As a final summary, in this course we have discussed the Prepare step for authorization using NIST Special Publications 800-30, 800-39, 800-53, 800-59, 800-60, 800-137, 800-160, 800-161, and 800-181, and FIPS 199 and 200. The purpose of the Prepare step was to get ready to carry out the essential activities of the risk management framework process. Categorization uses FIPS 199 and NIST SP 800-60 to define the criticality and sensitivity of a system. After we categorized our system as low, moderate, or high, we moved on to selecting the controls using FIPS 200, Special Publication 800-30, and Special Publication 800-53 to select the baseline controls and then start tailoring them for our organization. The baseline is selected based on our FIPS 199 categorization of low, moderate, or high. After we selected our baseline, we went into the implementation of the controls using Special Publications 800-18, 800-34, and 800-70. Once we implemented the security controls based on our baseline, we went into assessing those controls using NIST Special Publication 800-53A to determine the security controls' effectiveness and make sure that they were implemented correctly, operating as intended, and producing the desired outcome. After the controls have been assessed, we get ready to have the system authorized using Special Publication 800-37 to determine if the risks are acceptable and then authorize the system. The authorization is done by the authorizing official. The purpose of this step is to provide organizational accountability by requiring a senior management official to determine whether the security and privacy risks have been mitigated to a level acceptable to the organization. The authorizing official makes this determination based on the package that is submitted to them for accreditation.
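The categorization and baseline-selection logic described above, as an added Python example that is not part of the course material: it applies the FIPS 199 high-water mark across the information types a system processes (highest impact level per objective, floored at low) and names the FIPS 200 / SP 800-53 baseline that results (highest of the three objectives). The information type names and impact levels are constructed sample data, not SP 800-60 provisional values, and the function and class names are my own.

```python
# FIPS 199 / FIPS 200 categorization helper. Added example, not part of the
# course. The information types and impact levels below are constructed
# sample data (they are not SP 800-60 Volume II provisional values).
from dataclasses import dataclass

OBJECTIVES = ("confidentiality", "integrity", "availability")
# "na" (not applicable) is permitted by FIPS 199 only for the confidentiality
# of information that is intentionally public; it is never allowed for
# integrity or availability, and a system as a whole is never below LOW.
LEVELS = {"na": 0, "low": 1, "moderate": 2, "high": 3}
NAMES = {rank: name for name, rank in LEVELS.items()}


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _rank(level: str, objective: str) -> int:
    """Validate one impact level and return its numeric rank."""
    key = level.strip().lower()
    if key not in LEVELS:
        raise ValueError(f"unknown impact level {level!r} for {objective}")
    if key == "na" and objective != "confidentiality":
        raise ValueError(f"'na' is only valid for confidentiality, not {objective}")
    return LEVELS[key]


def system_category(info_types):
    """FIPS 199 high-water mark: per objective, the highest impact level of
    any information type on the system, floored at LOW."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    category = {}
    for objective in OBJECTIVES:
        hwm = max(_rank(getattr(t, objective), objective) for t in info_types)
        category[objective] = NAMES[max(hwm, LEVELS["low"])]
    return category


def overall_impact(category):
    """FIPS 200: the overall impact level is the highest of the three
    objectives; it is what picks the SP 800-53 LOW/MODERATE/HIGH baseline."""
    return NAMES[max(LEVELS[level] for level in category.values())]


def fips199_notation(category):
    """Render in the SC = {(confidentiality, X), ...} form used by FIPS 199."""
    parts = ", ".join(f"({obj}, {category[obj].upper()})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


def baseline_for(info_types):
    """Categorize the system and name the control baseline it starts from."""
    category = system_category(info_types)
    return {"category": category,
            "notation": fips199_notation(category),
            "baseline": overall_impact(category).upper()}


# Constructed sample: a benefits portal that also serves public web pages.
SAMPLE_INFO_TYPES = [
    InfoType("public web content", "na", "moderate", "low"),
    InfoType("employee PII", "moderate", "moderate", "low"),
    InfoType("benefits payments", "low", "high", "moderate"),
]

if __name__ == "__main__":
    result = baseline_for(SAMPLE_INFO_TYPES)
    print(result["notation"])  # SC = {(confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)}
    print("baseline:", result["baseline"])  # baseline: HIGH
```

Note that a single high-impact objective on one information type (here, integrity of payments) lifts the whole system to the HIGH baseline; that is the point at which tailoring or splitting the system into separate authorization boundaries usually gets discussed.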
The accreditation package, if you remember, contains the System Security Plan (SSP), the Security Assessment Report (SAR), and the Plan of Action and Milestones (POA&M), together with any artifacts such as your application scans, Nessus scans, policies, procedures, or any other documentation that gives the authorizing official a clear picture of the risks and operation of the system. Once the authorizing official has granted the authorization to operate, we get into the last step, monitor, using NIST Special Publications 800-37 and 800-53A to track changes and reassess control effectiveness when needed. Once the authorization to operate has been granted and the system is in the monitoring, or continuous monitoring, program, the system stays authorized as long as there is no major change to the system's configuration or risk. Remember, in order to stay authorized, the system must have a continuous monitoring program in place to reassess the controls on an ongoing basis. Finally, when the system reaches its end of life, it has to be decommissioned. That involves sanitizing all of the data and the system itself following NIST SP 800-88 and its methods of clear, purge, or destroy. Look at Table 5-1 of 800-88 for sanitization methods and suggestions. That is the cradle-to-grave process for the risk management framework and all six of its steps.

On this screen, you see a memory exercise that I put together to help you remember the step number, the step itself, the tasks associated with each step, keywords, primary roles, primary references, which system development lifecycle phase it falls in, and which artifacts the step produces. For step one, categorize, we have three tasks: 1-1, categorize the system; 1-2, describe the system; and 1-3, register the system. The primary roles here are the Information Security Officer and the Information Owner.
The primary references are 800-60 and FIPS 199, as well as 800-18. This is all part of the initiation phase of the system development lifecycle. The artifact these tasks feed is the System Security Plan. The same process is carried out for the other two steps, select and implement. Here we have the remaining steps. Step 4 is assess. It has four tasks: 4-1, prepare for the assessment; 4-2, assess the controls; 4-3, report on the assessment; and 4-4, remediate. The primary roles here are the Security Control Assessor, the Information Security Officer, and the Common Control Provider. The primary references are 800-53A and 800-115. The artifacts produced here are the Security Content Automation Protocol, the Security Assessment Report Appendix I, and the Security Assessment Report Appendix F. It's the same process for the other two steps: step 5, authorize, and step 6, monitor.