Source: itea.org/images/pdf/conferences/2015_Cyber/022415...

Page 1

Implementing a Risk Management Framework (RMF) Methodology

Presenters: Fred J. Foster and Gary Desilets

24-26 February 2014

www.phacil.com

Headquarters Office: 800 N. Glebe Rd, Ste 700, Arlington, VA 22203, Phone: 703-526-1800

West Coast Office: 601 California St, Ste 1710, San Francisco, CA 94108, Phone: 703-526-1800

Page 2

Agenda

Introduction – DSS Mission and DSS CIO Vision

The Challenge

The Role of Automation

Example: the Test Plan

Getting It All Under Control

Enterprise Risk Management

Continuous Monitoring

Summary

Page 3

DSS Mission and Vision

DSS Mission

On behalf of the Department of Defense and other U.S. Government Departments and Agencies, the Defense Security Service supports national security and the warfighter through our security oversight and education missions. DSS oversees the protection of U.S. and foreign classified information and technologies in the hands of industry under the National Industrial Security Program (NISP) and serves as the functional manager for the DoD security professional development program. We provide security education, training, and professional development services as the functional manager for the DoD security professional development program, and for other U.S. Government personnel and contractor employees, and representatives of foreign governments, as required.

DSS CIO Vision

To be the recognized partner that brings technology and programs together to unleash the power of information in achieving the DSS mission. By delivering an all-inclusive set of tools, services, and data management capabilities, the CIO can enable success across the agency and the National Industrial Security Program.

Page 4

Timeline

9/22/13, DSS Information Assurance (IA) Service Support Contract Award

12/27/13, DSS Data Center Operations Runbook including NIST SP 800-53 Controls w/ CNSSI 1253 reference

3/12/14, RMF replaces DoD Information Assurance Certification and Accreditation Process (DIACAP)
o DoD Instruction 8510.01, Risk Management Framework (RMF) for DoD IT, March 12, 2014, as amended
o RMF replaces DIACAP and manages the lifecycle cybersecurity risk to DoD IT…

Automated RMF Methodology Tools and Techniques
o System Security Documentation
o Security Test and Evaluation (T&E) Plan and Checklist

[Timeline graphic: Contract Award 9/22/13 → Runbook Released 12/27/13 → RMF Replaces DIACAP 3/12/14 → Automated RMF Methodology]

Page 5

The Challenge

The system assessment and authorization (A&A) process

Past issues have never been satisfactorily resolved

Short-term system A&A issues detract attention from long-term enterprise risk management

Control Cost and Time

Requirements

Improve Compliance and Documentation

Page 6

DoD Risk Mitigation Model

Page 7

RMF and Best Practices

CNSSI 1253 Control SA-10, Developer Configuration Management

DSS Data Center Operations Standard Operating Procedures Runbook

CNSSI 1253 Control PL-2(2), System Security Plan | Functional Architecture

Runbook excerpt, 7.4.1 Master Network Diagram Update:

The addition of new systems requires an update of the Master Network Diagram. The Master Network Diagram is a Visio document that illustrates all devices and systems in the DSS Enterprise. The diagram is located on the Portal Master Diagram Folder and can be downloaded and subsequently edited. The diagram must be updated in a manner consistent with the current style of the diagram. The updated diagram must be submitted via email to the OCIO N&I Data Center Chief for approval and acceptance. Upon approval, the diagram will be uploaded by the OCIO N&I Data Center Chief or designee to the Portal Master Diagram Folder.

Runbook excerpt, 6. Data Center Operations/Tasking Guide Introduction:

This document defines the appropriate processes for Defense Security Service (DSS) Data Center Operations (DCO) personnel to follow in assigning tasks or projects to Information Technology System Support (ITSS) Systems Administration contract staff, as well as DSS expectations of contract staff in updating task and project progress, establishing and adhering to deadlines, and communicating effectively with relevant stakeholders. The ultimate goal of this document is to simplify and normalize tasking to facilitate effective tracking, reporting, metrics adherence, and greater consistency in meeting deliverable expectations.

Page 8

Best Practices

Much of the A&A process deals with selecting, implementing, and testing best practices:

o NIST SP 800-53 Controls per CNSSI 1253

o DISA STIGs

Great stuff! But is this the system security ceiling, or the floor?

Best Practices

Emerging Threats

Enterprise Needs

A&A starts with applying best practices. From there, it can be tailored to counter emerging threats and meet the needs of Enterprise Risk Management.

Page 9

The Role of Automation

A Governance, Risk, and Compliance (GRC) software tool can facilitate the A&A process. With appropriate user input, automation can:

Build an initial baseline of controls

Adjust the set of controls for overlays and tailoring

Assemble a system security plan

Build the test plan

Organize test results for risk analysis

Create the RMF body of evidence and authorization documents in standard format

Archive data associated with the process

Page 10

Example: the Test Plan

Project Test Plan

Sources
• Regulations/Instructions/Technical Guidance
• Applicability and Inheritance of Requirements
• System Hardware/Operating System(s)
• System Software
• System Locations
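The following is an added example, not code from the Phacil/DSS deck or from any GRC product. It models the automation steps listed on page 9 (initial baseline from the categorization, overlays and tailoring, system security plan input, test plan) together with the test plan sources on this page (applicability and inheritance of requirements, platform) and the control-to-runbook cross-references of page 7. The control identifiers and titles are real NIST SP 800-53 rev 4 controls, but the baseline trigger table, the overlay contents, the platform and scope tags, the runbook cross-references, the inherited-control providers and the sample system are constructed for the example and do not reproduce CNSSI 1253 or the DSS runbook.

```python
"""Model of GRC automation for RMF control selection and test plan generation.
All tables below are constructed sample data (see lead-in)."""
from dataclasses import dataclass

LEVEL = {"L": 1, "M": 2, "H": 3}


@dataclass(frozen=True)
class Control:
    cid: str
    title: str
    scope: str            # "system": tested once; "component": tested on each host
    platforms: frozenset  # component scope only; empty = applies to every platform


# Constructed catalog: real control IDs/titles, assumed scope and platform tags.
CATALOG = {c.cid: c for c in [
    Control("AC-2", "Account Management", "component", frozenset()),
    Control("AU-2", "Audit Events", "component", frozenset()),
    Control("CM-6", "Configuration Settings", "component", frozenset({"linux", "windows"})),
    Control("IA-5", "Authenticator Management", "component", frozenset()),
    Control("PL-2", "System Security Plan", "system", frozenset()),
    Control("PL-2(2)", "System Security Plan | Functional Architecture", "system", frozenset()),
    Control("SA-10", "Developer Configuration Management", "system", frozenset()),
    Control("SC-8", "Transmission Confidentiality and Integrity", "component", frozenset()),
    Control("SC-28", "Protection of Information at Rest", "component", frozenset()),
]}

# Constructed stand-in for the CNSSI 1253 selection tables: a control enters the
# baseline when any listed (axis, minimum level) pair is met by the C/I/A values.
TRIGGERS = {
    "AC-2": [("C", "L"), ("I", "L"), ("A", "L")],
    "AU-2": [("C", "L"), ("I", "L")],
    "CM-6": [("C", "L"), ("I", "L"), ("A", "L")],
    "IA-5": [("C", "L"), ("I", "L")],
    "PL-2": [("C", "L"), ("I", "L"), ("A", "L")],
    "PL-2(2)": [("C", "M"), ("I", "M")],
    "SA-10": [("I", "M")],
    "SC-8": [("C", "M"), ("I", "M")],
    "SC-28": [("C", "H")],
}

OVERLAY_CLASSIFIED = {"SC-28"}  # constructed overlay content

# Constructed cross-references to runbook sections, loosely following page 7.
RUNBOOK = {
    "PL-2(2)": "Runbook 7.4.1 Master Network Diagram Update",
    "SA-10": "Runbook 6 Data Center Operations / Tasking Guide",
}


def select_baseline(c, i, a):
    """Initial baseline from the security categorization."""
    levels = {"C": LEVEL[c], "I": LEVEL[i], "A": LEVEL[a]}
    return {cid for cid, trig in TRIGGERS.items()
            if any(levels[axis] >= LEVEL[minimum] for axis, minimum in trig)}


def apply_overlay(controls, overlay):
    """Overlays only add controls; the baseline is the floor, not the ceiling."""
    unknown = set(overlay) - set(CATALOG)
    if unknown:
        raise ValueError(f"overlay names controls not in the catalog: {sorted(unknown)}")
    return set(controls) | set(overlay)


def tailor(controls, removals):
    """Scoping a control out requires it to be selected and to have a justification."""
    result = set(controls)
    for cid, why in removals.items():
        if cid not in result:
            raise ValueError(f"{cid} is not in the selected set")
        if not (why and why.strip()):
            raise ValueError(f"tailoring out {cid} requires a justification")
        result.remove(cid)
    return result


def build_test_plan(controls, components, inherited):
    """One row per (control, applicable component); inherited controls get a
    single row that verifies the provider's evidence instead of a local test."""
    rows = []
    for cid in sorted(controls):
        ctl = CATALOG[cid]
        base = {"control": cid, "title": ctl.title, "reference": RUNBOOK.get(cid, "")}
        if cid in inherited:
            rows.append({**base, "component": "(inherited)",
                         "procedure": f"Verify inheritance from {inherited[cid]}"})
        elif ctl.scope == "system":
            rows.append({**base, "component": "(system)",
                         "procedure": "Examine system documentation"})
        else:
            for name, platform in components:
                if ctl.platforms and platform not in ctl.platforms:
                    continue  # not applicable to this platform (e.g. an appliance)
                rows.append({**base, "component": name,
                             "procedure": f"Test {cid} settings on {name} ({platform})"})
    return rows


# Constructed sample system: components and the common controls it inherits.
SYSTEM_COMPONENTS = [("portal-web", "linux"), ("portal-db", "windows"), ("kvm-switch", "appliance")]
INHERITED = {"AC-2": "enterprise directory service",
             "PL-2(2)": "enterprise Master Network Diagram process"}


def run_example():
    selected = select_baseline("M", "M", "L")               # 8 controls
    selected = apply_overlay(selected, OVERLAY_CLASSIFIED)  # adds SC-28
    selected = tailor(selected, {"SA-10": "COTS only; no developer-managed code"})
    return selected, build_test_plan(selected, SYSTEM_COMPONENTS, INHERITED)


if __name__ == "__main__":
    controls, plan = run_example()
    print("Selected controls:", ", ".join(sorted(controls)))
    for row in plan:
        print(f"{row['control']:8} {row['component']:12} {row['procedure']}  {row['reference']}")
```

The point of the two guards in tailor() is the one the deck keeps returning to: the baseline is a floor, so automation should refuse to drop a control silently, and the scoping rationale has to travel with the control into the body of evidence. Inheritance is handled as a separate row type because the assessor tests the provider's evidence, not the system, and platform tags keep host-level checks such as CM-6 off components that have no applicable guidance.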

Page 11

Getting It All Under Control

Recommendation: Optimize your GRC tool to support your A&A process and optimize your process to take advantage of the tool

Workflow and Roles

System Security Plan
o Import Selected Controls and Related Data
o Assemble With or Without Control Descriptions and Guidance

Other Documents

How much can you gain by integrating your GRC tool with your A&A process?

Page 12

Enterprise Risk Management

More Complex - At the enterprise level, risk management is a more complex and multifaceted undertaking

Risk Executive (Function) - Under RMF, the Risk Executive was introduced to link system-level risk management to enterprise-level risk management

Specifics - Organizations define many of the specifics for their own risk management
o For example: enterprise cybersecurity policy/procedures, acceptable system-level risks, creating meaningful metrics …
o Design as processes where applicable
o Allow for agility in meeting new threats, changed conditions
o Add measures to counter advanced persistent threats

The A&A process doesn't say much about how the Risk Executive should interact with Enterprise-level Risk Management.

Page 13

Other Risk-Based Initiatives

Trusted Supply Chain
o Establish Information Communications Technology Supply Chain Risk Management (ICT SCRM) Implementation Process
o Qualify vendors and service providers

Continuous Service Improvement (CSI)
o Effective compliance with security mandates
o Cost-efficient best practices

Page 14

Continuous Monitoring

What about continuous monitoring?

Continuous Monitoring is an important part of the RMF

It’s a candidate for automation

Not included here only because we are still working on it

We will have something positive to report in the not-too-distant future!

Page 15

Summary

Apply Automated tools to the A&A process

Integrate Security Controls into Governance, Acquisition, and Operations documentation

Continuous Service Improvement for the A&A process

RMF

Automated A&A

Integration

Continuous Improvement

Page 16

References

• CNSSI No. 1253, Security Categorization and Control Selection for National Security Systems, March 15, 2012, as amended

• DoD Instruction 8500.01, Cybersecurity, March 14, 2014

• DoD Instruction 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), March 12, 2014

• NIST SP 800-18 (rev 1), Guide for Developing Security Plans for Federal Information Systems, February 2006

• NIST SP 800-37 (rev 1), Guide for Applying the Risk Management Framework to Federal Information Systems, February 2010

• NIST SP 800-53 (rev 4), Security and Privacy Controls for Federal Information Systems and Organizations, April 2013

• Popick, P. R. (2013). Requirements Challenges in Addressing Malicious Supply Chain Threats. Insight, Vol. 16, Issue 2, 23-27

Page 17

Questions?

Page 18

Points of Contact

Fred J. Foster, PMP, ITIL v3
Lead Systems Engineer, Phacil Inc.
Defense Security Service
Office: 571-305-6040
Mobile: 703-362-4323
[email protected]
[email protected]

Gary Desilets, CISSP
Cybersecurity Specialist, Phacil Inc.
Defense Security Service
Office: 571-305-6474
[email protected]
[email protected]

Graphics/Technical Editing: John Wooleyhan, Phacil, Inc.