
Running head: CSOL530 MODULE 7 FINAL PROJECT 1

Final Project White Paper

Sergio Ginocchio

University of San Diego


Final Project White Paper

Introduction

This paper describes the Risk Management Framework (RMF) as defined in SP 800-37 [1], covering each of the six steps of the RMF and their importance in helping organizations manage the risks of operating information systems. It also describes the processes of assessing risk, authorizing systems for operation, and continuously monitoring systems in operation, which together support the near real-time risk management and ongoing system authorization promoted by the RMF [12] [1].

The Risk Management Framework

NIST, in partnership with the Department of Defense, the Office of the Director of National Intelligence, and the Committee on National Security Systems, developed the Risk Management Framework (RMF) to improve information security, strengthen risk management processes, and encourage reciprocity among organizations [1]. The RMF emphasizes managing risk by building security and privacy capabilities into systems through:

The application of security and privacy controls

Maintaining awareness of the security and privacy state of systems on an ongoing basis through enhanced monitoring processes

Providing essential information to senior leaders and executives to facilitate their risk-based decisions regarding the operation and use of systems [1].

The RMF consists of a six-step process: Categorize, Select, Implement, Assess, Authorize, and Monitor. (SP 800-37 Revision 2 places an organization-level Prepare step ahead of these six; this paper follows the six-step structure.) RMF activities are applied on an ongoing basis throughout the life cycle of a system. The following sections describe each of the steps in the RMF.


Step 1 – Categorize: Security Categorization

What is security categorization and why is it important? Security categorization provides a method to determine the criticality and sensitivity of the information being processed, stored, and transmitted by an information system. The security category is based on the potential impact to an organization should certain events occur that would jeopardize the information and information systems the organization needs to accomplish its mission, protect its assets, fulfill its legal responsibilities, and maintain its day-to-day functions [2]. FIPS 199 [4] establishes security categories for both information and information systems.

Information and information system owners identify the types of information associated with the system. For each information type, a potential impact value (low, moderate, or high) is assigned to each of the three security objectives: confidentiality, integrity, and availability. The security category of the system is then determined by applying the high-water mark concept: for each objective, the highest impact value across all information types on the system, and for the system as a whole, the highest of the three resulting objective values. This overall security impact level is used to prioritize information security efforts and to select security controls [3].

The importance of security categorization is that it guides organizations in subsequent risk management processes to determine the adverse impact or consequences to the organization of the compromise or loss of confidentiality, integrity, and availability of organizational systems and the information processed, stored, and transmitted by those systems [3].

Step 2 – Select: Security Control Selection Process

Security controls are the management, operational, and technical safeguards or countermeasures employed to protect the confidentiality, integrity, and availability of information and information systems. Selecting the appropriate set of security controls helps organizations accomplish their goals and provide adequate security, that is, security commensurate with the risk resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information. A significant challenge for organizations is to determine the set of security controls that will cost-effectively mitigate risk and comply with the security requirements [5].

It is important that organizations go through this process to identify and select an appropriate set of security controls that will protect the confidentiality, integrity, and availability of the organization's information and information systems. The security control selection process takes as its input the output of the security categorization process: a system impact level of low, moderate, or high. For federal information systems, organizations must select a set of security controls that satisfies the minimum security requirements specified by FIPS 200 [6]; organizations in the private sector can benefit from following the same process. The selected set of security controls must include one of the three security control baselines from NIST Special Publication 800-53 [7], appropriately tailored, corresponding to the impact level determined during security categorization [6]. Outcomes of this step include security and privacy plans reflecting the system-specific, hybrid, and common controls necessary to protect the system, and a system-level monitoring strategy that complements the organizational continuous monitoring strategy.
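As an added example, not part of the original paper, the following Python script carries the Categorize and Select steps described above through to code: it applies the FIPS 199 high-water mark across a set of information types (including the confidentiality value N/A that FIPS 199 permits only for public information and only at the information-type level) and then picks the cumulative 800-53 baseline for the resulting impact level. The information types, their impact values, and the miniature control-to-baseline table are constructed assumptions for the illustration, not values taken from SP 800-60 or SP 800-53.

```python
"""FIPS 199 security categorization (Categorize) and SP 800-53 baseline
selection (Select).  Added example with constructed data: the information
types, impact values and the control-to-baseline table below are assumptions
for illustration, not entries from SP 800-60 or SP 800-53."""
from dataclasses import dataclass

# Ordering used for the high-water mark.  FIPS 199 allows "N/A" only for the
# confidentiality objective of an information type that is explicitly public.
LEVELS = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass
class InformationType:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self, objective: str) -> str:
        """Validated impact value for one security objective."""
        value = getattr(self, objective).upper()
        if value not in LEVELS:
            raise ValueError(f"{self.name}: unknown impact value {value!r}")
        if value == "N/A" and objective != "confidentiality":
            raise ValueError(f"{self.name}: N/A is only allowed for confidentiality")
        return value


def high_water_mark(values):
    """Highest impact value in `values` (FIPS 199 section 3.2)."""
    return max(values, key=LEVELS.__getitem__)


def categorize_system(info_types):
    """Per-objective high-water mark over all information types on the system,
    plus the overall impact level used for baseline selection.  At the system
    level FIPS 199 sets a floor of LOW, so an all-N/A confidentiality column is
    raised to LOW."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    sc = {}
    for objective in OBJECTIVES:
        hwm = high_water_mark(t.impact(objective) for t in info_types)
        sc[objective] = "LOW" if hwm == "N/A" else hwm
    sc["overall"] = high_water_mark(sc[o] for o in OBJECTIVES)
    return sc


def fips199_notation(sc):
    """Render the category in the FIPS 199 form SC = {(objective, impact), ...}."""
    inner = ", ".join(f"({o}, {sc[o]})" for o in OBJECTIVES)
    return f"SC = {{{inner}}}"


# Constructed miniature baseline table: control -> lowest baseline containing
# it.  The real allocations are in SP 800-53; these placements are illustrative.
BASELINE_TABLE = {
    "AC-2": "LOW",          # Account Management
    "AC-2(1)": "MODERATE",  # Automated System Account Management
    "AC-7": "LOW",          # Unsuccessful Logon Attempts
    "AU-12": "LOW",         # Audit Record Generation
    "AU-12(1)": "HIGH",     # System-wide / Time-correlated Audit Trail
    "IA-2(1)": "LOW",       # Multi-factor Authentication to Privileged Accounts
    "SC-8": "MODERATE",     # Transmission Confidentiality and Integrity
}


def select_baseline(overall_level, table=BASELINE_TABLE):
    """Control identifiers in the baseline for `overall_level`.  Baselines are
    cumulative (MODERATE contains every LOW control); tailoring happens after
    this selection and is not modelled here."""
    threshold = LEVELS[overall_level]
    return sorted(c for c, lvl in table.items() if LEVELS[lvl] <= threshold)


# Constructed example system: an ordering application carrying three
# information types.  The impact values are assumptions.
SAMPLE_SYSTEM = [
    InformationType("public product catalogue", "N/A", "MODERATE", "LOW"),
    InformationType("customer PII", "MODERATE", "MODERATE", "LOW"),
    InformationType("order records", "LOW", "MODERATE", "LOW"),
]

if __name__ == "__main__":
    category = categorize_system(SAMPLE_SYSTEM)
    print(fips199_notation(category), "-> overall", category["overall"])
    print("baseline controls:", ", ".join(select_baseline(category["overall"])))
```

Running the script as-is prints the system category as SC = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)} with an overall level of MODERATE, and lists the controls from the constructed table that fall in the LOW and MODERATE baselines. The N/A check is deliberately strict: a value of N/A on integrity or availability is rejected rather than silently treated as LOW, because FIPS 199 never permits it there.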

Step 3 – Implement: Implementation Process

Systems security engineering, as part of the implementation process, realizes the security aspects of all system elements. Security aspects include mechanisms that provide a security capability, that serve as a control, safeguard, or countermeasure, and the passive protection capability realized through the implementation methods, processes, and tools. This process results in a system element that satisfies the specified system security requirements, architecture, and design [8].

As part of the implementation strategy, it is important that organizations have a clear understanding of what change is being implemented and what its impact will be; in the case of an existing system, how different it will be from the current situation, and who is impacted and how. All stakeholders should understand and have agreed to specific outcomes, and should understand the risks being mitigated and what the residual risk may be. An implementation can only succeed when there has been full agreement and the project is able to deliver the agreed-upon outcome.

This scenario assumes that all roles and responsibilities for the Implement step have been assigned, that a change control process exists, and that all approvals for implementation are in place. The implementation of the security controls should document:

How the controls are deployed within the system and environment of operation.

Who will deploy the selected controls, and when and where.

What the expected outcome is and how it will be measured.

How continuous evaluation and reporting will be done.

Step 4 – Assess: Security Control Assessment Process

Security controls provide safeguards for an information system and are designed to protect the confidentiality, integrity, and availability of its information. Selecting and implementing appropriate security controls is an important task, as it can have significant implications for the operations and assets of an organization. Assessing these controls is just as important. Once the controls have been implemented, they need to be assessed to determine their overall effectiveness, that is, to validate that they are operating as intended and producing the desired outcome [9]. NIST Special Publication 800-53A provides an assessment framework and an initial starting point for assessment procedures. These procedures can be used as guidelines and tailored to meet the risk management needs of the organization. The following is a high-level overview of the steps before, during, and after the assessment:

Organization preparation:

All RMF steps prior to the Assess step have been completed successfully.

The assessor or assessment team is identified.

The objective, timeline, and scope of the assessment are clearly defined and all stakeholders are properly informed.

Assessor preparation:

Understand the organization's mission functions and business processes.

Understand the information system architecture.

Understand the controls selected for the assessment.

Develop an assessment plan.

Obtain assessment plan approval.

Assessment:

Implement the security and privacy assessment plans.

Execute the assessment procedures to achieve the assessment objectives.

Produce assessment findings and recommend specific remediation actions.

Produce the assessment reports.

Post-assessment:

Review assessment findings.

Determine and initiate appropriate response actions.

Develop plans of action and milestones.

Update the security and privacy plans.

Special Publication 800-53A [9] provides assessment procedures for each security and privacy control and control enhancement in Special Publication 800-53 [7]. For each security or privacy control in the security plan that is included in the assessment, assessors select the corresponding assessment procedure from Appendix F of 800-53A and tailor it to the characteristics of the information system under assessment. Each procedure applies one or more assessment methods (examine, interview, test) to reach a finding of either satisfied or other than satisfied for each determination statement.

The purpose of the Assess step is to determine whether the selected security and privacy controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system [1].

Step 5 – Authorize: Authorization Process

“The purpose of the Authorization step is to provide strict accountability by requiring a senior management official to determine if the security and privacy risk to organizational operations and assets, individuals, other organizations, or the Nation based on the operation of a system or the use of common controls, is acceptable.” [1] Organizations use this step to arrive at an authorization decision regarding the operation of an information system. The tasks in the authorization process, as described in SP 800-37 [1], are:

Plan of Action and Milestones (POA&M): Prepare the plan of action and milestones based on the findings and recommendations of the security and privacy assessment reports, excluding any remediation actions already taken.

Authorization Package: Assemble the authorization package to submit to the authorizing official for adjudication. The package can include the POA&M, the system security plan, and the security assessment report (SAR).

Risk Determination: Determine the risk from the operation or use of the system.

Risk Response: Identify a course of action: accepting, avoiding, mitigating, sharing, or transferring the risk, or a combination of these.

Authorization Decision: Determine whether the risk from the operation or use of the system and from the use of common controls is acceptable.

Authorization Reporting: Report the authorization decision and any weaknesses or deficiencies in security and privacy controls that represent significant vulnerabilities to the system or the organization.
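The following Python script, added here as an illustration rather than code from the paper or from NIST, connects the Assess step (a finding of satisfied or other than satisfied per determination statement) to the Authorize tasks listed above (POA&M, risk determination, authorization decision). The system snapshot, the automated checks standing in for the examine and test methods, the organization-defined parameter values, the risk ratings, and the scheduling and decision rules are all assumptions; only the control identifiers (AC-7, IA-2(1), AC-11, AU-12, SC-8) are real SP 800-53 controls.

```python
"""Assess step findings feeding the Authorize step (POA&M, risk determination,
authorization decision).  Added example: the system snapshot, the automated
checks, the organization-defined parameter values, risk ratings, scheduling
and decision rules are constructed assumptions; only the control identifiers
are real SP 800-53 controls."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable

SATISFIED = "satisfied"
OTHER = "other than satisfied"   # the two SP 800-53A finding values


@dataclass
class Procedure:
    control: str                    # SP 800-53 control identifier
    statement: str                  # determination statement being assessed
    method: str                     # examine | interview | test
    check: Callable[[dict], bool]   # assumed automation of that method
    risk: str                       # risk if the control fails (assumed rating)


@dataclass
class Finding:
    control: str
    statement: str
    result: str
    evidence: str


@dataclass
class PoamItem:
    control: str
    weakness: str
    risk: str
    milestone: str
    scheduled: date


# Constructed system snapshot: what the assessor examines or tests.
SNAPSHOT = {
    "auth.max_failed_logons": 10,                        # AC-7, assumed limit 5
    "auth.privileged_mfa": True,                         # IA-2(1)
    "session.lock_minutes": 15,                          # AC-11, assumed limit 15
    "audit.events_enabled": ["logon", "privilege_use"],  # AU-12
    "tls.min_version": "1.1",                            # SC-8, assumed minimum 1.2
}
REQUIRED_AUDIT_EVENTS = {"logon", "logoff", "privilege_use", "policy_change"}  # assumed


def _tls_version(s):
    return tuple(int(p) for p in s["tls.min_version"].split("."))


PROCEDURES = [
    Procedure("AC-7", "failed logon limit of 5 is enforced", "test",
              lambda s: s["auth.max_failed_logons"] <= 5, "MODERATE"),
    Procedure("IA-2(1)", "privileged access requires MFA", "test",
              lambda s: s["auth.privileged_mfa"] is True, "HIGH"),
    Procedure("AC-11", "session lock after at most 15 minutes", "examine",
              lambda s: s["session.lock_minutes"] <= 15, "LOW"),
    Procedure("AU-12", "all required event types are audited", "examine",
              lambda s: REQUIRED_AUDIT_EVENTS <= set(s["audit.events_enabled"]), "MODERATE"),
    Procedure("SC-8", "TLS 1.2 or later is the minimum", "test",
              lambda s: _tls_version(s) >= (1, 2), "HIGH"),
]

RISK_ORDER = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
SLA_DAYS = {"HIGH": 30, "MODERATE": 90, "LOW": 180}   # assumed remediation windows


def run_assessment(procedures, snapshot):
    """Execute every procedure and record a finding with its evidence line."""
    findings = []
    for p in procedures:
        ok = p.check(snapshot)
        findings.append(Finding(p.control, p.statement, SATISFIED if ok else OTHER,
                                f"{p.method}: {p.statement} -> {'pass' if ok else 'fail'}"))
    return findings


def build_poam(procedures, findings, remediated=(), start=date(2020, 6, 11)):
    """One POA&M entry per 'other than satisfied' finding, skipping weaknesses
    already remediated before authorization (SP 800-37 POA&M task)."""
    risk_of = {p.control: p.risk for p in procedures}
    items = [PoamItem(f.control, f"{f.control} not satisfied: {f.statement}", risk_of[f.control],
                      "remediate and re-test", start + timedelta(days=SLA_DAYS[risk_of[f.control]]))
             for f in findings if f.result == OTHER and f.control not in remediated]
    return sorted(items, key=lambda i: -RISK_ORDER[i.risk])


def risk_determination(poam):
    """Residual risk = highest open POA&M risk (assumed aggregation); LOW if none."""
    return max((i.risk for i in poam), key=RISK_ORDER.__getitem__, default="LOW")


def authorization_decision(poam, acceptable="MODERATE"):
    """Assumed decision rule: authorize only if residual risk is within the
    level the authorizing official has declared acceptable."""
    ok = RISK_ORDER[risk_determination(poam)] <= RISK_ORDER[acceptable]
    return "authorize" if ok else "deny"


if __name__ == "__main__":
    results = run_assessment(PROCEDURES, SNAPSHOT)
    for f in results:
        print(f"{f.control:8} {f.result:22} {f.evidence}")
    poam = build_poam(PROCEDURES, results, remediated={"AC-7"})
    for item in poam:
        print(f"POA&M {item.control} [{item.risk}] due {item.scheduled}: {item.weakness}")
    print("residual risk:", risk_determination(poam), "->", authorization_decision(poam))
```

With the constructed snapshot, AC-7, AU-12 and SC-8 come back other than satisfied. Because AC-7 is passed as already remediated it is left out of the POA&M, as the POA&M task requires; the open SC-8 weakness carries the assumed HIGH rating, so the residual risk is HIGH and the assumed decision rule denies authorization until it is closed. Remediating SC-8 as well drops the residual risk to MODERATE and the decision flips to authorize.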

Step 6 – Monitor: Monitoring Process

The purpose of the Monitor step is to maintain ongoing situational awareness of the security and privacy posture of the system and the organization in support of risk management decisions. Continuous monitoring addresses the security impacts on information systems resulting from changes to the hardware, software, firmware, or operational environment. Its objective is to determine whether the security controls in the information system continue to be effective over time, since changes occur both in the system and in the environment in which it operates. Continuous monitoring also provides an effective mechanism to update security plans, security assessment reports, and plans of action and milestones. An effective continuous monitoring process includes:

Configuration management and control processes for organizational information systems

Security impact analyses of actual or proposed changes to information systems and environments of operation

Assessment of selected security controls based on a continuous monitoring strategy

Security status reporting to appropriate organizational officials

Active involvement by authorizing officials in the ongoing management of information system-related security risks [10].

Change is Inevitable

Business needs evolve; information systems need to change to support evolving mission and business functions and processes.

Technology evolves; upgrade and configuration management processes need to keep up with the change.

The workforce is in constant flux (new hires, terminations, temporary workers, role changes); access control needs to keep up with this constant change.

The threat landscape changes; there is a need for continuous vulnerability and patch management and continuous monitoring.

In this dynamic landscape, continuous monitoring is the first step that can provide assurance that the system remains within an acceptable level of risk. It provides ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. An Information Security Continuous Monitoring (ISCM) program can be established to collect the data needed for risk-based decisions. Establishing a continuous monitoring program enables ongoing assessment and ongoing authorization and provides an acceptable level of assurance that the system remains secure. “Ongoing authorization is part of RMF Step 5, the Authorize step, and is dependent on the organization’s Information Security Continuous Monitoring (ISCM) strategy and program which is implemented as part of RMF Step 6, the Monitor step. Ongoing authorization is fundamentally related to the ongoing understanding and ongoing acceptance of information security risk.” [12]
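As an added example (not from the paper or from SP 800-137), this Python script shows one concrete form of the ISCM automation described above: it fingerprints the authorized configuration baseline, diffs the current state against it, maps drifted settings to the controls they affect for security impact analysis, checks open scanner findings against remediation SLAs, and rolls the result into a status report that tells the authorizing official whether the system still sits within its authorized baseline. The baseline, the current snapshot, the scanner output, the setting-to-control mapping, and the SLA values are all constructed for the illustration.

```python
"""Continuous monitoring (ISCM) automation as an added example: configuration
drift against the authorized baseline, security impact analysis of the drift,
remediation-SLA checks on scanner findings, and a status roll-up.  The
baseline, current snapshot, scanner output, setting-to-control mapping and
SLA values are constructed for illustration."""
import hashlib
import json
from datetime import date

# Settings whose change affects a specific control (assumed mapping).
SECURITY_RELEVANT = {
    "sshd.PermitRootLogin": "AC-6",
    "sshd.PasswordAuthentication": "IA-2",
    "auditd.enabled": "AU-12",
    "tls.min_version": "SC-8",
    "packages.openssl": "SI-2",
}

# Authorized baseline captured at the last assessment (constructed).
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "auditd.enabled": True,
    "tls.min_version": "1.2",
    "packages.openssl": "1.1.1g",
    "motd.banner": "authorized use only",
}

# State collected by the monitoring agent today (constructed).
CURRENT = {
    "sshd.PermitRootLogin": "yes",
    "sshd.PasswordAuthentication": "no",
    "auditd.enabled": False,
    "tls.min_version": "1.2",
    "packages.openssl": "1.1.1g",
    "motd.banner": "welcome",
    "ntp.server": "10.0.0.5",
}

# Constructed scanner output: (host, finding, severity, first seen).
SCAN = [
    ("web-1", "outdated openssl", "HIGH", date(2020, 5, 1)),
    ("web-1", "weak cipher suite", "MODERATE", date(2020, 6, 1)),
]
SLA_DAYS = {"HIGH": 30, "MODERATE": 90, "LOW": 180}   # assumed remediation SLAs
REPORT_DATE = date(2020, 6, 11)                        # "as of" date for the run


def fingerprint(config):
    """Order-independent SHA-256 of a configuration; a changed digest is the
    cheap trigger for the full diff below."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_config(baseline, current):
    """(added, removed, changed) between the authorized and the observed state."""
    added = {k: current[k] for k in current.keys() - baseline.keys()}
    removed = {k: baseline[k] for k in baseline.keys() - current.keys()}
    changed = {k: (baseline[k], current[k])
               for k in baseline.keys() & current.keys() if baseline[k] != current[k]}
    return added, removed, changed


def security_impact(baseline, current):
    """Security impact analysis: map each drifted setting to the control it
    affects.  Unmapped drift still goes to configuration management but does
    not by itself trigger a control re-assessment."""
    added, removed, changed = diff_config(baseline, current)
    drifted = set(added) | set(removed) | set(changed)
    impacted = {k: SECURITY_RELEVANT[k] for k in sorted(drifted) if k in SECURITY_RELEVANT}
    unmapped = sorted(drifted - SECURITY_RELEVANT.keys())
    return impacted, unmapped


def overdue_findings(scan, today):
    """Open findings older than their severity's remediation SLA."""
    return [(host, name, sev) for host, name, sev, seen in scan
            if (today - seen).days > SLA_DAYS[sev]]


def status_report(baseline, current, scan, today):
    """Roll-up for the authorizing official.  Assumed rule: drift on a
    control-relevant setting or any overdue finding means 'reassess'."""
    impacted, unmapped = security_impact(baseline, current)
    overdue = overdue_findings(scan, today)
    return {
        "as_of": today.isoformat(),
        "drift_detected": fingerprint(baseline) != fingerprint(current),
        "controls_to_reassess": sorted(set(impacted.values())),
        "unmapped_changes": unmapped,
        "overdue_findings": overdue,
        "posture": "reassess" if impacted or overdue else "within baseline",
    }


if __name__ == "__main__":
    print(json.dumps(status_report(BASELINE, CURRENT, SCAN, REPORT_DATE), indent=2))
```

On the constructed data the report flags AC-6 and AU-12 for re-assessment (root SSH login was enabled and auditing was switched off), files the banner and NTP changes as unmapped drift for configuration management only, and marks the HIGH openssl finding as overdue against its 30-day window, so the posture is "reassess". Feeding the agent the baseline unchanged and an empty scan yields "within baseline", which is the steady state an ongoing authorization relies on.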

Conclusion

The Risk Management Framework is not a one-time process. Change is inevitable, and to keep pace with it there has to be a continuous monitoring strategy in place that provides adequate information about security control effectiveness and organizational security status, allowing organizational officials to make informed, timely risk management decisions. That is, the implementation, effectiveness, and adequacy of all security controls are monitored along with the current organizational security status [11].

To maintain ongoing awareness of information security, vulnerabilities, and threats in support of organizational risk management decisions, a variety of tools and technologies are available to efficiently and effectively gather, aggregate, analyze, and report data, from continuously monitoring the security status of the enterprise architecture and operating environment(s) down to the components of individual information systems [11]. Some of these tools are:

Configuration management tools

Vulnerability and patch management tools

Asset management tools

IDS/IPS

SIEM

The data collected by these tools can be analyzed, aggregated, and consolidated into SIEM tools, management dashboards, and reports to provide an overall picture of the effectiveness of the security controls and of the organizational security status [11]. Automation should be leveraged as much as possible so that authorizing officials (AOs) receive the information they need for risk-based decisions in a timely manner.


References

[1] NIST. (2017, September). Risk Management Framework for Information Systems and Organizations: Draft NIST Special Publication 800-37, Revision 2 (discussion draft), pp. 16-61. Retrieved from https://csrc.nist.gov/CSRC/media/Publications/sp/800-37/rev-2/draft/documents/sp800-37r2-discussion-draft.pdf

[2] NIST. (2008, August). NIST SP 800-60 Vol. I, Rev. 1: Guide for Mapping Types of Information and Information Systems to Security Categories. Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf

[3] NIST. (2009, January 27). Categorize Step FAQs: NIST Risk Management Framework (draft). Retrieved from https://csrc.nist.gov/CSRC/media/Projects/Risk-Management/documents/categorize/faq-categorize-step1.pdf

[4] NIST. (2004, February). FIPS PUB 199: Standards for Security Categorization of Federal Information and Information Systems. Retrieved from http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf

[5] NIST. (2011, January 18). Select Step FAQs: NIST Risk Management Framework (draft). Retrieved from https://csrc.nist.gov/CSRC/media/Projects/Risk-Management/documents/select/faq-Select-step2.pdf

[6] NIST. (2006, March). FIPS PUB 200: Minimum Security Requirements for Federal Information and Information Systems, pp. 4-5. Retrieved from http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf

[7] NIST. (2017, August). Security and Privacy Controls for Information Systems and Organizations: Draft NIST Special Publication 800-53, Revision 5. Retrieved from https://csrc.nist.gov/CSRC/media//Publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf

[8] Ross, R., McEvilley, M., & Oren, J. C. (2016, November). Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems: NIST Special Publication 800-160. Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160.pdf

[9] NIST. (2014, December). Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans: NIST Special Publication 800-53A, Revision 4. Retrieved from https://csrc.nist.gov/publications/detail/sp/800-53a/rev-4/final

[10] NIST. (2009, April 30). Monitor Step FAQs: NIST Risk Management Framework. Retrieved from https://csrc.nist.gov/CSRC/media/Projects/Risk-Management/documents/monitor/faq_monitor-step6.pdf

[11] Dempsey, K., Chawla, N. S., Johnson, A., Johnston, R., Jones, A. C., Orebaugh, A., Scholl, M., & Stine, K. (2011, September). Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations: NIST Special Publication 800-137. Retrieved from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf

[12] Dempsey, K., Ross, R., & Stine, K. (2014, June). Supplemental Guidance on Ongoing Authorization: Transitioning to Near Real-Time Risk Management. Retrieved from http://ws680.nist.gov/publication/get_pdf.cfm?pub_id=916095


Appendix

Figure 1. The RMF integrates information security and risk management activities into the system development life cycle. [1] p.8

RMF Step                         NIST Publications
CATEGORIZE Information System    FIPS 199 Standards for Security Categorization of Federal Information and Information Systems
                                 SP 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories
SELECT Security Controls         FIPS 200 Minimum Security Requirements for Federal Information and Information Systems
                                 SP 800-53 Security and Privacy Controls for Information Systems and Organizations
IMPLEMENT Security Controls      SP 800-160 Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
ASSESS Security Controls         SP 800-53A Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
AUTHORIZE Information System     SP 800-37 Risk Management Framework for Information Systems and Organizations
MONITOR Security State           SP 800-137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
                                 SP 800-53A Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans

Table 1. RMF steps and the NIST publications used for guidance at each step.