Risk Management Framework

Author: Shon Conley
WHITE PAPER

Making the Most of the Risk Management Framework

NIST’s six-step process is now the risk management standard across the federal government. Here’s why agencies that want to safeguard their IT infrastructure and enhance their mission need to bring their cybersecurity workforce fully up to speed on this highly customizable, effective framework.

Introduction

As information systems have increased in complexity and capacity and the number and type of threats have grown over the last decade, very few of the earliest frontline information security tools and methodologies have maintained their initial significance or applicability—much less become even more relevant.

One high-profile exception to that reality, however, is the Risk Management Framework (RMF), a disciplined and structured six-step process that was first developed nearly 10 years ago by the National Institute of Standards and Technology (NIST) to help federal agencies better protect their information technology systems. Initially, the RMF was used to certify and accredit (C&A) the systems of federal civilian agencies as a mandated part of their compliance with the Federal Information Systems Management Act (FISMA). For the first several years, the use of RMF as part of this C&A effort was fairly static, with assessment and authorization taking place every three years or whenever there was a change to the system.

However, the RMF was also designed from the start to be flexible. As a result, organizations are now able to leverage the RMF to take a much more dynamic approach to identifying and mitigating vulnerabilities and threats, and can achieve their mission objectives by continuously monitoring any security measures chosen and implemented to avoid, counteract or minimize those risks.

With the RMF, there’s no one-size-fits-all approach. Each individual system can be triaged according to its value to the enterprise, and security controls can be specifically selected and then monitored year by year, month by month, day by day or even hour by hour, depending on the criticality of a specific system, the organization’s risk tolerance and the threats posed.

This flexibility is the reason that more and more organizations are adopting the RMF over other risk management frameworks. The Department of Defense announced in March 2014 that it would abandon its long-used and specialized Defense Information Assurance Certification and Accreditation Process (DIACAP) in favor of the RMF, and a growing number of private sector organizations, including financial institutions and health care organizations, are now relying on the RMF on a voluntary basis. “The beauty of the RMF is that it’s a process that can be applied in many different ways based on the specific organization’s mission, the environments in which they operate and the technologies that they use,” says Dr. Ron Ross, a Fellow with NIST who is also the principal architect of the RMF. “I think it has stood the test of time and will continue to serve the organizations that rely on it because it doesn’t force you into a particular box. It allows you to drive the security solutions that are most appropriate for your organization, and that’s a very powerful characteristic of any framework.”

Step By Step

The RMF, which is fully delineated in NIST Special Publication 800-37, is a holistic risk management process that involves six basic steps at the system level that are further broken down into specific tasks. These steps, according to NIST, are shown in Figure 1.

New and Different

The DoD’s decision to adopt the RMF and mandate its exclusive use in conducting security authorization activities means that, for the first time, all defense, intelligence and federal civilian agencies will be working from the same risk management framework. And that will have a far-ranging impact. Not only will DoD information security personnel have to learn and adapt to the RMF, but civilian agencies can now count on “reciprocity” between all federal systems, as can government contractors and anyone else who does business with the public sector.

Figure 1. NIST’s Risk Management Framework: process overview.

[Diagram. Starting point: Architecture Description (Architecture Reference Models, Segment and Solution Architectures, Mission and Business Processes, Information System Boundaries) and Organizational Inputs (Laws, Directives, Policy Guidance, Strategic Goals and Objectives, Priorities and Resource Availability, Supply Chain Considerations). Steps, repeated as necessary: Step 1 Categorize Information System; Step 2 Select Security Controls; Step 3 Implement Security Controls; Step 4 Assess Security Controls; Step 5 Authorize Information System; Step 6 Monitor Security Controls.]

“Everybody is going to be speaking the same language, so that when someone at the State Department says, ‘Here’s my risk level on this system and here are the security controls that I’m using to measure and mitigate that risk,’ it can be equated to connected systems on the DoD side or within the intelligence community or at the White House,” says Dan Waddell, CISSP, CAP, Director of U.S. Government Affairs at (ISC)2.

In addition, universal use of the RMF provides information security professionals with a simpler, more business-friendly language needed to effectively explain their efforts to senior executives, budgetary decision-makers, acquisition personnel, enterprise architects and other stakeholders, so that security can be fully incorporated from the top down rather than from the bottom up.

“Security in many people’s view is a cost to the organization, a drag, an impediment,” says Ross. “When you go at it from the top-down, with the stakeholders sitting there talking about the mission they have to accomplish and what is fundamentally required to protect themselves and to make the mission successful, then security is viewed from a very different perspective: it’s viewed as a mission enabler, an investment in our mission success.”

For DoD personnel, the effort to move to the RMF is made easier by the fact that the RMF is more similar to DIACAP than different from it, though DIACAP was encapsulated in five phases versus the RMF’s six steps. The biggest difference is the process and the role nomenclature, says Chris Kelsall, DON CIO Cyberspace Workforce Branch Head. “Our biggest concern is that although the same concepts in RMF were in DIACAP, there’s a whole new process for evaluation and a new way of going through the steps to be able to come to the decisions that you come to about whether the security program is adequate and whether the system is ready to operate,” Kelsall says. “So we’re looking at that across the board.”

Other key differences between DIACAP and RMF lie in the way the security and privacy controls in NIST’s 800-53 catalog are organized and described, along with the role descriptions and responsibilities. “Our primary effort will be to ensure that we transition successfully and smoothly from the Information Assurance Manager (IAM) outlined in the DoD 8570.01M, and its associated qualification requirements, to the Information System Security Manager (ISSM) roles and responsibilities required by the RMF,” says Kelsall. “We will have to look closely at the qualification requirements for the ISSM based on responsibilities and determine how to structure a program that includes all the elements required and the best means of delivering training.”

Civilian agencies that have been using the RMF to comply with FISMA will find value in renewing and continuing their training efforts on the RMF process. The process has been revised to adapt to a new focus on continuous monitoring and ongoing authorization, as well as new threats and vulnerabilities. NIST’s security and privacy control catalog, for example, added another 200-plus security measures when it was revised in 2013.

A broader context is required, Ross says, and civilian agencies need to rethink the RMF by making sure they are assessing their systems, choosing and implementing security controls and monitoring systems even as they assess and adapt to other factors, including the threat space, mission changes and technology evolutions.

“The RMF was really patterned after the way military commanders assess and adapt to changing circumstances on the battlefield: You can’t base today’s tactics on yesterday’s battle plan because the conditions won’t remain the same,” says Ross. “So you can no longer design a system security plan and expect it to survive for three years or even for three months. It’s going to have to be modified on an ongoing basis depending on what you’re experiencing or anticipating right now.”

What’s more, even though RMF takes a step-by-step approach to risk management, information security professionals need to guard against utilizing it in a checklist fashion, as is the cultural tendency, says Ross. “It’s important to let the RMF be the RMF,” Ross says. “In other words, don’t turn it into a compliance exercise but rather allow the flexibility that’s inherent in the framework to drive the solutions that you come up with.”

Mapping Knowledge to Value

The RMF’s new status as the risk management standard within the DoD and across the federal government notwithstanding, learning to apply the RMF can seem overwhelming. That’s why investing in training cybersecurity professionals on the specifics of the RMF process—rather than general principles of risk management—is critical, not just for those new to the framework but also for those who have used it in the past in a more static fashion.

There are many training outlets on risk assessment and management, but the only one that is mapped specifically to the RMF steps and the NIST guidance outlined in Special Publications 800-37, 800-39 and 800-53 is (ISC)2’s Certified Authorization Professional (CAP®) credential and its Common Body of Knowledge (CBK®). CAP is ANSI accredited, and so DoD personnel who earn the CAP credential will also satisfy DoD 8570 compliance for IAM Levels I and II.

The CAP CBK Training Seminar covers seven domains over a five-day period. The first domain provides a history and overview of the RMF and then delves deeply into the tasks and specifics of each of the six steps of the RMF process, including how to effectively select the right security controls and how to prepare a required document known as the continuous monitoring strategy, which must be approved by the authorizing official.

In addition, the CAP coursework provides a deep understanding of the roles involved in the RMF process. Rae Hayward, (ISC)2’s Director of Education and Training, says that this is the topic that the DoD is most anxious to learn about “since at the different stages, accurate determination of who meets the requirements for each role will also identify who will be responsible for categorizing the systems and selecting the controls and then—once you get down to operating and monitoring the system—who will be responsible for taking action and signing off on that.”

To ensure that its role identification definitions are always up to date, (ISC)2 performs a job task analysis frequently, and it is currently in the process of cross-mapping the roles that existed within DIACAP to the roles as delineated within RMF in order to help DoD personnel more easily make the transition to RMF. Kelsall notes that there is value to any opportunity that can help train military personnel on the RMF process, including internal training programs and CAP training. “If it makes more sense for me to go get something that I can use that’s already built and proven rather than trying to build something myself, then we’ll go that way, and that will probably be the better option for someone who’s worked as a Designated Approval Authority under DIACAP and just needs to get the RMF specifics,” he says.

Personnel who complete CAP training can also go on to take the exam and earn the CAP credential. By taking this extra step, information security professionals not only validate their RMF knowledge and skills but are also required to meet continuing education requirements, which provides their organization with ongoing access to the most up-to-date information on relevant risk assessment and management practices.

Ross notes that the RMF’s flexibility is enabling it to continue to evolve and grow in its relevancy and effectiveness at helping organizations protect systems throughout the information lifecycle. For example, NIST is currently drafting Special Publication 800-160, which will extend the RMF process and new security controls to the systems engineering and software development processes. With the adoption of RMF, the federal government is able to unify on a standard process and set of security controls while, at the same time, maintaining unique and customized security strategies for different environments, Ross says. As information security professionals get up to speed on how to effectively leverage the dynamic nature of the RMF, the government as a whole will be better able to manage risk and protect the nation’s infrastructure.

For more information on (ISC)2’s CAP Training, visit www.isc2.org/cap-training.

About (ISC)2®

Formed in 1989, (ISC)2 is the largest not-for-profit membership body of certified information and software security professionals worldwide, with over 100,000 members in more than 160 countries. Globally recognized as the Gold Standard, (ISC)2 issues the Certified Information Systems Security Professional (CISSP®) and related concentrations, as well as the Certified Secure Software Lifecycle Professional (CSSLP®), the Certified Cyber Forensics Professional (CCFPSM), Certified Authorization Professional (CAP®), HealthCare Information Security and Privacy Practitioner (HCISPPSM) and Systems Security Certified Practitioner (SSCP®) credentials to qualifying candidates. (ISC)²’s certifications are among the first information technology credentials to meet the stringent requirements of ISO/IEC Standard 17024, a global benchmark for assessing and certifying personnel. (ISC)2 also offers education programs and services based on its CBK®, a compendium of information and software security topics. More information is available at www.isc2.org.

© 2014, (ISC)2 Inc. (ISC)², CISSP, ISSAP, ISSMP, ISSEP, CSSLP, CAP, SSCP and CBK are registered marks, and CCFP and HCISPP are service marks, of (ISC)2, Inc.
