DoD Transition to NIST SP 800-53 Rev 5: Why is it Taking so Long? - RMF Today and Tomorrow


Risk Management Framework Today and Tomorrow
January, 2022, Volume 13, Issue 1

In this issue:
DoD Transition to NIST SP 800-53: Why is it Taking so Long? ... 1
The Pedagogy of RMF Training ... 2
FedRAMP Turns 10! ... 3
Ask Dr. RMF ... 4
Classroom RMF, eMASS, SCI/SCA, and STIG Training is Back! ... 6
Training for Today and Tomorrow ... 7

DoD Transition to NIST SP 800-53 Rev 5: Why is it Taking so Long?
By Lon J. Berman, CISSP, RDRP

Welcome to 2022! It's now been well over a year since the release of NIST SP 800-53 Rev 5, yet Rev 4 remains the DoD standard. When DoD first adopted RMF back in 2014, they expressed their commitment to "keeping up" with the NIST publications. So why the long delay in this case? When can we expect DoD to finally adopt Rev 5?

In a previous edition of RMF Today and Tomorrow we provided a summary of the new and revised material in Rev 5, and also listed out the many "moving parts" that will need to change in order to accommodate the transition from Rev 4 to Rev 5. Prime among these is the publication of a revised CNSSI 1253, which is the governing document for selection of security controls and CCIs based on the system categorization. Until the Committee on National Security Systems (CNSS) releases a revised 1253 document, DoD will be unable to proceed with adoption of NIST SP 800-53 Rev 5. So, at least for the time being, DoD can "hide behind" CNSS as the reason for the delay.

Allegedly work is "underway" on the 1253 revision, but, again, no idea when this will actually happen. Unlike NIST, which regularly releases publication schedules and draft documents for public comment, DoD and CNSS tend to do their document development "in the dark", so to speak, before finally lobbing new publications "over the wall" and making them official. In other words, it could happen tomorrow, or it could happen in twelve months, or something in between.

Even after a new CNSSI 1253 is available, there are still numerous obstacles to overcome. First and foremost, eMASS needs to be revised to include the Rev 5 security controls and CCIs. This is a major undertaking that will involve extensive development and quality assurance work. Changes to controls and CCIs may also entail corresponding changes to DISA STIGs. The RMF Knowledge Service content will also need to be revised, particularly the Security Controls Explorer.

Finally, a "transition plan" will need to be worked out. It's clearly unrealistic to expect every DoD system to transition "overnight" to the Rev 5 control set, so some sort of phased approach will be needed. The most reasonable assumption is that each system will be expected to make the transition on its next "ATO cycle". So if your system just got its new three year ATO, you would not be expected to make the transition for another three years. So far so good. If your ATO expires in six or nine months, you would need to get cracking on making the transition ASAP. Well, OK. But what about a system whose ATO expires in three or four months? The system owner is probably already deep in the throes of working the new ATO. What will they be expected to do? As usual, the devil is in the details, and all of this will need to be worked out before DoD can officially begin the transition.

All that said, I believe it's reasonable to expect some sort of movement on the part of DoD this year. My recommendation is to get yourself as ready as you can. Get yourself a copy of NIST SP 800-53 Rev 5 and start reading!

The Pedagogy of RMF Training
By Philip D. Schall, Ph.D., CISSP, RDRP

"By far one of the best courses I have taken in a long time. I just finished up a 10-week graduate course on RMF, and I learned more in this 4-day class from Linda than I did the entire 10 weeks, best money I have ever spent!!"
(BAI RMF for DoD IT student testimonial)

BAI's Mission: To provide exceptional Risk Management Framework (RMF) training by building student confidence in their abilities to operationally engage in the RMF process as efficiently and effectively as possible.

This short article was created to educate potential BAI students on our training pedagogy.

The Case for the Online Personal Classroom

It is no secret that the educational landscape has changed dramatically within the past few years due to the COVID-19 pandemic. One of the major changes has been a shift from in-person classroom training to online training. At BAI, we firmly believe that there is no substitute for live instructor-led training conducted by seasoned RMF practitioners. In fact, we have been approached many times about the creation of RMF eLearning courses and other asynchronous RMF training modules, but we stand firm in our belief that in order to fulfill our mission of providing the best RMF training available, the ideal delivery platform is live and instructor-led. In order to provide the highest training quality, we have no intentions of deviating from this educational delivery approach, as we believe it is the most efficient way for our students to gain a strong understanding of RMF and the ability to work the RMF process.

The Case for In-Person Classes

Although online training is the current trend, as Training Director for BAI, I firmly believe that for some learners, in-person training conducted in a physical classroom setting is the best delivery method for their RMF education needs. Because of this, BAI continues to offer our flagship RMF for DoD IT & Federal Agencies curriculum in physical locations throughout the US, with a current rotation between Pensacola, San Diego, Colorado Springs, Washington D.C., and Huntsville. I completely understand the convenience of training remotely, but I believe that nothing can substitute for the experience of sitting in a classroom without distractions and learning the RMF process while establishing a face-to-face connection with your RMF instructor. As a cybersecurity educator, I hope in the coming year we see a swing back to traditional in-person classroom training.

The Case for Intensive Four-Day RMF Training

As the above student testimonial demonstrates, many of our students feel the intensive nature of our four-day RMF for DoD IT & Federal Agencies training curriculum is the most effective approach to being able to work on RMF projects as quickly as possible and maximize return on investment. As a traditional university educator, I believe that some topics are a good fit for a full semester of education or even graduate coursework, but I firmly believe an intensive RMF deep dive is the best way for students to be able to return to their office ready to get to work on RMF activities. Our traditional student population consists of students who have likely been tasked with an RMF responsibility or have been made aware of an impending RMF project coming down the pipeline. Not having a full understanding of RMF is very stressful for those with looming deadlines. In our experience, the best way to build the knowledge and confidence needed is in the delivery of intensive full-day RMF training in four consecutive days, leveraging group activities and real-world examples of RMF implementation.

See The Pedagogy of RMF, Page 3 for more.

FedRAMP Turns 10!
By Kathryn Daily, CISSP, CAP, RDRP

On December 8, 2021, the FedRAMP program turned 10 years old! Created in 2011, the goal for FedRAMP was to produce a cost-effective, repeatable solution for securing cloud services and cloud service providers. I think we can safely say, mission accomplished. The CGI IaaS Platform was the first CSP to be authorized through the Joint Authorization Board in 2013. FedRAMP currently has 246 vendors approved (as of Jan 10, 2022), with many more on the way! FedRAMP launched the Marketplace, which provides government agencies with a one-stop shop for approved cloud solutions to fit their needs, as well as providing a base level of assurance that the provider meets the requirements unique to the federal government. Prior to FedRAMP, each federal agency had to assess the cloud services that it wanted to use as a part of its own Assessment and Authorization activity. With the advent of FedRAMP, the federal government adopted an "assess once, use many times" framework that reduced the cost and complexity for federal agencies using cloud services. FedRAMP has developed a template set for vendors to use to go through the FedRAMP approval process in an effort to streamline the documentation process, something that RMF could benefit from in my opinion. Additionally, FedRAMP has created an accreditation program for the 3PAOs (Third Party Assessment Organizations) to ensure that assessments are performed uniformly across the board.

It's been so successful that states have started to imitate what the federal government has accomplished, with their own StateRAMP to accomplish the same mission as the federal government but at the state level. While StateRAMP is still in its infancy, it shows great promise to bring the same benefits that the federal government has seen to state government.

Let's see what FedRAMP has in store for the next 10 years!

The Pedagogy of RMF, from Page 2

The Case for RMF Training

In a research study published by Cyber Security: A Peer-Reviewed Journal, I found a direct relationship between the receipt of formalized RMF training and increased RMF efficiency and reduced overall RMF project costs. Taking this data into consideration, I suggest all parties involved in an RMF project attend live instructor-led RMF training taught by expert RMF practitioners. Through my research, I found that when workers are tasked with an RMF project and attempt to self-educate, RMF efficiency decreases and RMF project timelines and costs increase. RMF is a complicated process best taught by those with an active understanding of the intricacies of the hundreds of government documents and policies which compose RMF. Quite simply, there is no substitute for RMF training delivered by an RMF subject matter expert.

Whether RMF training is delivered in our Online Personal Classroom or in a physical classroom, our research and student feedback support our belief that BAI delivers an exceptional RMF training experience.

For the most up to date curriculum and training schedule, please visit www.rmf.org.

Ask Dr. RMF

Do you have an RMF dilemma that you could use advice on how to handle? If so, Ask Dr. RMF! BAI's Dr. RMF consists of BAI's senior RMF consultants, who have decades of RMF experience as well as peer-reviewed published RMF research. Dr. RMF submissions can be made at https://rmf.org/dr-rmf/.

"Overlay Layover" asks:

I'm a little bit confused about how to find available security controls overlays. According to the RMF policy (DoD Instruction 8510.01) and the RMF Knowledge Service, approved overlays can be found on the CNSS.GOV website. Well, I keep looking there and all I see are the same handful of overlays that have been there for years (classified information overlay, privacy overlay, space platform overlay, etc.). I'm quite sure lots of additional overlays have been developed, but there don't seem to be any new ones showing up. Why is that?

Dr. RMF responds:

Dr. RMF can confirm that there are in fact other overlays out there. It's not altogether clear why they haven't shown up as "official" overlays on the CNSS.GOV site. Dr. RMF suspects the process of gaining approval from CNSS may be sufficiently onerous that the overlay developers just haven't chosen to go that route. Having said that, it is worth noting that many overlays have been developed for specific "communities of interest" and have been shared by some means within the said community. For example, several overlays dealing with classified contractor systems (under DCSA purview) have been made available in "NISP eMASS", which is exclusive to that community.

"In Search of Perfection" writes:

One of my customers was told by their Security Control Assessor (SCA) that they could not get Authorization To Operate (ATO) unless their POA&M had zero open items; in other words, they are expected to be 100% compliant with all the controls in their baseline. What makes this even more ridiculous is that the system in question has no connection to any other system or network; it is literally a standalone system! Does this make any sense to you, Dr. RMF?

Dr. RMF responds:

The short answer is "No". The decision to issue an ATO (which, by the way, belongs to the Authorizing Official (AO) and not the SCA) should be based on a judgment that the overall system risk is acceptable. Virtually every system will have some non-compliant controls; perfection is a laudable goal but rarely achievable in the real world. So long as the POA&M presents a realistic plan to address the non-compliant controls, the AO should at least be willing to consider an ATO or ATO with Conditions. That way, the system can be put into operation while the remaining non-compliant items are addressed.

Want to see more of Dr. RMF? Watch our Dr. RMF video collection.

"Identity Crisis" writes:

I am a contractor working on development of a system that is jointly owned by a DoD agency and a federal civil agency (Dept. of Treasury). My company is expected to do most of the "heavy lifting" to develop the RMF package for this system, and we are terribly confused as to how we should approach this task. Our boss is not terribly understanding; he seems to think that since DoD and Treasury "both use RMF", there shouldn't be any ambiguity and our path forward is clear. How do we convince him it's harder than he thinks? Beyond that, how do you recommend we approach the RMF tasking?

Dr. RMF responds:

A system under joint ownership needs to have a single designated Authorizing Official (AO). There should be a Memorandum of Agreement (MOA) put in place between the two organizations' AOs that designates one or the other of them as the "lead" AO. This can sometimes be a long and painful process, but, fortunately, as a contractor, it will not involve you or your company! Among the issues that will need to be "negotiated" are the RMF roles and responsibilities. It's critical that there be agreement on which RMF process and control sets are to be used. DoD RMF and Treasury RMF are certainly very similar, but there are key differences that will have to be worked out. For example, the DoD RMF process uses CNSSI 1253 as the process document for system categorization and security control selection. On the other hand, the Treasury RMF process will use CNSSI 1253 for systems designated as National Security Systems (NSS) only; all other systems will use FIPS 199 for categorization and NIST SP 800-53 for security control selection.

Want to see more of Dr. RMF? Watch our Dr. RMF video collection.

Classroom RMF, eMASS, SCI/SCA, and STIG Training is Back!

BAI RMF Resource Center is pleased to announce the return of RMF, eMASS, Security Controls, and STIG training classrooms, with the addition of our new locations in Colorado Springs, Pensacola, San Diego, and San Antonio!

RMF for DoD IT and Federal Agencies & eMASS eSSENTIALS
Colorado Springs, CO: February 28th - March 4th and May 23rd - 27th
Pensacola, FL: April 25th - 29th
San Diego, CA: March 28th - April 1st and June 27th - July 1st

Enjoy the scenery after class in Colorado Springs, Pensacola, or San Diego!

Security Controls Implementation and Assessment Workshop & STIG 101
San Antonio, TX: March 21st - 25th

Students can discover and enjoy San Antonio's authentic cuisine and historic River Walk outside of class hours.

To register, contact alice@rmf.org or go to register.rmf.org.

Training for Today and Tomorrow

Our training programs:
- RMF for DoD IT: recommended for DoD employees and contractors that require detailed RMF knowledge and skill training; covers the RMF life cycle, documentation, and security controls.
- RMF for Federal Agencies: recommended for Federal Agency employees and contractors that require detailed RMF knowledge and skill training; covers the RMF life cycle, documentation, and security controls, with an additional emphasis on Federal application.
- RMF Supplement for DCSA Cleared Contractors: covers the specifics of RMF as it applies to cleared contractor companies under the purview of the Defense Counterintelligence and Security Agency (DCSA). Companies holding a Facility Clearance who also maintain "on premise" information technology (such as standalone computers and small networks) will benefit from this training.
- DFARS Compliance with CMMC/NIST SP 800-171 Readiness Workshop: provides detailed, practical, application-based DFARS training that will help DoD contractors work through DFARS requirements towards certification in the most efficient means possible.
- eMASS eSSENTIALS: provides practical guidance on the key features and functions of eMASS. "Live operation" of eMASS is exemplified in our eMASS eXPERIENCE simulation environment.
- STIG 101: designed to answer core questions and provide guidance on the implementation of DISA Security Technical Implementation Guides (STIGs), utilizing a virtual online lab environment.
- Security Controls Implementation Workshop: provides an in-depth look into Step 3 of the Risk Management Framework process, Implement Security Controls. Upon completion of the course the student can confidently return to their respective organization and ensure the highest level of success for the most difficult part of the RMF process.
- Security Controls Assessment Workshop: provides a current approach to evaluation and testing of security controls to prove they are functioning correctly in today's IT systems.
- Information Security Continuous Monitoring: equips learners with knowledge of the theory and policy background underlying continuous monitoring and the practical knowledge needed for implementation.
- RMF in the Cloud: provides students the knowledge needed to begin shifting their RMF efforts to a cloud environment.

Our training delivery methods:
- Traditional classroom
- Online Personal Classroom (TM) (interactive, live, instructor-led)
- Private group classes for your organization (on-site or online instructor-led)

Regularly-scheduled classes through June, 2022:

RMF for DoD IT and Federal Agencies (4 day program, Fundamentals and In Depth)
Online Personal Classroom: 10-13 JAN, 24-27 JAN, 14-17 FEB, 28 FEB-3 MAR, 14-17 MAR, 28-31 MAR, 4-7 APR, 25-28 APR, 9-12 MAY, 23-26 MAY, 6-9 JUN, 27-30 JUN
Colorado Springs, CO: 28 FEB-3 MAR, 23-26 MAY
Pensacola, FL: 25-28 APR
San Diego, CA: 28-31 MAR, 27-30 JUN

eMASS eSSENTIALS (1 day program)
Online Personal Classroom: 14 JAN, 28 JAN, 18 FEB, 4 MAR, 18 MAR, 1 APR, 8 APR, 29 APR, 13 MAY, 27 MAY, 10 JUN, 1 JUL
Colorado Springs, CO: 4 MAR, 27 MAY
Pensacola, FL: 29 APR
San Diego, CA: 1 APR, 1 JUL

Security Controls Implementation & Assessment Workshop (4 day program)
Online Personal Classroom: 17-20 JAN, 7-10 FEB, 7-10 MAR, 18-21 APR, 2-5 MAY, 31 MAY-3 JUN, 13-16 JUN
San Antonio, TX: 21-24 MAR

STIG 101 (1 day program)
Online Personal Classroom: 21 JAN, 11 FEB, 11 MAR, 22 APR, 6 MAY, 17 JUN
San Antonio, TX: 25 MAR

DFARS Compliance with CMMC/NIST SP 800-171 Readiness Workshop (3 day program)
Online Personal Classroom: 22-24 FEB, 11-13 APR, 21-23 JUN

RMF Supplement for DCSA Cleared Contractors (1 day program)
Online Personal Classroom: 24 JUN

Information Security Continuous Monitoring (1 day program)
Online Personal Classroom: 19 JAN, 9 FEB, 9 MAR, 12 APR, 16 MAY

RMF in the Cloud (1 day program)
Online Personal Classroom: 20 JAN, 10 FEB, 10 MAR, 13 APR, 17 MAY, 23 JUN

CAP Exam Prep (1 day program)
Online Personal Classroom: 18 MAY

Registration for all classes is available at https://register.rmf.org. Payment arrangements include credit cards, SF182 forms, and Purchase Orders.

Contact Us!
RMF Today and Tomorrow is a publication of BAI Information Security, Fairlawn, Virginia.
Phone: 1-800-RMF-1903
Fax: 540-518-9089
Email: rmf@rmf.org
