Risk Management Framework (RMF) Next

Headquarters U.S. Air Force
Integrity - Service - Excellence

Risk Management Framework (RMF) Next
Capt Jacob T. Mireles
SAF/CIO A6Z
28 Aug 2018

Agenda
- What is RMF Next
- Current RMF Challenges
- CyberWorx
- RMF Next Scope
- Foundational Pillars
- Guidance
- Approach
- Outcomes
- Next Steps

RMF Next
RMF Next is the initiative to apply design thinking to the implementation of the RMF with the objective of implementing risk management in a manner that:
- Supports innovation by shortening the dev-to-warfighter timeline
- Maximizes reciprocity and inheritance policies
- Develops an enterprise risk management methodology

Current RMF Challenges
- Threat Integration
  - Make decisions based on threat
- Risk Decision Maker
  - Is it the AO, mission owner, mission area owner, all/none?
- Inconsistency of Implementation
  - Every AO has developed their own risk model
- Skills Gap and Training
  - What is required to perform the roles (NICE Framework)
  - Having a certification is not enough
- Culture: Security must be a priority

Cyberworx
- Cyberworx Design Think vs. Lean Six Sigma Process Improvement
  - Not focused on looking at the current process
  - Complete redesign using Discovery and Ideation Cyberworx process
  - Includes Voice of the Customer (VOC) – the Warfighter
  - Discovery event held at Scott AFB, January 2018
  - Design Sprint Event held at USAFA, April 2018
- Pain Points
  - Inaccurate security posture
  - No consistency
  - Laborious
  - Considered a hindrance

Use Cases
Use Case Teams were established by utilizing the prior CyberWorx working group:
- Team #2 – Migrate to the Cloud
- Team #3 – Software as a Service (SaaS)
- Team #4 – Cyber Defense System
- Team #5 – Industrial Control Systems
- Team #6 – Enclave System
- Team #8 – Education and Training Systems

Foundational Tenets
(Diagram of the foundational pillars; the only label legible in the transcription is "Knowledge Management".)

Guidance
- Leverage new NIST SP 800-37 Revision 2
  - Links Tier 1 and Tier 3 better
  - Step "0" Prepare
  - Cybersecurity Framework
  - Privacy Risk Management
  - SecDevOps
  - Supply Chain Risk Management (SCRM)
  - Alternative Control Selection

Approach
- Prepares the organization to manage security and privacy risks
  - Tier 1 and Tier 3
- Each foundational team consisted of members from SAF and across the MAJCOMs
- Weekly SAF and bi-weekly team meetings ensured collaboration of stakeholders
- Analyze Step 0 tasks and outcomes
- Leverage the "Foundational Tenets" to identify deliverables to enable "Outcome"
  - Tier 1 – USAF Organization Perspective
  - Tier 3 – USAF System/Use Case Perspective

NIST 800-37 Rev 2, Step 0 (Prepare)

Tier 1 Step 0 (Prepare) - Approach
(Diagram: each Step 0 "Prepare" task is mapped against the Foundational Tenets and a gap analysis.)

Step 0 "Prepare", Task 1 - Identify and assign individuals to specific roles associated with security and privacy risk management
- Potential Inputs: Org security and privacy policies and procedures; Org charts
- Potential Outputs: Individuals are identified and assigned key roles for executing the Risk Management Framework.

Foundational Tenets: Documentation, Governance, Automation, Communication, Policy, Controls
Gap Analysis: What do we have? What do we need?

Tier 1 Step 0 (Prepare) - Outcomes
(Table: NIST 800-37 rev 2 Prepare step tasks and their outcomes, mapped to Foundational Work Products by tenet: Governance [GV], Communication [CM], Documentation [DO], Policy [PO], Controls [CO], Automation [AU]. Status legend: Adjudicate-Draft, Incomplete-Draft, Not Applicable, Needs Work; the status colour coding is not preserved in the transcription.)

Task 1 - Risk Management Roles
Outcome: Individuals are identified and assigned key roles for executing the Risk Management Framework.
- Governance: [GV1] RMF Roles and Responsibilities Matrix
- Communication: [CM1] RMF Role Based Training Plan (SCA role only)
- Documentation: [DO 1] RMF Role Based Training Requirements Flowchart (SCA role only)
- Policy: [PO 1] Draft AF Risk Management Strategy (annotated outline)
- Controls: [CO 1] Step 0 Common Controls Matrix
- Automation: [AU 1] Automation Strategy (PowerPoint)

Task 2 - Risk Management Strategy
Outcome: A risk management strategy for the organization that includes a determination and expression of organizational risk tolerance is established.
- Governance: [GV2] List of governance bodies to execute and maintain RMF Next
- Communication: [CM2] Communications Plan / Form
- Documentation: [DO 2] Proposed job aids for Risk Management Strategy
- Policy: [PO 1] Draft AF Risk Management Strategy (annotated outline)
- Controls: [CO 1] Step 0 Common Controls Matrix
- Automation: [AU 1] Automation Strategy (PowerPoint)

Task 3 - Risk Assessment - Organization
Outcome: An organization-wide risk assessment is completed or an existing risk assessment is updated.
- Governance: [GV3] Diagram of proposed governance structure with Risk Executive Function (REF)
- Communication: N/A
- Documentation: [DO 3] Comments on draft Risk Assessment Strategy from A4
- Policy: [PO 2] Comments on draft Risk Assessment Strategy from A4
- Controls: [CO 1] Step 0 Common Controls Matrix

Task 4 - Organization-wide Tailored Control Baselines and Profiles (Optional)
Outcome: Tailored control baselines for organization-wide use are established and made available.
- Governance: [GV3] Diagram of proposed governance structure with Risk Executive Function (REF)
- Communication: N/A
- Documentation: [DO 3] Comments on draft Risk Assessment Strategy from A4
- Policy: [PO 2] Comments on draft Risk Assessment Strategy from A4
- Controls: [CO 2] List of Organizational Tailored Control Baselines
- Automation: [AU 2] Turbo TAX ATO Proof of Concept; [AU 3] ARAD Controls for System Monitoring Automation

Task 5 - Common Control Identification
Outcome: Common controls that are available for inheritance by organizational systems are identified, documented, and published.
- Governance: [GV3] Diagram of proposed governance structure with Risk Executive Function (REF)
- Communication: N/A
- Documentation: [DO 3] Comments on draft Risk Assessment Strategy from A4
- Policy: [PO 2] Comments on draft Risk Assessment Strategy from A4
- Controls: [CO 3] List of Common Control Providers
- Automation: [AU 4] Organizational Risk Tolerance Baseline (ORTB) Controls for Automation

Task 6 - Impact-Level Prioritization (Optional)
Outcome: A prioritization of organizational systems with the same impact level is conducted.
- Governance: [GV4] Revised IT System Categorization Checklist
- Communication: N/A
- Documentation: [DO 3] Comments on draft Risk Assessment Strategy from A4
- Policy: [PO 2] Comments on draft Risk Assessment Strategy from A4
- Controls: [CO 1] Step 0 Common Controls Matrix
- Automation: [AU 1] Automation Strategy (PowerPoint)

Task 7 - Continuous Monitoring Strategy - Organization
Outcome: An organization-wide strategy for monitoring control effectiveness is developed and implemented.
- Governance: [GV5] Evaluation of DTRA continuous monitoring solution
- Communication: [CM3] RMF Knowledge Service - Knowledge Management Procedures
- Documentation: [DO 4] Proposed updates to CM Strategy
- Policy: [PO 3] Proposed updates to CM Strategy
- Controls: [CO 1] Step 0 Common Controls Matrix
- Automation: [AU 5] Proposed automation requirements for CM

Next Steps
- Staff Tier 1 organizational documents
  - Cybersecurity TAG
  - HAF staffing process (as required)
- Tier 3 system level Step 0 analysis
  - Analyze Step 0 tasks and identify essential activities
  - Using the six foundational pillars
- Develop enterprise ISCM strategy
  - IAW DOD guidance (i.e. NDAA 1653)
  - Collaborate with DoD CIO Tier II reform efforts

Questions
POC: Capt Jacob T. Mireles
NIPR email: jacob.t.mireles2.mil@mail.mil
Comm Phone: 703-692-6157

