The RMF: New Emphasis on the Risk Management Framework for Government Organizations
The RMF: New Emphasis on the Risk Management Framework for Government Organizations
Sean Sherman Security and Compliance Consultant
Synopsis
Any large and dispersed organization has a problem communicating and coordinating. For the US Government this challenge is particularly important, because providing essential services to the country relies almost completely on the security of our data, applications, networks and processes.
This presentation is aimed at improving understanding of the Risk Management Framework (RMF), a process framework that promises to help align security efforts, increase security awareness and improve risk management. How is that possible? What is the big picture? This presentation will try to align the objectives with practical advice on what to do next.
What is the RMF?
The Risk Management Framework is most commonly associated with the NIST SP 800-37 guide “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach”, which has been available for FISMA compliance since 2004. As a result of the Joint Task Force Transformation Initiative Interagency Working Group, every agency of the US government must now abide by this process. It has recently been integrated into DoD instructions, and many organizations are creating new guidance for compliance with the RMF.
A Consistent Process
An Effort to Consolidate Reference Docs
RMF is part of core agency references: NIST SP 800-37, DoDI 8501.01, ICD 503.
Step 1 References: FIPS Publication 199; NIST Special Publications 800-30, 800-39, 800-59, 800-60; CNSS Instruction 1253.
Step 2 References: FIPS Publications 199, 200; NIST Special Publications 800-30, 800-53, 800-53A; CNSS Instruction 1253.
Step 3 References: FIPS Publication 200; NIST Special Publications 800-30, 800-53, 800-53A; CNSS Instruction 1253; Web: SCAP.NIST.GOV.
Step 4 References: NIST Special Publications 800-53A, 800-30, 800-70.
Step 5 References: OMB Memorandum 02-01; NIST Special Publications 800-30, 800-39, 800-53A.
Step 6 References: NIST Special Publications 800-30, 800-39, 800-53A, 800-53, 800-137; CNSS Instruction 1253.
Transition is Mandatory
Be clear: all systems are expected to migrate to the same ATO process.
The Joint Task Force Transformation Initiative Working Group is a joint effort across executive agencies to build a single methodology for C&A/A&A.
DITSCAP and DIACAP content is merged into the new guidance. DoD entities and organizations will use revised 8500 Series guidance. All expiring accreditations and new requests for accreditation must use RMF guidelines (shorter accreditation cycles for more sensitive systems).
800-37 and ICD 503 are expected to replace DCID 6/3 guidance.
The process at the operations level is evolutionary.
Why?
1. Standards across government = alignment of controls and language improves the possibility of reciprocity.
2. Focus on risk = a means to address the diversity of systems, components and custom environments, rather than prescribing one size fits all.
3. Address security sooner = baking security into systems rather than bolting security on.
4. Continuous monitoring and roll-up reporting = better federal enterprise security.
Whom does it affect?
Benefits?
How to start: Storyboard success
A pilot project can help design successful activities:
- Choose experts
- Expect to learn
- Debrief and examine
Possible scenarios:
- Development project
- New software
- Upgrade
- Vendor tools
Key Take-aways
1. Risk Management focus will improve threat awareness but increases the amount of information to process.
2. Ask: how do our processes align with the new guidance?
3. Speed it up! Expect a mandated shorter period of authorization based on the sensitivity of data and criticality of the application.
4. Use automation to increase capacity, reduce dependence on a single point of failure, create improved sensitivity to the environment, and improve reporting.
The Risk Management Framework
How Tripwire fits into the Risk Management Framework
Recap
The Risk Management Framework is taken from the NIST SP 800-37 guide “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach”, which has been available for FISMA compliance since 2004.
What does Tripwire do?
History of gathering data around:
- Change
- Configuration
- Vulnerabilities
- Inventory
- Logs
Steps to the Risk Management Framework
Step 1 Categorize Information Systems
Step 2 Select Security Controls
Example of Policy content in TE
IP360 Risk Matrix
Security Controls - TLC
Step 3 Implement Security Controls
Example of Security Control Policy in TE
Step 4 Assess Security Controls
Example in TE of Assessing Security Controls
Step 5 Authorize Information System
Report showing compliance for use for ATO
Step 6 Monitor Security Controls
Monitor Security Controls - TE
Monitoring Security Controls TE & TLC
Monitor Security Controls – IP360 Vulnerabilities
Why Tripwire?
- Standards
- Focus on risk
- Address security sooner
- Continuous monitoring
- Risk management focus
- Automation and improved reporting
Additional Resources
NIST SP 800-37 Guide: http://csrc.nist.gov/publications/PubsSPs.html#800-37
Tripwire, Adjusting to the Reality of the RMF: https://www.tripwire.com/register/adjusting-to-the-reality-of-the-risk-management-framework-rmf/