NIST Risk Management Framework (RMF) Process NISP

Transcription

NIST Risk Management Framework (RMF) Process – NISP Workflow (July 2017)

[Flowchart; only the recoverable box labels follow. Swimlanes: GCA Stakeholders; DSS CI/IO; ISSM/ISSO; ISSP; Authorization Official (AO).]

Step 1: Categorize
- Categorization & coordination control; discussion with GCA; coordinate with ISR/CISA; threat profile
- Artifacts: Initial SSP, RAR

Step 2: Select Controls
- Initial SSP w/ identified controls, RAR; submit initial / revise package; repeat SSP and supporting artifacts
- Decisions: Concur? (Yes/No); Existing active authorization? (Yes/No)
- ISSP returns SSP with rationale to Industry

Step 3: Implement
- ISSM builds system / updates configuration; SSP with tailored controls; return to Step 3
- Artifacts: Updated SSP w/ functional description of security control implementation, POA&M (if applicable)

Step 4: Assess
- Test / ISSM certifies system; schedule / conduct on-site visit; start Security Assessment Report and complete OBMS inputs; complete SAR; ISSP updates OBMS vulnerability table & Security Assessment Report
- Decision: Authorization recommendation? (Yes/No)
- Artifacts: Final SSP, Certification Statement, RAR, POA&M, and SSP supporting artifacts

Step 5: Authorize
- Update OBMS, include artifacts, forward to AO; AO approves system / AO denies system; ATO letter; use system; return; …vice denial (label partly garbled)
- Artifacts: Final SSP, SSP supporting artifacts, POA&M (if applicable), SAR, and Authorization Letter

Step 6: Monitor
- Monitoring phase: ISSM is responsible for ensuring the security posture is maintained. Assess impact of changes to the system upon the environment. Review selected controls annually.
- ISSP continually assesses system posture
- Artifacts: Updated POA&M, updated SSP, status reports, decommissioning strategy (as necessary) and continuous monitoring strategy

Key: Start; Internal process; External process; External control; Process; Document; Decision; Process variable; Team Lead (TL); Manual; Stop; TL assigns an ISSP/SCA; Storage; Association; Return

DSS Risk Management Framework (RMF) Process – Step 1 (Categorize)
Source: DAAPM Ver. 1.1   Author: A.E. Carbone/IOFSA   Revised: 2017/05/18

[Flowchart; swimlanes: AO; ISSP/SCA; GCA/Stakeholders; DSS IO/CI; ISSM. Recoverable box labels:]
- Start
- Collect key documents (Contract, DD 254, RAR, SCG, etc.)
- Determine system's authorization boundary
- Decision: Current RAR on record? (Yes/No)
- Decision: Higher impact levels justified? (Yes/No)
- Prepare Risk Assessment Report (RAR)
- Coordinate with company's assigned DSS ISR/CISA
- Provide program risk assessment / threat data information
- Obtain GCA / Stakeholder approval (SSP artifact); GCA / Stakeholder approval memo
- Determine final categorization of IS & information therein (default M-L-L)
- Update SSP (description, authorization boundary, system type, etc.)
- Go to RMF Step 2

DSS Risk Management Framework (RMF) Process – Step 2 (Select Security Controls)

[Flowchart; swimlanes: ISSM; ISSP/SCA; GCA/Stakeholders; ISSP-TL / AO. Recoverable box labels:]
- From RMF Step 1
- Identify baseline security controls for IS categorization (REF: RAR, SCG, Contract, etc.; NIST SP 800-53 v4; DSS Overlay; CNSSI 1253 Overlay(s); DAAPM)
- Update SSP with baseline security controls
- Tailor security controls as needed
- Decision: Tailored-out SecCtrls? (Yes/No); justification (DD 254, SOW)
- Coordinate tailored SecCtrls with ISSP-TL / AO; tailored SecCtrl approval
- Update SSP with tailored security controls & justification
- Develop CONMON strategy
- Submit SSP, RAR, CONMON strategy, & artifacts into OBMS (UNCLAS docs only)
- Email ISSP of DSS RMF Step 1/2 OBMS submission
- Review RMF package submission
- Decision: Concur w/ Cat & SecCtrl selection? (Yes/No)
- Complete Categorization & Implementation Concurrence Form / Non-Concurrence Form; upload Categorization & Implementation Concurrence Form into OBMS
- Return OBMS record back to submitter (ISSM); email ISSM of DSS RMF Step 1/2 OBMS submission
- Decision: AO requires RAL? (DD 254, SOW, RAL); notify ISSM of RAL requirement
- Decision: Severe issues w/ RMF …? (label partly garbled); proceed w/ DATO action, to Step 4 Part (B)
- To RMF Step 3

DSS Risk Management Framework (RMF) Process – Step 3 (Implement Security Controls)

[Flowchart; swimlanes: ISSM; GCA; AO; ISSP/SCA. Recoverable box labels:]
- From RMF Step 2
- Implementation tools: Tailored SSP; DAAPM; STIG Viewer; SCAP Compliance Checker (SCC) Tool; NAO Group Policy Config Tool; manual configuration; various applicable policies
- Implement technical security controls on system(s)
- Continuity of Operations (COOP) Plan
- Disaster Recovery Plan (DRP)
- Develop … Management (CM) Plan (label partly garbled)
- Incident Response Plan (IRP)
- Update SSP with security … plan (label partly garbled)
- Start POA&M
- Updated SSP (UNCLAS docs only)

DSS Risk Management Framework (RMF) Process – Step 4 (Assess Security Controls) – Part (A)

[Flowchart; swimlanes: ISSM; AO; ISSP/SCA. Recoverable box labels:]
- From RMF Step 3
- Download validation tools and install on system for SCA OSV (STIG Viewer, SCC, etc.)
- Assessment tools: Tailored SSP parameters; SCAP Compliance Checker (SCC); NIST security controls; STIG Viewer Tool
- Conduct initial assessment to ensure security controls operating as intended
- Update SSP with actual security control state information
- Develop/update POA&M with residual vulnerabilities (artifacts: Updated SSP; POA&M)
- Submit final RMF authorization package via OBMS (UNCLAS docs only); email ISSP of OBMS submission
- Package contents: … (Required) (label partly garbled); RAR (Required); COOP, DRP, etc.; CM Plan; CCB Charter; Contract info (DD 254, SOW, RFP); MOU/MOA/ISA; IRP; Security Awareness & Training Plan; RAL(s); all other relevant artifacts (policy)
- To RMF Step 4B

DSS Risk Management Framework (RMF) Process – Step 4 (Assess Security Controls) – Part (B)

[Flowchart; swimlanes: ISSP/SCA; ISSP-TL; AO. Recoverable box labels:]
- From RMF Step 4A; From Step 2; From Step 5
- Download RMF Auth Pkg from OBMS
- Review RMF Auth Pkg documentation (assessment tools: DAAPM; other policy; Tailored SSP & artifacts; security controls; SCAP Compliance Checker (SCC); STIG Viewer Tool)
- Decision: RMF Auth Package acceptable? (Yes/No)
- Confirm ISSM installed latest STIG/SCAP tools
- Schedule OSV with ISSM
- Conduct OSV and assess IS against SSP and current policy
- Record plan review, TRAP & vulnerabilities in OBMS
- Decision: RMF Pkg and/or OSV issues? (Yes/No); correct on the spot and/or update POA&M
- Verify POA&M reflects all vulnerabilities
- Decision: Unsat SAR? (Yes/No); document weaknesses/deficiencies in SAR
- Upload SAR & support docs into OBMS; go to Step 5
- Initiate DATO package; email DATO package to ISSP-TL
- QC check DATO package; Decision: DATO pkg pass QC check? (Yes/No); send DATO pkg back to ISSP with corrections
- Email DATO package to AO
- Sign DATO letter & email to ISSM/DSS staff
- Upload DATO ltr in OBMS & closeout record; Stop

DSS Risk Management Framework (RMF) Process – Step 5 (Authorize Information System)

[Flowchart; swimlanes: ISSP/SCA; ISSP-TL; AO; ISSM. Recoverable box labels:]
- From Step 4 Part (B)
- Initiate ATO package
- Record terms & conditions in ATO letter
- Record OSV TRAP & vulnerabilities in OBMS
- Email ATO package to ISSP-TL
- QC check ATO package; Decision: ATO pkg pass QC check? (Yes/No); send ATO pkg back to ISSP with corrections
- Email ATO package to AO
- Decision: AO accepts risk? (Yes/No); return ATO pkg to ISSP-TL with risk concerns; coordinate DATO action with ISSP; to Step 4 Part (B)
- Sign ATO ltr and email to ISSM/DSS staff
- Upload ATO ltr in OBMS & closeout record
- Go to Step 6

DSS Risk Management Framework (RMF) Process – Step 6 (Monitor Security Controls)

[Flowchart; swimlanes: ISSM; ISSP/SCA; AO. Recoverable box labels:]
- Implement CONMON strategy
- Assess security control subset IAW CONMON strategy
- Mitigate risk based on CONMON results
- Update SSP & POA&M
- Submit status reports to ISSP IAW CONMON strategy
- Review ISSM's status report; Decision: Acceptable risk? (Yes/No); file status report
- Develop risk mitigation strategy with ISSM; approve mitigation strategy; email decommission letter / update risk mitigation strategy
- Decision: … (label garbled; Yes branch) implement decommission strategy
- Submit IS decommission action in CA
- Prepare decommission letter; create ISFD entry
- Sign decommission letter; email decommission ltr to ISSM/DSS staff
- Upload decom ltr in OBMS & closeout record

