TRANSCRIPT
The RMF: New Emphasis on the Risk Management Framework for Government Organizations
Sean Sherman Security and Compliance Consultant
Synopsis
There is a problem for any large and dispersed organization to communicate and coordinate. For the US Government, this challenge is particularly important because providing essential services to the country is almost completely reliant on the security of our data, applications, networks and processes.
This presentation is aimed at improving understanding of the Risk Management Framework (RMF) - a process framework that promises to help align security efforts, increase security awareness and improve risk management. How is that possible? What is the big picture? This presentation will try to align the objectives to practical advice on what to do next.
What is the RMF?
The Risk Management Framework is most commonly associated with the NIST SP 800-37 guide “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach”, which has been available for FISMA compliance since 2004. As a result of the Joint Task Force Transformation Initiative Interagency Working Group, every agency of the US government must now abide by this process. It has recently been integrated into DoD instructions, and many organizations are creating new guidance for compliance with the RMF.
A Consistent Process
An Effort to Consolidate Reference Docs
RMF is part of core agency references: NIST SP 800-37, DoDI 8510.01, ICD 503
Step 1 References: FIPS Publication 199; NIST Special Publications 800-30, 800-39, 800-59, 800-60; CNSS Instruction 1253.
Step 2 References: FIPS Publications 199, 200; NIST Special Publications 800-30, 800-53, 800-53A; CNSS Instruction 1253.
Step 3 References: FIPS Publication 200; NIST Special Publications 800-30, 800-53, 800-53A; CNSS Instruction 1253; Web: SCAP.NIST.GOV.
Step 4 References: NIST Special Publications 800-53A, 800-30, 800-70.
Step 5 References: OMB Memorandum 02-01; NIST Special Publications 800-30, 800-39, 800-53A.
Step 6 References: NIST Special Publications 800-30, 800-39, 800-53A, 800-53, 800-137; CNSS Instruction 1253.
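Steps 1 and 2 above rest on FIPS 199 (security categorization) and FIPS 200 / SP 800-53 (baseline selection). The following Python is an added example, not material from the presentation, that works a categorization through as those documents define it: each security objective takes the highest impact across the information types the system handles, and the overall level is the high-water mark of the three objectives, which names the SP 800-53 baseline tailoring starts from. The information types and their impact values are constructed for illustration.

```python
"""Added example (not from the presentation): RMF Step 1 security categorization
as FIPS 199 defines it, and the Step 2 baseline selection that FIPS 200 and
SP 800-53 derive from it. Sample information types are constructed."""
from dataclasses import dataclass

# FIPS 199 impact levels, lowest first. "NA" (not applicable) is permitted only
# for the confidentiality of an individual information type (e.g. public data),
# never for an information system as a whole.
_RANK = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for objective in OBJECTIVES:
            level = getattr(self, objective)
            if level not in _RANK:
                raise ValueError(f"{self.name}: bad impact level {level!r}")
            if level == "NA" and objective != "confidentiality":
                raise ValueError(f"{self.name}: NA is only valid for confidentiality")


def categorize_system(info_types):
    """FIPS 199 Section 3.3: the system's impact for each objective is the highest
    impact assigned to that objective across all information types it handles.
    A system never carries NA: if every type is NA for confidentiality, the
    system-level value floors at LOW."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    category = {}
    for objective in OBJECTIVES:
        top = max((getattr(t, objective) for t in info_types), key=_RANK.__getitem__)
        category[objective] = "LOW" if top == "NA" else top
    return category


def high_water_mark(category):
    """FIPS 200: the overall impact level is the highest of the three objectives."""
    return max(category.values(), key=_RANK.__getitem__)


def select_baseline(category):
    """SP 800-53 tailoring starts from the baseline named after the high-water mark."""
    return f"SP 800-53 {high_water_mark(category)} baseline"


# Constructed sample: a hypothetical benefits-payment system handling three
# information types with different impact profiles.
SAMPLE_INFORMATION_TYPES = (
    InformationType("public program information", "NA", "LOW", "LOW"),
    InformationType("beneficiary records", "MODERATE", "MODERATE", "LOW"),
    InformationType("payment instructions", "MODERATE", "HIGH", "MODERATE"),
)

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_INFORMATION_TYPES)
    print("SC =", sc, "->", select_baseline(sc))
```

The sample ends up as {confidentiality: MODERATE, integrity: HIGH, availability: MODERATE}, so the system is a HIGH system and the SP 800-53 HIGH baseline applies. Note that one HIGH objective on one information type is enough to pull the whole system up; that is the reason the presentation's point about shorter authorization periods for sensitive systems follows directly from the categorization step.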
Transition is Mandatory
Be clear: all systems are expected to migrate to the same ATO process.
The Joint Task Force Transformation Initiative Working Group is a joint effort across executive agencies to build a single methodology for C&A/A&A.
DITSCAP and DIACAP content is merged into the new guidance. DoD entities and organizations will use revised 8500 Series guidance. All expiring accreditations and new requests for accreditation must use RMF guidelines (shorter accreditation cycles for more sensitive systems).
800-37 and ICD 503 are expected to replace DCID 6/3 guidance.
The process at the operations level is evolutionary.
Why?
1. Standards across government = alignment of controls and language improves the possibility of reciprocity.
2. Focus on risk = a means to address the diversity of systems, components and custom environments, vs. prescribing one size fits all.
3. Address security sooner = baking security into systems vs. bolting security on.
4. Continuous monitoring and roll-up reporting = better federal enterprise security.
Whom does it affect?
Benefits?
How to start: Storyboard success
A pilot project can help design successful activities
Choose experts
Expect to learn
Debrief and examine
Possible scenarios
Development project
New Software
Upgrade
Vendor tools
Key Take-aways
1. Risk Management focus will improve threat awareness but increases the amount of information to process.
2. Ask: how do our processes align with the new guidance?
3. Speed it up! Expect a mandated shorter period of authorization based on the sensitivity of the data and the criticality of the application.
4. Use automation to increase capacity, reduce dependence on a single point of failure, create improved sensitivity to the environment, and improve reporting.
The Risk Management Framework
How Tripwire fits into the Risk Management Framework
Recap
The Risk Management Framework is taken from the NIST SP 800-37 guide “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach”, which has been available for FISMA compliance since 2004.
What does Tripwire do?
History of gathering data around:
Change
Configuration
Vulnerabilities
Inventory
Logs
Steps to the Risk Management Framework
Step 1 Categorize Information Systems
Step 2 Select Security Controls
Example of Policy content in TE
IP360 Risk Matrix
Security Controls - TLC
Step 3 Implement Security Controls
Example of Security Control Policy in TE
Step 4 Assess Security Controls
Example in TE of Assessing Security Controls
Step 5 Authorize Information System
Report showing compliance for use for ATO
Step 6 Monitor Security Controls
Monitor Security Controls - TE
Monitoring Security Controls TE & TLC
Monitor Security Controls – IP360 Vulnerabilities
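Step 6, continuous monitoring, is where the change and configuration data the slides attribute to Tripwire enters the RMF: a baseline is taken when the control is implemented and assessed, and later snapshots are compared against it so drift is reported rather than discovered at re-authorization. The Python below is an added example, not the presentation's or Tripwire's code, showing the core of that comparison with a minimal file-integrity baseline (SHA-256 plus permission bits) over a constructed configuration tree. Function names and the sample files are hypothetical; it assumes a POSIX host, since permission bits are part of what it checks.

```python
"""Added example (not from the presentation or Tripwire): a minimal file-integrity
baseline and drift report of the kind continuous monitoring (RMF Step 6) relies on.
Hypothetical helper names; the configuration tree in demo() is constructed."""
import hashlib
import stat
import tempfile
from pathlib import Path


def take_baseline(root: Path) -> dict:
    """Record SHA-256 and permission bits for every regular file under root.
    Keys are POSIX-style paths relative to root so two snapshots of the same
    tree compare key-for-key."""
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        mode = stat.S_IMODE(path.stat().st_mode)
        baseline[path.relative_to(root).as_posix()] = {"sha256": digest, "mode": mode}
    return baseline


def compare_baselines(old: dict, new: dict) -> dict:
    """Classify drift between two snapshots: files added, removed, changed in
    content, or changed in permissions. One file may appear in both 'content'
    and 'mode'. Every list is sorted so reports are stable across runs."""
    report = {"added": [], "removed": [], "content": [], "mode": []}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            report["added"].append(rel)
        elif rel not in new:
            report["removed"].append(rel)
        else:
            if old[rel]["sha256"] != new[rel]["sha256"]:
                report["content"].append(rel)
            if old[rel]["mode"] != new[rel]["mode"]:
                report["mode"].append(rel)
    return report


def demo() -> dict:
    """Build a constructed config tree, baseline it, then apply three changes a
    monitoring control is expected to surface: a hardening setting reverted, a
    permission loosened, and a file appearing where none was authorized."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "passwd").chmod(0o644)
        before = take_baseline(root)

        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # content drift
        (root / "etc" / "passwd").chmod(0o666)                               # permission drift
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "unexpected_job").write_text("* * * * * root /usr/bin/true\n")
        after = take_baseline(root)
        return compare_baselines(before, after)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:8s} {files}")
```

The report is the artifact that feeds roll-up reporting: each entry maps back to the control whose implementation the file embodies (here an SP 800-53 access-control setting, a permission on a system file, and an unauthorized scheduled task), so the authorizing official sees control status, not just a list of hashes. A production tool adds ownership, ACLs and exclusions for files that legitimately change, but the baseline-then-compare loop is the same.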
Why Tripwire?
Standards
Focus on risk
Address security sooner
Continuous monitoring
Risk management focus
Automation and improved reporting
Additional Resources
NIST SP 800-37 Guide: http://csrc.nist.gov/publications/PubsSPs.html#800-37
Tripwire, Adjusting to the Reality of the RMF: https://www.tripwire.com/register/adjusting-to-the-reality-of-the-risk-management-framework-rmf/