diarmf risk management of information security

diacap to diarmf: manage information security risk

Risk Management Framework is implemented throughout an organization.

NIST 800-39, Manage Information Security Risk, describes how to implement risk within t three layers (or tiers) of of an organization:

Tier 1: Organization level
Tier 2: Mission/Business Process level
Tier 3: Information System level

diarmf risk management of information security

Tier 1: Organization Level risk management
Tier one addresses security from the organizations perspective. The activities include the implementation of the first component of risk management, risk framing. Risk framing provides context of all the risk activities within an organization, which affects the risk activities of tier 1 & 2. The output of risk framing is Risk Management Strategy. In tier 1 the organization establishes and implements governance structure that are in compliance with laws, regulations and policies. Tier 1 activities include establishment of the Risk Executive Function, establishment of the risk management strategy and determination of the risk tolerance.

Tier 2: Mission/Business Process Level risk management

Tier 2 risk management activities include: 1) defining the mission/business processes to support the organization. 2) Prioritize the mission/business process with respect to the long term goals of the organization. 3) Define the type of information needed to successfully execute the mission/business processes, criticality/sensitivity of the information and the information flows both internal and external of the information.

Having a risk-aware process is an important part of tier 2. To be risk-aware senior leaders/executives need to know: 1) types of threat sources and threat events that could have an adverse affect the ability of the organizations 2) the potential adverse impacts on the organizational operations and assets, individuals, the Nation if confidentiality, integrity, availability is compromised 3) the organization�s resilience to such an attack that can be achieved with a given mission/business process

Tier 3: Information System risk management

From the information system perspective, tier 3 addresses the following tasks:
1) Categorization of the information system
2) Allocating the organizational security control
3) Selection, implementation, assessment, authorization, and ongoing

Chapter 3 focuses on the step to have a comprehensive risk management program. The tasks discussed include:
Risk Framing
Risk Assessing
Risk Response
Risk Monitoring


For more information go to: http://elamb.org/training-certification800-39-manage-information-security-risks/


DIACAP to DIARMF: Assessment Authorization

DIACAP to DIARMF: Assessment Authorization

DIACAP to DIARMF: Assessment Authorization

With the move from certification and accreditation (C&A) to risk management framework, comes a few new terms.  “C&A” will be replaced with assessment and authorization.  Even though “information assurance (IA) controls” will be call “security controls”, the definition and work is still the same, but the hope is that its done continuously and more cost-effective.


Certification (NIST Assessment) – Comprehensive evaluation of an information system assessment of IA Controls/Security Controls to determine the extent to which the controls are implemented correctly and operating as intended. That means when evaluated, they produce the desired outcome.  An assessment is about gathering information to providing the factual basis for an authorizing official (Designated Accrediting Authority) to render a security accreditation decision

Accreditation (NIST Authorization) – Security accreditation is the official management decision to operate (DAA – Formal approval of the system). Authorization is given by a senior agency official (upper-management/higher head quarters/combat commander). The official should have the authority to oversee the budget and business operations of the information system explicitly accept the risk to operations, assets, individuals. They accept responsibility for the security of the system and are fully accountable for the security of the system.

The official management decision given by a senior organization“The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.”

– NIST SP 800-37 rev 1

March 14, 2014, UPDATE RMF – DoD IT:

DIARMF will be known as Risk Management Framework for DoD IT.



Snowden-Manning Heros?

DISCLAIMER: I have no first hand knowledge of the NSA PRISM program.  This is just my personal opinion of Edward Swowden’s release of classified information and the impacts.

What is PRISM:

PRISM is the code name for the data collection program which was born out of the Protect America Act.

Recently Mr. Edward Snowden released classified information to the international media and fled the U.S.  He was working on the PRISM program and felt that the right thing to do was to tell U.S. citizens about their loss of privacy.



SHH!! Don’t tell anybody this.. but privacy has BEEN gone if you are on Facebook, Google or any other social network.  These organization are storing our private data.  But what do these organizations do with that data?

  • Do they try to protect your data?
  • Do they sometime release it to third parties?
  • Can certain data you store on their system be used against you in a court of law?
  • All of the Above 🙂

Encrypt your data.  That is the only real way to have privacy to a trusted party.   Don’t use FB or Google for stuff you want hidden.

The Need for Some Sort of PRISM:

Spies get a very very bad rap lately.  Analysts are unsung heros.   It that world nothing is what it seems.  The media presents one side of everything.  You have to dig and cross reference to get facts.  Intelligence provides a proactive answer to security.  I am speaking from the perspective of someone who has done security defensively.  There is a need for gathering data within the U.S. infrastructure.  Once data is gathered, it can be correlated to detect patterns of potential threats.

So I think we MUST have something like PRISM (especially in the US) due to the exposure of our assets and the subsequent likelihood of attack. We have a high risk.  And the greatest risk is from INSIDERS (ironically enough PRISM cannot protect itself).

There are three main issues with the programs current setup:

1.  Lack of Oversight & Transparency: There seems to be very little transparency and  oversight that represents US citizens regarding privacy and controlling how far the government can go.  US Senators are led away from what is really going on.

2.  Total Information Awareness:  This system may be too DAMN powerful as far as what it is capable of.  In fact, it seems to be like using GOD Mode 24/7 to gather information.  Snowden mentioned that it can track ANY email.. is this on a whim?  does there need to be some sort of probable cause or “reason to believe” or is this left to the discretion of the guy with his finger on the button.. this leads to the next issue..

3. The Patriot Act II + Protect America Act =  Its too DAMN politically powerful.  This program has the legal backing to do anything with NO checks and balances.


Would I call Snowden/Manning heros/martyrs?  I would not group Snowden with Manning.  The information that Snowden released (so far) is showing a the capability of NSA spying (something that was done by whistle blower William Binney in 2002).  PVT First Class Bradley Manning leaked a lot of war material that risked a lot of people’s lives:

videos of the July 12, 2007 Baghdad airstrike and the 2009 Granai airstrike in Afghanistan; 250,000 United States diplomatic cables; and 500,000 army reports that came to be known as the Iraq War logs and Afghan War logs. It was the largest set of restricted documents ever leaked to the public. — http://en.wikipedia.org/wiki/Bradley_Manning

The problem with this is that it actually endangered the lives of informants, and some people that were on the ground in Afghan/Iraq.  Manning fucked up big time.  Snowden is a hacktivist who will have to spend sometime in prison or in Iceland evading the US government unless the American public rallies to sway the politicians.

Whistleblower Protection:

My hope is that there is due care taken on this issue.  Because there is a real concern regarding the Constitution, Privacy and uncheck powers of the government.  If not, perhaps the next administration will take up the call of the people.  SarbanesOxley Act of 2002 has a Whistleblower Protection Act that would be helpful if such a law could apply to Snowden.  I am not so sure about that.

Transparency & Accountability

I know their needs to be transparency and accountability. But I think its naive to think that we should release all information on all classified data to the world as the Wikileaks crowd believes.  


Organizations & States have an obligation to maintain Confidentiality of critical data.

That means databases with witness protection programs must be kept Confidential, bank transactions must be protected..

Nations have some serious enemies (ESPECIALLY the US).  The US governments duty is to protect its people from those enemies (foreign or domestic).

Consider this:  Certain information on the physical/logical locations of weapons systems, pattens on lethal biochemicals, information on the capabilities of a nation are very effective tools in the hands of really bad people.

Its naive to think that opening up all classified data is going to set the world free.  I wish humanity was in a kinder, gentler situation.. but the reality is some crazy people want to kill as many people as possible.

Yes!  I agree that governments with unrestricted power can be MUCH more dangerous.  Some transparency with check and balances are necessary.



The post modern war conflict is a fight over ideology. Its less about my nation versus your nation and more and more about belief systems.  

RIGHT NOW there is someone with the intent to kill as many people as possible.  With the capability and opportunity they would strike.  There IS an enemy and they are anywhere and everywhere.  You can no longer point at a map and say “All these people are my enemy.”

Now there is an enemy willing to kill you over what you believe, what you represent and what they think you are.  And more than likely, THEY are living in your city.   Who are “THEY”?

Figuring out who THEY are.. is where data mining and correlation comes in.

The threat-source can be from ANY country, race, creed, or religious faction. They are more and more likely to have a citizenship in your country for the sake of having free reign to make the most damage on the most people that represent what they seek to destroy.

Its sounds crazy until a bomb goes off in the middle of a Boston Marathon with the attackers on their way to Time Square.  Luckily, there was surveillance to help deter further killings.

How do we fight against these threats?
Threats can be detected via patterns within information.

Solution:  The government should allow the program manager of the system to explain why its necessary, provide proof of its usefulness.  Limit the use and extent of PRISMs power.

I hope the president will listen to the Internet community on this.  I hope that some political party will hear the cries of thousands of potential constituents then take an intelligent look at the public’s concerns.  Realistically, the American public voted on the reps that backed the laws that created this system.  They accepted it by proxy.  But the shock is from the alleged reach of this program.  Its too bad it took Snowden is risking years away from home and possibly prison for the US to wake up and start talking about something that was leaked years ago.

DIACAP Essentials + IA Control Validation Training (part 3): DIACAP/AFCAP Day2

UPDAT: 2014 – Risk Management Framework for DOD IT released.

Day 1 & 2 have been all about the very basics of DIACAP. Were introduced to the terminologies, key players of the C&A process and basically given the big picture. Like I said, GREAT for beginners, but just lots of theory and refresher if you’ve been doing C&A since DITSCAP.

Day 1 &2:

Getting the Big Picture

DIACAP/AFCAP Policy & Terminology

Roles and Responsibilities for the C&A process

Accreditation & Approval to Connect

Homework: review terminology

In between longer breaks, during lunch and just before class we sneak in episode of the The IT Crowd. Its the first time I’ve watched it so its a real treat for me. Hilarious show.

DIACAP Essentials + IA Control Validation Training (part 2): DIACAP/AFCAP Day1

This is the second installment of the DIACAP Essentials journal.

In the first day of class we’ve taken a high level look at the big picture of the Department of Defense Information Assurance Certification & Accreditation Process (DIACAP) and Air Force Certification & Accreditation Program (AFCAP). It is a very valuable tool for a beginner.

Since I’ve gone through the entire process (with a legacy system) more than once through all the growing pains of Air Force C&A from DITSCAP to DIACAP, I found that I knew about 90% of everything taught. I don’t mind having a refresher, though and quite frankly, I need the CPE’s for my CISSP :).

There were a couple of golden nuggets that I’ve been able to get out of some of the old timers. I learned some interesting things about how the Navy, Marines and Army do things.
Navy (as weird as their dumb ass rank system.. yep, I said it.. its dumb) have like three systems: DITPR-DON, DA-DUMB and some other BS, Marines have something called Exacta and the Army has APMS (Army Profile Management System). Also learned cool off topic stuff like history of eMass.

I must admit I’m looking forward to day two.
pros of day 1: Good solid start on basics GREAT for beginners. SecureInfo gets mad props for have a great instructor John M.(don’t know if he wants his full name published.. but he’s highly, highly knowledgeable and very positive).

cons of day 1: Right off the bat I am noticing a huge hole in the training… a lack of in depth teaching of EITDR, which is how the Air Force implements, manages and maintains the entire DIACAP/AFCAP process. I don’t really see how you can teach one without the other these days. I guess contractually, SecureInfo can not touch it since some other company has the contract. But unfortunately, the folks that are new to this are going to suffer. Because if they goto this class without knowing the EITDR they will know why but now how, and if they go to the EITDR class without knowing the DIACAP they will know how but not Why.

Certification & Accreditation Change

Standard-issue security
Certification and accreditation process for national security systems to extend to the rest of government. A two-year-old effort to standardize processes for certifying and accrediting government IT systems could soon bear fruit, according to officials from several agencies.

The Committee on National Security Systems is preparing instructions for implementing a unified certification and accreditation (C&A) process that could be used on all national security systems, including those in the Defense Department and intelligence community, said Tony Cornish, chairman of the CNSS’ C&A working group.

At the same time, the National Institute of Standards and Technology plans to update its C&A guidance for systems covered by the Federal Information Security Management Act, said Ron Ross, a senior computer scientist and FISMA implementation lead at NIST.

“We are very close to producing a unified C&A process for the entire federal government,” Ross said in July at a government security symposium hosted by Symantec. “Within the next six to eight months, you are going to see a plethora of new things coming out” from CNSS and NIST.

CNSS’ instructions will be incorporated into NIST guidelines in its 800 series of special publications. Ross said a major update of SP 800-53 Rev. 2, “Recommended Security Controls for Federal Information Systems,” is expected in December, and a draft of the first revision of SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems,” is expected to be released for comment soon.

A single, governmentwide approach would make it easier for agencies to share data and cooperate with one another and with states, foreign allies and the private sector.

It could enable reciprocity, or the acceptance of other agencies’ C&A processes, without requiring recertification, and also could streamline acquisition processes by making it easier for vendors and developers to meet one set of standards.

C&A is a process for ensuring that IT systems are operating with an appropriate level of security. In the certification phase, the security of the system is documented; for accreditation, a designated authority signs off on the system’s fitness to go into operation. The concept has been around for some time, but there has been little standardization.

“In the past, we each had our own set of policies, and we didn’t look at each other’s,” said Sherrill Nicely, deputy associate director of national intelligence at the Office of the Director of National Intelligence.

FISMA requires C&A of information technology systems, but that does not apply to national security systems. And within the national security community, the military and intelligence sectors each have had their own way of doing things.

“Since about 1993, the Defense Department had its program, the Defense IT Security Certification and Accreditation Process,” said Eustace King, DOD chief of acquisition and technology oversight. “It worked pretty well” in a time before DOD’s emphasis on network- centric systems and information sharing, but it lacked enterprise visibility.

That C&A program was replaced with the Defense Information Assurance Certification and Accreditation Process. DOD was moving to the program in 2006 to harmonize military and intelligence processes when, a year later, it was expanded to include the rest of the national security community by bringing in the CNSS.

Through NIST, C&A procedures eventually will be standardized across all of government. However, policies do not change mind-sets, and old habits still remain one of the primary challenges to a standardized process. At DOD, there is a reluctance to accept reciprocity — that is, to give full credit to another agency’s C&A process without recertification, King said.

The intelligence community faces a similar hurdle, said Sharon Ehlers, an assistant deputy associate director of national intelligence.

“The cultural change has been the biggest challenge,” Ehlers said. “When it is not invented here, people don’t want to look at it.”

The rise of “intelligent” CCTV

I think its great that we have better technology in security. What is disconcerting are laws like the Patriot Act and FISA bill which take right from citizens for the sake of more security. With this increased technological power in security, there needs to be more balance, but it seems the rights of citizens (particularly privacy and civil liberties) are taking a back seat to all manor of political will. All this powered by the fear of terrorism after 9/11.

I’m not saying we should not be more cautious or more aware. I’m not saying that more security is not necessary. What I am saying is that Taking away liberties is not necessary. And even if you feel it is necessary to spy on all citizens indefinitely to “catch terrorist” shouldn’t there be checks and balances on the watchers. Who will watch the watchers? How will we ensure that their powers are not abused.

New Technologies:
Smart CCTV – There are now smart security cameras with pattern recognition that allow them to alarm when some one does something suspicious such as climb a fence, or put down a bag and walk away. That technology has been developed by companies like ObjectVideo Inc. Defense Advanced Research Products Agency (DARPA) hopes to take it a step further by creating systems that can learn everyday patterns and send alarm when things are outside of their known pattern, also known as anomaly detection.


read more | digg story

untraceable movie

untraceable movie

I just saw a movie called Untraceable. It is cyberterrorism meets Seven. Although it is very violent, it falls short of the pure “torture porn” genre (i.e. Hostel, Saw). They didn’t sensationalize the FBI computer crime team. They made the characters real people with real problems.

The best part of the movie is that it addresses hard societal questions that we are still struggling with. The killer’s greatest weapon was the Internet itself. He used the anonymity and distributed non-centralized power of the net to broadcast killings on the Internet. Once he captured a victim, he would put them in a contraption that would torture them to death based on how many people came to the site. The FBI is at a loss, because their equipment (while it can easily bait & hunt small time phishers, criminal hackers and adults soliciting sex from kids online) it is useless against this serial killers level of software, Internet, and electronics sophistication. They eventually call upon the NSA, who tell them that they are not allowed to use their resources for domestic issues. With the Patriot Act and NUMEROUS presidential NSA acts, I don’t believe this is entirely true. But the movie seems to suggest that it is.

Although, I disagree with the message of giving more power to the FBI & NSA to catch bad guys (as it would require the loss of more civil liberties of law abiding citizens), I definitely recommend this movie.

Movie fact:

The site used by the killer (www.killwithme.com) actually exists. It’s owned by the movie studio and it’s used to promote the movie. In it, users are taken to a replica of the FBI computer used by the character Jennifer Marsh. Her desktop gets hacked by the killer who provides the visitor with four test he/she must complete to deactivate his site.

Standard Desktop Configuration (SDC) News

The Department of Defense has implemented the Standard Desktop Configuration (SDC) environment which allow all systems to have a uniform level of security. 

ALL SDC all the time: https://afecmo.gunter.af.mil/default.aspx

Now the rest of the federal goverment is jumping on the Information Assurance Bandwagon with something called the Federal Desktop Core Configuration (FDCC).

SDC version 2 (Vista) is already in the works as well as Standard Server Configuration (SCC).