Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles


Transcript of Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles

Page 1: Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
© 2016 Maze & Associates, Revision 10 (March 2016). Images from Microsoft Clipart unless otherwise noted; other sources: NIST and Donald E. Hester. Picture: Muir Beach, north of San Francisco, CA; photo by Donald E. Hester, all rights reserved.
Page 2
RMF Roles and Responsibilities
Picture: Empire Mine, Nevada City, CA; photo by Donald E. Hester, all rights reserved.
Reading:
- NIST SP 800-37 Rev 1, Appendix D
- Official (ISC)2 Guide to the CAP CBK, Second Edition, Chapter 1, pp. 49-62
- DoDI 8500.2
- NSTISSI No. 4009
Page 3
Roles and Responsibilities
- Head of Agency or CEO
- Risk Executive (function)
- Chief Information Officer (CIO)
- Chief Information Security Officer (CISO)
- Information Owner/Custodian
- Information System Owner (System Owner)
- Information Systems Security Officer (ISSO)
- Security Control Assessor (Certifying Agent)
- Authorizing Official (AO) / Approving Authority (AA)
- Common Control Provider
- Approving Authority Designated Representative
Different C&A frameworks use different names, e.g. NIST, DCID 6/3, DITSCAP, DIACAP, NIACAP, ISO. See NIST SP 800-37 Rev 1 Appendix D and CNSS Instruction No. 4009.
Page 4
Roles and Responsibilities (continued)
- Auditor
- System Administrator/Manager
- Business Unit Manager
- Project Manager
- Risk Analyst
- Facility Manager
- Executive Management
- Authorization Advocate
- User Representative
- Information Security Architect
- Information Systems Security Engineer
Different C&A frameworks use different names, e.g. NIST, DCID 6/3, DITSCAP, DIACAP, NIACAP, ISO. See NIST SP 800-37 Rev 1 Appendix D and CNSS Instruction No. 4009.
Page 5
Head of Agency
- Head of Agency or Chief Executive Officer (CEO)
- Highest-level senior official or executive
- Overall responsibility to provide information security
- Ensures security is commensurate with the risk to the organization
- Responsible for the security of third-party use or operation of systems
- Responsible for ensuring security is integrated into strategic and operational planning
- Responsible for ensuring personnel are sufficiently trained
- Establishes appropriate accountability and commitment to create a climate that promotes due diligence
Source: NIST SP 800-37 Rev 1 Appendix D
Notes: The agency head is ultimately responsible for deciding the acceptable level of risk for their agency. System owners, program officials, and CIOs provide input for this decision. Such decisions must reflect policies from OMB and standards and guidance from NIST (particularly FIPS 199 and FIPS 200). An information system’s Authorizing Official takes responsibility for accepting any residual risk and is thus held accountable for managing the security of that system. (OMB M-10-15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management)
Page 6
Risk Executive Function
- Looks at risk from the program level
- Organization-wide perspective
- Overall strategic goals and objectives
- Risk to the organization’s mission
- Creates a consistent, organization-wide risk management approach
- Addresses the organization’s risk tolerance (risk appetite)
- Provides oversight
- Provides for sharing of risk-related information
Source: NIST SP 800-37 Rev 1 Appendix D
Page 7
Chief Information Officer (CIO)
“The Chief Information Officer, with the support of the senior agency information security officer, works closely with authorizing officials and their designated representatives to ensure that an agency-wide security program is effectively implemented, that the certifications and accreditations required across the agency are accomplished in a timely and cost-effective manner, and that there is centralized reporting of all security-related activities.” NIST SP 800-37
- Overall responsibility for the organization’s security
- Delegates authority to the SISO
- Provisions resources
- Provides oversight
- Maintains visibility
- Develops and maintains policies
- Assists executive-level officials concerning security responsibilities
- The CIO and AO allocate appropriate resources to the system
- Government employee only
Page 8
Senior Information Security Officer (SISO)
- AKA Senior Agency Information Security Officer (SAISO) or Chief Information Security Officer (CISO)
- Senior manager in charge of information security
- Accountable for most aspects of security within the organization
- Liaison between the CIO and other roles
- Security is their primary duty
- Head of the RMF program within the organization: establishes the program, enforces the program, responsible for its success
- Government employee only
- May serve as AO Designated Representative or as security control assessor
Page 9
Information Owner / Steward
- Agency official with statutory management or operational authority for specific information
- Establishes rules of behavior for that information
- Establishes policies and procedures for generation, collection, processing, dissemination, disposal and retention
- Provides input to information system owners on protection requirements
Sources: NIST SP 800-37 Rev 1 Appendix D; FIPS 200; CNSSI-4009
Notes: You may have seen Data Owner or Custodian as a title for this role in the past. “The information owner is an agency official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.” NIST SP 800-37. The information owner typically owns the business process, is aware of the required protection for the data, and establishes the impact level for the business process.
Page 10
Authorizing Official (AO)
“A senior management official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations, agency assets, or individuals.” NIST SP 800-37
- Also known as Designated Approving Authority (DAA or DAO)
- Senior management
- Formally accepts responsibility for operating an information system and accepts the residual risk to the system
- Must be a government employee
- May have a designated representative who can do everything but sign or decide the accreditation
- Typically has budgetary oversight
- Responsible for the mission and/or business operations supported by the system
- Accountable for the security of the system
- A system may have multiple AOs
Sources: NIST SP 800-37 Rev 1 Appendix D; NIST IR 7298; CNSSI-4009; FIPS 200
Notes: You may see a number of different names for this role: Designated Approving Authority (DAA), Designated Accrediting Authority (DAA), Approving Authority (AA), Principal Accrediting Authority (PAA).
Page 11
Authorizing Official Designated Representative
- Acts on behalf of an Authorizing Official
- Handles day-to-day activities
- Can be empowered for certain decisions: approve system security plans, approve monitoring, implement the Plan of Action and Milestones (POA&M), complete the authorization package
- The only thing the designated representative cannot do is make the authorization decision and sign the authorization document
Source: NIST SP 800-37 Rev 1 Appendix D
Page 12
Information System Owner
“Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.” NIST SP 800-37
- Also known as System Owner or IT Manager
- Coordinates with the information owner on user access
- Primary responsibility for the system over its full lifecycle
- Often it is the IT department
- Ensures compliance with policies
Page 13
System Administrator (SA)
“Individual responsible for the installation and maintenance of an information system, providing effective information system utilization, adequate security parameters, and sound implementation of established Information Assurance policy and procedures.” CNSS Instruction No. 4009
- In charge of day-to-day operation and administration
- Implements technical and operational controls
- IT administrators
- Separation of duties from the ISSO
- Implements hardware changes and software changes; backups, monitoring and maintenance
Page 14
Information Systems Security Officer (ISSO)
“The information system security officer often plays an active role in developing and updating the system security plan as well as in managing and controlling changes to the system and assessing the security impact of those changes.” NIST SP 800-37
- Principal advisor to the AO
- Serves as an agent of the information system owner
- Monitors day-to-day security on the system
- Coordinates with physical security, personnel security, incident handling and security awareness
- May not actually touch the system
- Close collaboration with the information system owner
- Assesses the security impact of changes to the system
Source: NIST SP 800-37 Rev 1 Appendix D
Page 15
Auditor
- Provides an independent (unbiased) assessment of controls and of the program
- Ensures documentation is adequate: weaknesses identified, corrective actions specified
- Examples: Security Control Assessor, Inspector General
Page 16
Inspector General (IG)
- Program-level audit
- Ensures compliance with FISMA and other government policies
- Provides an independent (unbiased) assessment of the RMF program
- Looks at individual program components
- Ensures documentation is adequate: weaknesses identified, corrective actions specified
Notes: “In the United States, an Inspector General (IG) is a type of investigator charged with examining the actions of a government agency, military organization, or military contractor as a general auditor of their operations to ensure they are operating in compliance with general established policies of the government, to audit the effectiveness of security procedures, or to discover the possibility of misconduct, waste, fraud, theft, or certain types of criminal activity by individuals or groups related to the agency's operation, usually involving some misuse of the organization's funds or credit. In the United States, there exist numerous Offices of Inspector General (OIGs) at the federal, state, and local levels.” Retrieved 22-JUN-2010 from http://en.wikipedia.org/wiki/Inspector_General
IG evaluations are intended to independently assess whether the agency is applying a risk-based approach to its information security programs and the information systems that support the conduct of agency missions and business functions. When reviewing the assessment in support of an individual security authorization, for example, the IG would generally assess whether: 1) the assessment was performed in the manner prescribed in NIST guidance and agency policy; 2) controls are being implemented as stated in any planning documentation; and 3) continuous monitoring is adequate given the impact level of the system and information. (OMB M-10-15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management)
Page 17
IG findings may get press.
Page 18
Security Control Assessor
“The certification agent is an individual, group, or organization responsible for conducting a security certification, or comprehensive assessment of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.” NIST SP 800-37
- AKA Certification Agent or Certifying Agent
- Independent authority
- Impartial and unbiased (separation of duties)
- Measures the effectiveness and completeness of controls at the system level
- Level of independence is based on the risk to the system
Sources: NIST SP 800-37 Rev 1 Appendix D; FIPS 200; CNSSI-4009
Notes: Also known as Security Control Assessor, Certifier, Certification Analyst, Certification Agent, Certifying Agent, Assessor, Certifying Authority.
Page 19
Other Roles
- Common Control Provider: individual or group responsible for the development, implementation, monitoring and assessment of common controls (agency-wide, center-wide, campus-wide, building-wide)
- Information Security Architect: ensures security has been adequately addressed in all aspects of the enterprise architecture
- Information Systems Security Engineer: ensures security requirements are effectively integrated into information technology
Sources: NIST SP 800-37 Rev 1 Appendix D; CNSSI-4009
Page 20
IT Security Program Steering Committee
- Provides high-level oversight
- Provides direction
- Indirect supervision
- Advisory group to the program
- Does not exercise authority
Page 21
Business Unit Manager
Note: this term is not used by NIST, but the role and function are alluded to.
- Responsible for the mission and/or business operations
- Often functions as information owner or AO
- Might be a higher-level manager or director
- Disseminates security information to subordinates
- Reports security incidents to higher management
- Responds to security incidents
- Determines resources
- Sets priorities
- Generally not an ‘IT’ person
Page 22
Project Manager
- May work for the system owner on complex system security plans
- May aid the CIO or CISO in the overall program implementation
Page 23
Facility Manager
- Responsible for physical security
- Responsible for environmental controls
Page 24
Executive Management
- Crucial role
- Establish policy
- Enforce policy
- Allocate resources
- Maintain visibility of the program
Page 25
User Representative
- Represents a user group or community
- Looks out for the interests of users
“The person that defines the system’s operational and functional requirements, and who is responsible for ensuring that user operational interests are met throughout the systems authorization process.” CNSS Instruction No. 4009
Page 26
DoD-Specific Roles
- Information Assurance Manager: individual responsible for the information assurance of a program, organization, system, or enclave. AKA Information Systems Security Manager (ISSM)
- Information Assurance Officer: individual assigned responsibility for maintaining the appropriate operational security posture for an information system or program. AKA Information Systems Security Officer (ISSO)
Page 27
CIRT: Computer Incident Response Team
Group of individuals, usually consisting of security analysts, organized to develop, recommend, and coordinate immediate mitigation actions for containment, eradication, and recovery resulting from computer security incidents.
AKA:
- Cyber Incident Response Team (CIRT)
- Computer Security Incident Response Team (CSIRT)
- Computer Incident Response Center (CIRC)
- Computer Incident Response Capability (CIRC)
Source: CNSSI 4009
Page 28
Delegation of Roles
“At the discretion of senior agency officials, certain security certification and accreditation roles may be delegated and if so, appropriately documented. Agency officials may appoint appropriately qualified individuals, to include contractors, to perform the activities associated with any security certification and accreditation role with the exception of the Chief Information Officer and authorizing official. The Chief Information Officer and authorizing official have inherent United States Government authority, and those roles should be assigned to government personnel only. Individuals serving in delegated roles are able to operate with the authority of agency officials within the limits defined for the specific certification and accreditation activities. Agency officials retain ultimate responsibility, however, for the results of actions performed by individuals serving in delegated roles.” NIST SP 800-37
Page 29
Support Hierarchy
Diagram labels: Mission, Business Unit, IT, Security, Audit.
The business unit attempts to accomplish its part of the agency’s mission. The IT infrastructure supports the business unit in reaching its mission objectives. Security and Audit in turn support IT.
Page 30
Role Relationships
Diagram labels: Program Level, Middle Tier, System Level; Audit, Security, IT, Business Unit; IG, IA, SCA, SISO, ISSM, ISSO, CIO, SO, SA, BUM, IO, EU; Mission, Head of Agency, Risk Executive Function, AO; Independence, SOD.
- IG = Inspector General
- IA = Internal Audit (Agency Inspector General)
- SCA = Security Control Assessor / CA (Certification Authority) / Certifying Agent
- CISO = Chief Information Security Officer / Senior Information Security Officer (SISO) / Senior Agency Information Security Officer (SAISO)
- SM = Security Manager / ITSM (IT Security Manager) / ISSM (Information Systems Security Manager)
- ISSO = Information Systems Security Officer
- CIO = Chief Information Officer
- SO = System Owner / IT Manager
- SA = System Admin
- BUM = Business Unit Manager (Director, Deputy Director); Business Unit = Directorate
- IO = Information Owner
- EU = End User
- AO = Authorizing Official
- SOD = Separation of Duties
Each directorate or business unit will have its own mission. The agency or organization will have an overall mission as well. Each business unit’s mission will in turn support the overall mission of the agency or organization.
Page 31
DoD and NIST: role mapping
DoDI 8510.01 & 8500.2 | SP 800-37 Rev 1
Head of DoD Components | Head of Agency (CEO)
Principal Accrediting Authority (PAA) | Risk Executive Function and/or Authorizing Official (AO)
Senior Information Assurance Officer (SIAO) | Senior Information Security Officer (SISO)
Designated Accrediting Authority (DAA) | Authorizing Official (AO)
Systems Manager | Common Control Provider and/or System Owner
Program Manager | Common Control Provider and/or System Owner
Information Assurance Manager (IAM) | Information Systems Security Manager (ISSM) [a level between ISSO & SISO, or either of those roles]
Information Assurance Officer (IAO) | Information Systems Security Officer (ISSO)
Certification Agent | Security Control Assessor
Page 32
Discussion: who is best suited for the role of Authorizing Official?
The person best suited to determine the risk a system poses, given its sensitivity and criticality to the operations of the business unit (division, directorate, etc.), is someone in management within that business unit. The CIO, who seems like a good choice for Authorizing Official, is actually a detrimental one. How is the CIO qualified to assess and accept risks to the operations of a business unit? For example, the business unit has a mission to accomplish and knows better than anyone in IT how much downtime it can withstand and still meet that mission. Shouldn’t it be management in the business unit that makes that determination? After all, it is their mission. In addition, who can best get the end user to “buy in” and follow policy, the CIO or the user’s own boss?
Business unit managers make the case that this is an IT problem and that the best person to understand the “IT risk” is the CIO or IT manager, so they often support the CIO as the Authorizing Official. However, the purpose of an independent security assessment (audit) is to give the AO factual information about the security posture of the information system. This way the AO does not have to determine for themselves whether the security is adequate, which frees the AO from having to understand IT security concepts. The independent assessor (auditor), who does understand the IT security concepts, can determine whether the security is adequate and at what level of risk the system would operate.
Page 33
Documenting roles and responsibilities
- Document contact information for each role
- In other documents, refer to the roles, not the person
- Letters of appointment
- May create a contact database
Picture: sample System Security Plan from the Centers for Disease Control and Prevention.
Page 34
Job descriptions
- Describe responsibilities
- Don’t forget the C&A responsibilities
- Outline expectations of performance
- Used for accountability
Page 35
Position sensitivity designations
Page 36
Personnel transitions
- Make sure individuals have adequate replacements before they leave, if possible
- Overlap for a smooth transition
- Acclimatize the individual to the C&A process and organizational specifics
- Make sure they understand their new roles and responsibilities
Page 37
Time requirements
- RMF duties do not require full time, unless you dedicate the tasks
- Collateral duties alongside normal ones
- A dedicated employee helps with consistency
- Depends on the size of the organization and the number of systems
Page 38
Expertise requirements
Skills and abilities:
- Project management
- System development life cycle
- Technical controls
- Operational controls
- IT terminology
- Security terminology
- Clear background
- Administrative skills, including technical writing skills
- Certifications like CAP, CISSP, CISA, CISM
Page 39
Using contractors
- Stability is wanted in the following positions, so employees are preferred: CIO, CISO, System Owner, AO, ISSO
- Because of the need for independence, contractors are often used as certifying agent
- Contractors can make effective partners
- Need background checks, statements of work, contracts and timetables
Page 40
Routine duties
- Scheduling
- Reporting
- Providing advice
- Meetings
- Quality control
- Monitoring compliance
- Intermediary
- Offering solutions
- Educating and training
- Systems development
- Explaining technical issues to non-technical management
Page 41
Organizational skills
- Well organized
- Proficient in RMF and C&A
- Project management skills: scheduling, task lists, meeting notes, managing email
Page 42
What certifications do you think are beneficial for RMF employees and contractors to have?

Page 43
Certifications
Diagram labels (certifications by area): CISSP, CISM, CISSP ISSMP, CAP, CISA, GSNA, SSCP, CASP, Security+, CISSP ISSEP/ISSAP, CSSLP; areas: Management / Risk, Audit, Software Dev, Network / Communications.
See also: “Top 5 IT Security Certifications for 2011: Employers, Recruiters Identify the Most Valued Infosec Certifications”, December 30, 2010, Upasana Gupta, Contributing Editor, http://www.govinfosecurity.com/articles.php?art_id=3222
Page 44
(ISC)2 Certifications
(ISC)2: International Information Systems Security Certification Consortium, Inc. Website: www.isc2.org
Certifications:
- Associate of (ISC)²
- SSCP: Systems Security Certified Practitioner
- CAP: Certified Authorization Professional
- CSSLP: Certified Secure Software Lifecycle Professional
- CISSP: Certified Information Systems Security Professional
- CISSP Concentrations: ISSEP, ISSAP, ISSMP
Notes: (ISC)2 certifications require ongoing continuing education to maintain certification.
- Associate of (ISC)²: has passed the SSCP or CISSP exam but does not have the required work experience.
- SSCP: covers seven areas of practice or domains: Access Controls; Cryptography; Malicious Code and Activity; Monitoring and Analysis; Networks and Communications; Risk, Response and Recovery; Security Operations and Administration.
- CAP: covers seven domains of knowledge aligned with the NIST Risk Management Framework.
- CSSLP: covers seven domains of knowledge concerning secure software development.
- CISSP: covers 10 broad domains of information systems security. The CISSP was the first credential in the field of information security accredited by ANSI (American National Standards Institute) to ISO (International Organization for Standardization) Standard 17024:2003.
- CISSP Concentrations: ISSAP (Information Systems Security Architecture Professional), ISSEP (Information Systems Security Engineering Professional), ISSMP (Information Systems Security Management Professional).
(ISC)², CISSP, CAP, ISSAP, ISSEP, ISSMP, SSCP and CBK are registered certification marks of (ISC)², Inc.
Page 45
ISACA Certifications
Information Systems and Control Association (ISACA). Website: www.isaca.org
Certifications:
- CISA: Certified Information Systems Auditor
- CISM: Certified Information Systems Manager
- CGEIT: Certified in the Governance of Enterprise IT
- CRISC: Certified in Risk and Information Systems Control
Notes: ISACA certifications require ongoing continuing education to maintain certification.
- CISA is world-renowned as the standard of achievement for those who audit, control, monitor and assess an organization’s information technology and business systems.
- The CISM certification program is developed specifically for experienced information security managers and those who have information security management responsibilities.
- CRISC recognizes a wide range of professionals for their knowledge of enterprise risk and their ability to design, implement, monitor and maintain IS controls to mitigate such risk.
- The CGEIT certification program was designed specifically for professionals charged with satisfying the IT governance needs of an enterprise.
The American National Standards Institute (ANSI) has accredited the CISA and CISM certifications under ISO/IEC 17024:2003, General Requirements for Bodies Operating Certification Systems of Persons. ANSI, a private, nonprofit organization, accredits other organizations to serve as third-party product, system and personnel certifiers.
CISA, CISM, CGEIT, CRISC and ISACA are registered certification marks of ISACA.
Page 46: Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Presenter
Presentation Notes
CompTIA Certifications
Website: www.comptia.org
Certifications:
A+ - Computer Support Technician
Network+ - Network Support Technician
Security+ - Entry-level security certification
CASP - CompTIA Advanced Security Practitioner
RFID+ - RFID professionals
CTT+ - Certified Technical Trainer
Project+ - IT Project Management
Others: Server+, Linux+, CTP+, CDIA+, PDI+
The CompTIA A+ certification is the industry standard for computer support technicians. The international, vendor-neutral certification proves competence in areas such as installation, preventative maintenance, networking, security and troubleshooting.
The CompTIA Network+ certification is the sign of a competent networking professional. It is an international, vendor-neutral certification that proves a technician's competency in managing, maintaining, troubleshooting, installing and configuring basic network infrastructure.
CompTIA Security+ is an international, vendor-neutral certification that proves competency in system security, network infrastructure, access control and organizational security.
CompTIA RFID+ is an international, vendor-neutral certification for IT professionals with six to 24 months of experience in RFID technologies.
CompTIA CTT+ is an international, vendor-neutral certification that covers core instructor skills, including preparation, presentation, communication, facilitation and evaluation in both classroom and virtual classroom environments.
The CompTIA Project+ certification is an international, vendor-neutral certification that covers the entire project life cycle from initiation and planning through execution, acceptance, support and closure.
Page 47: Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Presenter
Presentation Notes
SANS Institute Certifications
Website: www.giac.org
Certifications: GIAC (Global Information Assurance Certification)
GSNA (GIAC Systems and Network Auditor)
G7799 (GIAC Certified ISO-17799 Specialist)
GCFE (GIAC Certified Forensics Examiner)
GCFA (GIAC Certified Forensic Analyst)
GREM (GIAC Reverse Engineering Malware)
GLEG (GIAC Legal Issues)
GISP (GIAC Information Security Professional)
GCPM (GIAC Certified Project Manager Certification)
GISF (GIAC Information Security Fundamentals)
Page 48: Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Presenter
Presentation Notes
SANS Institute Certifications (cont.)
Website: www.giac.org
Certifications: GIAC (Global Information Assurance Certification)
GSEC (GIAC Security Essentials Certification)
GWAPT (GIAC Web Application Penetration Tester)
GCED (GIAC Certified Enterprise Defender)
GCFW (GIAC Certified Firewall Analyst)
GCIA (GIAC Certified Intrusion Analyst)
GCIH (GIAC Certified Incident Handler)
GCWN (GIAC Certified Windows Security Administrator)
GCUX (GIAC Certified UNIX Security Administrator)
GPEN (GIAC Certified Penetration Tester)
GAWN (GIAC Assessing Wireless Networks)
Page 49: Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Presenter
Presentation Notes
SCP Certifications
Security Certified Program (SCP)
Website: www.securitycertified.net
Certifications:
SCNS - Security Certified Network Specialist
SCNP - Security Certified Network Professional
SCNA - Security Certified Network Architect
Page 50: Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Presenter
Presentation Notes
Inspector General Institute
Association of Inspectors General
Website: http://inspectorsgeneral.org
Certifications:
Certified Inspector General (CIG)
Certified Inspector General Auditor (CIGA)
Certified Inspector General Investigator (CIGI)
Recognized by the National Association of State Boards of Accountancy (NASBA).
Page 51: Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Presenter
Presentation Notes
DoDD 8570
All IA (Information Assurance) jobs require certification.
IAT: Information Assurance Technical
IAM: Information Assurance Management
IASAE: Information Assurance System Architecture and Engineering
Page 52: Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles

Level                        Qualifying Certifications
CND Analyst                  GCIA, CEH
CND Infrastructure Support   SSCP, CEH
CND Incident Responder       GCIH, GSIH, CEH
CND Auditor                  CISA, CEH, GSNA
CND-SP Manager               CISM, CISSP-ISSEP

Presenter
Presentation Notes
DoDD 8570 (cont.)
All IA (Information Assurance) jobs will require certification.
CND: Computer Network Defense
Page 53: Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Page 54: Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Presenter
Presentation Notes
Organizational placement of the RMF function
Where will it be able to be the most effective?
It should reach the highest and lowest parts of the organizational chart.
It should be as wide as the enterprise.
The CISO may work for the CIO, or for the COO (whistleblower consideration).
Page 55: Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Presenter
Presentation Notes
Purple flowers under the Golden Gate Bridge
Page 56: Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Presenter
Presentation Notes
Key Agencies & Organizations
Office of Management and Budget (OMB)
Department of Homeland Security (DHS)
National Institute of Standards and Technology (NIST)
Office of the Director of National Intelligence (ODNI)
Department of Defense (DoD)
Defense Information Systems Agency (DISA)
Committee on National Security Systems (CNSS)
National Security Council (NSC)
National Security Telecommunications and Information Systems Security Committee (NSTISSC)
U.S. Government Accountability Office (GAO)
Office of the Inspector General (OIG)
CIO.gov
The U.S. Government Accountability Office (GAO) is known as "the investigative arm of Congress" and "the congressional watchdog." GAO supports the Congress in meeting its constitutional responsibilities and helps improve the performance and accountability of the federal government for the benefit of the American people. Source: www.gao.gov
The management side of OMB oversees and coordinates Federal procurement policy, performance and personnel management, information technology (e-Government) and financial management. In this capacity, OMB oversees agency management of programs and resources to achieve legislative goals and Administration policy. Source: www.whitehouse.gov/omb/
Page 57: Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Presenter
Presentation Notes
http://csrc.nist.gov/
Page 58: Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Presenter
Presentation Notes
http://csrc.nist.gov/
Page 59: Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Presenter
Presentation Notes
Other Resources from NIST
The National Vulnerability Database (NVD): http://nvd.nist.gov/
The Security Content Automation Protocol (SCAP): http://scap.nist.gov/
The Federal Desktop Core Configuration (FDCC), now the US Government Configuration Baseline (USGCB): http://usgcb.nist.gov/
The NIST Checklist Program: http://csrc.nist.gov/checklists/ and http://checklists.nist.gov/
Page 60: Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Presenter
Presentation Notes
Department of Homeland Security (DHS)
Oversees critical infrastructure protection
Operates the United States Computer Emergency Readiness Team (US-CERT)
Oversees implementation of the Trusted Internet Connection initiative
Has primary responsibility within the executive branch for the operational aspects of Federal agency cybersecurity (FISMA)
Subject to general OMB oversight
See OMB M-10-28
Page 61: Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Presenter
Presentation Notes
DHS FISMA Activities
Overseeing:
the government-wide and agency-specific implementation of and reporting on cybersecurity policies and guidance;
government-wide and agency-specific efforts to provide adequate, risk-based and cost-effective cybersecurity;
the agencies' compliance with FISMA, and developing analyses for OMB to assist in the development of the FISMA annual report;
the agencies' cybersecurity operations and incident response, and providing appropriate assistance;
annually reviewing the agencies' cybersecurity programs.
See OMB M-10-28
Page 62: Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Presenter
Presentation Notes
Office of Management and Budget (OMB)
Leads the interagency process for cybersecurity strategy and policy development (Cybersecurity Coordinator)
Responsible for the submission of the annual FISMA report to Congress
Responsible for the development and approval of the cybersecurity portions of the President's Budget
Provides oversight
See OMB M-10-28
Page 63: Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles

“The CNSS is directed to assure the security of NSS against technical exploitation by providing: reliable and continuing assessments of threats and vulnerabilities and implementation of effective countermeasures; a technical base within the USG to achieve this security; and support from the private sector to enhance that technical base assuring that information systems security products are available to secure NSS.”

Presenter
Presentation Notes
CNSS
The Committee on National Security Systems
In existence since 1953
Formerly named the National Security Telecommunications and Information Systems Security Committee (NSTISSC)
Establishes requirements pertaining to National Security Systems
"The CNSS is directed to assure the security of NSS against technical exploitation by providing: reliable and continuing assessments of threats and vulnerabilities and implementation of effective countermeasures; a technical base within the USG to achieve this security; and support from the private sector to enhance that technical base assuring that information systems security products are available to secure NSS."
Source: http://www.cnss.gov/history.html
Page 64: Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Page 65: Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Page 66: Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Page 67: Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Presenter
Presentation Notes
Cyber Command Mission
USCYBERCOM plans, coordinates, integrates, synchronizes, and conducts activities to: direct the operations and defense of specified Department of Defense information networks; and prepare to, and when directed, conduct full-spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.
Page 68: Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Presenter
Presentation Notes
Summary
People are the most important part of the process.
The right people make the program.
Page 69: Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Presenter
Presentation Notes
Class Discussion: Roles & Responsibilities
What are some of the biggest challenges within your current role?
How would you respond to a BUM, information owner or AO who says RMF is an IT issue and that he/she does not need to be involved?
If staffing is an issue, what roles would you combine? Which roles would you not combine?
In order to have a successful RMF program, you have been tasked to build an education system for your organization. What are some key features you would include?
Why are certifications important for staff with roles and responsibilities in the RMF?