Accelerating Time-to-ATOs: Compliance as a Mission Driver Steve Horvath, VP Strategy & Vision



Page 1: Accelerating Time-to-ATOs: Compliance as a Mission Driver•Best Practices and Pitfalls to avoid in the NIST RMF Process •How the CSF fits into the NIST RMF 11 am (10 Min Break)

Accelerating Time-to-ATOs:

Compliance as a Mission Driver

Steve Horvath, VP Strategy & Vision

Page 2

Workshop Agenda

2

10 am

• Brief introduction to Telos and our journey in Risk Management & Compliance

• History of Product and Services in Cyber

• Best Practices and Pitfalls to avoid in the NIST RMF Process

• How the CSF fits into the NIST RMF

11 am (10 Min Break)

• The power of Inheritance to save time

• How to use Tailored Baselines and Overlays

• Drawing an effective and efficient Security Boundary

• Why workflow and access control matter for the A&A/RMF Process

12 noon - Lunch

• 45 min of open discussion (Xacta 360 demos available in Lobby)

• Xacta 360 FedRAMP Template lite demo (Milica Green - Telos)

1 pm

• Why is the A&A process so difficult? Interpreting the Intent of an IA control

• Important new aspects of the NIST SP 800-37 rev2 and 800-53 rev5

• Governance @ Scale (Brett Miller - AWS)

Page 3

Telos Corporation offers solutions that assure the security of enterprise information and deliver that information to users when and where they need it.

Headquartered in Ashburn, VA

Founded in 1968

500+ Full-Time Staff

Page 4

For the last 20 years, we’ve focused on…

Cyber Security

• Conduct assessments for and defend the most attacked networks in the world

• Launched the first commercial web-based application to automate risk management and security compliance; today, the dominant provider to the U.S. government

• Selected by Amazon Web Services (AWS) for cloud compliance solutions

• Xacta solution is the database of record for the U.S. Intelligence Community

Secure Mobility

• Provided the largest deployment of enterprise wireless LANs to the U.S. Department of Defense

• Designed, installed and deployed secure mobility solutions for U.S. Air Force, Air Guard, Army, Army Guard and DISA

• Chosen by DISA to design, implement and sustain an integrated enterprise campus Wi-Fi, guest access, and mobile device management capability

• Designed specialized deployable secure mobility solutions for U.S. Air Force and Army requirements

Identity Management

• Integrator of record for the largest identity management application in the U.S. federal government

• Assure the identity of more than 10 million personnel in U.S. armed forces and related personnel worldwide

• Authorized by the FBI to provide real-time identity background checks

• Identity vetting application deployed at over 60 airports and airlines across the U.S.

Page 5

Select Telos Customers

Page 6

Xacta Product Suite

Page 7

7

Best Practices & Pitfalls of the NIST RMF

For participants in an Agency’s or Organization’s RMF Process:

Best Practices

• Get security involved early in the development and design phase so you are not playing catch-up

• Leverage Enterprise Services and Inheritance whenever possible

• Take the time to document your system correctly; work with Agency ISSEs or DAOs to provide the appropriate level of fidelity

• Self-assess the system and document your findings

• Automate, especially Step 6 - Monitor

Pitfalls to Avoid

• Every Agency or Organization implements the RMF in its own way; make sure you adequately research the process

• Ensure your system is ready for testing when the Security Assessors arrive

• Store required RMF documents (Body of Evidence) in a repository and carefully control access

Page 8

Best Practices & Pitfalls of the NIST RMF

8

For the Enterprise:

Best Practices

• Understand your Agency or Organization’s risk tolerance

• Build common control provider projects for policies and validate them continuously

• Create and make available resources to educate customers of your organization about the RMF as implemented at your Agency or Organization

• Communicate throughout the process with the stakeholders to ensure they know where the system is in the RMF

• Strongly encourage or require customers to conduct a system self-assessment before scheduling Security Assessors

• Consider Overlays or a Tailored Baseline for your Agency or Organization to reduce the burden for your stakeholders, if applicable

• Enable Automation for Stakeholders by providing or approving tools for use

Pitfalls to Avoid

• Approvals throughout the workflow process are valuable, but use those gates sparingly and only when necessary

• Protect aggregate data and manage access control according to the sensitivity of the information (not everyone needs to see vulnerability data, and certainly not for the entire organization)

Page 9

How does the CSF fit into the RMF?

9

If your agency is currently conducting a robust RMF program, you are already well on your way to proving CSF compliance.

Risk Management Framework (RMF)

• Focused on the details of categorizing and assessing a capability (Business or Mission Function)

• Activities typically exist within a stated security boundary

• Requires a very in-depth understanding of the system and documentation of its security functions:

  • What components make up the system

  • What function(s) does the system perform

  • What types of users, what environment does the system exist in, etc.

Cybersecurity Framework (CSF)

• Organizationally focused, more broadly applicable to the Agency or Organization’s overall security posture and awareness of Cybersecurity (Identify, Protect, Detect, Respond, Recover)

• Provides a mechanism to communicate up and down the Organization (from the user base, to the security operations staff, all the way to the Board Room)

• Helps Organizations gauge current and target profiles

Page 10

Break (10 Min)

10

Page 11

AWS Shared Responsibility Model

11

Page 12

Inheritance as a force multiplier

12

NIST SP 800-53 Rev 4 total number of controls & enhancements: 965

The standard NIST baselines before tailoring or overlays:

Low - 140 Applicable Controls

Moderate - 277 Applicable Controls

High - 357 Applicable Controls

There are only a couple of ways to reduce the overall number of IA Controls your program is responsible for:

1. Attempt to tailor some out (negotiate with DAO/AO).

2. Inherit both Common Controls and Shared Controls to the maximum extent possible.

Common Controls: The Agency or Organization recognizes a group or individual to be responsible for that control and allows the control to be provided to others within the Agency or Organization.

Hybrid or Shared Controls: The Agency or Organization allows the control to be provided, but recognizes that a portion of the control must still be met by the consuming program or system.

Authorizing Officials (or Designees) have the final word on what controls are ultimately applicable to the system.

Page 13

Tailored Baselines

13

• NIST encourages the use of organizationally defined Tailored Baselines, which are intended to take the Agency or Organization’s mission and operating environment into account. Tailoring can be more or less stringent than the NIST Standard Baselines.

• For the Enterprise, tailoring a set of custom baselines for the agency can be very advantageous, reducing the number of controls that system owners are beholden to.

• Tailored Baselines need to be well documented and agreed upon by the Authorizing Official and should include a formal assessment by the Risk Executive (Function) and the Agency’s CISO.

A Cautionary Note: Even with well-defined and documented custom Tailored Baselines for an Agency or Organization, moving off the NIST Standard Baseline may result in difficulties with Reciprocity.

Page 14

Overlays

14

Definition (from NIST SP 800-53 rev 5):

A specification of security or privacy controls, control enhancements, supplemental guidance, and other supporting information employed during the tailoring process, that is intended to complement (and further refine) security control baselines. The overlay specification may be more stringent or less stringent than the original security control baseline specification and can be applied to multiple information systems.

An overlay is a set of controls that are automatically tailored in or out of a baseline, most commonly due to functions, mission or environmental factors. Aside from the automated means to apply the same control set based on a pre-defined situation (like Cross Domain Solutions or Systems that process Privacy Information), they can and usually do include critical supplemental guidance.

The US Intelligence Community has been building and implementing overlays for the last few years (Int-A, Int-B, Int-C).

High Value Assets (HVA) Overlay

There is currently an effort across the federal government to identify HVAs. NIST is working with DHS to build overlays of the controls required for HVAs. The overlay and associated IA controls will be mandated for these HVAs. OMB will be pushing mandated controls for certain types of systems. Overall this will reduce the amount of tailoring necessary.

Page 15

Security Boundary

15

A Security Boundary is the focal point of an RMF-based Assessment & Authorization, sometimes referred to as an “Assessment Boundary.” How you draw your boundary ends up having major implications for the program as well as the organization.

Why is this important?

1. Security Relevant Changes

2. Inheritance Models

Security Relevant Change (Cloud)

(Borrowed from John Nicely)

• New service/system that supports consumer use

• Change is security relevant to an existing authorization

• Alters the threat model within a system with responsibility to:

  • store, process, or transport data;

  • authenticate and/or authorize consumer access;

  • generate, store, manage, protect and/or provision account credentials

• Change results in major modifications to existing documented security controls

Page 16

Workflow and Roles make a difference in RMF

16

How do you eat an Elephant?

Workflow

• Establishing a carefully curated workflow can enable more resources to work simultaneously and continually on the Assessment & Authorization of a system.

• Enabling Approvals within the workflow (although not many) as “Gates” can ensure System Owners or Program Managers avoid rework due to misunderstandings or mistakes associated with categorization or implementing controls.

Roles

The intent of the Assessment & Authorization process is to validate that a system has been tested for cybersecurity weaknesses that could impact its mission as well as place other members of the Organization or the Organization’s capabilities at risk. As a result, the contents of the Body of Evidence for a system include highly sensitive information (Vulnerability Data, Software and Hardware Architecture, Location, System environment, Network Interfaces, and ultimately the Risk Analysis).

It is highly suggested that an Agency or Organization as well as the System Owner/Program Manager establish roles that restrict sensitive data to only those who have a need for it.

Page 17

Lunch (45 Min)

Xacta 360 Demos Available in Lobby

17

Page 18

Xacta 360 FedRAMP Demo

18

Page 19

19

Why is it so difficult to understand IA Controls?

AC-2 ACCOUNT MANAGEMENT

Control:

a. Define and document the types of system accounts allowed for use within the system in support of organizational missions and business functions;

b. Assign account managers for system accounts;

c. Establish conditions for group and role membership;

d. Specify authorized users of the system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;

e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create system accounts;

f. Create, enable, modify, disable, and remove system accounts in accordance with [Assignment: organization-defined policy, procedures, and conditions];

g. Monitor the use of system accounts;

h. Notify account managers within [Assignment: organization-defined time period for each situation]:

  1. When accounts are no longer required;

  2. When users are terminated or transferred; and

  3. When individual system usage or need-to-know changes for an individual;

i. Authorize access to the system based on:

  1. A valid access authorization;

  2. Intended system usage; and

  3. Other attributes as required by the organization or associated missions and business functions;

j. Review accounts for compliance with account management requirements [Assignment: organization-defined frequency];

Page 20

20

A little larger, still just one control… (the AC-2 control text from the previous slide, shown again at a larger size)

Page 21

21

Context is key…

AC-2 ACCOUNT MANAGEMENT

Supplemental Guidance: System account types include, for example, individual, shared, group, system, guest, anonymous, emergency, developer/manufacturer/vendor, temporary, and service. The identification of authorized users of the system and the specification of access privileges reflects the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by appropriate organizational personnel responsible for approving such accounts and privileged access, including, for example, system owner, mission/business owner, or chief information security officer. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability.

Temporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts including, for example, local logon accounts used for special tasks or when network resources are unavailable. Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example, when shared/group, emergency, or temporary accounts are no longer required; or when individuals are transferred or terminated. Some types of system accounts may require specialized training.

Page 22

22

What about Control Enhancements (3 of 15!!!!)

AC-2 Control Enhancements:

(1) ACCOUNT MANAGEMENT | AUTOMATED SYSTEM ACCOUNT MANAGEMENT

Employ automated mechanisms to support the management of system accounts.

Supplemental Guidance: The use of automated mechanisms can include, for example, using email or text messaging to automatically notify account managers when users are terminated or transferred; using the system to monitor account usage; and using telephonic notification to report atypical system account usage.

Related Controls: None.

(2) ACCOUNT MANAGEMENT | REMOVAL OF TEMPORARY AND EMERGENCY ACCOUNTS

Automatically [Selection: remove; disable] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].

Supplemental Guidance: This control enhancement requires the removal or disabling of both temporary and emergency accounts automatically after a predefined time period has elapsed, rather than at the convenience of the systems administrator. Automatic removal or disabling of accounts provides a more consistent implementation.

Related Controls: None.

(3) ACCOUNT MANAGEMENT | DISABLE ACCOUNTS

Automatically disable accounts when the accounts:

(a) Have expired;

(b) Are no longer associated to a user;

(c) Are in violation of organizational policy;

(d) Are no longer used by applications, services, or the system; and

(e) Have been inactive for [Assignment: organization-defined time period].

Supplemental Guidance: None.

Related Controls: None.
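As an added example (not from the deck, and not Xacta code), the following Python review runs a constructed account inventory against AC-2(2) and AC-2(3)(a) through (e); the organization-defined time periods, account fields and sample accounts are assumptions chosen to exercise each condition, and the point is that the check is mechanical once those parameters are written down.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Organization-defined parameters (assumed values for this example; an agency
# records its own in policy or in its tailored baseline):
#   AC-2(2): maximum age allowed per temporary/emergency account type
#   AC-2(3)(e): inactivity period after which any account is disabled
MAX_AGE = {"temporary": timedelta(days=30), "emergency": timedelta(hours=24)}
INACTIVITY_LIMIT = timedelta(days=90)


@dataclass
class Account:
    name: str
    kind: str                          # individual, service, temporary, emergency, guest, ...
    created: datetime
    last_used: Optional[datetime]      # None if the account has never authenticated
    expires: Optional[datetime] = None
    owner_active: bool = True          # False once the person is terminated or transferred
    policy_violation: bool = False     # set by a separate policy check (assumed input)
    used_by_system: bool = True        # service accounts: still referenced by a workload


def review_accounts(accounts: List[Account], now: datetime) -> Dict[str, List[str]]:
    """Evaluate each account against AC-2(2) and AC-2(3)(a)-(e).

    Returns {account name: [reasons]} for every account that must be disabled
    or removed; accounts with no findings are omitted from the result.
    """
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        reasons = []
        # AC-2(2): temporary and emergency accounts go away after the org-defined
        # period, regardless of whether anyone remembered to clean them up.
        max_age = MAX_AGE.get(acct.kind)
        if max_age is not None and now - acct.created > max_age:
            reasons.append(f"AC-2(2): {acct.kind} account exceeded {max_age}")
        if acct.expires is not None and acct.expires <= now:
            reasons.append("AC-2(3)(a): expired")
        if acct.kind == "individual" and not acct.owner_active:
            reasons.append("AC-2(3)(b): no longer associated to a user")
        if acct.policy_violation:
            reasons.append("AC-2(3)(c): in violation of organizational policy")
        if acct.kind == "service" and not acct.used_by_system:
            reasons.append("AC-2(3)(d): no longer used by applications or services")
        # A never-used account is measured from its creation date, so a forgotten
        # account that was never logged into still ages out.
        last_activity = acct.last_used or acct.created
        if now - last_activity > INACTIVITY_LIMIT:
            reasons.append(f"AC-2(3)(e): inactive for more than {INACTIVITY_LIMIT.days} days")
        if reasons:
            findings[acct.name] = reasons
    return findings


# Constructed sample inventory, shaped like an identity-system export.
NOW = datetime(2024, 6, 1, 9, 0)
SAMPLE_ACCOUNTS = [
    Account("alice", "individual", datetime(2023, 1, 10), datetime(2024, 5, 30)),
    Account("bob", "individual", datetime(2023, 1, 10), datetime(2024, 1, 15), owner_active=False),
    Account("fw-rescue", "emergency", datetime(2024, 5, 29, 12, 0), datetime(2024, 5, 29, 13, 0)),
    Account("contractor7", "temporary", datetime(2024, 5, 10), datetime(2024, 5, 31),
            expires=datetime(2024, 6, 10)),
    Account("svc-backup", "service", datetime(2022, 1, 1), datetime(2024, 5, 31), used_by_system=False),
    Account("svc-legacy", "service", datetime(2021, 3, 1), datetime(2023, 12, 1)),
    Account("guest-kiosk", "guest", datetime(2024, 2, 1), None),
]


def sample_review() -> Dict[str, List[str]]:
    """Run the review over the constructed inventory at the constructed 'now'."""
    return review_accounts(SAMPLE_ACCOUNTS, NOW)


if __name__ == "__main__":
    for name, reasons in sample_review().items():
        print(f"{name}: disable/remove -> {'; '.join(reasons)}")
```

The reasons carry the enhancement and clause they trace to, which is the form an assessor expects to see in the Body of Evidence for an automated AC-2 implementation.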

Page 23

23

Ok, let’s pick a slightly simpler one…

SC-28 PROTECTION OF INFORMATION AT REST

Control: Protect the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information] at rest.

Supplemental Guidance: This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of this control is not on the type of storage device or frequency of access but rather the state of the information. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection and prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other security controls including, for example, frequent scanning to identify malicious code at rest and secure off-line storage in lieu of online storage.

Related Controls: AC-3, AC-6, AC-19, CA-7, CM-3, CM-5, CM-6, CP-9, MP-4, MP-5, PE-3, SC-8, SC-13, SC-34, SI-3, SI-7, SI-16.

Control Enhancements:

(1) PROTECTION OF INFORMATION AT REST | CRYPTOGRAPHIC PROTECTION

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] when at rest on [Assignment: organization-defined system components].

Supplemental Guidance: This control enhancement applies to significant concentrations of digital media in organizational areas designated for media storage. It also applies to limited quantities of media generally associated with system components in operational environments including, for example, portable storage devices, notebook computers, and mobile devices. Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt all information on storage devices or encrypt specific data structures including, for example, files, records, or fields. Organizations employing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions.

Related Controls: AC-19, SC-12.

Page 24

Important updates coming to NIST Documents…

24

NIST SP 800-37 rev 2

• The RMF continues to be a six-step process, but a new central step has been added, called “Prepare”

• Merging of Security and Privacy concerns

• Removal of “Federal” from title, easing adoption for Commercial, State and Local Governments

NIST SP 800-53 rev 5

• Consolidated Catalog (no appendices for Program Management or Privacy)

• Structure of controls is actually different, more Outcome-based

NIST CSF 1.1

• New Category for Supply Chain

• Further guidance for Understanding Tiers

Page 25

Governance @ Scale

Brett Miller - AWS

25

Page 26

26

Questions

Steve Horvath

[email protected]

Contact Information

Visit Telos.com

Page 27

27