Slide 1

RISK MANAGEMENT FRAMEWORK (RMF) V2.0

Derek Duchein, CISSP, CRISC
Cybersecurity Professor, DAU
[email protected]

Slide 2

CHRONOLOGY

SP 800-37 Rev. 1 published February 2010 (updated 6/5/2014): “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach”

DoDI 8510.01 published March 2014 (updated 7/28/2017: DIACAP-to-RMF transition timing and Coast Guard applicability)

SP 800-37 Rev. 2 published December 2018: “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy”

Slide 3

WHY RMF 2.0?

(Live threat map shown: https://www.fireeye.com/cyber-map/threat-map.html)

Slide 4

https://csrc.nist.gov/

Slide 5 (image only)

Slide 6

CYBERSECURITY POSTURE

“The cybersecurity of our weapons and networks needs increased attention. In support of that, the Department needs to evolve how we monitor our cybersecurity posture. The two-phase Cooperative Vulnerability and Penetration Assessment (CVPA) and Adversarial Assessment (AA) approach currently outlined in DOT&E test guidance is necessary to help inform the cybersecurity posture of DOD systems, but is not sufficient. This testing has greatly improved our understanding of cyber vulnerabilities, but in addition to dedicated assessments, DOD systems must be built to include technologies to continuously monitor cybersecurity, and automatically find and patch software vulnerabilities. Periodic assessments by Red Teams alone are not adequate, because the security of system software can change at any time due to operator errors, or adversary cyber-attacks.” (p. i)

Slide 7 (image only)

Slide 8 (image only)

Slide 9

NIST Special Publication (SP) 800-37 Revision 2, “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy”

This update to NIST SP 800-37 develops the next-generation Risk Management Framework (RMF) for information systems, organizations, and individuals, in response to:

- Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (May 11, 2017)
- OMB Memorandum M-17-25, Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (May 19, 2017)
- OMB Circular A-130, Managing Information as a Strategic Resource (July 28, 2016)
- OMB Memorandum M-19-03, Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program (December 10, 2018)

Slide 10

RISK MANAGEMENT FRAMEWORK V2.0

Terminal Learning Objective: Understand and implement programs and systems within a unified framework for managing security, privacy, and supply chain risks.

Enabling Objective: Design the next-generation RMF for information systems, organizations, and individuals consistent with seven major objectives:

1. To provide closer linkage and communication between the organizational risk management processes and the operational level.
2. To institutionalize critical risk management preparatory activities at all risk management levels.
3. To demonstrate how the NIST Cybersecurity Framework can be aligned with the RMF.
4. To integrate privacy risk management processes into the RMF.
5. To promote the development of trustworthy secure software and systems by aligning the life cycle-based systems engineering processes in SP 800-160 Vol. 1 and 2 with the relevant RMF tasks.
6. To integrate security-related supply chain risk management (SCRM) concepts.
7. To allow an organization-generated control selection approach to complement the traditional baseline control selection approach and support the use of the consolidated control catalog in NIST Special Publication 800-53, Revision 5.

Slide 11

OBJECTIVE #1

To provide closer linkage and communication between the risk management processes and activities at the governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization.

(Callout: The Ultimate Objective for Security.)

Slide 12

OBJECTIVE #2

To institutionalize critical organization-wide risk management preparatory activities at all risk management levels to facilitate a more effective, efficient, and cost-effective execution of the RMF.

Slide 13 (image only)

Slide 14

ADDITION OF THE “PREPARE” STEP

By achieving the following objectives, organizations can simplify RMF execution, employ innovative approaches for managing risk, and increase the level of automation when carrying out specific tasks:

1. To facilitate effective communication between senior leaders and executives at the organization and mission/business process levels and system owners at the operational level.
2. To facilitate organization-wide identification of common controls and the development of organizationally-tailored control baselines, reducing the workload on individual system owners and the cost of system development and asset protection.
3. To reduce the complexity of the information technology (IT) and operational technology (OT) infrastructure using Enterprise Architecture concepts and models to consolidate, optimize, and standardize organizational systems, applications, and services.
4. To reduce the complexity of systems by eliminating unnecessary functions and security and privacy capabilities that do not address security and privacy risk.
5. To identify, prioritize, and focus resources on the organization’s high value assets (HVA) that require increased levels of protection, taking measures commensurate with the risk to such assets.

Slide 15

OBJECTIVE #3

To demonstrate how the NIST Cybersecurity Framework (CSF) can be aligned with the RMF and implemented using established NIST risk management processes. NIST SP 800-37 Rev 2 addresses alignment of the RMF with the NIST CSF by providing specific Cybersecurity Framework “mappings” within the various RMF steps and activities.

https://www.nist.gov/cyberframework/federal-resources

Slide 16

NIST CYBERSECURITY FRAMEWORK

Core Function: Explanation

Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.

Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

Source: Framework for Improving Critical Infrastructure Cybersecurity, v 1.0, NIST, February 2014

Slide 17

RISK DIAGRAM

“The five Functions also balance prevention and reaction, including preparatory activities to enable the best possible outcome from that reaction. This balance allows Functions to act as a high level expression of risk management strategy and structure for risk assessment.” (p. 28)

Slide 18

OBJECTIVE #4

To integrate privacy risk management concepts, principles, and processes into the RMF to better support the privacy protection needs for which privacy programs are responsible. NIST SP 800-37 Rev 2 now integrates privacy risk management concepts into the RMF life cycle and also encourages use of the consolidated cybersecurity and privacy controls catalog in NIST SP 800-53 Rev 5 (Chapter 3).

Slide 19

NIST SP 800-53 R5: On the Horizon…

NIST Special Publication 800-53, Revision 5, Security and Privacy Controls
- Final Public Draft: Spring 2019
- Final Publication: Summer 2019

NIST Special Publication 800-53A, Revision 5, Assessment Procedures for Security and Privacy Controls
- Initial Public Draft: Fall 2019
- Final Public Draft: TBD
- Final Publication: Spring 2020

(These were the projected dates when the briefing was given. SP 800-53 Rev. 5 was ultimately published in September 2020 and SP 800-53A Rev. 5 in January 2022, so control counts and numbering quoted elsewhere in this deck from the drafts should be checked against the final publications.)

Slide 20

SECURITY CONTROL FAMILY CHANGES *

[Figure: side-by-side listing of the control families in SP 800-53 r4 and SP 800-53 r5. Footnote on the figure: *SCRM = 22 controls]

Slide 21

OBJECTIVE #5

To promote the development of trustworthy secure software and systems by aligning life cycle-based systems engineering processes in NIST SP 800-160, Volume 1, with the relevant tasks in the RMF. NIST SP 800-37 Rev 2 also provides an alignment of the RMF with the systems engineering process as documented in NIST SP 800-160.

Slide 22

SSE – NIST SP 800-160 VOL 1 & 2

SP 800-160 Vol. 1 (Final), “Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems” (November 2016)

It addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems, inclusive of the machine, physical, and human components that compose the systems and the capabilities and services delivered by those systems.

SP 800-160 Vol. 2 (Draft), “Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems” (March 2018)

It provides a flexible systems engineering-based framework to help organizations address the Advanced Persistent Threat (APT), addressing cyber resiliency considerations for two important, yet distinct communities of interest:

- Organizations conducting new development of IT component products, systems, and services
- Organizations with legacy systems (installed base) currently carrying out day-to-day missions and business functions

Slide 23

OBJECTIVE #6

To integrate security-related supply chain risk management (SCRM) concepts into the RMF to address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC. NIST SP 800-37 Rev 2 pays increased attention to SCRM considerations.

*NIST SP 800-53 Rev 5 adds an additional 23 SCRM security controls to consider. (Slide 20 gives 22; both figures were taken from the Rev 5 draft current when this briefing was prepared, so verify the count against the published catalog.)

Slide 24

OBJECTIVE #7

To allow for an organization-generated control selection approach to complement the traditional baseline control selection approach and support the use of the consolidated control catalog in NIST SP 800-53, Revision 5.

800-53 r5 (page ii): “The consolidated catalog of controls (found in Chapter 3) addresses security and privacy from a functionality perspective (i.e., the strength of functions and mechanisms) and an assurance perspective (i.e., the measure of confidence in the security or privacy capability). Addressing both functionality and assurance ensures that information technology products and the information systems that rely on those products are sufficiently trustworthy.”

Slide 25

CYBERSECURITY RISK MANAGEMENT

DoDI 8510.01 – Risk Management Framework (RMF) for DoD IT

DoD Program Manager’s Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle

Slide 26

[Figure: the RMF steps of SP 800-37 r1 compared with those of SP 800-37 r2 (r2 adds the Prepare step described on slide 14)]

Slide 27

NIST/DOD RMF RESOURCES

NIST Computer Security Resource Center (CSRC)
- https://csrc.nist.gov/
- https://csrc.nist.gov/publications/sp

OSD: Knowledge Service Website
- https://rmfks.osd.mil

DAU: Cyber Support and Education
- https://www.dau.mil/

ISA 220 “RMF for the Practitioner”
- https://www.dau.mil/training/p/apply-for-a-course

DoD Program Manager’s Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle
- https://www.dau.mil (use the search feature)

Slide 28

Office of the Secretary of Defense (OSD) Knowledge Service Website (the authoritative source of all DOD RMF documentation and information)

https://rmfks.osd.mil

Slide 29 (image only)

Slide 30

DAU CYBER WORKSHOP TRAINING MATRIX

Learning Objective: Deliver Secure and Resilient Systems

[Figure: matrix of DAU cyber workshops arranged by column (“Technical Oversight”, “Technical Execution”) and by level (Level 1 – Learn It; Level 2 – Love It; Level 3 – Behaviors; Level 4 – External Validation). Workshops named in the matrix: Cybersecurity Awareness; CDI Security Reqts Assessment; Threat-Based Engineering; Active Cyber Defense; Cloud Security - Assessment; Cloud Security - Principles; Cloud Security - Threat-Based; System Security Engineering; DFARS CDI Overview; Audit Principles; DCMA Audit Reqts Assessment; Compliance; Mission Assurance; Test; Advanced Testing; Advanced RMF 2.0.]

Slide 31

TYPES OF WORKSHOP CUSTOMERS

Executive Leadership. Emphasis:
- Agency/Mission Objectives
- Cybersecurity Resourcing
- Strategic Level of Cybersecurity

Program Office. Emphasis:
- Acquisition Risk Management
- Trade Space decisions
- Operational Level of Cybersecurity

Cybersecurity Workforce. Emphasis:
- Technical Process Execution
- Adequate Security
- Tactical Level of Cybersecurity

Slides 32 to 35 (images only)

Slide 36

Questions

Slide 37

FEDERAL RMF RESOURCES

The Risk Management Framework (RMF) provides a structured, yet flexible approach for managing the portion of risk resulting from the incorporation of systems into the mission and business processes of the organization.

[Figure: the links from each RMF step to the other relevant Federal resources (FIPS and NIST SPs) for implementing that step.]

Slide 38

CYBERSECURITY MOONSHOT

“Make the Internet safe and secure for the functioning of Government and critical services for the American people by 2028.”

“The United States is at an inflection point: simultaneously faced with a progressively worsening cybersecurity threat environment and an ever-increasing dependence on Internet technologies fundamental to public safety, economic prosperity, and overall way of life. Our national security is now inexorably linked to cybersecurity. Therefore, the Nation must build on past efforts and current strategies to seize the opportunity to strategically reorient from a largely reactive, incremental cybersecurity posture to a proactive approach that boldly assures digital trust, safety, and resilience for all Americans.” (p. ES-1)
Slide 39

OMB A-130: MANAGING INFORMATION AS A STRATEGIC RESOURCE - UPDATED 28 JULY 2016

- Real Time Knowledge of the Environment
- Proactive Risk Management

For Cybersecurity:
- Introduces “adequate security”
- Requires System Security Engineering
- Requires Supply Chain Risk Management

Slide 40

CYBERSECURITY IN ACQUISITION

[Figure: the six cybersecurity T&E phases laid over the defense acquisition life cycle (Materiel Solution Analysis; Technology Maturation & Risk Reduction; Engineering & Manufacturing Development; Production and Deployment; O&S), with the decision points MDD, Milestones A, B and C, CDD Validation, Dev RFP Release Decision and the Full Rate Production Decision Review; the requirements documents Draft CDD, AoA, CDD and CPD; the technical reviews ASR, SRR, SFR, PDR, CDR, TRR, SVR and OTRR; the DT&E Assessments and the DT&E Event; the IATT and ATO; and the IOT&E phases. The phase text recovered from the figure follows.]

Understand Cybersecurity Requirements
- Understand implications of cybersecurity requirements
- Develop Cybersecurity Strategy
- Develop evaluation methodology inclusive of cybersecurity

Characterize Cyber Attack Surface
- Examine system architecture to identify potential attack vectors
- Update Cybersecurity Strategy
- Incorporate cyber attack surface elements into test plans
- Define resources for cybersecurity DT&E

Cooperative Vulnerability Identification
- In cooperation with SE, develop understanding of potential system vulnerabilities
- Assess system against potential vulnerabilities
- Provide feedback to SE

Adversarial Cybersecurity DT&E
- Execute adversarial cybersecurity DT&E event within a realistic mission environment
- Use of cyber ranges

Cooperative Vulnerability and Penetration Assessment
- Overt and cooperative review of the system to characterize operational cybersecurity status
- Determine residual risk as well as readiness for the Adversarial Assessment
- Discovery of all significant remaining vulnerabilities and exploits

Adversarial Assessment
- Full operational test and evaluation of the system’s defensive cyberspace performance in the operational environment
- Characterization of the mission impact of remaining vulnerabilities and exploits

Slide 41

BEYOND COMPLIANCE

“Cyber security has long been a compliance dominated process, focused on doing specific actions on a checklist. Examining the attack data to determine what is working well, what is not, where changes need to be made, and where investment is required to better defend against troublesome or emerging threats would move the Department beyond a compliance approach towards a more dynamic performance evaluation.” (p. 11)