a CCI table with the columns Control, 800-53 Control, CCI Number, Text, and Indicator, listing the IR-7, IR-7(1), and IR-7(2) entries; only parts of it are legible.]

Long Description

A typical Control Correlation Identifiers entry is comprised of:
• Control Number: IR-7(1) is highlighted. The Incident Response Family IR-7(1) is a specific control to address Incident Response Assistance | Automation Support for Availability of Information Support.
• CCI label highlighted: The control is given a CCI number, 000840.
• CCI definition highlighted: The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog. For IR-7(1): The organization employs automated mechanisms to increase the availability of incident response-related information and support.
• Guidance highlighted: DoD provides guidance and procedures. This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website, or conversely the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.

DoD specific guidance and procedures are given for each measurable statement. The legible portion of the CCI-000840 entry reads:

The organization being inspected/assessed will implement an automated intra-organization incident response information sharing capability, providing incident related information and support, for example: 1. SOP for incident reporting; 2. Incident handling FAQ; 3. Current incident activity awareness information; 4. Incident response contact information; 5. Incident report submission.

The organization conducting the inspection/assessment obtains and examines the incident response information sharing capability to validate the information sharing capability is available to organizational users.

Page 17 of 23
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs)

CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.

We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.

Page 18 of 23
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs) (Cont.)

When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.

SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.

SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.

The first group are the four Core SRGs, which deal with Applications, Networking Devices, Operating Systems, and Policy. The second group are technology-specific SRGs. A technology-specific SRG is a child of a Core SRG. For example, the Database SRG was derived from the requirements in the Application SRG.

Page 19 of 23
The Purpose and Implementation of Control Correlation Identifiers

As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated as appropriate into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs), and Integrated Master Plans/Schedules (IMPs/IMSs).

CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.

To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and SSE should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management, and risk deliberations, and throughout Systems Engineering Technical Review (SETR) processes and reviews.

Page 20 of 23
Additional Security Control Implementation Guidance

In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.

Especially consider when a vendor or organization has used automation to allow them to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.

The Department of Defense Instruction (DoDI) 8500 Series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guidelines (SRGs).

In absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance, or National Information Assurance Program (NIAP) Protection Profiles.

Page 21 of 23
National Information Assurance Program

The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST).
Knowledge Review 3
The Department of Defense (DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual measurable statements referred to as (fill in the blank):
DoD Security Controls
Common Security Controls
Control Correlation Identifiers
Security Controls Catalog
Check Answer
The Department of Defense (DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlation Identifiers.
Lesson Completion
You have completed the content for this lesson
To continue, select another lesson from the Table of Contents on the left.
If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.
Risk Management Framework Step 3 Security Control Implementation
RMF Step 3 involves implementing the security controls specified in the Security Plan in accordance with DoD implementation guidance found on the RMF KS.
Select each heading to view the key factors to consider when implementing security controls: Personnel, Organization, Risk Assessment, Inheritance.
Risk Assessment
Risk assessments may help inform decisions regarding the cost, benefit, and risk trade-offs in using one type of technology versus another for control implementation.
Inheritance
Security controls are typically accepted by inheriting organizations if that organization has complied with DoD implementation guidance and assessment procedures and has met the minimum DoD enterprise-wide specific assignment values.
Each organization has the authority to be more stringent than the published DoD implementation guidance and DoD-specific assignment values for individual security controls; however, the increase in stringency cannot preclude required interoperability or reciprocity.
Organizations requiring more stringency or otherwise deviating from DoD implementation guidance must document the assessment procedures used, along with justification for the deviation, in the security plan.
Common Security Controls Applied to the DoD Tiers of Risk Management
Select each tier of the Strategic risk pyramid to see how common security controls are applied.
Tier 1
The DoD Chief Information Officer (CIO) identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.
DoD Information Systems (IS) and PIT systems are automatically compliant with Tier 1 common security controls because they implement, and are satisfied by, existing documented DoD-level policies.
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD-level policies as issued. The Authorizing Official (AO) for the Tier 1 common security controls is the DoD Senior Information Security Officer (SISO).
Tier 2
The DoD Component Chief Information Officer (CIO) identifies component-specific common security controls that are satisfied by existing component policy and guidance and are applicable throughout the component. Tier 2 common security controls may be more stringent than Tier 1 common security controls but may not negate or contradict them. Additionally, Tier 2 common security controls may not prevent interoperability or reciprocity between or among the DoD Components.
Component Information Systems (IS) and PIT systems are automatically compliant with Tier 2 common security controls because they implement, and are satisfied by, existing documented component policies and guidance. Risk associated with Tier 2 common security controls is assumed by the component providing the security control.
The Authorizing Official for the Tier 2 common security controls is the Component Senior Information Security Officer (SISO). Tier 2 common security controls are identified by DoD Components and should be posted to the individual DoD Component's KS workspace.
Tier 3
Within Tier 3 are enclaves, which are a set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.
Enclaves may identify enclave-specific common security controls that are made available to Information or PIT systems nested within the enclave through agreements between the enclave and the nested Information or PIT systems.
The RMF Technical Advisory Group chairman has approved amplifying guidance for Tier 3 inheritance of common controls. This may be found under the Common Controls and Inheritance tab within the RMF Knowledge Service.
Risks introduced via common security controls at Tier 3 must be documented and either accepted, mitigated, or rejected by the nested Information or PIT system Authorizing Official.
Long Description
DoD Tiers of Risk Management: a pyramid running from Strategic Risk at the top to Tactical Risk at the bottom, with Tier 1 - Organization; Tier 2 - Mission/Business Processes; Tier 3 - IS/PIT Systems.
Tier 1 Common Security Controls for the DoD Enterprise
The following is a list of the DoD Enterprise-level (Tier 1) common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD. DoD Information and PIT systems are considered to be automatically compliant with these controls.
Control Number | Control Title
AT-1 | SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
AT-2 | SECURITY AWARENESS TRAINING
AT-2(1) | SECURITY AWARENESS | PRACTICAL EXERCISES
AT-2(2) | SECURITY AWARENESS | INSIDER THREAT
IA-1 | IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-5(14) | AUTHENTICATOR MANAGEMENT | MANAGING CONTENT OF PKI TRUST STORES
IA-5(3) | AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
IR-1 | INCIDENT RESPONSE POLICY AND PROCEDURES
IR-4(3) | INCIDENT HANDLING | CONTINUITY OF OPERATIONS
MP-1 | MEDIA PROTECTION POLICY AND PROCEDURES
PE-1 | PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PL-1 | SECURITY PLANNING POLICY AND PROCEDURES
PL-9 | CENTRAL MANAGEMENT
PM-1 | INFORMATION SECURITY PROGRAM PLAN
PM-10 | SECURITY AUTHORIZATION PROCESS
PM-7 | ENTERPRISE ARCHITECTURE
PM-9 | RISK MANAGEMENT STRATEGY
PS-1 | PERSONNEL SECURITY POLICY AND PROCEDURES
RA-1 | RISK ASSESSMENT POLICY AND PROCEDURES
SI-1 | SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
Knowledge Review 2
At which Department of Defense (DoD) Tier of risk management is risk introduced via common security controls at the enclave level, which must be documented as either accepted, mitigated, or rejected risk by the nested Information System or Platform Information Technology (PIT) System Authorizing Official?
Tier 1
Tier 2
Tier 3
Check Answer
Tier 3 is the DoD tier of risk management at which risk is introduced via common security controls at the enclave level, which must be documented as either accepted, mitigated, or rejected risk by the nested Information System or PIT System Authorizing Official.
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation
The Security Controls Explorer, found within the RMF Knowledge Service, provides implementation guidance and best practices for implementing security controls. This resource is critical when implementing security controls within DoD.
Within the list for each security control, DoD has assigned specific values, implementation guidance, and assessment procedures. These can be used to manage and document the RMF process. In addition to the Knowledge Service, these procedures can be found in the DoD Enterprise Mission Assurance Support Service (eMASS).
AC-1 ACCESS CONTROL POLICY AND PROCEDURES
Control Text: The organization: a. Develops, documents, and disseminates to [all personnel]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [annually]; and 2. Access control procedures [annually].
Supplemental Guidance
References
Security Categorization
Implementation Guidance and Assessment Procedures
Long Description
The Security Control Explorer entry for AC-1 (Access Control Policy and Procedures) is shown. Each entry comprises the Control Text, Supplemental Guidance, References, Security Categorization, and Implementation Guidance and Assessment Procedures; users can expand each section to view control details.
Control Correlation Identifier (CCI)
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides specific security control information that can be applied to all US Government information systems.
However, DoD has provided amplifying guidance, requirements, and direction based on DoD policies, mandates, architectures, and environments within the RMF Knowledge Service.
The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control. CCIs bridge the gap between high-level policy expressions and low-level technical implementations. DoD has taken every security control and associated enhancements within the Security Controls Catalog and decomposed them into individual measurable statements.
CCIs:
• Do not change the meaning or intent of a security control
• Are simply a breakdown of each individual requirement within the security control
• Are given a numeric label
• Provide specific implementation guidance and assessment procedures
Control Correlation Identifiers Guidance
A Control Correlation Identifier gives us specific DoD guidance and procedures for implementing and assessing the security controls.
For example, when implementing the IR-7 security controls, the Control Correlation Identifiers (CCI-000839 through CCI-000842) guide us to:
• (CCI-000839) Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents
• (CCI-000840) Employ automated mechanisms to increase the availability of incident response-related information and support
• (CCI-000841) Establish a direct, cooperative relationship between its incident response capability and external providers of information system protection capability
• (CCI-000842) Identify organizational incident response team members to the external providers
Control Correlation Identifiers Guidance Cont
At this time, DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing.
Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users.
In assessing this security control, we will identify and interview as necessary to determine if the CCIs are fulfilled. As DoD requires us to implement an automated intra-organization incident response information sharing capability, we must determine if this capability is implemented.
This implementation is intended to provide information and support such as standard operating procedures for incident reporting, incident handling frequently asked questions, current incident activity awareness information, incident response contact information, and incident report submissions.
Control Correlation Identifiers Example
[Figure: a Control Correlation Identifier table for the IR-7 family, with columns Control, 800-53 Control, CCI Number, and the CCI text and DoD guidance. The course steps through the highlighted IR-7(1) / CCI-000840 row; the rows for IR-7(2)(a) and IR-7(2)(b) are not legible in the source, and only the portions transcribed below survive.]
A typical Control Correlation Identifier entry is comprised of:
• Control Number (IR-7(1) is highlighted): the Incident Response family control IR-7(1) is a specific control to address Incident Response Assistance | Automation Support for Availability of Information/Support.
• CCI label (highlighted): the control is given CCI number 000840.
• CCI definition (highlighted): the CCI definition is the same as the control definition in NIST SP 800-53 and within the Security Controls Catalog, "The organization employs automated mechanisms to increase the availability of incident response-related information and support."
• Guidance (highlighted): DoD provides guidance and procedures. This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website, or conversely the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
DoD-specific guidance and procedures for CCI-000840, as legible in the table:
Implementation guidance: The organization being inspected/assessed will implement an automated intra-organization incident response information sharing capability, incident-related information and support, for example: 1. SOP for incident reporting; 2. Incident handling FAQ; 3. Current incident activity awareness information; 4. Incident response contact information; 5. Incident report submission.
Assessment procedure: The organization conducting the inspection/assessment obtains and examines the incident response information sharing capability to validate that the information sharing capability is available to organizational users.
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.
We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.
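To make the correlation concrete, here is an added Python example (not part of the ISA220 course or of any DoD tool) that resolves the CCIs cited by STIG rules back to their NIST SP 800-53 controls, so a security plan can show which STIG checks implement each control and which controls no check covers. It assumes the public DISA CCI list XML (cci_item / definition / reference index) and XCCDF STIG (Rule / ident system ending in "cci") layouts as understood here; the embedded XML, every group and rule id, and CCI-999999 are constructed placeholders, while CCI-000839 through CCI-000842 and IR-7 are the identifiers from this lesson.

```python
# Added example (not the course's own code): correlate STIG rules to
# NIST SP 800-53 controls through CCIs. XML shapes follow the public DISA CCI
# list and XCCDF STIG formats as understood here (an assumption); all ids,
# rules and titles are constructed for the demonstration.
import xml.etree.ElementTree as ET
from collections import defaultdict

CCI_NS = "{http://iase.disa.mil/cci}"
XCCDF_NS = "{http://checklists.nist.gov/xccdf/1.2}"

# Constructed CCI-list excerpt: each CCI carries its definition and the
# 800-53 control index it decomposes (IR-7 family, as on this page).
CCI_LIST_XML = """<cci_list xmlns="http://iase.disa.mil/cci"><cci_items>
<cci_item id="CCI-000839"><definition>Provide an incident response support resource.</definition>
 <references><reference creator="NIST" title="NIST SP 800-53 Revision 4" index="IR-7"/></references></cci_item>
<cci_item id="CCI-000840"><definition>Employ automated mechanisms to increase the availability of incident response-related information and support.</definition>
 <references><reference creator="NIST" title="NIST SP 800-53 Revision 4" index="IR-7 (1)"/></references></cci_item>
<cci_item id="CCI-000841"><definition>Establish a direct cooperative relationship with external providers.</definition>
 <references><reference creator="NIST" title="NIST SP 800-53 Revision 4" index="IR-7 (2) (a)"/></references></cci_item>
<cci_item id="CCI-000842"><definition>Identify incident response team members to the external providers.</definition>
 <references><reference creator="NIST" title="NIST SP 800-53 Revision 4" index="IR-7 (2) (b)"/></references></cci_item>
</cci_items></cci_list>"""

# Constructed XCCDF benchmark excerpt: STIG rules cite CCIs in <ident>.
# Group/rule ids and CCI-999999 are placeholders, not real STIG identifiers.
STIG_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example">
<Group id="V-EXAMPLE-1"><Rule id="SV-EXAMPLE-1_rule" severity="medium">
 <title>Incident reporting SOP and FAQ must be published to all users.</title>
 <ident system="http://cyber.mil/cci">CCI-000840</ident></Rule></Group>
<Group id="V-EXAMPLE-2"><Rule id="SV-EXAMPLE-2_rule" severity="low">
 <title>External protection provider relationship must be documented.</title>
 <ident system="http://cyber.mil/cci">CCI-000841</ident>
 <ident system="http://cyber.mil/cci">CCI-000842</ident></Rule></Group>
<Group id="V-EXAMPLE-3"><Rule id="SV-EXAMPLE-3_rule" severity="high">
 <title>Rule citing a CCI absent from the local CCI list.</title>
 <ident system="http://cyber.mil/cci">CCI-999999</ident></Rule></Group>
</Benchmark>"""


def normalize_control(index):
    """'IR-7 (2) (a)' -> 'IR-7(2)(a)', so a control compares equal whether it
    came from the CCI list or was typed into a security plan."""
    return "".join(index.split())


def load_cci_index(xml_text):
    """Return {cci_id: {"definition": str, "controls": [control, ...]}}."""
    index = {}
    for item in ET.fromstring(xml_text).iter(CCI_NS + "cci_item"):
        controls = [normalize_control(ref.get("index", ""))
                    for ref in item.iter(CCI_NS + "reference")
                    if ref.get("creator") == "NIST"]
        index[item.get("id")] = {
            "definition": item.findtext(CCI_NS + "definition", default="").strip(),
            "controls": controls,
        }
    return index


def load_stig_rules(xml_text):
    """Return one dict per XCCDF Rule with the CCIs it cites."""
    rules = []
    for rule in ET.fromstring(xml_text).iter(XCCDF_NS + "Rule"):
        ccis = [ident.text.strip()
                for ident in rule.findall(XCCDF_NS + "ident")
                if ident.get("system", "").endswith("/cci") and ident.text]
        rules.append({"rule_id": rule.get("id"),
                      "title": rule.findtext(XCCDF_NS + "title", default="").strip(),
                      "ccis": ccis})
    return rules


def correlate(rules, cci_index):
    """Map each 800-53 control to the STIG rules that check it, via CCIs.
    Returns (control -> sorted rule ids, sorted unresolved CCIs): a rule citing
    a CCI missing from the list is surfaced, not silently lost from traceability."""
    by_control = defaultdict(set)
    unresolved = set()
    for rule in rules:
        for cci in rule["ccis"]:
            entry = cci_index.get(cci)
            if entry is None:
                unresolved.add(cci)
                continue
            for control in entry["controls"]:
                by_control[control].add(rule["rule_id"])
    return {c: sorted(r) for c, r in sorted(by_control.items())}, sorted(unresolved)


def controls_without_rules(cci_index, by_control):
    """Controls the CCI list decomposes but that no rule in this STIG checks;
    those still need a procedural or inherited implementation."""
    every = {c for entry in cci_index.values() for c in entry["controls"]}
    return sorted(every - set(by_control))


if __name__ == "__main__":
    cci_index = load_cci_index(CCI_LIST_XML)
    by_control, unresolved = correlate(load_stig_rules(STIG_XML), cci_index)
    for control, rule_ids in by_control.items():
        print(f"{control}: {', '.join(rule_ids)}")
    print("unresolved CCIs:", unresolved)
    print("controls with no STIG rule:", controls_without_rules(cci_index, by_control))
```

Running the file prints the control-to-rule map for the constructed data. The two gaps that matter for traceability, CCIs a rule cites that the CCI list cannot resolve and controls that no STIG rule checks, are returned as values rather than only printed, so the same functions can gate a build or feed a security plan report.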
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs), Cont.
When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.
SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.
The first group are the four Core SRGs, which deal with Applications, Networking Devices, Operating Systems, and Policy. The second group are technology-specific SRGs. A technology-specific SRG is a child of a Core SRG; for example, the Database SRG was derived from the requirements in the Application SRG.
The Purpose and Implementation Of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated, as appropriate, into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs), and Integrated Master Plans/Schedules (IMPs/IMSs).
CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and SSE should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management, and risk deliberations, and throughout Systems Engineering Technical Review (SETR) processes and reviews.
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.
Especially consider when a vendor or organization has used automation to allow them to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.
The Department of Defense Instruction DoDI) 8500 Series mandates the use of Security Technical Implementation Guides STIGs) and Security Requirements Guidelines SRGs)
In absence of SRGs or STIGs for a particular solution or implementation you may use National Security Agency NSA) Secure Configuration Guidelines NIST guidance or Natjonal Information Assurance Program NIAP) Protection Profiles
I Pbull ge 21 of 23 I Back Next
National Information Assurance Program
The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST).
Knowledge Review 3
The Department of Defense (DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual measurable statements referred to as (fill in the blank):
[ ] DoD Security Controls
[ ] Common Security Controls
[x] Control Correlation Identifiers
[ ] Security Controls Catalog
Check Answer
The Department of Defense (DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlation Identifiers.
Lesson Completion
You have completed the content for this lesson.
To continue, select another lesson from the Table of Contents on the left.
If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.
Risk Management Framework Step 3 Security Control Implementation
RMF Step 3 involves the process of implementing the security controls specified in the Security Plan in accordance with DoD implementation guidance found on the RMF KS.
Select each heading to view the key factors to consider when implementing security controls.
Personnel | Organization | Risk Assessment | …
Security controls are typically accepted by inheriting organizations if that organization has complied with DoD implementation guidance and assessment procedures and has met the minimum DoD enterprise-wide specific assignment values.
Each organization has the authority to be more stringent than the published DoD implementation guidance and DoD specific assignment values for individual security controls. However, the increase in stringency cannot preclude required interoperability or reciprocity.
Organizations requiring more stringency or otherwise deviating from DoD implementation guidance must document the assessment procedures used, along with justification for the deviation, in the security plan.
Common Security Controls Applied to the DoD Tiers of Risk Management
Select each tier of the Strategic risk pyramid to see how common security controls are applied
Tier 1
The DoD Chief Information Officer (CIO) identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.
DoD Information System (IS) and PIT systems are automatically compliant with Tier 1 common security controls because they implement and are satisfied by existing documented DoD level policies.
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD level policies as issued. The AO for the Tier 1 common security controls is the DoD Senior Information Security Officer (SISO).
Tier 2
The DoD Component Chief Information Officer (CIO) identifies component-specific common security controls that are satisfied by existing component policy and guidance and are applicable throughout the component. Tier 2 common security controls may be more stringent than Tier 1 common security controls, but may not negate or contradict them. Additionally, Tier 2 common security controls may not prevent interoperability or reciprocity between or among the DoD Components.
Component Information Systems (IS) and PIT systems are automatically compliant with Tier 2 common security controls because they implement and are satisfied by existing documented component policies and guidance. Risk associated with Tier 2 common security controls is assumed by the component providing the security control.
The Authorizing Official for the Tier 2 common security controls is the Component Senior Information Security Officer (SISO). Tier 2 common security controls are identified by DoD Components and should be posted to the individual DoD Component's KS workspace.
Tier 3
Within Tier 3 are Enclaves, which are a set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.
Enclaves may identify enclave-specific common security controls that are made available to Information or PIT systems that are nested within the enclave, through agreements between the enclave and the nested Information or PIT systems.
The RMF Technical Advisory Group chairman has approved amplifying guidance for Tier 3 inheritance of common controls. This may be found under the Common Controls and Inheritance tab within the RMF Knowledge Service.
Risks introduced via common security controls at Tier 3 must be documented and either accepted, mitigated, or rejected by the nested Information or PIT system Authorizing Official.
Long Description: DoD Tiers of Risk Management pyramid, with strategic risk at the top and tactical risk at the bottom: Tier 1 - Organization; Tier 2 - Mission/Business Processes; Tier 3 - IS/PIT Systems.
Tier 1 Common Security Controls for the DoD Enterprise
The following is a list of the DoD Enterprise level (Tier 1) common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD. DoD Information and PIT systems are considered to be automatically compliant with these controls.
Control Number    Control Title
AT-1              SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
AT-2              SECURITY AWARENESS TRAINING
AT-2(1)           SECURITY AWARENESS | PRACTICAL EXERCISES
AT-2(2)           SECURITY AWARENESS | INSIDER THREAT
IA-1              IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-5(14)          AUTHENTICATOR MANAGEMENT | MANAGING CONTENT OF PKI TRUST STORES
IA-5(3)           AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
IR-1              INCIDENT RESPONSE POLICY AND PROCEDURES
IR-4(3)           INCIDENT HANDLING | CONTINUITY OF OPERATIONS
MP-1              MEDIA PROTECTION POLICY AND PROCEDURES
PE-1              PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PL-1              SECURITY PLANNING POLICY AND PROCEDURES
PL-9              CENTRAL MANAGEMENT
PM-1              INFORMATION SECURITY PROGRAM PLAN
PM-10             SECURITY AUTHORIZATION PROCESS
PM-7              ENTERPRISE ARCHITECTURE
PM-9              RISK MANAGEMENT STRATEGY
PS-1              PERSONNEL SECURITY POLICY AND PROCEDURES
RA-1              RISK ASSESSMENT POLICY AND PROCEDURES
SI-1              SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
Knowledge Review 2
At which Department of Defense (DoD) Tier of risk management is risk introduced via common security controls at the enclave level that must be documented as either accepted, mitigated, or rejected risk by the nested Information System or Platform Information Technology (PIT) System Authorizing Official?
[ ] Tier 1
[ ] Tier 2
[x] Tier 3
Check Answer
Tier 3 is the DoD tier of risk management at which risk is introduced via common security controls at the enclave level that must be documented as either accepted, mitigated, or rejected risk by the nested Information System or PIT System Authorizing Official.
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation
The Security Controls Explorer found within the RMF Knowledge Service provides implementation guidance and best practices for implementing security controls. This resource is critical when implementing security controls within DoD.
Within the list for each security control, DoD has assigned specific values, implementation guidance, and assessment procedures. These can be used to manage and document the RMF process. In addition to the Knowledge Service, these procedures can be found in the DoD Enterprise Mission Assurance Support Service (eMASS).
AC-1 ACCESS CONTROL POLICY AND PROCEDURES
Control Text: The organization: a. Develops, documents, and disseminates to [all personnel]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Annually]; and 2. Access control procedures [Annually].
Users can view control details under the tabs: Supplemental Guidance, References, Security Categorization, and Implementation Guidance and Assessment Procedures.
Control Correlation Identifier (CCI)
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides specific security control information that can be applied to all US Government information systems.
However, DoD has provided amplifying guidance, requirements, and direction based on DoD policies, mandates, architectures, and environments within the RMF Knowledge Service.
The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control. CCIs bridge the gap between high-level policy expressions and low-level technical implementations. DoD has taken every security control and associated enhancements within the Security Controls Catalog and decomposed them into individual measurable statements.
CCIs:
• Do not change the meaning or intent of a security control
• Are simply a breakdown of each individual requirement within the security control
• Are given a numeric label
• Provide specific implementation guidance and assessment procedures
Control Correlation Identifiers Guidance
A Common Control Identifier gives us specific DoD guidance and procedures for implementing and assessing the security controls.
For example, when implementing IR-7 security controls, the Common Control Identifiers (CCI-000839 through CCI-000842) guide us to:
• (CCI-000839) Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents.
• (CCI-000840) Employ automated mechanisms to increase the availability of incident response-related information and support.
• (CCI-000841) Establish a direct, cooperative relationship between its incident response capability and external providers of information system protection capability.
• (CCI-000842) Identify organizational incident response team members to the external providers.
Control Correlation Identifiers Guidance Cont
At this time, DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing.
Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users.
In assessing this security control, we will identify and interview as necessary to determine if the CCIs are fulfilled. As DoD requires us to implement an automated intra-organization incident response information sharing capability, we must determine if this capability is implemented.
This implementation is intended to provide information and support such as standard operating procedures for incident reporting, incident handling frequently asked questions, current incident activity awareness information, incident response contact information, and incident report submissions.
Control Correlation Identifiers Example
[Image: Control Correlation Identifiers table for the IR-7 family, with columns Control, 800-53 Control, CCI Number, Text, and Indicator, and rows for IR-7, IR-7(1), IR-7(2), IR-7(2)(a), and IR-7(2)(b). Select the image above to progress through a Control Correlation Identifiers example.]
Long Description: A typical Control Correlation Identifiers entry is comprised of:
• Control Number: IR-7(1) is highlighted. The Incident Response Family IR-7(1) is a specific control to address Incident Response Assistance | Automation Support For Availability Of Information Support.
• CCI label: the control is given a CCI number, 000840.
• CCI definition: the CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog. For IR-7(1): "The organization employs automated mechanisms to increase the availability of incident response-related information and support."
• Guidance: for each measurable statement, DoD provides guidance and procedures. This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website, or conversely the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
DoD-specific guidance and procedures shown in the table for CCI-000840:
Implementation guidance: The organization being inspected/assessed will implement an automated intra-organization incident response information sharing capability that provides incident-related information and support, for example: 1. SOP for incident reporting; 2. Incident handling FAQ; 3. Current incident activity awareness information; 4. Incident response contact information; 5. Incident report submission.
Assessment procedure: The organization conducting the inspection/assessment obtains and examines the incident response information sharing capability to validate that the information sharing capability is available to organizational users.
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.
We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs) Cont
When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.
SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.
The first group are four Core SRGs, which deal with Applications, Networking Devices, Operating Systems, and Policy. The second group are technology-specific SRGs. A technology-specific SRG is a child of a Core SRG; for example, the Database SRG was derived from the requirements in the Application SRG.
The Purpose and Implementation Of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated, as appropriate, into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs), and Integrated Master Plans/Schedules (IMPs/IMSs).
CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and SSE should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management, risk deliberations, and throughout Systems Engineering Technical Review (SETR) processes and reviews.
I Page20of 23 I Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls organizations should reference other relevant documentation This could include but is not limited to configuration of solutions to meet security control and control correlation identifier requirements from product vendors or o ther organizations that have employed the same or similar Information or PIT systems
Especially consider when a vendor or organization has used automation to allow them to maximize communica tions and increase the overall efficiency and cost effectiveness of their security control implementation
Common Security Controls Applied to the DoD Tiers of Risk Management
Select each tier of the Strategic risk pyramid to see how common security controls are applied.
Long Description: The DoD Tiers of Risk Management are shown as a pyramid, with Strategic Risk at the top and Tactical Risk at the bottom: Tier 1 - Organization; Tier 2 - Mission/Business Processes; Tier 3 - IS/PIT Systems.
Tier 1
The DoD Chief Information Officer (CIO) identifies common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD.
DoD Information System (IS) and PIT systems are automatically compliant with Tier 1 common security controls because they implement and are satisfied by existing documented DoD-level policies.
Risk associated with Tier 1 common security controls is assumed by the DoD Components collectively through their concurrence with the DoD-level policies as issued. The AO for the Tier 1 common security controls is the DoD Senior Information Security Officer (SISO).
Tier 2
The DoD Component Chief Information Officer (CIO) identifies component-specific common security controls that are satisfied by existing component policy and guidance and are applicable throughout the component. Tier 2 common security controls may be more stringent than Tier 1 common security controls but may not negate or contradict them. Additionally, Tier 2 common security controls may not prevent interoperability or reciprocity between or among the DoD Components.
Component Information Systems (IS) and PIT systems are automatically compliant with Tier 2 common security controls because they implement and are satisfied by existing documented component policies and guidance. Risk associated with Tier 2 common security controls is assumed by the component providing the security control.
The Authorizing Official for the Tier 2 common security controls is the Component Senior Information Security Officer (SISO). Tier 2 common security controls are identified by DoD Components and should be posted to the individual DoD Component's KS workspace.
Tier 3
Within Tier 3 are Enclaves, which are a set of system resources that operate in the same security domain and that share the protection of a single common continuous security perimeter.
Enclaves may identify enclave-specific common security controls that are made available to Information or PIT systems that are nested within the enclave through agreements between the enclave and the nested Information or PIT systems.
The RMF Technical Advisory Group chairman has approved amplifying guidance for Tier 3 inheritance of common controls. This may be found under the Common Controls and Inheritance tab within the RMF Knowledge Service.
Risks introduced via common security controls at Tier 3 must be documented and either accepted, mitigated, or rejected by the nested Information or PIT system Authorizing Official.
Tier 1 Common Security Controls for the DoD Enterprise
The following is a list of the DoD Enterprise-level (Tier 1) common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD. DoD Information and PIT systems are considered to be automatically compliant with these controls.
Control Number   Control Title
AT-1             SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
AT-2             SECURITY AWARENESS TRAINING
AT-2(1)          SECURITY AWARENESS | PRACTICAL EXERCISES
AT-2(2)          SECURITY AWARENESS | INSIDER THREAT
IA-1             IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-5(14)         AUTHENTICATOR MANAGEMENT | MANAGING CONTENT OF PKI TRUST STORES
IA-5(3)          AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
IR-1             INCIDENT RESPONSE POLICY AND PROCEDURES
IR-4(3)          INCIDENT HANDLING | CONTINUITY OF OPERATIONS
MP-1             MEDIA PROTECTION POLICY AND PROCEDURES
PE-1             PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PL-1             SECURITY PLANNING POLICY AND PROCEDURES
PL-9             CENTRAL MANAGEMENT
PM-1             INFORMATION SECURITY PROGRAM PLAN
PM-10            SECURITY AUTHORIZATION PROCESS
PM-7             ENTERPRISE ARCHITECTURE
PM-9             RISK MANAGEMENT STRATEGY
PS-1             PERSONNEL SECURITY POLICY AND PROCEDURES
RA-1             RISK ASSESSMENT POLICY AND PROCEDURES
SI-1             SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
Knowledge Review 2
At which Department of Defense (DoD) Tier of risk management is risk introduced via common security controls at the enclave level that must be documented as either accepted, mitigated, or rejected risk by the nested Information System or Platform Information Technology (PIT) System Authorizing Official?
• Tier 1
• Tier 2
• Tier 3
Check Answer
Tier 3 is the DoD tier of risk management at which risk is introduced via common security controls at the enclave level that must be documented as either accepted, mitigated, or rejected risk by the nested Information System or PIT System Authorizing Official.
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation
The Security Controls Explorer found within the RMF Knowledge Service provides implementation guidance and best practices for implementing security controls. This resource is critical when implementing security controls within DoD.
Within the list for each security control, DoD has assigned specific values, implementation guidance, and assessment procedures. These can be used to manage and document the RMF process. In addition to the Knowledge Service, these procedures can be found in the DoD Enterprise Mission Assurance Support Service (eMASS).
Long Description: A Security Controls Explorer entry for AC-1, Access Control Policy and Procedures. Users can view control details under the following headings:
• Control Text: The organization: a. Develops, documents, and disseminates to [all personnel]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Annually]; and 2. Access control procedures [Annually].
• Supplemental Guidance
• References
• Security Categorization
• Implementation Guidance and Assessment Procedures
Control Correlation Identifier (CCI)
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides specific security control information that can be applied to all US Government information systems.
However, DoD has provided amplifying guidance, requirements, and direction based on DoD policies, mandates, architectures, and environments within the RMF Knowledge Service.
The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control. CCIs bridge the gap between high-level policy expressions and low-level technical implementations. DoD has taken every security control and associated enhancements within the Security Controls Catalog and decomposed them into individual measurable statements.
CCIs:
• Do not change the meaning or intent of a security control
• Are simply a breakdown of each individual requirement within the security control
• Are given a numeric label
• Provide specific implementation guidance and assessment procedures
Control Correlation Identifiers Guidance
A Common Control Identifier gives us specific DoD guidance and procedures for implementing and assessing the security controls.
For example, when implementing IR-7 security controls, the Common Control Identifiers (CCI-000839 through CCI-000842) guide us to:
• (CCI-000839) Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents
• (CCI-000840) Employ automated mechanisms to increase the availability of incident response-related information and support
• (CCI-000841) Establish a direct, cooperative relationship between its incident response capability and external providers of information system protection capability
• (CCI-000842) Identify organizational incident response team members to the external providers
Control Correlation Identifiers Guidance Cont.
At this time, DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing.
Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users.
In assessing this security control, we will identify and interview as necessary to determine if the CCIs are fulfilled. As DoD requires us to implement an automated intra-organization incident response information sharing capability, we must determine if this capability is implemented.
This implementation is intended to provide information and support such as standard operating procedures for incident reporting, incident handling frequently asked questions, current incident activity awareness information, incident response contact information, and incident report submissions.
Control Correlation Identifiers Example
[Image: a Control Correlation Identifier table for the IR-7 family (columns: Control, 800-53 Control, CCI Number, Text, Indicator), listing the CCIs for IR-7, IR-7(1), IR-7(2)(a), and IR-7(2)(b). Select the image to progress through the example; each step highlights one element of the entry.]
The legible portion of the IR-7(1) row reads:
• Control text: The organization employs automated mechanisms to increase the availability of incident response-related information and support.
• Implementation guidance: The organization being inspected/assessed will implement an automated intra-organization incident response information sharing capability, incident-related information, and support, for example: 1. SOP for incident reporting; 2. Incident handling FAQ; 3. Current incident activity awareness information; 4. Incident response contact information; 5. Incident report submission.
• Assessment procedure: The organization conducting the inspection/assessment obtains and examines the incident response information sharing capability to validate the information sharing capability is available to organizational users.
Long Description
A typical Control Correlation Identifiers entry is comprised of:
• Control Number (IR-7(1) is highlighted): The Incident Response Family IR-7(1) is a specific control to address Incident Response Assistance | Automation Support For Availability Of Information / Support.
• CCI label (highlighted): The control is given a CCI number, 000840.
• CCI definition (highlighted): The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog.
• Guidance (highlighted): DoD provides guidance and procedures. This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website, or conversely the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.
We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs) Cont.
When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.
SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.
The first group is the four Core SRGs, which deal with Applications, Networking Devices, Operating Systems, and Policy. The second group is the technology-specific SRGs. A technology-specific SRG is a child of a Core SRG; for example, the Database SRG was derived from the requirements in the Application SRG.
The Purpose and Implementation Of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated, as appropriate, into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs), and Integrated Master Plans/Schedules (IMPs/IMSs).
CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and SSE should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management, and risk deliberations, and throughout Systems Engineering Technical Review (SETR) processes and reviews.
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.
Especially consider when a vendor or organization has used automation to allow them to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.
The Department of Defense Instruction (DoDI) 8500 Series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guidelines (SRGs).
In absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance, or National Information Assurance Program (NIAP) Protection Profiles.
National Information Assurance Program: The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers that is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST). For more information, please visit the NIAP website.
Knowledge Review 3
The Department of Defense (DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual measurable statements referred to as: (Fill in the blank)
• DoD Security Controls
• Common Security Controls
• Control Correlation Identifiers
• Security Controls Catalog
Check Answer
The Department of Defense (DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlation Identifiers.
Lesson Completion
You have completed the content for this lesson.
To continue, select another lesson from the Table of Contents on the left.
If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Common Security Controls Applied to the DoD Tiers of Risk Management
Select each t ier of t he Strategic risk pyramid to see how common securit y cont rols are applied
STRATEGIC RISK
Tier I
The DoD Chief In formation Officer (CIO) identifies common securi ty controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD
DoD In formation System ( IS) and PIT systems are automatically compliant with Tier I common securi ty controls because they implement and are satisfied by existing documented DoD level policies
Risk associated with Tier I common securi ty controls is assumed by the DoD Components collec tively through their concurrence with the DoD level policies as issued The AO for the Tier I common securi ty controls is the DoD Senior In formation Securi ty Officer (SISO)
Tier 2

The DoD Component Chief Information Officer (CIO) identifies component-specific common security controls that are satisfied by existing component policy and guidance and are applicable throughout the component. Tier 2 common security controls may be more stringent than Tier 1 common security controls but may not negate or contradict them. Additionally, Tier 2 common security controls may not prevent interoperability or reciprocity between or among the DoD Components.

Component Information Systems (IS) and PIT systems are automatically compliant with Tier 2 common security controls because they implement, and are satisfied by, existing documented component policies and guidance. Risk associated with Tier 2 common security controls is assumed by the component providing the security control.

The Authorizing Official for the Tier 2 common security controls is the Component Senior Information Security Officer (SISO). Tier 2 common security controls are identified by DoD Components and should be posted to the individual DoD Component's KS workspace.
Tier 3
Within Tier 3 are Enclaves which are a set of system resources that operate in the same security domain and that share the protection of a single common continuous security perimeter
Enclaves may identify enclave-specific common security controls that are made available to Information or PIT systems that are nested within the enclave through agreements between the enclave and the nested Information or PIT systems
The RMF Technical Advisory Group chairman has approved amplifying guidance for Tier 3 inheritance of common controls This may be found under the Common Controls and Inheritance tab within the RMF Knowledge Service
Risks introduced via common security controls at Tier 3 must be documented and either accepted mitigated or rejected by the nested Information or PIT system Authorizing Official
[Figure: DoD Tiers of Risk Management pyramid, from strategic risk at the top to tactical risk at the bottom. Tier 1 - Organization; Tier 2 - Mission/Business Processes; Tier 3 - IS/PIT Systems.]
Tier 1 Common Security Controls for the DoD Enterprise

The following is a list of the DoD Enterprise-level (Tier 1) common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD. DoD Information and PIT systems are considered to be automatically compliant with these controls.

Control Number   Control Title
AT-1             Security Awareness and Training Policy and Procedures
AT-2             Security Awareness Training
AT-2(1)          Security Awareness | Practical Exercises
AT-2(2)          Security Awareness | Insider Threat
IA-1             Identification and Authentication Policy and Procedures
IA-5(3)          Authenticator Management | In-Person or Trusted Third-Party Registration
IA-5(14)         Authenticator Management | Managing Content of PKI Trust Stores
IR-1             Incident Response Policy and Procedures
IR-4(3)          Incident Handling | Continuity of Operations
MP-1             Media Protection Policy and Procedures
PE-1             Physical and Environmental Protection Policy and Procedures
PL-1             Security Planning Policy and Procedures
PL-9             Central Management
PM-1             Information Security Program Plan
PM-7             Enterprise Architecture
PM-9             Risk Management Strategy
PM-10            Security Authorization Process
PS-1             Personnel Security Policy and Procedures
RA-1             Risk Assessment Policy and Procedures
SI-1             System and Information Integrity Policy and Procedures
Knowledge Review 2

At which Department of Defense (DoD) Tier of risk management is risk introduced via common security controls at the enclave level, which must be documented as either accepted, mitigated or rejected risk by the nested Information System or Platform Information Technology (PIT) System Authorizing Official?

• Tier 1
• Tier 2
• Tier 3 (correct)

Answer: Tier 3 is the DoD tier of risk management at which risk is introduced via common security controls at the enclave level that must be documented as either accepted, mitigated or rejected risk by the nested Information System or PIT System Authorizing Official.
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation

The Security Controls Explorer found within the RMF Knowledge Service provides implementation guidance and best practices for implementing security controls. This resource is critical when implementing security controls within DoD.

Within the list for each security control, DoD has assigned specific values, implementation guidance and assessment procedures. These can be used to manage and document the RMF process. In addition to the Knowledge Service, these procedures can be found in the DoD Enterprise Mission Assurance Support Service (eMASS).

Long Description: Users can view control details. The Security Control Explorer entry for AC-1, Access Control Policy and Procedures, shows:

• Control Text: The organization: a. Develops, documents, and disseminates to [all personnel]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Annually]; and 2. Access control procedures [Annually].
• Supplemental Guidance
• References
• Security Categorization
• Implementation Guidance and Assessment Procedures
Control Correlation Identifier (CCI)

The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides specific security control information that can be applied to all US Government information systems.

However, DoD has provided amplifying guidance, requirements and direction based on DoD policies, mandates, architectures and environments within the RMF Knowledge Service.

The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control. CCIs bridge the gap between high-level policy expressions and low-level technical implementations. DoD has taken every security control and associated enhancement within the Security Controls Catalog and decomposed them into individual measurable statements.

CCIs:

• Do not change the meaning or intent of a security control
• Are simply a breakdown of each individual requirement within the security control
• Are given a numeric label
• Provide specific implementation guidance and assessment procedures
Control Correlation Identifiers Guidance

A Control Correlation Identifier gives us specific DoD guidance and procedures for implementing and assessing the security controls.

For example, when implementing the IR-7 security controls, the Control Correlation Identifiers CCI-000839 through CCI-000842 guide us to:

• (CCI-000839, IR-7) Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents
• (CCI-000840, IR-7(1)) Employ automated mechanisms to increase the availability of incident response-related information and support
• (CCI-000841, IR-7(2)(a)) Establish a direct, cooperative relationship between its incident response capability and external providers of information system protection capability
• (CCI-000842, IR-7(2)(b)) Identify organizational incident response team members to the external providers
Control Correlation Identifiers Guidance, Cont.

At this time DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing.

Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users.

In assessing this security control we will identify and interview as necessary to determine if the CCIs are fulfilled. As DoD requires us to implement an automated intra-organization incident response information sharing capability, we must determine if this capability is implemented.

This implementation is intended to provide information and support such as standard operating procedures for incident reporting, incident handling frequently asked questions, current incident activity awareness information, incident response contact information, and incident report submissions.
Control Correlation Identifiers Example

[Figure: Control Correlation Identifier table for the Incident Response Assistance control IR-7, stepped through by selecting the image. Columns: Control Number, 800-53 Control, CCI Number, CCI Text, and the DoD Implementation Guidance and Assessment Procedures. Rows: IR-7 (CCI-000839), IR-7 (1) (CCI-000840), IR-7 (2) (a) (CCI-000841) and IR-7 (2) (b) (CCI-000842).]

Long Description: A typical Control Correlation Identifiers entry is comprised of:

• Control Number: IR-7 (1) is highlighted. The Incident Response Family IR-7 (1) is a specific control to address Incident Response Assistance | Automation Support For Availability Of Information Support.
• CCI label: The control is given a CCI number, CCI-000840.
• CCI definition: The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog: "The organization employs automated mechanisms to increase the availability of incident response-related information and support."
• Guidance: DoD provides guidance and procedures. This supplemental guidance reflecting automated mechanisms can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website, or conversely the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.

The DoD-specific guidance and procedures shown for CCI-000840 read:

Implementation guidance: The organization being inspected/assessed will implement an automated intra-organization incident response information sharing capability. Incident-related information and support include, for example: 1. SOP for incident reporting; 2. Incident handling FAQ; 3. Current incident activity awareness information; 4. Incident response contact information; 5. Incident report submission.

Assessment procedure: The organization conducting the inspection/assessment obtains and examines the incident response information sharing capability to validate that the information sharing capability is available to organizational users.

For IR-7 (2) (a) and IR-7 (2) (b) (CCI-000841 and CCI-000842), the external provider of information system protection capability is the organization's Computer Network Defense Service Provider (CNDSP); the organization conducting the inspection/assessment obtains and examines the list of internal incident response team members provided to the CNDSP, and interviews as necessary, to validate that it is accurate and current.
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs)

CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.

We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.
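The mapping described above, from a STIG rule through its CCI to the NIST SP 800-53 control it traces back to, is mechanical enough to script, and scripting it is how a practitioner checks that every applicable STIG finding lands on a control in the Security Plan. The following Python is an added example written for this lesson; it is not DoD, DISA or RMF Knowledge Service code. Its two XML excerpts are constructed: they follow the general shape of the DISA CCI list (cci_item elements whose NIST reference carries an 800-53 index such as "IR-7 (1)") and of an XCCDF STIG benchmark (Rule elements carrying CCI idents), but the namespaces and element names are assumptions to verify against the files actually downloaded from DISA, and the rule identifiers, titles and CCI-999999 are invented. The four IR-7 CCIs and their definitions match the ones on this page.

```python
"""Trace STIG rule -> CCI -> NIST SP 800-53 control (added example, not DoD/DISA code).
Both XML excerpts are constructed and only follow the general shape of the DISA CCI
list and of an XCCDF STIG benchmark; namespaces, element names, rule ids and
CCI-999999 are assumptions, not copied from a published STIG."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

CCI_NS = "http://iase.disa.mil/cci"                # assumed CCI list namespace
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"  # XCCDF 1.2 namespace
CCI_ID = re.compile(r"^CCI-\d{6}$")
# Constructed CCI list excerpt: the four IR-7 CCIs and definitions given in the lesson.
CCI_LIST_XML = """<cci_list xmlns="http://iase.disa.mil/cci"><cci_items>
<cci_item id="CCI-000839"><definition>The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents.</definition>
<references><reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" index="IR-7"/></references></cci_item>
<cci_item id="CCI-000840"><definition>The organization employs automated mechanisms to increase the availability of incident response-related information and support.</definition>
<references><reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" index="IR-7 (1)"/></references></cci_item>
<cci_item id="CCI-000841"><definition>The organization establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability.</definition>
<references><reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" index="IR-7 (2) (a)"/></references></cci_item>
<cci_item id="CCI-000842"><definition>The organization identifies organizational incident response team members to the external providers.</definition>
<references><reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" index="IR-7 (2) (b)"/></references></cci_item>
</cci_items></cci_list>"""
# Constructed STIG benchmark excerpt with hypothetical rule ids and titles.
STIG_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
<Group id="V-EXAMPLE-1"><Rule id="SV-EXAMPLE-000001_rule" severity="medium">
<title>Incident reporting procedures and contacts must be published to users.</title>
<ident system="http://cyber.mil/cci">CCI-000839</ident>
<ident system="http://cyber.mil/cci">CCI-000840</ident></Rule></Group>
<Group id="V-EXAMPLE-2"><Rule id="SV-EXAMPLE-000002_rule" severity="low">
<title>The agreement with the external defense service provider must be documented.</title>
<ident system="http://cyber.mil/cci">CCI-000841</ident>
<ident system="http://cyber.mil/cci">CCI-999999</ident></Rule></Group>
<Group id="V-EXAMPLE-3"><Rule id="SV-EXAMPLE-000003_rule" severity="low">
<title>A rule that cites no CCI at all.</title></Rule></Group>
</Benchmark>"""

@dataclass
class Cci:
    cci_id: str
    definition: str
    indexes: list  # 800-53 indexes as written in the CCI list, e.g. "IR-7 (2) (a)"

@dataclass
class StigRule:
    rule_id: str
    title: str
    ccis: list

def parse_cci_list(xml_text):
    """Return {cci_id: Cci} for every cci_item in a CCI list document."""
    ns = {"c": CCI_NS}
    out = {}
    for item in ET.fromstring(xml_text).findall(".//c:cci_item", ns):
        indexes = [r.get("index") for r in item.findall("c:references/c:reference", ns)
                   if r.get("creator") == "NIST"]
        definition = item.findtext("c:definition", default="", namespaces=ns).strip()
        out[item.get("id")] = Cci(item.get("id"), definition, indexes)
    return out

def parse_stig_rules(xml_text):
    """Return every Rule in an XCCDF benchmark with the CCIs its idents cite."""
    ns = {"x": XCCDF_NS}
    rules = []
    for rule in ET.fromstring(xml_text).iter(f"{{{XCCDF_NS}}}Rule"):
        ccis = [i.text.strip() for i in rule.findall("x:ident", ns)
                if i.text and CCI_ID.match(i.text.strip())]
        title = rule.findtext("x:title", default="", namespaces=ns).strip()
        rules.append(StigRule(rule.get("id"), title, ccis))
    return rules

def control_key(index):
    """Collapse an 800-53 index to its control or enhancement:
    'IR-7 (2) (a)' -> 'IR-7(2)', 'IR-7' -> 'IR-7', 'AC-1 a 1' -> 'AC-1'."""
    m = re.match(r"^([A-Z]{2}-\d+)(?:\s*\((\d+)\))?", index.strip())
    if not m:
        raise ValueError(f"unrecognised 800-53 index: {index!r}")
    return m.group(1) + (f"({m.group(2)})" if m.group(2) else "")

def trace(rules, ccis):
    """Map control/enhancement -> sorted STIG rule ids, plus rules with no traceability
    (no CCI ident, or an ident absent from the CCI list: a typo or an outdated list)."""
    by_control, unmapped = {}, {}
    for rule in rules:
        if not rule.ccis:
            unmapped[rule.rule_id] = []
        for cci_id in rule.ccis:
            cci = ccis.get(cci_id)
            if cci is None:
                unmapped.setdefault(rule.rule_id, []).append(cci_id)
                continue
            for index in cci.indexes:
                by_control.setdefault(control_key(index), set()).add(rule.rule_id)
    return {k: sorted(v) for k, v in sorted(by_control.items())}, unmapped

if __name__ == "__main__":
    controls, gaps = trace(parse_stig_rules(STIG_XML), parse_cci_list(CCI_LIST_XML))
    for control, rule_ids in controls.items():
        print(f"{control:9} <- {', '.join(rule_ids)}")
    for rule_id, bad in gaps.items():
        print(f"NO TRACEABILITY: {rule_id} {bad or '(no CCI ident)'}")
```

Run as a script it prints one line per control listing the STIG rules that assess it, then flags the rules that give no traceability: a rule with no CCI ident, or one citing a CCI the list does not contain (a typo in the benchmark or an outdated CCI list), which is the case the second constructed rule exercises. The same traversal in the other direction, from a CCI to the STIG rules that cite it, is what an assessor needs when an RMF control is marked non-compliant and wants the specific findings behind it.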
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs), Cont.

When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.

SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.

SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.

The first group are the four Core SRGs, which deal with Applications, Networking Devices, Operating Systems and Policy. The second group are technology-specific SRGs. A technology-specific SRG is a child of a Core SRG; for example, the Database SRG was derived from the requirements in the Application SRG.
The Purpose and Implementation of Control Correlation Identifiers

As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated, as appropriate, into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs) and Integrated Master Plans/Schedules (IMPs/IMSs).

CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.

To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and the Systems Security Engineer (SSE) should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management and risk deliberations, and throughout Systems Engineering Technical Review (SETR) processes and reviews.
Additional Security Control Implementation Guidance

In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.

Especially consider when a vendor or organization has used automation to allow them to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.

The Department of Defense Instruction (DoDI) 8500 Series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs).

In the absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance, or National Information Assurance Partnership (NIAP) Protection Profiles.
I Pbull ge 21 of 23 I Back Next
ISA220 Risk Management Framework for Practitione rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Additional Security Control Implementation Guidance
Jn addition to using the RMF Knowledge Service to assist you in implementing security controls organizations should reference other relevant documentation This could include but is no t limited to configuration o f solutions to meet security control and control correla tion identi fier requiremen ts from product vendors or o ther organizations that have employed the same or similar Jnformation or PIT systems
Especially consider when a vendor or organization has used automation to allow them to~-llilliwimiddot~----------------------bull communications and increase theand cost effectiv eness of their se National Information Assurance Program implementation The National In formation Assurance Partnership NIAP) is a
United States government initiative to meet the securityThe Department of Defense Instn testing needs of both information technology consumers andSeries mandates the use of Secur producers that is operated by the National Security AgencyImplementation Guides STJGs) ar NSA) and was originally a joint effort between NSA andRequirements Guidelines SRGs) the National Institute of Standards and Technology NIST)
Jn absence of SRGs or STJGs for lt For more information please visit or implementation you may use N f fm Agency (NSA) Secure Configuratimiddot ttos w nia ic v rolRh Cih l lww o-ic ie smiddoto e IW atisN AIPCESmiddotcmiddotI guidance or National Information Assurance Program NIAP) Protection Profiles
-41111111 I Page 21 of 23 Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Knowledge Review 3
The Department of Defense DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology NJST) Special Publication (SP) 800- 53 and decomposed them into individual measurable statements referred to as (Fill in the blank)
DoD Security Controls
LJ Common Security Con trols
~ Control Correlation Identifiers
Security Controls catalog
Check Answ er
The Department of Defense DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlatio n I de nt ifiers
I Pbull ge 22 of 23 I Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Lesson Completion
You have completed the content for this lesson
To continue select another lesson from the Table o f Contents on the left
If you have closed or hidden the Table of Contents click the Show TOC button at the top in the Atlas navigation bar
I Pbull ge23of23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Common Security Controls Applied to the DoD Tiers of Risk Management
Select each t ier of t he Strategic risk pyramid to see how common securit y cont rols are applied
STRATEGIC RISK
Tier2
The DoD Component Chief In formation Officer (CIO) identifies component-specific common securi ty controls that are satisfied by existing component policy and guidance and are applicable throughout the component Tier 2 common securi ty controls may be more stringent than Tier I common securi ty controls but may not negate or contradic t them Additionally Tier 2 common securi ty controls may not prevent interoperabili ty or reciprocity between or among the DoD Components
Component In formation Systems (IS) and PIT systems are automatically compliant with Tier 2 common securi ty controls because they implement and are satisfied by existing documented component policies and guidance Risk associated with Tier 2 common securi ty controls is assumed by the component providing the securi ty control
The Authorizing Official for the Tier 2 common securi ty controls is the Component Senior In formation Securi ty Officer (SISO) Tier 2 common securi ty controls are identified by DoD Components and should be posted to the individual DoD Components KS workspace
I Page 10of 23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Common Security Controls Applied to the DoD Tiers of Risk Management
Select each t ier of t he Strategic risk pyramid to see how common securit y cont rols are applied
STRATEGIC RISK
Tier3
Within Tier 3 are enclaves: a set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.
Enclaves may identify enclave-specific common security controls that are made available to Information or PIT systems nested within the enclave, through agreements between the enclave and the nested Information or PIT systems.
The RMF Technical Advisory Group chairman has approved amplifying guidance for Tier 3 inheritance of common controls. It may be found under the Common Controls and Inheritance tab within the RMF Knowledge Service.
Risks introduced via common security controls at Tier 3 must be documented and either accepted, mitigated, or rejected by the nested Information or PIT system's Authorizing Official. This differs from Tier 2, where the risk is assumed by the component providing the control: at Tier 3 the risk decision stays with the inheriting system's Authorizing Official.
DoD Tiers of Risk Management (the pyramid runs from strategic risk at the top to tactical risk at the bottom):
- Tier 1: Organization
- Tier 2: Mission/Business Processes
- Tier 3: Information Systems (IS) and PIT Systems
Tier 1 Common Security Controls for the DoD Enterprise
The following is a list of the DoD Enterprise-level (Tier 1) common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD. DoD Information and PIT systems are considered to be automatically compliant with these controls.

Control Number   Control Title
AT-1             Security Awareness and Training Policy and Procedures
AT-2             Security Awareness Training
AT-2(1)          Security Awareness | Practical Exercises
AT-2(2)          Security Awareness | Insider Threat
IA-1             Identification and Authentication Policy and Procedures
IA-5(14)         Authenticator Management | Managing Content of PKI Trust Stores
IA-5(3)          Authenticator Management | In-Person or Trusted Third-Party Registration
IR-1             Incident Response Policy and Procedures
IR-4(3)          Incident Handling | Continuity of Operations
MP-1             Media Protection Policy and Procedures
PE-1             Physical and Environmental Protection Policy and Procedures
PL-1             Security Planning Policy and Procedures
PL-9             Central Management
PM-1             Information Security Program Plan
PM-10            Security Authorization Process
PM-7             Enterprise Architecture
PM-9             Risk Management Strategy
PS-1             Personnel Security Policy and Procedures
RA-1             Risk Assessment Policy and Procedures
SI-1             System and Information Integrity Policy and Procedures
Knowledge Review 2
At which Department of Defense (DoD) tier of risk management is risk introduced via common security controls at the enclave level, which must be documented as either accepted, mitigated, or rejected risk by the nested Information System or Platform Information Technology (PIT) System Authorizing Official?
- Tier 1
- Tier 2
- Tier 3
Answer: Tier 3 is the DoD tier of risk management at which risk is introduced via common security controls at the enclave level; that risk must be documented as accepted, mitigated, or rejected by the nested Information System or PIT System Authorizing Official.
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation
The Security Controls Explorer, found within the RMF Knowledge Service, provides implementation guidance and best practices for implementing security controls. This resource is critical when implementing security controls within DoD.
For each security control in the list, DoD has assigned specific values for the control's organization-defined parameters, implementation guidance, and assessment procedures. These can be used to manage and document the RMF process. In addition to the Knowledge Service, these procedures can be found in the DoD Enterprise Mission Assurance Support Service (eMASS).
Example entry: AC-1 Access Control Policy and Procedures
- Control Text: The organization: a. Develops, documents, and disseminates to [all personnel]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [annually]; and 2. Access control procedures [annually].
- Supplemental Guidance
- References
- Security Categorization
- Implementation Guidance and Assessment Procedures
Users can view the control details under each of these tabs. The bracketed values ([all personnel], [annually]) are the DoD-assigned values for the control's organization-defined parameters, which the system's implementation must satisfy.
Control Correlation Identifier (CCI)
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides specific security control information that can be applied to all US Government information systems.
However, DoD has provided amplifying guidance, requirements, and direction based on DoD policies, mandates, architectures, and environments within the RMF Knowledge Service.
The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control. CCIs bridge the gap between high-level policy expressions and low-level technical implementations. DoD has taken every security control and associated enhancement within the Security Controls Catalog and decomposed them into individual, measurable statements.
CCIs:
- Do not change the meaning or intent of a security control
- Are simply a breakdown of each individual requirement within the security control
- Are given a numeric label
- Provide specific implementation guidance and assessment procedures
Control Correlation Identifiers Guidance
A Control Correlation Identifier gives us specific DoD guidance and procedures for implementing and assessing the security controls.
For example, when implementing the IR-7 security controls, the Control Correlation Identifiers CCI-000839 through CCI-000842 guide us to:
- (CCI-000839) Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents
- (CCI-000840) Employ automated mechanisms to increase the availability of incident response-related information and support
- (CCI-000841) Establish a direct, cooperative relationship between its incident response capability and external providers of information system protection capability
- (CCI-000842) Identify organizational incident response team members to the external providers
Control Correlation Identifiers Guidance (Cont.)
At this time, DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing.
Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users.
In assessing this security control, we will identify and interview as necessary to determine if the CCIs are fulfilled. As DoD requires us to implement an automated intra-organization incident response information sharing capability, we must determine if this capability is implemented.
This implementation is intended to provide information and support such as standard operating procedures for incident reporting, incident handling frequently asked questions, current incident activity awareness information, incident response contact information, and incident report submissions.
Control Correlation Identifiers Example
The Knowledge Service presents the IR-7 CCIs as a table. Each row pairs a control or enhancement (IR-7, IR-7(1), IR-7(2)(a), IR-7(2)(b)) with its NIST SP 800-53 control index, its CCI number (CCI-000839 through CCI-000842), the CCI definition, DoD implementation guidance, and the assessment procedure. Stepping through the IR-7(1) row, a typical Control Correlation Identifier entry is comprised of:
- Control Number: IR-7(1) is highlighted. The Incident Response family control IR-7(1) addresses Incident Response Assistance | Automation Support for Availability of Information/Support.
- CCI label: the control is given CCI number 000840.
- CCI definition: "The organization employs automated mechanisms to increase the availability of incident response-related information and support." The CCI definition is the same as the control definition in NIST SP 800-53 and within the Security Controls Catalog.
- Guidance: DoD provides guidance and procedures. This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website, or conversely the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
- Implementation guidance: The organization being inspected/assessed will implement an automated intra-organization incident response information sharing capability providing incident-related information and support, for example: 1. SOP for incident reporting; 2. Incident handling FAQ; 3. Current incident activity awareness information; 4. Incident response contact information; 5. Incident report submission.
- Assessment procedure: The organization conducting the inspection/assessment obtains and examines the incident response information sharing capability to validate that the information sharing capability is available to organizational users.
The rows for CCI-000841 and CCI-000842 (IR-7(2)(a) and (b)) follow the same pattern, with the external provider being the organization's Computer Network Defense Service Provider (CNDSP): for CCI-000842 the assessor obtains and examines the list of internal incident response team members provided to the CNDSP, interviewing as necessary, to validate that it is accurate and current.
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.
We can use that initial list to establish a list of applicable STIGs for the Information or PIT system. STIG rules reference the CCIs they satisfy, so a STIG finding can be traced to its CCI and from there to the NIST SP 800-53 control it implements.
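The correlation this describes can be automated from DISA's published artifacts: the CCI list is an XML file in which each cci_item carries a definition and the NIST SP 800-53 index it decomposes, and STIG rules and SCAP results carry the CCI numbers they satisfy as ident elements. The following Python script is an added example written for this page, not code from the ISA220 lesson or the Knowledge Service. It parses a constructed CCI list fragment and a constructed XCCDF-style TestResult (the element and attribute names follow those DISA formats as this example assumes them; the rule identifiers are placeholders and the CCI definitions are paraphrased, while the four CCI numbers and their IR-7 indexes are the ones this lesson cites), then groups each rule's pass/fail result by CCI and by the base 800-53 control, and reports any CCI ident the list does not know, which is the check to run when a STIG is newer than the CCI list in use.

```python
"""Roll STIG/SCAP rule results up to NIST SP 800-53 controls through CCIs."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed CCI list fragment. Element and attribute names follow the layout
# of DISA's published U_CCI_List.xml as this example assumes it; the CCI
# numbers and IR-7 indexes are the ones cited in the lesson, the definitions
# are paraphrased.
CCI_LIST_XML = """<cci_list xmlns="http://iase.disa.mil/cci"><cci_items>
<cci_item id="CCI-000839"><definition>The organization provides an incident response support resource that offers advice and assistance to users for handling and reporting security incidents.</definition>
<references><reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" index="IR-7"/></references></cci_item>
<cci_item id="CCI-000840"><definition>The organization employs automated mechanisms to increase the availability of incident response-related information and support.</definition>
<references><reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" index="IR-7 (1)"/></references></cci_item>
<cci_item id="CCI-000841"><definition>The organization establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability.</definition>
<references><reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" index="IR-7 (2) (a)"/></references></cci_item>
<cci_item id="CCI-000842"><definition>The organization identifies organizational incident response team members to the external providers.</definition>
<references><reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" index="IR-7 (2) (b)"/></references></cci_item>
</cci_items></cci_list>"""

# Constructed XCCDF-style TestResult. Rule ids are placeholders; each
# rule-result carries the CCI idents a STIG rule references. CCI-000001 is
# deliberately absent from the constructed list so the unmapped path is hit.
XCCDF_RESULTS_XML = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="example">
<rule-result idref="SV-EXAMPLE-1_rule"><result>fail</result>
  <ident system="http://cyber.mil/cci">CCI-000840</ident></rule-result>
<rule-result idref="SV-EXAMPLE-2_rule"><result>pass</result>
  <ident system="http://cyber.mil/cci">CCI-000841</ident>
  <ident system="http://cyber.mil/cci">CCI-000842</ident></rule-result>
<rule-result idref="SV-EXAMPLE-3_rule"><result>notapplicable</result>
  <ident system="http://cyber.mil/cci">CCI-000001</ident></rule-result>
</TestResult>"""


def _local(tag):
    """Drop the namespace so the parser tolerates whichever namespace URI a file uses."""
    return tag.rsplit("}", 1)[-1]


def base_control(index):
    """Reduce an 800-53 index such as 'IR-7 (2) (a)' or 'AC-1 a 1' to 'IR-7' / 'AC-1'."""
    return index.split()[0].split("(")[0]


def load_cci_index(xml_text):
    """Return {cci_id: (800-53 control index, definition)}; the highest SP 800-53 revision wins, 800-53A indexes are ignored."""
    index = {}
    for item in ET.fromstring(xml_text).iter():
        if _local(item.tag) != "cci_item":
            continue
        definition, best = "", None  # best = (revision number, control index)
        for child in item.iter():
            name = _local(child.tag)
            if name == "definition":
                definition = (child.text or "").strip()
            elif name == "reference":
                title = child.get("title", "")
                if "800-53" in title and "800-53A" not in title:
                    rev = int(child.get("version", "0"))
                    if best is None or rev > best[0]:
                        best = (rev, child.get("index", ""))
        index[item.get("id")] = (best[1] if best else None, definition)
    return index


def parse_rule_results(xml_text):
    """Return [(rule id, result, [cci ids])] for each rule-result, in document order."""
    rows = []
    for rr in ET.fromstring(xml_text).iter():
        if _local(rr.tag) != "rule-result":
            continue
        result, ccis = "", []
        for child in rr:
            name = _local(child.tag)
            if name == "result":
                result = (child.text or "").strip()
            elif name == "ident" and (child.text or "").strip().startswith("CCI-"):
                ccis.append(child.text.strip())
        rows.append((rr.get("idref"), result, ccis))
    return rows


def rollup_by_control(cci_index, rule_results):
    """Group results as {control: {cci: {result: [rule ids]}}} and return the CCI idents the list does not know."""
    rollup = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    unmapped = set()
    for rule_id, result, ccis in rule_results:
        for cci in ccis:
            entry = cci_index.get(cci)
            if entry is None or entry[0] is None:
                unmapped.add(cci)  # stale CCI list, or a STIG newer than it
                continue
            rollup[base_control(entry[0])][cci][result].append(rule_id)
    return rollup, unmapped


def failed_controls(rollup):
    """Controls with at least one failing rule, sorted for the POA&M."""
    return sorted(c for c, ccis in rollup.items()
                  if any("fail" in results for results in ccis.values()))


if __name__ == "__main__":
    idx = load_cci_index(CCI_LIST_XML)
    roll, missing = rollup_by_control(idx, parse_rule_results(XCCDF_RESULTS_XML))
    print("failed controls:", failed_controls(roll), "unmapped CCIs:", sorted(missing))
```

Run stand-alone it reports IR-7 as failed (the rule tagged CCI-000840 failed) and CCI-000001 as unmapped. The ident system URI is deliberately not checked: older STIGs tag CCIs with an iase.disa.mil URI and newer ones with cyber.mil, so matching on the CCI- prefix keeps both working, and a CCI that the list knows but cannot tie to an SP 800-53 index is reported as unmapped rather than silently dropped.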
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs) (Cont.)
When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.
SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs:
The first group is the four Core SRGs, which deal with Applications, Networking Devices, Operating Systems, and Policy. The second group is the technology-specific SRGs. A technology-specific SRG is a child of a Core SRG; for example, the Database SRG was derived from the requirements in the Application SRG.
The Purpose and Implementation Of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated, as appropriate, into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs), and Integrated Master Plans/Schedules (IMPs/IMSs).
CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and the Systems Security Engineer (SSE) should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management, risk deliberations, and the Systems Engineering Technical Review (SETR) processes and reviews.
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.
Especially consider cases where a vendor or organization has used automation to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.
The Department of Defense Instruction (DoDI) 8500 series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs).
In the absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance, or National Information Assurance Partnership (NIAP) Protection Profiles.
National Information Assurance Partnership: The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST).
Knowledge Review 3
The Department of Defense (DoD) has taken every security control and associated enhancement within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual, measurable statements referred to as (fill in the blank):
- DoD Security Controls
- Common Security Controls
- Control Correlation Identifiers
- Security Controls Catalog
Answer: The DoD has taken every security control and associated enhancement within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual, measurable statements referred to as Control Correlation Identifiers.
Lesson Completion
You have completed the content for this lesson
To continue select another lesson from the Table o f Contents on the left
If you have closed or hidden the Table of Contents click the Show TOC button at the top in the Atlas navigation bar
I Pbull ge23of23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Common Security Controls Applied to the DoD Tiers of Risk Management
Select each t ier of t he Strategic risk pyramid to see how common securit y cont rols are applied
STRATEGIC RISK
Tier3
Within Tier 3 are Enclaves which are a set of system resources that operate in the same security domain and that share the protection of a single common continuous security perimeter
Enclaves may identify enclave-specific common security controls that are made available to Information or PIT systems that are nested within the enclave through agreements between the enclave and the nested Information or PIT systems
The RMF Technical Advisory Group chairman has approved amplifying guidance for Tier 3 inheritance of common controls This may be found under the Common Controls and Inheritance tab within the RMF Knowledge Service
Risks introduced via common security controls at Tier 3 must be documented and either accepted mitigated or rejected by the nested Information or PIT system Authorizing Official
TACTICAL RISK
I Page 10of 23 I Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Common Security Controls Applied to the DoD Tiers of Risk Management
Select each tier of the Strategic risk pyramid to see how common security controls are applied
STRATEGIC RISK
Long Descript ion
DoD T iers of Risk Management
Tier 1-0rganization Tier 2-Mission Business Processes Tier 3-15 PIT Systems
TACTICAL RISK
I Pbull ge 10of23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 5I - Implementation of Control Solutions RESOURCES I PRINT I HELP
Tier I Common Security Controls for the Do D Enterp rise
The following is a list of the DoD Enterprise level (Tier I ) common securi ty controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD DoD Information and PIT systems are considered to be automatic ally compliant w ith these controls
Control Number Control Title
AT-I SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES AT- 2 SECURITY AWARENESS TRAINING AT- 2(I ) SECURITY AWARENESS I PRACTICAL EXERCISES ATshy 2(2) SECURITY AWARENESS I INSIDER THREAT IA-I IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES IAshy5(I 4) AUTHENTICATOR MANAGEMENT I MANAGING CONTENT OF PK TRUST STORES IA-5(3) AUTHENTICATOR MANAGEMENT I IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
IR-I INCIDENT RESPONSE POLICY AND PROCEDURES IRshy4(3) INCIDENT HANDLING I CONTINUITY OF OPERATIONS MP-I MEDIA PROTECTION POLICY AND PROCEDURES PE-I PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PL-I SECURITY PLANNING POLICY AND PROCEDURES PL-9 CENTRAL MANAGEMENT PM-I INFORMATION SECURITY PROGRAM PLAN PM-IO SECURITY AUTHORIZATION PROCESS PM- 7 ENTERPRISE ARCHITECTURE
PM-9 RISK MANAGEMENT STRATEGY PS-I PERSONNEL SECURITY POLICY AND PROCEDURES RA-I RISK ASSESSMENT POLICY AND PROCEDURES SI-I SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
I Page11of23 I Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Knowledge Review 2
At which Department of Defense DoD) Tier of risk management is risk introduced via common security controls at the enclave level that must be documented as either accepted mitigated or rejected risk by the nested Information System or Platform Information Technology PIT) System Authorizing Official
Tier 1
LJ Tier 2
~ Tier 3
Check Answer
Tier 3 is the DoD tier of risk management at which risk is introduced via common security controls at the enclave level that must be documented as either accepted mitiga ted or rejected risk by the nested Information System or PIT System Authorizing Official
I Pbull ge12of23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation
The Security Controls Explorer found within the RMF Knowledge Service provides implementation guidance and best practices for implementing security controls This resource is critical when implementing security controls within DoD
Within the list for each security control DoD has assigned specific values implementation guidance and assessment procedures These can be used to manage and document the RMF process In addition to the Knowledge Service these procedures can be found in the DoD Enterprise Mission Assurance Support Service (eMASS)
AC-1 ACCESS CONTROL POLICY AND PROCEDURES
Control Text: The organization: a. Develops, documents, and disseminates to [all personnel]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Annually]; and 2. Access control procedures [Annually].
Users can view control details:
• Supplemental Guidance
• References
• Security Categorization
• Implementation Guidance and Assessment Procedures
Control Correlation Identifier (CCI)
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides specific security control information that can be applied to all US Government information systems.
However, DoD has provided amplifying guidance, requirements, and direction, based on DoD policies, mandates, architectures, and environments, within the RMF Knowledge Service.
The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control. CCIs bridge the gap between high-level policy expressions and low-level technical implementations. DoD has taken every security control and associated enhancements within the Security Controls Catalog and decomposed them into individual measurable statements.
CCIs:
• Do not change the meaning or intent of a security control
• Are simply a breakdown of each individual requirement within the security control
• Are given a numeric label
• Provide specific implementation guidance and assessment procedures
Control Correlation Identifiers Guidance
A Control Correlation Identifier (CCI) gives us specific DoD guidance and procedures for implementing and assessing the security controls.
For example, when implementing the IR-7 security controls, the Control Correlation Identifiers (CCI-000839 through CCI-000842) guide us to:
• (CCI-000839) Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents
• (CCI-000840) Employ automated mechanisms to increase the availability of incident response-related information and support
• (CCI-000841) Establish a direct, cooperative relationship between its incident response capability and external providers of information system protection capability
• (CCI-000842) Identify organizational incident response team members to the external providers
Control Correlation Identifiers Guidance (Cont.)
At this time, DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing.
Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users.
In assessing this security control, we will identify and interview as necessary to determine if the CCIs are fulfilled. As DoD requires us to implement an automated intra-organization incident response information sharing capability, we must determine if this capability is implemented.
This implementation is intended to provide information and support such as standard operating procedures for incident reporting, incident handling frequently asked questions, current incident activity awareness information, incident response contact information, and incident report submissions.
Control Correlation Identifiers Example
[Image: Control Correlation Identifiers example table for IR-7, IR-7 (1), IR-7 (2)(a) and IR-7 (2)(b). The image text was not legible in extraction; the readable table text and its long description follow.]
Control Correlation Identifiers Example (table columns: Control | 800-53 Control | CCI Number | Text | Indicator)
[The table rows for CCI-000839, CCI-000841 and CCI-000842 were not legible in the extracted image text; only the IR-7 (1) row is reproduced here.]
IR-7 (1) | IR-7 (1) | CCI-000840
Text: The organization being inspected/assessed will implement an automated intra-organization incident response information sharing capability to provide incident-related information and support, for example:
1. SOP for incident reporting
2. Incident handling FAQ
3. Current incident activity awareness information
4. Incident response contact information
5. Incident report submission
Indicator: The organization conducting the inspection/assessment obtains and examines the incident response information sharing capability to validate the information sharing capability is available to organizational users.
DoD specific guidance and procedures: DoD provides guidance and procedures. This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website or, conversely, the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
Long Description
A typical Control Correlation Identifiers entry is comprised of:
• Control Number (IR-7 (1) is highlighted): The Incident Response Family IR-7 (1) is a specific control to address Incident Response Assistance | Automation Support For Availability Of Information Support.
• CCI label (highlighted): The control is given a CCI number, 000840.
• CCI definition (highlighted): The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog.
• Guidance (highlighted): DoD provides guidance and procedures; this is the supplemental guidance on push/pull automated mechanisms shown with the table text above.
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.
We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs) (Cont.)
When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.
SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.
The first group is the four Core SRGs, which deal with Applications, Networking Devices, Operating Systems, and Policy. The second group is the technology-specific SRGs. A technology-specific SRG is a child of a Core SRG; for example, the Database SRG was derived from the requirements in the Application SRG.
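To make the CCI-to-STIG correlation concrete, here is an added example (not part of the ISA220 course material) that builds a traceability check from the four IR-7 CCIs quoted on the CCI guidance page to a constructed set of STIG rules and a constructed RMF Step 1 hardware/software inventory. The STIG names, rule ids and product names are hypothetical. It reports which CCIs are satisfied by a STIG rule applicable to the inventory, which CCIs have no STIG coverage (and so need an SRG-derived requirement, as described above), and which CCI references in the rules do not exist in the catalog.

```python
"""Traceability check from NIST SP 800-53 controls through CCIs to STIG rules.

Added example, not part of the ISA220 course. The IR-7 CCI definitions are
the ones quoted in the course; the STIG rules, rule ids and the inventory
below are constructed sample data (hypothetical names).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CCI:
    cci_id: str      # numeric label DoD assigns, e.g. "CCI-000840"
    control: str     # parent 800-53 control or enhancement, e.g. "IR-7 (1)"
    definition: str  # the single measurable statement


@dataclass(frozen=True)
class StigRule:
    rule_id: str   # constructed, hypothetical rule id
    stig: str      # STIG the rule belongs to (constructed name)
    ccis: tuple    # CCI ids the rule's check satisfies
    product: str   # hardware/software item the STIG applies to


@dataclass
class TraceabilityReport:
    coverage: dict = field(default_factory=dict)  # cci_id -> sorted applicable rule ids
    gaps: list = field(default_factory=list)      # CCIs with no applicable STIG rule
    dangling: set = field(default_factory=set)    # CCI ids in rules but not in the catalog


# The four IR-7 CCIs as decomposed by DoD (definitions from the course text).
IR7_CCIS = [
    CCI("CCI-000839", "IR-7",
        "Provide an incident response support resource, integral to the organizational "
        "incident response capability, that offers advice and assistance to users"),
    CCI("CCI-000840", "IR-7 (1)",
        "Employ automated mechanisms to increase the availability of incident "
        "response-related information and support"),
    CCI("CCI-000841", "IR-7 (2)(a)",
        "Establish a direct, cooperative relationship between its incident response "
        "capability and external providers of information system protection capability"),
    CCI("CCI-000842", "IR-7 (2)(b)",
        "Identify organizational incident response team members to the external providers"),
]

# Constructed inventory from RMF Step 1 (the system's hardware/software list).
SAMPLE_INVENTORY = {"sample-web-server", "sample-os"}

# Constructed STIG rules. The database STIG applies to a product that is not in
# the inventory, and one OS rule references a CCI id that is not in the catalog.
SAMPLE_RULES = [
    StigRule("SAMPLE-WEB-000010", "Sample Web Server STIG", ("CCI-000840",), "sample-web-server"),
    StigRule("SAMPLE-OS-000020", "Sample OS STIG", ("CCI-000839", "CCI-999999"), "sample-os"),
    StigRule("SAMPLE-DB-000030", "Sample Database STIG", ("CCI-000841",), "sample-database"),
]


def build_traceability(ccis, rules, inventory):
    """Correlate each CCI with the STIG rules that are applicable to the inventory."""
    catalog = {c.cci_id for c in ccis}
    report = TraceabilityReport(coverage={c.cci_id: [] for c in ccis})
    for rule in rules:
        for cci_id in rule.ccis:
            if cci_id not in catalog:
                # A rule pointing at an unknown CCI is a catalog mismatch whether or
                # not the product is in scope, so record it before the scope check.
                report.dangling.add(cci_id)
            elif rule.product in inventory:
                report.coverage[cci_id].append(rule.rule_id)
    for rule_ids in report.coverage.values():
        rule_ids.sort()
    # CCIs with no applicable STIG rule must be sourced elsewhere (an SRG, per the course).
    report.gaps = [c.cci_id for c in ccis if not report.coverage[c.cci_id]]
    return report


def gap_controls(report, ccis):
    """Map each uncovered CCI back to its parent control for the SRG/requirements trace."""
    parent = {c.cci_id: c.control for c in ccis}
    return {cci_id: parent[cci_id] for cci_id in report.gaps}


if __name__ == "__main__":
    rep = build_traceability(IR7_CCIS, SAMPLE_RULES, SAMPLE_INVENTORY)
    for cci_id, rule_ids in rep.coverage.items():
        print(f"{cci_id}: {rule_ids or 'NO APPLICABLE STIG RULE'}")
    print("needs SRG-derived requirement:", gap_controls(rep, IR7_CCIS))
    print("rules referencing unknown CCIs:", sorted(rep.dangling))
```

Two design points: a rule whose product is not in the Step 1 inventory is ignored for coverage, because an inapplicable STIG cannot satisfy a CCI for this system; and an unknown CCI id is reported even for out-of-scope rules, since it signals a catalog mismatch that would corrupt the traceability matrix wherever the rule is used.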
The Purpose and Implementation Of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated, as appropriate, into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs), and Integrated Master Plans/Schedules (IMPs/IMSs).
CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and SSE should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management, and risk deliberations, and throughout Systems Engineering Technical Review (SETR) processes and reviews.
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.
Especially consider when a vendor or organization has used automation to allow them to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.
The Department of Defense Instruction (DoDI) 8500 Series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guidelines (SRGs).
In the absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance, or National Information Assurance Program (NIAP) Protection Profiles.
National Information Assurance Program
The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST).
Knowledge Review 3
The Department of Defense (DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual measurable statements referred to as (Fill in the blank):
DoD Security Controls
Common Security Controls
Control Correlation Identifiers
Security Controls Catalog
Check Answer
The Department of Defense (DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlation Identifiers.
Lesson Completion
You have completed the content for this lesson.
To continue, select another lesson from the Table of Contents on the left.
If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.
IR-I INCIDENT RESPONSE POLICY AND PROCEDURES IRshy4(3) INCIDENT HANDLING I CONTINUITY OF OPERATIONS MP-I MEDIA PROTECTION POLICY AND PROCEDURES PE-I PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PL-I SECURITY PLANNING POLICY AND PROCEDURES PL-9 CENTRAL MANAGEMENT PM-I INFORMATION SECURITY PROGRAM PLAN PM-IO SECURITY AUTHORIZATION PROCESS PM- 7 ENTERPRISE ARCHITECTURE
PM-9 RISK MANAGEMENT STRATEGY PS-I PERSONNEL SECURITY POLICY AND PROCEDURES RA-I RISK ASSESSMENT POLICY AND PROCEDURES SI-I SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
I Page11of23 I Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Knowledge Review 2
At which Department of Defense DoD) Tier of risk management is risk introduced via common security controls at the enclave level that must be documented as either accepted mitigated or rejected risk by the nested Information System or Platform Information Technology PIT) System Authorizing Official
Tier 1
LJ Tier 2
~ Tier 3
Check Answer
Tier 3 is the DoD tier of risk management at which risk is introduced via common security controls at the enclave level that must be documented as either accepted mitiga ted or rejected risk by the nested Information System or PIT System Authorizing Official
I Pbull ge12of23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation
The Security Controls Explorer found within the RMF Knowledge Service provides implementation guidance and best practices for implementing security controls This resource is critical when implementing security controls within DoD
Within the list for each security control DoD has assigned specific values implementation guidance and assessment procedures These can be used to manage and document the RMF process In addition to the Knowledge Service these procedures can be found in the DoD Enterprise Mission Assurance Support Service (eMASS)
AC-1 ACCESS CONTROL POLICY AND PROCEDURES Cont rol Text The organisation a Develops documents and disseminates to [all personel] 1 An access control policy that addresses purpose scope roles responsibil ites management commitment coordination amongorganizational entit ies and compliance and 2 Procedures to facilitate the implementation of the acces control policy and associated access cont rols and b Reviews and updates the current 1 Access control policy [Annually] and 2 Access control procedures [Annually]
Supplemental Guidance
References 11111shySecurity Categorization
Implementation Guidance and Assessment Procedures
I Page13of 23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation
The Security Controls Explorer found within the RMF Knowledge Service provides implementation guidance and best practices for implementing security controls This resource is critical when implementing security controls within DoD
uidance and assessme ition to the
Long DescriptionKnowledg pport Service (
AC- I Access Control Policy and Procedures
bull Control Text The organization a Develops documents and disseminates to [all personnel] 1 An access control policy that addresses purpose scope roles responsibilities management commitment coordination among organizational entities and compliance and 2 Procedures to facilitate the implementation of the access control policy and associated access controls and b Reviews and updates the current 1 Access control policy [Annually] and 2 Access control procedures [Annually]
Su bull Supplemental Guidance Users can view control details bull References
Re bull Security Ca tegorization bull Implementation Guidance and Assessment Procedures_____________________________________________________
Se
Implementation Guidance and Assessment Procedures
I Page13of23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifier (CCT)
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800- 53 Securit y and Privacy Cont rols for Federa l I nformation Systems and Organizations provides specific security control information that can be applied to all US Government information systems
However DoD has provided amplifying guidance requirements and direction based on DoD policies mandates architectures and environments within the RMF Knowledge Service
The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control CCi s bridge the gap between high- level policy expressions and low- level technical implementations DoD has taken every security control and associated enhancements within the Security Controls Catalog and decomposed them into individual measurable statements
CCi s
bull Do not change the meaning or intent of a security control
bull Are simply a breakdown of each individual requirement within the security control
bull Are given a numeric label
bull Provide specific implementation guidance and assessment procedures
I Page14of 23 I Back Next
ISA220 Risk Management Framework for Practitioner s Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Guidance
A Common Control Identifier gives us specific DoD guidance and procedures for implementing and assessing the securi ty controls
For example when implementing IR- 7 security controls the Common Control Identifiers (CCI- 000839 through CCl- 000842) guides us to
bull (CCl-000839) Provide an incident response support resource integral to the organiza tional incident response capabili ty that offers advice and assistance to users o f the information system for the handling and reporting o f security inciden ts
bull (CCI-000840) Employ automated mechanisms to increase the availability of incident response-related information and support
bull (CCI-000841) Establish a direct cooperative relationship between its incident response capability and external providers of information system protection capability
bull (CCI-000842) Identify organizational incident response team members to the external providers policy
I Page15of23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Guidance Cont
At this time DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing
Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users
In assessing this security control we will identify and interview as necessary to determine if the CCis are fulfilled As DoD requires us to implement an automated intra-organization incident response information sharing capability we must determine if this capability is implemented
This implementation is intended to provide information and support such as standard operating procedures for incident reporting incident handling frequently asked questions current incident activity awareness information incident response contact information and incident report submissions
Control Correlation Identifiers Example
[Image: a Control Correlation Identifiers table entry for IR-7, IR-7 (1) and IR-7 (2), with the columns Control, 800-53 Control, CCI Number, Text and Indicator; the Long Description that follows walks through the entry for IR-7 (1) / CCI-000840]
The table in the example has the columns Control, 800-53 Control, CCI Number, Text and Indicator. For IR-7 (1) / CCI-000840 the table carries the DoD-specific guidance and procedures:
• The organization being inspected/assessed will implement an automated intra-organization incident response information sharing capability related to incident information and support, for example:
  1. SOP for incident reporting
  2. Incident handling FAQ
  3. Current incident activity awareness information
  4. Incident response contact information
  5. Incident report submission
• The organization conducting the inspection/assessment obtains and examines the incident response information sharing capability to validate that the information sharing capability is available to organizational users
[The rows for IR-7 (2) (a) / CCI-000841 and IR-7 (2) (b) / CCI-000842 are not legible in the source image]

Long Description
A typical Control Correlation Identifiers entry is comprised of:
• Control Number: IR-7 (1) is highlighted. The Incident Response Family IR-7 (1) is a specific control to address Incident Response Assistance | Automation Support For Availability Of Information / Support
• CCI label is highlighted: The control is given a CCI number, 000840
• CCI definition is highlighted: The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog
• Guidance is highlighted: DoD provides guidance and procedures. This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website or, conversely, the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.
We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs) (Cont.)
When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.
SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.
The first group consists of four Core SRGs, which deal with Applications, Networking Devices, Operating Systems and Policy. The second group consists of technology-specific SRGs. A technology-specific SRG is a child of a Core SRG; for example, the Database SRG was derived from the requirements in the Application SRG.
The Purpose and Implementation Of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated, as appropriate, into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs) and Integrated Master Plans/Schedules (IMPs/IMSs).
CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and SSE should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management, risk deliberations and throughout Systems Engineering Technical Review (SETR) processes and reviews.
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.
Especially consider when a vendor or organization has used automation to allow them to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.
The Department of Defense Instruction (DoDI) 8500 Series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guidelines (SRGs).
In the absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance or National Information Assurance Program (NIAP) Protection Profiles.
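The guidance-selection order this lesson lays out (a product-specific STIG where one exists, otherwise the technology-specific SRG, otherwise the Core SRG it was derived from, and NSA, NIST or NIAP sources only when DISA publishes neither) can be applied mechanically to the hardware and software list produced in RMF Step 1. The following Python script is an added example, not course material or a DISA tool: the four Core SRGs and the Database SRG to Application SRG relationship come from the lesson, while every product identifier, STIG title and other parent link in the catalog is constructed for illustration.

```python
"""Pick the DoD configuration guidance to implement against for each item in a
system's hardware/software inventory.

Added example (not course material or DISA tooling). Selection order follows
the lesson: a product-specific STIG when one exists, otherwise the
technology-specific SRG, otherwise the Core SRG it derives from, and when DISA
has nothing at all, NSA Secure Configuration Guidelines, NIST guidance or NIAP
Protection Profiles. The four Core SRGs and the Database SRG -> Application SRG
relationship come from the lesson; every other product id, STIG title and
parent link below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Guide:
    name: str
    kind: str                     # "STIG", "SRG" (technology-specific) or "CORE_SRG"
    parent: Optional[str] = None  # name of the guide this one was derived from


# Catalog of guides keyed by name (constructed, see module docstring).
GUIDES: Dict[str, Guide] = {g.name: g for g in [
    # Core SRGs named in the lesson
    Guide("Application SRG", "CORE_SRG"),
    Guide("Network Devices SRG", "CORE_SRG"),
    Guide("Operating Systems SRG", "CORE_SRG"),
    Guide("Policy SRG", "CORE_SRG"),
    # Technology-specific SRGs, each a child of a Core SRG
    Guide("Database SRG", "SRG", parent="Application SRG"),
    Guide("Web Server SRG", "SRG", parent="Application SRG"),
    Guide("Router SRG", "SRG", parent="Network Devices SRG"),
    # Product-specific STIGs built from a technology SRG
    Guide("ExampleDB 12 STIG", "STIG", parent="Database SRG"),
    Guide("ExampleRouter OS 7 STIG", "STIG", parent="Router SRG"),
]}

# Inventory product id -> STIG title, for products that have a STIG (constructed).
STIG_FOR_PRODUCT: Dict[str, str] = {
    "exampledb-12": "ExampleDB 12 STIG",
    "examplerouter-os-7": "ExampleRouter OS 7 STIG",
}

# Inventory product id -> technology area (an SRG name), used when no STIG exists.
# None means DISA publishes no STIG or SRG covering the product (constructed).
PRODUCT_TECHNOLOGY: Dict[str, Optional[str]] = {
    "exampledb-12": "Database SRG",
    "newdb-1": "Database SRG",          # no STIG yet: the Database SRG applies
    "examplerouter-os-7": "Router SRG",
    "customapp-2": "Application SRG",   # no technology SRG: the Core SRG applies
    "legacy-widget-3": None,            # no DISA guidance at all
}

NON_DISA_SOURCES = ("NSA Secure Configuration Guidelines", "NIST guidance",
                    "NIAP Protection Profiles")


def applicable_guide(product: str) -> Optional[Guide]:
    """Most specific DISA guide for a product, or None when DISA has none."""
    if product in STIG_FOR_PRODUCT:
        return GUIDES[STIG_FOR_PRODUCT[product]]
    technology = PRODUCT_TECHNOLOGY.get(product)
    if technology is None:
        return None
    return GUIDES[technology]  # a technology-specific SRG, or a Core SRG directly


def lineage(guide: Guide) -> List[str]:
    """Names from the guide up to its Core SRG, giving the traceability chain
    STIG -> technology SRG -> Core SRG (e.g. Database SRG -> Application SRG)."""
    chain: List[str] = []
    current: Optional[Guide] = guide
    while current is not None:
        chain.append(current.name)
        current = GUIDES[current.parent] if current.parent else None
    return chain


def guidance_plan(inventory: Iterable[str]) -> Dict[str, str]:
    """Map each inventory item to the guidance source it is configured against."""
    plan: Dict[str, str] = {}
    for product in inventory:
        guide = applicable_guide(product)
        if guide is None:
            plan[product] = "No STIG or SRG: use " + " / ".join(NON_DISA_SOURCES)
        else:
            plan[product] = " <- ".join(lineage(guide))
    return plan


if __name__ == "__main__":
    for product, source in guidance_plan(sorted(PRODUCT_TECHNOLOGY)).items():
        print(f"{product:20} {source}")
```

The lineage string kept for each item is the traceability the lesson asks for: a STIG finding can be traced back through its technology SRG to the Core SRG and, from there, to the CCIs and security controls the SRG compiles.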
National Information Assurance Program
The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST).
Knowledge Review 3
The Department of Defense (DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual measurable statements referred to as (fill in the blank):
[ ] DoD Security Controls
[ ] Common Security Controls
[x] Control Correlation Identifiers
[ ] Security Controls Catalog
Answer: The Department of Defense (DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlation Identifiers.
Lesson Completion
You have completed the content for this lesson.
To continue, select another lesson from the Table of Contents on the left.
If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.
Tier 1 Common Security Controls for the DoD Enterprise
The following is a list of the DoD Enterprise level (Tier 1) common security controls that are satisfied by existing DoD policy and guidance and are applicable throughout the DoD. DoD Information and PIT systems are considered to be automatically compliant with these controls.
Control Number   Control Title
AT-1       SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
AT-2       SECURITY AWARENESS TRAINING
AT-2(1)    SECURITY AWARENESS | PRACTICAL EXERCISES
AT-2(2)    SECURITY AWARENESS | INSIDER THREAT
IA-1       IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-5(14)   AUTHENTICATOR MANAGEMENT | MANAGING CONTENT OF PKI TRUST STORES
IA-5(3)    AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
IR-1       INCIDENT RESPONSE POLICY AND PROCEDURES
IR-4(3)    INCIDENT HANDLING | CONTINUITY OF OPERATIONS
MP-1       MEDIA PROTECTION POLICY AND PROCEDURES
PE-1       PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PL-1       SECURITY PLANNING POLICY AND PROCEDURES
PL-9       CENTRAL MANAGEMENT
PM-1       INFORMATION SECURITY PROGRAM PLAN
PM-10      SECURITY AUTHORIZATION PROCESS
PM-7       ENTERPRISE ARCHITECTURE
PM-9       RISK MANAGEMENT STRATEGY
PS-1       PERSONNEL SECURITY POLICY AND PROCEDURES
RA-1       RISK ASSESSMENT POLICY AND PROCEDURES
SI-1       SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
Knowledge Review 2
At which Department of Defense (DoD) Tier of risk management is risk introduced via common security controls at the enclave level that must be documented as either accepted, mitigated or rejected risk by the nested Information System or Platform Information Technology (PIT) System Authorizing Official?
[ ] Tier 1
[ ] Tier 2
[x] Tier 3
Answer: Tier 3 is the DoD tier of risk management at which risk is introduced via common security controls at the enclave level that must be documented as either accepted, mitigated or rejected risk by the nested Information System or PIT System Authorizing Official.
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation
The Security Controls Explorer found within the RMF Knowledge Service provides implementation guidance and best practices for implementing security controls. This resource is critical when implementing security controls within DoD.
Within the list for each security control, DoD has assigned specific values, implementation guidance and assessment procedures. These can be used to manage and document the RMF process. In addition to the Knowledge Service, these procedures can be found in the DoD Enterprise Mission Assurance Support Service (eMASS).
[Image: the Security Controls Explorer entry for AC-1 Access Control Policy and Procedures]

Long Description
AC-1 Access Control Policy and Procedures. Users can view the control details:
• Control Text: The organization: a. Develops, documents, and disseminates to [all personnel]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Annually]; and 2. Access control procedures [Annually]
• Supplemental Guidance
• References
• Security Categorization
• Implementation Guidance and Assessment Procedures
Control Correlation Identifier (CCI)
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides specific security control information that can be applied to all US Government information systems.
However, DoD has provided amplifying guidance, requirements and direction based on DoD policies, mandates, architectures and environments within the RMF Knowledge Service.
The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control. CCIs bridge the gap between high-level policy expressions and low-level technical implementations. DoD has taken every security control and associated enhancements within the Security Controls Catalog and decomposed them into individual measurable statements.
CCIs:
• Do not change the meaning or intent of a security control
• Are simply a breakdown of each individual requirement within the security control
• Are given a numeric label
• Provide specific implementation guidance and assessment procedures
I Page14of 23 I Back Next
ISA220 Risk Management Framework for Practitioner s Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Guidance
A Common Control Identifier gives us specific DoD guidance and procedures for implementing and assessing the securi ty controls
For example when implementing IR- 7 security controls the Common Control Identifiers (CCI- 000839 through CCl- 000842) guides us to
bull (CCl-000839) Provide an incident response support resource integral to the organiza tional incident response capabili ty that offers advice and assistance to users o f the information system for the handling and reporting o f security inciden ts
bull (CCI-000840) Employ automated mechanisms to increase the availability of incident response-related information and support
bull (CCI-000841) Establish a direct cooperative relationship between its incident response capability and external providers of information system protection capability
bull (CCI-000842) Identify organizational incident response team members to the external providers policy
I Page15of23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Guidance Cont
At this time DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing
Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users
In assessing this security control we will identify and interview as necessary to determine if the CCis are fulfilled As DoD requires us to implement an automated intra-organization incident response information sharing capability we must determine if this capability is implemented
This implementation is intended to provide information and support such as standard operating procedures for incident reporting incident handling frequently asked questions current incident activity awareness information incident response contact information and incident report submissions
I Page 16 of23 I Back Next
--
I
ISA220 Risk Management Framework for Practitioners Lesson 51 shy Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example
IH (IJ tR7 (I)
IH (2) 1R 7 (7)(a)
~middot
IR-7 (2) IR-7 (7)(11) ~middot2
n___ - n--~ --middot-fflOOM-t fHOlotrU Wt91 lO lM ~ldHlffMdWiii Ktlbltttl lllll~HIMlmillM Ri ~ llnCIClilinamp ~ tnellllllnl PGftM MIPSIOt MM(bull Of91112aGNI 614-rwM ~middotmiddotof IMl---H-bulltouun --toMrTdolll oo----middot----Vol
-bull-nldtMlto llMrSlor -ote-bullltll--bullmiddot-shy I_1_lortlgtt-09_WV_bull
Tho Of91Z-- bullllOYI -ed-__- _ ___ ood _
c~ bM Ila -middot-middotshy---middotr-bull-___ copoMlyTllo---middot--shy~ fHPQnM tbullem~ totM _
~---- ___shytnCIChnll Chen _Vf ~~to
-SYNI 4 M ~ tffOOfrH MlOft wttet to COftlaet
--9 ------1pectedlH-NPM~ lfllJllICUOrVbullbullbullUment obt_ ___the _____ -middotmiddotmiddot---middot-~ ---~~ middotmiddot-middotmiddoti---g~ middotmiddot~lhtlcl-g-Nllled -middotmiddot--~ I S()P lor--ng--- 2-~~Nl ) Currtflt ~ lctMCy ~
4 ffticldM rHponM CONlicl --5 - ltportmiddot- shy
n --~ wtspcttdlasMned mml ~a-ogr--middot-ftlhlOtlit cWeftM bullCbull pnMdel
(CtC)SP)n--o-o cttdlMloHffd mu1amp eftd folPClmbull tM bull1t of IPllltNll ~
n__- ~ususment otllMll _ampht _____OlpNZ ~ fft wlidllbull curr11
Tho 1H--C119 bulltplCUOfttHlffllftlllC otll lndi ~ tM llllt Of ifUfMll lfICllCMft rtolfOllllP
tHponM t-n INgt M MCetNfY ampo ute II eccwMd c11N Vi 1~ deg~ ollNCNOSP -Cl40SP _ i _ - middot--- -IHpotlMl____ _lhotio CllOSP- -
Select the image above to progress through a Control Correlation Identifiers example
Page 17 of 23 Back Next
__
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example
R-7 R -7 ~n_-_tffPGftM ~~ toN
----~~ -u Md nMIMCit bullo USlfS
GllM - tyoebullmtof lht ~___yshy
IR-7(1) 11111 ~-~ -oc1 JTMChMlbullmt lO lnCfenbull of
~niR -~- shy-
R middot7 QI R middot7(1)(a) C0-1 _ - COOlpldlNI betwHnill ____ y_
__oyushy
capololity R -7 (2) IH (11 C-1 n -bull_ shy~2
~ fKpilftM lt- ~ tothl__
I The--~
I --~
~MIUHllM ~ M MpeCtIONMfft __ ----middot __ ___ I
~ tbull en rt dHll 10 ~~ ponM luppailf MNCH Md qumy
---- _
-middot M_ _tolt11-g___ -middotolllgtOM middot--wMltI I_- _
lfIOdltltl thiM ~doc~ to _ 11 M WIOdett tnpOMt ppoft
Mnitebull to COdJCt
-middot-bo9mnbullPfdl6astbullbullffd ~ bull n---_ ~bullUS-lrMntMd tDnWlt9 the ___ - -- _bolily
--__blloey middotmiddot-middot ---_~ ___ --middotmiddot-- bullbull degdeg ---2-~lAO-shygt eun-Y-bull ~rn~conlXI s ___ -The -middot shy btolll n-- shy tOftCfuclonI lftspKltdasses1S mullbull~ a -----deg IMpKbOftlauusr etuiM md bullimnwws the __~ dtfMM MMCbull~ Clf99Nl_ llnd Ct~ 10 dlltdlee bull bull CUNtinl
(CtCgtSP) - shy __ Tho ~c-cto)tilo lntpKttdMHllecJ nlllll prcMde Md IMPKtINUMlllMN mcJ Chit 1M bullbull ol fttfNI iiMltdlN Ila el tn1MYI ~ _ bullbull_ rftMllMft _ tMIP ftWtnDln es MCbullbullJatY to bull la ecabulle MdC_ deg lht ~la GllM CNOSP - CNOSP ~-- shy-1lt1 c_ _---1middot----QIOSPshy
The Incident Response Family IR-7 ( 1) is a specific control to address Incident Response AssistancelAutomation Support For Availability Of Information Support
Pag e 17 of 23 Back Next
--
___
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example
IRmiddot1 IRmiddot7
CCI
COshy
CCI-no___ _ tHfIOIM aupoon tbullto1ttbull to tN ---rH-MUpobMy 1NI elrin ~MidMliiA-U 10 Wtra
dlM-bullibullmtot11M~ --d-yWM-S
--~_ ~-------_-_-shy-
1R 1 QI IHQl(ll CO-I TM~Hl-bullclortd CoopedlNe ~
- bullbullbull-clflllY _ txtipo-d_ cwty
C0-2 TIM_bull ___IR-7 2) IRmiddot7 QI (11) iflCldlN tH$IOM4 Ibull~ to tM txtotNI_
The control is given a CCI number 000840
~
Tho --bot Tht--~~tidrMMbullud_H~ _ mpecWNHMHlMftl ___ ____ ~IOMJThtlp- topwa_rH_M_NNCHINl~ffl cMlcbull W U llMCt to uMrt W aallt1MCe ol thoH HMCff ~ 11Md I ~-middotmiddot--Y ____~ ~fVSlft~illhOnLO
Mt-et II M 1ftCldert ~
MMebull lo cotUct Tht -middot- Tht ___pectt6nMut ~ ~ obtMllll s -nne1 tht_____ ------wv---_~ ---_~ 10 0 __- _ -lomiddotmiddot---shy--_ I SOPlor--O 2 ~deg
) o Y-middot_ rHponM Conucts ~ _
Tht --bot TIM--~ lfltpeC1tidiMMUed bulllhtlilliM ~ otllMM s t1lit
fMCWodc ~ -MNCbull ptcMdef Wt CfJl)ltO 1ti1 - bull m wrren1 -middot--middotmiddot-middot ----- (QCllSP - shyTN Olll)lll zbullM bMt9 Tllif OfflllVbulldeg c0fdut19 a lfltpKlMUM tnull prNde Mii 1M91CbOftUffllrntinC Md_ tht upctae 1bt bull11 o1 tm11 llllttdMI Mt wwetnlll PifM bullbullbull~ JM ~mt_ bullbull MltHJaY to wMilbull bull 11 eccurlllbull and c_ ke ___ tlM ~ CNOSP -CHOSP____ __ C--N ___lllO ---Mt CJlOSPshy -oc1
Page 17 of 23 Back Next
---
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example
[Figure: the Control Correlation Identifiers example table with the CCI definition highlighted. IR-7 (1): The organization employs automated mechanisms to increase the availability of incident response-related information and support.]
For each measurable statement, the CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog.
Control Correlation Identifiers Example (table columns: Control / 800-53 Control / CCI Number / Text / Indicator)
IR-7 / IR-7 / CCI-000839: The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents.
The organization being inspected/assessed will implement an automated intra-organization incident response information sharing capability related to information and support, for example: 1. SOP for incident reporting; 2. Incident handling FAQ; 3. Current incident activity awareness information; 4. Incident response contact and procedures information; 5. Incident report submission.
The organization conducting the inspection/assessment obtains and examines the incident response information sharing capability to validate that the information sharing capability is available to organizational users.
IR-7 (2) / IR-7 (2)(a) / CCI-000841: The organization establishes a direct cooperative relationship between its incident response capability and external providers of information system protection capability.
IR-7 (2) / IR-7 (2)(b) / CCI-000842: The organization identifies organizational incident response team members to the external providers. The organization being inspected/assessed identifies the incident response team members to the external providers; the organization conducting the inspection/assessment obtains and examines the list of internal incident response team members, as necessary, to ensure it is accurate and current.
DoD specific guidance: DoD provides guidance and procedures. This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website or, conversely, the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
Control Correlation Identifiers Example
Long Description
A typical Control Correlation Identifiers entry is comprised of:
• Control Number IR-7 (1) is highlighted: The Incident Response Family IR-7 (1) is a specific control to address Incident Response Assistance | Automation Support For Availability Of Information Support.
• CCI label is highlighted: The control is given a CCI number, 000840.
• CCI definition is highlighted: The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog.
• Guidance is highlighted: DoD provides guidance and procedures. This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website or, conversely, the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.
We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs) (Cont.)
When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.
SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.
The first group are four Core SRGs, which deal with Applications, Networking Devices, Operating Systems, and Policy. The second group are technology-specific SRGs. A technology-specific SRG is a child of a Core SRG; for example, the Database SRG was derived from the requirements in the Application SRG.
The Purpose and Implementation Of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated, as appropriate, into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs), and Integrated Master Plans/Schedules (IMPs/IMSs).
CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and SSE should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management, and risk deliberations, and throughout Systems Engineering Technical Review (SETR) processes and reviews.
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.
Especially consider when a vendor or organization has used automation to allow them to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.
The Department of Defense Instruction (DoDI) 8500 Series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guidelines (SRGs).
In the absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance, or National Information Assurance Program (NIAP) Protection Profiles.
National Information Assurance Program
The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST).
Knowledge Review 3
The Department of Defense (DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual measurable statements referred to as (fill in the blank):
• DoD Security Controls
• Common Security Controls
• Control Correlation Identifiers
• Security Controls catalog
Check Answer
The Department of Defense (DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlation Identifiers.
Lesson Completion
You have completed the content for this lesson
To continue, select another lesson from the Table of Contents on the left.
If you have closed or hidden the Table of Contents click the Show TOC button at the top in the Atlas navigation bar
Knowledge Review 2
At which Department of Defense (DoD) Tier of risk management is risk introduced via common security controls at the enclave level that must be documented as either accepted, mitigated, or rejected risk by the nested Information System or Platform Information Technology (PIT) System Authorizing Official?
• Tier 1
• Tier 2
• Tier 3
Check Answer
Tier 3 is the DoD tier of risk management at which risk is introduced via common security controls at the enclave level that must be documented as either accepted, mitigated, or rejected risk by the nested Information System or PIT System Authorizing Official.
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation
The Security Controls Explorer found within the RMF Knowledge Service provides implementation guidance and best practices for implementing security controls. This resource is critical when implementing security controls within DoD.
Within the list for each security control, DoD has assigned specific values, implementation guidance, and assessment procedures. These can be used to manage and document the RMF process. In addition to the Knowledge Service, these procedures can be found in the DoD Enterprise Mission Assurance Support Service (eMASS).
AC-1 ACCESS CONTROL POLICY AND PROCEDURES
Control Text: The organization: a. Develops, documents, and disseminates to [all personnel]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Annually]; and 2. Access control procedures [Annually].
Supplemental Guidance
References
Security Categorization
Implementation Guidance and Assessment Procedures
Long Description
AC-1 Access Control Policy and Procedures. Users can view control details:
• Control Text (as shown above)
• Supplemental Guidance
• References
• Security Categorization
• Implementation Guidance and Assessment Procedures
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifier (CCI)
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides specific security control information that can be applied to all US Government information systems.
However, DoD has provided amplifying guidance, requirements, and direction based on DoD policies, mandates, architectures, and environments within the RMF Knowledge Service.
The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control. CCIs bridge the gap between high-level policy expressions and low-level technical implementations. DoD has taken every security control and associated enhancements within the Security Controls Catalog and decomposed them into individual measurable statements.
CCIs:
• Do not change the meaning or intent of a security control
• Are simply a breakdown of each individual requirement within the security control
• Are given a numeric label
• Provide specific implementation guidance and assessment procedures
Control Correlation Identifiers Guidance
A Common Control Identifier gives us specific DoD guidance and procedures for implementing and assessing the security controls.
For example, when implementing IR-7 security controls, the Common Control Identifiers (CCI-000839 through CCI-000842) guide us to:
• (CCI-000839) Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents
• (CCI-000840) Employ automated mechanisms to increase the availability of incident response-related information and support
• (CCI-000841) Establish a direct cooperative relationship between its incident response capability and external providers of information system protection capability
• (CCI-000842) Identify organizational incident response team members to the external providers
Control Correlation Identifiers Guidance Cont
At this time, DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing.
Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users.
In assessing this security control, we will identify and interview as necessary to determine if the CCIs are fulfilled. As DoD requires us to implement an automated intra-organization incident response information sharing capability, we must determine if this capability is implemented.
This implementation is intended to provide information and support such as standard operating procedures for incident reporting, incident handling frequently asked questions, current incident activity awareness information, incident response contact information, and incident report submissions.
Control Correlation Identifiers Example
[Figure: Control Correlation Identifiers example table covering IR-7 (1), IR-7 (2)(a), and IR-7 (2)(b), with columns for the organization being inspected/assessed and the organization conducting the inspection/assessment; the readable content of this table is given in the Long Description of this example.]
Select the image above to progress through a Control Correlation Identifiers example
[Figure: the same Control Correlation Identifiers example table with the IR-7 (1) control number highlighted.]
The Incident Response Family IR-7 ( 1) is a specific control to address Incident Response AssistancelAutomation Support For Availability Of Information Support
[Figure: the same Control Correlation Identifiers example table with the CCI label highlighted.]
The control is given a CCI number 000840
~
Tho --bot Tht--~~tidrMMbullud_H~ _ mpecWNHMHlMftl ___ ____ ~IOMJThtlp- topwa_rH_M_NNCHINl~ffl cMlcbull W U llMCt to uMrt W aallt1MCe ol thoH HMCff ~ 11Md I ~-middotmiddot--Y ____~ ~fVSlft~illhOnLO
Mt-et II M 1ftCldert ~
MMebull lo cotUct Tht -middot- Tht ___pectt6nMut ~ ~ obtMllll s -nne1 tht_____ ------wv---_~ ---_~ 10 0 __- _ -lomiddotmiddot---shy--_ I SOPlor--O 2 ~deg
) o Y-middot_ rHponM Conucts ~ _
Tht --bot TIM--~ lfltpeC1tidiMMUed bulllhtlilliM ~ otllMM s t1lit
fMCWodc ~ -MNCbull ptcMdef Wt CfJl)ltO 1ti1 - bull m wrren1 -middot--middotmiddot-middot ----- (QCllSP - shyTN Olll)lll zbullM bMt9 Tllif OfflllVbulldeg c0fdut19 a lfltpKlMUM tnull prNde Mii 1M91CbOftUffllrntinC Md_ tht upctae 1bt bull11 o1 tm11 llllttdMI Mt wwetnlll PifM bullbullbull~ JM ~mt_ bullbull MltHJaY to wMilbull bull 11 eccurlllbull and c_ ke ___ tlM ~ CNOSP -CHOSP____ __ C--N ___lllO ---Mt CJlOSPshy -oc1
Page 17 of 23 Back Next
---
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example
CCIOoshy
IR-1 A-1 CO- no___- Tho __ Tht--~t fHSIOMbull IUIJPM flICMilU ti lO the specttclr_IMCf Hfaibllltl MPKtflftHtfflmenl ~onll~ fHpOftH capiibMy lftCdtiril rnpoftM ~MNCe Of9ilV-oNI VHft to _ tllftHamp fl ma~~Md nace 10 Mllogow bullbull rr POHJt to~~ rHpMM 9tIPPOft middot~ Md -1bull ollllt-JY(tmloflllt_ --u-010-lof n-tMIMM_n_lllOd I--middotuany -~-middotmiddot-~--middot-y-- __--lO
_ff 11 idlnlI M ~ HSOONbull ~ MNCe to COlUCI
Rmiddot1 (1) Amiddot1 (1) The organizat ion employs automated Tho --bull_impecbatllbulluu olilaM ft x tht mechanisms to Increase the availability of
--- ---- C-Y__bololy IO-o IN__~incident response-related Information and _ - __ support _
----middot ~~~-~ l c~ bull deg - tclfleyFor each ~ fftPQnM COfll-ICImeasurable -shy
statement shys---shyTho __ Thi--~Thtot--bullbulloct c~MLll11s mspecte6assustcl rnmt ~ bull ~anbulltslNftl~ mtd IM
- middot-~ysmshy~__MtMlkMNCt prCMdet __wtQ~ lot II 9 CUfWll ----middot-- --cloc--hcopoWry (QC)SP) Mid shyTho__ Tho_ c-g lllollH C2) A-7 (2)(b) Thl0t~-middot~shy -OIHuocl-l~ond _ _ ___~ tflpenM tt ~tom tXltmal pnMdiln upclabull the bullbull Cl ~ ~~middot bullbull ~
POftM mttntltta bullbull MCairt to II ecc Md CllilNWll ~ ttw~lllo~eltlltCHOSP _CHOSP___ - -- __pon--MOylhollt
CtlOSP19- middot- The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog
Page 17 of 23 Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example ConltOI 800-53 CoonltOI CCINumber Tut lndlcalOf
IRmiddot1 IRmiddot7 CCfOOOll39 Tht Ofgltlltuotl ~ 811 ~ Tht OttJfUllOtl btillf The OtPitlllOlI COlOicl1119 I rt ftgtOMt ~Pl rtsourct lflttgltal 10 11W itlsptltttdlubullbull bullbulltdWil t ltbullblitJI 811 lnbullPtCtfoNbullbullbullbullbullbullmtlaquo nl lflltMtW OtfMllbullion11 itlC1I ffbullpotIM capaWlaquoy itlCldttlt pot bull11P1gtM bulltMCt organit8li0flal 11bullotri 10 dt-1 41_ d IPIbull ohf$ ~ Wld bullbullSttt811Ct 10 U$tff ~ 10 811 IT lltlpbullbullJc lO ~ ilICiltlttll tttporM $Upp)fl $tMCtt and qualily ti d Ult lftlltlOft sytiem fot 1111 hlftdlbullO 4MCbull and HtlftMCt 10 uwbull fot bullbullbullitctnet ol u~ bullbulllYicbullbull wMll 11Md bull
The organization being The organization conducting the inspectedassessed will implement an inspectionassessment obtains and examines the automated intra-organization incident incident response information sharing capabil ity response information incident related to validate the information sharing capability is information and support for example available to organizational users 1 SOP for Incident reporting 2 Incident handl ing FAQ -
3 Current incident activity awareness Information DoD specific guidance
4 Incident response contact and procedures Information
5 Incident report submissionIR-7 (2) IRbull7 (2) (bull)
pror_Mfs of~ system l)IOlICbOn nttworit dfftntbull StNCt ~ ~lllotl Mid Ct-IOSP lO lllidale bull 11 Wlftfll cap1bilily (CNOSP) Md Wllid
IRmiddot7 (2) IRmiddot7 (2) (b) CCl-0008A2 OfptllZMIOlI ~middotOlpZltiOfI Tht Ot1PfiZlllOn bttfIO The ~middotdeg CltMWMl(t tM ~ rt t-pofSe 1ebull m fNfllbtft 10 the itlf9Kttdfbullbullbullbullbullbulled ~ ttWI itlSpeltllOtlfbullbullbullbullbullbulltntfll obi Wld middot~middot lht UClemai~bull u~e llle lilt ol intemll incidenl list ol illlemal inCidetll re-tp(lltM tbullllM mtnlben
tHPottM teem mtmbers bull s MCeSSMy 10 91MUce ll bullbull ccbullbull and cunent lnteMeWS 1htoughOIA lhe WCydt Of the CNOSP With CttOSP pertdeg~~MOt11 gr-Mmt_ ilI conpincbOn Mth lhe lteidttll rttPolM te lflI mtmbtrbull nwy bullbullo be CNOSP flltfll ~ed~
DOD provides guidance and procedures This supplemental guidance reflecting automated mechanisms can provide a push pull capability for users seeking incident response assist ance For example individuals m ight query the assistance capability via a website or conversely the assistance capabil ity may preemptively send informat ion to users (general dist ribution or target ed) as part of increasing understanding of current response capabilit ies and support
Page 17 of 23 Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example ConltOI 800-53 CoonltOI CCINumber Tut lndlcalOf
IRmiddot1 IRmiddot7
Long Descript ion
A typical Control Correlation Identifiers entry is comprised of
bull Control Number IR-7 ( 1) is highlighted The Incident Response Family IR-7 ( 1) is a specific control to address Incident Response Assistance IAutomation Support For Availability Of Information Support
bull CCI label highlighted The control is given a CCI number 000840
bull CCI definition is highlighted The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog
IR-7 (2) IRbull7 (2) (bull) bull Guidance is highlighted DoD provides guidance and
procedures This supplemental guidance reflecting automated mechanisms can provide a push pull capability for
IRmiddot7 (2) IRmiddot7 (2) (b) users seeking incident response assistance For example individuals might query the assistance capability via a website or conversely the assistance capability may preemptively send information to users (general distribution
DOD provides or targeted) as part of increasing understanding of current can provide a response capabilities and support individuals m i
_ 41 StMCff qualily ti bullbullwMll11Md bull
d examines tile ring capabil ity capability is
c guidance ures
-
cunent lnteMeW5~deg -middot-bullbullbull ted mechanisms xample tance capabil ity
may preemptively send informat ion to users (general distri bution or target ed) as part of increasing understanding of current response capabilit ies and support
I Page17of 23 I Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Common Control I dentifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCls also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs) In RMF Step 1 while defining our system and authorization boundary we identi fied the hardware and software requirements
We can use that initial list to establish a list o f applicable STIGs for the In formation or PIT system
I Pbull ge18of23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs) Cont
When a STIG is not available for the specific hardware or software application we will use on our system a Security Requirements Guide (SRG) may be used
SRGs are a compilation of security controls and Control Correlation Identifiers (CCis) grouped into more applicable specific technology areas at various levels of technology and product specificity An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STGs) There are basically two types of SRGs
The first group are four Core SRGs which deal with Applications Networking Devices Operating Systems and Policy The second group are technology specific SRGs A Technology specific SRG is a child of a Core SRG For example the Database SRG was derived from the requirements in the Application SRG
I Page 19of23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
The Purpose and Implementation Of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes the individual CCs may be incorporated as appropriate into initial Statements of Work or Objectives System Requirements Documents Contract Data Requirements Lists (CDRLs) and Integrated Master Plans Schedules ( IMPs IMSs)
CCs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design the ISSM and SSE should fully participate in Integrated Process Team ( PT) analyses trades configuration management risk deliberations and throughout Systems Engineering Technical Review (SETR) processes and reviews
Page 20 of 23
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.
Especially consider when a vendor or organization has used automation to allow them to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.
The Department of Defense Instruction (DoDI) 8500 Series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs).
In the absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance, or National Information Assurance Program (NIAP) Protection Profiles.
National Information Assurance Program
The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST).
Page 21 of 23
Knowledge Review 3
The Department of Defense (DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual measurable statements referred to as (fill in the blank):
[ ] DoD Security Controls
[ ] Common Security Controls
[x] Control Correlation Identifiers
[ ] Security Controls Catalog
Check Answer
The Department of Defense (DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlation Identifiers.
Page 22 of 23
Lesson Completion
You have completed the content for this lesson.
To continue, select another lesson from the Table of Contents on the left.
If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.
Page 23 of 23
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation
The Security Controls Explorer, found within the RMF Knowledge Service, provides implementation guidance and best practices for implementing security controls. This resource is critical when implementing security controls within DoD.
Within the list for each security control, DoD has assigned specific values, implementation guidance, and assessment procedures. These can be used to manage and document the RMF process. In addition to the Knowledge Service, these procedures can be found in the DoD Enterprise Mission Assurance Support Service (eMASS).
AC-1 ACCESS CONTROL POLICY AND PROCEDURES
Control Text: The organization: a. Develops, documents, and disseminates to [all personnel]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Annually]; and 2. Access control procedures [Annually].
Supplemental Guidance
References
Security Categorization
Implementation Guidance and Assessment Procedures
Page 13 of 23
Long Description
AC-1 Access Control Policy and Procedures
• Control Text: The organization: a. Develops, documents, and disseminates to [all personnel]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Annually]; and 2. Access control procedures [Annually].
• Supplemental Guidance
• References
• Security Categorization
• Implementation Guidance and Assessment Procedures
Users can view control details.
Control Correlation Identifier (CCI)
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides specific security control information that can be applied to all US Government information systems.
However, DoD has provided amplifying guidance, requirements, and direction based on DoD policies, mandates, architectures, and environments within the RMF Knowledge Service.
The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control. CCIs bridge the gap between high-level policy expressions and low-level technical implementations. DoD has taken every security control and associated enhancements within the Security Controls Catalog and decomposed them into individual measurable statements.
CCIs:
• Do not change the meaning or intent of a security control
• Are simply a breakdown of each individual requirement within the security control
• Are given a numeric label
• Provide specific implementation guidance and assessment procedures
Page 14 of 23
Control Correlation Identifiers Guidance
A Control Correlation Identifier gives us specific DoD guidance and procedures for implementing and assessing the security controls.
For example, when implementing the IR-7 security controls, the Control Correlation Identifiers (CCI-000839 through CCI-000842) guide us to:
• (CCI-000839) Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents
• (CCI-000840) Employ automated mechanisms to increase the availability of incident response-related information and support
• (CCI-000841) Establish a direct, cooperative relationship between its incident response capability and external providers of information system protection capability
• (CCI-000842) Identify organizational incident response team members to the external providers
Page 15 of 23
Control Correlation Identifiers Guidance (Cont.)
At this time, DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing.
Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users.
In assessing this security control, we will identify and interview as necessary to determine if the CCIs are fulfilled. As DoD requires us to implement an automated intra-organization incident response information sharing capability, we must determine if this capability is implemented.
This implementation is intended to provide information and support such as standard operating procedures for incident reporting, incident handling frequently asked questions, current incident activity awareness information, incident response contact information, and incident report submissions.
Page 16 of 23
Control Correlation Identifiers Example
[Figure: a Control Correlation Identifiers entry for IR-7 as displayed in the RMF Knowledge Service, shown as a table with columns Control, 800-53 Control, CCI Number, Text, and Indicator and rows for IR-7, IR-7 (1), IR-7 (2)(a), and IR-7 (2)(b).]
Select the image above to progress through a Control Correlation Identifiers example.
The Incident Response Family IR-7 (1) is a specific control to address Incident Response Assistance | Automation Support for Availability of Information Support.
The control is given a CCI number, 000840.
IR-7 (1): The organization employs automated mechanisms to increase the availability of incident response-related information and support.
The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog.
Readable portion of the figure, the row for IR-7 (1) (CCI-000840):
• Implementation guidance: The organization being inspected/assessed will implement an automated intra-organization incident response information sharing capability that provides incident-related information and support, for example: 1. SOP for incident reporting; 2. Incident handling FAQ; 3. Current incident activity awareness information; 4. Incident response contact information; 5. Incident report submission.
• Assessment procedure: The organization conducting the inspection/assessment obtains and examines the incident response information sharing capability to validate the information sharing capability is available to organizational users.
• Indicator: DoD specific guidance and procedures.
DoD provides guidance and procedures. This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website, or conversely the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
Long Description
A typical Control Correlation Identifiers entry is comprised of:
• Control Number (IR-7 (1) is highlighted): The Incident Response Family IR-7 (1) is a specific control to address Incident Response Assistance | Automation Support for Availability of Information Support.
• CCI label (highlighted): The control is given a CCI number, 000840.
• CCI definition (highlighted): The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog.
• Guidance (highlighted): DoD provides guidance and procedures. This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website, or conversely the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
Page 17 of 23
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.
We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.
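The following Python script is an added example, not part of the ISA220 lesson or of any DoD tool; it shows how the CCI traceability described above works in practice by reading STIG rule results keyed by CCI and rolling them up to the IR-7 controls from the earlier example. The XCCDF-style checklist fragment, its rule identifiers (SV-EXAMPLE-*), the ident system URI, and the pass/fail results are all constructed for the example.

```python
"""Added example (not part of the ISA220 lesson or any DoD tool): tracing
STIG rule results back to NIST SP 800-53 controls through CCIs.  The four
CCIs are the IR-7 entries the lesson walks through; the XCCDF-style checklist
fragment, its rule ids, <ident> URI and results are constructed sample data."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CCI:
    """One measurable statement decomposed from a control (same intent)."""
    cci_id: str      # numeric label, e.g. CCI-000840
    control: str     # control or enhancement it breaks down, e.g. IR-7 (1)
    definition: str  # the statement itself, abbreviated here

IR7_CCIS = (
    CCI("CCI-000839", "IR-7", "Provide an incident response support resource"),
    CCI("CCI-000840", "IR-7 (1)", "Employ automated mechanisms to increase the "
        "availability of incident response-related information and support"),
    CCI("CCI-000841", "IR-7 (2)(a)", "Establish a direct cooperative relationship "
        "with external providers of information system protection capability"),
    CCI("CCI-000842", "IR-7 (2)(b)", "Identify organizational incident response "
        "team members to the external providers"),
)

# Constructed fragment in the style of an XCCDF TestResult: each rule result
# carries <ident> elements naming the CCIs the rule maps to.  Ids, URI and
# results are made up for this example, not taken from any published STIG.
SAMPLE_RESULTS_XML = """<TestResult>
  <rule-result idref="SV-EXAMPLE-1">
    <result>pass</result>
    <ident system="http://example.invalid/cci">CCI-000840</ident>
  </rule-result>
  <rule-result idref="SV-EXAMPLE-2">
    <result>fail</result>
    <ident system="http://example.invalid/cci">CCI-000841</ident>
    <ident system="http://example.invalid/cci">CCI-000842</ident>
  </rule-result>
  <rule-result idref="SV-EXAMPLE-3">
    <result>notapplicable</result>
    <ident system="http://example.invalid/cci">CCI-000839</ident>
  </rule-result>
</TestResult>"""


def parse_rule_results(xml_text):
    """Return {rule_id: (result, [CCI ids])} from the checklist fragment."""
    out = {}
    for rr in ET.fromstring(xml_text).iter("rule-result"):
        result = (rr.findtext("result") or "unknown").strip()
        ccis = [i.text.strip() for i in rr.findall("ident")
                if i.text and i.text.strip().startswith("CCI-")]
        out[rr.get("idref")] = (result, ccis)
    return out


def cci_traceability(rule_results):
    """CCI id -> rule ids mapped to it: the traceability the lesson describes."""
    trace = defaultdict(list)
    for rule_id, (_, ccis) in rule_results.items():
        for cci in ccis:
            trace[cci].append(rule_id)
    return dict(trace)


def cci_status(rule_results, cci_id):
    """'compliant' only if every applicable mapped rule passed, 'non_compliant'
    if any failed, 'not_assessed' if no applicable rule maps to the CCI."""
    applicable = [res for res, ccis in rule_results.values()
                  if cci_id in ccis and res != "notapplicable"]
    if not applicable:
        return "not_assessed"   # examine/interview must cover it instead
    if any(res == "fail" for res in applicable):
        return "non_compliant"
    if all(res == "pass" for res in applicable):
        return "compliant"
    return "not_assessed"       # 'unknown', 'error', 'notchecked' and similar


def control_rollup(rule_results, ccis=IR7_CCIS):
    """Roll CCI statuses up to the parent control.  A CCI is a breakdown of the
    control, not a reinterpretation, so every CCI must be compliant first."""
    per_control = defaultdict(list)
    for cci in ccis:
        per_control[cci.control].append(cci_status(rule_results, cci.cci_id))
    rollup = {}
    for control, statuses in per_control.items():
        if "non_compliant" in statuses:
            rollup[control] = "non_compliant"
        elif "not_assessed" in statuses:
            rollup[control] = "not_assessed"
        else:
            rollup[control] = "compliant"
    return rollup


if __name__ == "__main__":
    results = parse_rule_results(SAMPLE_RESULTS_XML)
    for control, status in control_rollup(results).items():
        print(f"{control:12} {status}")
```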
Page 18 of 23
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs) Cont
When a STIG is not available for the specific hardware or software application we will use on our system a Security Requirements Guide (SRG) may be used
SRGs are a compilation of security controls and Control Correlation Identifiers (CCis) grouped into more applicable specific technology areas at various levels of technology and product specificity An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STGs) There are basically two types of SRGs
The first group are four Core SRGs which deal with Applications Networking Devices Operating Systems and Policy The second group are technology specific SRGs A Technology specific SRG is a child of a Core SRG For example the Database SRG was derived from the requirements in the Application SRG
I Page 19of23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
The Purpose and Implementation Of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes the individual CCs may be incorporated as appropriate into initial Statements of Work or Objectives System Requirements Documents Contract Data Requirements Lists (CDRLs) and Integrated Master Plans Schedules ( IMPs IMSs)
CCs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design the ISSM and SSE should fully participate in Integrated Process Team ( PT) analyses trades configuration management risk deliberations and throughout Systems Engineering Technical Review (SETR) processes and reviews
I Page20of 23 I Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls organizations should reference other relevant documentation This could include but is not limited to configuration of solutions to meet security control and control correlation identifier requirements from product vendors or o ther organizations that have employed the same or similar Information or PIT systems
Especially consider when a vendor or organization has used automation to allow them to maximize communica tions and increase the overall efficiency and cost effectiveness of their security control implementation
The Department of Defense Instruction DoDI) 8500 Series mandates the use of Security Technical Implementation Guides STIGs) and Security Requirements Guidelines SRGs)
In absence of SRGs or STIGs for a particular solution or implementation you may use National Security Agency NSA) Secure Configuration Guidelines NIST guidance or Natjonal Information Assurance Program NIAP) Protection Profiles
I Pbull ge 21 of 23 I Back Next
ISA220 Risk Management Framework for Practitione rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Additional Security Control Implementation Guidance
Jn addition to using the RMF Knowledge Service to assist you in implementing security controls organizations should reference other relevant documentation This could include but is no t limited to configuration o f solutions to meet security control and control correla tion identi fier requiremen ts from product vendors or o ther organizations that have employed the same or similar Jnformation or PIT systems
Especially consider when a vendor or organization has used automation to allow them to~-llilliwimiddot~----------------------bull communications and increase theand cost effectiv eness of their se National Information Assurance Program implementation The National In formation Assurance Partnership NIAP) is a
United States government initiative to meet the securityThe Department of Defense Instn testing needs of both information technology consumers andSeries mandates the use of Secur producers that is operated by the National Security AgencyImplementation Guides STJGs) ar NSA) and was originally a joint effort between NSA andRequirements Guidelines SRGs) the National Institute of Standards and Technology NIST)
Jn absence of SRGs or STJGs for lt For more information please visit or implementation you may use N f fm Agency (NSA) Secure Configuratimiddot ttos w nia ic v rolRh Cih l lww o-ic ie smiddoto e IW atisN AIPCESmiddotcmiddotI guidance or National Information Assurance Program NIAP) Protection Profiles
-41111111 I Page 21 of 23 Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Knowledge Review 3
The Department of Defense DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology NJST) Special Publication (SP) 800- 53 and decomposed them into individual measurable statements referred to as (Fill in the blank)
DoD Security Controls
LJ Common Security Con trols
~ Control Correlation Identifiers
Security Controls catalog
Check Answ er
The Department of Defense DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlatio n I de nt ifiers
I Pbull ge 22 of 23 I Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Lesson Completion
You have completed the content for this lesson
To continue select another lesson from the Table o f Contents on the left
If you have closed or hidden the Table of Contents click the Show TOC button at the top in the Atlas navigation bar
I Pbull ge23of23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Guidance within the RMF Knowledge Service Security Control Explorer to Support Security Control Implementation
The Security Controls Explorer found within the RMF Knowledge Service provides implementation guidance and best practices for implementing security controls This resource is critical when implementing security controls within DoD
uidance and assessme ition to the
Long DescriptionKnowledg pport Service (
AC- I Access Control Policy and Procedures
bull Control Text The organization a Develops documents and disseminates to [all personnel] 1 An access control policy that addresses purpose scope roles responsibilities management commitment coordination among organizational entities and compliance and 2 Procedures to facilitate the implementation of the access control policy and associated access controls and b Reviews and updates the current 1 Access control policy [Annually] and 2 Access control procedures [Annually]
Su bull Supplemental Guidance Users can view control details bull References
Re bull Security Ca tegorization bull Implementation Guidance and Assessment Procedures_____________________________________________________
Se
Implementation Guidance and Assessment Procedures
I Page13of23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifier (CCT)
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800- 53 Securit y and Privacy Cont rols for Federa l I nformation Systems and Organizations provides specific security control information that can be applied to all US Government information systems
However DoD has provided amplifying guidance requirements and direction based on DoD policies mandates architectures and environments within the RMF Knowledge Service
The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control CCi s bridge the gap between high- level policy expressions and low- level technical implementations DoD has taken every security control and associated enhancements within the Security Controls Catalog and decomposed them into individual measurable statements
CCi s
bull Do not change the meaning or intent of a security control
bull Are simply a breakdown of each individual requirement within the security control
bull Are given a numeric label
bull Provide specific implementation guidance and assessment procedures
I Page14of 23 I Back Next
ISA220 Risk Management Framework for Practitioner s Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Guidance
A Common Control Identifier gives us specific DoD guidance and procedures for implementing and assessing the securi ty controls
For example when implementing IR- 7 security controls the Common Control Identifiers (CCI- 000839 through CCl- 000842) guides us to
bull (CCl-000839) Provide an incident response support resource integral to the organiza tional incident response capabili ty that offers advice and assistance to users o f the information system for the handling and reporting o f security inciden ts
bull (CCI-000840) Employ automated mechanisms to increase the availability of incident response-related information and support
bull (CCI-000841) Establish a direct cooperative relationship between its incident response capability and external providers of information system protection capability
bull (CCI-000842) Identify organizational incident response team members to the external providers policy
I Page15of23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Guidance Cont
At this time, DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing.
Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users.
In assessing this security control, we will identify and interview as necessary to determine if the CCIs are fulfilled. As DoD requires us to implement an automated intra-organization incident response information sharing capability, we must determine if this capability is implemented.
This implementation is intended to provide information and support such as standard operating procedures for incident reporting, incident handling frequently asked questions, current incident activity awareness information, incident response contact information and incident report submissions.
Control Correlation Identifiers Example
[Figure: Control Correlation Identifiers example. The image is a table with columns Control, 800-53 Control, CCI Number, Text and Indicator, with rows for IR-7, IR-7 (1), IR-7 (2)(a) and IR-7 (2)(b). Selecting the image steps through the entry, highlighting in turn the control number, the CCI label, the CCI definition and the DoD guidance. The readable text recovered from the IR-7 (1) row follows.]

IR-7 (1), CCI-000840: The organization employs automated mechanisms to increase the availability of incident response-related information and support.

Implementation (DoD specific guidance and procedures): The organization being inspected/assessed will implement an automated intra-organization incident response information sharing capability to provide incident-related information and support, for example: 1. SOP for incident reporting; 2. Incident handling FAQ; 3. Current incident activity awareness information; 4. Incident response contact information; 5. Incident report submission.

Assessment: The organization conducting the inspection/assessment obtains and examines the incident response information sharing capability to validate that the information sharing capability is available to organizational users.
Long Description
A typical Control Correlation Identifiers entry is comprised of:
• Control Number: IR-7 (1) is highlighted. The Incident Response Family IR-7 (1) is a specific control to address Incident Response Assistance / Automation Support For Availability Of Information Support.
• CCI label is highlighted: The control is given a CCI number, 000840.
• CCI definition is highlighted: The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog.
• Guidance is highlighted: DoD provides guidance and procedures. This supplemental guidance reflecting automated mechanisms can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website or, conversely, the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.
We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs) Cont
When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.
SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.
The first group is the four Core SRGs, which deal with Applications, Networking Devices, Operating Systems and Policy. The second group is the technology-specific SRGs. A technology-specific SRG is a child of a Core SRG; for example, the Database SRG was derived from the requirements in the Application SRG.
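As an added example (not part of the ISA220 course and not DISA tooling), the following Python script shows the kind of traceability that CCIs make possible: it indexes a small, constructed CCI-list fragment by NIST SP 800-53 control, then, for a system's selected controls (here the IR-7 controls used in this lesson), reports which CCIs a STIG rule checks and which must be assessed by examining artifacts and interviewing staff. The XML element names follow the general layout of DISA's CCI list, but the fragment, the hypothetical STIG rule id `SV-EXAMPLE-001` and the control selection are all constructed for this example.

```python
# Added example (not ISA220 course material or DISA tooling): index a CCI
# list fragment by NIST SP 800-53 control and trace a system's controls to
# the CCIs that decompose them and to the STIG rules that check those CCIs.
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the four IR-7 CCIs named in the lesson. Element names
# follow the general layout of the DISA CCI list (cci_item / definition /
# reference index), but this is not the published file; the real file also
# declares an XML namespace that a parser for it would have to carry.
CCI_LIST_XML = """<?xml version="1.0"?>
<cci_list>
  <cci_items>
    <cci_item id="CCI-000839">
      <definition>Provide an incident response support resource integral to the organizational incident response capability.</definition>
      <references><reference creator="NIST" title="NIST SP 800-53" version="4" index="IR-7"/></references>
    </cci_item>
    <cci_item id="CCI-000840">
      <definition>Employ automated mechanisms to increase the availability of incident response-related information and support.</definition>
      <references><reference creator="NIST" title="NIST SP 800-53" version="4" index="IR-7 (1)"/></references>
    </cci_item>
    <cci_item id="CCI-000841">
      <definition>Establish a direct cooperative relationship between the incident response capability and external providers.</definition>
      <references><reference creator="NIST" title="NIST SP 800-53" version="4" index="IR-7 (2) (a)"/></references>
    </cci_item>
    <cci_item id="CCI-000842">
      <definition>Identify organizational incident response team members to the external providers.</definition>
      <references><reference creator="NIST" title="NIST SP 800-53" version="4" index="IR-7 (2) (b)"/></references>
    </cci_item>
  </cci_items>
</cci_list>
"""

# Constructed STIG/SRG rule-to-CCI mapping with a hypothetical rule id; real
# rules and their CCI references come from the DISA STIG or SRG content.
STIG_RULES = {"SV-EXAMPLE-001": {"CCI-000840"}}

# Controls selected for the system in this lesson (IR-7 and its enhancements).
SYSTEM_CONTROLS = ["IR-7", "IR-7 (1)", "IR-7 (2)"]


def normalize_control(index):
    """Reduce a reference index such as 'IR-7 (2) (a)' to the control or
    enhancement it belongs to, here 'IR-7 (2)'."""
    m = re.match(r"\s*([A-Z]{2}-\d+)(?:\s*\((\d+)\))?", index)
    if not m:
        raise ValueError(f"unrecognized control index: {index!r}")
    base, enhancement = m.groups()
    return f"{base} ({enhancement})" if enhancement else base


def index_cci_list(xml_text):
    """Return {control: [(cci_id, definition), ...]} built from the CCI list."""
    by_control = defaultdict(list)
    for item in ET.fromstring(xml_text).iter("cci_item"):
        definition = item.findtext("definition", "").strip()
        for ref in item.iter("reference"):
            if ref.get("title") == "NIST SP 800-53":
                by_control[normalize_control(ref.get("index"))].append((item.get("id"), definition))
    return dict(by_control)


def trace_controls(controls, by_control, stig_rules):
    """Build traceability rows: each selected control, its CCIs, and the STIG
    rules that check each CCI. A CCI with no rule is assessed manually by
    examining artifacts and interviewing staff, as the lesson describes."""
    cci_to_rules = defaultdict(set)
    for rule, ccis in stig_rules.items():
        for cci in ccis:
            cci_to_rules[cci].add(rule)
    rows = []
    for control in controls:
        ccis = by_control.get(control)
        if not ccis:  # a selected control the CCI list does not decompose: flag it
            rows.append({"control": control, "cci": None, "checks": [], "method": "no CCI mapped"})
            continue
        for cci_id, _definition in ccis:
            rules = sorted(cci_to_rules.get(cci_id, ()))
            rows.append({"control": control, "cci": cci_id, "checks": rules,
                         "method": "STIG/SRG check" if rules else "manual examine/interview"})
    return rows


if __name__ == "__main__":
    for row in trace_controls(SYSTEM_CONTROLS, index_cci_list(CCI_LIST_XML), STIG_RULES):
        print(f"{row['control']:<10} {row['cci'] or '-':<11} {row['method']:<25} {', '.join(row['checks']) or '-'}")
```

Run as a script, it prints one row per CCI: IR-7 (1) / CCI-000840 is covered by the constructed STIG rule, while CCI-000839, CCI-000841 and CCI-000842 fall to manual assessment, which matches the examine-and-interview approach the lesson gives for the IR-7 family. A selected control that the CCI list does not decompose at all is reported as "no CCI mapped" so that the gap is visible rather than silently dropped.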
The Purpose and Implementation Of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated, as appropriate, into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs) and Integrated Master Plans/Schedules (IMPs/IMSs).
CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and SSE should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management and risk deliberations, and throughout Systems Engineering Technical Review (SETR) processes and reviews.
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.
Pay particular attention to cases where a vendor or organization has used automation to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.
The Department of Defense Instruction (DoDI) 8500 Series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guidelines (SRGs).
In the absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance or National Information Assurance Program (NIAP) Protection Profiles.
National Information Assurance Program
The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST). For more information, please visit the NIAP website.
Knowledge Review 3
The Department of Defense (DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual measurable statements referred to as (Fill in the blank):
• DoD Security Controls
• Common Security Controls
• Control Correlation Identifiers
• Security Controls Catalog
Check Answer
The Department of Defense (DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlation Identifiers.
Lesson Completion
You have completed the content for this lesson.
To continue, select another lesson from the Table of Contents on the left.
If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.
I Pbull ge23of23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifier (CCT)
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800- 53 Securit y and Privacy Cont rols for Federa l I nformation Systems and Organizations provides specific security control information that can be applied to all US Government information systems
However DoD has provided amplifying guidance requirements and direction based on DoD policies mandates architectures and environments within the RMF Knowledge Service
The CCI provides a standard identifier and description for each of the discrete tasks that comprise a security control CCi s bridge the gap between high- level policy expressions and low- level technical implementations DoD has taken every security control and associated enhancements within the Security Controls Catalog and decomposed them into individual measurable statements
CCi s
bull Do not change the meaning or intent of a security control
bull Are simply a breakdown of each individual requirement within the security control
bull Are given a numeric label
bull Provide specific implementation guidance and assessment procedures
I Page14of 23 I Back Next
ISA220 Risk Management Framework for Practitioner s Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Guidance
A Common Control Identifier gives us specific DoD guidance and procedures for implementing and assessing the securi ty controls
For example when implementing IR- 7 security controls the Common Control Identifiers (CCI- 000839 through CCl- 000842) guides us to
bull (CCl-000839) Provide an incident response support resource integral to the organiza tional incident response capabili ty that offers advice and assistance to users o f the information system for the handling and reporting o f security inciden ts
bull (CCI-000840) Employ automated mechanisms to increase the availability of incident response-related information and support
bull (CCI-000841) Establish a direct cooperative relationship between its incident response capability and external providers of information system protection capability
bull (CCI-000842) Identify organizational incident response team members to the external providers policy
I Page15of23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Guidance Cont
At this time DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing
Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users
In assessing this security control we will identify and interview as necessary to determine if the CCis are fulfilled As DoD requires us to implement an automated intra-organization incident response information sharing capability we must determine if this capability is implemented
This implementation is intended to provide information and support such as standard operating procedures for incident reporting incident handling frequently asked questions current incident activity awareness information incident response contact information and incident report submissions
I Page 16 of23 I Back Next
--
I
ISA220 Risk Management Framework for Practitioners Lesson 51 shy Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example
IH (IJ tR7 (I)
IH (2) 1R 7 (7)(a)
~middot
IR-7 (2) IR-7 (7)(11) ~middot2
n___ - n--~ --middot-fflOOM-t fHOlotrU Wt91 lO lM ~ldHlffMdWiii Ktlbltttl lllll~HIMlmillM Ri ~ llnCIClilinamp ~ tnellllllnl PGftM MIPSIOt MM(bull Of91112aGNI 614-rwM ~middotmiddotof IMl---H-bulltouun --toMrTdolll oo----middot----Vol
-bull-nldtMlto llMrSlor -ote-bullltll--bullmiddot-shy I_1_lortlgtt-09_WV_bull
Tho Of91Z-- bullllOYI -ed-__- _ ___ ood _
c~ bM Ila -middot-middotshy---middotr-bull-___ copoMlyTllo---middot--shy~ fHPQnM tbullem~ totM _
~---- ___shytnCIChnll Chen _Vf ~~to
-SYNI 4 M ~ tffOOfrH MlOft wttet to COftlaet
--9 ------1pectedlH-NPM~ lfllJllICUOrVbullbullbullUment obt_ ___the _____ -middotmiddotmiddot---middot-~ ---~~ middotmiddot-middotmiddoti---g~ middotmiddot~lhtlcl-g-Nllled -middotmiddot--~ I S()P lor--ng--- 2-~~Nl ) Currtflt ~ lctMCy ~
4 ffticldM rHponM CONlicl --5 - ltportmiddot- shy
n --~ wtspcttdlasMned mml ~a-ogr--middot-ftlhlOtlit cWeftM bullCbull pnMdel
(CtC)SP)n--o-o cttdlMloHffd mu1amp eftd folPClmbull tM bull1t of IPllltNll ~
n__- ~ususment otllMll _ampht _____OlpNZ ~ fft wlidllbull curr11
Tho 1H--C119 bulltplCUOfttHlffllftlllC otll lndi ~ tM llllt Of ifUfMll lfICllCMft rtolfOllllP
tHponM t-n INgt M MCetNfY ampo ute II eccwMd c11N Vi 1~ deg~ ollNCNOSP -Cl40SP _ i _ - middot--- -IHpotlMl____ _lhotio CllOSP- -
Select the image above to progress through a Control Correlation Identifiers example
Page 17 of 23 Back Next
__
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example
R-7 R -7 ~n_-_tffPGftM ~~ toN
----~~ -u Md nMIMCit bullo USlfS
GllM - tyoebullmtof lht ~___yshy
IR-7(1) 11111 ~-~ -oc1 JTMChMlbullmt lO lnCfenbull of
~niR -~- shy-
R middot7 QI R middot7(1)(a) C0-1 _ - COOlpldlNI betwHnill ____ y_
__oyushy
capololity R -7 (2) IH (11 C-1 n -bull_ shy~2
~ fKpilftM lt- ~ tothl__
I The--~
I --~
~MIUHllM ~ M MpeCtIONMfft __ ----middot __ ___ I
~ tbull en rt dHll 10 ~~ ponM luppailf MNCH Md qumy
---- _
-middot M_ _tolt11-g___ -middotolllgtOM middot--wMltI I_- _
lfIOdltltl thiM ~doc~ to _ 11 M WIOdett tnpOMt ppoft
Mnitebull to COdJCt
-middot-bo9mnbullPfdl6astbullbullffd ~ bull n---_ ~bullUS-lrMntMd tDnWlt9 the ___ - -- _bolily
--__blloey middotmiddot-middot ---_~ ___ --middotmiddot-- bullbull degdeg ---2-~lAO-shygt eun-Y-bull ~rn~conlXI s ___ -The -middot shy btolll n-- shy tOftCfuclonI lftspKltdasses1S mullbull~ a -----deg IMpKbOftlauusr etuiM md bullimnwws the __~ dtfMM MMCbull~ Clf99Nl_ llnd Ct~ 10 dlltdlee bull bull CUNtinl
(CtCgtSP) - shy __ Tho ~c-cto)tilo lntpKttdMHllecJ nlllll prcMde Md IMPKtINUMlllMN mcJ Chit 1M bullbull ol fttfNI iiMltdlN Ila el tn1MYI ~ _ bullbull_ rftMllMft _ tMIP ftWtnDln es MCbullbullJatY to bull la ecabulle MdC_ deg lht ~la GllM CNOSP - CNOSP ~-- shy-1lt1 c_ _---1middot----QIOSPshy
The Incident Response Family IR-7 ( 1) is a specific control to address Incident Response AssistancelAutomation Support For Availability Of Information Support
Pag e 17 of 23 Back Next
--
___
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example
IRmiddot1 IRmiddot7
CCI
COshy
CCI-no___ _ tHfIOIM aupoon tbullto1ttbull to tN ---rH-MUpobMy 1NI elrin ~MidMliiA-U 10 Wtra
dlM-bullibullmtot11M~ --d-yWM-S
--~_ ~-------_-_-shy-
1R 1 QI IHQl(ll CO-I TM~Hl-bullclortd CoopedlNe ~
- bullbullbull-clflllY _ txtipo-d_ cwty
C0-2 TIM_bull ___IR-7 2) IRmiddot7 QI (11) iflCldlN tH$IOM4 Ibull~ to tM txtotNI_
The control is given a CCI number 000840
~
Tho --bot Tht--~~tidrMMbullud_H~ _ mpecWNHMHlMftl ___ ____ ~IOMJThtlp- topwa_rH_M_NNCHINl~ffl cMlcbull W U llMCt to uMrt W aallt1MCe ol thoH HMCff ~ 11Md I ~-middotmiddot--Y ____~ ~fVSlft~illhOnLO
Mt-et II M 1ftCldert ~
MMebull lo cotUct Tht -middot- Tht ___pectt6nMut ~ ~ obtMllll s -nne1 tht_____ ------wv---_~ ---_~ 10 0 __- _ -lomiddotmiddot---shy--_ I SOPlor--O 2 ~deg
) o Y-middot_ rHponM Conucts ~ _
Tht --bot TIM--~ lfltpeC1tidiMMUed bulllhtlilliM ~ otllMM s t1lit
fMCWodc ~ -MNCbull ptcMdef Wt CfJl)ltO 1ti1 - bull m wrren1 -middot--middotmiddot-middot ----- (QCllSP - shyTN Olll)lll zbullM bMt9 Tllif OfflllVbulldeg c0fdut19 a lfltpKlMUM tnull prNde Mii 1M91CbOftUffllrntinC Md_ tht upctae 1bt bull11 o1 tm11 llllttdMI Mt wwetnlll PifM bullbullbull~ JM ~mt_ bullbull MltHJaY to wMilbull bull 11 eccurlllbull and c_ ke ___ tlM ~ CNOSP -CHOSP____ __ C--N ___lllO ---Mt CJlOSPshy -oc1
Page 17 of 23 Back Next
---
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example
CCIOoshy
IR-1 A-1 CO- no___- Tho __ Tht--~t fHSIOMbull IUIJPM flICMilU ti lO the specttclr_IMCf Hfaibllltl MPKtflftHtfflmenl ~onll~ fHpOftH capiibMy lftCdtiril rnpoftM ~MNCe Of9ilV-oNI VHft to _ tllftHamp fl ma~~Md nace 10 Mllogow bullbull rr POHJt to~~ rHpMM 9tIPPOft middot~ Md -1bull ollllt-JY(tmloflllt_ --u-010-lof n-tMIMM_n_lllOd I--middotuany -~-middotmiddot-~--middot-y-- __--lO
_ff 11 idlnlI M ~ HSOONbull ~ MNCe to COlUCI
Rmiddot1 (1) Amiddot1 (1) The organizat ion employs automated Tho --bull_impecbatllbulluu olilaM ft x tht mechanisms to Increase the availability of
--- ---- C-Y__bololy IO-o IN__~incident response-related Information and _ - __ support _
----middot ~~~-~ l c~ bull deg - tclfleyFor each ~ fftPQnM COfll-ICImeasurable -shy
statement shys---shyTho __ Thi--~Thtot--bullbulloct c~MLll11s mspecte6assustcl rnmt ~ bull ~anbulltslNftl~ mtd IM
- middot-~ysmshy~__MtMlkMNCt prCMdet __wtQ~ lot II 9 CUfWll ----middot-- --cloc--hcopoWry (QC)SP) Mid shyTho__ Tho_ c-g lllollH C2) A-7 (2)(b) Thl0t~-middot~shy -OIHuocl-l~ond _ _ ___~ tflpenM tt ~tom tXltmal pnMdiln upclabull the bullbull Cl ~ ~~middot bullbull ~
POftM mttntltta bullbull MCairt to II ecc Md CllilNWll ~ ttw~lllo~eltlltCHOSP _CHOSP___ - -- __pon--MOylhollt
CtlOSP19- middot- The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog
Page 17 of 23 Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example ConltOI 800-53 CoonltOI CCINumber Tut lndlcalOf
IRmiddot1 IRmiddot7 CCfOOOll39 Tht Ofgltlltuotl ~ 811 ~ Tht OttJfUllOtl btillf The OtPitlllOlI COlOicl1119 I rt ftgtOMt ~Pl rtsourct lflttgltal 10 11W itlsptltttdlubullbull bullbulltdWil t ltbullblitJI 811 lnbullPtCtfoNbullbullbullbullbullbullmtlaquo nl lflltMtW OtfMllbullion11 itlC1I ffbullpotIM capaWlaquoy itlCldttlt pot bull11P1gtM bulltMCt organit8li0flal 11bullotri 10 dt-1 41_ d IPIbull ohf$ ~ Wld bullbullSttt811Ct 10 U$tff ~ 10 811 IT lltlpbullbullJc lO ~ ilICiltlttll tttporM $Upp)fl $tMCtt and qualily ti d Ult lftlltlOft sytiem fot 1111 hlftdlbullO 4MCbull and HtlftMCt 10 uwbull fot bullbullbullitctnet ol u~ bullbulllYicbullbull wMll 11Md bull
The organization being The organization conducting the inspectedassessed will implement an inspectionassessment obtains and examines the automated intra-organization incident incident response information sharing capabil ity response information incident related to validate the information sharing capability is information and support for example available to organizational users 1 SOP for Incident reporting 2 Incident handl ing FAQ -
3 Current incident activity awareness Information DoD specific guidance
4 Incident response contact and procedures Information
5 Incident report submissionIR-7 (2) IRbull7 (2) (bull)
pror_Mfs of~ system l)IOlICbOn nttworit dfftntbull StNCt ~ ~lllotl Mid Ct-IOSP lO lllidale bull 11 Wlftfll cap1bilily (CNOSP) Md Wllid
IRmiddot7 (2) IRmiddot7 (2) (b) CCl-0008A2 OfptllZMIOlI ~middotOlpZltiOfI Tht Ot1PfiZlllOn bttfIO The ~middotdeg CltMWMl(t tM ~ rt t-pofSe 1ebull m fNfllbtft 10 the itlf9Kttdfbullbullbullbullbullbulled ~ ttWI itlSpeltllOtlfbullbullbullbullbullbulltntfll obi Wld middot~middot lht UClemai~bull u~e llle lilt ol intemll incidenl list ol illlemal inCidetll re-tp(lltM tbullllM mtnlben
tHPottM teem mtmbers bull s MCeSSMy 10 91MUce ll bullbull ccbullbull and cunent lnteMeWS 1htoughOIA lhe WCydt Of the CNOSP With CttOSP pertdeg~~MOt11 gr-Mmt_ ilI conpincbOn Mth lhe lteidttll rttPolM te lflI mtmbtrbull nwy bullbullo be CNOSP flltfll ~ed~
DOD provides guidance and procedures This supplemental guidance reflecting automated mechanisms can provide a push pull capability for users seeking incident response assist ance For example individuals m ight query the assistance capability via a website or conversely the assistance capabil ity may preemptively send informat ion to users (general dist ribution or target ed) as part of increasing understanding of current response capabilit ies and support
Page 17 of 23 Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example

[Image: Control Correlation Identifier table for the IR-7 family; the column headings and most row text are only partially legible in the source.]

Long Description

A typical Control Correlation Identifiers entry is comprised of:

• Control Number: IR-7 (1) is highlighted. The Incident Response Family IR-7 (1) is a specific control to address Incident Response Assistance | Automation Support For Availability Of Information Support.
• CCI label: highlighted. The control is given a CCI number, 000840.
• CCI definition: highlighted. The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog.
• Guidance: highlighted. DoD provides guidance and procedures. This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website, or conversely the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs)

CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.

We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs) Cont

When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.

SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.

SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.

The first group is the four Core SRGs, which deal with Applications, Networking Devices, Operating Systems and Policy. The second group is technology-specific SRGs. A technology-specific SRG is a child of a Core SRG; for example, the Database SRG was derived from the requirements in the Application SRG.
The Purpose and Implementation Of Control Correlation Identifiers

As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated, as appropriate, into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs) and Integrated Master Plans/Schedules (IMPs/IMSs).

CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.

To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and SSE should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management and risk deliberations, and throughout Systems Engineering Technical Review (SETR) processes and reviews.
Additional Security Control Implementation Guidance

In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.

Especially consider when a vendor or organization has used automation to allow them to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.

The Department of Defense Instruction (DoDI) 8500 Series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guidelines (SRGs).

In the absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance or National Information Assurance Program (NIAP) Protection Profiles.
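The selection order described on the two STIG/SRG pages and on this page (a product-specific STIG first, then an SRG traced back to its Core SRG, then NSA, NIST or NIAP guidance when neither exists) is easy to script against the hardware and software list produced in RMF Step 1, so that items with no STIG or SRG are flagged for ISSM review rather than silently left unconfigured. The Python below is an example added for this edit, not course material or DISA tooling. Its product names, the STIG and SRG catalogs, the Core SRG names and the SRG parent relationships other than the Database SRG deriving from the Application SRG are constructed for illustration.

```python
"""Resolve which DoD configuration guidance applies to each item in a system's
RMF Step 1 hardware/software inventory, in the order the lesson gives:
product-specific STIG, then Security Requirements Guide (SRG), then NSA / NIST /
NIAP guidance when neither exists.

Example added for this edit; every catalog below is constructed, not DISA data.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# The four Core SRGs named in the lesson (exact guide names assumed).
CORE_SRGS = frozenset({"Application SRG", "Network Device SRG",
                       "Operating System SRG", "Policy SRG"})

# Technology-specific SRG -> the Core SRG it derives from. Database SRG ->
# Application SRG is the lesson's own example; the other two are constructed.
SRG_PARENT = {
    "Database SRG": "Application SRG",
    "Web Server SRG": "Application SRG",   # constructed
    "Router SRG": "Network Device SRG",    # constructed
}

# Constructed catalogs keyed by a normalised product name.
STIG_CATALOG = {"example rdbms 12": "Example RDBMS 12 STIG"}   # constructed
SRG_COVERAGE = {                                                 # constructed
    "example rdbms 12": "Database SRG",
    "acme dbms 3": "Database SRG",
    "acme edge router": "Router SRG",
}
FALLBACK = "NSA Secure Configuration Guidelines / NIST guidance / NIAP Protection Profile"


@dataclass
class GuidanceDecision:
    product: str
    tier: str       # "STIG", "SRG" or "FALLBACK"
    source: str     # the guide (or fallback family) to configure against
    lineage: list[str] = field(default_factory=list)  # SRG chain up to its Core SRG


def normalise(product: str) -> str:
    """Match inventory spellings such as 'Example-RDBMS 12' against catalog keys."""
    return " ".join(product.replace("-", " ").split()).lower()


def srg_lineage(srg: str) -> list[str]:
    """Walk a technology-specific SRG back to its Core SRG; reject broken chains."""
    chain = [srg]
    while chain[-1] not in CORE_SRGS:
        parent = SRG_PARENT.get(chain[-1])
        if parent is None or parent in chain:
            raise ValueError(f"{chain[-1]!r} does not derive from a Core SRG")
        chain.append(parent)
    return chain


def resolve_guidance(product: str,
                     stigs: dict[str, str] = STIG_CATALOG,
                     srgs: dict[str, str] = SRG_COVERAGE) -> GuidanceDecision:
    """Apply the STIG -> SRG -> NSA/NIST/NIAP precedence for one product."""
    key = normalise(product)
    if key in stigs:
        return GuidanceDecision(product, "STIG", stigs[key])
    if key in srgs:
        return GuidanceDecision(product, "SRG", srgs[key], srg_lineage(srgs[key]))
    return GuidanceDecision(product, "FALLBACK", FALLBACK)


def build_guidance_list(inventory: list[str]) -> dict[str, list[str]]:
    """Group the Step 1 inventory by tier so items with no STIG or SRG stand out
    for ISSM review; a product listed twice is resolved once."""
    grouped: dict[str, list[str]] = {"STIG": [], "SRG": [], "FALLBACK": []}
    seen: set[str] = set()
    for product in inventory:
        key = normalise(product)
        if key in seen:
            continue
        seen.add(key)
        decision = resolve_guidance(product)
        grouped[decision.tier].append(decision.source)
    return grouped


if __name__ == "__main__":
    # Constructed inventory, including a duplicate spelling and a bespoke item.
    inventory = ["Example-RDBMS 12", "ACME DBMS 3", "acme edge router",
                 "Bespoke Fuel Sensor Firmware", "example rdbms 12"]
    for item in inventory:
        d = resolve_guidance(item)
        print(f"{item:30} {d.tier:8} {d.source}  {' -> '.join(d.lineage)}")
    print(build_guidance_list(inventory))
```

The lineage walk matters because an SRG's requirements are DoD-specific refinements of the CCIs in its Core SRG, so the traceability record for a product covered only by the Database SRG should cite the Application SRG as well; an SRG that cannot be traced to a Core SRG is treated as a data error rather than accepted.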
National Information Assurance Program

The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST). For more information, please visit the NIAP website (the URL is not legible in the source).
Knowledge Review 3

The Department of Defense (DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual measurable statements referred to as (fill in the blank):

• DoD Security Controls
• Common Security Controls
• Control Correlation Identifiers
• Security Controls catalog

Check Answer: The Department of Defense (DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlation Identifiers.
Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.
Control Correlation Identifiers Guidance

A Common Control Identifier gives us specific DoD guidance and procedures for implementing and assessing the security controls.

For example, when implementing IR-7 security controls, the Common Control Identifiers (CCI-000839 through CCI-000842) guide us to:

• (CCI-000839) Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents.
• (CCI-000840) Employ automated mechanisms to increase the availability of incident response-related information and support.
• (CCI-000841) Establish a direct, cooperative relationship between its incident response capability and external providers of information system protection capability.
• (CCI-000842) Identify organizational incident response team members to the external providers.
Control Correlation Identifiers Guidance Cont

At this time DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing.

Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users.

In assessing this security control we will identify and interview as necessary to determine if the CCIs are fulfilled. As DoD requires us to implement an automated intra-organization incident response information sharing capability, we must determine if this capability is implemented.

This implementation is intended to provide information and support such as standard operating procedures for incident reporting, incident handling frequently asked questions, current incident activity awareness information, incident response contact information and incident report submissions.
Control Correlation Identifiers Example

[Interactive image: a Control Correlation Identifier table for the IR-7 family, with rows for IR-7 (CCI-000839), IR-7 (1) (CCI-000840), IR-7 (2)(a) (CCI-000841) and IR-7 (2)(b) (CCI-000842). Selecting the image steps through the example, highlighting one component of the IR-7 (1) / CCI-000840 entry at a time; most of the table text is not legible in the source.]

• Control Number highlighted: The Incident Response Family IR-7 (1) is a specific control to address Incident Response Assistance | Automation Support For Availability Of Information Support.
• CCI label highlighted: The control is given a CCI number, 000840.
• CCI definition highlighted: The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog. For IR-7 (1) it reads: "The organization employs automated mechanisms to increase the availability of incident response-related information and support."
• Guidance highlighted: the legible portion of the CCI-000840 row, which states what the organization being assessed implements, what the assessor examines, and the DoD specific guidance and procedures, reads as follows.

The organization being inspected/assessed will implement an automated intra-organization incident response information sharing capability, incident-related information and support, for example: 1. SOP for incident reporting; 2. Incident handling FAQ; 3. Current incident activity awareness information; 4. Incident response contact information; 5. Incident report submission.

The organization conducting the inspection/assessment obtains and examines the incident response information sharing capability to validate the information sharing capability is available to organizational users.

DoD specific guidance and procedures: DoD provides guidance and procedures. This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website, or conversely the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
pror_Mfs of~ system l)IOlICbOn nttworit dfftntbull StNCt ~ ~lllotl Mid Ct-IOSP lO lllidale bull 11 Wlftfll cap1bilily (CNOSP) Md Wllid
IRmiddot7 (2) IRmiddot7 (2) (b) CCl-0008A2 OfptllZMIOlI ~middotOlpZltiOfI Tht Ot1PfiZlllOn bttfIO The ~middotdeg CltMWMl(t tM ~ rt t-pofSe 1ebull m fNfllbtft 10 the itlf9Kttdfbullbullbullbullbullbulled ~ ttWI itlSpeltllOtlfbullbullbullbullbullbulltntfll obi Wld middot~middot lht UClemai~bull u~e llle lilt ol intemll incidenl list ol illlemal inCidetll re-tp(lltM tbullllM mtnlben
tHPottM teem mtmbers bull s MCeSSMy 10 91MUce ll bullbull ccbullbull and cunent lnteMeWS 1htoughOIA lhe WCydt Of the CNOSP With CttOSP pertdeg~~MOt11 gr-Mmt_ ilI conpincbOn Mth lhe lteidttll rttPolM te lflI mtmbtrbull nwy bullbullo be CNOSP flltfll ~ed~
DOD provides guidance and procedures This supplemental guidance reflecting automated mechanisms can provide a push pull capability for users seeking incident response assist ance For example individuals m ight query the assistance capability via a website or conversely the assistance capabil ity may preemptively send informat ion to users (general dist ribution or target ed) as part of increasing understanding of current response capabilit ies and support
Page 17 of 23 Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example ConltOI 800-53 CoonltOI CCINumber Tut lndlcalOf
IRmiddot1 IRmiddot7
Long Descript ion
A typical Control Correlation Identifiers entry is comprised of
bull Control Number IR-7 ( 1) is highlighted The Incident Response Family IR-7 ( 1) is a specific control to address Incident Response Assistance IAutomation Support For Availability Of Information Support
bull CCI label highlighted The control is given a CCI number 000840
bull CCI definition is highlighted The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog
IR-7 (2) IRbull7 (2) (bull) bull Guidance is highlighted DoD provides guidance and
procedures This supplemental guidance reflecting automated mechanisms can provide a push pull capability for
IRmiddot7 (2) IRmiddot7 (2) (b) users seeking incident response assistance For example individuals might query the assistance capability via a website or conversely the assistance capability may preemptively send information to users (general distribution
DOD provides or targeted) as part of increasing understanding of current can provide a response capabilities and support individuals m i
_ 41 StMCff qualily ti bullbullwMll11Md bull
d examines tile ring capabil ity capability is
c guidance ures
-
cunent lnteMeW5~deg -middot-bullbullbull ted mechanisms xample tance capabil ity
may preemptively send informat ion to users (general distri bution or target ed) as part of increasing understanding of current response capabilit ies and support
I Page17of 23 I Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Common Control I dentifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCls also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs) In RMF Step 1 while defining our system and authorization boundary we identi fied the hardware and software requirements
We can use that initial list to establish a list o f applicable STIGs for the In formation or PIT system
I Pbull ge18of23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs) Cont
When a STIG is not available for the specific hardware or software application we will use on our system a Security Requirements Guide (SRG) may be used
SRGs are a compilation of security controls and Control Correlation Identifiers (CCis) grouped into more applicable specific technology areas at various levels of technology and product specificity An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STGs) There are basically two types of SRGs
The first group are four Core SRGs which deal with Applications Networking Devices Operating Systems and Policy The second group are technology specific SRGs A Technology specific SRG is a child of a Core SRG For example the Database SRG was derived from the requirements in the Application SRG
I Page 19of23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
The Purpose and Implementation Of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes the individual CCs may be incorporated as appropriate into initial Statements of Work or Objectives System Requirements Documents Contract Data Requirements Lists (CDRLs) and Integrated Master Plans Schedules ( IMPs IMSs)
CCs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design the ISSM and SSE should fully participate in Integrated Process Team ( PT) analyses trades configuration management risk deliberations and throughout Systems Engineering Technical Review (SETR) processes and reviews
I Page20of 23 I Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls organizations should reference other relevant documentation This could include but is not limited to configuration of solutions to meet security control and control correlation identifier requirements from product vendors or o ther organizations that have employed the same or similar Information or PIT systems
Especially consider when a vendor or organization has used automation to allow them to maximize communica tions and increase the overall efficiency and cost effectiveness of their security control implementation
The Department of Defense Instruction DoDI) 8500 Series mandates the use of Security Technical Implementation Guides STIGs) and Security Requirements Guidelines SRGs)
In absence of SRGs or STIGs for a particular solution or implementation you may use National Security Agency NSA) Secure Configuration Guidelines NIST guidance or Natjonal Information Assurance Program NIAP) Protection Profiles
I Pbull ge 21 of 23 I Back Next
ISA220 Risk Management Framework for Practitione rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Additional Security Control Implementation Guidance
Jn addition to using the RMF Knowledge Service to assist you in implementing security controls organizations should reference other relevant documentation This could include but is no t limited to configuration o f solutions to meet security control and control correla tion identi fier requiremen ts from product vendors or o ther organizations that have employed the same or similar Jnformation or PIT systems
Especially consider when a vendor or organization has used automation to allow them to~-llilliwimiddot~----------------------bull communications and increase theand cost effectiv eness of their se National Information Assurance Program implementation The National In formation Assurance Partnership NIAP) is a
United States government initiative to meet the securityThe Department of Defense Instn testing needs of both information technology consumers andSeries mandates the use of Secur producers that is operated by the National Security AgencyImplementation Guides STJGs) ar NSA) and was originally a joint effort between NSA andRequirements Guidelines SRGs) the National Institute of Standards and Technology NIST)
Jn absence of SRGs or STJGs for lt For more information please visit or implementation you may use N f fm Agency (NSA) Secure Configuratimiddot ttos w nia ic v rolRh Cih l lww o-ic ie smiddoto e IW atisN AIPCESmiddotcmiddotI guidance or National Information Assurance Program NIAP) Protection Profiles
-41111111 I Page 21 of 23 Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Knowledge Review 3
The Department of Defense DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology NJST) Special Publication (SP) 800- 53 and decomposed them into individual measurable statements referred to as (Fill in the blank)
DoD Security Controls
LJ Common Security Con trols
~ Control Correlation Identifiers
Security Controls catalog
Check Answ er
The Department of Defense DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlatio n I de nt ifiers
I Pbull ge 22 of 23 I Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Lesson Completion
You have completed the content for this lesson
To continue select another lesson from the Table o f Contents on the left
If you have closed or hidden the Table of Contents click the Show TOC button at the top in the Atlas navigation bar
I Pbull ge23of23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Guidance Cont
At this time DoD has an enterprise capability known as the Joint Incident Management System (JIMS) that allows all DoD Components to share cyber incident information with US Cyber Command in support of situational awareness and sharing
Our guidance is to assess this security control by examining the incident response information sharing capability and validating that this capability is available to our organizational users
In assessing this security control we will identify and interview as necessary to determine if the CCis are fulfilled As DoD requires us to implement an automated intra-organization incident response information sharing capability we must determine if this capability is implemented
This implementation is intended to provide information and support such as standard operating procedures for incident reporting incident handling frequently asked questions current incident activity awareness information incident response contact information and incident report submissions
I Page 16 of23 I Back Next
--
I
ISA220 Risk Management Framework for Practitioners Lesson 51 shy Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example
IH (IJ tR7 (I)
IH (2) 1R 7 (7)(a)
~middot
IR-7 (2) IR-7 (7)(11) ~middot2
n___ - n--~ --middot-fflOOM-t fHOlotrU Wt91 lO lM ~ldHlffMdWiii Ktlbltttl lllll~HIMlmillM Ri ~ llnCIClilinamp ~ tnellllllnl PGftM MIPSIOt MM(bull Of91112aGNI 614-rwM ~middotmiddotof IMl---H-bulltouun --toMrTdolll oo----middot----Vol
-bull-nldtMlto llMrSlor -ote-bullltll--bullmiddot-shy I_1_lortlgtt-09_WV_bull
Tho Of91Z-- bullllOYI -ed-__- _ ___ ood _
c~ bM Ila -middot-middotshy---middotr-bull-___ copoMlyTllo---middot--shy~ fHPQnM tbullem~ totM _
~---- ___shytnCIChnll Chen _Vf ~~to
-SYNI 4 M ~ tffOOfrH MlOft wttet to COftlaet
--9 ------1pectedlH-NPM~ lfllJllICUOrVbullbullbullUment obt_ ___the _____ -middotmiddotmiddot---middot-~ ---~~ middotmiddot-middotmiddoti---g~ middotmiddot~lhtlcl-g-Nllled -middotmiddot--~ I S()P lor--ng--- 2-~~Nl ) Currtflt ~ lctMCy ~
4 ffticldM rHponM CONlicl --5 - ltportmiddot- shy
n --~ wtspcttdlasMned mml ~a-ogr--middot-ftlhlOtlit cWeftM bullCbull pnMdel
(CtC)SP)n--o-o cttdlMloHffd mu1amp eftd folPClmbull tM bull1t of IPllltNll ~
n__- ~ususment otllMll _ampht _____OlpNZ ~ fft wlidllbull curr11
Tho 1H--C119 bulltplCUOfttHlffllftlllC otll lndi ~ tM llllt Of ifUfMll lfICllCMft rtolfOllllP
tHponM t-n INgt M MCetNfY ampo ute II eccwMd c11N Vi 1~ deg~ ollNCNOSP -Cl40SP _ i _ - middot--- -IHpotlMl____ _lhotio CllOSP- -
Select the image above to progress through a Control Correlation Identifiers example
Page 17 of 23 Back Next
__
Control Correlation Identifiers Example

The example steps through a single CCI entry from the Incident Response (IR) family:

• Control number: IR-7 (1) is a specific control enhancement addressing Incident Response Assistance | Automation Support for Availability of Information / Support.
• CCI label: the control is given the CCI number CCI-000840.
• CCI definition: the CCI definition is the same as the control definition in NIST SP 800-53 and within the Security Controls Catalog.
Control Correlation Identifiers Example

The example entry for IR-7 (1), read across the table (the same table also carries rows for the parent control IR-7 and for the IR-7 (2) (a) and (b) enhancements):

Control: IR-7 (1) Incident Response Assistance | Automation Support for Availability of Information / Support
800-53 control text (CCI definition): The organization employs automated mechanisms to increase the availability of incident response-related information and support.
CCI number: CCI-000840
Implementation guidance (the organization being inspected/assessed): The organization being inspected/assessed will implement an automated intra-organization incident response information sharing capability related to incident information and support, for example:
1. SOP for incident reporting
2. Incident handling FAQ
3. Current incident activity awareness information
4. Incident response contact and procedures information
5. Incident report submission
Assessment procedure (the organization conducting the inspection/assessment): The organization conducting the inspection/assessment obtains and examines the incident response information sharing capability to validate that the information sharing capability is available to organizational users.
DoD specific guidance: DoD provides guidance and procedures. This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website or, conversely, the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
Control Correlation Identifiers Example

Long Description

A typical Control Correlation Identifiers entry is comprised of:

• Control Number (IR-7 (1) is highlighted): the Incident Response family enhancement IR-7 (1) is a specific control enhancement addressing Incident Response Assistance | Automation Support for Availability of Information / Support.
• CCI label (highlighted): the control is given a CCI number, CCI-000840.
• CCI definition (highlighted): the CCI definition is the same as the control definition in NIST SP 800-53 and within the Security Controls Catalog.
• Guidance (highlighted): DoD provides guidance and procedures. This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website or, conversely, the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs)

CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.

We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs) (Cont.)

When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.

SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.

SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.

The first group are the four Core SRGs, which deal with Applications, Networking Devices, Operating Systems, and Policy. The second group are technology-specific SRGs. A technology-specific SRG is a child of a Core SRG; for example, the Database SRG was derived from the requirements in the Application SRG.
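The correlation described on the two preceding slides (STIG rules traced back to NIST SP 800-53 controls through the CCIs they cite, and the fall-back to an SRG where no STIG covers a control) is mechanical enough to script. The following Python is an added example written for this page; it is not part of the ISA220 course or of any DISA tool. The two XML fragments are constructed here to mirror the layout of the DISA CCI list (cci_item elements with NIST references) and of a STIG XCCDF benchmark (Rule elements carrying CCI idents); the rule ids, titles and the CCI-000044 to AC-7 a pairing are assumptions of this example, while CCI-000840 to IR-7 (1) is the pairing the lesson uses.

```python
"""Correlate STIG rules to NIST SP 800-53 controls through their CCI references.

Added example, not part of the ISA220 course or of any DISA tool. The XML below
is constructed to mirror the DISA CCI list and a STIG XCCDF benchmark; rule ids,
titles and the CCI-000044 pairing are assumptions of this example.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed excerpt in the shape of the DISA CCI list (cci_item -> references).
CCI_LIST_XML = """
<cci_list xmlns="http://iase.disa.mil/cci">
  <cci_items>
    <cci_item id="CCI-000840">
      <definition>The organization employs automated mechanisms to increase the
      availability of incident response-related information and support.</definition>
      <references>
        <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" index="IR-7 (1)"/>
      </references>
    </cci_item>
    <cci_item id="CCI-000044">
      <definition>The information system enforces the organization-defined limit of
      consecutive invalid logon attempts by a user. (assumed pairing)</definition>
      <references>
        <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" index="AC-7 a"/>
      </references>
    </cci_item>
  </cci_items>
</cci_list>
"""

# Constructed excerpt in the shape of a STIG XCCDF benchmark. Rule ids and titles
# are made up; the CCI sits in <ident system=".../cci">, legacy V-numbers do not.
STIG_XCCDF_XML = """
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Example_OS_STIG">
  <title>Example Operating System STIG (constructed)</title>
  <Group id="V-000001">
    <Rule id="SV-000001r1_rule" severity="medium">
      <title>The system must lock accounts after consecutive invalid logon attempts.</title>
      <ident system="http://cyber.mil/legacy">V-000001</ident>
      <ident system="http://cyber.mil/cci">CCI-000044</ident>
    </Rule>
  </Group>
  <Group id="V-000002">
    <Rule id="SV-000002r1_rule" severity="low">
      <title>The system must display a logon banner.</title>
      <ident system="http://cyber.mil/cci">CCI-999999</ident>
    </Rule>
  </Group>
</Benchmark>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace from a tag: '{ns}Rule' -> 'Rule'."""
    return tag.rsplit("}", 1)[-1]


def load_cci_map(cci_list_xml: str) -> dict[str, list[str]]:
    """Return {CCI id: [800-53 control indexes]} from a CCI list document."""
    cci_map: dict[str, list[str]] = {}
    for item in ET.fromstring(cci_list_xml).iter():
        if _local(item.tag) != "cci_item":
            continue
        cci_map[item.get("id")] = [
            ref.get("index")
            for ref in item.iter()
            if _local(ref.tag) == "reference" and ref.get("creator") == "NIST" and ref.get("index")
        ]
    return cci_map


def stig_rules(xccdf_xml: str) -> list[dict]:
    """Return one record per XCCDF Rule: id, severity, title and the CCIs it cites."""
    rules = []
    for rule in ET.fromstring(xccdf_xml).iter():
        if _local(rule.tag) != "Rule":
            continue
        title = next((c.text or "" for c in rule if _local(c.tag) == "title"), "")
        # Only idents in a CCI system count; legacy V-number idents are skipped.
        ccis = [(c.text or "").strip() for c in rule
                if _local(c.tag) == "ident" and c.get("system", "").endswith("/cci")]
        rules.append({"id": rule.get("id"), "severity": rule.get("severity"),
                      "title": title, "ccis": ccis})
    return rules


def correlate(cci_map: dict[str, list[str]], rules: list[dict]) -> dict[str, list[str]]:
    """Map each 800-53 control to the STIG rule ids whose CCIs trace back to it."""
    by_control: dict[str, list[str]] = defaultdict(list)
    for rule in rules:
        for cci in rule["ccis"]:
            for control in cci_map.get(cci, []):
                by_control[control].append(rule["id"])
    return dict(by_control)


def unresolved_ccis(cci_map: dict[str, list[str]], rules: list[dict]) -> list[str]:
    """CCIs the STIG cites that the CCI list does not know (stale list or bad benchmark)."""
    return sorted({cci for rule in rules for cci in rule["ccis"] if cci not in cci_map})


def uncovered_controls(selected_controls: list[str], by_control: dict[str, list[str]]) -> list[str]:
    """Selected controls with no STIG rule behind them; these need an SRG or other guidance."""
    return sorted(c for c in selected_controls if c not in by_control)


if __name__ == "__main__":
    cci_map = load_cci_map(CCI_LIST_XML)
    rules = stig_rules(STIG_XCCDF_XML)
    by_control = correlate(cci_map, rules)
    for control, rule_ids in sorted(by_control.items()):
        print(f"{control}: {', '.join(rule_ids)}")
    print("unresolved CCIs:", unresolved_ccis(cci_map, rules))
    # IR-7 (1) from the lesson has no STIG rule here, so it must be met another way.
    print("controls without STIG coverage:", uncovered_controls(["AC-7 a", "IR-7 (1)"], by_control))
```

Pointed at the real CCI list and an unzipped STIG benchmark instead of the constructed strings, the same functions give the traceability the slides ask for: `correlate` shows which STIG checks evidence each selected control, `unresolved_ccis` flags benchmark idents that a stale CCI list cannot resolve, and `uncovered_controls` lists the selected controls (typically policy and procedural ones such as IR-7 (1)) for which no STIG applies and an SRG or other guidance is the fall-back.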
The Purpose and Implementation of Control Correlation Identifiers

As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated, as appropriate, into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs), and Integrated Master Plans and Schedules (IMPs/IMSs).

CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.

To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and SSE should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management, and risk deliberations, and throughout Systems Engineering Technical Review (SETR) processes and reviews.
Additional Security Control Implementation Guidance

In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and Control Correlation Identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.

Especially consider cases where a vendor or organization has used automation to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.

The Department of Defense Instruction (DoDI) 8500 series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs).

In the absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance, or National Information Assurance Partnership (NIAP) Protection Profiles.
National Information Assurance Partnership

The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST).
Knowledge Review 3

The Department of Defense (DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual measurable statements referred to as (fill in the blank):

[ ] DoD Security Controls
[ ] Common Security Controls
[X] Control Correlation Identifiers
[ ] Security Controls Catalog

Answer: The Department of Defense (DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlation Identifiers.
Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.
--
I
ISA220 Risk Management Framework for Practitioners Lesson 51 shy Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example
IH (IJ tR7 (I)
IH (2) 1R 7 (7)(a)
~middot
IR-7 (2) IR-7 (7)(11) ~middot2
n___ - n--~ --middot-fflOOM-t fHOlotrU Wt91 lO lM ~ldHlffMdWiii Ktlbltttl lllll~HIMlmillM Ri ~ llnCIClilinamp ~ tnellllllnl PGftM MIPSIOt MM(bull Of91112aGNI 614-rwM ~middotmiddotof IMl---H-bulltouun --toMrTdolll oo----middot----Vol
-bull-nldtMlto llMrSlor -ote-bullltll--bullmiddot-shy I_1_lortlgtt-09_WV_bull
Tho Of91Z-- bullllOYI -ed-__- _ ___ ood _
c~ bM Ila -middot-middotshy---middotr-bull-___ copoMlyTllo---middot--shy~ fHPQnM tbullem~ totM _
~---- ___shytnCIChnll Chen _Vf ~~to
-SYNI 4 M ~ tffOOfrH MlOft wttet to COftlaet
--9 ------1pectedlH-NPM~ lfllJllICUOrVbullbullbullUment obt_ ___the _____ -middotmiddotmiddot---middot-~ ---~~ middotmiddot-middotmiddoti---g~ middotmiddot~lhtlcl-g-Nllled -middotmiddot--~ I S()P lor--ng--- 2-~~Nl ) Currtflt ~ lctMCy ~
4 ffticldM rHponM CONlicl --5 - ltportmiddot- shy
n --~ wtspcttdlasMned mml ~a-ogr--middot-ftlhlOtlit cWeftM bullCbull pnMdel
(CtC)SP)n--o-o cttdlMloHffd mu1amp eftd folPClmbull tM bull1t of IPllltNll ~
n__- ~ususment otllMll _ampht _____OlpNZ ~ fft wlidllbull curr11
Tho 1H--C119 bulltplCUOfttHlffllftlllC otll lndi ~ tM llllt Of ifUfMll lfICllCMft rtolfOllllP
tHponM t-n INgt M MCetNfY ampo ute II eccwMd c11N Vi 1~ deg~ ollNCNOSP -Cl40SP _ i _ - middot--- -IHpotlMl____ _lhotio CllOSP- -
Select the image above to progress through a Control Correlation Identifiers example
Page 17 of 23 Back Next
__
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example
R-7 R -7 ~n_-_tffPGftM ~~ toN
----~~ -u Md nMIMCit bullo USlfS
GllM - tyoebullmtof lht ~___yshy
IR-7(1) 11111 ~-~ -oc1 JTMChMlbullmt lO lnCfenbull of
~niR -~- shy-
R middot7 QI R middot7(1)(a) C0-1 _ - COOlpldlNI betwHnill ____ y_
__oyushy
capololity R -7 (2) IH (11 C-1 n -bull_ shy~2
~ fKpilftM lt- ~ tothl__
I The--~
I --~
~MIUHllM ~ M MpeCtIONMfft __ ----middot __ ___ I
~ tbull en rt dHll 10 ~~ ponM luppailf MNCH Md qumy
---- _
-middot M_ _tolt11-g___ -middotolllgtOM middot--wMltI I_- _
lfIOdltltl thiM ~doc~ to _ 11 M WIOdett tnpOMt ppoft
Mnitebull to COdJCt
-middot-bo9mnbullPfdl6astbullbullffd ~ bull n---_ ~bullUS-lrMntMd tDnWlt9 the ___ - -- _bolily
--__blloey middotmiddot-middot ---_~ ___ --middotmiddot-- bullbull degdeg ---2-~lAO-shygt eun-Y-bull ~rn~conlXI s ___ -The -middot shy btolll n-- shy tOftCfuclonI lftspKltdasses1S mullbull~ a -----deg IMpKbOftlauusr etuiM md bullimnwws the __~ dtfMM MMCbull~ Clf99Nl_ llnd Ct~ 10 dlltdlee bull bull CUNtinl
(CtCgtSP) - shy __ Tho ~c-cto)tilo lntpKttdMHllecJ nlllll prcMde Md IMPKtINUMlllMN mcJ Chit 1M bullbull ol fttfNI iiMltdlN Ila el tn1MYI ~ _ bullbull_ rftMllMft _ tMIP ftWtnDln es MCbullbullJatY to bull la ecabulle MdC_ deg lht ~la GllM CNOSP - CNOSP ~-- shy-1lt1 c_ _---1middot----QIOSPshy
The Incident Response Family IR-7 ( 1) is a specific control to address Incident Response AssistancelAutomation Support For Availability Of Information Support
Pag e 17 of 23 Back Next
--
___
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example
IRmiddot1 IRmiddot7
CCI
COshy
CCI-no___ _ tHfIOIM aupoon tbullto1ttbull to tN ---rH-MUpobMy 1NI elrin ~MidMliiA-U 10 Wtra
dlM-bullibullmtot11M~ --d-yWM-S
--~_ ~-------_-_-shy-
1R 1 QI IHQl(ll CO-I TM~Hl-bullclortd CoopedlNe ~
- bullbullbull-clflllY _ txtipo-d_ cwty
C0-2 TIM_bull ___IR-7 2) IRmiddot7 QI (11) iflCldlN tH$IOM4 Ibull~ to tM txtotNI_
The control is given a CCI number 000840
~
Tho --bot Tht--~~tidrMMbullud_H~ _ mpecWNHMHlMftl ___ ____ ~IOMJThtlp- topwa_rH_M_NNCHINl~ffl cMlcbull W U llMCt to uMrt W aallt1MCe ol thoH HMCff ~ 11Md I ~-middotmiddot--Y ____~ ~fVSlft~illhOnLO
Mt-et II M 1ftCldert ~
MMebull lo cotUct Tht -middot- Tht ___pectt6nMut ~ ~ obtMllll s -nne1 tht_____ ------wv---_~ ---_~ 10 0 __- _ -lomiddotmiddot---shy--_ I SOPlor--O 2 ~deg
) o Y-middot_ rHponM Conucts ~ _
Tht --bot TIM--~ lfltpeC1tidiMMUed bulllhtlilliM ~ otllMM s t1lit
fMCWodc ~ -MNCbull ptcMdef Wt CfJl)ltO 1ti1 - bull m wrren1 -middot--middotmiddot-middot ----- (QCllSP - shyTN Olll)lll zbullM bMt9 Tllif OfflllVbulldeg c0fdut19 a lfltpKlMUM tnull prNde Mii 1M91CbOftUffllrntinC Md_ tht upctae 1bt bull11 o1 tm11 llllttdMI Mt wwetnlll PifM bullbullbull~ JM ~mt_ bullbull MltHJaY to wMilbull bull 11 eccurlllbull and c_ ke ___ tlM ~ CNOSP -CHOSP____ __ C--N ___lllO ---Mt CJlOSPshy -oc1
Page 17 of 23 Back Next
---
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example
CCIOoshy
IR-1 A-1 CO- no___- Tho __ Tht--~t fHSIOMbull IUIJPM flICMilU ti lO the specttclr_IMCf Hfaibllltl MPKtflftHtfflmenl ~onll~ fHpOftH capiibMy lftCdtiril rnpoftM ~MNCe Of9ilV-oNI VHft to _ tllftHamp fl ma~~Md nace 10 Mllogow bullbull rr POHJt to~~ rHpMM 9tIPPOft middot~ Md -1bull ollllt-JY(tmloflllt_ --u-010-lof n-tMIMM_n_lllOd I--middotuany -~-middotmiddot-~--middot-y-- __--lO
_ff 11 idlnlI M ~ HSOONbull ~ MNCe to COlUCI
Rmiddot1 (1) Amiddot1 (1) The organizat ion employs automated Tho --bull_impecbatllbulluu olilaM ft x tht mechanisms to Increase the availability of
--- ---- C-Y__bololy IO-o IN__~incident response-related Information and _ - __ support _
----middot ~~~-~ l c~ bull deg - tclfleyFor each ~ fftPQnM COfll-ICImeasurable -shy
statement shys---shyTho __ Thi--~Thtot--bullbulloct c~MLll11s mspecte6assustcl rnmt ~ bull ~anbulltslNftl~ mtd IM
- middot-~ysmshy~__MtMlkMNCt prCMdet __wtQ~ lot II 9 CUfWll ----middot-- --cloc--hcopoWry (QC)SP) Mid shyTho__ Tho_ c-g lllollH C2) A-7 (2)(b) Thl0t~-middot~shy -OIHuocl-l~ond _ _ ___~ tflpenM tt ~tom tXltmal pnMdiln upclabull the bullbull Cl ~ ~~middot bullbull ~
POftM mttntltta bullbull MCairt to II ecc Md CllilNWll ~ ttw~lllo~eltlltCHOSP _CHOSP___ - -- __pon--MOylhollt
CtlOSP19- middot- The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog
Page 17 of 23 Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example ConltOI 800-53 CoonltOI CCINumber Tut lndlcalOf
IRmiddot1 IRmiddot7 CCfOOOll39 Tht Ofgltlltuotl ~ 811 ~ Tht OttJfUllOtl btillf The OtPitlllOlI COlOicl1119 I rt ftgtOMt ~Pl rtsourct lflttgltal 10 11W itlsptltttdlubullbull bullbulltdWil t ltbullblitJI 811 lnbullPtCtfoNbullbullbullbullbullbullmtlaquo nl lflltMtW OtfMllbullion11 itlC1I ffbullpotIM capaWlaquoy itlCldttlt pot bull11P1gtM bulltMCt organit8li0flal 11bullotri 10 dt-1 41_ d IPIbull ohf$ ~ Wld bullbullSttt811Ct 10 U$tff ~ 10 811 IT lltlpbullbullJc lO ~ ilICiltlttll tttporM $Upp)fl $tMCtt and qualily ti d Ult lftlltlOft sytiem fot 1111 hlftdlbullO 4MCbull and HtlftMCt 10 uwbull fot bullbullbullitctnet ol u~ bullbulllYicbullbull wMll 11Md bull
The organization being The organization conducting the inspectedassessed will implement an inspectionassessment obtains and examines the automated intra-organization incident incident response information sharing capabil ity response information incident related to validate the information sharing capability is information and support for example available to organizational users 1 SOP for Incident reporting 2 Incident handl ing FAQ -
3 Current incident activity awareness Information DoD specific guidance
4 Incident response contact and procedures Information
5 Incident report submissionIR-7 (2) IRbull7 (2) (bull)
pror_Mfs of~ system l)IOlICbOn nttworit dfftntbull StNCt ~ ~lllotl Mid Ct-IOSP lO lllidale bull 11 Wlftfll cap1bilily (CNOSP) Md Wllid
IRmiddot7 (2) IRmiddot7 (2) (b) CCl-0008A2 OfptllZMIOlI ~middotOlpZltiOfI Tht Ot1PfiZlllOn bttfIO The ~middotdeg CltMWMl(t tM ~ rt t-pofSe 1ebull m fNfllbtft 10 the itlf9Kttdfbullbullbullbullbullbulled ~ ttWI itlSpeltllOtlfbullbullbullbullbullbulltntfll obi Wld middot~middot lht UClemai~bull u~e llle lilt ol intemll incidenl list ol illlemal inCidetll re-tp(lltM tbullllM mtnlben
tHPottM teem mtmbers bull s MCeSSMy 10 91MUce ll bullbull ccbullbull and cunent lnteMeWS 1htoughOIA lhe WCydt Of the CNOSP With CttOSP pertdeg~~MOt11 gr-Mmt_ ilI conpincbOn Mth lhe lteidttll rttPolM te lflI mtmbtrbull nwy bullbullo be CNOSP flltfll ~ed~
DOD provides guidance and procedures This supplemental guidance reflecting automated mechanisms can provide a push pull capability for users seeking incident response assist ance For example individuals m ight query the assistance capability via a website or conversely the assistance capabil ity may preemptively send informat ion to users (general dist ribution or target ed) as part of increasing understanding of current response capabilit ies and support
Page 17 of 23 Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example ConltOI 800-53 CoonltOI CCINumber Tut lndlcalOf
IRmiddot1 IRmiddot7
Long Descript ion
A typical Control Correlation Identifiers entry is comprised of
bull Control Number IR-7 ( 1) is highlighted The Incident Response Family IR-7 ( 1) is a specific control to address Incident Response Assistance IAutomation Support For Availability Of Information Support
bull CCI label highlighted The control is given a CCI number 000840
bull CCI definition is highlighted The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog
IR-7 (2) IRbull7 (2) (bull) bull Guidance is highlighted DoD provides guidance and
procedures This supplemental guidance reflecting automated mechanisms can provide a push pull capability for
IRmiddot7 (2) IRmiddot7 (2) (b) users seeking incident response assistance For example individuals might query the assistance capability via a website or conversely the assistance capability may preemptively send information to users (general distribution
DOD provides or targeted) as part of increasing understanding of current can provide a response capabilities and support individuals m i
_ 41 StMCff qualily ti bullbullwMll11Md bull
d examines tile ring capabil ity capability is
c guidance ures
-
cunent lnteMeW5~deg -middot-bullbullbull ted mechanisms xample tance capabil ity
may preemptively send informat ion to users (general distri bution or target ed) as part of increasing understanding of current response capabilit ies and support
I Page17of 23 I Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Common Control I dentifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCls also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs) In RMF Step 1 while defining our system and authorization boundary we identi fied the hardware and software requirements
We can use that initial list to establish a list o f applicable STIGs for the In formation or PIT system
I Pbull ge18of23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs) Cont
When a STIG is not available for the specific hardware or software application we will use on our system a Security Requirements Guide (SRG) may be used
SRGs are a compilation of security controls and Control Correlation Identifiers (CCis) grouped into more applicable specific technology areas at various levels of technology and product specificity An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STGs) There are basically two types of SRGs
The first group are four Core SRGs which deal with Applications Networking Devices Operating Systems and Policy The second group are technology specific SRGs A Technology specific SRG is a child of a Core SRG For example the Database SRG was derived from the requirements in the Application SRG
I Page 19of23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
The Purpose and Implementation Of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes the individual CCs may be incorporated as appropriate into initial Statements of Work or Objectives System Requirements Documents Contract Data Requirements Lists (CDRLs) and Integrated Master Plans Schedules ( IMPs IMSs)
CCs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design the ISSM and SSE should fully participate in Integrated Process Team ( PT) analyses trades configuration management risk deliberations and throughout Systems Engineering Technical Review (SETR) processes and reviews
I Page20of 23 I Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls organizations should reference other relevant documentation This could include but is not limited to configuration of solutions to meet security control and control correlation identifier requirements from product vendors or o ther organizations that have employed the same or similar Information or PIT systems
Especially consider when a vendor or organization has used automation to allow them to maximize communica tions and increase the overall efficiency and cost effectiveness of their security control implementation
The Department of Defense Instruction DoDI) 8500 Series mandates the use of Security Technical Implementation Guides STIGs) and Security Requirements Guidelines SRGs)
In absence of SRGs or STIGs for a particular solution or implementation you may use National Security Agency NSA) Secure Configuration Guidelines NIST guidance or Natjonal Information Assurance Program NIAP) Protection Profiles
I Pbull ge 21 of 23 I Back Next
ISA220 Risk Management Framework for Practitione rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Additional Security Control Implementation Guidance
Jn addition to using the RMF Knowledge Service to assist you in implementing security controls organizations should reference other relevant documentation This could include but is no t limited to configuration o f solutions to meet security control and control correla tion identi fier requiremen ts from product vendors or o ther organizations that have employed the same or similar Jnformation or PIT systems
Especially consider when a vendor or organization has used automation to allow them to~-llilliwimiddot~----------------------bull communications and increase theand cost effectiv eness of their se National Information Assurance Program implementation The National In formation Assurance Partnership NIAP) is a
United States government initiative to meet the securityThe Department of Defense Instn testing needs of both information technology consumers andSeries mandates the use of Secur producers that is operated by the National Security AgencyImplementation Guides STJGs) ar NSA) and was originally a joint effort between NSA andRequirements Guidelines SRGs) the National Institute of Standards and Technology NIST)
Jn absence of SRGs or STJGs for lt For more information please visit or implementation you may use N f fm Agency (NSA) Secure Configuratimiddot ttos w nia ic v rolRh Cih l lww o-ic ie smiddoto e IW atisN AIPCESmiddotcmiddotI guidance or National Information Assurance Program NIAP) Protection Profiles
-41111111 I Page 21 of 23 Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Knowledge Review 3
The Department of Defense DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology NJST) Special Publication (SP) 800- 53 and decomposed them into individual measurable statements referred to as (Fill in the blank)
DoD Security Controls
LJ Common Security Con trols
~ Control Correlation Identifiers
Security Controls catalog
Check Answ er
The Department of Defense DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlatio n I de nt ifiers
I Pbull ge 22 of 23 I Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Lesson Completion
You have completed the content for this lesson
To continue select another lesson from the Table o f Contents on the left
If you have closed or hidden the Table of Contents click the Show TOC button at the top in the Atlas navigation bar
I Pbull ge23of23 I Back Next
Control Correlation Identifiers Example

The example screens step through one entry of the CCI list, highlighting one element at a time. The rows shown are the Incident Response (IR) family control IR-7 and its enhancements; the columns are Control, 800-53 Control, CCI Number, the CCI definition, and the DoD implementation and assessment guidance.

Control | 800-53 Control | CCI Number

IR-7 | IR-7 | CCI-000839
    Definition: The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents.

IR-7 (1) | IR-7 (1) | CCI-000840
    Definition: The organization employs automated mechanisms to increase the availability of incident response-related information and support.
    Implementation (organization being inspected/assessed): will implement an automated intra-organization incident response information sharing capability related to incident information and support, for example: 1. SOP for incident reporting; 2. Incident handling FAQ; 3. Current incident activity awareness information; 4. Incident response contact and procedures information; 5. Incident report submission.
    Assessment (organization conducting the inspection/assessment): obtains and examines the incident response information sharing capability to validate that the information sharing capability is available to organizational users.
    DoD specific guidance: This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website, or conversely the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.

IR-7 (2) | IR-7 (2) (a) | (CCI number not legible)
    Definition: The organization establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability (in DoD, the Computer Network Defense Service Provider, CNDSP).

IR-7 (2) | IR-7 (2) (b) | CCI-000842
    Definition: The organization identifies organizational incident response team members to the external providers.
    Implementation/Assessment: The organization being inspected/assessed updates the list of internal incident response team members as necessary to ensure it is accurate and current throughout the lifecycle of the CNDSP agreement; the organization conducting the inspection/assessment obtains and examines that list.

Long Description

A typical Control Correlation Identifier entry is comprised of:

• Control Number: IR-7 (1) is highlighted. The Incident Response family control IR-7 (1) is a specific control enhancement that addresses Incident Response Assistance | Automation Support for Availability of Information / Support.
• CCI label: the control is given a CCI number, 000840 (CCI-000840).
• CCI definition: the CCI definition is the same as the control definition in NIST SP 800-53 and within the Security Controls Catalog.
• Guidance: DoD provides guidance and procedures, the DoD specific guidance quoted in the IR-7 (1) row above.
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs)

CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.

We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs), Cont.

When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.

SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.

SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.

The first group is the four Core SRGs, which deal with Applications, Network Devices, Operating Systems, and Policy. The second group is the technology-specific SRGs. A technology-specific SRG is a child of a Core SRG; for example, the Database SRG was derived from the requirements in the Application SRG.
The Purpose and Implementation of Control Correlation Identifiers

As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated, as appropriate, into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs), and Integrated Master Plans/Schedules (IMPs/IMSs).

CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.

To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and the System Security Engineer (SSE) should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management, risk deliberations, and throughout Systems Engineering Technical Review (SETR) processes and reviews.
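The two claims above (CCIs correlate security controls to STIG content, and CCIs give traceability from controls to derived requirements) can be checked mechanically, because DISA publishes the CCI list as XML and each STIG as an XCCDF benchmark whose rules cite CCIs in ident elements. The Python below is an added example and is not part of the ISA220 course or of any DISA tool. The two XML fragments are constructed samples in the layout of those files: the STIG rule IDs, rule titles and CCI-999999 are hypothetical, while CCI-000839, CCI-000840, CCI-000842 and their IR-7 mappings are the ones shown on the example page, and the definition text is the SP 800-53 Rev 4 control wording that the course says a CCI repeats. The script builds a control-to-rule traceability table, flags rules that cite a CCI absent from the list, and lists CCIs that no rule covers, which is where the SRG, NSA and NIAP fallback guidance applies.

```python
"""Added example (not part of the ISA220 course): join STIG rules to NIST SP 800-53
controls through their Control Correlation Identifiers (CCIs).

Both XML fragments are CONSTRUCTED samples that follow the layout of the DISA
CCI list (U_CCI_List.xml) and of an XCCDF 1.1 STIG benchmark. The rule IDs,
rule titles and CCI-999999 are hypothetical; CCI-000839/000840/000842 and
their IR-7 mappings are the ones shown on the course page, and the definition
text is the SP 800-53 Rev 4 control wording the course says a CCI repeats.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

CCI_NS = "http://iase.disa.mil/cci"
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"

CCI_LIST_XML = f"""<cci_list xmlns="{CCI_NS}">
  <cci_items>
    <cci_item id="CCI-000839">
      <definition>The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents.</definition>
      <references><reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" index="IR-7"/></references>
    </cci_item>
    <cci_item id="CCI-000840">
      <definition>The organization employs automated mechanisms to increase the availability of incident response-related information and support.</definition>
      <references><reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" index="IR-7 (1)"/></references>
    </cci_item>
    <cci_item id="CCI-000842">
      <definition>The organization identifies organizational incident response team members to the external providers.</definition>
      <references><reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" index="IR-7 (2) (b)"/></references>
    </cci_item>
  </cci_items>
</cci_list>"""

# Hypothetical STIG: rule IDs and titles are made up for the example. Rule 3
# cites a CCI that is not in the list above, to exercise the error path.
STIG_XML = f"""<Benchmark xmlns="{XCCDF_NS}" id="Example_IR_STIG">
  <Group id="V-EXAMPLE-1"><Rule id="SV-EXAMPLE-1_rule" severity="medium">
    <title>Users must have an automated means to report and track incidents.</title>
    <ident system="http://cyber.mil/cci">CCI-000840</ident>
  </Rule></Group>
  <Group id="V-EXAMPLE-2"><Rule id="SV-EXAMPLE-2_rule" severity="low">
    <title>Incident response team members must be identified to the external provider.</title>
    <ident system="http://cyber.mil/cci">CCI-000842</ident>
  </Rule></Group>
  <Group id="V-EXAMPLE-3"><Rule id="SV-EXAMPLE-3_rule" severity="medium">
    <title>Rule citing a CCI that the loaded CCI list does not contain.</title>
    <ident system="http://cyber.mil/cci">CCI-999999</ident>
  </Rule></Group>
</Benchmark>"""


def load_cci_map(xml_text):
    """Return {cci_id: (definition, [800-53 control indexes])} from a CCI list."""
    ns = {"c": CCI_NS}
    out = {}
    for item in ET.fromstring(xml_text).findall(".//c:cci_item", ns):
        definition = item.findtext("c:definition", default="", namespaces=ns).strip()
        controls = [r.get("index") for r in item.findall("c:references/c:reference", ns)
                    if r.get("creator") == "NIST"]
        out[item.get("id")] = (definition, controls)
    return out


def load_stig_rules(xml_text):
    """Return [(rule_id, severity, title, [cci_ids])] from an XCCDF benchmark."""
    ns = {"x": XCCDF_NS}
    rules = []
    for rule in ET.fromstring(xml_text).iter(f"{{{XCCDF_NS}}}Rule"):
        # STIGs carry the CCI reference in <ident system=".../cci">CCI-nnnnnn</ident>
        ccis = [i.text.strip() for i in rule.findall("x:ident", ns)
                if i.get("system", "").endswith("/cci")]
        title = rule.findtext("x:title", default="", namespaces=ns).strip()
        rules.append((rule.get("id"), rule.get("severity"), title, ccis))
    return rules


def build_traceability(cci_map, rules):
    """Map each 800-53 control to (rule_id, cci) pairs; also report rules whose
    CCI is not in the list, since those cannot be traced to any control."""
    by_control = defaultdict(list)
    unmapped = []
    for rule_id, _severity, _title, ccis in rules:
        for cci in ccis:
            if cci not in cci_map:
                unmapped.append((rule_id, cci))
                continue
            for control in cci_map[cci][1]:
                by_control[control].append((rule_id, cci))
    return dict(by_control), unmapped


def uncovered_ccis(cci_map, rules):
    """CCIs in the list that no STIG rule cites: gaps to close with an SRG,
    NSA configuration guide or NIAP Protection Profile, per the course page."""
    cited = {cci for *_, ccis in rules for cci in ccis}
    return sorted(set(cci_map) - cited)


if __name__ == "__main__":
    cci_map = load_cci_map(CCI_LIST_XML)
    rules = load_stig_rules(STIG_XML)
    by_control, unmapped = build_traceability(cci_map, rules)
    for control in sorted(by_control):
        for rule_id, cci in by_control[control]:
            print(f"{control:<14} {cci}  {rule_id}")
    print("rules citing unknown CCIs:", unmapped)
    print("CCIs with no STIG rule:", uncovered_ccis(cci_map, rules))
```

Run against the real files, the same join produces the control-to-STIG-rule matrix the course expects you to maintain through the life cycle; the two report lists are the ones worth reviewing with the ISSM, since an unknown CCI usually means a stale CCI list or a typo in a vendor STIG, and an uncovered CCI means the control needs an implementation source other than a STIG.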
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.

Especially consider when a vendor or organization has used automation to allow them to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.

The Department of Defense Instruction (DoDI) 8500 series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs).

In the absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance, or National Information Assurance Partnership (NIAP) Protection Profiles.
National Information Assurance Partnership (NIAP)

The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST). For more information, please visit the NIAP website.
Knowledge Review 3

The Department of Defense (DoD) has taken every security control and associated enhancement within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual measurable statements referred to as (fill in the blank):

• DoD Security Controls
• Common Security Controls
• Control Correlation Identifiers (correct answer)
• Security Controls Catalog

Check Answer: The Department of Defense (DoD) has taken every security control and associated enhancement within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlation Identifiers.
Lesson Completion
You have completed the content for this lesson
To continue, select another lesson from the Table of Contents on the left.
If you have closed or hidden the Table of Contents click the Show TOC button at the top in the Atlas navigation bar
I Pbull ge23of23 I Back Next
--
___
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example
IRmiddot1 IRmiddot7
CCI
COshy
CCI-no___ _ tHfIOIM aupoon tbullto1ttbull to tN ---rH-MUpobMy 1NI elrin ~MidMliiA-U 10 Wtra
dlM-bullibullmtot11M~ --d-yWM-S
--~_ ~-------_-_-shy-
1R 1 QI IHQl(ll CO-I TM~Hl-bullclortd CoopedlNe ~
- bullbullbull-clflllY _ txtipo-d_ cwty
C0-2 TIM_bull ___IR-7 2) IRmiddot7 QI (11) iflCldlN tH$IOM4 Ibull~ to tM txtotNI_
The control is given a CCI number 000840
~
Tho --bot Tht--~~tidrMMbullud_H~ _ mpecWNHMHlMftl ___ ____ ~IOMJThtlp- topwa_rH_M_NNCHINl~ffl cMlcbull W U llMCt to uMrt W aallt1MCe ol thoH HMCff ~ 11Md I ~-middotmiddot--Y ____~ ~fVSlft~illhOnLO
Mt-et II M 1ftCldert ~
MMebull lo cotUct Tht -middot- Tht ___pectt6nMut ~ ~ obtMllll s -nne1 tht_____ ------wv---_~ ---_~ 10 0 __- _ -lomiddotmiddot---shy--_ I SOPlor--O 2 ~deg
) o Y-middot_ rHponM Conucts ~ _
Tht --bot TIM--~ lfltpeC1tidiMMUed bulllhtlilliM ~ otllMM s t1lit
fMCWodc ~ -MNCbull ptcMdef Wt CfJl)ltO 1ti1 - bull m wrren1 -middot--middotmiddot-middot ----- (QCllSP - shyTN Olll)lll zbullM bMt9 Tllif OfflllVbulldeg c0fdut19 a lfltpKlMUM tnull prNde Mii 1M91CbOftUffllrntinC Md_ tht upctae 1bt bull11 o1 tm11 llllttdMI Mt wwetnlll PifM bullbullbull~ JM ~mt_ bullbull MltHJaY to wMilbull bull 11 eccurlllbull and c_ ke ___ tlM ~ CNOSP -CHOSP____ __ C--N ___lllO ---Mt CJlOSPshy -oc1
Page 17 of 23 Back Next
---
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example
CCIOoshy
IR-1 A-1 CO- no___- Tho __ Tht--~t fHSIOMbull IUIJPM flICMilU ti lO the specttclr_IMCf Hfaibllltl MPKtflftHtfflmenl ~onll~ fHpOftH capiibMy lftCdtiril rnpoftM ~MNCe Of9ilV-oNI VHft to _ tllftHamp fl ma~~Md nace 10 Mllogow bullbull rr POHJt to~~ rHpMM 9tIPPOft middot~ Md -1bull ollllt-JY(tmloflllt_ --u-010-lof n-tMIMM_n_lllOd I--middotuany -~-middotmiddot-~--middot-y-- __--lO
_ff 11 idlnlI M ~ HSOONbull ~ MNCe to COlUCI
Rmiddot1 (1) Amiddot1 (1) The organizat ion employs automated Tho --bull_impecbatllbulluu olilaM ft x tht mechanisms to Increase the availability of
--- ---- C-Y__bololy IO-o IN__~incident response-related Information and _ - __ support _
----middot ~~~-~ l c~ bull deg - tclfleyFor each ~ fftPQnM COfll-ICImeasurable -shy
statement shys---shyTho __ Thi--~Thtot--bullbulloct c~MLll11s mspecte6assustcl rnmt ~ bull ~anbulltslNftl~ mtd IM
- middot-~ysmshy~__MtMlkMNCt prCMdet __wtQ~ lot II 9 CUfWll ----middot-- --cloc--hcopoWry (QC)SP) Mid shyTho__ Tho_ c-g lllollH C2) A-7 (2)(b) Thl0t~-middot~shy -OIHuocl-l~ond _ _ ___~ tflpenM tt ~tom tXltmal pnMdiln upclabull the bullbull Cl ~ ~~middot bullbull ~
POftM mttntltta bullbull MCairt to II ecc Md CllilNWll ~ ttw~lllo~eltlltCHOSP _CHOSP___ - -- __pon--MOylhollt
CtlOSP19- middot- The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog
Page 17 of 23 Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example ConltOI 800-53 CoonltOI CCINumber Tut lndlcalOf
IRmiddot1 IRmiddot7 CCfOOOll39 Tht Ofgltlltuotl ~ 811 ~ Tht OttJfUllOtl btillf The OtPitlllOlI COlOicl1119 I rt ftgtOMt ~Pl rtsourct lflttgltal 10 11W itlsptltttdlubullbull bullbulltdWil t ltbullblitJI 811 lnbullPtCtfoNbullbullbullbullbullbullmtlaquo nl lflltMtW OtfMllbullion11 itlC1I ffbullpotIM capaWlaquoy itlCldttlt pot bull11P1gtM bulltMCt organit8li0flal 11bullotri 10 dt-1 41_ d IPIbull ohf$ ~ Wld bullbullSttt811Ct 10 U$tff ~ 10 811 IT lltlpbullbullJc lO ~ ilICiltlttll tttporM $Upp)fl $tMCtt and qualily ti d Ult lftlltlOft sytiem fot 1111 hlftdlbullO 4MCbull and HtlftMCt 10 uwbull fot bullbullbullitctnet ol u~ bullbulllYicbullbull wMll 11Md bull
The organization being The organization conducting the inspectedassessed will implement an inspectionassessment obtains and examines the automated intra-organization incident incident response information sharing capabil ity response information incident related to validate the information sharing capability is information and support for example available to organizational users 1 SOP for Incident reporting 2 Incident handl ing FAQ -
3 Current incident activity awareness Information DoD specific guidance
4 Incident response contact and procedures Information
5 Incident report submissionIR-7 (2) IRbull7 (2) (bull)
pror_Mfs of~ system l)IOlICbOn nttworit dfftntbull StNCt ~ ~lllotl Mid Ct-IOSP lO lllidale bull 11 Wlftfll cap1bilily (CNOSP) Md Wllid
IRmiddot7 (2) IRmiddot7 (2) (b) CCl-0008A2 OfptllZMIOlI ~middotOlpZltiOfI Tht Ot1PfiZlllOn bttfIO The ~middotdeg CltMWMl(t tM ~ rt t-pofSe 1ebull m fNfllbtft 10 the itlf9Kttdfbullbullbullbullbullbulled ~ ttWI itlSpeltllOtlfbullbullbullbullbullbulltntfll obi Wld middot~middot lht UClemai~bull u~e llle lilt ol intemll incidenl list ol illlemal inCidetll re-tp(lltM tbullllM mtnlben
tHPottM teem mtmbers bull s MCeSSMy 10 91MUce ll bullbull ccbullbull and cunent lnteMeWS 1htoughOIA lhe WCydt Of the CNOSP With CttOSP pertdeg~~MOt11 gr-Mmt_ ilI conpincbOn Mth lhe lteidttll rttPolM te lflI mtmbtrbull nwy bullbullo be CNOSP flltfll ~ed~
DOD provides guidance and procedures This supplemental guidance reflecting automated mechanisms can provide a push pull capability for users seeking incident response assist ance For example individuals m ight query the assistance capability via a website or conversely the assistance capabil ity may preemptively send informat ion to users (general dist ribution or target ed) as part of increasing understanding of current response capabilit ies and support
Page 17 of 23 Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example ConltOI 800-53 CoonltOI CCINumber Tut lndlcalOf
IRmiddot1 IRmiddot7
Long Descript ion
A typical Control Correlation Identifiers entry is comprised of
bull Control Number IR-7 ( 1) is highlighted The Incident Response Family IR-7 ( 1) is a specific control to address Incident Response Assistance IAutomation Support For Availability Of Information Support
bull CCI label highlighted The control is given a CCI number 000840
bull CCI definition is highlighted The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog
IR-7 (2) IRbull7 (2) (bull) bull Guidance is highlighted DoD provides guidance and
procedures This supplemental guidance reflecting automated mechanisms can provide a push pull capability for
IRmiddot7 (2) IRmiddot7 (2) (b) users seeking incident response assistance For example individuals might query the assistance capability via a website or conversely the assistance capability may preemptively send information to users (general distribution
DOD provides or targeted) as part of increasing understanding of current can provide a response capabilities and support individuals m i
_ 41 StMCff qualily ti bullbullwMll11Md bull
d examines tile ring capabil ity capability is
c guidance ures
-
cunent lnteMeW5~deg -middot-bullbullbull ted mechanisms xample tance capabil ity
may preemptively send informat ion to users (general distri bution or target ed) as part of increasing understanding of current response capabilit ies and support
I Page17of 23 I Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Common Control I dentifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCls also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs) In RMF Step 1 while defining our system and authorization boundary we identi fied the hardware and software requirements
We can use that initial list to establish a list o f applicable STIGs for the In formation or PIT system
I Pbull ge18of23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs) Cont
When a STIG is not available for the specific hardware or software application we will use on our system a Security Requirements Guide (SRG) may be used
SRGs are a compilation of security controls and Control Correlation Identifiers (CCis) grouped into more applicable specific technology areas at various levels of technology and product specificity An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STGs) There are basically two types of SRGs
The first group are four Core SRGs which deal with Applications Networking Devices Operating Systems and Policy The second group are technology specific SRGs A Technology specific SRG is a child of a Core SRG For example the Database SRG was derived from the requirements in the Application SRG
I Page 19of23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
The Purpose and Implementation Of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes the individual CCs may be incorporated as appropriate into initial Statements of Work or Objectives System Requirements Documents Contract Data Requirements Lists (CDRLs) and Integrated Master Plans Schedules ( IMPs IMSs)
CCs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design the ISSM and SSE should fully participate in Integrated Process Team ( PT) analyses trades configuration management risk deliberations and throughout Systems Engineering Technical Review (SETR) processes and reviews
I Page20of 23 I Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls organizations should reference other relevant documentation This could include but is not limited to configuration of solutions to meet security control and control correlation identifier requirements from product vendors or o ther organizations that have employed the same or similar Information or PIT systems
Especially consider when a vendor or organization has used automation to allow them to maximize communica tions and increase the overall efficiency and cost effectiveness of their security control implementation
The Department of Defense Instruction DoDI) 8500 Series mandates the use of Security Technical Implementation Guides STIGs) and Security Requirements Guidelines SRGs)
In absence of SRGs or STIGs for a particular solution or implementation you may use National Security Agency NSA) Secure Configuration Guidelines NIST guidance or Natjonal Information Assurance Program NIAP) Protection Profiles
I Pbull ge 21 of 23 I Back Next
ISA220 Risk Management Framework for Practitione rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Additional Security Control Implementation Guidance
Jn addition to using the RMF Knowledge Service to assist you in implementing security controls organizations should reference other relevant documentation This could include but is no t limited to configuration o f solutions to meet security control and control correla tion identi fier requiremen ts from product vendors or o ther organizations that have employed the same or similar Jnformation or PIT systems
Especially consider when a vendor or organization has used automation to allow them to~-llilliwimiddot~----------------------bull communications and increase theand cost effectiv eness of their se National Information Assurance Program implementation The National In formation Assurance Partnership NIAP) is a
United States government initiative to meet the securityThe Department of Defense Instn testing needs of both information technology consumers andSeries mandates the use of Secur producers that is operated by the National Security AgencyImplementation Guides STJGs) ar NSA) and was originally a joint effort between NSA andRequirements Guidelines SRGs) the National Institute of Standards and Technology NIST)
Jn absence of SRGs or STJGs for lt For more information please visit or implementation you may use N f fm Agency (NSA) Secure Configuratimiddot ttos w nia ic v rolRh Cih l lww o-ic ie smiddoto e IW atisN AIPCESmiddotcmiddotI guidance or National Information Assurance Program NIAP) Protection Profiles
-41111111 I Page 21 of 23 Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Knowledge Review 3
The Department of Defense DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology NJST) Special Publication (SP) 800- 53 and decomposed them into individual measurable statements referred to as (Fill in the blank)
DoD Security Controls
LJ Common Security Con trols
~ Control Correlation Identifiers
Security Controls catalog
Check Answ er
The Department of Defense DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlatio n I de nt ifiers
I Pbull ge 22 of 23 I Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Lesson Completion
You have completed the content for this lesson
To continue select another lesson from the Table o f Contents on the left
If you have closed or hidden the Table of Contents click the Show TOC button at the top in the Atlas navigation bar
I Pbull ge23of23 I Back Next
---
Control Correlation Identifiers Example
The table on this page shows one CCI entry for the Incident Response (IR) family: the control number, the NIST SP 800-53 control text, the CCI number and definition, what the organization being inspected/assessed implements, what the organization conducting the inspection/assessment examines, and the DoD specific guidance.
Control Number: IR-7 (1), Incident Response Assistance | Automation Support for Availability of Information / Support
800-53 Control Text: The organization employs automated mechanisms to increase the availability of incident response-related information and support.
CCI Number: CCI-000840
CCI Definition: The same as the control text in NIST SP 800-53 and in the Security Controls Catalog.
Organization being inspected/assessed: will implement an automated intra-organization incident response information sharing capability related to incident information and support, for example:
1. SOP for incident reporting
2. Incident handling FAQ
3. Current incident activity awareness information
4. Incident response contact and procedures information
5. Incident report submission
Organization conducting the inspection/assessment: obtains and examines the incident response information sharing capability to validate that the information sharing capability is available to organizational users.
DoD specific guidance: DoD provides guidance and procedures. This supplemental guidance, reflecting automated mechanisms, can provide a push/pull capability for users seeking incident response assistance. For example, individuals might query the assistance capability via a website, or conversely the assistance capability may preemptively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
The table also contains rows for IR-7 (2)(a) and IR-7 (2)(b), which concern the organization's external Computer Network Defense Service Provider (CNDSP) and the list of internal incident response team members identified to it.
Long Description
A typical Control Correlation Identifiers entry is comprised of:
• Control Number (IR-7 (1) is highlighted): the Incident Response family control IR-7 (1) addresses Incident Response Assistance | Automation Support for Availability of Information / Support.
• CCI label (highlighted): the control is given a CCI number, 000840.
• CCI definition (highlighted): the CCI definition is the same as the control definition in NIST SP 800-53 and within the Security Controls Catalog.
• Guidance (highlighted): the DoD specific guidance and procedures shown in the last column of the table above.
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCIs also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs). In RMF Step 1, while defining our system and authorization boundary, we identified the hardware and software requirements.
We can use that initial list to establish a list of applicable STIGs for the Information or PIT system.
Control Correlation Identifiers in Correlation to Security Technical Implementation Guides (STIGs), Cont.
When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.
SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.
The first group is the four Core SRGs, which deal with Applications, Networking Devices, Operating Systems and Policy. The second group is the technology-specific SRGs. A technology-specific SRG is a child of a Core SRG; for example, the Database SRG was derived from the requirements in the Application SRG.
The Purpose and Implementation of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated, as appropriate, into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs) and Integrated Master Plans/Schedules (IMPs/IMSs).
CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and the Systems Security Engineer (SSE) should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management and risk deliberations, and throughout Systems Engineering Technical Review (SETR) processes and reviews.
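The traceability this page describes, and the CCI-to-STIG correlation introduced on the STIG page before it, can be computed directly from the artifacts a practitioner already holds: the DISA CCI list and a STIG benchmark. The Python below is an added example written for this transcript; it is not part of the ISA220 course or of any DISA tool. It assumes the public formats of those artifacts (the CCI list's cci_item and reference index elements, and XCCDF 1.1 Rule and ident elements) and embeds two constructed sample fragments in those formats; every rule ID, title and CCI-to-rule assignment in the samples is made up, and only CCI-000840 / IR-7 (1) is taken from the lesson's own example.

```python
"""Trace NIST SP 800-53 controls to STIG rules through Control Correlation
Identifiers (CCIs). Added example for this lesson; not ISA220 or DISA code.

Assumed formats: the DISA CCI list (U_CCI_List.xml, namespace
http://iase.disa.mil/cci) and a STIG benchmark in XCCDF 1.1, whose <Rule>
elements cite CCIs in <ident> children. Both fragments below are CONSTRUCTED
samples; rule IDs, titles and CCI-to-rule assignments are made up."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from collections import defaultdict

CCI_NS = {"c": "http://iase.disa.mil/cci"}
XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}

# Constructed sample CCI list: each CCI decomposes one 800-53 control index.
SAMPLE_CCI_LIST = """<cci_list xmlns="http://iase.disa.mil/cci">
  <cci_items>
    <cci_item id="CCI-000840">
      <references>
        <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" index="IR-7 (1)"/>
      </references>
    </cci_item>
    <cci_item id="CCI-000366">
      <references>
        <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" index="CM-6 b"/>
      </references>
    </cci_item>
    <cci_item id="CCI-001453">
      <references>
        <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" index="AC-17 (2)"/>
      </references>
    </cci_item>
  </cci_items>
</cci_list>"""

# Constructed sample STIG. DISA has used two <ident> system URIs over time;
# the third rule deliberately cites a CCI the list above does not contain.
SAMPLE_STIG = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Sample_STIG">
  <Group id="V-000001">
    <Rule id="SV-000001r1_rule" severity="medium">
      <title>The application must provide an automated incident response information sharing capability.</title>
      <ident system="http://cyber.mil/cci">CCI-000840</ident>
    </Rule>
  </Group>
  <Group id="V-000002">
    <Rule id="SV-000002r1_rule" severity="high">
      <title>Remote administrative sessions must be protected by FIPS-validated TLS.</title>
      <ident system="http://iase.disa.mil/cci">CCI-001453</ident>
      <ident system="http://cyber.mil/cci">CCI-000366</ident>
    </Rule>
  </Group>
  <Group id="V-000003">
    <Rule id="SV-000003r1_rule" severity="low">
      <title>Rule citing a CCI that the local CCI list does not contain.</title>
      <ident system="http://cyber.mil/cci">CCI-999999</ident>
    </Rule>
  </Group>
</Benchmark>"""


def cci_to_controls(cci_xml: str) -> dict[str, set[str]]:
    """Map each CCI id to the 800-53 control indexes it decomposes, e.g. {'IR-7 (1)'}."""
    ccis: dict[str, set[str]] = {}
    for item in ET.fromstring(cci_xml).iterfind(".//c:cci_item", CCI_NS):
        refs = item.iterfind("c:references/c:reference", CCI_NS)
        ccis[item.get("id")] = {r.get("index") for r in refs if r.get("index")}
    return ccis


def stig_rule_ccis(stig_xml: str) -> dict[str, set[str]]:
    """Map each STIG rule id to its CCIs; accept any <ident> system URI ending in '/cci'."""
    rules: dict[str, set[str]] = {}
    for rule in ET.fromstring(stig_xml).iterfind(".//x:Rule", XCCDF_NS):
        idents = rule.iterfind("x:ident", XCCDF_NS)
        rules[rule.get("id")] = {i.text.strip() for i in idents
                                 if i.text and (i.get("system") or "").endswith("/cci")}
    return rules


def base_control(index: str) -> str:
    """Collapse 'IR-7 (1)' or 'CM-6 b' to the base control 'IR-7' / 'CM-6'."""
    return index.split()[0]


def correlate(cci_xml: str, stig_xml: str) -> tuple[dict[str, list[str]], dict[str, set[str]]]:
    """Return (base control -> sorted STIG rule ids, rule id -> CCIs absent from the
    CCI list). The first is the traceability the lesson describes; the second is a
    failure mode to investigate (stale CCI list, superseded STIG, typo), not to drop."""
    ccis = cci_to_controls(cci_xml)
    by_control: dict[str, set[str]] = defaultdict(set)
    unmapped: dict[str, set[str]] = {}
    for rule_id, rule_ccis in stig_rule_ccis(stig_xml).items():
        missing = {c for c in rule_ccis if c not in ccis}
        if missing:
            unmapped[rule_id] = missing
        for cci in rule_ccis - missing:
            for index in ccis[cci]:
                by_control[base_control(index)].add(rule_id)
    return {c: sorted(r) for c, r in sorted(by_control.items())}, unmapped


if __name__ == "__main__":
    trace, unmapped = correlate(SAMPLE_CCI_LIST, SAMPLE_STIG)
    for control, rule_ids in trace.items():
        print(f"{control}: {', '.join(rule_ids)}")
    for rule_id, bad in unmapped.items():
        print(f"WARNING {rule_id} cites CCIs not in the CCI list: {sorted(bad)}")
```

Run against the real U_CCI_List.xml and a downloaded STIG, the same functions give you, per control in your Security Plan, the STIG rules whose results are evidence for that control. A rule whose CCI is not in your CCI list should be treated as a finding against the artifact set (the CCI list or the STIG is out of date, or the ident is wrong), because it cannot be traced to any control and would otherwise disappear from the crosswalk.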
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.
Especially consider when a vendor or organization has used automation to allow them to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.
The Department of Defense Instruction (DoDI) 8500 series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs).
In the absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance or National Information Assurance Partnership (NIAP) Protection Profiles.
National Information Assurance Partnership: The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST).
Knowledge Review 3
The Department of Defense (DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and decomposed them into individual measurable statements referred to as (fill in the blank):
DoD Security Controls
Common Security Controls
Control Correlation Identifiers (correct)
Security Controls Catalog
Answer: The Department of Defense (DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlation Identifiers.
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Lesson Completion
You have completed the content for this lesson
To continue select another lesson from the Table o f Contents on the left
If you have closed or hidden the Table of Contents click the Show TOC button at the top in the Atlas navigation bar
I Pbull ge23of23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example ConltOI 800-53 CoonltOI CCINumber Tut lndlcalOf
IRmiddot1 IRmiddot7 CCfOOOll39 Tht Ofgltlltuotl ~ 811 ~ Tht OttJfUllOtl btillf The OtPitlllOlI COlOicl1119 I rt ftgtOMt ~Pl rtsourct lflttgltal 10 11W itlsptltttdlubullbull bullbulltdWil t ltbullblitJI 811 lnbullPtCtfoNbullbullbullbullbullbullmtlaquo nl lflltMtW OtfMllbullion11 itlC1I ffbullpotIM capaWlaquoy itlCldttlt pot bull11P1gtM bulltMCt organit8li0flal 11bullotri 10 dt-1 41_ d IPIbull ohf$ ~ Wld bullbullSttt811Ct 10 U$tff ~ 10 811 IT lltlpbullbullJc lO ~ ilICiltlttll tttporM $Upp)fl $tMCtt and qualily ti d Ult lftlltlOft sytiem fot 1111 hlftdlbullO 4MCbull and HtlftMCt 10 uwbull fot bullbullbullitctnet ol u~ bullbulllYicbullbull wMll 11Md bull
The organization being The organization conducting the inspectedassessed will implement an inspectionassessment obtains and examines the automated intra-organization incident incident response information sharing capabil ity response information incident related to validate the information sharing capability is information and support for example available to organizational users 1 SOP for Incident reporting 2 Incident handl ing FAQ -
3 Current incident activity awareness Information DoD specific guidance
4 Incident response contact and procedures Information
5 Incident report submissionIR-7 (2) IRbull7 (2) (bull)
pror_Mfs of~ system l)IOlICbOn nttworit dfftntbull StNCt ~ ~lllotl Mid Ct-IOSP lO lllidale bull 11 Wlftfll cap1bilily (CNOSP) Md Wllid
IRmiddot7 (2) IRmiddot7 (2) (b) CCl-0008A2 OfptllZMIOlI ~middotOlpZltiOfI Tht Ot1PfiZlllOn bttfIO The ~middotdeg CltMWMl(t tM ~ rt t-pofSe 1ebull m fNfllbtft 10 the itlf9Kttdfbullbullbullbullbullbulled ~ ttWI itlSpeltllOtlfbullbullbullbullbullbulltntfll obi Wld middot~middot lht UClemai~bull u~e llle lilt ol intemll incidenl list ol illlemal inCidetll re-tp(lltM tbullllM mtnlben
tHPottM teem mtmbers bull s MCeSSMy 10 91MUce ll bullbull ccbullbull and cunent lnteMeWS 1htoughOIA lhe WCydt Of the CNOSP With CttOSP pertdeg~~MOt11 gr-Mmt_ ilI conpincbOn Mth lhe lteidttll rttPolM te lflI mtmbtrbull nwy bullbullo be CNOSP flltfll ~ed~
DOD provides guidance and procedures This supplemental guidance reflecting automated mechanisms can provide a push pull capability for users seeking incident response assist ance For example individuals m ight query the assistance capability via a website or conversely the assistance capabil ity may preemptively send informat ion to users (general dist ribution or target ed) as part of increasing understanding of current response capabilit ies and support
Page 17 of 23 Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example ConltOI 800-53 CoonltOI CCINumber Tut lndlcalOf
IRmiddot1 IRmiddot7
Long Descript ion
A typical Control Correlation Identifiers entry is comprised of
bull Control Number IR-7 ( 1) is highlighted The Incident Response Family IR-7 ( 1) is a specific control to address Incident Response Assistance IAutomation Support For Availability Of Information Support
bull CCI label highlighted The control is given a CCI number 000840
bull CCI definition is highlighted The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog
IR-7 (2) IRbull7 (2) (bull) bull Guidance is highlighted DoD provides guidance and
procedures This supplemental guidance reflecting automated mechanisms can provide a push pull capability for
IRmiddot7 (2) IRmiddot7 (2) (b) users seeking incident response assistance For example individuals might query the assistance capability via a website or conversely the assistance capability may preemptively send information to users (general distribution
DOD provides or targeted) as part of increasing understanding of current can provide a response capabilities and support individuals m i
_ 41 StMCff qualily ti bullbullwMll11Md bull
d examines tile ring capabil ity capability is
c guidance ures
-
cunent lnteMeW5~deg -middot-bullbullbull ted mechanisms xample tance capabil ity
may preemptively send informat ion to users (general distri bution or target ed) as part of increasing understanding of current response capabilit ies and support
I Page17of 23 I Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Common Control I dentifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCls also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs) In RMF Step 1 while defining our system and authorization boundary we identi fied the hardware and software requirements
We can use that initial list to establish a list o f applicable STIGs for the In formation or PIT system
I Pbull ge18of23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs) Cont
When a STIG is not available for the specific hardware or software application we will use on our system a Security Requirements Guide (SRG) may be used
SRGs are a compilation of security controls and Control Correlation Identifiers (CCis) grouped into more applicable specific technology areas at various levels of technology and product specificity An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STGs) There are basically two types of SRGs
The first group are four Core SRGs which deal with Applications Networking Devices Operating Systems and Policy The second group are technology specific SRGs A Technology specific SRG is a child of a Core SRG For example the Database SRG was derived from the requirements in the Application SRG
I Page 19of23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
The Purpose and Implementation Of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes the individual CCs may be incorporated as appropriate into initial Statements of Work or Objectives System Requirements Documents Contract Data Requirements Lists (CDRLs) and Integrated Master Plans Schedules ( IMPs IMSs)
CCs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design the ISSM and SSE should fully participate in Integrated Process Team ( PT) analyses trades configuration management risk deliberations and throughout Systems Engineering Technical Review (SETR) processes and reviews
I Page20of 23 I Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls organizations should reference other relevant documentation This could include but is not limited to configuration of solutions to meet security control and control correlation identifier requirements from product vendors or o ther organizations that have employed the same or similar Information or PIT systems
Especially consider when a vendor or organization has used automation to allow them to maximize communica tions and increase the overall efficiency and cost effectiveness of their security control implementation
The Department of Defense Instruction DoDI) 8500 Series mandates the use of Security Technical Implementation Guides STIGs) and Security Requirements Guidelines SRGs)
In absence of SRGs or STIGs for a particular solution or implementation you may use National Security Agency NSA) Secure Configuration Guidelines NIST guidance or Natjonal Information Assurance Program NIAP) Protection Profiles
I Pbull ge 21 of 23 I Back Next
ISA220 Risk Management Framework for Practitione rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Additional Security Control Implementation Guidance
Jn addition to using the RMF Knowledge Service to assist you in implementing security controls organizations should reference other relevant documentation This could include but is no t limited to configuration o f solutions to meet security control and control correla tion identi fier requiremen ts from product vendors or o ther organizations that have employed the same or similar Jnformation or PIT systems
Especially consider when a vendor or organization has used automation to allow them to~-llilliwimiddot~----------------------bull communications and increase theand cost effectiv eness of their se National Information Assurance Program implementation The National In formation Assurance Partnership NIAP) is a
United States government initiative to meet the securityThe Department of Defense Instn testing needs of both information technology consumers andSeries mandates the use of Secur producers that is operated by the National Security AgencyImplementation Guides STJGs) ar NSA) and was originally a joint effort between NSA andRequirements Guidelines SRGs) the National Institute of Standards and Technology NIST)
Jn absence of SRGs or STJGs for lt For more information please visit or implementation you may use N f fm Agency (NSA) Secure Configuratimiddot ttos w nia ic v rolRh Cih l lww o-ic ie smiddoto e IW atisN AIPCESmiddotcmiddotI guidance or National Information Assurance Program NIAP) Protection Profiles
-41111111 I Page 21 of 23 Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Knowledge Review 3
The Department of Defense DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology NJST) Special Publication (SP) 800- 53 and decomposed them into individual measurable statements referred to as (Fill in the blank)
DoD Security Controls
LJ Common Security Con trols
~ Control Correlation Identifiers
Security Controls catalog
Check Answ er
The Department of Defense DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlatio n I de nt ifiers
I Pbull ge 22 of 23 I Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Lesson Completion
You have completed the content for this lesson
To continue select another lesson from the Table o f Contents on the left
If you have closed or hidden the Table of Contents click the Show TOC button at the top in the Atlas navigation bar
I Pbull ge23of23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Control Correlation Identifiers Example ConltOI 800-53 CoonltOI CCINumber Tut lndlcalOf
IRmiddot1 IRmiddot7
Long Descript ion
A typical Control Correlation Identifiers entry is comprised of
bull Control Number IR-7 ( 1) is highlighted The Incident Response Family IR-7 ( 1) is a specific control to address Incident Response Assistance IAutomation Support For Availability Of Information Support
bull CCI label highlighted The control is given a CCI number 000840
bull CCI definition is highlighted The CCI definition is the same as the Control definition in NIST SP 800-53 and within the Security Controls Catalog
IR-7 (2) IRbull7 (2) (bull) bull Guidance is highlighted DoD provides guidance and
procedures This supplemental guidance reflecting automated mechanisms can provide a push pull capability for
IRmiddot7 (2) IRmiddot7 (2) (b) users seeking incident response assistance For example individuals might query the assistance capability via a website or conversely the assistance capability may preemptively send information to users (general distribution
DOD provides or targeted) as part of increasing understanding of current can provide a response capabilities and support individuals m i
_ 41 StMCff qualily ti bullbullwMll11Md bull
d examines tile ring capabil ity capability is
c guidance ures
-
cunent lnteMeW5~deg -middot-bullbullbull ted mechanisms xample tance capabil ity
may preemptively send informat ion to users (general distri bution or target ed) as part of increasing understanding of current response capabilit ies and support
I Page17of 23 I Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Common Control I dentifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCls also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs) In RMF Step 1 while defining our system and authorization boundary we identi fied the hardware and software requirements
We can use that initial list to establish a list o f applicable STIGs for the In formation or PIT system
I Pbull ge18of23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs) Cont
When a STIG is not available for the specific hardware or software application we will use on our system a Security Requirements Guide (SRG) may be used
SRGs are a compilation of security controls and Control Correlation Identifiers (CCis) grouped into more applicable specific technology areas at various levels of technology and product specificity An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STGs) There are basically two types of SRGs
The first group are four Core SRGs which deal with Applications Networking Devices Operating Systems and Policy The second group are technology specific SRGs A Technology specific SRG is a child of a Core SRG For example the Database SRG was derived from the requirements in the Application SRG
I Page 19of23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
The Purpose and Implementation Of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes the individual CCs may be incorporated as appropriate into initial Statements of Work or Objectives System Requirements Documents Contract Data Requirements Lists (CDRLs) and Integrated Master Plans Schedules ( IMPs IMSs)
CCs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design the ISSM and SSE should fully participate in Integrated Process Team ( PT) analyses trades configuration management risk deliberations and throughout Systems Engineering Technical Review (SETR) processes and reviews
I Page20of 23 I Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls organizations should reference other relevant documentation This could include but is not limited to configuration of solutions to meet security control and control correlation identifier requirements from product vendors or o ther organizations that have employed the same or similar Information or PIT systems
Especially consider when a vendor or organization has used automation to allow them to maximize communica tions and increase the overall efficiency and cost effectiveness of their security control implementation
The Department of Defense Instruction DoDI) 8500 Series mandates the use of Security Technical Implementation Guides STIGs) and Security Requirements Guidelines SRGs)
In absence of SRGs or STIGs for a particular solution or implementation you may use National Security Agency NSA) Secure Configuration Guidelines NIST guidance or Natjonal Information Assurance Program NIAP) Protection Profiles
I Pbull ge 21 of 23 I Back Next
ISA220 Risk Management Framework for Practitione rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Additional Security Control Implementation Guidance
Jn addition to using the RMF Knowledge Service to assist you in implementing security controls organizations should reference other relevant documentation This could include but is no t limited to configuration o f solutions to meet security control and control correla tion identi fier requiremen ts from product vendors or o ther organizations that have employed the same or similar Jnformation or PIT systems
Especially consider when a vendor or organization has used automation to allow them to~-llilliwimiddot~----------------------bull communications and increase theand cost effectiv eness of their se National Information Assurance Program implementation The National In formation Assurance Partnership NIAP) is a
United States government initiative to meet the securityThe Department of Defense Instn testing needs of both information technology consumers andSeries mandates the use of Secur producers that is operated by the National Security AgencyImplementation Guides STJGs) ar NSA) and was originally a joint effort between NSA andRequirements Guidelines SRGs) the National Institute of Standards and Technology NIST)
Jn absence of SRGs or STJGs for lt For more information please visit or implementation you may use N f fm Agency (NSA) Secure Configuratimiddot ttos w nia ic v rolRh Cih l lww o-ic ie smiddoto e IW atisN AIPCESmiddotcmiddotI guidance or National Information Assurance Program NIAP) Protection Profiles
-41111111 I Page 21 of 23 Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Knowledge Review 3
The Department of Defense DoD) has taken every security control and associated enhancements within the National Institute of Standards and Technology NJST) Special Publication (SP) 800- 53 and decomposed them into individual measurable statements referred to as (Fill in the blank)
DoD Security Controls
LJ Common Security Con trols
~ Control Correlation Identifiers
Security Controls catalog
Check Answ er
The Department of Defense DoD) has taken every security control and associated enhancements within the NIST SP 800-53 Security Controls Catalog and decomposed them into individual measurable statements referred to as Control Correlatio n I de nt ifiers
I Pbull ge 22 of 23 I Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Lesson Completion
You have completed the content for this lesson
To continue select another lesson from the Table o f Contents on the left
If you have closed or hidden the Table of Contents click the Show TOC button at the top in the Atlas navigation bar
I Pbull ge23of23 I Back Next
ISA220 Risk Man agement Framework for Practition e rs Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Common Control I dentifiers in Correlation to Security Technical Implementation Guides (STIGs)
CCls also allow us to map (correlate) security controls to DoD Security Technical Implementation Guides (STIGs) In RMF Step 1 while defining our system and authorization boundary we identi fied the hardware and software requirements
We can use that initial list to establish a list o f applicable STIGs for the In formation or PIT system
I Pbull ge18of23 I Back Next
ISA220 Risk Management Framework for Practitioners Lesson 51 - Implementation of Control Solutions RESOURCES I PRINT I HELP
Common Control Identifiers in Correlation to Security Technical Implementation Guides (STIGs), Cont.
When a STIG is not available for the specific hardware or software application we will use on our system, a Security Requirements Guide (SRG) may be used.
SRGs are a compilation of security controls and Control Correlation Identifiers (CCIs) grouped into more applicable, specific technology areas at various levels of technology and product specificity. An SRG provides DoD specificity (such as DoD or organizationally defined parameters) to CCI requirements.
SRGs are also used by DISA and vendor guide developers to build Security Technical Implementation Guides (STIGs). There are basically two types of SRGs.
The first group are four Core SRGs, which deal with Applications, Networking Devices, Operating Systems, and Policy. The second group are technology-specific SRGs. A technology-specific SRG is a child of a Core SRG. For example, the Database SRG was derived from the requirements in the Application SRG.
Page 19 of 23
The Purpose and Implementation of Control Correlation Identifiers
As we align to the Acquisition Life Cycle processes, the individual CCIs may be incorporated as appropriate into initial Statements of Work or Objectives, System Requirements Documents, Contract Data Requirements Lists (CDRLs), and Integrated Master Plans/Schedules (IMPs/IMSs).
CCIs also provide direct traceability between security controls and derived requirements and specifications that can be maintained throughout the development life cycle.
To ensure that initial user performance and functional requirements are correctly translated into product specifications and the final design, the ISSM and SSE should fully participate in Integrated Process Team (IPT) analyses, trades, configuration management, risk deliberations, and throughout Systems Engineering Technical Review (SETR) processes and reviews.
Page 20 of 23
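The control-to-CCI-to-STIG traceability described on pages 18 through 20 can be checked mechanically rather than by hand. The script below is an added example, not part of the ISA220 course material and not a DISA tool. It assumes two constructed inputs: a small CCI table in the shape of DISA's CCI list (the CCI numbers and definitions are illustrative placeholders, not DISA's real entries) and a constructed XCCDF fragment in the shape of a DISA STIG benchmark, in which each rule names the CCIs it checks in ident elements (the XCCDF 1.1 namespace and the http://cyber.mil/cci system identifier are assumptions about the published format). It decomposes the selected controls into their CCIs, maps each CCI to the STIG rules that check it, and reports the CCIs with no STIG rule behind them, which is exactly the case where the course says an SRG or other guidance must fill the gap.

```python
"""Traceability from NIST SP 800-53 controls to CCIs to STIG rules.

Added example, not part of the ISA220 course. Inputs are constructed:
a CCI table in the shape of DISA's CCI list and an XCCDF fragment in the
shape of a DISA STIG benchmark. Identifiers are placeholders.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: a few CCIs decomposed from two 800-53 controls.
# The CCI numbers and definitions are illustrative, not DISA's actual entries.
CCI_TABLE = {
    "CCI-000001": {"control": "AC-1", "definition": "Develop an access control policy."},
    "CCI-000002": {"control": "AC-1", "definition": "Disseminate the access control policy."},
    "CCI-000018": {"control": "AU-3", "definition": "Audit records contain the type of event."},
    "CCI-000019": {"control": "AU-3", "definition": "Audit records contain when the event occurred."},
}

# Constructed XCCDF fragment in the shape of a DISA STIG benchmark. The
# xccdf 1.1 namespace and <ident system="http://cyber.mil/cci"> are assumed
# to be how published STIGs label the CCIs a rule satisfies.
STIG_XCCDF = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Example_OS_STIG">
  <Group id="V-000001">
    <Rule id="SV-000001r1_rule" severity="medium">
      <title>The OS must record the event type in audit records.</title>
      <ident system="http://cyber.mil/cci">CCI-000018</ident>
    </Rule>
  </Group>
  <Group id="V-000002">
    <Rule id="SV-000002r1_rule" severity="high">
      <title>The OS must timestamp audit records.</title>
      <ident system="http://cyber.mil/cci">CCI-000019</ident>
      <ident system="http://cyber.mil/cci">CCI-000018</ident>
    </Rule>
  </Group>
</Benchmark>
"""

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}
CCI_SYSTEM = "http://cyber.mil/cci"


def stig_rules_by_cci(xccdf_text):
    """Map each CCI to the ids of the STIG rules that check it."""
    root = ET.fromstring(xccdf_text)
    by_cci = defaultdict(list)
    for rule in root.iterfind(".//x:Rule", XCCDF_NS):
        for ident in rule.iterfind("x:ident", XCCDF_NS):
            if ident.get("system") == CCI_SYSTEM:
                by_cci[ident.text.strip()].append(rule.get("id"))
    return dict(by_cci)


def ccis_for_controls(cci_table, controls):
    """Decompose the selected controls into their CCIs (control -> [CCI])."""
    out = defaultdict(list)
    for cci, item in sorted(cci_table.items()):
        if item["control"] in controls:
            out[item["control"]].append(cci)
    return dict(out)


def coverage_report(cci_table, xccdf_text, controls):
    """Return {control: {cci: [rule ids]}}. An empty rule list means no STIG
    rule checks that CCI, so an SRG or other guidance is needed for it."""
    rules = stig_rules_by_cci(xccdf_text)
    report = {}
    for control, ccis in ccis_for_controls(cci_table, controls).items():
        report[control] = {cci: sorted(rules.get(cci, [])) for cci in ccis}
    return report


def uncovered_ccis(report):
    """Flatten the report to the CCIs that no STIG rule covers."""
    return sorted(cci for per_control in report.values()
                  for cci, rule_ids in per_control.items() if not rule_ids)


if __name__ == "__main__":
    rep = coverage_report(CCI_TABLE, STIG_XCCDF, {"AC-1", "AU-3"})
    for control, per_cci in rep.items():
        for cci, rule_ids in per_cci.items():
            status = ", ".join(rule_ids) if rule_ids else "NO STIG RULE (use SRG)"
            print(f"{control:6} {cci}  {status}")
```

Run as a script, it lists each CCI of AC-1 and AU-3 with the STIG rules that check it: both AU-3 CCIs are covered by the constructed operating-system STIG, while the two AC-1 (policy) CCIs have no STIG rule and fall back to the Policy core SRG, matching the course's STIG-then-SRG order. Against real inputs, load DISA's CCI list and the applicable STIG benchmarks in place of the constructed strings.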
Additional Security Control Implementation Guidance
In addition to using the RMF Knowledge Service to assist you in implementing security controls, organizations should reference other relevant documentation. This could include, but is not limited to, configuration of solutions to meet security control and control correlation identifier requirements from product vendors or other organizations that have employed the same or similar Information or PIT systems.
Especially consider when a vendor or organization has used automation to allow them to maximize communications and increase the overall efficiency and cost effectiveness of their security control implementation.
The Department of Defense Instruction (DoDI) 8500 Series mandates the use of Security Technical Implementation Guides (STIGs) and Security Requirements Guidelines (SRGs).
In absence of SRGs or STIGs for a particular solution or implementation, you may use National Security Agency (NSA) Secure Configuration Guidelines, NIST guidance, or National Information Assurance Program (NIAP) Protection Profiles.
Page 21 of 23
National Information Assurance Program
The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers that is operated by the National Security Agency (NSA) and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST). For more information please visit: [URL not legible in the transcript]