Risk Management Framework Today - BAI RMF Resource Center


Risk Management Framework Today and Tomorrow
July, 2017, Volume 7, Issue 3

In this issue:
- Continuous Monitoring Today and Tomorrow (page 1)
- Cybersecurity Framework (CSF) as it relates to Risk Management Framework (RMF) (page 2)
- Registered DoD RMF Practitioner (RDRP) (page 3)
- Security Control Spotlight: Inheritance from a FedRAMP Approved CSP (page 4)
- Training for Today and Tomorrow (page 5)


Continuous Monitoring Today and Tomorrow
By Lon J. Berman, CISSP, RDRP

Step 6 of the Risk Management Framework (RMF) is entitled "Monitor Security Controls". Many security professionals would argue it is the most important step, since monitoring is what transforms RMF from yet another "point in time" evaluation to a true life cycle process. It has been more than three years since the official adoption of RMF, yet no Information Security Continuous Monitoring (ISCM) policy, procedure or guidance has been published by DoD.

Security control CA-7 states:

"The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. Establishment of [Assignment: organization-defined metrics] to be monitored;
b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
e. Correlation and analysis of security-related information generated by assessments and monitoring;
f. Response actions to address results of the analysis of security-related information; and
g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]."

For each of the Control Correlation Identifiers (CCIs) comprising this control, the RMF Knowledge Service provides the following Implementation Guidance and Assessment Procedure: "Future DoD-wide Continuous Monitoring guidance to be published".

Many system owners (and independent assessors!) interpret this to mean CA-7 can legitimately be declared as "Not Applicable" pending publication of DoD-wide guidance.

Is this really the end of the story (for now)? Can we just put the whole ISCM "thing" on the back burner until DoD finally publishes some guidance?

For the sake of your program's mission (not to mention our Nation's security) I sincerely hope not!

That's all nice to say, but how can you be expected to establish an effective ISCM program when there is no guidance available?

The answer is that, in reality, there is no shortage of available continuous monitoring guidance – both from DoD and elsewhere. And, beyond that, many technical tools that can be leveraged in support of your ISCM program are already available from DoD.

DoDI 8510.01 (RMF for DoD IT) lays out the system owner's responsibilities for RMF Step 6 (Monitor Security Controls). These include:
- Determining the security impact of proposed changes to the system
- Monitoring the system and environment for security-relevant events
- Periodically assessing security control implementation
- Reporting significant changes in security posture to the Authorizing Official
- Assessing security controls annually
- Conducting remediation activities based on the results of ongoing monitoring and assessment activities
- Updating the system POA&M on a regular basis

NIST SP 800-37 provides additional guidance on Step 6 activities.

NIST SP 800-137, entitled "Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations", is an entire volume dedicated to Continuous Monitoring. It covers topics such as: development of monitoring strategies and monitoring plans, selection of metrics and assessment frequencies, security status reporting, and monitoring program evaluation.

Other government publications supporting continuous monitoring activities include:
- NIST SP 800-92, "Guide to Computer Security Log Management"
- NIST SP 800-55, "Performance Measurement Guide for Information Security"
- "US Government Concept of Operations (CONOPS) for Information Security Continuous Monitoring (ISCM)", published by the Joint Cybersecurity Performance Metrics Working Group

DoD has developed numerous tools to support continuous monitoring. These include:
- Assured Compliance Assessment Solution (ACAS) – an enterprise vulnerability scanning and reporting tool
- Host-based Security System (HBSS) – a suite of commercial products that include malware protection and host-based intrusion detection/prevention
- SCAP Compliance Checker (SCC) – a tool that facilitates scanning of operating systems and other software for compliance with DoD Security Technical Implementation Guides (STIGs)
- SCAP benchmarks – content developed by Defense Information Systems Agency (DISA) to support STIG compliance scanning (using SCC) of various commercial software products
- STIG Viewer – software tool to facilitate "manual review" of operating systems, database management systems, web servers, etc., for STIG compliance

System owners are encouraged to leverage the above resources to implement a continuous monitoring program now. When DoD (finally) gets around to publishing their long-awaited Continuous Monitoring Policy/Guidance document, it will most likely take only minor adjustments to bring your ISCM program into complete compliance. Between now and then, you'll sleep better!


Cybersecurity Framework (CSF) as it relates to Risk Management Framework (RMF)
By P. Devon Schall, CISSP, RDRP

I recently attended the Cybersecurity Framework (CSF) Workshop from May 16-17 at NIST in Gaithersburg, Maryland. The workshop proved to be informative in relation to how government and industry are implementing the guidance issued by President Obama in Executive Order 13636. This EO outlines the responsibilities of Federal Departments and Agencies in Improving Critical Infrastructure Cybersecurity. President Trump's executive order issued on May 11, 2017, titled "Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure", reinforced EO 13636 and directly referenced CSF. CSF is a complicated framework; the scope of this article is to outline concerns about CSF as it relates to RMF.

1. What the heck is CSF? I am just now learning how to do RMF, why is NIST throwing another three-letter framework acronym at me?

Rest assured, I had similar concerns. At a very basic level, CSF is not the same as RMF, and it is not a "rip and replace" of RMF. The writers of CSF assured me that RMF is not going by the wayside and that CSF is a separate framework from RMF. CSF is voluntary guidance based on existing cybersecurity practices to help organize and manage risks. CSF is holistic and targeted toward federal agencies as well as the private sector. Similarities to RMF are a multi-step security lifecycle as well as common language. Additional technical information about CSF can be found in NIST Cybersecurity Framework Draft 1.1.

2. How will CSF change RMF?

I asked this exact question to the folks at NIST. They indicated that those already doing RMF could voluntarily use aspects of CSF to strengthen their RMF activities, and we may see some aspects of CSF implemented in future updates to RMF. The future integration was described to me as "RMF with a CSF flair". I do not anticipate CSF to immediately impact RMF, but I do think we'll see CSF language in NIST SP 800-53 Rev. 5.

3. How will CSF impact my ATO?

At this point, RMF activities and current ATOs will not be impacted by CSF. CSF is a framework targeted at strengthening cybersecurity posture for organizations and has many overlaps with RMF, but it is not going to change your current pursuit of an ATO.

Overall, CSF is an interesting framework, and it is encouraging to see the Trump administration recommending its usage. The framework is appealing as being holistic and applicable to businesses of any size. The initial draft is an approachable government document which I highly recommend reading.


Registered DoD RMF Practitioner (RDRP)
By Lon J. Berman, CISSP, RDRP

BAI Information Security is pleased to announce the upcoming launch of a new program called Registered DoD RMF Practitioner (RDRP), a network of security professionals specializing in supporting RMF in DoD programs. The requirements to join RDRP are very minimal:

Step 1: Attend 4 days or more of RMF for DoD IT training.
Step 2: Complete the 50 question "RMF for DoD IT Competency Test" with a passing score of 70%.
Step 3: Remit the initial credentialing fee (no cost if you've completed BAI's RMF 4-day training program within the past 12 months).

Your next question may be, why would I want to join the RDRP registry? We feel that being part of the RDRP registry not only adds value to your resume, but it also shows employers and government officials that you have a comprehensive understanding of RMF as it is implemented within DoD.

Another dynamic of RDRP that is worth thinking about is how it relates to The National Initiative for Cybersecurity Education Workforce Framework (NCWF), which is currently in an early draft. The mission of NCWF is to enhance the overall cybersecurity posture of the United States by accelerating the availability of educational and training resources designed to improve cyber behavior, skills, and knowledge. A major part of NCWF is to define the cybersecurity workforce and identify the training and professional development required by mapping cybersecurity skills to seven cybersecurity categories. These categories are: Securely Provision (SP), Operate and Maintain (OM), Oversee and Govern (OV), Protect and Defend (PR), Analyze (AN), Collect and Operate (CO), and Investigate (IN). BAI's courses and RDRP map directly to the family Securely Provision (SP), which includes the specialty area of Risk Management (RM), mapping to a variety of in-demand work roles. Over 20 agencies and federal departments worked in partnership to develop NCWF, and I imagine it will play a more significant role in career development and qualification once a final draft is issued.

For additional information on RDRP, keep an eye on BAI's website and follow the BAI LinkedIn page for announcements. For more on The National Initiative for Cybersecurity Education Workforce Framework (NCWF), review Draft NIST Special Publication 800-181 or join the NICE Working Group (NICEWG) hosted by NIST.


Security Control Spotlight: Inheritance from a FedRAMP Approved CSP
By Kathryn M. Daily, CISSP, RDRP

In a previous issue, security control inheritance from an external system hosted at a departmental or agency data center was discussed. In this article, we are going to discuss inheritance from a FedRAMP Approved Cloud Service Provider (CSP) such as Amazon Web Services (AWS), Microsoft Azure, etc.

FedRAMP is an assessment and authorization process for cloud computing products and services. Federal agencies have been directed to use FedRAMP approved cloud computing products and services to ensure that a minimum level of security is provided by the CSP. Like federal information systems, FedRAMP approved CSPs receive an ATO for a period of 3 years, after which they go through the A&A process again, or sooner when there is a major change. As with inheriting from another information system, the benefit of using a FedRAMP approved CSP is that it eliminates redundant validation of compliance: the compliance of the "providing system" (CSP) automatically inures to the benefit of the "receiving system" (hosted customer system).

This inheritance makes YOUR A&A process much less painful. For one, the Maintenance, Media Protection, and Physical and Environmental control families are completely inherited. Prior to FedRAMP, the Security Control Assessor (SCA) had to visit the data center to check the "gates, guards and guns" every single time, even if that specific assessor had previously visited that data center. That is no longer necessary. The FedRAMP ATO takes care of all of that. In addition, there are several "shared controls" where the CSP provides the capability to fulfill the control, and provided that the customer configured the mechanism appropriately, the control is compliant. One example of this is the Access Control family. AWS provides a tool called Identity and Access Management (IAM) that enables you to securely control access to AWS services and resources for your users. IAM provides the capability to be compliant with much of the Access Control family. AWS also provides CloudTrail, which provides the capability to be compliant with most of the Audit and Accountability family. You can obtain the System Security Plan for the CSP you choose, which documents the details of the implementation for each of the shared and inherited controls.

At https://marketplace.fedramp.gov you can see all available CSPs, their service models (SaaS, IaaS, PaaS, etc.) and the impact level (high, moderate or low). Currently there are 67 CSPs that are "In Process" and 86 that are approved. You can also fill out the Package Access Request Form, which will get you a copy of their FedRAMP artifacts (SSP, ATO, etc.). Keep in mind a government employee will need to request the package on behalf of a contractor.


Training for Today and Tomorrow

Our training programs:
- RMF for DoD IT – recommended for DoD employees and contractors that require detailed RMF knowledge and skill training; covers the RMF life cycle, documentation, security controls, and transition from DIACAP to RMF. The program consists of a one day "Fundamentals" class, followed by a three day "In Depth" class.
- RMF for Federal Agencies – recommended for Federal "civil" agency (non-DoD) employees and contractors; covers RMF life cycle, NIST security controls and documentation. Program consists of a one day "Fundamentals" class, followed by a three day "In Depth" class.
- Information Security Continuous Monitoring (ISCM) – open to all, however prior knowledge of RMF is recommended. This is a three day "In Depth" program.
- Certified Cloud Security Professional (CCSP) – recommended for government employees and contractors working (or planning to work) in the cloud environment; this five-day training program will prepare students for the CCSP certification examination given by ISC2.
- eMASS eSSENTIALS – recommended for government employees and contractors working (or planning to work) in the DoD environment; this one-day training program provides practical guidance on the key features and functions of eMASS. "Live operation" of eMASS (in a simulated environment) is used to reinforce the practical skills needed to use eMASS.

Our training delivery methods:
- Traditional classroom – regularly-scheduled training programs are offered at various locations nationwide, including Colorado Springs, Huntsville, National Capital Region (Pentagon/Crystal City area), Pensacola and San Diego.
- Online Personal Classroom(TM) – regularly-scheduled training programs are also offered in an online, instructor-led format that enables you to actively participate from the comfort of your home or office.
- On-site training – our instructors are available to deliver any of our training programs to a group of students from your organization at your site; please contact BAI at 1-800-RMF-1903 to discuss your requirements.

Regularly-scheduled classes through September, 2017:

RMF for DoD IT – 4 day program (Fundamentals and In Depth)
- Huntsville: 7-10 AUG
- Colorado Springs: 11-14 SEP, 4-7 DEC
- San Diego: 18-21 SEP, 11-14 DEC
- National Capital Region: 2-5 OCT
- Pensacola: 6-9 NOV
- Online Personal Classroom: 17-20 JUL, 14-17 AUG, 18-21 SEP, 16-19 OCT, 13-16 NOV, 11-14 DEC

RMF for Federal Agencies – 4 day program (Fundamentals and In Depth)
- Online Personal Classroom: 21-24 AUG

Information Security Continuous Monitoring – 3 day program (In Depth class only)
- Online Personal Classroom: 25-27 JUL

Certified Cloud Security Professional (CCSP) – 5 day program
- Online Personal Classroom: 24-28 JUL
- National Capital Region: 25-29 SEP

eMASS eSSENTIALS – 1 day program
- Online Personal Classroom: 26 JUL, 30 AUG, 27 SEP, 25 OCT, 15 NOV, 13 DEC

Registration for all classes is available at https://register.rmf.org
Payment arrangements include credit cards, SF182 forms, and Purchase Orders.

Contact Us!
RMF Today and Tomorrow is a publication of BAI Information Security, Fairlawn, Virginia.
Phone: 1-800-RMF-1903
Fax: 540-518-9089
Email: rmf@rmf.org
