RMF Step 5: Authorize Information System

Tasks in this step (NIST SP 800-37 Rev 1):
- Plan of Action and Milestones (POA&M): prepare the POA&M based on the findings and recommendations of the security assessment report, excluding any remediation actions already taken
- Security Authorization Package: assemble the security authorization package and submit it to the authorizing official for adjudication
- Risk Determination: determine the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation
- Risk Acceptance: determine whether the risk to organizational operations, organizational assets, individuals, other organizations, or the Nation is acceptable
Presenter
Presentation Notes
Picture: Battle site Bull Run; Photo by Donald E. Hester all rights reserved
RMF steps (NIST SP 800-37 Rev 1, § 2.1): Categorize, Select, Implement, Assess, Authorize, Monitor
Plan of Action and Milestones (POA&M)

"The purpose of this POA&M is to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems." - OMB M-02-01

"The POA&M describes the measures that have been implemented or planned to correct any deficiencies noted during the assessment of the security controls and to reduce or eliminate known system vulnerabilities." - NIST SP 800-100
OMB Requirements: Guidance for Preparing and Submitting Security Plans of Action and Milestones (OMB M-02-01)

"By reflecting the enterprise security needs of an agency, a consolidated POA&M provides a roadmap for continuous agency security improvement, assists with prioritizing corrective action and resource allocation, and is a valuable management and oversight tool for agency officials, Inspectors General, and OMB." - OMB M-02-01
Remediation Plan

Applicability of the remediation plan
- Not needed if the certification process found all controls in place and working as expected
- The remediation plan is a list of items that need to be done to correct the deficiencies found

Responsibility
- System owners have ultimate responsibility
- They may assign authority to remediate to others, such as the ISSO
- They cannot transfer responsibility; accountability remains with the system owner
- You can transfer authority, not responsibility
Risk Remediation Plan

Scope
- Should include all vulnerabilities detected
- Should also include vulnerabilities whose risk is likely to be accepted

Plan format, at a minimum:
- A weakness
- A fix
- A milestone (date)
- A responsible person
Optional: cross-reference numbering, risk ranking

For a more detailed description of the POA&M see OMB Memorandum 02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones: http://www.whitehouse.gov/omb/memoranda_m02-01/
Items to include in a POA&M

Column 1 - Describe the weakness
Column 2 - Responsible office or person
Column 3 - Estimated cost
Column 4 - Scheduled completion date
Column 5 - Key milestones
Column 6 - Updates or changes to milestones
Column 7 - How the weakness was found
Column 8 - Status (Ongoing or Completed)

This is the required minimum information and suggested format from OMB (Office of Management and Budget); agencies or organizations may have additional requirements.

OMB's instructions for completing the POA&M (following OMB M-02-01, with the column numbers aligned to the eight-column layout above). OMB attaches one example POA&M for a program and one for a system; each illustrates the appropriate level of detail required.
- Once an agency has completed the initial POA&M, no changes should be made to the data originally entered in columns 1, 4, 5, and 7 (the weakness, the scheduled completion date, the initial milestones, and the source); changes are recorded in columns 6 and 8.
- The heading of each POA&M should include the unique project identifier from the exhibits 300 and 53, where applicable.
- Column 1 - Type of weakness. Describe weaknesses identified by the annual program review, IG independent evaluation, or any other work done by or on behalf of the agency. Sensitive descriptions of specific weaknesses are not necessary, but sufficient data must be provided to permit oversight and tracking. Where it is necessary to provide more sensitive data, the POA&M should note its special sensitivity. Where more than one weakness has been identified, number each individual weakness.
- Column 2 - Identity of the office or organization that the agency head will hold responsible for resolving the weakness.
- Column 3 - Estimated funding resources required to resolve the weakness. Include the anticipated source of funding (within the system, or as part of a cross-cutting security infrastructure program) and whether a reallocation of base resources or a request for new funding is anticipated. This column should also identify other, non-funding obstacles and challenges to resolving the weakness, e.g., lack of personnel or expertise, or development of a new system to replace an insecure legacy system.
- Column 4 - Scheduled completion date for resolving the weakness. The initial date entered should not be changed. If a weakness is resolved before or after the originally scheduled completion date, note the actual completion date in Column 8, "Status."
- Column 5 - Key milestones with completion dates. A milestone identifies specific requirements to correct an identified weakness. The initial milestones and completion dates should not be altered; changes to any milestone are noted in Column 6, "Milestone changes."
- Column 6 - Milestone changes, including new completion dates for the particular milestone.
- Column 7 - Source of the weakness (e.g., program review, IG audit, GAO audit). Also indicate whether the weakness has been identified as a material weakness, significant deficiency, or other reportable condition in the latest agency Inspector General audit under other applicable law (e.g., a financial system audit under the Federal Managers' Financial Integrity Act); if so, identify and cite the language from the pertinent audit report.
- Column 8 - Status. Use one of two terms: Ongoing or Completed. "Completed" should be used only when a weakness has been fully resolved and the corrective action has been tested; include the date of completion.
Source: OMB M-02-01
System Level POA&M (Source: OMB M-02-01)

Footnotes from the OMB template:
1. See OMB M-01-24 of June 22, 2001, "Reporting Instructions for the Government Information Security Reform Act."
2. OMB Circular A-11 requires that agencies develop capital asset plans for all capital asset acquisition projects and report to OMB, via an exhibit 300, those plans for all major acquisitions. For information technology projects, plans for both major and significant projects must be reported to OMB. Agencies assign a unique identifier to each project and apply it to the exhibit 300 and 53.
3. OMB Circular A-11 requires that agencies report, via an exhibit 53, an estimated percentage of the total investment for associated IT security costs.
4. OMB Circular A-11 requires that agencies develop and submit to OMB capital asset plans (exhibit 300) for major acquisition projects. For information technology projects, plans for both major and significant projects must be reported to OMB on an exhibit 300 and 53. The agency assigns a unique identifier to each project and applies it to both exhibits.
Agency or Program Level POA&M (Source: OMB M-02-01)
The Plan

Using the plan
- It is a living document and may need regular updates
- Measure progress against it

When to create the plan
- Don't wait for the certification: as soon as a vulnerability is found, add it
- Append additional items as needed; the plan will be in a continuous state of update
- It should not be excessively detailed
- It is closely tied to CPIC (Capital Planning and Investment Control)

Risk mitigation meetings
- Ongoing, like the plan
Risk Based Remediation
- A risk assessment will help guide the prioritization of remediation activities
- Higher risk vulnerabilities should be addressed before lower risk vulnerabilities
- Take into consideration 'low hanging fruit': easy, low cost solutions
POA&M Problems
- Often items on the POA&M are not addressed
- The never-ending POA&M item: the agency does not have the resources (money, staff, etc.) to remediate, so the item stays on the POA&M indefinitely, in effect ignoring the risk
- Agencies are being pressured to remediate POA&M items
- IGs and assessors look at outstanding items on the POA&M to see whether they are being addressed in a timely manner (progress); if they are not, it becomes an audit finding
Solution: formally accept the risk of items for which there is no plan to remediate, rather than letting them sit on the POA&M indefinitely
Summary
- The plan lays out what needs to be corrected
- It ensures that vulnerabilities are not forgotten
- It is used to track corrections
- It ensures proper documentation of remediation efforts
- It is used in conjunction with capital asset planning and budgeting
Class Discussion: Remediation Plan
- What is the purpose of the remediation plan?
- You have a limited budget and cannot afford to remediate all the missing controls. How do you select which controls to remediate? Do you complete all the inexpensive 'low hanging fruit', or do you tackle fewer, more expensive, high impact controls? Which way is risk-based?
- Why do auditors want to see your past remediation plans?
Essential RMF Documentation
Picture: Mt. San Jacinto, Palm Springs, CA; Photo by Donald E. Hester all rights reserved
Read: Official (ISC)2 Guide to CAP CBK Second Edition, Chapter 6, pp. 257-269
Authority
- The CISO will determine the minimum requirements for the C&A package
- The package is everything that is submitted for accreditation
- The system owner compiles the package for review
- The authorizing official reviews it for accreditation
Security Authorization Package contents
At minimum (NIST RMF):
- Approved System Security Plan (SSP)
- Security Assessment Report (SAR)
- Plan of Action and Milestones (POA&M)
Take a minimalist point of view: avoid becoming a paper exercise and exclude unnecessary artifacts.
Agency-defined list: see NIST SP 800-100
Additional documents (standard artifacts)

The certification statement
- States, at a high level, the results of the certification test
- Prepared by the certifying agent

Transmittal letter
- Cover sheet for the entire package
- Concise
- Contains: who prepared the package, why it was prepared, who it goes to, and what is to be done
DIACAP Package

Comprehensive DIACAP Package
- System Identification Profile (SIP)
- DIACAP Implementation Plan (DIP)
- Supporting documentation for certification (artifacts)
- DIACAP Scorecard
- IT Security POA&M

Executive DIACAP Package
- System Identification Profile (SIP)
- DIACAP Scorecard
- IT Security POA&M
DoDI 8510.01, November 28, 2007
DoDI 8510.01, November 28, 2007
NIACAP Package
- System Security Authorization Agreement (SSAA)
- Security Test and Evaluation (ST&E)
- Penetration test results
- TEMPEST and red-black verification
- Communications Security (COMSEC) compliance validation
- System management analysis
- Site evaluation
- Contingency plan evaluation
- Risk management review
- System certification statement
- Authorization to Operate (ATO)
Administration
- A copy will be submitted to the Authorizing Official
- The system owner should maintain a copy
- A central repository is an excellent idea
- Label the package with the appropriate categorization level, e.g., Unclassified but Sensitive, or Controlled Unclassified Information (since November 2010)

On November 4, 2010, President Obama signed Executive Order 13556, "Controlled Unclassified Information", which establishes a program for managing this information. It requires a conversation between the Executive Agent (EA), departments or agencies, other stakeholders, and the general public to consolidate and standardize CUI terms and practices.
Document Update and Control

"Providing orderly, disciplined, and timely updates to the security plan, security assessment report, and plan of action and milestones on an ongoing basis, supports the concept of near real-time risk management and ongoing authorization" - NIST SP 800-37 Rev 1

- You must maintain strict version control on all documents in the package
- The package should be updated as needed
- Database, automation and workflow systems can help facilitate near real-time updates and status
Summary
- The documents included depend on the needs of the authorizing official
- The approving authority can require all controls to be in place before authorizing operation
- The documents show that management has exercised due diligence
- The C&A package is designed to provide the authorizing official with the information necessary to make an informed decision
- It should not overwhelm the authorizing official
Class Discussion: Documentation
- If you were an authorizing official, what documentation would you like to see before you made a decision on a system?
- An authorizing official has no questions about the accreditation package. What might this indicate?
Assessing Risk
Picture: Sea Lions, Pier 39, San Francisco, CA; Photo by Donald E. Hester all rights reserved
Read: Official (ISC)2 Guide to CAP CBK Second Edition, Chapter 3, pp. 149-167
Background
- NIST SP 800-39, March 2011
- NIST SP 800-30, July 2002
- The principal goal of an organization's risk management process is to protect the organization and its ability to perform its mission, not just its information assets
- Risk cannot be completely eliminated
- The purpose of risk management is to "balance the operational and economic costs of protective measures and achieve gains in mission capability" (NIST SP 800-100)
- Cost benefit analysis: see NIST SP 800-30 and NIST SP 800-100
Organization-wide Risk View

"The risk executive (function) is an individual or group within an organization that helps to ensure that: (i) risk-related considerations for individual information systems, to include authorization decisions, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its core missions and business functions; and (ii) managing information system-related security risks is consistent across the organization, reflects organizational risk tolerance, and is considered along with other types of risks in order to ensure mission/business success." - NIST SP 800-37 Rev 1
Risk Assessment in RMF
- Supports the proper selection of controls
- Makes sure the controls "fit" (tailoring controls)
- Ensures the controls selected are not excessive and are based on a realistic need for protection
- Cost-effective implementation
- Ensures the controls are applicable
- Control justification
Risk Management
How do you justify a new firewall? Is it more than you need? Is it less than you need? How does someone outside of IT know it was the right choice? How do you demonstrate due care?
Risk Management Definitions
- Risk: the potential for any loss
- Asset: something of value
- Probability: the likelihood of an event
- Control: something that reduces risk (also called a countermeasure or safeguard)
- Threat: an event that has an undesirable impact; a potential danger
- Vulnerability: a weakness
- Exposure: being open to a threat
- Residual risk: the risk left over after controls are put in place
- Acceptable risk: the risk accepted by management
Risk Management Definitions (cont.)
- Risk Management: the process of reducing risk, because it cannot be eliminated
- Risk Analysis: identify assets and potential losses
- Risk Assessment: determination of the recommended controls that would reduce risk to an acceptable level
- Vulnerability Assessment: used for the risk analysis; determines vulnerabilities
MOF (Microsoft Operations Framework) risk management has five steps: Identify, Analyze, Plan, Track, Control.
Risk Management
- It is a process, not a goal, and it is never ending
- It follows the SDLC (Systems Development Life Cycle)
- Any change in the environment changes your risk level
- The risk terrain is like waves in the ocean: ever changing
Risk Management: management's role
- Balance cost with operational goals
- Set acceptable levels of risk (risk appetite)
- Use the risk analysis process for decision-making
- Cost benefit analysis (ROI)
- Determine whether controls are in place
- Sign-off forms to take responsibility
- Risk analysis team
Management can choose how to deal with risk once they have all the information and recommendations. After they have the results from the risk analysis they can determine how they want to mitigate risks, i.e., reduce them to an acceptable level. Any risk remaining is residual risk.
Risk Analysis

Purpose
- The first step in risk management
- Ensure that the security program (controls) is adequate and appropriate for the real risks

Goals
- Identify assets
- Identify risks
- Connect risks and assets
- Determine impact
- Cost vs. benefit
- Prioritize control selection/implementation
- Control objectives
- Impact of occurrence vs. probability of occurrence
Risk
"Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization." - NIST SP 800-30
Vulnerability “Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.” NIST SP 800-30
Threat and Threat-Source

"Threat: The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability." - NIST SP 800-30

"Threat-Source: Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability." - NIST SP 800-30
Risk Assessment
Countermeasure and safeguard are different words for control.
Typical Risk Analysis Phases

We need to determine what we have, what it is worth, what could happen to it, how often it could happen, and what the impact would be if it did happen, so that we can determine what controls should be used based on cost, and document everything we discovered.

NIST RA process: system characterization, threat identification, vulnerability identification, control analysis, risk determination, control recommendations, results documentation (CISM Guide pp. 97-104)
Phase 1: Identify assets, determine their value and classify them.
Phase 2: Identify the risks associated with the assets (threat/vulnerability pairs).
Phase 3: Impact analysis; impact of occurrence vs. probability of occurrence.
Phase 4: Determine what controls can be used and the cost associated with each control, and recommend controls.
Phase 5: Documentation; protect yourself (due diligence).
NIST SP 800-30 risk assessment process
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendation
9. Results Documentation
Step 1: System Characterization (also called asset identification)
Input: hardware, software, system interfaces, data, people, mission, reputation
Output: system boundary, system functions, criticality, sensitivity
Types of Assets
- Physical: hardware, buildings
- Information: data, software, documentation
- Human resources
- Reputation
Value of Assets
Step 2: Threat Identification
Input: history of attacks, intelligence, media, advisories
Output: threat statement
Types of Threats
- Physical loss, theft
- Environmental
- Errors and omissions (humans)
- Software malfunction
- Equipment failure
- Misuse
- Attacks
Threats may be internal or external, intentional or unintentional, and arise from action or inaction.

What controls do we have in place now? How well have they been working? What vulnerabilities do we have? What threats can we identify?
Examples of Threats (NIST SP 800-30)
Step 3: Vulnerability Identification
Input: prior risk assessments, audit comments, security test results, known vulnerabilities
Output: list of potential vulnerabilities (natural, environmental, man-made)
Example Vulnerability/Threat Pairs (NIST SP 800-30)
Security Requirements Checklist (NIST SP 800-30)
Step 4: Control Analysis
Input: current controls, planned controls
Output: list of current and planned controls
Step 5: Likelihood Determination
Input: threat-source motivation, threat capacity, nature of the vulnerability, current controls
Output: likelihood rating (used in the risk calculation)
Likelihood Definitions (NIST SP 800-30)
NIST SP 800-39
"Risk management is a comprehensive process that requires organizations to: (i) frame risk (i.e., establish the context for risk-based decisions); (ii) assess risk; (iii) respond to risk once determined; and (iv) monitor risk on an ongoing basis using effective organizational communications and a feedback loop for continuous improvement in the risk-related activities of organizations." - NIST SP 800-39
Risk Calculation (NIST SP 800-30)

Impact definitions:
                  Low        Medium     High
Confidentiality   Limited    Serious    Grave or Catastrophic
Integrity         Limited    Serious    Grave or Catastrophic
Availability      Limited    Serious    Grave or Catastrophic

Impact to mission? Impact to assets? Impact to reputation?
Risk Analysis
- Quantitative: formal, numeric, monetary, statistical
- Qualitative: informal, rating, gut feeling, educated guess, Delphi method

In some organizations management prefers monetary values to make decisions. In other organizations where management does not focus as much on money, such as a school, you will not want to use monetary values; schools tend to respond to the intangible value to students, faculty, and others. Know the business and what is important to them. Either form is used to justify the implementation of controls.

Quantitative: you can't put everything into dollars, so a purely quantitative analysis is impossible.
Qualitative: get experts or professionals, come up with scenarios, determine the possible outcomes, decide how serious each outcome is, and rank the outcomes. The Delphi method is an anonymous process in which participants contribute ideas.
Impact Analysis

Impact
- What is the asset worth: AV (Asset Value)
- How bad would it be: EF (Exposure Factor)
- One-time loss: SLE (Single Loss Expectancy)
- How many times a year: ARO (Annualized Rate of Occurrence)
- How much loss in a year: ALE (Annualized Loss Expectancy)
AV * EF = SLE; SLE * ARO = ALE (must know!)

Probability
When you look at impact, don't forget potential loss and delayed loss.
Step 7: Risk Determination (NIST SP 800-30)
Risk determination combines the probability (likelihood) of threat exploitation and the magnitude of impact. It determines whether the controls are adequate.
Prioritize Risks
Select the risks with the highest probability and the highest impact potential.
- A meteorite hitting the data center would be low probability with high impact
- A virus would be high probability with the potential for high impact
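The two examples above can be put through the likelihood-by-impact matrix from NIST SP 800-30 (2002), Table 3-6, which scores likelihood Low 0.1, Medium 0.5, High 1.0 and impact Low 10, Medium 50, High 100, and bins the product into Low (1 to 10), Medium (>10 to 50) and High (>50 to 100). The Python below is an added example written for this page, not code from the deck or from NIST; the threat/vulnerability pairs and the "planned control lowers likelihood by one level" model used to check control adequacy are assumptions made for the illustration.

```python
# Added example: NIST SP 800-30 (2002) Table 3-6 risk-level matrix, plus a check of
# whether a planned control brings risk within tolerance. The sample
# threat/vulnerability pairs are constructed, not taken from the deck.
from typing import List, Tuple

LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}   # SP 800-30 likelihood weights
IMPACT = {"Low": 10, "Medium": 50, "High": 100}          # SP 800-30 impact magnitudes
LEVELS = ["Low", "Medium", "High"]


def risk_score(likelihood: str, impact: str) -> float:
    """Risk = likelihood weight x impact magnitude (SP 800-30 Table 3-6)."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 6)


def risk_level(score: float) -> str:
    """Bin the score on the SP 800-30 scale: High >50 to 100, Medium >10 to 50, Low 1 to 10."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def determine_risk(pairs: List[Tuple[str, str, str]]) -> List[dict]:
    """pairs: (threat/vulnerability pair, likelihood, impact). Highest risk first."""
    rows = []
    for name, likelihood, impact in pairs:
        score = risk_score(likelihood, impact)
        rows.append({"pair": name, "likelihood": likelihood, "impact": impact,
                     "score": score, "level": risk_level(score)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def lower_likelihood(likelihood: str) -> str:
    """Assumption for the example: a planned control reduces likelihood by one level."""
    return LEVELS[max(LEVELS.index(likelihood) - 1, 0)]


def control_adequate(likelihood: str, impact: str, tolerance: str = "Medium") -> Tuple[bool, str]:
    """Residual risk after the control, and whether it is within the stated tolerance.
    Impact is not reduced here: the control changes how likely the event is, not how bad it is."""
    residual = risk_level(risk_score(lower_likelihood(likelihood), impact))
    return LEVELS.index(residual) <= LEVELS.index(tolerance), residual


SAMPLE_PAIRS = [  # constructed threat / vulnerability pairs (likelihood, impact)
    ("Meteorite strike on data center / no alternate site", "Low", "High"),
    ("Virus outbreak / unpatched desktops", "High", "High"),
    ("Web defacement / unpatched web server", "High", "Medium"),
    ("Laptop theft / unencrypted disk", "Medium", "Medium"),
    ("Flood / server room in basement", "Low", "Medium"),
]


if __name__ == "__main__":
    for row in determine_risk(SAMPLE_PAIRS):
        print(f"{row['level']:6} {row['score']:6.1f}  {row['pair']}")
```

The meteorite pair scores 0.1 x 100 = 10 and lands in Low, while the virus pair scores 100 and lands in High, which is why the virus is worked first even though both have high impact. A control that drops the virus likelihood to Medium leaves a residual score of 50 (Medium), so whether it is "adequate" depends entirely on the risk tolerance management has set.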
Step 8: Control Recommendations
- What controls are needed to reduce risk to an acceptable level? Are more or fewer controls needed than the minimum security baseline?
Consider the following factors:
- Effectiveness of recommended options (e.g., system compatibility)
- Legislation and regulation
- Organizational policy
- Operational impact
- Safety and reliability
Safeguard identification: determine what controls can be used and the cost associated with each control, and recommend controls.
Risk Based Controls should focus on addressing
- High probability attacks
- High impact attacks
- Consistent implementation
- Automated and continuously monitored controls
Additional technical activities should be used to defend systems.
Control Selection
- Does the control mitigate the risk? Compare the ALE before the control with the ALE after the control
- Control complexity
- Cost/benefit comparison: ROI (Return on Investment)
- Hidden costs: productivity, maintenance
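The ALE-before/ALE-after comparison from the Impact Analysis formulas (AV * EF = SLE, SLE * ARO = ALE) and the hidden costs listed here, worked through in Python as an added example that is not from the deck. The asset value, exposure factors, ARO and control prices are constructed figures, and the annual cost of a control is assumed to be its purchase price spread over a service life plus yearly maintenance and productivity loss.

```python
# Added example: quantitative control selection using AV * EF = SLE and SLE * ARO = ALE.
# All dollar figures are constructed for illustration; the amortization model is an assumption.
from dataclasses import dataclass
from typing import List


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: AV * EF."""
    return round(asset_value * exposure_factor, 2)


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized Loss Expectancy: SLE * ARO."""
    return round(sle(asset_value, exposure_factor) * aro, 2)


@dataclass
class Control:
    name: str
    purchase_cost: float             # one-time
    service_life_years: int          # amortization period (assumption for the example)
    annual_maintenance: float        # hidden cost: upkeep, licences, staff time
    annual_productivity_loss: float  # hidden cost: slower workflows, training
    ef_after: float                  # exposure factor once the control is in place
    aro_after: float                 # annualized rate of occurrence once in place

    def annual_cost(self) -> float:
        return round(self.purchase_cost / self.service_life_years
                     + self.annual_maintenance + self.annual_productivity_loss, 2)


def evaluate(asset_value: float, ef_before: float, aro_before: float, control: Control) -> dict:
    """Net annual benefit = (ALE before - ALE after) - annual cost of the control.
    A control is justified only when that benefit is positive."""
    before = ale(asset_value, ef_before, aro_before)
    after = ale(asset_value, control.ef_after, control.aro_after)
    cost = control.annual_cost()
    net = round(before - after - cost, 2)
    return {"control": control.name, "ale_before": before, "ale_after": after,
            "annual_cost": cost, "net_benefit": net,
            "roi": round(net / cost, 2) if cost else None, "justified": net > 0}


def choose(asset_value: float, ef_before: float, aro_before: float, controls: List[Control]) -> List[dict]:
    """Rank candidate controls by net benefit; only justified ones are returned."""
    results = [evaluate(asset_value, ef_before, aro_before, c) for c in controls]
    return sorted((r for r in results if r["justified"]),
                  key=lambda r: r["net_benefit"], reverse=True)


# Constructed scenario: a $500,000 file server that loses 40% of its value per
# incident, with an incident expected once every four years (ARO 0.25).
ASSET_VALUE = 500_000.0
EF_BEFORE, ARO_BEFORE = 0.40, 0.25

CANDIDATES = [
    Control("Nightly off-site backup", purchase_cost=30_000, service_life_years=3,
            annual_maintenance=4_000, annual_productivity_loss=1_000,
            ef_after=0.10, aro_after=0.25),      # cuts the loss per incident
    Control("Hot standby site", purchase_cost=250_000, service_life_years=5,
            annual_maintenance=12_000, annual_productivity_loss=0,
            ef_after=0.02, aro_after=0.25),      # nearly eliminates loss, but costs more than it saves
    Control("Host IPS agent", purchase_cost=5_000, service_life_years=5,
            annual_maintenance=2_000, annual_productivity_loss=3_000,
            ef_after=0.40, aro_after=0.15),      # cuts how often incidents happen
]


if __name__ == "__main__":
    for r in choose(ASSET_VALUE, EF_BEFORE, ARO_BEFORE, CANDIDATES):
        print(f"{r['control']:24} net benefit ${r['net_benefit']:>9,.2f}  ROI {r['roi']}")
```

With ALE before = $50,000, the backup control (ALE after $12,500, annual cost $15,000) nets $22,500 and the host IPS (ALE after $30,000, cost $6,000) nets $14,000, so both are justified, the backup first. The hot standby site reduces the ALE to $2,500 but its $62,000 annual cost exceeds the $47,500 of loss it avoids, which is the "more than you need" case the Risk Management slide asks about.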
Control Selection (cont.)
Limited resources: time, funding, resources, personnel
With limited resources, choices have to be made about which security controls are most important. A prioritized approach to implementing controls is required, prioritized by greatest risk first.
A Prioritized Baseline of Controls
How do we prioritize controls?
- Intelligence: knowledge of actual attacks
- Controls that can prevent known attacks should be given a higher priority
- A consensus report has been developed to document 20 critical controls
Residual Risk (NIST SP 800-30)
Accepted or Unacceptable Risk (NIST SP 800-100)
Step 9: Results Documentation
"Once the risk assessment has been completed (threat-sources and vulnerabilities identified, risks assessed, and recommended controls provided), the results should be documented in an official report or briefing." - NIST SP 800-30
- Helps senior management make an educated decision on risk acceptance
- Management may wish to accept residual risk
Documentation: Risk Assessment Report (RAR), Report on Risk (ROR)
Sample Report: see NIST SP 800-30 Appendix B
Documented Risk Assessment
How can you react to risks?
- Reduce the risk (risk limitation and risk avoidance): apply countermeasures and controls (mitigation), or don't do the actions that carry the risk (avoidance)
- Accept the risk (risk assumption): accept the risk with or without controls
- Transfer the risk (risk transference): e.g., buy insurance
- Reject the risk: Denial of Authorization to Operate (DATO)
- Ignore the risk: pretending the risk is not there does not protect you from the potential outcome
Mitigation is an ongoing effort to reduce the impact of risk.

Risk Mitigation Options (NIST SP 800-30)
- Risk Assumption: accept the potential risk and continue operating the IT system, or implement controls to lower the risk to an acceptable level
- Risk Avoidance: avoid the risk by eliminating the risk cause and/or consequence (e.g., forgo certain functions of the system or shut down the system when risks are identified)
- Risk Limitation: limit the risk by implementing controls that minimize the adverse impact of a threat's exercising a vulnerability (e.g., use of supporting, preventive, detective controls)
- Risk Planning: manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls
- Research and Acknowledgment: lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability
- Risk Transference: transfer the risk by using other options to compensate for the loss, such as purchasing insurance
Accepted or Unacceptable Risk (NIST SP 800-100)
Evaluation and Assessment
- OMB A-130, Appendix III: the risk assessment is usually repeated at least every 3 years
- There is a movement toward continuous monitoring
- With continuous monitoring comes continuous risk management
Ongoing Risk Determination and Acceptance
- Threats change almost daily
- New vulnerabilities are found daily
- Systems constantly change
- Controls fail
All of these lead to a change in the risk to the system. We must determine whether the change to the system is material (significant); a material change in risk requires corrective action to lower that risk to an acceptable level.
Inputs for continuous risk management process The Risk Executive Function can assist in the gathering and dissemination of the risk related intelligence or research Continuous Risk Management Control Failure Assessment Results Incidents System Changes Industry Advisories Business Objective Change
Continuous Risk Analysis
NIST SP 800-37 Rev 1
Supply Chain Risk
Products and services in the domestic and international supply chain include, for example:
- Hardware, software, and firmware components for information systems
- Data management services
- Telecommunications service providers
- Internet service providers
Risks:
- Introduction of exploitable vulnerabilities or malicious code
- Availability of services, software, hardware, etc.
- Determining the trustworthiness of information systems
- Determining the trustworthiness of service providers
Summary
Risk assessment determines and/or verifies requirements for a system:
- A process to value assets
- Determine potential threats to those assets
- Determine potential weaknesses in the system
- Determine the impact of a threat exploiting a vulnerability
- Determine what controls will reduce risk to an acceptable level
- Acceptance of residual risk
- Document results
Class Discussion: Assessing Risk
- What is the objective of a risk assessment?
- Can we completely remove risk?
- An authorizing official is having a difficult time with the concept of residual risk. How would you explain it to him/her?
- What information do we need in order to start the risk assessment?
- How do you determine the likelihood that a threat agent will exploit a vulnerability?
- What is the benefit and the danger of using a risk assessment template?
Documenting the Authorization Decision
Picture: Redwoods, Muir Woods, CA; Photo by Donald E. Hester all rights reserved
Read: Official (ISC)2 Guide to CAP CBK Second Edition, Chapter 6, pp. 248-257
The Authorizing (Accrediting) Official (AO)
- The accreditation letter fixes responsibility for the operation of the system
- It establishes accountability for system operation
- The AO owns the business process, not the system
- No system should go into production that has not been authorized
“By accrediting an information system, an agency official accepts the risks associated with operating the system and the associated implications on agency operations, agency assets, or agency individuals. Completing a security accreditation ensures that an information system will be operated with appropriate management review, that there is ongoing monitoring of security controls, and that reaccreditation occurs periodically in accordance with federal or agency policy and whenever there is a significant change to the system or its operational environment.” NIST SP 800-100
The Authorization Decision Document, AKA “Accreditation Letter”
- Contains the authorization decision
  - Authorized to operate (ATO)
  - Not authorized to operate: Denial of authorization to operate (DAO or DATO)
- Should clearly reflect the stipulations of the authorizing official (terms and conditions)
  - Are there any conditions which are excluded?
- Authorization Termination Date
  - Generally limited to a 3 year life span
- The AO must understand the personal and operational consequences of the decision
You may have seen the terms Interim Authorization to Operate (IATO) or Conditional Authorization to Operate (CATO). Note: IATOs and CATOs are not recognized by OMB. In reality they are ATOs with special terms and conditions enumerated, or with an earlier than normal authorization termination date.
“An interim authorization to test is a special type of authorization decision allowing an information system to operate in an operational environment for the express purpose of testing the system with actual operational (i.e., live) data for a specified time period. An interim authorization to test is granted by an authorizing official only when the operational environment or live data is required to complete specific test objectives.” NIST SP 800-37 Rev 1
“Some organizations may choose to use the term interim authorization to operate to focus attention on the increased risk being accepted by the authorizing official in situations where there are significant weaknesses or deficiencies in the information system, but an overarching mission necessity requires placing the system into operation or continuing its operation.” NIST SP 800-37 Rev 1
Conditional and Interim Authorization
- Full accreditation may not be possible; a conditional or interim authorization may be used
- Conditional: states that the system may operate under certain circumstances, only if certain controls are in place
- Interim: often used when the system needs to be in place and functional for business reasons but still lacks all the necessary controls
- Usually has an expiration date, typically within 6 months
Interim Authorization to Test (IATT)
- Typically granted only when an operational environment or live data is required to complete specific test objectives
- Typically expires at the completion of testing (90 days)
- The system is not used for operational purposes during the IATT period (DoDI 8510.01, Mar 12, 2014)
- Not considered an authorized system for OMB reporting
Source: www.disa.mil
Interim Authorization to Operate (IATO)
The IATO grants temporary authorization to process information under defined conditions. It should contain:
- The organization’s letterhead and date of signature
- The security mode of operations and data sensitivity or classification level
- Safeguards
- The defined threat and stated vulnerabilities
- Interconnections to other systems
- The level of risk
- The specific period of time for approval
- Specific system/suite hardware and software
- The description of the operations environment
- The signature and signature block of the Designated Approving Authority (DAA)
Source: www.disa.mil
Organizations Abuse IATOs
- Use the IATO process to avoid the full RMF (certification and accreditation) process
- The IATO expiration date is not a reasonable period of time; IATOs often go on indefinitely
- Agencies don’t have policies, or don’t enforce policies, on the use and limitations of IATOs
- Overstate the number of systems that are authorized
  - IATOs should not be included in an agency’s count of its systems that are certified and accredited
  - OMB does not recognize an IATO as a fully authorized system
  - There are no exceptions to the requirement to certify and accredit all Federal information systems
Type Authorization
“A type authorization is an official authorization decision to employ identical copies of an information system or subsystem (including hardware, software, firmware, and/or applications) in specified environments of operation. This form of authorization allows a single authorization package (i.e., security plan, security assessment report, and plan of action and milestones) to be developed for an archetype (common) version of an information system that is deployed to multiple locations, along with a set of installation and configuration requirements or operational security needs, that will be assumed by the hosting organization at a specific location.” – NIST SP 800-37 Rev 1
Leveraged Authorization
- Accepts the existing authorization of a shared system
- Review the existing package
- Determine if the risk is acceptable; consider your risk tolerance
- Provides opportunities for significant cost savings
Designation of Approval Authorities
- The organization must designate who the AOs will be
- Must be senior officials
- Must be able to commit resources to the system (budget authority)
- Each organization will have multiple AOs, usually by business unit or department
Joint Authorization: a security authorization involving multiple authorizing officials. NIST SP 800-37 Rev 1
Approving Authority Qualifications
Authorization Decision Process
- Submission of the package by the system owner to the authorizing official
- The package should be complete
- Timing is important
- The system owner should follow up until the authorization is finalized
- The system owner should remediate any open issues promptly
“To ensure that the agency's business and operational needs are fully considered, the authorizing official should meet with the system owner prior to issuing the security accreditation decision. In this meeting, the certification and accreditation authorities should clearly explain the rationale for their risk-based decision and, where appropriate, fully explain the terms and conditions of the authorization.” NIST SP 800-100
Actions Following Authorization
- The system owner needs to track any corrective actions
- Update the approving authority as needed
- Changes in the environment may impact the security controls
- Recertification
“The Continuous Monitoring phase is an essential component in any security program. During this phase, the status of the security controls in the information system are checked on an ongoing basis. … At a minimum, an effective monitoring program requires the following:
- Configuration management and configuration control processes for the information system;
- Security impact analyses on changes to the information system; and
- Assessment of selected security controls in the information system and reporting of information system security status to appropriate agency officials.”
DoDI 8510.01 Mar 12, 2014
Reauthorization
- Time-driven: when you have reached the authorization termination date
- Event-driven: occurs when there is a significant change to the information system or its operational environment
  - A significant (material) change to the risk to the system
  - A change of authorizing official
    - The new authorizing official can review the package (if the documents are up to date) and sign off to accept the risk
    - If the new authorizing official does not accept the risk, the reauthorization process begins
Authorization Rescission
- The AO may wish to terminate an active ATO or IATO and issue a DATO
- The AO can do this at any time
- Common reasons for rescission:
  - Policies, procedures, directives, laws, etc. are not being followed
  - Violation of the terms and conditions of the ATO
  - A change resulting in a significant increase in risk to the system
  - Continuous monitoring: control failures, assessment results
- The AO should consult with the Risk Executive Function
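The reauthorization triggers and rescission inputs above are easy to lose track of when an ATO record sits in a spreadsheet. The script below is an added example, not part of this course material or of any NIST or DoD tool, that turns those rules into a small evaluator: it takes an authorization record and a stream of continuous-monitoring events and reports whether the system is still authorized, needs time-driven or event-driven reauthorization, or is a rescission candidate the AO should review with the Risk Executive Function. It also treats an IATT as test-only (not an operational authorization for OMB reporting) and handles the change-of-AO case, where the new AO either accepts the existing package or triggers reauthorization. The record layout, field names, event kinds and all sample data are constructed for this example.

```python
"""Authorization-status evaluator (added example; constructed record formats).

Encodes the time-driven and event-driven reauthorization triggers and the
rescission inputs discussed on the slides. Nothing here is a NIST or DoD
data format; the field names and event kinds are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum


class DecisionType(Enum):
    ATO = "ATO"    # authorization to operate
    IATT = "IATT"  # interim authorization to test: not an operational authorization
    DATO = "DATO"  # denial of authorization to operate


@dataclass
class Authorization:
    system_id: str
    decision: DecisionType
    authorizing_official: str
    termination_date: date          # authorization termination date set by the AO
    conditions: tuple = ()          # terms and conditions of the ATO


@dataclass
class MonitoringEvent:
    """One input to continuous risk management (constructed format)."""
    when: date
    kind: str        # control_failure | assessment_finding | incident | system_change | ao_change | condition_violation
    material: bool = False   # did the system owner judge the change significant?
    detail: str = ""


def evaluate(auth, events, today, new_ao_accepts_package=False):
    """Return (status, reasons) for the authorization as of `today`.

    status: 'authorized' | 'reauthorize' | 'rescission_candidate' | 'not_authorized'
    """
    reasons = []
    if auth.decision is DecisionType.DATO:
        return "not_authorized", ["DATO in force"]
    if auth.decision is DecisionType.IATT:
        # An IATT permits testing with live data for a fixed period only.
        if today > auth.termination_date:
            reasons.append("IATT test period expired")
        return "not_authorized", reasons or ["IATT: test-only authorization"]

    # Time-driven reauthorization.
    if today > auth.termination_date:
        reasons.append(f"authorization termination date {auth.termination_date} passed")

    rescind = []
    for ev in events:
        if ev.when > today:
            continue  # ignore events dated in the future
        if ev.kind == "ao_change":
            if not new_ao_accepts_package:
                reasons.append("new authorizing official has not accepted the existing package")
        elif ev.kind == "system_change" and ev.material:
            reasons.append(f"significant change: {ev.detail}")
        elif ev.kind == "condition_violation":
            rescind.append(f"ATO condition violated: {ev.detail}")
        elif ev.kind in ("control_failure", "assessment_finding", "incident") and ev.material:
            rescind.append(f"{ev.kind}: {ev.detail}")

    if rescind:
        # Rescission review takes precedence; reauthorization reasons are carried along.
        return "rescission_candidate", rescind + reasons
    if reasons:
        return "reauthorize", reasons
    return "authorized", []


def sample_runs():
    """Constructed scenarios, one per outcome, so the reader can compare them."""
    ato = Authorization("SYS-EXAMPLE-1", DecisionType.ATO, "J. Doe",
                        date(2016, 1, 1), ("off-site backups must be encrypted",))
    today = date(2015, 6, 1)
    benign = [MonitoringEvent(date(2015, 3, 1), "control_failure", False, "one failed backup job, retried")]
    material = benign + [MonitoringEvent(date(2015, 5, 1), "system_change", True, "database moved to a new hosting provider")]
    violated = benign + [MonitoringEvent(date(2015, 5, 15), "condition_violation", True, "off-site backups stored unencrypted")]
    ao_moved = benign + [MonitoringEvent(date(2015, 4, 1), "ao_change", False, "new AO appointed")]
    iatt = Authorization("SYS-EXAMPLE-2", DecisionType.IATT, "J. Doe", date(2015, 9, 1))
    return {
        "benign": evaluate(ato, benign, today),
        "material_change": evaluate(ato, material, today),
        "condition_violated": evaluate(ato, violated, today),
        "ao_change_not_accepted": evaluate(ato, ao_moved, today),
        "ao_change_accepted": evaluate(ato, ao_moved, today, new_ao_accepts_package=True),
        "expired": evaluate(ato, benign, date(2016, 2, 1)),
        "iatt": evaluate(iatt, [], today),
    }


if __name__ == "__main__":
    for name, (status, why) in sample_runs().items():
        print(f"{name:24} {status:22} {'; '.join(why)}")
```

The materiality flag is deliberately an input rather than something the script computes: deciding whether a change is significant is the system owner's judgment, and the evaluator only makes the consequence of that judgment (reauthorize versus carry on) explicit and auditable.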
Summary
- The final event? No, an ongoing process!
- Approval by senior management to operate the system
- Fixes responsibility and accountability
- The authorizing official may have had little or no interaction with the process up until this point
- Should not delegate this process
- This process demonstrates that due care has been exercised
- Establishes accountability
Class Discussion: Authorization Decision
- Can an authorizing official sign an accreditation letter before the system has been certified?
- A signed accreditation letter demonstrates what?
- What types of conditions might an AO have with an authorization to operate?
- Why have a time period on a conditional or interim authorization to operate?
- Why should the system owner and AO meet before the accreditation letter is signed?
- Why is it a good idea to have the business unit manager or information owner as the AO?