Understanding the Risk Management Framework & (ISC)2 CAP Module 4: Life Cycle

Upload: donald-e-hester

Post on 09-Feb-2017

Category:

Government & Nonprofit


TRANSCRIPT

Page 1: Understanding the Risk Management Framework & (ISC)2 CAP Module 4: Life Cycle
Presenter
Presentation Notes
© 2016 Maze & Associates, Revision 10 (April 2016). Images from Microsoft Clipart unless otherwise noted; other sources: NIST and Donald E. Hester. Picture: Muir Beach, North of San Francisco, CA; photo by Donald E. Hester, all rights reserved.
Page 2
Presenter
Presentation Notes
Picture: Alcatraz Island, CA; photo by Donald E. Hester, all rights reserved. NIST SP 800-37 Rev 1, § 2.2
Page 3

Conduct Minimum Security Baseline Assessment

•Minimum Security Baseline Report

Assess Risks

•Risk Assessment Report

Perform Vulnerability Scanning

•Vulnerability Scan Results

Develop Security Plan

•Draft System Security Plan

Perform Certification Testing

•Certification Test Plan

Prepare Certification Package

•Certification Test Results

•Updated System Security Plan

•Certification Statement

Submit Certification Package

•Transmittal

Accredit System

•Accreditation Statement

Presenter
Presentation Notes
C & A Process Flow (800-37) Old Process Flow
Page 4

NIST SP 800-37 Risk Management & Certification and Accreditation Tasks (old process flow). Each task block below is labelled with its C & A phase and the SDLC phase it overlays; the slide also marks primary responsibility for each task (System Owner, Authorizing Official, or Certification Agent).

Prepare Documentation (Initiation; SDLC Initiation, Phase 1)
1. Describe the System
2. Categorize its C.I.A.
3. Identify Threats to it
4. Identify its Vulnerabilities
5. Identify In-Place and Planned Security Controls
6. Determine its Initial Risks

Notify Officials & Identify Resources (Initiation; SDLC Planning, Phase 3)
1. Notify Program Officials
2. Identify Resources Needed and Plan Execution of Activities

Analyze, Update & Accept System Security Plan (Initiation; multiple SDLC Phases 4-6)
1. Review Security C.I.A. Categorizations
2. Analyze Security Plan
3. Update Security Plan
4. Obtain Authorizing Official Acceptance of Security Plan

Assess & Evaluate Security Controls (Certification; SDLC Integration & Test, Phase 7)
1. Prepare Documentation & Supporting Materials
2. Review Methods and Test Procedures
3. Assess & Evaluate In-Place Security Controls
4. Report Security Assessment Results

Document Security Certification (Certification; SDLC Integration & Test, Phase 7)
1. Provide Findings and Recommendations
2. Update Security Plan
3. Prepare Plan of Action & Milestones
4. Assemble Accreditation Package

Make Security Accreditation Decision (Accreditation; SDLC Integration & Test, Phase 7)
1. Determine Final Risk Levels
2. Accept Residual Risk

Document Security Accreditation (Accreditation; SDLC Integration & Test, Phase 7)
1. Transmit Security Accreditation Package
2. Update Security Plan

Monitor Security Controls (Monitoring; SDLC O&M, Phase 9)
1. Select In-Place Security Controls
2. Assess Selected Security Controls

Manage & Control Configuration (Monitoring; SDLC O&M, Phase 9)
1. Document System Changes
2. Analyze Security Impacts

Report & Document Status (Monitoring; SDLC O&M, Phase 9)
1. Update Security Plan
2. Update Plan of Action & Milestones
3. Report Status

NIST SP 800-37 task numbering: Phase 1 – Tasks 1, 2, 3; Phase 2 – Tasks 4, 5; Phase 3 – Tasks 6, 7; Phase 4 – Tasks 8, 9, 10.

Presenter
Presentation Notes
NIST 800-37 Risk Management & Certification and Accreditation Tasks (old process flow)
Page 5
Presenter
Presentation Notes
RMF Process: 3 phases, 6 steps (NIST SP 800-37 Rev 1 Draft). The 3 phases were in the draft of NIST SP 800-37 Rev 1 but were taken out of the final document.
Page 6
Presenter
Presentation Notes
RMF Process Flow (800-37 Rev 1). NIST SP 800-37 Rev 1, § 2.1
Page 7

Categorize

Select

Implement

Assess

Authorize

Monitor

Presenter
Presentation Notes
Risk Management Framework (RMF). NIST SP 800-37 Rev 1, § 2.1
Page 8
Presenter
Presentation Notes
Categorize: Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis. References: FIPS 199, NIST SP 800-60. NIST SP 800-37 Rev 1, § 2.1
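The Categorize step is summarized above in one sentence, but it has mechanical rules a CAP candidate is expected to apply. The example below is added here and is not code from the slides or from any NIST publication. It applies FIPS 199 to a set of information types: each type carries a (confidentiality, integrity, availability) impact triple, the system takes the highest level per objective across its types, "N/A" is accepted for confidentiality only, and the high-water mark across the three objectives is the overall categorization that drives FIPS 200 baseline selection. The information types, their provisional levels, and the adjustment passed in are constructed for illustration; `categorize`, `high_water_mark`, `sc_expression` and the `adjustments` parameter are names chosen for this example, not a NIST or SP 800-60 interface.

```python
"""FIPS 199 security categorization and the FIPS 200 high-water mark.

Added worked example; not code from the slides or from NIST. The
information types, their provisional impact levels and the adjustment
below are constructed for illustration. A real categorization takes the
provisional levels from NIST SP 800-60 Volume II and documents the
rationale for any adjustment.
"""
from typing import Dict, Optional, Tuple

# Ordered so that index comparisons give the high-water mark.
LEVELS = ("LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample: information type -> (C, I, A) provisional impact.
# FIPS 199 permits "N/A" (not applicable) only for confidentiality, and
# only for information that is public by design.
SAMPLE_INFO_TYPES: Dict[str, Tuple[str, str, str]] = {
    "Public web content": ("N/A", "LOW", "LOW"),
    "Personnel records": ("MODERATE", "MODERATE", "LOW"),
    "Budget formulation": ("LOW", "MODERATE", "MODERATE"),
}


def _check(objective: str, level: str) -> None:
    """Reject impact values that FIPS 199 does not allow."""
    if level == "N/A":
        if objective != "confidentiality":
            raise ValueError(f"N/A is only allowed for confidentiality, not {objective}")
        return
    if level not in LEVELS:
        raise ValueError(f"unknown impact level {level!r} for {objective}")


def _higher(a: str, b: str) -> str:
    """High-water mark of two impact values; N/A never raises the mark."""
    if a == "N/A":
        return b
    if b == "N/A":
        return a
    return a if LEVELS.index(a) >= LEVELS.index(b) else b


def categorize(info_types: Dict[str, Tuple[str, str, str]],
               adjustments: Optional[Dict[str, Tuple[str, str, str]]] = None) -> Dict[str, str]:
    """Return the per-objective impact level for the whole system.

    For each security objective the system level is the highest level
    assigned to any information type the system handles (FIPS 199, sec. 3).
    `adjustments` replaces the provisional triple for a type after the
    SP 800-60 review step; it is a hook constructed for this example.
    """
    adjusted = dict(info_types)
    adjusted.update(adjustments or {})
    system = {obj: "N/A" for obj in OBJECTIVES}
    for name, levels in adjusted.items():
        if len(levels) != 3:
            raise ValueError(f"{name}: expected a (C, I, A) tuple")
        for obj, level in zip(OBJECTIVES, levels):
            _check(obj, level)
            system[obj] = _higher(system[obj], level)
    return system


def high_water_mark(system: Dict[str, str]) -> str:
    """Overall categorization used to pick the FIPS 200 / SP 800-53 baseline."""
    mark = "N/A"
    for obj in OBJECTIVES:
        mark = _higher(mark, system[obj])
    if mark == "N/A":
        raise ValueError("system has no information types")
    return mark


def sc_expression(system: Dict[str, str]) -> str:
    """Render the FIPS 199 notation: SC = {(confidentiality, X), ...}."""
    inner = ", ".join(f"({obj}, {system[obj]})" for obj in OBJECTIVES)
    return f"SC = {{{inner}}}"


if __name__ == "__main__":
    provisional = categorize(SAMPLE_INFO_TYPES)
    print(sc_expression(provisional))
    print("baseline:", high_water_mark(provisional))
    # Constructed adjustment: this system aggregates a large volume of PII,
    # so the reviewer raises confidentiality of the personnel records to HIGH.
    raised = categorize(SAMPLE_INFO_TYPES,
                        {"Personnel records": ("HIGH", "MODERATE", "LOW")})
    print(sc_expression(raised))
    print("baseline:", high_water_mark(raised))
```

Two points worth noticing when reviewing a categorization against this logic: the per-objective levels, not just the overall mark, belong in the system security plan, because a MODERATE system with LOW availability and a MODERATE system with MODERATE availability are tailored differently in the Select step; and a single adjustment on one information type (here, confidentiality of personnel records) is enough to move the whole system from the MODERATE to the HIGH baseline.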
Page 9
Presenter
Presentation Notes
Select: Select an initial set of baseline security controls for the information system based on the security categorization, tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions. References: FIPS 200, NIST SP 800-53. NIST SP 800-37 Rev 1, § 2.1
Page 10
Presenter
Presentation Notes
Implement: Implement the security controls and describe how the controls are employed within the information system and its environment of operation. References: various NIST SPs and IRs, OMB memoranda. NIST SP 800-37 Rev 1, § 2.1
Page 11
Presenter
Presentation Notes
Assess: Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. References: NIST SP 800-53A, NIST SP 800-115. NIST SP 800-37 Rev 1, § 2.1
Page 12
Presenter
Presentation Notes
Authorize: Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable. Reference: NIST SP 800-37 Rev 1. NIST SP 800-37 Rev 1, § 2.1
Page 13
Presenter
Presentation Notes
Monitor: Monitor the security controls in the information system on an ongoing basis, including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials. NIST SP 800-37 Rev 1, § 2.1
Page 14
Presenter
Presentation Notes
Each part of the process has a NIST Document NIST SP 800-100 Chapter 10
Page 15

Documents to remember:

NIST SP 800-37 – C & A program, overall process, guidelines
FIPS 199 – Standard to define criticality / sensitivity
NIST SP 800-60 – Guideline to define criticality / sensitivity
FIPS 200 – Standard to select controls
NIST SP 800-53 – Guidelines for selecting controls, control catalog
NIST SP 800-53A – Guidelines for assessing controls, audit
NIST SP 800-30 – Risk Assessment guidelines
NIST SP 800-18 – Guidelines for System Security Plans
NIST SP 800-64 – Guidelines for Security and the SDLC
NIST SP 800-70 – Security Configuration Checklist Program
NIST SP 800-47 – Guideline for System Interconnections (MOU/MOA)
NIST SP 800-34 – Contingency Planning Guide
NIST SP 800-61 – Computer Security Incident Handling Guide

Presenter
Presentation Notes
Key NIST Documents
Page 16
Presenter
Presentation Notes
C & A / RMF

There are multiple frameworks used for FISMA compliance:
• DoD uses DITSCAP, then DIACAP, and is moving toward "DIARMF"
• NSA and the intelligence agencies use NIACAP
• Civilian (public) agencies use NIST's C&A process and are moving to the new RMF

There is movement ahead to come up with one framework. NIST SP 800-53 Rev 3 is the first move in that direction, adding DoD controls to the NIST control catalog. There are lots of challenges ahead: DoD and NSA have staff who do what NIST does, and they will not want to give that up. NIST has the mandate from Congress and will eventually have the framework used by the entire federal government (with input from all agencies, of course), developed through the Joint Task Force Transformation Initiative Interagency Working Group.

NIACAP: National Information Assurance Certification and Accreditation Process (NSTISSI No. 1000)
DITSCAP: DoD Information Technology Security Certification and Accreditation Process (DoD Instruction 5200.40)
DIACAP: DoD Information Assurance Certification and Accreditation Process (DoD Instruction 8510.01)
C&A: Certification and Accreditation (NIST SP 800-37)
RMF: Risk Management Framework (NIST SP 800-37 Rev 1)

Must the Department of Defense and the Director of National Intelligence (DNI) follow OMB policy and NIST guidance? Provided that DOD and DNI internal security standards and policies are as stringent as OMB's policies and NIST's standards, they must only follow OMB's reporting policies. However, please note that NIST publication SP-800-53 Revision 3 (issued in August 2009) was developed jointly by NIST, the Department of Defense (DOD) and the intelligence community through the Joint Task Force Transformation Initiative Interagency Working Group. Therefore, DOD and the intelligence community must follow this publication.
- OMB M-10-15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management

"With the rewrite of NIST 800-37, the new document represents a convergence of information security standards, guidelines and best standards across agencies. As a result, the DoD and the Intelligence community will begin to transition away from DIACAP toward NIST over time." https://www.isc2.org/cap-change-faqs.aspx
Page 17

Comparison of C & A and RMF methodology phases:

Methodology – Phase 1 / Phase 2 / Phase 3 / Phase 4
NIST SP 800-37 – Initiation / Security Certification / Security Accreditation / Continuous Monitoring
NIACAP – Definition / Verification / Validation / Post-accreditation
DITSCAP – Definition / Verification / Validation / Post-accreditation
DIACAP – Definition / Verification / Validation / Post-accreditation
(ISC)2 CAP – Preparation / Execution / Maintenance
RMF (NIST SP 800-37 Rev 1) – Step 1 Categorize / Step 2 Select / Step 3 Implement / Step 4 Assess / Step 5 Authorize / Step 6 Monitor, grouped under the CAP domains Preparation / Execution / Maintenance

Presenter
Presentation Notes
Comparison of C & A and RMF methodology. Risk Management Framework (RMF): NIST SP 800-37 Rev 1. DIACAP includes a 5th phase, "Decommission" (DIACAP's own activity names are shown on page 26).
Page 18
Presenter
Presentation Notes
NIST C & A Phases (NIST SP 800-37) NIST SP 800-100 This is the old NIST 4 phase approach as documented in NIST SP 800-37. They have since moved to a 6 step process with NIST SP 800-37 Rev 1.
Page 19
Presenter
Presentation Notes
NIACAP C & A Phases NSTISSI 1000
Page 20
Presenter
Presentation Notes
NIACAP Phase 1 NSTISSI 1000
Page 21
Presenter
Presentation Notes
NIACAP Phase 2 NSTISSI 1000
Page 22
Presenter
Presentation Notes
NIACAP Phase 3 NSTISSI 1000
Page 23
Presenter
Presentation Notes
NIACAP Phase 4 NSTISSI 1000
Page 24
Presenter
Presentation Notes
DIACAP Source: DoDI 8510.01 28-NOV-2007
Page 25

This instruction applies to: (2) All DoD IT that receive, process, store, display, or transmit DoD information. These technologies are broadly grouped as DoD IS, platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, test and evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD. - DoDI 8510.01, para 2a

Page 26

DIACAP activities: Initiate and Plan / Implement and Validate / Decision to Authorize / Maintain Authorization / Decommission

RMF steps: Categorize / Select / Implement / Assess / Authorize / Monitor

Presenter
Presentation Notes
DIACAP ~ "DIARMF"
Page 27
Page 28
Presenter
Presentation Notes
Photo by Donald E. Hester all rights reserved NIST SP 800-37 Rev 1, § 2.2
Page 29

Security is most useful and cost-effective when such integration begins with a system development or integration project initiation, and is continued throughout the SDLC through system disposal. A number of federal laws and directives require integrating security into the SDLC, including the Federal Information Security Management Act (FISMA) and Office of Management and Budget (OMB) Circular A-130, Appendix III.

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-64 Rev. 1, Security Considerations in the Information System Development Life Cycle, presents a framework for incorporating security into all phases of the SDLC,

Presenter
Presentation Notes
RMF and C&A work with the SDLC. Reference: NIST SP 800-100, Information Security Handbook: A Guide for Managers. Read: Official (ISC)2 Guide to the CAP CBK, Second Edition, Chapter 1, Table 1.8, Information Technology Security Activities in the SDLC.
Page 30
Presenter
Presentation Notes
Risk Management Framework in the SDLC Reference: NIST SP 800-100, Information Security Handbook: A Guide for Managers
Page 31

All information technology (IT) projects have a starting point, commonly referred to as the initiation phase. During the initiation phase, the organization establishes the need for a particular system and documents its purpose. The information to be processed, transmitted, or stored is typically evaluated, as well as who requires access to such information and how (in high-level terms). In addition, it is often determined whether the project will be an independent information system or a component of an already-defined system. A preliminary risk assessment is typically conducted in this phase, and security planning documents are initiated (system security plan). NIST SP 800-100

Presenter
Presentation Notes
Initiation Phase
• Document the sensitivity of the system with the risk assessment
• Identify threats and vulnerabilities
• Control selection
• With limited resources you will have to prioritize
Page 32
Presenter
Presentation Notes
Risk Management Framework in the SDLC Reference: NIST SP 800-100, Information Security Handbook: A Guide for Managers
Page 33

During this phase, the system is designed, purchased, programmed, developed, or otherwise constructed. This phase often consists of other defined cycles, such as the system development cycle or the acquisition cycle.

During the first part of the development/acquisition phase, the organization should simultaneously define the system's security and functional requirements. These requirements can be expressed as technical features (e.g., access control), assurances (e.g., background checks for system developers), or operational practices (e.g., awareness and training). During the last part of this phase, the organization should perform developmental testing of the technical and security features/functions to ensure that they perform as intended prior to launching the implementation and integration phase. NIST SP 800-100

Presenter
Presentation Notes
Acquisition / Development Phase
• Cost-benefit analysis
• Control selection
• Develop the SSP
Page 34
Presenter
Presentation Notes
Risk Management Framework in the SDLC Reference: NIST SP 800-100, Information Security Handbook: A Guide for Managers
Page 35

In the implementation phase, the organization configures and enables system security features, tests the functionality of these features, installs or implements the system, and finally, obtains a formal authorization to operate the system. Design reviews and system tests should be performed before placing the system into operation to ensure that it meets all required security specifications. NIST SP 800-100

Presenter
Presentation Notes
Implementation Phase
• Ensure controls are in place and functioning correctly
• SSP updated as needed
• Certification test
• Certification test results reporting
• Authorization to operate (go live)
Page 36
Presenter
Presentation Notes
Risk Management Framework in the SDLC Reference: NIST SP 800-100, Information Security Handbook: A Guide for Managers
Page 37

An effective security program demands comprehensive and continuous understanding of program and system weaknesses. In the operation and maintenance phase, systems and products are in place and operating, enhancements and/or modifications to the system are developed and tested, and hardware and/or software is added or replaced. During this phase, the organization should continuously monitor performance of the system to ensure that it is consistent with preestablished user and security requirements, and needed system modifications are incorporated. NIST SP 800-100

Presenter
Presentation Notes
Operations/Maintenance Phase
Page 38
Presenter
Presentation Notes
Risk Management Framework in the SDLC Reference: NIST SP 800-100, Information Security Handbook: A Guide for Managers
Page 39

The disposal phase of the system life cycle refers to the process of preserving (if applicable) and discarding system information, hardware, and software. This step is extremely important because during this phase, information, hardware, and software are moved to another system, archived, discarded, or destroyed. If performed improperly, the disposal phase can result in the unauthorized disclosure of sensitive data. NIST SP 800-100

Presenter
Presentation Notes
Disposition Phase
• Disposal of the system
• System replacement and/or upgrade
• Secure disposal
• Archive data
• Data migration
Page 40
Presenter
Presentation Notes
Additional Study Resource Check out Section 3.6 Security Activities within the SDLC, NIST SP 800-100, Information Security Handbook: A Guide for Managers (March 2007)
Page 41
Presenter
Presentation Notes
Challenges to Implementation
• Failing to follow the System Development Life Cycle (SDLC)
• Rapid deployment. The alternative is to have multiple tracks: a normal full C & A track, and a fast track for an interim authorization to operate, followed by full C & A
• Flexibility: the process should be risk-based
Page 42

Comparison of C & A and RMF methodology phases:

Methodology – Phase 1 / Phase 2 / Phase 3 / Phase 4
NIST SP 800-37 – Initiation / Security Certification / Security Accreditation / Continuous Monitoring
NIACAP – Definition / Verification / Validation / Post-accreditation
DITSCAP – Definition / Verification / Validation / Post-accreditation
DIACAP – Definition / Verification / Validation / Post-accreditation
(ISC)2 CAP* – Preparation / Execution / Maintenance
RMF (NIST SP 800-37 Rev 1) – Step 1 Categorize / Step 2 Select / Step 3 Implement / Step 4 Assess / Step 5 Authorize / Step 6 Monitor, grouped under the CAP domains Preparation / Execution / Maintenance

Risk Management Framework (RMF): NIST SP 800-37 Rev 1

Presenter
Presentation Notes
Comparison of C & A and RMF methodology. *(ISC)2 domains from March 2010 to November 2010, and NIST SP 800-37 Rev 1 Draft.
NIACAP: National Information Assurance Certification and Accreditation Process (NSTISSI No. 1000)
DITSCAP: DoD Information Technology Security Certification and Accreditation Process (DoD Instruction 5200.40)
DIACAP: DoD Information Assurance Certification and Accreditation Process (DoD Instruction 8510.01)
C&A: Certification and Accreditation (NIST SP 800-37)
RMF: Risk Management Framework (NIST SP 800-37 Rev 1)
Page 43

Initiation (Definition)

Certification (Verification)

Accreditation (Validation)

Continuous Monitoring (Post-accreditation)

Presenter
Presentation Notes
SDLC and C & A Overlay. Reference: NIST SP 800-100, Information Security Handbook: A Guide for Managers
Page 44

Categorize

Select

Implement

Assess

Authorize

Monitor

Presenter
Presentation Notes
SDLC and RMF Overlay. Reference: NIST SP 800-100, Information Security Handbook: A Guide for Managers. Using the 6 steps of the RMF as documented in NIST SP 800-37 Rev 1.
Page 45
Presenter
Presentation Notes
NIST SP 800-39 Draft. This graph was removed from the Final Public Draft of NIST SP 800-39 released in December 2010.
Page 46
Page 47
Presenter
Presentation Notes
Summary
Page 48
Presenter
Presentation Notes
Class Discussion: Life Cycle
• You are an auditor assessing a system for the certification phase. You notice that the last time the system security plan and risk assessment were modified was prior to the last accreditation/authorization. What would this indicate to you as an auditor?
• What is the benefit of using a cycle to describe the process of authorization?
• What is the best time to start the RMF process when developing or purchasing a new system? What happens in reality?