Risk Management Framework Today - BAI RMF Resource Center


Risk Management Framework Today And Tomorrow
Formerly DIACAP Dimensions
November, 2015, Volume 5, Issue 3

In this issue:
System Categorization “Step by Step” (page 1)
What is STIG Viewer? (page 2)
Top Ten—STIGs (page 3)
Security Control Spotlight—A Little Good News (page 4)
Training for Today and Tomorrow (page 5)

Page 1

System Categorization “Step by Step”
By Lon J. Berman, CISSP

In the last issue of RMF Today and Tomorrow, we examined the importance of System Categorization (“Step 1” of RMF) and discussed its overarching principles. In this issue, we will walk through the categorization process step by step.

Step 1: Identify Information Types

The first and perhaps most important step in the system categorization process is the determination of the “information types” that are stored and processed by the system. So what exactly is an information type? The formal definition, per FIPS 199, is “A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management) defined by an organization or in some instances, by a specific law, Executive Order, directive, policy, or regulation.” In practice, each system owner or organization needs to determine the types of information stored and processed on their own system(s).

NIST Special Publication (SP) 800-60 is a key resource to aid system owners in identifying information types. SP 800-60 is entitled “Guide for Mapping Types of Information and Information Systems to Security Categories”. Volume 1 is concerned mostly with the categorization process itself, while Volume 2 (“Appendices”) is essentially a “catalog” of information types commonly stored or processed by government information systems, along with suggested categorizations for each type.

System owners should carefully review SP 800-60 Volume 2 and identify the relevant information types. A complete “description” is given for each information type to aid in identifying the ones most relevant to any particular information system. In most cases, only a handful of the numerous information types described in Volume 2 will be applicable. If there is information stored or processed by the system that does not readily “fit” into any of these predefined information types, system owners are free to “invent” their own information type(s) as needed. Steps 2 and 3 then need to be completed for each identified information type.

Step 2: Provisional Categorization

SP 800-60 Vol 2 provides “provisional” categorization for each information type. The provisional categorization is essentially a recommendation for categorization of the particular information type in the absence of any “special factors” (see below).

SP 800-60 Vol 2 provides the provisional categorization for each information type in the following format:

“Security Category {(confidentiality, X), (integrity, X), (availability, X)}”

In each case, “X” can be either High, Moderate or Low.

This is followed by a narrative description that provides justification for each of the three elements of the provisional categorization, i.e., confidentiality, integrity and availability.

If the system owner has identified information categories that are not listed in SP 800-60 Vol 2, it is his/her responsibility to come up with provisional categorization levels for confidentiality, integrity and availability, as well as providing justification for each.

See System Categorization, Page 2

Page 2

What is STIG Viewer (and why are there two answers)?
By Kathryn M. Farrish, CISSP

Security Technical Implementation Guides (STIGs) are published periodically by the Defense Information Systems Agency (DISA). STIGs contain very detailed lists of security settings for commonly used IT system components, such as operating systems, database management systems, web servers, network devices, etc.

Compliance with applicable STIGs is one of the key requirements of the RMF Assessment and Authorization (A&A) process. Applying and reviewing multiple STIGs across numerous information system components can present a daunting administrative challenge. A number of tools have been developed to assist system owners and their support staff.

DISA itself publishes a tool called the STIG Viewer. This is an application that runs on a Windows workstation. STIGs, published by DISA in XML format, can be uploaded into this tool and used to create checklists into which assessment results can be entered and managed. Additional features allow for searching of individual STIGs (or multiple STIGs) for particular subject areas or keywords.

Completely separate, but similarly named, is www.stigviewer.com. This is a web-based service provided by a company called Unified Compliance. It provides access to Unclassified STIG content, along with various searching and reporting functions. It is regularly updated as DISA releases new STIG content.

System Categorization, from Page 1

Step 3: Adjust for Special Factors

SP 800-60 Vol 2 describes various “special factors” that may affect the provisional categorization. The system owner needs to review these, determine if any are applicable, and adjust the categorization for that information type accordingly.

Once Step 2 and Step 3 have been completed for each identified information type, it is time to proceed to Step 4.

Step 4: Categorize the Information System as a Whole

To determine the “final” categorization of the information system as a whole, the system owner simply chooses, among all the information types, the highest value for Confidentiality, the highest value for Integrity, and the highest value for Availability.

The overall categorization of the information system is expressed as: Confidentiality-X, Integrity-X, Availability-X (where “X” is either High, Moderate or Low) - for example “Confidentiality-Moderate, Integrity-Moderate, Availability-Low” (“M-M-L” for short).

This is the complete categorization process for DoD systems, as well as for National Security Systems (NSS) located outside DoD. For non-NSS located outside DoD, the system owner takes the additional step of choosing the highest value among the categorization levels for confidentiality, integrity and availability, resulting in a single system-wide categorization level of High, Moderate or Low.

Step 5: Document Results

The system owner should carefully document each of the categorization steps, with appropriate justification, and be prepared to brief the Authorizing Official (AO) if requested.
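The five-step process above, worked through in code as an added example (not from the newsletter or BAI): Step 2 provisional C/I/A levels per information type, Step 3 special-factor overrides, Step 4 high-water mark across all types for DoD/NSS systems, and the extra single-level collapse for non-NSS systems outside DoD. The two information types and their levels are constructed for illustration, not taken from SP 800-60.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 impact levels; ordering lets max() pick the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3

    @property
    def label(self) -> str:
        return self.name.capitalize()  # e.g. "Moderate"


@dataclass
class InfoType:
    """One information type (Step 1) with its provisional categorization
    (Step 2) and any special-factor adjustments (Step 3)."""
    name: str
    provisional: dict                              # {"C": Impact, "I": Impact, "A": Impact}
    adjustments: dict = field(default_factory=dict)  # overrides keyed by "C"/"I"/"A"

    def final(self) -> dict:
        return {k: self.adjustments.get(k, v) for k, v in self.provisional.items()}


def categorize_system(info_types: list) -> dict:
    """Step 4 for DoD and NSS: highest C, highest I, highest A across all types."""
    if not info_types:
        raise ValueError("Step 1 must identify at least one information type")
    return {obj: max(t.final()[obj] for t in info_types) for obj in ("C", "I", "A")}


def single_level(cia: dict) -> Impact:
    """Additional step for non-NSS outside DoD: collapse the triple to one level."""
    return max(cia.values())


def long_form(cia: dict) -> str:
    return (f"Confidentiality-{cia['C'].label}, Integrity-{cia['I'].label}, "
            f"Availability-{cia['A'].label}")


def short_form(cia: dict) -> str:
    return "-".join(cia[obj].label[0] for obj in ("C", "I", "A"))  # e.g. "M-M-L"


# Constructed sample: two hypothetical information types with made-up levels.
SAMPLE = [
    InfoType("Personnel records (constructed)",
             {"C": Impact.MODERATE, "I": Impact.LOW, "A": Impact.LOW}),
    InfoType("Inventory control (constructed)",
             {"C": Impact.LOW, "I": Impact.LOW, "A": Impact.LOW},
             adjustments={"I": Impact.MODERATE}),  # Step 3: special factor raises integrity
]

if __name__ == "__main__":
    cia = categorize_system(SAMPLE)
    print(long_form(cia), f"({short_form(cia)} for short)")
    print("non-NSS single level:", single_level(cia).label)
```

Each InfoType's final() values, alongside the reason for any adjustment, are what Step 5 asks the system owner to record for the AO.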

Page 3

Top Ten—STIGs
By Annette Leonard

The Defense Information Systems Agency (DISA) is responsible for developing security guidance for configuring DoD information systems. An extensive collection of Security Technical Implementation Guides (STIGs) is published at http://iase.disa.mil/stigs/Pages/index.aspx. STIGs contain detailed configuration guidance (settings) for commonly-used software products and other system components. Most of these documents are updated on a regular basis.

CCI-000363 (part of security control CM-6) states “The organization defines security configuration checklists to be used to establish and document configuration settings for the information system technology products employed.” The assessment procedure for this CCI goes on to state “DoD has defined the security configuration checklists as DoD security configuration or implementation guidance, e.g., STIGs, SRGs.”

Our “Top Ten” list in this issue highlights the STIGs (or families of STIGs) that DoD information system owners are most likely to encounter.

10. Application Security and Development STIG. This STIG is a little different than most because it concerns the software development process rather than configuration of a particular system component. Any system where there is software development activity going on will need to comply.

9. Remote Desktop STIGs. This family of STIGs covers remote desktop technologies such as Citrix, which will be applicable to any system utilizing such technologies.

8. Network STIGs. This is an extensive family of STIGs that cover everything from specific network devices, such as routers and firewalls, to network design features such as infrastructure and DMZ. Systems encompassing networks, such as data centers, will need to pay attention to STIGs in this family.

7. Office Automation STIGs. Many systems (not just workstations) include office automation products such as Microsoft Office (Word, Excel, etc.). There are available STIGs for numerous versions of these products.

6. Host Based Security System (HBSS) STIGs. DoD policy requires HBSS on all information systems. These STIGs provide configuration specifications for numerous HBSS modules.

5. Antivirus STIGs. All systems are required to incorporate antivirus technologies and there are STIGs available to cover the most popular commercial products, such as Symantec and McAfee.

4. Web Browser STIGs. Systems that include web browsers will need to pay attention to this family of STIGs that covers products such as Internet Explorer, Mozilla Firefox and Netscape.

3. Web Server and Application Server STIGs. Modern information systems rely on at least some web technology. This family includes STIGs for popular web servers such as Apache and Microsoft Internet Information Server (IIS), as well as application servers such as Tomcat and JBoss.

2. Database STIGs. Most systems rely on database technology. The STIGs in this family cover the most popular commercial database management systems (DBMS), including Oracle and Microsoft SQL Server. A more general Database Security Requirements Guide (SRG) is available to cover other DBMS.

1. Operating System STIGs. Nearly every system owner will need to be concerned about the STIGs that pertain to the specific operating systems in use within the system boundary. STIGs in this family include Windows (numerous versions for both servers and workstations), UNIX/LINUX (numerous versions), Mainframe, Mac, and Virtualization (VMWARE).

Page 4

Security Control Spotlight—A Little Good News?
By Kathryn M. Farrish, CISSP

Imagine this dialog between Edward, a System Owner, and Christine, his Information System Security Manager (ISSM):

Edward (System Owner): “Now that we’ve completed our System Categorization, have you built the Security Control Baseline for our system?”

Christine (ISSM): “Yes, sir, I have. Our system has been categorized as ‘Moderate-Moderate-Moderate (M-M-M)’. There are about 400 Security Controls in our baseline, and these break down into a little over 1,600 CCIs (Control Correlation Identifiers, roughly equivalent to assessment objectives).”

Edward: “So we need implementation statements and documentation artifacts supporting 1,600 items?”

Christine: “I’m afraid so. But I do have good news. I just saved 15% on my car insurance.”

Oh, wait, wrong dialog. What she really said was:

Christine: “I’m afraid so. But I do have good news. About 25% of those have been declared ‘automatically compliant’ by DoD!”

“Automatically compliant?” What exactly does that mean? Simply put, it means that every DoD system is compliant by virtue of an existing policy or procedure at the DoD level. Let’s look at a couple of examples:

CCI-000101 (part of security control AT-1) states: “The organization disseminates a security awareness and training policy to organization-defined personnel or roles.” The DoD-provided assessment procedure for this CCI states: “DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01.” In other words, the existence of the DoD-level policy gives every DoD system an automatic “pass” on this CCI.

CCI-000348 (part of control enhancement CM-5(2)) states: “The organization defines a frequency to conduct reviews of information system changes.” The DoD-provided assessment procedure for this CCI states: “The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as every 90 days or more frequently as the organization defines for high systems AND at least annually or more frequently as the organization defines for low and moderate systems.” In other words, the existence of DoD-mandated minimum review frequencies gives every DoD system an automatic “pass”.

In most cases, only one or two of the CCIs associated with a particular control will be automatically compliant. The system owner will still be responsible for implementation and documentation artifacts to address the remainder of the control.

Even after subtracting the automatically compliant items, there is still a frighteningly large number of items that must be addressed by the system owner. Still, we’ll take any “freebies” we can get!

Just for fun, here are the statistics on automatic compliance for a few of the possible system categorizations:

Moderate-Moderate-Moderate system: 403 controls/enhancements; 1,631 CCIs total; 426 automatically compliant CCIs (26%)
Moderate-Moderate-Low system: 381 controls/enhancements; 1,584 CCIs total; 419 automatically compliant CCIs (26%)
Low-Low-Low system: 310 controls/enhancements; 1,376 CCIs total; 388 automatically compliant CCIs (28%)

Page 5

Training for Today and Tomorrow

BAI currently offers three training programs:

RMF for DoD IT – recommended for DoD employees and contractors that require detailed RMF knowledge and skill training; covers the new RMF life cycle and NIST security controls, the CNSS enhancements, and the transition from DIACAP to RMF. The program consists of a one-day “Fundamentals” class, followed by a three-day “In Depth” class.

RMF for Federal Agencies – recommended for federal “civil” agency employees and contractors (non-DoD); covers RMF life cycle and NIST security controls. Program consists of a one-day “Fundamentals” class, followed by a three-day “In Depth” class.

Information Security Continuous Monitoring (ISCM) – recommended for all; prior knowledge of RMF recommended. This is a three-day “In Depth” program.

Regularly-scheduled classes through March, 2016 are as follows:

RMF for DoD IT (Fundamentals and In Depth)
7-10 DEC 2015 (Colorado Springs / Online Personal Classroom)
25-28 JAN 2016 (National Capital Region / Online Personal Classroom)
15-19 FEB 2016 (Virginia Beach)
22-25 FEB 2016 (Huntsville / Online Personal Classroom)
21-24 MAR 2016 (Colorado Springs / Online Personal Classroom)

RMF for Federal Agencies (Fundamentals and In Depth)
14-17 MAR 2016 (Online Personal Classroom)

Information Security Continuous Monitoring
16-18 FEB 2016 (Online Personal Classroom)

For the most up-to-date training schedule, pricing information and any newly-added class dates or locations, please visit http://register.rmf.org.

On-line registration and payment is available at http://register.rmf.org. Payment arrangements include credit cards, SF182 forms, or purchase orders.

Classroom training. We offer regularly-scheduled classroom training at our training centers in Colorado Springs, Huntsville, National Capital Region (DC area) and Virginia Beach.

Online Personal Classroom(TM) training. This method enables you to actively participate in our regularly-scheduled instructor-led classes from the comfort of your home or office.

On-site training. Our instructors are available to present one or more of our training programs at your site. All you need is a group of students (normally at least 8-10) and a suitable classroom facility. Cost is dependent upon class size, so please contact us at 1-800-RMF-1903 (763-1903) to request an on-site training quotation. Note we can also provide Online Personal Classroom training to a “private” group of students from your organization.

Contact Us!
RMF Today and Tomorrow is a publication of BAI Information Security, Fairlawn, Virginia.
Phone: 1-800-RMF-1903
Fax: 540-808-1051
Email: rmf@rmf.org
