Introduction to the National Institute of Standards and Technology Cybersecurity Framework, also known as the CSF. This program is designed to give you an understanding of the NIST Cybersecurity Framework and how to implement it. In this course we focus on NIST Special Publication 800-37, known as the Risk Management Framework, or simply the RMF. Risk-based security frameworks are used to identify, protect against and detect security issues. NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, is a FISMA (Federal Information Security Management Act) driven guidance document designed to help organizations assess and manage risks to their information systems. The updated risk management process changed the traditional focus of certification and accreditation (C&A) as a static, procedural activity to a more dynamic approach that provides the capabilities to manage information-system-related security risks more effectively in highly diverse environments of complex and sophisticated cyber threats, ever-increasing system vulnerabilities and rapidly changing missions. The RMF provides a security authorization process and procedure which emphasizes building information security capabilities into information systems through management, operational and technical security controls; maintaining awareness of the security state of information systems on an ongoing basis through monitoring processes; and providing essential information to senior leaders to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals and other organizations arising from the operation and use of the systems. The updated NIST SP 800-37 Rev. 2 also adds an overarching concern for individual privacy, helping to ensure that organizations can better identify and respond to these risks.
These include the risks associated with using individuals' personally identifiable information (PII), whereas the older Rev. 1 was primarily concerned with cybersecurity protection from external threats. There are six main steps in the RMF plus a preparatory step to ensure that organizations are ready to execute the process. In the center of the circle is the Prepare step. We first prepare to execute the RMF from an organizational-level and a system-level perspective by considering a variety of inputs and carrying out specific activities that establish the context for managing security and privacy risks for the system of interest, including establishing the organization's control baselines. The remaining steps, encircling the Prepare step, are: Categorize the system and the information it processes, stores and transmits based on a security impact analysis. Select an initial set of controls for the system and tailor them as needed based on an organizational assessment of risk and local conditions. Implement the controls and describe how they are employed within the system and its environment of operation. Assess the controls to determine the extent to which they are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the security and privacy requirements for the system and satisfying the security and privacy policy. Authorize the system or common controls based on a determination that the risk to the organization's operations and assets, individuals, other organizations and the nation is acceptable. And finally, Monitor the system and the associated controls on an ongoing basis, which includes assessing control effectiveness, documenting changes to the system and its environment of operation, conducting risk assessments and impact analyses, and reporting the security and privacy posture of the system. Over the next few screens I'll break down each of these steps.
Step 1. After we have prepared for the implementation of the RMF, we start by categorizing the system and the information it processes, stores and transmits based on a security impact analysis. This process starts with FIPS 199 and NIST SP 800-60. FIPS 199 categorizes organizational systems as low impact, moderate impact or high impact for each of the security objectives of confidentiality, integrity and availability, and NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, supplies the information types and their provisional impact levels. The categorization objective is to produce the FIPS 199 categorization documentation for the system. This document is used in multiple places and on multiple efforts: the System Security Plan (SSP), budget and CPIC activities, the System of Records Notice (SORN), and POM and POR actions for services. The Capital Planning and Investment Control (CPIC) process is a systematic approach to selecting, managing and evaluating information technology investments. CPIC is mandated by the Clinger-Cohen Act of 1996, which requires federal agencies to focus on the results produced by IT investments. The SORN describes a system of records. A system of records is a group of any records under the control of an agency from which information is retrieved by the name of the individual or by some identifying number, symbol or other identifier assigned to the individual. The Privacy Act requires each agency to publish notices of its systems of records in the Federal Register; such a notice is generally referred to as a System of Records Notice, or SORN. In the federal (DoD) budgeting context, the POM is the Program Objective Memorandum, the submission through which a component requests funding for its programs across the budget cycle, and a POR is a Program of Record, a program that has been formally approved and funded through that process.
Categorization tasks. The first and perhaps most important step in the system categorization process is determining the information types that are stored and processed by the system. So what exactly is an information type? The formal definition in FIPS 199 is a specific category of information (for example privacy, medical, proprietary, financial, investigative, contractor sensitive, security management) defined by an organization or, in some instances, by a specific law, executive order, directive, policy or regulation. SP 800-60 is the key resource to aid system owners in identifying information types. Listed here are the typical tasks associated with categorization: conduct the categorization (the method must be defined by the organization), develop a system description, and register the system. The information system owner is the primary role for system categorization. The information owner supports this process because they are best equipped to determine the classification and categorization of the data under their control. All the other roles involved in the risk management process also support it. RMF Step 2. Here we leverage FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems. It promotes the development, implementation and operation of more secure systems by establishing minimum levels of due diligence and facilitating a more consistent, comparable and repeatable approach for selecting and specifying security controls for systems. Special Publication 800-30, Guide for Conducting Risk Assessments, provides guidance for carrying out each step of the risk assessment process, explains how risk assessments and other organizational risk management processes complement and inform each other, and identifies specific risk factors to monitor on an ongoing basis. And Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, is the control catalog itself.
This is a comprehensive catalog of customizable security and privacy controls, and it delineates a process for selecting controls to protect organizational operations, assets, individuals and other organizations from a diverse set of threats. The selection objectives under this step are, first, to identify the security controls needed. When a control applies to a single system, it is a system-specific control, not a common control. When it can be applied to more than one system, it can be considered a common control. When some parts of a control apply to a single system while other parts apply to more than one system, it is a hybrid control. The second objective is to select the minimum security control baseline. The controls listed in the initial baselines are not a minimum but a proposed starting point from which we remove or add controls based on the tailoring guidance. Tailoring encompasses identifying or designating common controls in the initial baselines, applying scoping considerations to the remaining baseline controls and making risk-based decisions on them, selecting compensating controls, and supplementing the baselines with additional controls and control enhancements where applicable. The third objective is to build a monitoring strategy for the identified controls. Here the information systems and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures; you would perform network monitoring, physical security monitoring and personnel monitoring for cybersecurity events flagged by those detection processes. The selection tasks are common control identification, security control selection, the monitoring strategy, and security plan approval. All the selected controls are documented in detail in the SSP.
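The categorization and selection steps described above can be exercised end to end. The Python below is an added example written for this page, not course material and not NIST's own code: it computes the FIPS 199 high-water mark over a constructed set of information types, derives the FIPS 200 impact level, pulls the initial baseline from a constructed nine-control excerpt of the SP 800-53 catalog (the baseline membership shown is illustrative and varies between catalog revisions), classifies a control as common, hybrid or system-specific by which of its parts a common control provider supplies, and applies tailoring decisions while refusing a scoping removal that carries no rationale, because that rationale is what the SSP and the authorizing official need. The benefits-portal information types in `demo()` are sample data.

```python
"""Added example (not course material): FIPS 199 categorization, FIPS 200 impact level,
SP 800-53 baseline selection, control classification and tailoring with a recorded rationale.
The information types and the catalog excerpt are constructed for illustration; baseline
membership differs between catalog revisions, so verify against the one you use."""
from dataclasses import dataclass, field
from enum import IntEnum

class Impact(IntEnum):
    NA = 0        # FIPS 199 allows N/A only for the confidentiality of public information
    LOW = 1
    MODERATE = 2
    HIGH = 3

@dataclass(frozen=True)
class InfoType:
    """An SP 800-60 information type with its provisional (or adjusted) CIA impact levels."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

def categorize_system(info_types):
    """FIPS 199 high-water mark: for each objective, the highest impact across all types."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return {
        "confidentiality": max(t.confidentiality for t in info_types),
        "integrity": max(t.integrity for t in info_types),
        "availability": max(t.availability for t in info_types),
    }

def overall_impact(security_category):
    """FIPS 200: the system impact level is the highest objective, and never below LOW."""
    return max(Impact.LOW, *security_category.values())

ALL = frozenset({Impact.LOW, Impact.MODERATE, Impact.HIGH})
MOD_HIGH = frozenset({Impact.MODERATE, Impact.HIGH})

CATALOG = {   # constructed excerpt, not the full SP 800-53 catalog: control id -> baselines
    "AC-2": ALL, "AC-2(1)": MOD_HIGH, "AU-2": ALL, "AU-9(2)": frozenset({Impact.HIGH}),
    "CP-9": ALL, "CP-9(1)": MOD_HIGH, "PE-3": ALL, "SC-7": ALL, "SC-7(3)": MOD_HIGH,
}

def select_baseline(level, catalog=CATALOG):
    """Initial baseline: every catalog control whose baseline set includes the system's level."""
    return sorted(cid for cid, levels in catalog.items() if level in levels)

def classify_control(parts, inherited_parts):
    """Common if every part comes from a common control provider, system-specific if none
    does, hybrid if only some parts are inherited."""
    inherited = set(parts) & set(inherited_parts)
    if not inherited:
        return "system-specific"
    return "common" if inherited == set(parts) else "hybrid"

@dataclass
class Tailoring:
    scoped_out: dict = field(default_factory=dict)    # control id -> rationale for removal
    supplemental: list = field(default_factory=list)  # control ids added from the risk assessment

def tailor(baseline, decisions):
    """Apply tailoring; returns the sorted selected control IDs and a rationale log for the SSP."""
    selected = set(baseline)
    log = []
    for cid, why in decisions.scoped_out.items():
        if cid not in selected:
            raise KeyError(f"{cid} is not in the baseline")
        if not why:
            raise ValueError(f"scoping out {cid} requires a documented rationale")
        selected.remove(cid)
        log.append((cid, "scoped out", why))
    for cid in decisions.supplemental:
        if cid not in CATALOG:
            raise KeyError(f"{cid} is not a catalog control")
        selected.add(cid)
        log.append((cid, "supplemented", "added by organizational risk assessment"))
    return sorted(selected), log

def demo():
    """Worked run on a constructed benefits-claims portal (sample data, not a real system)."""
    types = [
        InfoType("Public web content", Impact.NA, Impact.LOW, Impact.MODERATE),
        InfoType("Claimant PII", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
        InfoType("Payment records", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    ]
    level = overall_impact(categorize_system(types))   # MODERATE: highest objective wins
    selected, log = tailor(select_baseline(level), Tailoring(
        scoped_out={"SC-7(3)": "single managed ingress point; no other access points exist"},
        supplemental=["AU-9(2)"],  # payment-integrity concern justifies a HIGH-only enhancement
    ))
    return level, selected, log
```

Note that availability reaches MODERATE only through the public web content type, which is exactly the high-water-mark behaviour to watch for: a single information type raises the whole system's category, and therefore its baseline.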
The Information System Owner (ISO) or the Information Systems Security Manager (ISSM) is primarily responsible for the selection of controls, supported by the common control providers, the information owners and the security architect. The third step of the Risk Management Framework is supported by multiple NIST publications: SP 800-18, Guide for Developing Security Plans for Federal Information Systems; SP 800-34, Contingency Planning Guide for Federal Information Systems; SP 800-70, National Checklist Program for IT Products: Guidelines for Checklist Users and Developers; SP 800-61, Computer Security Incident Handling Guide; and SP 800-128, Guide for Security-Focused Configuration Management of Information Systems. The implementation objective of this third step is to install the security controls in the system. This starts with the tailoring of controls based on the selected security framework, for example the ISO 27000 series, NIST SP 800-53, COBIT, ITIL, NIST SP 800-171 and so on. The tailoring process involves designating common controls, applying scoping considerations, selecting compensating controls, supplementing the baseline controls and providing implementation specifications. The implementation tasks in this step are security control implementation, based on the selected controls (system-specific, common or hybrid), and security control documentation. To implement common controls effectively it is necessary to define the intent of the control and ensure the security requirements are met; this is typically identified when developing the organization's risk-based cybersecurity strategy and is documented in the SSP, the System Security Plan. Security control documentation, the next part, also goes into the system security plan. The information system owner is the primary role in this process; the common control provider and the security engineer support it. RMF Step 4.
This step is supported by Special Publication 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans, which provides a set of procedures for conducting assessments of the security and privacy controls in SP 800-53. The assessment objective is to evaluate system security by answering the following questions: are the controls implemented correctly, operating as intended and producing the desired outcome? This step is all about assessment: ensuring that the selected controls are developed, implemented and assessed for effectiveness by qualified assessors with the level of independence required by the organization, which in the FedRAMP context is usually a Third Party Assessment Organization (3PAO). This includes documenting assessment findings in a Security Assessment Report (SAR), providing a Plan of Action and Milestones (POA&M) for all controls deemed less than effective (for example, those with an unacceptable weakness or deficiency), and then updating the system security plan. The assessment tasks in this step are assessment preparation (the documentation, policies and artifacts), the security control assessment itself (interviews and running tools such as AppScan, Nessus, Metasploit, Wireshark and so on), development of the Security Assessment Report (SAR), and remediation actions. This is where the POA&M is created for the findings that were not resolved during the assessment, typically those of moderate to low risk. Finally, the security control assessor is the primary role in this step; the other roles, such as the common control provider and the information system owner, support it. Risk Management Framework Step 5. This is where everything starts to come together in order to authorize the system to operate, either fully or on an interim basis. The authorization process is supported by NIST SP 800-37 and SP 800-30, Guide for Conducting Risk Assessments.
The authorization objective of this step is to obtain an authorization to operate (ATO) for the system. Documenting the risk management decisions made during control selection is imperative so that authorizing officials have access to the information they need to make informed authorization decisions for organizational information systems. Without it, gaps in the authorizing official's understanding of the assumptions, constraints and rationale behind those risk management decisions may affect the authorization to operate. The assessment and authorization (CA) control family in SP 800-53 is geared towards the authorization to operate process. The authorization tasks are POA&M development, assembly of the security authorization package, risk determination and risk acceptance. The information system owner is the primary role for tasks one and two; the authorizing official is the primary role for tasks three and four. The Chief Information Officer (CIO), the Senior Information Security Officer (SISO) or other designated organizational officials at the senior leadership level assign responsibility for the development, implementation, assessment, authorization and monitoring of common controls to appropriate entities, either internal or external to the organization. The final step in the process is RMF Step 6. Here NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, and NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, come into play. This step is all about proof: the organization must be able to produce evidence from the operational environment that contributes to the assurance of functionality and ultimately of security capability. In other words, ensuring the controls are operating and maintaining system security within acceptable risk tolerances.
Operational evidence includes, for example, flaw reports, records of remediation actions, the results of security incident reporting and the results of organizational continuous monitoring activities. This evidence helps determine the effectiveness of the deployed security controls, the impact of changes to the information system and its environment of operation, and compliance with federal legislation, policies, directives, regulations and standards. The monitoring objectives under this step are to operate and maintain system security within acceptable risk tolerances, to update system security as needed, and to conduct the mission successfully. Office of Management and Budget (OMB) policy requires that organizations conduct ongoing authorizations of information systems by implementing continuous monitoring programs. Continuous monitoring programs can satisfy the old three-year reauthorization requirement, so separate reauthorization processes are no longer necessary. Through the employment of comprehensive continuous monitoring processes, the critical information contained in authorization packages, such as the security plan, security assessment reports and the plan of action and milestones, is updated on an ongoing basis, providing authorizing officials and information system owners with an up-to-date view of the security state of organizational information systems and environments of operation. To reduce the administrative cost of security reauthorization, authorizing officials use the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions. In other words, essential information from SARs, POA&Ms and SSPs is aggregated to enable security authorization decisions through continuous monitoring. The monitoring tasks all play a part in the continuous monitoring process.
They are: system and environmental changes, ongoing security control assessments, ongoing remediation actions, key updates, security status reporting, ongoing risk determination and acceptance and, finally, system removal and decommissioning. Cyber supply chain risk management. First, supply chains consist of the organizations or vendors that design, produce, source and deliver products and services to your organization. The cyber supply chain risk management process is all about identifying, assessing and mitigating the risks associated with the distributed and interconnected nature of technology product and service supply chains. It covers the entire life cycle of the system, including design, development, distribution, deployment, acquisition, maintenance and destruction, since supply chain threats and vulnerabilities may intentionally or unintentionally compromise a technology, product or service at any stage. Increasing adoption of supply chain risk management standards, practices and guidelines requires that we have a greater awareness and understanding of the risks associated with time-sensitive interdependencies throughout the supply chain, including in and between critical infrastructure sectors and subsectors. This understanding is vital to enable organizations to assess their risk, prioritize and allow for timely mitigation. Some of the elements of supply chain risk management are: simple supplier-buyer models; technology that at a minimum includes IT, OT, cyber-physical systems (CPS) and the Internet of Things (IoT); applicability to the public and private sectors, including not-for-profits; and alignment with federal guidelines, namely Special Publication 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations. In this course we discussed the RMF steps, which are summarized on this screen. Step 1, Categorize, identifies the system and its security objectives. Step 2, Select, is where we identify the controls. Both of these feed the system security plan.
The third step, Implement, is where we integrate the controls, and then we have the Assess step, where we test and verify the controls; this is where the Security Assessment Report and the Plan of Action and Milestones are created. The fifth step, Authorize, is where the approval process comes in and where we get our authorization decision: whether or not to operate the system. And the final step, Monitor, is where we maintain the system all the way up to the point when it is finally decommissioned. We also discussed the RMF outputs and, finally, supply chain risk management.