WIXLIB

Risk Management Framework Today and TomorrowContinuous Monitoring Today—And TomorrowBy Lon J. Berman, CISSP, RDRPStep 6 of the Risk ManagementFramework (RMF) is entitled “MonitorSecurity Controls”. Many securityprofessionals would argue it is the mostimportant step, since monitoring is whattransforms RMF from yet another “pointin time” evaluation to a true life cycleprocess. It has been more than threeyears since the official adoption of RMF,yet no Information Security ContinuousMonitoring (ISCM) policy, procedure orguidance has been published by DoD.Security control CA-7 states:“The organization develops a continuousmonitoring strategy and implements acontinuous monitoring program thatincludes:July, 2017Volume 7, Issue 3a. Establishment of [Assignment:organization-defined metrics] to bemonitored;b. Establishment of [Assignment:organization-defined frequencies] formonitoring and [Assignment: organizationdefined frequencies] for assessmentssupporting such monitoring;c. Ongoing security control assessments inaccordance with the organizationalcontinuous monitoring strategy;In this issue:Continuous Monitoring 1Today — And TomorrowCybersecurityFramework (CSF) as itrelates to RiskManagementFramework (RMF)2d. Ongoing security status monitoring oforganization-defined metrics in accordancewith the organizational continuousmonitoring strategy;e. Correlation and analysis of securityrelated information generated byassessments and monitoring;f. Response actions to address results of theanalysis of security-related information; andRegistered DoD RMFPractitioner (RDRP)3Security Control Spotlight—Inheritance froma FedRAMP ApprovedCSP4g. Reporting the security status oforganization and the information system to[Assignment: organization-defined personnelor roles] [Assignment: organization-definedfrequency].”Training for Today and Tomorrow5For each of the Control CorrelationIdentifiers (CCIs) comprising thiscontrol, the RMF Knowledge Serviceprovides the following ImplementationGuidance and Assessment Procedure:“Future DoD-wide Continuous Monitoringguidance to be published”Many system owners (and independentassessors!) interpret this to mean CA-7can legitimately be declared as “NotApplicable” pending publication of DoDwide guidance.Is this really the end of the story (fornow)? Can we just put the whole ISCM“thing” on the back burner until DoDfinally publishes some guidance?For the sake of your program’s mission not to mention our Nation’s security I sincerely hope not!That’s all nice to say, but how can yoube expected to establish an effectiveISCM program when there is no guidanceavailable?The answer is that, in reality, there isno shortage of available continuousmonitoring guidance – both from DoDand elsewhere. And, beyond that, manytechnical tools that can be leveraged insupport of your ISCM program arealready available from DoD.DoDI 8510.01 (RMF for DoD IT) lays outthe system owner’s responsibilities forRMF Step 6 (Monitor Security Controls).These include: Determining the security impact ofproposed changes to the systemMonitoring the system andenvironment for security-relevanteventsPeriodically assessing of securitycontrol implementationReporting significant changes insecurity posture to the AuthorizingOfficialAssessing security controls annuallyConducting remediation activitiesbased on the results of ongoingmonitoring and assessment activitiesUpdating the system POA&M on aregular basisNIST SP 800-37 provides additionalguidance on Step 6 activities.NIST SP 800-137, entitled “InformationSecurity Continuous Monitoring (ISCM)for Federal Information Systems andOrganizations”, is an entire volumededicated to Continuous Monitoring. Itcovers topics such as: development ofmonitoring strategies and monitoringplans, selection of metrics andassessment frequencies, security statusreporting, and monitoring programevaluation.Other government publicationssupporting continuous monitoringactivities include:See Continuous Monitoring, Page 2

Risk Management Framework Today and TomorrowCybersecurity Framework (CSF) as it relates to RiskManagement Framework (RMF)Page 2By P. Devon Schall, CISSP, RDRP“ CSF is not thesame as RMF, andit is not a “rip andreplace” of RMF.”owners will need toaddress any of this.”I recently attended the CybersecurityFramework (CSF) Workshop from May 1617 at NIST in Gaithersburg, Maryland.The workshop proved to be informativein relation to how government and industry are implementing the guidance issuedby President Obama in Executive Order13636. This EO outlines the responsibilities of Federal Departments and Agenciesin Improving Critical InfrastructureCybersecurity. President Trump’s executive order issued on May 11, 2017 titled,Presidential Executive Order onStrengthening the Cybersecurity of Federal Networks and Critical Infrastructurereinforced EO 13636 and directly referenced CSF. CSF is a complicated framework, the scope of this article will be tooutline concerns about CSF as it relatesto RMF.1. What the heck is CSF? I am just nowlearning how to do RMF, why is NISTthrowing another three-letter frameworkacronym at me?RMF, and it is not a “rip and replace” ofRMF. The writers of CSF assured me thatRMF is not going by the wayside and it isa separate framework than RMF. CSF isvoluntary guidance based on existingcybersecurity practices to help organizeand manage risks. CSF is holistic andtargeted toward federal agencies as wellas the private sector. Similarities to RMFare a multi-step security lifecycle as wellas common language. Additional technical information about CSF can be foundin NIST Cybersecurity Framework Draft1.1.2. How will CSF change RMF?I asked this exact question to the folks atNIST. They indicated that those alreadydoing RMF could voluntarily use aspectsof CSF to strengthen their RMF activities,and we may see some aspects of CSF implemented in future updates to RMF.See Cybersecurity Framework (CSF), Page 3Rest assured, I had similar concerns. At avery basic level, CSF is not the same asContinuous Monitoring, from Page 1 NIST SP 800-92, “Guide to ComputerSecurity Log Management”NIST SP 800-55, “PerformanceMeasurement Guide for InformationSecurity”“US Government Concept ofOperations (CONOPS) for InformationSecurity Continuous Monitoring(ISCM)”, published by the JointCybersecurity Performance MetricsWorking GroupDoD has developed numerous tools tosupport continuous monitoring. Theseinclude: Assured Compliance AssessmentSolution (ACAS) – an enterprisevulnerability scanning and reportingtoolHost-based Security System (HBSS) –a suite of commercial products thatinclude malware protection and host-based intrusion detection/preventionSCAP Compliance Checker (SCC) – a tool that facilitates scanning ofoperating systems and othersoftware for compliance with DoDSecurity Technical ImplementationGuides (STIGs)SCAP benchmarks – contentdeveloped by Defense InformationSystems Agency (DISA) to supportSTIG compliance scanning (usingSCC) of various commercial softwareproductsSTIG viewer – software tool tofacilitate “manual review” ofoperating systems, databasemanagement systems, web servers,etc., for STIG complianceSystem owners are encouraged toleverage the above resources toimplement a continuous monitoringprogram now. When DoD (finally) getsaround to publishing their long-awaitedContinuous Monitoring Policy/Guidancedocument, it will most likely take onlyminor adjustments to bring your ISCMprogram into complete compliance.Between now and then, you’ll sleepbetter!

Risk Management Framework Today and TomorrowRegistered DoD RMF Practitioner (RDRP)Page 3By Lon J. Berman, CISSP, RDRPBAI Information Security is pleased toannounce the upcoming launch of a newprogram called Registered DoD RMFPractitioner (RDRP) - a network ofsecurity professionals specializing insupporting RMF in DoD programs. Therequirements to join RDRP are veryminimal:Step 1: Attend 4 days or more of RMFfor DoD IT training.Step 2: Complete the 50 question “RMFfor DoD IT Competency Test” with apassing score of 70%.Step 3: Remit the initial credentialingfee (No cost if you’ve completed BAI’sRMF 4-day training program within thepast 12 months).Your next question may be, why would Iwant to join the RDRP registry? We feelthat being part of the RDRP registry notonly adds value to your resume, but italso shows employers and governmentofficials that you have a comprehensiveunderstanding of RMF as it isimplemented within DoD.Another dynamic of RDRP that is worththinking about is how it relates to TheNational Initiative for CybersecurityEducation Workforce Framework(NCWF), which is currently in an earlydraft. The mission of NCWF is toenhance the overall cybersecurityposture of the United States byaccelerating the availability ofeducational and training resourcesdesigned to improve the cyberbehavior, skills, and knowledge. Amajor part of NCWF is to define thecybersecurity workforce and identifythe training and professionaldevelopment required by mappingcybersecurity skills to sevencybersecurity categories. Thesecategories are: Securely Provision (SP),Operate and Maintain (OM), Overseeand Govern (OV), Protect and Defend(PR), Analyze (AN), Collect and Operate(CO), and Investigate (IN). BAI’s coursesand RDRP map directly to the familySecurely Provision (SP) which includesthe specialty area of Risk Management(RM) mapping to a variety of in demandwork roles. Over 20 agencies andfederal departments worked inpartnership to develop NCWF, and Iimagine, it will play a more significantrole in career development andqualification once a final draft isissued.For additional information on RDRP,keep an eye on BAI’s website andfollow the BAI LinkedIn page forannouncements. For more on TheNational Initiative for CybersecurityEducation Workforce Framework(NCWF), review Draft NIST SpecialPublication 800-181 or join the NICEWorking Group (NICEWG) hosted byNIST.Cybersecurity Framework (CSF), From Page 2The future integration was describedto me as “RMF with a CSF flair”. I donot anticipate CSF to immediatelyimpact RMF, but I do think we’ll seeCSF language in NIST SP 800-53 Rev. 5.3. How will CSF impact my ATO?At this point, RMF activities andcurrent ATO’s will not be impacted byCSF. CSF is a framework targeted instrengthening cybersecurity posturingfor organizations and has manyoverlaps with RMF, but it is not goingto change your current pursuit of anATO.Overall, CSF is an interestingframework, and it is encouraging tosee the Trump administrationrecommending its usage. Theframework is appealing as beingholistic and applicable to businesses ofany size. The initial draft is anapproachable government documentwhich I highly recommend reading.