NIST Risk Management Framework – Michael C. Redman

Salepage link: At HERE. Archive: http://archive.is/wip/S0Wx1

NIST Risk Management Framework

A risk-based approach to cybersecurity

General Information/Narrative

RMF brings a risk-based approach to the implementation of cybersecurity, supports cybersecurity integration early and throughout the system lifecycle, promotes reciprocity to the maximum extent possible and stresses continuous monitoring. RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and adopts the term cybersecurity in place of information assurance.

The RMF process is applicable to all IS and PIT systems, as well as DoD partnered systems where it has been agreed that DoD standards will be followed. IT below the system level (e.g., products, IT services) will not be subjected to the full RMF process. However, IT below the system level must be securely configured (in accordance with applicable DoD policies and security controls), documented in the authorization package and reviewed by the responsible Information System Security Manager (under the direction of the Authorizing Official) for acceptance or connection into an authorized computing environment.

The RMF process consists of six steps: Categorize System, Select Security Controls, Implement Security Controls, Assess Security Controls, Authorize System, and Monitor Security Controls. This process parallels the system life cycle, with the RMF activities being initiated at program or system inception (e.g., documented during capabilities identification or at the implementation of a major system modification).

The DoD RMF governance structure implements a three-tiered approach to cybersecurity risk management. Tier 1 is the strategic level, and it addresses risk management at the DoD enterprise level. At this tier, the DoD Chief Information Officer (CIO) directs and oversees the cybersecurity risk management of DoD IT. The Risk Executive Function is performed by the DoD Information Security Risk Management Committee (ISRMC).Tier 2 is the Mission / Business Processes level. At this level, the Component CIO is responsible for administration of the RMF within the DoD Component cybersecurity program. Tier 3 is the IS andPIT Systems level. Here, the DoD Component Heads are responsible for the appointment of trained and qualified Authorization Officials for all DoD ISs and PIT systems within their Component.

Defense Acquisition Guidebook, Policies, Directives, Regulations, Laws

• DoDI 8500.01 “Cybersecurity”
• DoDI 8510.01 “Risk Management Framework for DoD Information Technology”
• NIST SP 800-37, Rev 1 “Guide for Applying the RMF to Federal Information Systems”
• NIST SP 800-39 “Managing Information Security Risk”
• NIST SP 800-53, Rev 4 “Security and Privacy Controls for Federal Information Systems and Organizations”
• NIST SP 800-60 “Guide for Mapping Types of Information and Information Systems to Security Categories”
• CNSSI 1253 “Security Categorization and Control Selection for National Security Systems”
• CNSSI 4009 “Committee on National Security Systems Glossary”

Course Curriculum

Risk Management Framework (RMF) for DoD IT

• RMF Chapter 1 Introduction (8:42)
• RMF Chapter 2 Cybersecurity Policy Regulations and Framework (19:26)
• RMF Chapter 3 RMF Roles and Responsibilities (10:54)
• RMF Chapter 4 Risk Analysis Process (14:56)
• RMF Chapter 5 Step 1 Categorize (24:06)
• RMF Chapter 6 Step 2 Select (16:24)
• RMF Chapter 7 Step 3 Implement (17:05)
• RMF Chapter 8 Step 4 Assess (11:31)
• RMF Chapter 9 Step 5 Authorize (11:57)
• RMF Chapter 10 Step 6 Monitor (13:43)