Risk Management Framework: A Lab-Based Approach to Securing Information Systems
Ebook, 531 pages, 2 hours

Rating: 1.5 out of 5 stars


About this ebook

The RMF allows an organization to develop an organization-wide risk framework that reduces the resources required to authorize a systems operation. Use of the RMF will help organizations maintain compliance with not only FISMA and OMB requirements but can also be tailored to meet other compliance requirements such as Payment Card Industry (PCI) or Sarbanes Oxley (SOX). With the publishing of NIST SP 800-37 in 2010 and the move of the Intelligence Community and Department of Defense to modified versions of this process, clear implementation guidance is needed to help individuals correctly implement this process. No other publication covers this topic in the detail provided in this book or provides hands-on exercises that will enforce the topics. Examples in the book follow a fictitious organization through the RMF, allowing the reader to follow the development of proper compliance measures. Templates provided in the book allow readers to quickly implement the RMF in their organization. The need for this book continues to expand as government and non-governmental organizations build their security programs around the RMF. The companion website provides access to all of the documents, templates and examples needed to not only understand the RMF but also implement this process in the reader’s own organization.

  • A comprehensive case study from initiation to decommission and disposal
  • Detailed explanations of the complete RMF process and its linkage to the SDLC
  • Hands on exercises to reinforce topics
  • Complete linkage of the RMF to all applicable laws, regulations and publications as never seen before
Language: English
Release date: Jul 3, 2013
ISBN: 9780124047235
Author

James Broad

James Broad (CISSP, C|EH, CPTS, Security+, MBA) is the President and owner of Cyber-Recon, LLC, where he and his team of consultants specialize in Information Security, Information Assurance, Certification and Accreditation and offer other security consultancy services to corporate and government clients. As a security professional with over 20 years of real-world IT experience, James is an expert in many areas of IT security, specializing in security engineering, penetration testing, vulnerability analysis and research. He has provided security services in the nation’s most critical sectors including defense, law enforcement, intelligence, finance and healthcare.


Reviews for Risk Management Framework

Rating: 1.5 out of 5 stars

2 ratings, 1 review


  • Rating: 1 out of 5 stars. Do not purchase this book. The promised labs and additional materials do not appear on the companion website.

Book preview

Risk Management Framework - James Broad

Risk Management Framework

A Lab-Based Approach to Securing Information Systems

James Broad

Aaron (AJ) Mitchneck, Technical Editor

Table of Contents

Cover image

Title page

Copyright page

Dedication

Acknowledgments

About the Author

Technical Editor

Companion Website

Chapter 1: Introduction

Book Overview and Key Learning Points

Book Audience

The Risk Management Framework (RMF)

Why This Book Is Different

A Note about National Security Systems

Book Organization

Part 1

Introduction

Chapter 2: Laws, Regulations, and Guidance

Abstract

Chapter Overview and Key Learning Points

The Case for Legal and Regulatory Requirements

Legal and Regulatory Organizations

Laws, Policies, and Regulations

National Institute of Standards and Technology (NIST) Publications

Chapter 3: Integrated Organization-Wide Risk Management

Abstract

Chapter Overview and Key Learning Points

Risk Management

Risk Management and the RMF

Components of Risk Management

Multi-tiered Risk Management

Risk Executive (Function)

Chapter 4: The Joint Task Force Transformation Initiative

Abstract

Chapter Overview and Key Learning Points

Before the Joint Task Force Transformation Initiative

The Joint Task Force Transformation Initiative

Chapter 5: System Development Life Cycle (SDLC)

Abstract

System Development Life Cycle (SDLC)

Traditional Systems Development Life Cycle (SDLC)

Traditional SDLC Considerations

Agile System Development

Chapter 6: Transitioning from the C&A Process to RMF

Abstract

Chapter Overview and Key Learning Points

C&A to RMF

The Certification and Accreditation (C&A) Process

Introducing the RMF (A High-Level View)

Transition

Chapter 7: Key Positions and Roles

Abstract

Chapter Overview and Key Learning Points

Key Roles to Implement the RMF

Part 2

Introduction

Chapter 8: Lab Organization

Abstract

Chapter Overview and Key Learning Points

The Department of Social Media (DSM)

Organizational Structure

Risk Executive (Function)

Chapter 9: RMF Phase 1: Categorize the Information System

Abstract

Chapter Overview and Key Learning Points

Phase 1, Task 1: Security Categorization

Phase 1, Task 2: Information Systems Description

Common Control Providers

Phase 1, Task 3: Information System Registration

Chapter 9 Lab Exercises: Information System Categorization

Chapter 10: RMF Phase 2: Selecting Security Controls

Abstract

Chapter Overview and Key Learning Points

Selecting Security Controls

Chapter 10 Lab Exercises: Selecting Security Controls

Chapter 11: RMF Phase 3: Implementing Security Controls

Abstract

Chapter Overview and Key Learning Points

Phase 3, Task 1: Security Control Implementation

Phase 3, Task 2: Security Control Documentation

Chapter 11 Lab Exercises: Selecting Security Controls

Chapter 12: RMF Phase 4: Assess Security Controls

Abstract

Chapter Overview and Key Learning Points

Assessing Security Controls

Chapter 12 Lab Exercises: Assessing Security Controls

Chapter 13: RMF Phase 5: Authorizing the Information System

Abstract

Chapter Overview and Key Learning Points

Phase 5, Task 1: Developing the Plan of Action and Milestones (POA&M)

Phase 5, Task 2: Assembly of the Authorization Package

Phase 5, Task 3: Determining Risk

Phase 5, Task 4: Accepting Risk

Chapter 13 Lab Exercises: Authorizing the Information System

Chapter 14: RMF Phase 6: Monitoring Security Controls

Abstract

Chapter Overview and Key Learning Points

Phase 6, Task 1: Monitoring Information System and Environment Changes

Phase 6, Task 2: Ongoing Security Control Assessment

Phase 6, Task 3: Ongoing Remediation Actions

Phase 6, Task 4: Updating the Security Documentation

Phase 6, Task 5: Security Status Reporting

Phase 6, Task 6: Ongoing Risk Determination and Acceptance

Phase 6, Task 7: System Removal and Decommissioning

Chapter 14 Lab Exercises: Monitoring Security Controls

Chapter 15: The Expansion of the RMF

Abstract

Chapter Overview and Key Learning Points

The Transition to the RMF

Future Updates to the RMF Process

Using the RMF with Other Control Sets and Requirements

Conclusion

Appendix A: Answers to Exercises in Chapters 9 through 14

Chapter 9

Chapter 10

Chapter 11

Chapter 12

Chapter 13

Chapter 14

Appendix B: Control Families and Classes

Appendix C: Security Control Assessment Requirements

NIST SP 800-53A Assessment Methods

Security Control Baseline Categorization

CNSSI 1253 Baseline Categorization

New Controls Planned in Revision 4

FedRAMP Controls

SP 800-53 Security Controls to HIPAA Security Rule

PCI DSS Standards

Appendix D: Assessment Method Definitions, Applicable Objects, and Attributes

Glossary

Common Acronyms in this Book

References

Index

Copyright

Acquiring Editor: Chris Katsaropoulos

Development Editor: Heather Scherer

Project Manager: Malathi Samayan

Designer: Matthew Limbert

Syngress is an imprint of Elsevier

225 Wyman Street, Waltham, MA 02451, USA

Copyright © 2013 Elsevier, Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices, may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

Library of Congress Cataloging-in-Publication Data

Broad, James.

Risk management framework : a lab-based approach to securing information systems / James Broad.

pages cm

Includes bibliographical references and index.

ISBN 978-1-59749-995-8 (alkaline paper) 1. Computer security–Government policy–United States. 2. Information technology–Security measures–United States. 3. Electronic government information–Security measures–United States. 4. Risk management–Government policy–United States. 5. Information technology–United States–Management. I. Title.

QA76.9.A25B72 2013

005.8–dc23

2013016641

British Library Cataloguing-in-Publication Data

A catalogue record for this book is available from the British Library.

ISBN: 978-1-59749-995-8

Printed in the United States of America

13  14  15  12  11  10  9  8  7  6  5  4  3  2  1

For information on all Syngress publications, visit our website at www.syngress.com

Dedication

This book is dedicated to my family.

To my wife, Dee, and my children, Mike and Temara, thank you for your endless support while I spent too many sunny days in front of a computer.

To my sisters, Mary, Teresa, and Lisa, thank you for helping me become the person I am today.

To my father, thank you for showing me anything is possible.

Loaded logging trucks always have the right of way.

— Ed Broad

Acknowledgments

I would like to thank many people who contributed to the writing and publishing of this book.

To Heather and all of the staff at Syngress, thank you for your patience as this first-time author shifted the delivery dates of his book all over the calendar. Your help and guidance have been truly monumental. I have learned so much from all of you throughout this process.

To Dr. Ron Ross and the staff of the National Institute of Standards and Technology (NIST), the Joint Transformation Task Force, and the Committee on National Security Systems (CNSS), thank you for providing such extensive documentation on this subject. Your publications provided the foundation for this book, and in many instances I have quoted from them. Your devotion to information security and information assurance is remarkable.

To Steven Rodrigo, thank you for all the knowledge you have shared with me. Short conversations over coffee and in the hallways have enlightened and informed me more than you will ever know. Your insights on the topics in this book are remarkable. Keep up the good fight.

To those in my past who set me on the path I am on today, thank you all. Of special note are Charles Parker, an Army executive officer who took a young combat arms NCO off the line and put him in front of a computer, and Derrol Trippet, Deputy Director for Information Management, who set me on a full-time information assurance/security career. Thank you both for giving me a chance.

Thank you to the CAT team. You know who you are, and I could not think of a better group to work with.

About the Author

James Broad (CISSP, C|EH, CPTS, Security+, MBA) is the President and owner of Cyber-Recon, LLC, where he and his team of consultants specialize in Information Security, Information Assurance, Certification and Accreditation and offer other security consultancy services to corporate and government clients. As a security professional with over 20 years of real-world IT experience, James is an expert in many areas of IT security, specializing in security engineering, penetration testing, vulnerability analysis and research. He has provided security services in the nation’s most critical sectors including defense, law enforcement, intelligence, finance and healthcare.

Technical Editor

Aaron (AJ) Mitchneck (Security+, C|EH, MCT, MCP, CSM) works as a Structured Query Language database administrator (SQL DBA) and Internet technology (IT) security engineer. He is currently contracted in Sierra Vista, Arizona, helping to develop and maintain security policies and standards and ensuring compliance throughout the organization.

As an IT and security professional for more than fifteen years, AJ has experience in security engineering and penetration testing, as well as standards and compliance for the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and the Risk Management Framework (RMF).

Companion Website

This book has companion material, including all of the referenced materials, extended exercises for each chapter, templates and examples of the RMF documents, as well as updates to the book. Please visit www.cyber-recon.com to register and download the files.

Chapter 1

Introduction

Table of Contents

Book Overview and Key Learning Points

Book Audience

The Risk Management Framework (RMF)

Why This Book Is Different

A Note about National Security Systems

Book Organization

Information in this Chapter:

• Book overview and key learning points

• Book audience

• Introduction to the risk management framework (RMF)

• How this book is organized

Book Overview and Key Learning Points

This book’s goal is to provide a basic understanding of the Risk Management Framework (RMF) as it pertains to the systems development life cycle (SDLC) of federal IT systems and to provide guidance on how to use this understanding during the development, assessment, and continuous monitoring of those systems. The book discusses the RMF process in terms of its six phases, which allows the reader to develop a full understanding of how each phase influences and leads to the next. This framework provides a structured process that allows organizations to comply with a number of laws, regulations, and policies, including the Federal Information Security Management Act (FISMA).

The information provided in this book is culled from many divergent government documents, including laws, standards, regulations, and other forms of guidance, that support the overall IT security governance structure supporting federal IT systems. The book is designed to be used as a resource for experienced security and assurance professionals as well as to provide awareness and training for those security professionals who are new to the federal information security environment.

The risk management framework represents an evolution in the process of developing secure systems, validating them, and ultimately authorizing those systems to operate in a production environment. The RMF consolidates what used to be multiple security frameworks for multiple IT systems into a single security framework. Once fully implemented in an organization, the RMF will enable faster and less expensive information system accreditations through the use of a repeatable process that stresses early identification, engineering, inheritance, and implementation of required security controls. When authorizing a system under the RMF, senior officials of an organization accept the risks to the overall organization that arise from the operation of that IT system. This change from accepting risks as they impact a single system to accepting risks introduced to the overall organization is driven by FISMA and has been guided by the National Institute of Standards and Technology (NIST) as part of the Joint Task Force Transformation Initiative. The mission of this task force was to create a unified framework with which to conduct risk evaluations and authorizations of systems using a unified process, thus reducing the number of processes used to validate the security and compliance of systems and framing the risk of approving a system in the context of risk to the overall organization. The success of this group’s work is evident in the transition of the government away from using several different processes, standards, guidance documents, and frameworks to using the single RMF and its associated support documentation. By enhancing and tailoring the RMF only slightly, it has become possible for the entire federal government to use this single standard for all federal information systems, including those of the Department of Defense (DoD) and the intelligence community (IC), groups that, in the past, had separate and distinct processes for validating the security and compliance of a system and for accepting the risks of operating that system.

Book Audience

Correctly implementing the RMF within the federal government requires input and deliverables from people in a number of different professions across a wide range of specialties. This book is designed to provide information to technical, administrative, and management professionals, providing a unique approach to the RMF as it pertains to each of these different types of readers.

Management professionals can use this information to track system development within the RMF, ensuring that systems are developed in compliance with regulatory requirements and security concerns. In every federal organization, members of senior management are now responsible for ensuring the security and compliance of information systems.

Administrative professionals, including mission and business professionals associated with tier 2 of the organizational risk management program, can use their understanding of the RMF to develop more structured and overarching policies and programs. These can then be applied to individual systems as common controls, removing the need for individual system developers to provide controls by providing them at a higher level in the organization. This is less costly than developing and managing multiple versions of these programs and policies.

Technical professionals are required to develop and manage information systems that meet both federal compliance and security requirements. Understanding the RMF will help these individuals build, manage, and dispose of information systems in line with this guidance. By understanding the framework and the controls required for specific systems, technology professionals can ensure that security is built into systems early on in the SDLC rather than added to them as an afterthought. This creates a more secure system and reduces the cost of securing the system and maintaining regulatory compliance.

The Risk Management Framework (RMF)

The risk management framework, or RMF, was developed by NIST and is defined in NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems. This publication details the six-phase process that allows federal IT systems to be designed, developed, maintained, and decommissioned in a secure, compliant, and cost-effective manner. The framework provides cost savings by promoting reuse as well as reciprocity of information systems approvals and inheritance of organizationally authorized and approved common controls. The requirement for continuous monitoring is a significant improvement over the older four-phase certification and accreditation (C&A) process, which only looked at a system at a single point in time. The more structured and robust RMF process increases compliance and security by requiring near-real-time monitoring of the IT system over its entire lifetime. Figure 1-1 illustrates the phases of the old C&A process and the phases of the new RMF process.

Figure 1-1

Why This Book Is Different

Some books describe how the RMF is structured and provide general examples of documents, processes, and procedures required at each phase. This book not only covers these basics but also walks the reader through each phase of the RMF using the example of the development of an information system in a fictitious national organization. This gives exceptional insight into how the RMF can best be used to secure systems, ensure compliance, and increase efficiency. Following the development of an organizational system through the book provides the reader with a clear understanding of how each phase links to the next, the needed inputs and outputs, as well as required references. Key points from each phase are reinforced and highlighted. Diagrams, figures, and charts are simplified to provide a solid understanding of the material presented.

A Note about National Security Systems

While the RMF is used as a standard framework for approving an information system’s operational status, some phases are different for those systems that have been identified as national security systems (NSS). These systems are normally operated by members of the IC or DoD. The Guideline to Identifying an Information System as a National Security System, NIST SP 800-59, outlines the process used to determine an NSS and should be consulted to determine whether or not a system is classified as an NSS. Throughout the six phases of the RMF as explained in this book, it is assumed that the systems being processed through the RMF are not NSS. The differences in approving NSS will be covered in greater detail later in the book.

Book Organization

This book is divided into two parts, each of which focuses on different components that support the understanding and use of the Risk Management Framework. Part I covers the basics of compliance, including laws and regulations that mandate the use of security controls, procedures, and processes used by federal IT systems using the RMF, as well as the processes and procedures that led to the development of the RMF. Also covered are the history of certification and accreditation, its evolution to the RMF, and the integration of the RMF into the SDLC for federal IT systems. Readers familiar with these information security topics may want to begin with part 2 and use part 1 as reference.

Chapter 2, Laws, Regulations, and Guidance, provides a high-level overview of the laws and regulations that have been enacted to ensure that federal systems maintain the proper security profile and compliance status for protecting federal government-related information and information systems. It covers FISMA and FISMA2, the Paperwork Reduction Act of 1995, the Clinger-Cohen Act, and the requirements set forth by the Office of Management and Budget (OMB). This chapter also introduces the association of NIST with these laws and requirements. The chapter closes out by presenting systems that must comply with these laws and regulations as well as those systems that may be exempt from fully complying with these requirements or may have different requirements to follow.

One of the major benefits of the RMF is ensuring that risk is addressed at the organizational level. Only by understanding high-level organizational risk can new systems be evaluated to ensure that they do not introduce unnecessary risk to the organization as a whole. The risk executive (agent), a position that is fully explained in Chapter 5, is highlighted in Chapter 3, Integrated Organization-Wide Risk Management, as is the basic process for evaluating information, physical, and personnel security risks introduced by new system implementation. Organizational risk assessments are key tools used by authorizing officials (AO) to determine the authorization decision made for new information systems.

The Joint Task Force Transformation Initiative (JTF TI) is introduced in Chapter 4. This task force is responsible for expanding the RMF into new areas of the federal government, which will reduce unneeded duplication of effort and define a single framework standard. This chapter explains how JTF TI expanded the RMF into the IC and is expanding into the DoD.

Understanding the systems development life cycle is crucial to understanding how the RMF is aligned with and supports the SDLC. Chapter 5, The Systems Development Life Cycle (SDLC), explains the five phases of the SDLC as defined by NIST (initiation, development/acquisition, implementation/assessment, operation and maintenance, and disposal) and how they are consistent with the RMF. The chapter concludes by explaining how this process is used by system developers to ensure that system development is conducted according to the project plan and is consistent with user requirements.

Chapter 6, Transition from the Four-Phase Certification and Accreditation Cycle, covers this outdated life cycle. The C&A process, replaced by the RMF, focused on evaluating the security and compliance of information systems at a single point in time.

Chapter 7, Key Positions and Roles, defines the key positions required to successfully implement the RMF. Each position is clearly defined and responsibilities are delineated and explained. The positions run the gamut from senior executive staff to hands-on technical experts and administrators who ensure that the systems are developed correctly and securely.

Part II delves deeper into the phases of RMF itself, with each of the six phases of the RMF being covered in detail in its own chapter. Part II also introduces the Department of Social Media (DSM), the fictional organization that is used for the exercises in this book. Part II concludes with a summary of the way ahead for the RMF, including proposed changes that expand the use of the RMF throughout the DoD and the IC.

Chapter 8, Lab Organization, introduces the fictitious Department of Social Media (DSM). This organization is used to demonstrate the effective implementation of each phase of the RMF. The chapter explains the mission of the DSM and the organizational chart that defines the leadership and program management teams. The organizational chart is intentionally limited to those positions that normally participate in or provide input for one or more phases of the RMF. This chapter also introduces the system that is being developed, its sponsor, its mission, and the information that will be processed.

Chapter 9, Phase 1: System Categorization, discusses the first phase of the RMF, with a focus on categorizing the information system by investigating the information types that the system is being developed to support. This includes
