Information System

[Figure: Risk Management Framework steps around the Information System: Categorize, Select, Implement, Assess, Authorize, Monitor]
“Certification and accreditation is the methodology used to ensure that security controls are established for an information system, that these controls are functioning appropriately, and that management has authorized the operation of the system in its current security posture.”
- Official (ISC)2 Guide to the CAP CBK (1st ed.)
Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
- CNSS Instruction No. 4009
“The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.”
- NIST SP 800-37 rev 1
Why are Agencies riddled with security holes?
http://gcn.com/articles/2011/07/06/cyber-attacks-take-2-energy-labs-offline.aspx
• Need consistent management support
• Without management support people will not fulfill their obligations to the project
• Without management support you will not have access to needed resources and funding
• The Chief Information Security Officer (CISO) can keep the program visible by giving regular updates to C-level management
Reference: http://www.tess-llc.com/Certification%20&%20Accreditation%20PolicyV4.pdf
Life-cycle for the development of the documentation for the RMF process (figure):
• Creation
• Review
• Approval
• Retirement
• Communication
• Compliance
• Exceptions
Development / Implementation / Disposal / Maintenance
• Awareness
• Monitoring
• Enforcement
• Maintenance
“The Chief Information Officer, with the support of the senior agency information security officer, works closely with authorizing officials and their designated representatives to ensure that an agency-wide security program is effectively implemented, that the certifications and accreditations required across the agency are accomplished in a timely and cost-effective manner, and that there is centralized reporting of all security-related activities.”
- NIST SP 800-37
“A senior management official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations, agency assets, or individuals.”
- NIST SP 800-37
“Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.”
- NIST SP 800-37
“Individual responsible for the installation and maintenance of an information system, providing effective information system utilization, adequate security parameters, and sound implementation of established Information Assurance policy and procedures.”
- CNSS Instruction No. 4009
“The information system security officer often plays an active role in developing and updating the system security plan as well as in managing and controlling changes to the system and assessing the security impact of those changes.”
- NIST SP 800-37
The certification agent is an individual, group, or organization responsible for conducting a security certification, or comprehensive assessment of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
- NIST SP 800-37
“At the discretion of senior agency officials, certain security certification and accreditation roles may be delegated and if so, appropriately documented. Agency officials may appoint appropriately qualified individuals, to include contractors, to perform the activities associated with any security certification and accreditation role with the exception of the Chief Information Officer and authorizing official. The Chief Information Officer and authorizing official have inherent United States Government authority, and those roles should be assigned to government personnel only. Individuals serving in delegated roles are able to operate with the authority of agency officials within the limits defined for the specific certification and accreditation activities. Agency officials retain ultimate responsibility, however, for the results of actions performed by individuals serving in delegated roles.”
- NIST SP 800-37
[Figure: organizational tiers and roles. Top tier: Head of Agency (CEO), Risk Executive Function, Audit. Program Level: Mission / Business Unit, IT, Security, Audit; IG, SISO, CIO, BUM. Middle Tier: SOD. System Level: IA, SCA, ISSM, ISSO (Independence); AO, SO, IO, SA, EU (SOD)]
Role mapping, DoDI 8510.01 & 8500.2 -> SP 800-37 Rev 1:
Head of DoD Components -> Head of Agency (CEO)
Principal Accrediting Authority (PAA) -> Risk Executive Function and/or Approving Authority (AA)
Senior Information Assurance Officer (SIAO) -> Senior Information Security Officer (SISO)
Designated Accrediting Authority (DAA) -> Approving Authority (AA)
Systems Manager -> Common Control Provider and/or Systems Owner
Program Manager -> Common Control Provider and/or System Owner
Information Assurance Manager (IAM) -> ISSO and/or SISO
Information Assurance Officer (IAO) -> Information Systems Security Officer (ISSO)
Certification Agent -> Security Control Assessor
[Figure: certifications by functional area]
Management / Risk: CISM, CISSP, ISSMP, CAP
Audit: CISA, GSNA
Network / Communications: SSCP, CASP, Security+, CISSP, ISSEP / ISSAP
Software Dev: CSSLP

Level -> Qualifying Certifications:
CND Analyst: GCIA, CEH
CND Infrastructure Support: SSCP, CEH
CND Incident Responder: GCIH, GSIH, CEH
CND Auditor: CISA, CEH, GSNA
CN-SP Manager: CISM, CISSP-ISSEP
“The CNSS is directed to assure the security of NSS against technical exploitation by providing: reliable and continuing assessments of threats and vulnerabilities and implementation of effective countermeasures; a technical base within the USG to achieve this security; and support from the private sector to enhance that technical base assuring that information systems security products are available to secure NSS.”
You got to be careful if you don’t know where you’re going, because you might not get there.
-- Yogi Berra
• Attack: accomplished by a threat agent that damages or steals an organization’s information or physical asset
• Exploit: technique or mechanism used to compromise a system
• Vulnerability: identified weakness of a controlled system in which necessary controls are not present or are no longer effective
• Use some method of prioritizing the risk posed by each category of threat and its related methods of attack
• To manage risk, you must identify and assess the value of your information assets
• Risk assessment assigns a comparative risk rating or score to each specific information asset
• Risk management identifies vulnerabilities in an organization’s information systems and takes carefully reasoned steps to assure the confidentiality, integrity, and availability of all the components in the organization’s information system
Information Security and Risk Management
• “The process of determining the maximum acceptable level of overall risk to and from a proposed activity, then using risk assessment techniques to determine the initial level of risk and, if this is excessive, developing a strategy to ameliorate appropriate individual risks until the overall level of risk is reduced to an acceptable level.” – Wiktionary
 Risk assessments
 Risk treatment



[Slide fragments: highly dependent; dependable; protected]
Continuing serious cyber attacks on federal information systems, large and small; targeting key federal operations and assets…
[Slide fragments: Connectivity; Complexity]
The weapons of choice are—
Resulting in low-cost, highly destructive attack potential.
• Energy (electrical, nuclear, gas and oil, dams)
• Transportation (air, road, rail, port, waterways)
• Public Health Systems / Emergency Services
• Information and Telecommunications
• Defense Industry
• Banking and Finance
• Postal and Shipping
• Agriculture / Food / Water / Chemical
-- USA Patriot Act (P.L. 107-56)

[Slide fragments: 90%; partnership]
For economic and national security reasons, we need—
The Generalized Model
[Figure: Intelligence Community, Department of Defense, and Federal Civil Agencies. Top layer: Unique Information Security Requirements (the “Delta”). Middle layer: Common Information Security Requirements. Base layer: Foundational Set of Information Security Standards and Guidance, covering national security and non national security information systems]
• Standardized risk management process
• Standardized security categorization (criticality/sensitivity)
• Standardized security controls (safeguards/countermeasures)
• Standardized security assessment procedures
• Standardized security authorization process
Links in the Security Chain: Management, Operational, and Technical Controls
 Risk assessment
 Security planning, policies, procedures
 Configuration management and control
 Contingency planning
 Incident response planning
 Security awareness and training
 Security in acquisitions
 Physical security
 Personnel security
 Security assessments
 Certification and accreditation
 Access control mechanisms
 Identification & authentication mechanisms (biometrics, tokens, passwords)
 Audit mechanisms
 Encryption mechanisms
 Boundary and network protection devices (firewalls, guards, routers, gateways)
 Intrusion protection/detection systems
 Security configuration settings
 Anti-viral, anti-spyware, anti-spam software
 Smart cards
Adversaries attack the weakest link…where is yours?
Risk Management Framework (Security Life Cycle; SP 800-39), Starting Point:
CATEGORIZE Information System (FIPS 199 / SP 800-60): Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business.
SELECT Security Controls (FIPS 200 / SP 800-53): Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
IMPLEMENT Security Controls (SP 800-70): Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.
ASSESS Security Controls (SP 800-53A): Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system).
AUTHORIZE Information System (SP 800-37): Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
MONITOR Security State (SP 800-37 / SP 800-53A): Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
“Building information security into the infrastructure of the organization… so that critical enterprise missions and business cases will be protected.”
Example: An Enterprise Information System
FIPS 199: Mapping Information Types to FIPS 199 Security Categories (SP 800-60)

Confidentiality
LOW: The loss of confidentiality could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
MODERATE: The loss of confidentiality could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
HIGH: The loss of confidentiality could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Integrity
LOW: The loss of integrity could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
MODERATE: The loss of integrity could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
HIGH: The loss of integrity could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Availability
LOW: The loss of availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
MODERATE: The loss of availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
HIGH: The loss of availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Master Security Control Catalog: Complete Set of Security Controls and Control Enhancements
Minimum Security Controls, Low Impact Information Systems (Baseline #1): Selection of a subset of security controls from the master catalog—consisting of basic level controls
Minimum Security Controls, Moderate Impact Information Systems (Baseline #2): Builds on low baseline. Selection of a subset of controls from the master catalog—basic level controls, additional controls, and control enhancements
Minimum Security Controls, High Impact Information Systems (Baseline #3): Builds on moderate baseline. Selection of a subset of controls from the master catalog—basic level controls, additional controls, and control enhancements
[Figure: tailoring the baselines]
Minimum Security Controls, Low Impact Information Systems (Low Baseline) -> Tailored Security Controls -> Enterprise #1 / Operational Environment #1
Minimum Security Controls, Moderate Impact Information Systems (Moderate Baseline) -> Tailored Security Controls -> Enterprise #2 / Operational Environment #2
Minimum Security Controls, High Impact Information Systems (High Baseline) -> Tailored Security Controls -> Enterprise #3 / Operational Environment #3
Cost effective, risk-based approach to achieving adequate information security…
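The FIPS 199 categorization table and the three baselines above describe a procedure: for each security objective take the high water mark across the information types a system hosts, then take the high water mark across confidentiality, integrity and availability to pick the starting baseline. The Python below is an added example, not code from these slides or from NIST. The InformationType class, the function names, the sample information types and the "Baseline #1/#2/#3" labels are constructed for illustration; the N/A handling follows FIPS 199, which permits "not applicable" only for the confidentiality of an information type and sets LOW as the floor for a system.

```python
"""FIPS 199 security categorization and baseline selection (added example).

Implements the high-water-mark rule from FIPS 199 / FIPS 200: the impact for
each objective is the maximum over the system's information types, and the
starting baseline (Low/Moderate/High) is the maximum over the three objectives.
All sample data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable

# Impact levels in ascending order. "N/A" is only valid for the
# confidentiality of an individual information type (e.g. public data),
# never for integrity/availability and never for a whole system.
IMPACT_ORDER = {"N/A": -1, "LOW": 0, "MODERATE": 1, "HIGH": 2}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Baseline labels as used on the slides (assumed naming for this example).
BASELINES = {
    "LOW": "Baseline #1 (Low)",
    "MODERATE": "Baseline #2 (Moderate)",
    "HIGH": "Baseline #3 (High)",
}


@dataclass(frozen=True)
class InformationType:
    """One information type with its FIPS 199 security category."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        # Reject unknown levels and N/A outside confidentiality up front,
        # so a bad categorization never silently lowers the system's mark.
        for objective in OBJECTIVES:
            level = getattr(self, objective)
            if level not in IMPACT_ORDER:
                raise ValueError(f"{self.name}: unknown impact level {level!r} for {objective}")
            if level == "N/A" and objective != "confidentiality":
                raise ValueError(f"{self.name}: N/A is only permitted for confidentiality")


def system_security_category(info_types: Iterable[InformationType]) -> Dict[str, str]:
    """High water mark per objective across all information types on the system.

    A system never carries N/A: if every hosted type is N/A for
    confidentiality, the system-level value is the LOW floor.
    """
    types = list(info_types)
    if not types:
        raise ValueError("a system must host at least one information type")
    category: Dict[str, str] = {}
    for objective in OBJECTIVES:
        highest = max((getattr(t, objective) for t in types), key=IMPACT_ORDER.__getitem__)
        category[objective] = "LOW" if highest == "N/A" else highest
    return category


def format_security_category(system_name: str, category: Dict[str, str]) -> str:
    """Render the category in the FIPS 199 'SC = {(objective, impact), ...}' notation."""
    parts = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return f"SC {system_name} = {{{parts}}}"


def overall_impact(category: Dict[str, str]) -> str:
    """FIPS 200 high water mark across confidentiality, integrity and availability."""
    return max(category.values(), key=IMPACT_ORDER.__getitem__)


def select_baseline(category: Dict[str, str]) -> str:
    """Map the overall impact level to the starting control baseline."""
    return BASELINES[overall_impact(category)]


# Constructed sample: an enterprise system hosting three information types.
SAMPLE_TYPES = [
    InformationType("public web content", "N/A", "LOW", "LOW"),
    InformationType("personnel records", "MODERATE", "MODERATE", "LOW"),
    InformationType("payment processing", "MODERATE", "MODERATE", "MODERATE"),
]

if __name__ == "__main__":
    sc = system_security_category(SAMPLE_TYPES)
    print(format_security_category("enterprise system", sc))
    print("Overall impact:", overall_impact(sc))
    print("Starting baseline:", select_baseline(sc))
```

The result is only the starting point: the tailoring step shown in the figure (Tailored Security Controls per Enterprise / Operational Environment) still has to be applied to the selected baseline, and adding a single HIGH-integrity or HIGH-availability information type to the sample system raises the whole system to the High baseline, which is exactly the effect the high water mark is meant to have.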
Authorization Boundary
[Figure: Organizational Information System composed of Subsystem Components, joined by a System Guard across Local Area Network Alpha and Local Area Network Bravo]
 System security plan reflects information system decomposition with adequate security controls assigned to each subsystem component.
 Security assessment procedures tailored for the security controls in each subsystem component and for the combined system-level controls.
 Security assessment performed on each subsystem component and on system-level controls not covered by subsystem assessments.
 Security authorization performed on the information system as a whole.
Applying the Risk Management Framework to Information Systems
[Figure: the Risk Management Framework (CATEGORIZE Information System, SELECT Security Controls, IMPLEMENT Security Controls, ASSESS Security Controls, AUTHORIZE Information System, MONITOR Security State) applied to an INFORMATION SYSTEM. Inputs: Output from Automated Support Tools; Near Real Time Security Status Information; Artifacts and Evidence. Output: the Authorization Package, consisting of the SECURITY PLAN including updated Risk Assessment, the SECURITY ASSESSMENT REPORT, and the PLAN OF ACTION AND MILESTONES]
Extending the Risk Management Framework to Organizations
[Figure: RISK EXECUTIVE FUNCTION providing Enterprise-wide Oversight, Monitoring, and Risk Management, Security Requirements and Policy Guidance. Each INFORMATION SYSTEM runs the INFORMATION SYSTEM RISK MANAGEMENT FRAMEWORK (RMF) and produces an SP (security plan), SAR (security assessment report), POAM (plan of action and milestones) and Authorization Decision. Common Security Controls (Infrastructure-based, System-inherited) likewise produce an SP, SAR, POAM and Authorization Decision]
Managing Risk at the Organizational Level
RISK EXECUTIVE FUNCTION: Coordinated policy, risk, and security-related activities supporting organizational missions and business processes.
[Figure: Mission / Business Processes supported by Information Systems, with information system-specific considerations]
• Establish organizational information security priorities.
• Allocate information security resources across the organization.
• Provide oversight of information system security categorizations.
• Identify and assign responsibility for common security controls.
• Provide guidance on security control selection (tailoring and supplementation).
• Define common security control inheritance relationships for information systems.
• Establish and apply mandatory security configuration settings.
• Identify and correct systemic weaknesses and deficiencies in information systems.
[Figure: Organization One and Organization Two exchanging Business / Mission Information Flow between their INFORMATION SYSTEMs and exchanging Security Information (System Security Plan, Security Assessment Report, Plan of Action and Milestones). Each organization is determining risk to the organization’s operations and assets, individuals, other organizations, and the Nation; and the acceptability of such risk.]
The objective is to achieve visibility into and understanding of prospective partners’ information security programs…establishing a trust relationship based on the trustworthiness of their information systems.
 Information security requirements must be considered first order requirements and are critical to mission and business success.
 An effective organization-wide information security program helps to ensure that security considerations are specifically addressed in the enterprise architecture for the organization and are integrated early into the system development life cycle.
 Provides a common language for discussing information security in the context of organizational missions, business processes, and performance goals.
 Defines a collection of interrelated reference models that are focused on lines of business including Performance, Business, Service Component, Data, and Technical.
 Uses a security and privacy profile to describe how to integrate the Risk Management Framework into the reference models.
 The Risk Management Framework should be integrated into all phases of the SDLC.
 Initiation (RMF Steps 1 and 2)
 Development and Acquisition (RMF Step 2)
 Implementation (RMF Steps 3 through 5)
 Operations and Maintenance (RMF Step 6)
 Disposition (RMF Step 6)
 Reuse system development artifacts and evidence (e.g., design specifications, system documentation, testing and evaluation results) for risk management activities.
[Publication list; document identifiers not extracted]
 (Security Categorization)
 (Minimum Security Requirements)
 (Security Planning)
 (Risk Assessment)
 (Risk Management)
 (Certification & Accreditation)
 (Recommended Security Controls)
 (Security Control Assessment)
 (National Security Systems)
 (Security Category Mapping)

(Operational environments)
 Security controls
 Configuration settings
(Laboratory environments)
 Security functionality (features)
 Configuration settings
[Figure: Trustworthiness of Information Systems built from IT Products: Functionality and Assurance; Operational Environment; Trust Relationship between Information Systems]
Producing evidence that supports the grounds for confidence in the design, development, implementation, and operation of information systems.
 Frequently Asked Questions
 Publication Summary Guides (Quickstart Guides)
 Formal Curriculum and Training Courses

And finally…