Risk Management Framework - An Introduction
Mark L. Spencer, CISSP, ISSA Distinguished Fellow
Agenda
- History
- DoD Risk Management Framework Process
- Step 1 – Categorize the System
- Step 2 – Select Security Controls
- Step 3 – Implement Security Controls
- Step 4 – Assess Security Controls
- Step 5 – Authorize System
- Step 6 – Monitor Security Controls
History
- Previous environment: Federal; DoD; Intelligence Community (IC)
- Consensus on standards:
  - Federal uses NIST Special Publication (SP) 800-53
  - DoD uses NIST SP 800-53 and CNSSI 1253
  - IC uses NIST SP 800-53 and CNSSI 1253
- Overlays for specific implementation needs
Introduction to RMF
- The Risk Management Framework is not a modification of DIACAP
- Best to look at the change as "that was then... this is now"
- New terms
- References changing
- New requirements
References
- DoDI 8500.01, “Cybersecurity”
- DoDI 8510.01, “Risk Management Framework (RMF) for DoD Information Technology (IT)”
- CNSSI 1253, “Security Categorization and Control Selection for National Security Systems”
- NIST SP 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations”
Information Assurance Is Now Cybersecurity
Old (DoDD 8500.01E), Information Assurance (IA): Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
New (DoDI 8500.01), Cybersecurity: Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.
New Terms
Old Term | New Term
Certification and Accreditation (C&A) Process | Risk Management Framework (RMF)
Certification | Security Control Assessment
Accreditation | Authorization
System Security Authorization Agreement (SSAA) | System Security Plan (SSP)
Certification Test and Evaluation (CT&E) / Security Test and Evaluation (ST&E) Report | Security Assessment Report (SAR)
Designated Accrediting Authority (DAA) | Authorizing Official (AO)
DAA Rep | Delegated Authorizing Official (DAO)
Information Assurance Manager (IAM) | Information System Security Manager (ISSM)
Information Assurance Officer (IAO) | Information System Security Officer (ISSO)
Program Manager | Information System Owner (ISO)*
DoD RMF Process
Step 1 – Categorize the System
- DoDI 8510.01 provides detailed guidance on the RMF process for DoD; it directs use of CNSSI 1253
- Initiate the Security Plan
- Register the system with the DoD Component Cybersecurity Program
- Assign qualified personnel to RMF roles
Categorization Method
- Based on FIPS 199
- Impact on organizations or individuals: Low, Moderate, High
- Does not equate to MAC levels or Confidentiality levels from previous systems
Information Types
An information type is a specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor-sensitive, security management), defined by an organization or, in some instances, by a public law, executive order, directive, policy, or regulation. [See NIST SP 800-60 (Volumes I and II) for example methodology to determine information types.]
Applying Information Types
The generalized format for expressing the security category (SC) of an information type is:
SC information type = {(confidentiality, value), (integrity, value), (availability, value)}
where the acceptable values are low, moderate, or high.
Categorization Values
Both FIPS 199 and NIST SP 800-53 apply the concept of a high-water mark (HWM) when categorizing information systems, using the worst-case potential impact of a loss of confidentiality, integrity, or availability of information or of an information system as the basis for categorization.
CNSSI 1253 does not use the HWM.
Categorization Process
Two parts. Determine impact values:
(i) for the information type(s) processed, stored, transmitted, or protected by the information system; and
(ii) for the information system.
Information Type Identification
1. Identify all the types of information processed, stored, or transmitted by an information system, determine their provisional security impact values, and adjust the information types’ provisional security impact values.
2. Determine the security category for the information system (see FIPS 199) and make any necessary adjustments (see NIST SP 800-60, Volume I, Section 4.4.2).
The security category of a system should not be changed or modified to reflect management decisions to allocate more stringent or less stringent security controls.
NSS Impact Categorization
- For NSS, categorize in context of: the organization; overall national interest

Essential Items to Consider
- All DoD systems apply the NSS control set
- The same information types, categorized SC=(conf=H, Int=M, Avail=L), SC=(conf=M, Int=M, Avail=L) and SC=(conf=M, Int=L, Avail=L), give different system categorizations:
  - Federal (high-water mark): SC = HIGH
  - NSS (per objective): SC=(conf=H, Int=M, Avail=L)
- Impact categories do not equate to classifications
- Different treatment of information system categorization from Federal RMF
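The Federal versus NSS difference shown above, worked as an added example (Python written for this page, not code from the deck or from CNSSI 1253): the information-type names are constructed, their values are the three triples on the slide, and the same input is categorized both ways, the FIPS 199 high-water mark for a Federal system and the CNSSI 1253 per-objective triple for an NSS.

```python
# Added example (not from the deck): categorizing a system from the security
# categories (SC) of its information types, two ways.
#   Federal (FIPS 199 / NIST SP 800-53): high-water mark (HWM). Take the
#     worst-case value per objective, then the highest of the three becomes a
#     single system impact level.
#   NSS (CNSSI 1253): no HWM. The per-objective worst-case values are kept as
#     a (confidentiality, integrity, availability) triple.
# The information-type names below are constructed; their values are the three
# triples shown on the "Essential Items to Consider" slide.
from typing import Dict, Tuple

LEVELS = ("low", "moderate", "high")   # acceptable SC values, ascending
OBJECTIVES = ("confidentiality", "integrity", "availability")

# SC information type = {(confidentiality, value), (integrity, value), (availability, value)}
SAMPLE_INFO_TYPES: Dict[str, Dict[str, str]] = {
    "investigative":       {"confidentiality": "high",     "integrity": "moderate", "availability": "low"},
    "financial":           {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
    "security management": {"confidentiality": "moderate", "integrity": "low",      "availability": "low"},
}


def rank(level: str) -> int:
    """Order low < moderate < high; reject anything outside the FIPS 199 vocabulary."""
    level = level.lower()
    if level not in LEVELS:
        raise ValueError(f"impact value must be one of {LEVELS}, got {level!r}")
    return LEVELS.index(level)


def per_objective_max(info_types: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Worst-case (maximum) value for each objective across all information types.
    This is the common first part of both methods."""
    if not info_types:
        raise ValueError("a system must process, store or transmit at least one information type")
    return {
        obj: max((sc[obj] for sc in info_types.values()), key=rank)
        for obj in OBJECTIVES
    }


def nss_security_category(info_types: Dict[str, Dict[str, str]]) -> Tuple[str, str, str]:
    """CNSSI 1253: keep the triple; each objective drives its own control selection."""
    m = per_objective_max(info_types)
    return (m["confidentiality"], m["integrity"], m["availability"])


def federal_system_impact(info_types: Dict[str, Dict[str, str]]) -> str:
    """FIPS 199 high-water mark: one overall impact level for the whole system."""
    return max(per_objective_max(info_types).values(), key=rank)


if __name__ == "__main__":
    print("NSS SC     =", nss_security_category(SAMPLE_INFO_TYPES))   # ('high', 'moderate', 'low')
    print("Federal SC =", federal_system_impact(SAMPLE_INFO_TYPES))   # 'high'
```

The practical consequence is visible in the two results: under the HWM the moderate-integrity and low-availability values disappear into a single HIGH, so a Federal baseline would pull in high-impact availability controls that the NSS triple does not ask for.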
Low Impact
The potential impact is Low if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States.

Low Impact - Amplification
A limited adverse effect means that the loss of confidentiality, integrity, or availability might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of those functions is noticeably reduced; (ii) result in minor damage to organizational, critical infrastructure, or national security assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.

Moderate Impact
The potential impact is Moderate if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States.

Moderate Impact - Amplification
A serious adverse effect means that the loss of confidentiality, integrity, or availability might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of those functions is significantly reduced; (ii) result in significant damage to organizational, critical infrastructure, or national security assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals exceeding mission expectations.

High Impact
The potential impact is High if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States.

High Impact - Amplification
A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational, critical infrastructure, or national security assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals exceeding mission expectations.
Focus of Security Objectives
Focus of Confidentiality (C), Integrity (I), and Availability (A). The C and I objectives are largely focused on reading and writing (disclosure and modification). The I objective is also concerned with the correctness of actions. The A objective is more concerned with survivability and ensuring that the resources were there when needed. The A objective is also concerned with consequence management and countering certain activities aimed at denial of service.
Impact Determination - Confidentiality
- Look at impacts for loss of confidentiality
- Does it expose classified information?
- Is it protected under other statutes?
- How does it affect YOUR mission capability?
- How does it affect the security of the Nation?

Impact Determination - Integrity
- Look at impacts for loss of integrity
- Does loss of correctness affect your mission?
- How does it affect YOUR mission capability?
- How does it affect the security of the Nation?

Impact Determination - Availability
- Look at impacts for loss of availability
- Does loss of availability affect your mission?
- How much loss can you sustain and still accomplish your mission?
- How does it affect YOUR mission capability?
- How does it affect the security of the Nation?

Availability - example
How long can your system be ineffective before it has an effect on your mission or the missions you support?
Other Step 1 Actions
- Assign qualified personnel to RMF roles:
  - Authorizing Official (AO)
  - Authorizing Official Designated Representative (AODR)
  - Security Control Assessor (SCA)
  - Information System Owners (ISO)
  - Program or System Managers (PM/SM)
  - Information System Security Manager (ISSM)
  - Information System Security Officers (ISSO)
  - Information System Security Engineer (ISSE)
  - User Representative (UR)

Other Step 1 Actions
- Initiate the Security Plan (eMASS)
- Register the system with the DoD Component Cybersecurity Program
  - DITPR
  - SAP
Step 2 – Select Security Controls
- Use CNSSI 1253 to select the initial security control set
- Identify the applicable overlays
  - Overlays may add or subtract security controls
  - Overlays may provide additional guidance
- Tailor (modify) the control set
  - Response to increased risk or changes to risk tolerance
Step 2 – Select Controls
Select an initial set of baseline security controls for the information system based on the security categorization, tailoring and supplementing the security control baseline as needed based on the organization's assessment of risk and local conditions.

Security Controls
Security safeguards/countermeasures prescribed for information systems or organizations to: (i) protect the confidentiality, integrity, and availability of information that is processed, stored, and transmitted by those systems/organizations; and (ii) satisfy a set of defined security requirements. Security controls serve as a common management language for establishing cybersecurity needs.
Key Assumptions for NSS
- All users of the systems are cleared for access to the information stored, processed, or transmitted by the system and have formal access approval to all the information stored, processed, or transmitted by the system; some users may not have a need-to-know for all the information.
- The systems are multi-user (either serially or concurrently) in operation.
- The systems are housed in a physical complex.
[Systems or environments that diverge from these assumptions may require tailoring of the selected controls and enhancements.]

Using CNSSI 1253
- CNSSI 1253: select appropriate security controls based on impact levels
- NIST SP 800-53: use the selection of controls from CNSSI 1253; extract the text of the controls
- CNSSI 1253: assign parameters when available
Security Control Baseline
The process for selecting security controls for a NSS is a four-step process:
1. Select the initial set of security controls.
2. Select and apply security control overlays.
3. Tailor the set of security controls.
4. Supplement the tailored set of security controls.

Initial Set of Security Controls
- Use the security categorization of the system: confidentiality level, integrity level, availability level

Initial Control Set
- Use CNSSI 1253 to select the initial security control set
- Identify the applicable overlays
  - Overlays may add or subtract security controls
  - Overlays may provide additional guidance
- Determine the control text from NIST SP 800-53
- Tailor (modify) the control set
  - Response to increased risk or changes to risk tolerance
- Supplement controls, as necessary

CNSSI 1253
- “X” = Security Controls from NIST Baselines
- “+” = Security Controls Added for Protection of NSS
- Not all DoD ISs are NSS; however, the same standards and processes under the RMF also apply to ISs that are not NSSs
Identify Overlays
- National Security System (NSS) [1253]
- Space Platform
- Cross-Domain Solution (CDS)
- Intelligence (FOUO)
- Classified Information
- Privacy

Apply Overlays
- Apply applicable overlays: add controls; delete controls; establish parameters

Overlays
- Must read each overlay to consider applicability
- Overlays have slightly different formats
- Multiple overlays might apply
- Document all overlay modifications to the initial control set in the SP

Overlays
- NSS overlay: in CNSSI 1253, Appendix D, Table D-1
- Security Control Parameter Values: CNSSI 1253, Appendix E

ID | Control Text | Defined Value for NSS
PE-6 b. | [Assignment: organization-defined frequency] | b. At least every 90 days if not otherwise defined in formal organizational policy.
PE-6 b. | [Assignment: organization-defined events or potential indications of events] | Not appropriate to define at the CNSS level for all NSS.
NIST SP 800-53
AC-7 UNSUCCESSFUL LOGON ATTEMPTS
Control: The information system:
a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.
Supplemental Guidance: This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels. Related controls: AC-2, AC-9, AC-14, IA-5.

Sample Control Extraction
AC-7 UNSUCCESSFUL LOGON ATTEMPTS
Control: The information system:
a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.

ID | Title | Confidentiality (L M H) | Integrity (L M H) | Availability (L M H)
AC-7 | Unsuccessful Logon Attempts | X X X | X X X | X X X
Organization-Defined Parameter Values
- Values for organization-defined parameters in National Security Systems [CNSSI 1253, Appendix J]
- Based on the risk tolerance or threat scenario for an NSS, some authorizing officials may allow or require systems to diverge from this standard
- Additional technology may be added, or architectural implementations may be modified, to adequately mitigate applicable risks

Enhancements

Enhancements (cont’d)
Sample Control Extraction
AC-7 UNSUCCESSFUL LOGON ATTEMPTS
Control: The information system:
a. Enforces a limit of 3 consecutive invalid logon attempts by a user during a 15-minute time period; and
b. Automatically locks the account/node for at least 15 minutes or until released by an administrator when the maximum number of unsuccessful attempts is exceeded.

ID | Title | Confidentiality (L M H) | Integrity (L M H) | Availability (L M H)
AC-7 | Unsuccessful Logon Attempts | X X X | X X X | X X X
Control Correlation Identifiers - AC-7
- CCI-000043 - The organization defines the maximum number of consecutive invalid logon attempts to the information system by a user during an organization-defined time period.
- CCI-001423 - The organization defines the time period in which the organization-defined maximum number of consecutive invalid logon attempts occur.
- CCI-000044 - The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.
- CCI-002236 - The organization defines the time period the information system will automatically lock the account or node when the maximum number of unsuccessful logon attempts is exceeded.
- CCI-002237 - The organization defines the delay algorithm to be employed by the information system to delay the next logon prompt when the maximum number of unsuccessful logon attempts is exceeded.
- CCI-002238 - The information system automatically locks the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.
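What the system-side pieces of AC-7 above (CCI-000044 and CCI-002238) look like once implemented, as an added example using the parameter values from the sample extraction: a limit of 3 consecutive invalid attempts in a 15-minute period, then a lock of 15 minutes or until an administrator releases it. This is Python written for this page, not code from the deck; the in-memory account store, the injected clock and the audit-event list are assumptions standing in for the real components of an operating system or application.

```python
# Added example (not from the deck): an AC-7 enforcement point with the
# parameter values from the sample control extraction. The clock is injected
# so the behaviour can be checked without waiting; account state lives in a
# dict standing in for a real account store; events are collected as they
# would be handed to the audit subsystem.
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

MAX_ATTEMPTS = 3            # [Assignment: organization-defined number]
WINDOW_SECONDS = 15 * 60    # [Assignment: organization-defined time period] for counting
LOCKOUT_SECONDS = 15 * 60   # [Assignment: organization-defined time period] for the lock


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent consecutive failures
    locked_until: float = 0.0                            # 0.0 means not locked


class LogonAttemptLimiter:
    def __init__(self, clock: Callable[[], float] = time.time,
                 max_attempts: int = MAX_ATTEMPTS,
                 window: float = WINDOW_SECONDS,
                 lockout: float = LOCKOUT_SECONDS):
        self._clock = clock
        self._max, self._window, self._lockout = max_attempts, window, lockout
        self._accounts: Dict[str, AccountState] = {}
        self.audit_events: List[str] = []

    def _state(self, account: str) -> AccountState:
        return self._accounts.setdefault(account, AccountState())

    def is_locked(self, account: str) -> bool:
        """The lock releases by itself once the lockout period has elapsed."""
        return self._clock() < self._state(account).locked_until

    def attempt(self, account: str, credentials_ok: bool) -> str:
        """Record one logon attempt. Returns 'allowed', 'rejected' or 'locked'.
        Call after credential verification; a locked account is refused even
        when the credentials are correct."""
        st, now = self._state(account), self._clock()
        if self.is_locked(account):
            self.audit_events.append(f"{now:.0f} AC-7 attempt on locked account {account}")
            return "locked"
        if credentials_ok:
            st.failures.clear()      # success breaks the run of consecutive failures
            return "allowed"
        # keep only failures inside the counting window, then add this one
        st.failures = [t for t in st.failures if now - t < self._window]
        st.failures.append(now)
        if len(st.failures) >= self._max:
            st.locked_until = now + self._lockout
            st.failures.clear()
            self.audit_events.append(f"{now:.0f} AC-7 lockout {account} for {self._lockout:.0f}s")
            return "locked"
        return "rejected"

    def admin_release(self, account: str) -> None:
        """Administrator releases the lock before the time period expires."""
        self._state(account).locked_until = 0.0
        self.audit_events.append(f"{self._clock():.0f} AC-7 admin release {account}")


class ManualClock:
    """Deterministic clock for exercising the limiter: time advances only when told to."""
    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = ManualClock()
    limiter = LogonAttemptLimiter(clock)
    for _ in range(3):
        print(limiter.attempt("alice", False))   # rejected, rejected, locked
        clock.advance(60)
    print(limiter.attempt("alice", True))        # locked: correct password, still locked
    clock.advance(LOCKOUT_SECONDS)
    print(limiter.attempt("alice", True))        # allowed: lock expired on its own
    print(*limiter.audit_events, sep="\n")
```

Two design points follow directly from the control text: the window is a sliding one, so failures spaced more than 15 minutes apart never accumulate to a lock, and the lock is temporary by default, which is the denial-of-service trade-off the supplemental guidance points to. The audit events are what an assessor would look for when checking this control is actually enforced rather than merely documented.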
Common Control Identification
Common controls are security controls that are inheritable by one or more organizational information systems.
Tailor Controls
- Add controls
- Delete controls
- Establish parameters
- Document all tailoring in the Security Plan

Tailoring the Control Set
- Not a requirement
- Align with operational considerations and environment
- Only remove if absolutely necessary
- DOCUMENT, DOCUMENT, DOCUMENT

Documenting Tailoring Decisions
- Map specific rationale to risk-based decisions
- Account for every selected control and assign it to the organization or the information system owner
- Document the rationale for not implementing any control
- Document scoping of controls and selection or specification of compensating controls
- Document in the SP

Supplementing Control Sets
- Base on risk assessments and local conditions
- Include: environment of operation; organization-specific security requirements; specific threat information; cost-benefit analysis; special circumstances

SP Documentation
- Set of resulting security controls
- Supporting rationale for selection
- Information system use restrictions
- Common controls inherited from external providers
- Minimum requirements for common controls
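The four-step selection process described across Step 2 (initial set from the CNSSI 1253 baseline table, overlays, tailoring, supplementing), worked end to end as an added example. This is Python written for this page, not material from the deck or from CNSSI 1253: the baseline table, the overlay contents and the tailoring and supplementing rationales are constructed for illustration (only the AC-7 row and the PE-6 "at least every 90 days" value come from the slides), and every change is written to a tailoring record of the kind the SP must carry.

```python
# Added example (not from the deck, and not CNSSI 1253's real tables): the
# four-step control selection process over a small constructed baseline in
# the CNSSI 1253 layout, one L/M/H column per objective, "X" = selected.
# The AC-7 row matches the deck's sample extraction; every other row, the
# overlay and the tailoring/supplementing decisions are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Set

OBJECTIVES = ("confidentiality", "integrity", "availability")
LEVELS = ("L", "M", "H")

# Columns: C-L C-M C-H  I-L I-M I-H  A-L A-M A-H   ("." = not selected)
CONSTRUCTED_BASELINE: Dict[str, str] = {
    "AC-2":  "XXXXXXXXX",   # constructed
    "AC-7":  "XXXXXXXXX",   # from the deck's sample extraction
    "AU-9":  "...XXX...",   # constructed: integrity-driven control
    "CP-2":  ".......XX",   # constructed: availability M/H only
    "PE-6":  "XXXXXXXXX",   # constructed
    "SC-8":  "XXX......",   # constructed: confidentiality-driven control
    "SC-28": ".XX......",   # constructed: confidentiality M/H only
}


@dataclass
class Overlay:
    """An overlay may add controls, delete controls, and establish parameter values."""
    name: str
    add: Set[str] = field(default_factory=set)
    delete: Set[str] = field(default_factory=set)
    parameters: Dict[str, str] = field(default_factory=dict)


@dataclass
class ControlSet:
    controls: Set[str]
    parameters: Dict[str, str] = field(default_factory=dict)
    tailoring_record: List[str] = field(default_factory=list)   # documented in the SP


def select_initial_set(sc: Dict[str, str], baseline: Dict[str, str]) -> ControlSet:
    """Step 1: a control is in the initial set if the baseline marks 'X' in the
    column for the system's level of ANY of the three objectives."""
    for obj in OBJECTIVES:
        if sc[obj] not in LEVELS:
            raise ValueError(f"{obj} level must be one of {LEVELS}, got {sc[obj]!r}")
    selected = set()
    for control, row in baseline.items():
        for i, obj in enumerate(OBJECTIVES):
            if row[i * 3 + LEVELS.index(sc[obj])] == "X":
                selected.add(control)
                break
    return ControlSet(controls=selected)


def apply_overlays(cs: ControlSet, overlays: List[Overlay]) -> ControlSet:
    """Step 2: apply each applicable overlay; every modification is recorded."""
    for ov in overlays:
        for c in sorted(ov.add):
            cs.controls.add(c)
            cs.tailoring_record.append(f"{c}: added by overlay '{ov.name}'")
        for c in sorted(ov.delete & cs.controls):
            cs.controls.discard(c)
            cs.tailoring_record.append(f"{c}: deleted by overlay '{ov.name}'")
        for c, value in ov.parameters.items():
            cs.parameters[c] = value
            cs.tailoring_record.append(f"{c}: parameter set to {value!r} by overlay '{ov.name}'")
    return cs


def tailor(cs: ControlSet, remove: str, rationale: str) -> ControlSet:
    """Step 3: removal is allowed only with a documented, risk-based rationale."""
    if not rationale.strip():
        raise ValueError(f"refusing to remove {remove}: tailoring must be documented")
    if remove not in cs.controls:
        raise KeyError(f"{remove} is not in the control set")
    cs.controls.discard(remove)
    cs.tailoring_record.append(f"{remove}: removed by tailoring; rationale: {rationale}")
    return cs


def supplement(cs: ControlSet, add: str, rationale: str) -> ControlSet:
    """Step 4: supplement from risk assessment and local conditions, again with rationale."""
    if not rationale.strip():
        raise ValueError(f"refusing to add {add}: supplementing must be documented")
    cs.controls.add(add)
    cs.tailoring_record.append(f"{add}: added by supplementing; rationale: {rationale}")
    return cs


def build_control_set() -> ControlSet:
    """Walk all four steps for a system categorized SC=(conf=H, Int=M, Avail=L)."""
    sc = {"confidentiality": "H", "integrity": "M", "availability": "L"}
    cs = select_initial_set(sc, CONSTRUCTED_BASELINE)
    nss_overlay = Overlay(name="NSS (constructed contents)", add={"MP-5"},
                          parameters={"PE-6 b. frequency": "at least every 90 days"})  # value from the deck
    cs = apply_overlays(cs, [nss_overlay])
    cs = tailor(cs, "SC-8", "constructed: system has no network interfaces, transmission protection not applicable")
    cs = supplement(cs, "SC-28(1)", "constructed: local threat information calls for cryptographic protection at rest")
    return cs


if __name__ == "__main__":
    result = build_control_set()
    print(sorted(result.controls))
    print(*result.tailoring_record, sep="\n")
```

Note that the selection test is per objective, which is why CNSSI 1253 keeps the triple rather than a single high-water mark: with Avail=L the constructed CP-2 row is never pulled in, while Conf=H pulls in SC-28 even though the other two objectives are lower. The `tailor` and `supplement` functions refuse an empty rationale on purpose; an undocumented removal is exactly the case the "DOCUMENT, DOCUMENT, DOCUMENT" slide warns against.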
Step Three – Implement the Security Controls
- Implement the security controls specified in the SP
- Early involvement by the ISSE to translate security control requirements into system specifications
- Integrate the information system security engineering of cybersecurity requirements and cybersecurity testing considerations into the program’s overall systems engineering process
- Document the requirement and testing approach in the program’s Systems Engineering Plan (SEP)

Implement Security Controls
- Document control implementation status in the SP
- Describe the control implementation: planned inputs, expected behavior, expected outputs

Additional Implementation Guidance
- Use the Knowledge Service (KS): DoD recommended security control implementations
- System Security Design: address in preliminary design reviews; address in critical design reviews
- Use inheritance where possible
- Follow mandatory configuration settings: Federal policies; DoD policies
Step 4 – Assess Security Controls
- Assessment plan
- Assess security controls
- Record compliance status
- Assign severity categories
- Prepare the Security Assessment Report (SAR)
- Conduct remediation activities on non-compliant controls

Assessment
- DoD uses ACAS (Nessus)
- Checks compliance against STIGs and SRGs
- Verifies the SP contains references and artifacts

Security Assessment Report (SAR)
- Documents: issues; findings (C, NC, NA); assigned severity categories; recommendations
Step 5 – Authorization Decision
- Authorize the System
- POA&M
- Submit package (SP, SAR, POA&M) to the AO
- Risk determination
- Decision

Package Contents
- SP
- SAR
- POA&M
- Inheritance documentation

SP Documentation
- Set of resulting security controls
- Supporting rationale for selection
- Information system use restrictions
- Common controls inherited from external providers
- Minimum requirements for common controls

POA&M
- Identifies remediation or mitigation tasks
- Specifies resources, milestones and scheduled completion dates
- Permanent record: items are updated, but not removed
- Lifecycle document

Risk Determination
- Organizational operations (mission, functions, image, or reputation)
- Organizational assets
- Individuals
- Other organizations
- The Nation

Decision
- Risk acceptance
- Supporting documentation
- ATO, IATT, DATO
Step 6 – Monitor Security Controls
- Determine the impact of changes to the system or environment
- Assess selected controls annually
- Conduct needed remediation
- Update SP, SAR, and POA&M
- Report security status to the AO
- AO reviews reported status
- Implement system decommissioning strategy