Security Control Families

Class        ID   Family                                    # of Controls
Management   CA   Security Assessment and Authorization      6
Management   PL   Planning                                   5
Management   PM   Program Management                        11
Management   RA   Risk Assessment                            4
Management   SA   System and Services Acquisition           14/40
Operational  AT   Awareness and Training                     5
Operational  CM   Configuration Management                   9
Operational  CP   Contingency Planning                      10
Operational  IR   Incident Response                          8
Operational  MA   Maintenance                                6
Operational  MP   Media Protection                           6
Operational  PE   Physical and Environmental Protection     19
Operational  PS   Personnel Security                         8
Operational  SI   System and Information Integrity          13/84
Technical    AC   Access Control                            19
Technical    AU   Audit and Accountability                  14
Technical    IA   Identification and Authentication          8
Technical    SC   System and Communications Protection      34/75

(In the last row of each class, the number after the slash is the class total: 40 management, 84 operational and 75 technical controls.)
XX-1 Policy and Procedures
[Legend: Graphic Summaries; Table Summaries; Bulleted Summaries; Executive Summaries, Overviews, Introductions]
AC-1 Access Control
AT-1 Security Awareness and Training
AU-1 Audit and Accountability
CA-1 Security Assessment and Authorization
CM-1 Configuration Management
CP-1 Contingency Planning
IA-1 Identification and Authentication
IR-1 Incident Response
MA-1 System Maintenance
MP-1 Media Protection
PE-1 Physical and Environmental Protection
PL-1 Security Planning
PM-1 Information Security Program Plan
PS-1 Personnel Security
RA-1 Risk Assessment
SA-1 System and Services Acquisition
SC-1 System and Communications Protection
SI-1 System and Information Integrity
References: SP 800-12 (The Handbook); SP 800-100 (Manager's Handbook)
Security Assessment & Authorization (CA)
CA-2 Security Assessments
CA-3 Information System Connections
CA-5 Plan of Action and Milestones
CA-6 Security Authorization
CA-7 Continuous Monitoring
References: Core RMF Documents; 800-47 (SLA); 800-137 (CM)
PL-2 System Security Plan
PL-4 Rules of Behavior
PL-5 Privacy Impact Assessment
PL-6 Security-Related Activity Planning
Family plans:
– CA-5 Plan of Action and Milestones (800-37)
– CP-2 Contingency Plan (800-34)
– CM-9 Configuration Management Plan (800-128)
– IR-8 Incident Response Plan (800-61)
– PM-1 Information Security Program Plan
– PM-8 Critical Infrastructure Plan (RMF 4.1)
– Security Assessment Plan (800-53A)
References: 800-18 (RMF); 800-100 (PM); OMB M-03-22 (Privacy)
PM-2 Senior Information Security Officer
PM-3 Information Security Resources
PM-4 Plan of Action and Milestones Process
PM-5 Information System Inventory
PM-6 Information Security Measures of Performance
PM-7 Enterprise Architecture
PM-8 Critical Infrastructure Plan
PM-9 Risk Management Strategy
PM-10 Security Authorization Process
PM-11 Mission/Business Process Definition
References: 800-30; 800-37 (RMF); 800-39 (RMF); 800-100; 800-55 (Performance); 800-60; 800-65 (CPIC); FIPS 199; HSPD 7 (Critical Infrastructure); OMB 02-01 (SSP)
Program Management
Overview
Information Security Program Plan (PM)
Critical Infrastructure Plan (HSPD 7)
Capital Planning and Investment Control (SP 800-65)
Measures of Performance (SP 800-55)
Enterprise Architecture and Mission/Business Process Definition
Information Security Program Plan
Defines Security Program Requirements
Documents Management and Common Controls
Defines Roles, Responsibilities, Management Commitment and Coordination
Approved by Senior Official (AO)
Appoint Senior Information Security Officer
HSPD-7 Critical Infrastructure Identification, Prioritization, and Protection
Essential Services That Underpin American Society
Protection from Terrorist Attacks
– Prevent Catastrophic Health Effects or Mass Casualties
– Maintain Essential Federal Missions
– Maintain Order
– Ensure Orderly Functioning of Economy
– Maintain Public's Morale and Confidence in Economic and Political Institutions
Strategic Improvements in Security
Capital Planning & Investment Control
Investment Life Cycle
Integrating Information Security into the CPIC Process
Roles and Responsibilities
– Identify Baseline
– Identify Prioritization Criteria
– Conduct System- and Enterprise-Level Prioritization
– Develop Supporting Materials
– IRB and Portfolio Management
– Exhibits 53 and 300 and Program Management
If the interconnecting systems have the same authorizing official, an Interconnection Security Agreement is not required. True or False?
Which NIST SP provides a seven-step process for integrating information security into the capital planning process?
This directive establishes a national policy for Federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attacks. Which directive is it?
The corrective action and cost information contained in which document serves as input to the Exhibit 300s and is then rolled into the Exhibit 53?
Metric Types
Metrics Development and Implementation Approach
Metrics Development Process
Metrics Program Implementation
– Prepare for Data Collection
– Collect Data and Analyze Results
– Identify Corrective Actions
– Develop Business Case and Obtain Resources
– Apply Corrective Actions
“Am I implementing the tasks for which I am responsible?”
“How efficiently or effectively am I accomplishing those tasks?”
“What impact are those tasks having on the mission?”
[Figure: reference models Business, Performance, Service, Technical, Data; Information Type (SP 800-60)]
Business-driven
Proactive and collaborative across the Federal government
Architecture improves the effectiveness and efficiency of government information resources
Defining Mission/Business Processes
Defines mission/business processes with consideration for information security and the resulting risk to the organization;
Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs is obtained.
RA-2 Security Categorization
RA-3 Risk Assessment
RA-5 Vulnerability Scanning
References: 800-30r1 (draft); 800-37; 800-40 (Patch Management); 800-70 (Checklists); 800-115 (Assessments)
Patch and Vulnerability Management Program
Create a System Inventory
Monitor for Vulnerabilities, Remediations, and Threats
Prioritize Vulnerability Remediation
Create an Organization-Specific Remediation Database
Conduct Generic Testing of Remediations
Deploy Vulnerability Remediations
Distribute Vulnerability and Remediation Information to Local Administrators
Perform Automated Deployment of Patches
Configure Automatic Update of Applications Whenever Possible and Appropriate
Verify Vulnerability Remediation Through Network and Host Vulnerability Scanning
Vulnerability Remediation Training
In which NIST special publication might you find guidance for the performance measurement of information systems?
Which FEA reference model was used to create the guide for mapping information types to security categories, in support of the first step of the Risk Management Framework?
What is the name of the security control, identified by control ID RA-3, that must be partially implemented before other controls in order to complete the first two steps in the Risk Management Framework?
Where can information about vulnerabilities be found?
SA-2 Allocation of Resources
SA-3 Life Cycle Support
SA-4 Acquisitions
SA-5 Information System Documentation
SA-6 Software Usage Restrictions
SA-7 User-Installed Software
SA-8 Security Engineering Principles
SA-9 External Information System Services
SA-10 Developer Configuration Management
SA-11 Developer Security Testing
SA-12 Supply Chain Protection
SA-13 Trustworthiness
References: 800-23 (Acquisition Assurance); 800-35 (Security Services); 800-36 (Security Products); 800-53A; 800-64 (SDLC); 800-65 (CPIC); 800-70 (Checklists)
General Considerations for Security Services
Strategic/Mission
Budgetary/Funding
Technical/ Architectural
Organizational
Personnel
Policy/Process
Considerations for Selecting Information Security Products
Product categories: Identification and Authentication; Access Control; Intrusion Detection; Firewall; Public Key Infrastructure; Malicious Code Protection; Vulnerability Scanners; Forensics; Media Sanitizing
Evaluation programs: Common Criteria Evaluation and Validation Scheme; NIST Cryptographic Module Validation Program
Considerations: Organizational; Product; Vendor
Security Checklists for IT Products
Organizational Conflict of Interest
Management Security Controls
Key Concepts & Vocabulary
XX-1 Policy & Procedures
CA - Security Assessment and Authorization
PL – Planning Family & Family Plans
– Information Security Program Plan (PM)
– Critical Infrastructure Plan (HSPD 7)
PM - Program Management
– Capital Planning and Investment Control (SP 800-65)
– Measures of Performance (SP 800-55)
– Enterprise Architecture (FEA BRM)
RA - Risk Assessment
– Security Categorization
– Risk & Vulnerability Assessments
SA - System and Services Acquisition