Category: DoD Risk Management Framework

  • Training and Certification: NIST SP 800-39 Manage Information Security Risk

    NIST SP 800-39, Manage Information Security Risk

    NIST SP 800-39 is a federal document that covers risk management for information systems and their security. It is cited as one of the sources for the ISC2 Certified Authorization Professional (CAP) certification. To study the document, focus on Chapters 2 and 3 of 800-39. Chapter 2 covers the fundamentals of risk management, and Chapter 3 breaks down the process of applying risk management across an organization.

    The Fundamentals of Risk Management (Chapter 2, 800-39)
    800-39 goes into the philosophy (or “the why”) and the how of managing information security risk at multiple levels (the multitier risk management approach). The three layers (or tiers) of risk management addressed in 800-39 are:
    Tier 1: Organization level
    Tier 2: Mission/Business Process level
    Tier 3: Information System level

    Tier 1: Organization Level risk management
    Tier 1 addresses security from the organization’s perspective. Its activities include the implementation of the first component of risk management, risk framing. Risk framing provides the context for all risk activities within an organization, and it affects the risk activities of Tiers 1 and 2. The output of risk framing is the risk management strategy. In Tier 1 the organization establishes and implements governance structures that comply with laws, regulations and policies. Tier 1 activities include establishing the Risk Executive Function, establishing the risk management strategy and determining the risk tolerance.

    Tier 2: Mission/Business Process Level risk management

    Tier 2 risk management activities include:
    1) Defining the mission/business processes that support the organization.
    2) Prioritizing the mission/business processes with respect to the long-term goals of the organization.
    3) Defining the types of information needed to successfully execute the mission/business processes, the criticality/sensitivity of that information, and its information flows, both internal and external.

    Having a risk-aware process is an important part of Tier 2. To be risk-aware, senior leaders/executives need to know:
    1) The types of threat sources and threat events that could adversely affect the organization’s ability to carry out its mission/business processes.
    2) The potential adverse impacts on organizational operations and assets, individuals, and the Nation if confidentiality, integrity or availability is compromised.
    3) The organization’s resilience to such an attack that can be achieved with a given mission/business process.

    Tier 3: Information System risk management

    From the information system perspective, tier 3 addresses the following tasks:
    1) Categorization of the information system
    2) Allocating organizational security controls
    3) Selection, implementation, assessment, authorization, and ongoing

    Chapter 3 focuses on the steps needed for a comprehensive risk management program. The tasks discussed include:
    Risk Framing
    Risk Assessment
    Risk Response
    Risk Monitoring

    Risk Framing
    Risk framing establishes the assumptions, constraints, risk tolerance and priorities that shape how an organization manages risk. Risk framing is shaped by the organizational governance structure, how much money is available, the regulations imposed, the operating environment, culture and trust relationships.
    In order to “frame” risk (that is, to establish the organizational context of the risk), the organization must determine its risk assumptions, risk constraints, risk tolerance and priorities/trade-offs.

    Risk Assumptions
    Risk assumptions have to do with determining how risk will be assessed for an organization. Assumptions are based on the identification of threats, vulnerabilities, the impact to the organization if attacks are successful, and the likelihood of attacks.

    Risk Constraints
    Risk constraints have to do with the accepted limits of risk assessment, risk monitoring and risk response. Those limitations might be financial, cultural, the need to rely on legacy systems, or regulations imposed on the organization.

    Risk Tolerance
    Risk tolerance is how much risk the organization is willing to take.
    Priorities/Trade-offs
    Risk is experienced at different levels, in different forms, and in different time frames. At Tier 1, organizations make trade-offs among and establish priorities for responding to such risks. Organizations tend to have multiple priorities that at times conflict, which generates potential risk. Approaches employed by organizations for managing portfolios of risks reflect organizational culture, risk tolerance, as well as risk-related assumptions and constraints. These approaches are typically embodied in the strategic plans, policies, and roadmaps of organizations which may indicate preferences for different forms of risk response. For example, organizations may be willing to accept short-term risk of slightly degraded operations to achieve long-term reduction in information security risk.
    However, this trade-off could be unacceptable for one particularly critical mission/business function (e.g., real-time requirements in many industrial/process control systems). For that high-priority area, a different approach to improving security may be required, including the application of compensating security controls.

    Risk Assessment
    Risk assessment is threat and vulnerability identification and risk determination. Organizational risk framing is a prerequisite to risk assessment, because the methods of risk assessment must be established within the organization’s risk context.

    Risk Response
    Risk response identifies, evaluates, decides on, and implements appropriate courses of action to accept, avoid, mitigate, share, or transfer risk to organizational operations and assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.

    Risk identification is key to risk response. The risk response types include:
    Risk acceptance – the appropriate risk response when the identified risk is within the organizational risk tolerance. Organizations can accept risk deemed to be low, moderate, or high depending on particular situations or conditions.

    Risk avoidance – Organizations may conduct certain types of activities or employ certain types of information technologies that result in risk that is unacceptable. In such situations, risk avoidance involves taking specific actions to eliminate the activities or technologies that are the basis for the risk, or to revise or reposition these activities or technologies in the organizational mission/business processes to avoid the potential for unacceptable risk.

    Risk mitigation – adding management, technical and administrative safeguards to minimize identified risks to the system.
    Risk sharing & transfer – Risk sharing or risk transfer is the appropriate risk response when organizations desire and have the means to shift risk liability and responsibility to other organizations. Risk transfer shifts the entire risk responsibility or liability from one organization to another organization (e.g., using insurance to transfer risk from particular organizations to insurance companies).

    Risk Monitoring – Risk changes with each modification of the system, so it is important to monitor how a system’s risk changes over time. Changes to threats can also change risk.

  • DoD Risk Management Framework (Part 1): Look Ahead


    The DoD is working on adopting the National Institute of Standards and Technology (NIST) Certification & Accreditation method of assessing and authorizing systems. The NIST system of C&A is actually known as the Risk Management Framework (RMF). This would require the Assistant Secretary of Defense for Networks & Information Integration, ASD(NII), office to map the DoDI 8500.2, Information Assurance (IA) controls to NIST SP 800-53, Recommended Security Controls. I am not certain yet whether they will eliminate the 8500.2 or just have all departments move to the NIST SP 800-53. They will also need to switch the DoD Information Assurance Certification & Accreditation Process (DIACAP) to the NIST SP 800-37 rev 1, Risk Management Framework, or something similar.

    If the transition is anything like their move from the DoD Information Technology Security Certification & Accreditation Process (DITSCAP) to the DIACAP, then they will give the DoD about 2 years to transition. As of Mar. 2011, there is no policy on this. It is serious because it’s on the DIACAP KS, and the Department of the Navy CIO has been releasing information on it since 2009. The DON CIO and the ASD(NII) have been working on the project to transition from DIACAP to some sort of DoD Risk Management Framework. So far, they have mapped the DoDI 8500.2 IA controls to the NIST SP 800-53 controls: Certification and Accreditation Transformation: Security Control Mapping. Here is a May 2010 update to the NIST to DIACAP mapping. The 800-53 to DoD IA controls map also includes the Director of Central Intelligence Directive (DCID) 6/3 controls. This is very telling. The plan seems to be to have one standard for all Federal Information Systems.

    Since DoD 8510.01, DIACAP and NIST SP 800-37, Risk Management Framework (RMF) cover so much of the same ground, I think the only real benefit is that reciprocity between Federal agencies will be easier if all departments have one standard of risk management and one security control set.

    The DON uses the certification and accreditation (C&A) process to assess and understand the residual risk associated with operating information systems (IS) and information technology (IT). The DON is participating with the DoD, the IC, and the rest of the Federal government in C&A transformation. One goal of transformation is to achieve common security controls enabling the DON, the DoD, the IC, and the rest of the Federal government to develop systems to the same protection standards.

    The recently released National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, revision 3 provides recommended consolidated security controls in an effort to achieve common security controls across the Federal government.

    The DON will continue to use the DoDI 8500.2 as the authoritative source for security controls until otherwise specified. However, understanding the changes represented in NIST SP 800-53r3 will be essential as DoD and the DON begin transitioning to this new set of security controls. To support the transition, the DON CIO developed this security control mapping document to demonstrate how existing DoD and IC security controls map to the security controls recommended by the NIST SP 800-53r3 publication.

    Security Control Mapping Document Aids Transition, DON CIO Site

  • EITDR – Enterprise Information Technology Data Repository

    EITDR

    30 Aug 11 – Update: USAF recently changed the functionality of EITDR

    To all System Security Engineers and Information Assurance Officers,

    Here is something you might need to know. The Air Force previously conducted many of its certification & accreditation activities through the EITDR database; as of this update it conducts none of its C&A (soon Risk Management Framework) through EITDR. The USAF is moving to eMASS. As of Aug 2011, the USAF is still using EITDR to do IT portfolio management (to remain compliant with FISMA). EITDR feeds into the DoD IT Portfolio Registry (DITPR) database. Each branch has its own IT registry: the Army has the Army Portfolio Management System (APMS), and the Navy/Marines have the DITPR-DON. All of these systems are used to “record investment review and certification submission information, FISMA assessments, E-Authentication status, and Privacy Impact Assessment status” (Office of the Assistant Secretary of the Navy).

    Each branch has an agency that controls these databases; for example, the Air Force has the Air Force Communications Agency (AFCA, now AFNIC), and the Army has the Installation Management Agency. These agencies moderate the certification & accreditation process. The IT Lean (acquisitions) process and the SISSU (security, interoperability, supportability, sustainability and usability) process are integrated into EITDR/DITPR-DON/APMS. Once you complete all the questions for your registered system, you will have accomplished complete SSAA, DIACAP, and even ISP packages.

    For more information, search public.afca.af.mil (USAF). Everything you need to know is there. Also call or email AFCA/EV to learn more.
    Army personnel can go to https://www.us.army.mil/suite/folder/4920492