RMF Roles and Responsibilities (Part 1)
TRANSCRIPT
“The Chief Information Officer, with the support of the senior agency information security officer, works closely with authorizing officials and their designated representatives to ensure that an agency-wide security program is effectively implemented, that the certifications and accreditations required across the agency are accomplished in a timely and cost-effective manner, and that there is centralized reporting of all security-related activities.” - NIST SP 800-37
“A senior management official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations, agency assets, or individuals.” - NIST SP 800-37
“Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.” - NIST SP 800-37
“Individual responsible for the installation and maintenance of an information system, providing effective information system utilization, adequate security parameters, and sound implementation of established Information Assurance policy and procedures.” - CNSS Instruction No. 4009
“The information system security officer often plays an active role in developing and updating the system security plan as well as in managing and controlling changes to the system and assessing the security impact of those changes.” - NIST SP 800-37
The certification agent is an individual, group, or organization responsible for conducting a security certification, or comprehensive assessment of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. - NIST SP 800-37
“At the discretion of senior agency officials, certain security certification and accreditation roles may be delegated and if so, appropriately documented. Agency officials may appoint appropriately qualified individuals, to include contractors, to perform the activities associated with any security certification and accreditation role with the exception of the Chief Information Officer and authorizing official. The Chief Information Officer and authorizing official have inherent United States Government authority, and those roles should be assigned to government personnel only. Individuals serving in delegated roles are able to operate with the authority of agency officials within the limits defined for the specific certification and accreditation activities. Agency officials retain ultimate responsibility, however, for the results of actions performed by individuals serving in delegated roles.” - NIST SP 800-37
[Diagram: RMF roles placed across organizational tiers. Columns: Mission / Business Unit, IT, Security, Audit; a label "Independence" is shown. Tiers: Head of Agency (CEO), Risk Executive Function, AO, Middle-Tier, Program Level, System Level. Role abbreviations shown: IG, IA, SCA, SISO, ISSM, ISSO, CIO, SO, SA, BUM, IO, EU.]
Role mapping, DoDI 8510.01 & 8500.2 to SP 800-37 Rev 1:

DoDI 8510.01 & 8500.2                       SP 800-37 Rev 1
Head of DoD Components                      Head of Agency (CEO)
Principal Accrediting Authority (PAA)       Risk Executive Function and/or Approving Authority (AA)
Senior Information Assurance Officer (SIAO) Senior Information Security Officer (SISO)
Designated Accrediting Authority (DAA)      Approving Authority (AA)
Systems Manager                             Common Control Provider and/or Systems Owner
Program Manager                             Common Control Provider and/or System Owner
Information Assurance Manager (IAM)         ISSO and/or SISO
Information Assurance Officer (IAO)         Information Systems Security Officer (ISSO)
Certification Agent                         Security Control Assessor
[Diagram: certifications grouped by specialization. Groups shown: Management / Risk, Audit, Software Dev, Network / Communications. Certifications shown: CISSP, CISM, CISSP-ISSMP, CAP, CISA, GSNA, SSCP, CASP, Security+, CISSP-ISSEP/ISSAP, CSSLP.]
Level                        Qualifying Certifications
CND Analyst                  GCIA, CEH
CND Infrastructure Support   SSCP, CEH
CND Incident Responder       GCIH, GSIH, CEH
CND Auditor                  CISA, CEH, GSNA
CND-SP Manager               CISM, CISSP-ISSEP
“The CNSS is directed to assure the security of NSS against technical exploitation by providing: reliable and continuing assessments of threats and vulnerabilities and implementation of effective countermeasures; a technical base within the USG to achieve this security; and support from the private sector to enhance that technical base assuring that information systems security products are available to secure NSS.”