RISK MANAGEMENT FRAMEWORK - NIST Computer

Transcription

RMF 2.0
RISK MANAGEMENT FRAMEWORK
SIMPLIFY. INNOVATE. AUTOMATE.
Dr. Ron Ross
Computer Security Division
Information Technology Laboratory
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

The Current Landscape. It’s a dangerous world in cyberspace.

Risk. Function (threat, vulnerability, impact, e

Defense Science Board Reports:
Resilient Military Systems and the Advanced Cyber Threat
Cyber Supply Chain
Cyber Deterrence

Complexity.

Our appetite for advanced technology is rapidly exceeding our ability to protect it.

Data. Data. Everywhere.

Houston, we have a problem.

Protecting critical systems and assets—the highest priority for the national and economic security interests of the United States.

Defending cyberspace in 2018 and beyond.

Federal Government’s Modernization Strategy
- Identify and develop federal shared services.
- Move to FedRAMP-approved cloud services.
- Isolate and strengthen protection for high value assets.
- Reduce and manage the complexity of systems and networks.
- Engineer more trustworthy, secure, and resilient solutions.

Simplify. Innovate. Automate.

NIST SP 800-37, Revision 2
Risk Management Framework for Information Systems and Organizations
A System Life Cycle Approach for Security and Privacy

Risk Management Framework (RMF) [figure: RMF step diagram; only the step label ASSESS survived extraction]

OBJECTIVE 1
To provide closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization.

OBJECTIVE 2
To institutionalize critical enterprise-wide risk management preparatory activities to facilitate a more effective, efficient, and cost-effective execution of the RMF.

OBJECTIVE 3
To demonstrate how the Cybersecurity Framework can be aligned with the RMF and implemented using established NIST risk management processes.

OBJECTIVE 4
To integrate privacy risk management concepts and principles into the RMF and support the use of the consolidated security and privacy control catalog in NIST Special Publication 800-53, Revision 5.

OBJECTIVE 5
To promote the development of trustworthy secure software and systems by aligning life cycle-based systems engineering processes in NIST Special Publication 800-160 with the steps in the RMF.

OBJECTIVE 6
To integrate supply chain risk management (SCRM) concepts into the RMF to protect against untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC.

OBJECTIVE 7
To provide an alternative organization-generated control selection approach to complement the baseline control selection approach.

Security and Privacy.
[Table: RMF STEPS (rows; the step labels did not survive extraction) against PRIVACY RISKS (columns).
Column "Authorized PII Processing": YES, NO*, YES, YES, YES, YES, YES.
Column "Unauthorized System Activity or Behavior Impacting PII": YES for all seven steps.]
* Except for system description, categorization tasks are not conducted to manage the risks arising from the authorized processing of PII.

A unified framework for managing security, privacy, and supply chain risks.
RMF 2.0:
- Security Risk Management
- Privacy Risk Management
- Supply Chain Risk Management
- Communication between C-Suite and Implementers and Operators
- Alignment with NIST Cybersecurity Framework
- Alignment with Security Engineering Processes

Everything (good or bad) that happens with the RMF starts at the top of the organization.

Prepare Step, Organization Level: preparing organizations to execute the RMF from the enterprise perspective.
Outcomes:
- Individuals are identified and assigned key roles for executing the RMF. [Cybersecurity Framework: ID.AM-6; ID.GV-2]
- A risk management strategy for the organization that includes a determination and expression of organizational risk tolerance is established. [Cybersecurity Framework: ID.RM]
- An organization-wide risk assessment is completed or an existing risk assessment is updated. [Cybersecurity Framework: ID.RA]
- Tailored control baselines for enterprise-wide use are established and made available. [Cybersecurity Framework: Profile]

Prepare Step, Organization Level (continued): preparing organizations to execute the RMF from the enterprise perspective.
Outcomes:
- Common controls that are available for inheritance by organizational systems are identified, documented, and published. [Cybersecurity Framework: No mapping]
- A prioritization of organizational systems with the same impact level is conducted. [Cybersecurity Framework: ID.AM-5]
- An organization-wide strategy for monitoring control effectiveness is developed and implemented. [Cybersecurity Framework: DE.CM]

Prepare Step, System Level: preparing organizations to execute the RMF from the system perspective.
Outcomes:
- Missions, business functions, and processes the system is intended to support are identified. [Cybersecurity Framework: Profile; Implementation Tiers; ID.BE]
- The stakeholders having an interest in the system are identified. [Cybersecurity Framework: ID.AM; ID.BE]
- Stakeholder assets are identified and prioritized. [Cybersecurity Framework: ID.AM]
- The authorization boundary (system-of-interest) is determined. [Cybersecurity Framework: No mapping]
- The types of information processed, stored, and transmitted by the system are identified. [Cybersecurity Framework: ID.AM-5]

Prepare Step, System Level (continued): preparing organizations to execute the RMF from the system perspective.
Outcomes:
- For systems that process PII, the information life cycle is identified. [Cybersecurity Framework: No mapping]
- A system-level risk assessment is completed or an existing risk assessment is updated. [Cybersecurity Framework: ID.RA]
- Protection needs and security and privacy requirements are defined and prioritized. [Cybersecurity Framework: ID.GV; PR.IP]
- The placement of the system within the enterprise architecture is determined. [Cybersecurity Framework: No mapping]
- The system is registered for management, accountability, coordination, and oversight. [Cybersecurity Framework: ID.GV]

Life Cycle Security and Privacy: Build It In.
ISO/IEC/IEEE 15288:2015, Systems and software engineering — System life cycle processes:
- Business or mission analysis
- Stakeholder needs and requirements definition
- System requirements definition
- Architecture definition
- Design definition
- System analysis
- Implementation
- Integration
- Verification
- Transition
- Validation
- Operation
- Maintenance
- Disposal

Transparency. Traceability. Trust.

On the Horizon
- NIST Special Publication 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations. Final Publication: October 2018
- NIST Special Publication 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations. Final Publication: December 2018
- NIST Special Publication 800-53A, Revision 5, Assessing Security and Privacy Controls in Information Systems and Organizations. Final Publication: September 2019

Some final thoughts.

Work smarter, not harder.

Institutionalize. Operationalize. The ultimate objective for security.


Security is a team sport. Government. Industry. Academia.

Security. Privacy. Freedom.

Federal Computer Security Managers' Forum Offsite Meeting
May 15-16, 2018, NIST Gaithersburg (MD) Campus
Registration closes May 10, 2018.
For more information, the agenda, and to register: https://go.usa.gov/xQYFe
Please send questions to sec-forum@nist.gov

Ron Ross
100 Bureau Drive, Mailstop 8930
Gaithersburg, MD USA
ron.ross@nist.gov
301.651.5083
sec-cert@nist.gov
csrc.nist.gov

May 09, 2018