Source of Changes:
President’s Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
Office of Management and Budget Memorandum M-17-25 – next-generation Risk Management Framework (RMF) for systems and organizations
NIST SP 800-53 Revision 5 Coordination
Securing and managing agency mobile apps.
WEBINAR, THU 11/10, Complimentary, CPEs
This important video webinar will explore how mobile apps
rapidly expand in agency networks and how agency experts
limit security risks while they manage mobile Web devices
to drive agency productivity and mission achievement.
Tier 1: Organization level
Tier 2: Mission/Business Process level
Tier 3: Information System level
Tier 1: Organization Level risk management
Tier one addresses security from the organizations perspective. The activities include the implementation of the first component of risk management, risk framing. Risk framing provides context of all the risk activities within an organization, which affects the risk activities of tier 1 & 2. The output of risk framing is Risk Management Strategy. In tier 1 the organization establishes and implements governance structure that are in compliance with laws, regulations and policies. Tier 1 activities include establishment of the Risk Executive Function, establishment of the risk management strategy and determination of the risk tolerance.
Tier 2: Mission/Business Process Level risk management
Tier 2 risk management activities include: 1) defining the mission/business processes to support the organization. 2) Prioritize the mission/business process with respect to the long term goals of the organization. 3) Define the type of information needed to successfully execute the mission/business processes, criticality/sensitivity of the information and the information flows both internal and external of the information.
Having a risk-aware process is an important part of tier 2. To be risk-aware senior leaders/executives need to know: 1) types of threat sources and threat events that could have an adverse affect the ability of the organizations 2) the potential adverse impacts on the organizational operations and assets, individuals, the Nation if confidentiality, integrity, availability is compromised 3) the organization�s resilience to such an attack that can be achieved with a given mission/business process
Tier 3: Information System risk management
From the information system perspective, tier 3 addresses the following tasks:
1) Categorization of the information system
2) Allocating the organizational security control
3) Selection, implementation, assessment, authorization, and ongoing
Chapter 3 focuses on the step to have a comprehensive risk management program. The tasks discussed include:
With the move from certification and accreditation (C&A) to risk management framework, comes a few new terms. “C&A” will be replaced with assessment and authorization. Even though “information assurance (IA) controls” will be call “security controls”, the definition and work is still the same, but the hope is that its done continuously and more cost-effective.
Certification (NIST Assessment) – Comprehensive evaluation of an information system assessment of IA Controls/Security Controls to determine the extent to which the controls are implemented correctly and operating as intended. That means when evaluated, they produce the desired outcome. An assessment is about gathering information to providing the factual basis for an authorizing official (Designated Accrediting Authority) to render a security accreditation decision
Accreditation (NIST Authorization) – Security accreditation is the official management decision to operate (DAA – Formal approval of the system). Authorization is given by a senior agency official (upper-management/higher head quarters/combat commander). The official should have the authority to oversee the budget and business operations of the information system explicitly accept the risk to operations, assets, individuals. They accept responsibility for the security of the system and are fully accountable for the security of the system.
“The official management decision given by a senior organization“The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.”
DIACAP has “Risk Management Framework Transformation Initiative” underway that provides information on use of NIST SP 800-53, NIST SP 800-37, CNSS Instruction 1253.
The site introduces changes being made to DoDD 8500.01, DoDI 8500.2, DoDI 8510.01 and other documents that will be aligned with NIST 800 and FISMA 2013. They will feature an attempt to keep up with new arising cyberthreats, vulnerabilites and security incidence using real-time, “continuous monitoring” technologies such as HP ArcSight, McAfee ESM, ePO, NSP, Retina, Nessuss and other near real-time active monitoring systems.
road to diarmf
Why DIACAP to DIARMF?
Federal government has gotten more serious about security. They realize that enterprise level security and process is a continuous and expensive business. The old certification & accreditation process is not only long and expensive but so slow that it cannot keep up with the constant changes of information technology.
Risk based/cost effective security means creating security systems and policies that focus on “adequate security”. The Executive Branch Office of Management and Budget (OMB) defines as adequate security, or security commensurate with risk, to include the magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information. The feds are also attempting to make the process of implementing and evaluating security controls by creating as much paper-less automation as possible.
note IMHO: Since technology is changing at a rate of what Ray Kurzweil calls “accelerating returns” I think for governments and organizations stuck in “static policy” based systems there is no way they can ever keep up with information technology without revolutionary shift in thinking. Google is probably the closest to understanding what is actually happening. The best any of us can do is observe.
Source documents for all U.S. Federal information security:
OMB A-130 – Management of Federal Information Resources
FISMA – Federal Information Security Management Act of 2002
Required for all government agencies to develop, document, and implement an agency-wide information security program to provide information security for the information and systems that support the operations and assets of the agency Applies to contractors and other sources.
The federal government has created various acts/laws to implement to changes to the C&A process to a more risk management approach and emphasize a risk-based policy for cost-effective security. These acts include (but are not limited to):
Federal Information Security Management Act of 2002 (amended as of 2013 April)
The Paperwork Reduction Act of 1995
The Information Technology Management Reform Act of 1996 (Clinger-Cohen Act) supported by Office of Management and Budget (OMB) through Circular A-130, Appendix III, Security of Federal Automated Information Resources
This NIST 800 is a well thought out set of federal security standards that DoD and the Intel world is moving too. It aligns with International Organization for Standardization (ISO) and International Electotechnical Commissions (IEC) 27001:2005, Information Security Management System (ISMS).
NIST 800 is updated and revised by the following organizations:
Joint Task Force Transformation Initiative Interagency (JTFTI) Working Group National Institute of Standards and Technology (NIST)
JTFTI is made up of from the Civil, Defense, and Intelligence Communities. This working group reviews and updates the following documents
NIST Special Publication 800-37, Revision 1 Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
NIST Special Publication 800-39, Enterprise-Wide Risk Management: Organization, Mission, and Information Systems View
NIST Special Publication 800-53, Revision 3 Recommended Security Controls for Federal Information Systems and Organizations
NIST Special Publication 800-53A, Revision 1 Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
Office of the Director of National Intelligence (ODNI)
The DNI is a position required by Intelligence Reform and Terrorism Prevention Act of 2004. This office serves as adviser to the president, Homeland Security and National Security Counsil as well and director of National Intelligence.
Department of Defense (DoD)
DoD is composed of (but not limited to) the USAF, US Army, DON and Marines. It is the most powerful military organization in recorded history.
Committee on National Security Systems (CNSS)
This committee was created to satisfy National Security Directive 42, “National Policy for the Security of National Security Telecommunications and Information Systems“,
the group has represtatives from NSA, CIA, FBI, DOD, DOJ, DIA and is focused on protecting the US crititcal infrastructure.
DIACAP is transitioning from a Certification and Accreditation to a Risk Management Framework. Most of the new Risk Manager Framework is in the NIST Special Publication 800-37. The old NIST SP 800-37 was also based on Certification and Accreditation. After FISMA 2002, it adjusted to a Risk Management Framework in NIST SP 800-37 Rev 1, Guide for Applying the Risk Management Framework to Federal Information Systems.
NIST SP 800-37 to SP 800-37 rev 1 transformed from a Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF). The changes included:
Revised process emphasizes
Building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls
Maintaining awareness of the security state of information systems on an ongoing basis though enhanced monitoring processes
Providing essential information to senior leaders to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the operation and use of information systems
Got this message today on CAP domain changes.. Not much changed:
On September 1, 2013, (ISC)²® will implement certain domain-related changes for the Certified Authorization Professional (CAP®) credential exam. These will be the new domains you will need to select when submitting CPE credits for your CAP certification.
These domain changes are being implemented based on the outcome of the Job Task Analysis (JTA) completed in late 2012. The JTA provides the essential foundation for all of (ISC)²’s credential exams. Under general circumstances, changes due to a new JTA study are incremental, so addition or deletion of Domains does not occur normally.
courtesy of gabfirethemes
Current CAP Domains:
1. Understand the Security Authorization of Information Systems
I had studied all night after freaking out about the test. I was sick and had to drive to another city to take that damn test. I was exhausted and tired.. lame excuse for being ugly lol. Its all good.. I still get laid.. but enough about ME.. lets talk about the test 😀
How to get a certification
– ISC2 Certified Authorization Professional (ISC2 CAP)
– Risk Management Certification
– Passing Score 700 out of 1000 points (125 questions on the test *25 test questions not counted toward the results)
– Application Fee: $419
– Verify 2 years experience in this field
– Endorsement Form
– Answer questions to criminal history and background
– Other Info: its a CBT, 3 hours to test, based on NIST 800 series
How Hard is the CAP Exam
I just took the ISC2 Certified Authorization Professional test (CAP Exam). I just want to give others who are about to take this test some idea of what they are up against. I noticed there is not a lot of Security Professionals talking about it. I keep hearing that there are only *1000 CAP certified people on Earth (circa 2011). I don’t think its because of the difficulty level (lol.. i mean i would not call it an EASY test, but its no CISSP or CCIE.. btw CCIE has about 25,000 certified as of about 2010 individuals on early despite being around for since 1993… according to Cisco, “fewer than 3% of Cisco certified individuals attain CCIE certification”). I think there are so few CAP certified people because its not a well know certification and its in a specialized field. Perhaps the numbers of CAP certified individuals will always be low.
My overall impression is that it is much harder than Security+ but much easier than CISSP. If you have recent experience with DoD Information Assurance Certification & Accreditation Process (DIACAP) you should have an easy time grasping the National Institute of Standards & Technology (NIST) Special Publication 800 series concepts allowing you to pass the CAP exam. I would say the same about all the C&A frameworks, NIACAP, NISPOM, DCID 6/3, DITSCAP etc. If you know the certification & accreditation process well than you will pick up risk management framework fast. If you have been doing the NIST C&A and/or Risk Management Framework, the test should be a mere refresher course for you and a couple of weeks of reviewing NIST 800 regulations and OMBs you already know might be enough for you to pass the CAP Exam and get this certifications. You should know, however, that quite a bit has changed since 2009 in the certification & accreditation process of getting authorization.
The test is in the style of the CISSP in that you must choose what is MOST right in many cases. All questions are 4-multiple choice type questions.
Study Material for the Certified Authorization Professional
One of my biggest issues about the CAP material is that is has almost NO decent study material. There is “The CISSP and CAP prep guide” by Russell Dean & Ronald L. Krutz, this is the ONLY book I have found aside from one or two lame ebooks (as of 2011).
What I used to get a CAP Certification
The very first thing you should do is become a member of Isc2.org and download the ISC2 CAP Candidate Information Bulletin. The CAP Exam CIB breaks down all the objectives that you need to be knowledgeable in.
Read and/or be very familiar with the following NIST & OMB documents:
– NIST 800-37
– NIST 800-53
– NIST 800-53A
– NIST 800-64
– NIST 800-30
– NIST 800-100
– NIST 800-83
– NIST 800-53
OMB circular A-130
Privacy Act of 1974
FISMA Act of 2002
**The full list of documents & regs to be familiar with are located in CAP CIB
Another great resource is practice tests. Ucertify.com has GREAT content for the CAP, some of the best you will find for the Certified Authorization Professional.
Areas to Spend a LOT of time on:
I would definitely know and fully understand the Risk Management Framework (800-37). You need to know the tasks on each of the six steps of the Risk Management Framework (800-37). System Development Lifecycle is also HUGE on this test(800-64). I would know how Risk Management Framework lines up with SDLC and Risk Assessment process (800-37, 64, 30). Risk Assessment process, Risk Management Framework and SDLC are all interconnected. You should know how they work together. Tasks that are done at each stage and step in all those process and what role does each task is a need to know. Roles and Responsibilities should be fully understood and memorized. Although everyone of the steps in the Risk Management framework are covered pretty good, I feel like the following two steps were beaten to death: Continuous Monitoring & assessments (security control assessor)
The test is computer based and randomized so you might get a completely different set of subject areas. Your best bet is to study what is in the CAP-CIB and use a bunch of practice tests.
What I DID NOT see on the Exam:
I was surprised not to see anything on the NIACAP, DIACAP, FITSAP, DCID 6/3 and DITSCAP. I was fully expecting it and prepared for it. Many of the practice test go on and on about Project/Program Management subject areas. But the only question I recall on that had to do with knowing the role of a Program Manager… thats about it.
Pro & CON on the ISC2 CAP Cert
CONS: I feel like the CAP is currently (2011) not in great demand. If you do a search on any job database (monster, indeed, simplyhired) you see that there are not many employees listing it as a requirement. For example, a 2011 search on isc2 CAP anywhere in the US gives 49 results — http://jobsearch.monster.com/search/?q=isc2-cap
I also think that the certification is WAY over priced. Its $419 which I think is even more than the ISC2 CISSP concentrations.
There is almost no study material for it.
PROS: Covers very important risk management framework material. Its computer based, so the results are instant. Its good lead up and practice for the ISSEP. The ISSEP covers a lot of what is in the CAP. NIST will get increasingly more important as DoD, NSA and other national security system agencies take on the NIST.
2014 Update:DIACAP has been replaced by RMF for DoD IT. The RMF for DoD IT is almost completely derived from the NIST SP 800-37.
NIST roles and responsibilities are addressed throughout the special publication 800 series. The definition of the roles & responsibilities are as follows:
Head of Agency
The Head of Agency is also known as the Chief Executive Officer. This role is the highest level executive senior officer within an organization. They have ultimate responsible for the providing information security protection. The level of protection must be at the same level as the importance of the information. The Department of Defense equivanent is a DoD Head of component (i.e. Secretary of the Army).
image of secretary army john mchugh
Risk Executive Function
The Risk Executive Function’s main focus is the overall risk to the entire organization. They create a risk strategy for the organization that guides mission/business process and system-level risk assessments. The Risk Executive Function is and important role for Tier 1 activities of managing risk of information systems IAW NIST SP 800-39.
Chief Information Officer is an organizational official responsible for (1) designating a senior information security officer; (2) developing and maintaining information security policies; (3) ensure that those with responsibilities in system security have proper training.
“The information owner/steward is an organizational official with statutory, management, or operational authority for specified information and the responsibility for establishing the policies and procedures governing its generation, collection, processing, dissemination, and disposal.” NIST SP 800-37 The Information Owner must coodinate with the Information System Owner (DoD PM equivalent) for decisions involving the overall system.
Senior Information Security Officer
The SISO is directly responsible to the CIO. They’re focus is the information security of the organization’s data. They act as a liaison between CIO and the Authorizing Official. The DoD equivalent (circa 2010) is known as the Senior Information Assurance Officer (SIAO).
AO formally accepts the risk of a system in the Implementation/Assessment phase of the System Development Lifecycle and Step 5, Authorization step of the Risk Management Framework.
Common Control Provider
“The common control provider is an individual, group, or organization responsible for the development, implementation, assessment, and monitoring of common controls.” NIST SP 800-37. A common control is a security controls that covers multiple information systems within and organization. Examples of common controls: Incident Response, Network boundary protection (firewalls, IDS/IPS).
Information System Owner
“The information system owner is an organizational official responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system.” NIST SP 800-37
Information System Security Engineer
“The information system security engineer is an individual, group, or organization responsible for conducting information system security engineering activities.” NIST SP 800-37 The ISSE implements security into the design of systems. The ISSE is often a consultant or Subject Matter Expert who focus is applying information assurance frameworks and regulations in an information system.
Information System Security Officer
This role is initiated at the Initial phase of the System Development Lifecycle (SDLC). “The information system security officer
is an individual responsible for ensuring that the appropriate operational security posture is maintained for an information system and as such, works in close collaboration with the information system owner” NIST SP 800-37. This role has been called and Information Assurance Officer (IAO) within the Department of Defense. Within the DoD this role is appointed by the Information Assurance Manager (IAM). Also known as the Information System Security Manager (ISSM). The ISSM is often responsible to over site and being a supervisor of ISSO positions.
Security Control Assessor
“The security control assessor is an individual, group, or organization responsible for conducting a comprehensive assessment of the management, operational, and technical security controls employed within or inherited by an information system to determine the overall effectiveness of the controls” NIST SP 800-37.
The NIST & DoD have very similar roles with different names:
DoDI 8510.01 DIACAP
NIST SP 800-37 Security Authorization
Heads of the DoD Components
Head of Agency (CEO)
Designated Accrediting Authority (DAA)/
Program Manager (PM)/ Systems Manager (SM)
Information System Owner
Information Assurance Manager (IAM)
Information System Security Officer
Information Assurance Officer (IAO)
Information System Security Officer/ Information System