Management Class
Security Control Families

ID Class
CA Management
PL Management
PM Management
RA Management
SA Management
AT Operational
CM Operational
CP
IR
Operational
Operational
MA Operational
MP Operational
PE Operational
PS
SI
Operational
Operational
AC Technical
AU Technical
IA
SC
Technical
Technical
Family
Security Assessment and Authorization
Planning
Program Management
Risk Assessment
System and Services Acquisition
Awareness and Training
Configuration Management
Contingency Planning
Incident Response
Maintenance
Media Protection
Physical and Environmental Protection
Personnel Security
System and Information Integrity
Access Control
Audit and Accountability
Identification and Authentication
System and Communications Protection
10
8
6
6
19
# of
6
5
11
5
9
4
14/40
8
13/84
19
14
8
34/75

 XX-1 Policy and Procedures

Graphic
Summaries
Table Summaries
Bulleted
Summaries
Executive Summaries,
Overviews, Introductions
8

AC-1 Access Control
AT-1 Security Awareness and Training
AU-1 Audit and Accountability
CA-1 Security Assessment and Authorization
CM-1 Configuration Management
CP-1 Contingency Planning
IA-1 Identification and Authentication
IR-1 Incident Response
MA-1 System Maintenance
MP-1 Media Protection
PE-1 Physical and Environmental Protection
PL-1 Security Planning
PM-1 Information Security Program Plan
PS-1 Personnel Security
RA-1 Risk Assessment
SA-1 System and Services Acquisition
SC-1 System and Communications Protection
SI-1 System and Information Integrity
 SP 800-12
The Handbook
 SP 800-100
Manager’s Handbook

Security Assessment &
Authorization
CA-2 Security Assessments
CA-3 Information System Connections
CA-5 Plan of Action and Milestones
CA-6 Security Authorization
CA-7 Continuous Monitoring
 Core RMF
Documents
 800-47 (SLA)
 800-137 (CM)

PL-2 System Security Plan
PL-4 Rules of Behavior
PL-5 Privacy Impact Assessment
PL-6 Security-Related Activity Planning
CA-5 Plan of Action and Milestones -37
CP-2 Contingency Plan -34
CM-9 Configuration Management Plan -128
IR-8 Incident Response Plan -61
PM-1 Information Security Program Plan
PM-8
RMF
4.1
Critical Infrastructure Plan
Security Assessment Plan -53a
 800-18 (RMF)
 800-100 (PM)
 OMB M-03-22 (Privacy)

PM-2 Senior Information Security Officer
PM-3 Information Security Resources
PM-4 Plan of Action and Milestones Process
PM-5 Information System Inventory
PM-6
Information Security Measures of
Performance
PM-7 Enterprise Architecture
PM-8 Critical Infrastructure Plan
PM-9 Risk Management Strategy
PM-10 Security Authorization Process
PM-11 Mission/Business Process Definition
 800-30
 800-37 (RMF)
 800-39 (RMF)
 800-100
 800-55 - Performance
 800-60
 800-65 - CPIC
 FIPS 199
 HSPD 7 – Critical
Infrastructure
 OMB 02-01 - SSP

Program Management
Overview
 Information Security Program Plan (PM)
 Critical Infrastructure Plan (HSPD 7)
 Capital Planning and Investment Control (SP 800-65)
 Measures of Performance (SP 800-55)
 Enterprise Architecture and Mission/Business Process
Definition

Information Security
Program Plan
 Defines Security Program Requirements
 Documents Management and Common Controls
 Defines Roles, Responsibilities, Management
Commitment and Coordination
 Approved by Senior Official (AO)
 Appoint Senior Information Security Officer

 HSPD-7 Critical Infrastructure Identification,
Prioritization, and Protection
 Essential Services That Underpin American Society
 Protection from Terrorist Attacks
– Prevent Catastrophic Health Effects or Mass Casualties
– Maintain Essential Federal Missions
– Maintain Order
– Ensure Orderly Functioning of Economy
– Maintain Public's Morale and Confidence in Economic and
Political Institutions
 Strategic Improvements in Security

Capital Planning &
Investment Control
 Investment Life Cycle
 Integrating Information Security into the CPIC Process
 Roles and Responsibilities
– Identify Baseline
– Identify Prioritization Criteria
– Conduct System- and Enterprise-Level Prioritization
– Develop Supporting Materials
– IRB and Portfolio Management
– Exhibits 53 and 300 and Program Management

Integrating Information Security into the CPIC Process

 If the interconnecting systems have the same authorizing official, an Interconnection Security Agreement is not required. True or False?
 Which NIST SP, provides a seven-step process for integrating information security into the capital planning process?
 This directive establishes a national policy for Federal departments and agencies to identify and prioritize
United States critical infrastructure and key resources and to protect them from terrorist attacks.
 The corrective action and cost information contained in which document, serve as inputs to the Exhibit 300s and are then rolled into the Exhibit 53?

 Metric Types
 Metrics Development and Implementation Approach
 Metrics Development Process
 Metrics Program Implementation
– Prepare for Data Collection
– Collect Data and Analyze Results
– Identify Corrective Actions
– Develop Business Case and Obtain Resources
– Apply Corrective Actions

 “Am I implementing the tasks for which I am responsible?”
 “How efficiently or effectively am I accomplishing those tasks?”
 “What impact are those tasks having on the mission?”

Metrics Program Implementation

Business Performance Service
Information Type
(SP 800-60)
Technical
Data

 Business-driven
 Proactive and collaborative across the Federal government
 Architecture improves the effectiveness and efficiency of government information resources

Defining Mission/Business
Processes
 Defines mission/business processes with consideration for information security and the resulting risk to the organization;
 Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs is obtained.

RA-2 Security Categorization
RA-3 Risk Assessment
RA-5 Vulnerability Scanning
 800-30r1 (draft)
 800-37
 800-40 -
Patch Management
 800-70 - Checklists
 800-115 - Assessments

Patch and Vulnerability
Management Program
 Create a System Inventory
 Monitor for Vulnerabilities, Remediations, and Threats
 Prioritize Vulnerability Remediation
 Create an Organization-Specific Remediation Database
 Conduct Generic Testing of Remediations
 Deploy Vulnerability Remediations
 Distribute Vulnerability and Remediation Information to Local
Administrators
 Perform Automated Deployment of Patches
 Configure Automatic Update of Applications Whenever
Possible and Appropriate.
 Verify Vulnerability Remediation Through Network and Host
Vulnerability Scanning
 Vulnerability Remediation Training

 In which NIST special publication might you find guidance for the performance measurement of information systems?
 Which FEA reference model was used to create the guide for mapping information types to security categories, in support of the first step of the Risk
Management Framework?
 What is the name of the security control, represented by the control ID RA-3, must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management
Framework?
 Where can information about vulnerabilities be found?

SA-2 Allocation of Resources
SA-3 Life Cycle Support
SA-4 Acquisitions
SA-5 Information System Documentation
SA-6 Software Usage Restrictions
SA-7 User-Installed Software
SA-8 Security Engineering Principles
SA-9 External Information System Services
SA-10 Developer Configuration Management
SA-11 Developer Security Testing
SA-12 Supply Chain Protection
SA-13 Trustworthiness
 800-23 – Acquisition
Assurance
 800-35 – Security
Services
 800-36
– Security
Products
 800-53a
 800-64 - SDLC
 800-65 - CPIC
 800-70 - Checklists

General Considerations for
Security Services
 Strategic/Mission
 Budgetary/Funding
 Technical/ Architectural
 Organizational
 Personnel
 Policy/Process

 Identification and Authentication
 Access Control
 Intrusion Detection
 Common Criteria Evaluation and Validation Scheme
 Firewall
 Public Key Infrastructure
 Malicious Code Protection
 NIST Cryptographic Module
Validation Program
 Vulnerability Scanners
 Forensics
 Media Sanitizing

Considerations for Selecting
Information Security Products
 Organizational
 Product
 Vendor
 Security Checklists for IT Products
 Organizational Conflict of Interest

Management Security Controls
Key Concepts & Vocabulary
 XX-1 Policy & Procedures
 CA - Security Assessment and Authorization
 PL – Planning Family & Family Plans
– Information Security Program Plan (PM)
– Critical Infrastructure Plan (HSPD 7)
 PM - Program Management
– Capital Planning and Investment Control (SP 800-65)
– Measures of Performance (SP 800-55)
– Enterprise Architecture (FEA BRM)
 RA - Risk Assessment
– Security Categorization
– Risk & Vulnerability Assessments
 SA - System and Services Acquisition