
A brief description of this course
1.2. What is a network?
1.2.1. What is a network?
1.2.2. Let's look at a home network
1.3. Components of an enterprise network part 1
1.3.1. What is an enterprise network?
1.3.2. Users
1.3.3. Routers and switches
1.4. Components of an enterprise network part 2
1.4.1. Introduction to IP addresses
1.4.2. Introduction to the Active Directory (AD) server
1.5. Components of an enterprise network part 3
1.5.1. Data and the hard drive
1.5.2. The storage and backup server
1.6. The components of an enterprise network part 4
1.6.1. Why do we need servers?
1.6.2. Pop quiz!!
1.8.1. What is the internet?
1.8.2. Pep talk
1.9. The human component of an enterprise network part 1
1.9.1. System admins
1.9.2. Network admins
1.9.3. Service desk
1.9. The human component of an enterprise network part 2
1.9.1. Project managers
1.9.2. Contractors, full-time employees and the CIO
1.9.3. IT security team
1.10. The human component of IT support: part 2
1.10.1. DOP org chart
1.10.2. Programmers/application developers, COTS and customized applications
1.10.3. The uniqueness of roles at every organization
1.11. Introduction to our simulated environment: the operations team
1.11.1. DOP – OCIO
1.11.2. DOP – Project manager (operations)
1.11.3. DOP – Service desk manager
1.11.4. DOP – SSC manager
1.11.5. DOP – NSC manager
1.12. Introduction to our simulated environment: the security team
1.12.1. DOP – CISO
1.12.2. DOP – Project manager (ITSec)
1.12.3. DOP – ISSM
1.12.4. Chapter 1 conclusion
2.1. Introduction to security compliance and FISMA requirements
2.1.1. Understanding security compliance
2.1.2. Overview of NIST and FISMA requirements
NIST publishes a series of guideline documents called Special Publications (SP) and the Federal Information Processing Standards (FIPS). All of them provide valuable information on how to become FISMA compliant. I want you to memorize them all!!
Just kidding, you do not need to memorize anything; every publication is freely available on the NIST website. The primary document I want you to focus on is Special Publication (SP) 800-37, titled "Risk Management Framework for Information Systems and Organizations". In my opinion, this document can be used as the central focus that makes everything else about FISMA compliance make sense. It is hundreds of pages long, but don't worry, I am going to give you a high-level summary of all of it.
NIST SP 800-37
Do a Google search for the document by typing "800-37 rev 2 site:nist.gov" and take a look through it. Section 2.2 of the document lays out all the steps required for a system (in our case, the DOP network) to be FISMA compliant. The figure in that section is a summary of what we call the Risk Management Framework (RMF):
Step 0 (Prepare) shows us how to prepare the organization and the system.
Step 1 (Categorize) details how we categorize that same system.
In step 2 (Select), we select our security controls.
In step 3 (Implement), we implement those security controls.
In step 4 (Assess), the security controls are assessed.
In step 5 (Authorize), we authorize the system.
And in step 6 (Monitor), we conduct continuous monitoring.
Don't worry, we are going to go over each of these steps in detail and show you how to apply them in real-world scenarios so they make sense to you. Remember, earlier I said FISMA compliance can be broken up into two parts: part 1, where the System Security Plan (SSP) is drafted, and part 2, where that same plan is assessed by an independent assessor. After completing steps 0-3, you should be able to produce the SSP. After completing steps 4 and 5, that plan should have been assessed and the organization should have its Authorization to Operate (ATO). Step 6 covers the security activities that continue after the ATO is granted, outside of the push to obtain it. Let's go through it, starting with step 0.
2.2. RMF step 1 – Security categorization
2.2.1. NIST guidance documents
2.2.2. NIST 800-53 rev 4
2.2.3. Security categorization rating
2.2.4. CIA (confidentiality, integrity and availability)
2.3. Security categorization part 2
2.3.1. Low, moderate and high category
2.3.2. Information types and information systems
2.3.3. Security categorization interview with James Comment Peace Agent Manager
2.3.4. Categorizing the information system
2.3.5. DOP network security categorization
2.4. RMF STEP 1-Security Categorization part 3
2.4.1. Security Compliance is Qualitative analysis
2.4.2.PTA and BIA
2.4.3.Asking the right Questions
2.4.4.Security Categorization Cheat Sheet
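The categorization lectures above come down to one rule from FIPS 199: each information type gets a low/moderate/high impact value for confidentiality, integrity and availability, and the system's category is the high-water mark across all of its information types for each objective. The following is an added worked example, not material from this course; the "DOP" information types and their impact values are constructed for illustration, since in the course those values come from the mission owner's interview, not from the analyst. It also handles the one edge case FIPS 199 calls out: "not applicable" is allowed only for the confidentiality of an information type (for example, public information) and never at the system level, where the floor is Low.

```python
"""FIPS 199 security categorization by the high-water mark (added example)."""
from typing import Dict, Mapping, Sequence, Tuple

# FIPS 199 potential impact levels, in ascending order so rank comparisons work.
LEVELS = ("LOW", "MODERATE", "HIGH")
RANK = {level: i for i, level in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")
NOT_APPLICABLE = "NA"  # permitted only for confidentiality of an information type

# Constructed sample for a hypothetical "DOP network": information type -> (C, I, A).
# In practice these provisional values come from the mission owner / NIST SP 800-60.
SAMPLE_INFO_TYPES: Dict[str, Tuple[str, str, str]] = {
    "public web content":        ("NA",       "MODERATE", "LOW"),
    "employee PII (HR records)": ("MODERATE", "MODERATE", "LOW"),
    "case management data":      ("MODERATE", "HIGH",     "MODERATE"),
}


def _check_level(objective: str, level: str) -> str:
    """Normalize an impact value and enforce the FIPS 199 rules for 'NA'."""
    level = level.strip().upper().replace("N/A", "NA")
    if level == NOT_APPLICABLE:
        if objective != "confidentiality":
            raise ValueError(f"'NA' is only permitted for confidentiality, not {objective}")
        return level
    if level not in RANK:
        raise ValueError(f"unknown impact level {level!r} for {objective}; expected one of {LEVELS}")
    return level


def categorize_information_type(impacts: Sequence[str]) -> Dict[str, str]:
    """Security category of one information type: SC = {(C, x), (I, y), (A, z)}."""
    if len(impacts) != len(OBJECTIVES):
        raise ValueError("expected exactly three impact values (C, I, A)")
    return {obj: _check_level(obj, lvl) for obj, lvl in zip(OBJECTIVES, impacts)}


def categorize_system(info_types: Mapping[str, Sequence[str]]) -> Tuple[Dict[str, str], str]:
    """High-water mark per objective across all information types, plus the overall level.

    Returns ({objective: level}, overall_level). 'NA' never propagates to the system:
    FIPS 199 sets a minimum of LOW for every objective at the system level.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    per_objective = {obj: "LOW" for obj in OBJECTIVES}  # system floor is LOW
    for impacts in info_types.values():
        sc = categorize_information_type(impacts)
        for obj in OBJECTIVES:
            level = sc[obj]
            if level == NOT_APPLICABLE:
                continue  # contributes nothing above the LOW floor
            if RANK[level] > RANK[per_objective[obj]]:
                per_objective[obj] = level
    overall = max(per_objective.values(), key=RANK.__getitem__)
    return per_objective, overall


def format_security_category(per_objective: Mapping[str, str]) -> str:
    """Render the category in the FIPS 199 notation used in an SSP."""
    inner = ", ".join(f"({obj}, {lvl})" for obj, lvl in per_objective.items())
    return "SC = {" + inner + "}"


if __name__ == "__main__":
    per_obj, overall = categorize_system(SAMPLE_INFO_TYPES)
    print(format_security_category(per_obj))
    print("Overall system categorization (high-water mark):", overall)
```

With the constructed sample, a single High-integrity information type (case management data) pulls the whole system to High, which is exactly the conversation the course's interview questions are meant to surface: one mission-critical data set decides the baseline every control in steps 2 through 4 is selected against.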
In this video, we're diving into the system-level tasks of Risk Management Framework (RMF) step 0, Prepare. Here we cover the tasks that get your system ready for security categorization. They go beyond the organization-level preparation to focus on the unique elements of your own system.
Topics covered:
Mission or business focus (Task P-8): defining the mission or business functions the system supports.
System stakeholders (Task P-9): identifying key points of contact (POCs) such as the system owner, security manager and administrators.
Asset identification (Task P-10): listing the hardware and software assets within the system.
Authorization boundary (Task P-11): defining the scope of control and responsibility, i.e. what is in and out of the system.
Identify information types (Task P-12): cataloging the information types that feed the system's security categorization.
Information life cycle (Task P-13): examining how information is created, processed, shared, stored and disposed of within the system.
In this video I simplify each task, offering tips and real-world examples to make the process easier. Whether you're new to the RMF or need a refresher, this video is designed to guide you through each system-level task.
2.6. Components of a system and technical description
2.6.1. Overview of the SSP document
2.6.2. Components of a system/technical description
2.7. Components of a system/technical description part 2
2.7.1. What we've covered so far
2.7.2. System environment
2.7.3. System interconnections
2.7.4. Applicable laws, regulations and policies
2.7.5. Conclusion
RMF step 2 – Select security controls
Introduction to NIST 800-53B
Security control format in NIST 800-53
Implementation statement practice (CA-3)
Implementation statement CA-3a
Strategy for writing a good implementation statement
2.9. Pep talk! – Intro to the SSP simulation
2.10. SSP simulation – Editing the cover page
2.10.1. Meet Joey Perez, the ISSM
2.10.2. Meet your project partner
2.10.3. The SSP template from FedRAMP
2.10.4. SSP – Cover page section
2.10.5. SSP – Prepared by section
2.10.6. SSP – Record of changes and revision history section
2.11. SSP simulation – Editing security categorization
The process to determine the level of assurance required of a digital identity is quite detailed, but once you understand it, it's pretty easy to follow. NIST SP 800-63-3 splits digital identity into three separate assurance levels:
• IAL (Identity Assurance Level): how strongly the person's real-world identity was proofed
• AAL (Authenticator Assurance Level): how strongly the authentication process binds the claimant to that identity
• FAL (Federation Assurance Level): how strongly an assertion about the identity is protected when it is federated to another party
In the last video you learned how to determine your Identity Assurance Level. Now let's find out what each of the three levels means.
Table 4-1 of NIST SP 800-63-3 has a good summary chart of what is required for each IAL. I will give you a high-level view of each.
• Monday 1:30 PM – Let's get the digital identity section done, shall we? You should know how to complete the digital identity worksheet from the last video! Just like security categorization, we as analysts and contractors are NOT allowed to decide whether the impact categories are low, moderate or high. We will need to interview a full-time DOP mission expert who understands how things may impact the organization's mission goals. The same mission-area experts that answered our security categorization questions should be able to provide impact-level recommendations for digital identity. Section 2.3 says that we can use NIST SP 800-63-3 to guide their decision.
• Let's move on to section 3, shall we…
We will fill out the system owner information in table 3-1. We already know this information, so I will enter it here.
2.14. SSP simulation – Completing the general system description and user types
2.14.1. System function or purpose
2.14.2. Information system components and boundaries
2.14.3. Types of users
2.15. SSP simulation – Describing the network architecture, environment and inventory
2.15.1. Network architecture
2.15.2. System environment and inventory
2.15.3. Data flow
2.15.4. Ports, protocols and services
3.1. RMF step 4 – Assessing security controls part 1
3.1.1. The independent assessor
3.1.2. Drafting the Security Assessment Plan (SAP) and testing methodology
3.2. The Security Assessment Report – From objective to assessment result
3.2.1. The Security Assessment Report (SAR) template
3.2.2. Assessment objective ("determine if" statement)
3.2.3. Examine, interview and test
3.2.4. Observation and evidence
3.2.5. Implementation status
3.2.6. Assessment result
3.3. The Security Assessment Report cont'd
3.3.1. Identified risk
3.3.2. Risk likelihood
3.3.3. Impact level
3.3.4. Risk exposure level
3.3.5. Risk statement
3.3.6. Recommendation for mitigation
3.3.7. SSP implementation statement differential
3.3.8. Assessor POC
3.4. RMF step 5 – Authorize the information system
3.4.1. Drafting the POA&M
3.4.2. Unique identifier and control
3.4.3. Weakness detector, source identifier, plugin ID, asset identifier, POC
3.4.4. Resources required, overall remediation plan, original detection date
3.4.5. Scheduled completion date, planned milestones, milestone and status change, vendor details and risk details
3.4.6. False positive, operational requirement, deviation rationale, supporting documents
3.5. RMF step 5 cont'd and RMF step 6 – Monitor the security controls
3.5.1. Step 5 complete – Obtain the ATO
3.5.2. RMF step 6 – Monitor the security controls
3.5.3. System A&A frequency
3.5.4. Introduction to simulation #2 – Security assessment
3.6. Assessment simulation – Introductions and preparation for the assessment
3.6.1. The assessor meets Stefan
3.6.2. The assessor meets me, the ISSO
3.6.3. The assessor drafts the SAP
3.6.4. Getting ready for the kick-off meeting
3.7. Sample security assessment kick-off meeting
3.8. Security assessment simulation – Completing the SAR
3.8.1. FedRAMP SAR template
3.8.2. The security test case procedure template is the DOP SAR
3.8.3. Assessing security control AC-2.h
3.9. Security assessment simulation – Completing the SAR part 2
3.9.1. Assessing security control AC-2.j
3.10. Security assessment simulation – Introduction to the POA&M
3.10.1. Joey asks you to begin drafting a POA&M list
3.10.2. Control AT-3 is selected as the example for the first POA&M
3.11. Security assessment simulation – POA&M #1 – AT-3
3.12. Security assessment simulation – Submit the authorization package (RMF step 5) and receive the ATO
3.13. Phase 1 completion – Pep talk!
3.13.1. Advice for those that don't like security compliance
3.13.2. Advice for those that don't like security engineering
In this course, I will teach you the Risk Management Framework (RMF). My goal is to show you how to complete a security Assessment and Authorization process (also known as system A&A). If you don't know what all those terms mean, don't worry, we will break it all down in this course.
I like to cater to beginners, because well… I used to be one. So before we get into FISMA compliance, chapter 1 will teach you some foundational IT concepts. I do this by getting you to understand what an enterprise network is and what it takes to support one.
After that I'm going to show you how to draft a System Security Plan (SSP), how to assess the SSP, how to document your Plan of Action and Milestones (POA&M) and how to submit your authorization package. These are the key components of completing the RMF process.
This course is taught from a true-to-life approach. That means I put you in a simulated work environment where you're the security analyst working with me on our system A&A project. I did this because I think that's the best way for you to retain the information you will learn in this course.
Oh! And since we're dealing with security compliance, it can start to feel a bit monotonous at times, so I try to throw in a few jokes here and there to make sure you're alert and keeping up. Some people call my jokes corny, others call them dad jokes. I call them funny! You be the judge.
Ok, enough talking, let's get to work. Fasten your keyboard, we're blasting off to FISMA!