DoD CIO UNCLASSIFIED: How to Apply the Risk Management Framework to Control Systems within DoD

Transcription

DoD CIO UNCLASSIFIED
How to Apply the Risk Management Framework to Control Systems within DoD
Mr. Kevin Dulany, CISSP, CISM, CISA, CAP
Chair, RMF TAG, Department of Defense (DoD) Chief Information Officer (CIO)
Deputy CIO for Cybersecurity
Cybersecurity Policy & Strategy Directorate
SUPPORT THE WARFIGHTER 1

DoDI 8510.01 "RMF for DoD IT"
- Incorporates cybersecurity early and robustly in the acquisition and system development lifecycle
- Implements a three-tiered approach to risk management that addresses risk-related concerns at the enterprise level, the mission and business process level, and the information system level
- Focuses on risk to the mission and buying down cybersecurity risks through the right mitigations
- Provides a risk management methodology that gives organizations a true picture of vulnerabilities caused by non-compliant controls as they relate to other risk factors (i.e., likelihood, threat, and impact)
- Codifies system authorization reciprocity, enabling organizations to accept approvals by other organizations for interconnection or reuse of IT without retesting
- Emphasizes information security continuous monitoring and timely correction of deficiencies, including active management of vulnerabilities and incidents
- Applies to all IT, which reduces exploitation of vulnerabilities in PIT, Services, or Products previously not secured or assessed

RMF Lifecycle for DoD Information Systems and Platform Information Technology (PIT) Systems

Step 1 CATEGORIZE System
- Categorize the system in accordance with the CNSSI 1253
- Initiate the Security Plan
- Register system with DoD Component Cybersecurity Program
- Assign qualified personnel to RMF roles

Step 2 SELECT Security Controls
- Common Control Identification
- Select security controls
- Develop system-level continuous monitoring strategy
- Review and approve Security Plan and continuous monitoring strategy
- Apply overlays and tailor

Step 3 IMPLEMENT Security Controls
- Implement control solutions consistent with DoD Component Cybersecurity architectures
- Document security control implementation in Security Plan

Step 4 ASSESS Security Controls
- Develop and approve Security Assessment Plan
- Assess security controls
- SCA prepares Security Assessment Report (SAR)
- Conduct initial remediation actions

Step 5 AUTHORIZE System
- Prepare the POA&M
- Submit Security Authorization Package (Security Plan, SAR and POA&M) to AO
- AO conducts final risk determination
- AO makes authorization decision

Step 6 MONITOR Security Controls
- Determine impact of changes to the system and environment
- Assess selected controls annually
- Conduct needed remediation
- Update Security Plan, SAR and POA&M
- Report security status to AO
- AO reviews reported status
- Implement system decommissioning strategy

Challenges and Solutions

Challenges:
  o How to assess non-traditional IT
  o Integrating current security requirements and performing a gap analysis

Solutions:
  o Establishment of guidance through the RMF KS (e.g., EI&E PIT Control Systems page)
  o Establishment of focus groups to address: defining the process for DoD IT that is designated as "Assess Only" and cybersecurity of DoD PIT systems

Mr. Kevin M. Dulany
Chief, Risk Management Framework Division
DOD CIO, DCIO(CS), CSPS
Kevin.M.Dulany.civ@mail.mil

Email RMF Implementation Questions to:
RMF TAG Secretariat (OSD.RMFTAG-Secretariat@mail.mil) or via the RMF KS Help and Feedback Form (https://rmfks.osd.mil)

BACK-UP

DIACAP / RMF Knowledge Service
The authoritative source for information, guidance, procedures, and templates on how to execute the DIACAP and Risk Management Framework
https://rmfks.osd.mil

RMF Technical Advisory Group (RMF TAG)

Mission: Strengthen and evolve the ability for DoD to rapidly deploy secure IT systems that enable information sharing between the Department, the IC, and other entities.

Duties:
  o Provide implementation guidance for the RMF
  o Provide detailed analysis and authoring support for the enterprise portion of the Knowledge Service (KS)
  o Recommend changes to security controls, baselines, and RMF policy
  o Advise DoD forums established to resolve RMF priorities and cross-cutting issues
  o Develop and manage RMF automation requirements

Chair: DoD SISO appointed

Members: All DoD Components are authorized to be represented by one primary and one alternate cybersecurity SME.
