Risk Management Framework Today - Rmf

Risk Management Framework Today... and Tomorrow (Formerly DIACAP Dimensions)
March, 2015, Volume 5, Issue 1

In this issue:
 RMF Transition—What Do I Really Need to Know? (Page 1)
 What Are CCIs and Why Should I Care? (Page 2)
 Top Ten—Getting Off to a Good Start (Page 3)
 Security Control Spotlight—The PM Family (Page 4)
 Training for Today and Tomorrow (Page 5)

RMF Transition—What Do I Really Need to Know?
By Lon J. Berman, CISSP

It’s hard to believe it’s been a whole year since the publication of DoD Instruction (DoDI) 8510.01 in March of 2014, which officially began the transition from the DIACAP process and IA Controls to the Risk Management Framework (RMF) and NIST Security Controls. While there are isolated pockets of progress to report, the fact is the major DoD components are just now beginning their transition in earnest.

DoD employees and contractors are now faced with the daunting tasks of adjusting to a new process and assessing their systems’ compliance with a completely new baseline of controls. Most have come to the realization that some type of training is essential to their success. But what sort of training do they need?

First priority should be training that is centered around the RMF for DoD IT process and security controls. This type of training should provide a thorough understanding of:
 - RMF terminology
 - RMF roles and responsibilities
 - RMF for DoD IT life cycle process: Categorize, Select, Implement, Assess, Authorize, Monitor
 - RMF for DoD IT documentation: Security Plan (SP), Security Assessment Report (SAR), Plan of Action and Milestones (POA&M)
 - NIST security controls and assessment procedures

OK, so I need to learn all about the RMF for DoD IT process and security controls. What about eMASS training? Won’t that do the trick? After all, isn’t eMASS the support tool that is becoming the “standard” across all (or nearly all) of DoD?

It is true that eMASS is the tool of choice for most DoD components. And, absolutely, learning how to “push the buttons” and operate eMASS is important. However, without a solid foundation in the RMF process and the NIST controls, eMASS training alone will not give you the understanding you need to tackle the job of getting your systems authorized in accordance with RMF. Ideally, you should walk into eMASS training with thorough knowledge of RMF for DoD IT. That’s the only way you’ll have the context within which to truly grasp what eMASS can do for your organization.

But wait. Doesn’t eMASS training already include instruction in the RMF process and security controls? Generally speaking, the answer is NO or, if any process training is included at all, it’s absolutely minimal.

The best approach is to get yourself thoroughly trained in RMF for DoD IT, and then get some eMASS training.

That makes sense. Now, I see numerous sources to get RMF training. How do I know which ones are best? Well, a good start is to make sure they are offering “RMF for DoD IT” training, and not just generic “RMF” training. There are very significant differences.

See Really Need to Know, Page 2

Really Need to Know, from Page 1

Also, make sure the training vendors you are considering are teaching the entire class from the “DoD perspective”, which should include:
 - DoD policies
 - Similarities and differences between DIACAP and RMF
 - DIACAP-to-RMF transition guidance

Some training providers claim they teach a single RMF course that meets the needs of DoD as well as other departments and agencies. Don’t believe them.

Lastly, consider the provider’s overall training approach. Vendors whose primary mission is to prepare students for certification tests may not offer practical guidance, case studies and class exercises appropriate to students who will need to put their training into practice in the “real world” of DoD IT.

What Are CCIs and Why Should I Care About Them?
By Kathryn M. Farrish, CISSP

One of the more recent information security innovations is the Control Correlation Identifier, or CCI. Each CCI provides a standard identifier and description for “singular, actionable statements” that comprise a security control or security best practice.

The purpose of CCIs is to allow a high-level statement made in a policy document (i.e., a security control) to be “decomposed” and explicitly associated with the low-level security settings that must be assessed to determine compliance with the objectives of that specific statement.

Under the leadership of the Defense Information Systems Agency (DISA), a working group has been cataloging CCIs for the past several years. The collection has now been developed to the point that every assessment objective in NIST SP 800-53A has been mapped to an individual CCI.

The current list of CCIs can be downloaded in XML format (viewable in a web browser such as Internet Explorer). The URL for downloading is:

DISA encourages feedback from the information security community; a comment form is provided for that purpose.

Here is an example of a CCI:

 CCI: CCI-001239
 Status: Draft
 Contributor: DISA FSO
 Date: 2009-09-22
 Type: Technical
 Definition: The organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media or other common means or inserted through exploitation of information system vulnerabilities.
 References: NIST SP 800-53 SI-3.a; NIST SP 800-53A SI-3.1(ii)

DISA is also in the process of revising numerous Security Technical Implementation Guides (STIGs) to include references to CCIs that correspond to each of the recommended configuration settings.

With the success of the CCI effort comes some hope that at least a portion of the effort associated with RMF assessment can be automated!
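As an added illustration of the control-to-CCI decomposition the article describes (example code written for this page, not the newsletter's or DISA's), the Python below reads a small constructed CCI list, indexes each CCI under the SP 800-53 control it decomposes, and reports which SP 800-53A assessment objectives of a control no CCI in the list claims. The element and attribute names and the second record are assumptions modelled on the fields shown in the CCI-001239 example; the real DISA XML schema differs and must be checked before this is pointed at the downloaded file.

```python
"""Decompose NIST SP 800-53 controls into CCIs and check 800-53A coverage."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample. Element names are an assumption modelled on the
# article's example fields, not the real DISA CCI list schema. The first
# record mirrors the article's CCI-001239; the second is entirely made up.
SAMPLE_CCI_XML = """<cci_list>
  <cci id="CCI-001239" status="Draft" type="Technical" date="2009-09-22">
    <contributor>DISA FSO</contributor>
    <definition>The organization employs malicious code protection
      mechanisms at information system entry and exit points.</definition>
    <reference title="NIST SP 800-53" index="SI-3.a"/>
    <reference title="NIST SP 800-53A" index="SI-3.1(ii)"/>
  </cci>
  <cci id="CCI-900001" status="Draft" type="Policy" date="2015-03-01">
    <contributor>constructed</contributor>
    <definition>Constructed sample: the organization updates malicious
      code protection mechanisms when new releases are available.</definition>
    <reference title="NIST SP 800-53" index="SI-3.b"/>
    <reference title="NIST SP 800-53A" index="SI-3.1(iii)"/>
  </cci>
</cci_list>"""


def control_of(index: str) -> str:
    """Reduce a reference index such as 'SI-3.a' or 'SI-3.1(ii)' to 'SI-3'."""
    m = re.match(r"([A-Z]{2}-\d+)", index)
    if not m:
        raise ValueError(f"unrecognised reference index: {index!r}")
    return m.group(1)


def decompose(xml_text: str) -> dict[str, dict[str, list[str]]]:
    """Return {control: {cci_id: [800-53A assessment objectives it covers]}}."""
    index: dict[str, dict[str, list[str]]] = defaultdict(dict)
    for cci in ET.fromstring(xml_text).iter("cci"):
        cci_id = cci.get("id")
        objectives = [r.get("index") for r in cci.findall("reference")
                      if r.get("title") == "NIST SP 800-53A"]
        for ref in cci.findall("reference"):
            index[control_of(ref.get("index"))].setdefault(cci_id, objectives)
    return dict(index)


def uncovered_objectives(xml_text: str, control: str, expected: list[str]) -> list[str]:
    """Assessment objectives of `control` (from 800-53A) that no CCI claims."""
    covered = {o for objs in decompose(xml_text).get(control, {}).values() for o in objs}
    return [o for o in expected if o not in covered]
```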

Top Ten—Getting Off to a Good Start
By Annette Leonard

“The beginning is the most important part of the work.” ― Plato, The Republic

Before rushing headlong into the RMF fray, DoD system owners should take the time to ensure they get off to a good start. Mistakes made at the beginning of the effort can be very costly to correct later in the life cycle. Here, then, is our “Top Ten” list of things you should do to “hit the ground running” with your RMF transition effort.

10. Glossary. RMF is replete with new or revised terminology and acronyms. Get yourself a copy of CNSSI 4009, the National Information Assurance Glossary. This will be an invaluable reference for those times when you run into an unfamiliar term or find yourself in a friendly “dispute” over something you encounter in a policy document or memo.

9. Document Library. Start building a library of RMF reference documents. Remember, unlike previous DoD processes, RMF relies heavily on documents from sources outside DoD. Here is a good starting list for your library:
 - DoDI 8500.01, DoDI 8510.01
 - CNSSI 1253
 - NIST SP 800-37
 - NIST SP 800-53, NIST SP 800-53A

8. Component Policies. Check with your DoD Component (Air Force, Army, Marine Corps, Navy, etc.) cybersecurity office to see if there are any policies or instructions related to RMF. If so, add them to your document library.

7. Authorizing Official(s). Make sure you know who will be signing the authorization (accreditation) for your system(s) under RMF. It may or may not be the same individual (DAA) who signed your DIACAP ATO.

6. RMF Knowledge Service. Make sure you can access the RMF Knowledge Service (KS). This website is DoD’s “authoritative source” for all things RMF.

5. Automated Tool. Make sure you have an account and can log into the automated tool that your component or command will be using to support RMF. In many cases, this will be the DoD enterprise tool eMASS.

4. System Boundaries and Inheritance. Take the time to confirm your system boundaries and inheritance relationships with hosting providers, etc.

3. Information Content. Make sure you understand the types of information stored and processed by your system(s) and who the information owners are. These individuals will be critical to the success of the system categorization effort.

2. Information Security Support. Make sure you have an Information System Security Manager (ISSM) or Information System Security Officer (ISSO) on your team to provide support.

1. Training. Make sure you and the other members of your team are trained, both in the RMF for DoD IT process itself, and in any automated tools (e.g., eMASS) you will be using to document your efforts.

Security Control Spotlight—The PM Family
By Lon J. Berman, CISSP

The Beatles were comprised of how many musicians? Easy, right? They were called the “Fab Four”, so there were definitely 4. Now Google “the fifth Beatle” and see what you get. Ditto for “sixth sense”. When I eat at a Thai restaurant and the waitress asks how hot I want my food, on a scale of 1 to 5, I usually answer “6”.

If you’ve looked through NIST SP 800-53 Rev 4, you probably saw that there are 17 families of controls from which the various baselines are to be built. Yet, if you ask a group of “subject matter experts” how many control families there are, some people will answer 18.

Like most apparent paradoxes, there’s a somewhat logical explanation for this seemingly bizarre discrepancy.

When NIST first put together SP 800-53, there really were 18 families of security controls. The 18th family was “PM”, or “Program Management”. It was filled with controls dealing with various aspects of establishing and operating an organization’s information security program. Some of the controls in the PM family include:
 - PM-1 Information Security Program Plan
 - PM-2 Senior Information Security Officer
 - PM-3 Information Security Resources
 - PM-4 Plan of Action and Milestones Process
 - PM-5 Information System Inventory
 - PM-7 Enterprise Architecture
 - PM-8 Critical Infrastructure Plan
 - PM-9 Risk Management Strategy
 - PM-13 Information Security Workforce

These controls are clearly aimed at the organizational level, and not at individual information systems. In fact, NIST included a “disclaimer” to that effect:

Despite everything, the PM family of controls remained in the main body of SP 800-53 through several revisions. Finally, it dawned on the authors that these controls just didn’t belong with the other 17 families; they were moved to a separate Appendix (Appendix G, to be exact) and removed from the recommended baselines of controls.

Some suggested the PM family of controls had been “demoted” or “Plutoed”. The fact is they were simply moved to where they made more sense.

End of story? Not quite.

In the DoD world, some versions of eMASS were found to be putting the PM controls right back into the baselines for all system categorization levels.

So, that’s the story of the PM family of controls, at least so far! If anyone ever asks you how many control families there are, give them your best answer (17), but just remember: “Men are from Mars, women are from Venus, and security controls, at least the Program Management ones, are from Pluto.”

Training for Today and Tomorrow

BAI currently offers three training programs:

 - RMF for DoD IT – recommended for DoD employees and contractors that require detailed RMF knowledge and skill training; covers the new RMF and NIST security controls, the CNSS enhancements, and ... Program consists of a one-day “Fundamentals” class, followed by a three-day “In Depth” class.
 - RMF for Federal Agencies – recommended for federal “civil” agency employees and contractors (non-DoD); covers RMF life cycle and NIST security controls. Program consists of a one-day “Fundamentals” class, followed by a three-day “In Depth” class.
 - – recommended for all; prior knowledge of RMF recommended. This is a three-day “In Depth” program.

Regularly-scheduled classes for the second quarter of 2015 are as follows:

RMF for DoD IT (Fundamentals and In Depth)
 4-7 MAY 2015 (Huntsville and Online Personal Classroom)
 15-18 JUN 2015 (Colorado Springs and Online Personal Classroom)

RMF for Federal Agencies (Fundamentals and In Depth)
 6-9 APR 2015 (Online Personal Classroom)
 21-23 APR 2015 (Online Personal Classroom)

For the most up-to-date training schedule, pricing information and any newly-added class dates or locations, please visit http://register.rmf.org.

On-line registration and payment is available at http://register.rmf.org. Payment arrangements include credit cards, SF182 forms, or purchase orders.

Classroom training. We offer regularly-scheduled classroom training at our training centers in Colorado Springs, Huntsville, and Washington, DC/National Capital Region.

Online Personal Classroom (TM) training. This method enables you to actively participate in an instructor-led class from the comfort of your home or office.

On-site training. Our instructors are available to present one or more of our training programs at your site. All you need is a group of students (normally at least 8-10) and a suitable classroom facility. Cost per student is dependent upon class size, so please contact us at 1-800-RMF-1903 (763-1903) to request an on-site training quotation.

Contact Us!
RMF Today and Tomorrow is a publication of BAI Information Security Consultants, Fairlawn, Virginia.
Phone: 1-800-RMF-1903
Fax: 540-808-1051
Email: rmf@rmf.org
