www.phacil.com
Headquarters Office: 800 N. Glebe Rd, Ste 700, Arlington, VA 22203, Phone: 703-526-1800
West Coast Office: 601 California St, Ste 1710, San Francisco, CA 94108, Phone: 703-526-1800
Implementing a Risk Management Framework (RMF) Methodology
Presenters: Fred J. Foster and Gary Desilets
24-26 February 2014
Agenda
Introduction – DSS Mission and DSS CIO Vision
The Challenge
The Role of Automation
Example: the Test Plan
Getting It All Under Control
Enterprise Risk Management
Continuous Monitoring
Summary
DSS Mission and Vision
DSS Mission
On behalf of the Department of Defense and other U.S. Government Departments and Agencies, the Defense Security Service supports national security and the warfighter through our security oversight and education missions. DSS oversees the protection of U.S. and foreign classified information and technologies in the hands of industry under the National Industrial Security Program (NISP) and serves as the functional manager for the DoD security professional development program. We provide security education, training, and professional development services as the functional manager for the DoD security professional development program, and for other U.S. Government personnel and contractor employees, and representatives of foreign governments, as required.
DSS CIO Vision
To be the recognized partner that brings technology and programs together to unleash the power of information in achieving the DSS mission. By delivering an all-inclusive set of tools, services, and data management capabilities, the CIO can enable success across the agency and the National Industrial Security Program.
Timeline
9/22/13: DSS Information Assurance (IA) Service Support Contract Award
12/27/13: DSS Data Center Operations Runbook including NIST SP 800-53 Controls w/ CNSSI 1253 reference
3/12/14: RMF replaces DoD Information Assurance Certification and Accreditation Process (DIACAP)
o DoD Instruction 8510.01, Risk Management Framework (RMF) for DoD IT, March 12, 2014, as amended
o RMF replaces DIACAP and manages the lifecycle cybersecurity risk to DoD IT…
Automated RMF Methodology Tools and Techniques
o System Security Documentation
o Security Test and Evaluation (T&E) Plan and Checklist
[Timeline graphic: Contract Award 9/22/13; Runbook Released 12/27/13; RMF Replaces DIACAP 3/12/14; Automated RMF Methodology]
The Challenge
The system assessment and authorization (A&A) process
Past issues have never been satisfactorily resolved
Short-term system A&A issues detract attention from long-term enterprise risk management
Control Cost and Time
Requirements
Improve Compliance and Documentation
DoD Risk Mitigation Model
RMF and Best Practices
CNSSI 1253 Control SA-10 Developer Configuration Management
DSS Data Center Operations Standard Operating Procedures Runbook
CNSSI 1253 Control PL-2(2) System Security Plan Functional Architecture
7.4.1 Master Network Diagram Update
The addition of new systems requires an update of the Master Network Diagram. The Master Network Diagram is a Visio document that illustrates all devices and systems in the DSS Enterprise. The diagram is located on the Portal Master Diagram Folder and can be downloaded and subsequently edited. The diagram must be updated in a manner consistent with the current style of the diagram. The updated diagram must be submitted via email to the OCIO N&I Data Center Chief for approval and acceptance. Upon approval, the diagram will be uploaded by the OCIO N&I Data Center Chief or designee to the Portal Master Diagram Folder.
…
6. Data Center Operations/ Tasking Guide Introduction
This document defines the appropriate processes for Defense Security Service (DSS) Data Center Operations (DCO) personnel to follow in assigning tasks or projects to Information Technology System Support (ITSS) Systems Administration contract staff, as well as DSS expectations of contract staff in updating task and project progress, establishing and adhering to deadlines, and communicating effectively with relevant stakeholders. The ultimate goal of this document is to simplify and normalize tasking to facilitate effective tracking, reporting, metrics adherence, and greater consistency in meeting deliverable expectations.
Best Practices
Much of the A&A process deals with selecting, implementing, and testing best practices:
o NIST SP 800-53 Controls per CNSSI 1253
o DISA STIGs
Great stuff! But is this the system security ceiling, or the floor?
[Diagram: Best Practices; Emerging Threats; Enterprise Needs]
A&A starts with applying best practices. From there, it can be tailored to counter emerging threats and meet the needs of Enterprise Risk Management.
The Role of Automation
A Governance, Risk, and Compliance (GRC) software tool can facilitate the A&A process. With appropriate user input, automation can:
Build an initial baseline of controls
Adjust the set of controls for overlays and tailoring
Assemble a system security plan
Build the test plan
Organize test results for risk analysis
Create the RMF body of evidence and authorization documents in standard format
Archive data associated with the process
Example: the Test Plan
Project Test Plan
Sources:
• Regulations/ Instructions/ Technical Guidance
• Applicability and Inheritance of Requirements
• System Hardware/ Operating System(s)
• System Software
• System Locations
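As an added illustration of the automation steps listed under The Role of Automation and of the test-plan sources on the Example: the Test Plan slide, the following Python is example code written for this page; it is not the presenters' tool nor any GRC product. The control catalogue, impact-level thresholds, the "classified" overlay, the assessment procedures, the system categorization and the component inventory are all constructed sample data (the control identifiers are real NIST SP 800-53 IDs, but the selection thresholds are not the CNSSI 1253 baselines), and the function names build_baseline, apply_overlays, tailor, assemble_ssp and build_test_plan are this example's own.

```python
"""Toy GRC-style RMF automation: baseline, overlays, tailoring, SSP table, test plan.
Constructed sample data: the control IDs are real NIST SP 800-53 identifiers, but the
thresholds, overlay contents and procedures are invented; they are NOT CNSSI 1253 tables."""
from collections import namedtuple

LEVELS = ("L", "M", "H")  # Low / Moderate / High impact, one value each for C, I and A
# min_c/min_i/min_a: minimum C/I/A level that selects the control; None = never via that axis.
Control = namedtuple("Control", "cid title family min_c min_i min_a", defaults=(None, None, None))
CATALOG = [  # constructed catalogue
    Control("AC-2", "Account Management", "AC", "L", "L"),
    Control("AU-2", "Audit Events", "AU", "L", "L"),
    Control("CM-6", "Configuration Settings", "CM", "L", "L", "L"),
    Control("IA-2", "Identification and Authentication", "IA", "L", "L"),
    Control("PL-2", "System Security Plan", "PL", "L", "L", "L"),
    Control("PL-2(2)", "Functional / Network Architecture", "PL", "H", "H"),
    Control("SA-10", "Developer Configuration Management", "SA", None, "M"),
    Control("SC-7", "Boundary Protection", "SC", "L", "L"),
    Control("SI-4", "Information System Monitoring", "SI", "H", "H", "H"),
]
OVERLAYS = {"classified": {"PL-2(2)", "SA-10", "SI-4"}}  # constructed overlay
# Constructed procedures by family: "technical" ones run on every component, others by review.
PROCEDURES = {
    "AC": ("technical", "Examine account settings against policy and STIG"),
    "AU": ("technical", "Verify required audit events are enabled and forwarded"),
    "CM": ("technical", "Compare configuration settings with the applicable STIG"),
    "IA": ("technical", "Verify authenticator strength and MFA enforcement"),
    "SC": ("technical", "Review boundary device rule set"),
    "SI": ("technical", "Confirm monitoring sensor coverage"),
    "PL": ("document", "Review system security plan and architecture diagram"),
    "SA": ("document", "Review developer configuration management records"),
}

def _meets(level, minimum):
    return minimum is not None and LEVELS.index(level) >= LEVELS.index(minimum)

def build_baseline(c, i, a):
    """Initial baseline: every control whose threshold is met on at least one axis."""
    return {x.cid: x for x in CATALOG if _meets(c, x.min_c) or _meets(i, x.min_i) or _meets(a, x.min_a)}

def apply_overlays(baseline, overlay_names):
    """Overlays only add controls; nothing is dropped without going through tailor()."""
    selected = dict(baseline)
    for name in overlay_names:
        selected.update({x.cid: x for x in CATALOG if x.cid in OVERLAYS[name]})
    return selected

def tailor(selected, removed=None, inherited=None):
    """Tailoring keeps an audit trail: each removal has a justification, each inheritance a provider."""
    removed, inherited = removed or {}, inherited or {}
    plan = {"implemented": {}, "inherited": {}, "removed": {}}
    for cid, ctl in selected.items():
        if cid in removed:
            plan["removed"][cid] = {"control": ctl, "justification": removed[cid]}
        elif cid in inherited:
            plan["inherited"][cid] = {"control": ctl, "provider": inherited[cid]}
        else:
            plan["implemented"][cid] = ctl
    return plan

def assemble_ssp(system, plan):
    """SSP control table (id, title, status) in a fixed shape for a document template."""
    rows = [(cid, x.title, "Implemented") for cid, x in plan["implemented"].items()]
    rows += [(cid, r["control"].title, f"Inherited from {r['provider']}") for cid, r in plan["inherited"].items()]
    rows += [(cid, r["control"].title, f"Tailored out: {r['justification']}") for cid, r in plan["removed"].items()]
    return {"system": system["name"], "categorization": system["categorization"], "controls": sorted(rows)}

def build_test_plan(plan, components):
    """Technical controls: one case per component; document controls: one case;
    inherited controls: one inheritance check; tailored-out controls: none."""
    cases = []

    def add(cid, procedure, target):
        cases.append({"id": f"T-{len(cases) + 1:04d}", "control": cid, "procedure": procedure, "target": target})

    for cid, ctl in sorted(plan["implemented"].items()):
        kind, procedure = PROCEDURES[ctl.family]
        targets = ([f"{c['name']} ({c['os']}, {c['location']})" for c in components]
                   if kind == "technical" else ["system documentation"])
        for target in targets:
            add(cid, procedure, target)
    for cid, rec in sorted(plan["inherited"].items()):
        add(cid, f"Confirm inheritance from {rec['provider']} is documented", "authorization package")
    return cases

SYSTEM = {"name": "example-app", "categorization": ("M", "L", "L")}  # constructed
COMPONENTS = [  # constructed inventory: the hardware/OS and location sources of the test plan
    {"name": "web01", "os": "Windows Server 2012", "location": "Arlington, VA"},
    {"name": "db01", "os": "RHEL 6", "location": "Arlington, VA"},
]

def run_example():
    plan = tailor(apply_overlays(build_baseline(*SYSTEM["categorization"]), ["classified"]),
                  removed={"SA-10": "COTS only; no developer configuration management"},
                  inherited={"SC-7": "data center boundary (common control)"})
    return assemble_ssp(SYSTEM, plan), build_test_plan(plan, COMPONENTS)

if __name__ == "__main__":
    ssp, cases = run_example()
    print(*ssp["controls"], *[(c["id"], c["control"], c["target"]) for c in cases], sep="\n")
```

Two design choices carry the point of the slides: a control can only leave the selected set through tailor(), where the removal is recorded with its justification in the SSP table, and an inherited control still produces a test case that checks the inheritance is documented, because "Applicability and Inheritance of Requirements" is a test-plan input rather than a reason to skip the control. The size of the plan then scales with the component inventory only for the technical families, which is what makes the hardware/OS and location sources worth capturing in the tool.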
Getting It All Under Control
Recommendation: Optimize your GRC tool to support your A&A process and optimize your process to take advantage of the tool
Workflow and Roles
System Security Plan
o Import Selected Controls and Related Data
o Assemble With or Without Control Descriptions and Guidance
Other Documents
How much can you gain by integrating your GRC tool with your A&A process?
Enterprise Risk Management
More Complex - At the enterprise level, risk management is a more complex and multifaceted undertaking
Risk Executive (Function) - Under RMF, the Risk Executive was introduced to link system-level risk management to enterprise-level risk management
Specifics - Organizations define many of the specifics for their own risk management
o For example: enterprise cybersecurity policy/procedures, acceptable system-level risks, creating meaningful metrics …
o Design as processes where applicable
o Allow for agility in meeting new threats, changed conditions
o Add measures to counter advanced persistent threats
A&A process doesn't say much about how the Risk Executive should interact with Enterprise-level Risk Management.
Other Risk-Based Initiatives
Trusted Supply Chain
o Establish Information Communications Technology Supply Chain Risk Management (ICT SCRM) Implementation Process
o Qualify vendors and service providers
Continuous Service Improvement (CSI)
o Effective compliance with security mandates
o Cost-efficient best practices
Continuous Monitoring
What about continuous monitoring?
Continuous Monitoring is an important part of the RMF
It’s a candidate for automation
Not included here only because we are still working on it
We will have something positive to report in the not-too-distant future!
Summary
Apply Automated tools to the A&A process
Integrate Security Controls into Governance, Acquisition, and Operations documentation
Continuous Service Improvement for the A&A process
[Diagram: RMF; Automated A&A; Integration; Continuous Improvement]
References
• CNSSI No. 1253, Security Categorization and Control Selection for National Security Systems, March 15, 2012, as amended
• DoD Instruction 8500.01, Cybersecurity, March 14, 2014
• DoD Instruction 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), March 12, 2014
• NIST SP 800-18 (rev 1), Guide for Developing Security Plans for Federal Information Systems, February 2006
• NIST SP 800-37 (rev 1), Guide for Applying the Risk Management Framework to Federal Information Systems, February 2010
• Popick, P. R. (2013). Requirements Challenges in Addressing Malicious Supply Chain Threats. Insight, Vol. 16, Issue 2, 23-27
• NIST SP 800-53 (rev 4), Security and Privacy Controls for Federal Information Systems and Organizations, April 2013
Questions?
Points of Contact
Fred J. Foster, PMP, ITIL v3 Gary Desilets, CISSP
Lead Systems Engineer, Phacil Inc.
Cybersecurity Specialist, Phacil Inc.
Defense Security Service Defense Security Service
Office: 571-305-6040 Office: 571-305-6474
Mobile: 703-362-4323
[email protected] [email protected]
[email protected] [email protected]
Graphics/Technical Editing: John Wooleyhan, Phacil, Inc.