Category: nist

  • diacap to diarmf: manage information security risk

    Risk Management Framework is implemented throughout an organization.

    NIST SP 800-39, Managing Information Security Risk, describes how to manage risk across the three layers (or tiers) of an organization:

    Tier 1: Organization level
    Tier 2: Mission/Business Process level
    Tier 3: Information System level


    Tier 1: Organization Level risk management
    Tier 1 addresses security from the organization's perspective. Its activities implement the first component of risk management, risk framing. Risk framing provides the context for all risk activities within the organization, and so shapes the risk activities of Tiers 2 and 3. The output of risk framing is the risk management strategy. At Tier 1 the organization establishes and implements governance structures that comply with applicable laws, regulations and policies. Tier 1 activities include establishing the Risk Executive (function), establishing the risk management strategy and determining the organization's risk tolerance.

    Tier 2: Mission/Business Process Level risk management

    Tier 2 risk management activities include: 1) defining the mission/business processes that support the organization; 2) prioritizing those mission/business processes with respect to the long-term goals of the organization; and 3) defining the types of information needed to execute the mission/business processes, the criticality/sensitivity of that information, and its internal and external information flows.

    Having risk-aware mission/business processes is an important part of Tier 2. To be risk-aware, senior leaders/executives need to know: 1) the types of threat sources and threat events that could adversely affect the organization's ability to carry out its mission/business processes; 2) the potential adverse impacts on organizational operations and assets, individuals, other organizations, and the Nation if the confidentiality, integrity or availability of information is compromised; and 3) the resilience to such threats that can be achieved with a given mission/business process.

    Tier 3: Information System risk management

    From the information system perspective, Tier 3 addresses the following tasks:
    1) Categorizing the information system
    2) Allocating security controls to the information system and the environment in which it operates
    3) Selecting, implementing, assessing and authorizing the allocated security controls, and monitoring them on an ongoing basis

    Chapter 3 focuses on the steps of a comprehensive risk management program. The tasks discussed are:
    Risk Framing
    Risk Assessment
    Risk Response
    Risk Monitoring


    For more information go to: http://elamb.org/training-certification800-39-manage-information-security-risks/


  • diacap to diarmf: intro

    DIACAP to DIARMF: Intro

    image of diacap to rmf

    The DoD Chief Information Officer (formerly the Assistant Secretary of Defense for Networks and Information Integration), in collaboration with the Department of the Navy CIO, developed a DoDI 8500.2 to NIST SP 800-53 IA control mapping (2010). More at the DIACAP Knowledge Service.

    DIACAP Knowledge Service

    On the DIACAP Knowledge Service go to “C&A Transformation”. This page introduces some of the coming changes from Certification & Accreditation (C&A) to the Risk Management Framework described in NIST SP 800-37.

    The Knowledge Service has a “Risk Management Framework Transformation Initiative” underway that provides information on the use of NIST SP 800-53, NIST SP 800-37 and CNSS Instruction 1253.

    The site introduces changes being made to DoDD 8500.01, DoDI 8500.2, DoDI 8510.01 and other documents so that they align with the NIST 800 series and FISMA 2013. The aim is to keep up with new cyber threats, vulnerabilities and security incidents using real-time or near real-time “continuous monitoring” technologies such as HP ArcSight, McAfee ESM, ePO and NSP, Retina, Nessus and other active monitoring systems.

    image: road to diarmf

    Why DIACAP to DIARMF?

    The federal government has gotten more serious about security. It realizes that enterprise-level security and process is a continuous and expensive business. The old certification & accreditation process is not only long and expensive but so slow that it cannot keep up with the constant change in information technology.

    Risk-based, cost-effective security means building security systems and policies that focus on “adequate security”. The Executive Branch Office of Management and Budget (OMB) defines adequate security as security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. The feds are also trying to streamline the implementation and evaluation of security controls by automating the process and eliminating paperwork as far as possible.

    note IMHO: Since technology is changing at a rate of what Ray Kurzweil calls “accelerating returns”, I think for governments and organizations stuck in “static policy” based systems there is no way they can ever keep up with information technology without a revolutionary shift in thinking. Google is probably the closest to understanding what is actually happening. The best any of us can do is observe.

     Source documents for all U.S. Federal information security:

    OMB A-130 – Management of Federal Information Resources

    FISMA – Federal Information Security Management Act of 2002

    Federal Information Security Management Act of 2002 (FISMA, 44 U.S.C. § 3541) enacted as Title III of the E-Government Act of 2002 (Public Law 107-347)

    FISMA requires all federal agencies to develop, document, and implement an agency-wide information security program to provide information security for the information and systems that support the operations and assets of the agency, including those provided or managed by contractors and other sources.

    The federal government has enacted various laws to move the C&A process toward a risk management approach and to emphasize risk-based policy for cost-effective security. These include (but are not limited to):

    • Federal Information Security Management Act of 2002 (amended as of April 2013)
    • The Paperwork Reduction Act of 1995
    • The Information Technology Management Reform Act of 1996 (Clinger-Cohen Act), supported by the Office of Management and Budget (OMB) through Circular A-130, Appendix III, Security of Federal Automated Information Resources


  • Who Created/Manages NIST 800?

    Who Creates and/or Manages the NIST 800?

    The NIST SP 800 series is a well-thought-out set of federal security standards that the DoD and the Intelligence Community are moving to. It aligns with the International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) standard 27001:2005, Information Security Management Systems (ISMS).


    The NIST 800 series is published by the National Institute of Standards and Technology (NIST). The core risk management documents are updated and revised through the Joint Task Force Transformation Initiative (JTFTI) Interagency Working Group, which is made up of representatives from the Civil, Defense, and Intelligence Communities. This working group reviews and updates the following documents:

    •      NIST Special Publication 800-37, Revision 1 Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
    •     NIST Special Publication 800-39, Enterprise-Wide Risk Management: Organization, Mission, and Information Systems View
    •     NIST Special Publication 800-53, Revision 3 Recommended Security Controls for Federal Information Systems and Organizations
    •     NIST Special Publication 800-53A, Revision 1 Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans

    These core documents are the standard for how to implement FISMA. NIST has done a good job of keeping the 800 series in line with the international standard ISO/IEC 27001. The JTFTI is made up of NIST, ODNI, DoD and CNSS, and each document is also publicly vetted.

    Office of the Director of National Intelligence (ODNI)
    The DNI is a position created by the Intelligence Reform and Terrorism Prevention Act of 2004. The DNI heads the Intelligence Community and serves as the principal adviser to the President, the National Security Council and the Homeland Security Council on intelligence matters.

    Department of Defense (DoD)
    The DoD is composed of (but not limited to) the US Army, the US Air Force and the Department of the Navy (DON), which includes the Marine Corps. It is the most powerful military organization in recorded history.

    Committee on National Security Systems (CNSS)
    This committee was created to satisfy National Security Directive 42, “National Policy for the Security of National Security Telecommunications and Information Systems”. The group has representatives from NSA, CIA, FBI, DoD, DoJ, DIA and other agencies and is focused on protecting national security systems.

    Sources: http://en.wikipedia.org/wiki/Committee_on_National_Security_Systems

    Public (review and vetting) – the draft is posted online on NIST.gov

    http://csrc.nist.gov/publications/PubsDrafts.html

    sources:

    Fismapedia – Joint Task Force Transformation Initiative (JTFTI)

    http://www.fismapedia.org/index.php?title=Joint_Task_Force_Transformation_Initiative

    Scadahacker – mappings NIST to International

    http://scadahacker.com/library/Documents/Standards/mappings/Mapping%20NIST%20800-53.pdf

  • diacap to diarmf: C&A vs RMF

    DIACAP is transitioning from a Certification and Accreditation (C&A) process to the Risk Management Framework. Most of the new Risk Management Framework is in NIST Special Publication 800-37. The original NIST SP 800-37 (2004) was itself a C&A guide written after FISMA 2002; it was reworked into the Risk Management Framework in NIST SP 800-37 Rev 1 (2010), Guide for Applying the Risk Management Framework to Federal Information Systems.


    NIST SP 800-37 Rev 1 transformed the Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF). The revised process emphasizes:

    1. Building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls
    2. Maintaining awareness of the security state of information systems on an ongoing basis through enhanced monitoring processes
    3. Providing essential information to senior leaders to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the operation and use of information systems

  • Approved System

    Information assurance is about obtaining a high level of confidence in the confidentiality, integrity and availability of information. Some organizations deal with “critical information”: banking transactions, classified data, or information that is evidence in an ongoing investigation. Companies, unions and governments that handle this kind of information usually have a lot of exposure because they handle public data, shareholder data and employee data, and move a lot of it across untrusted networks such as the Internet. With critical information and high exposure, these organizations MUST have “approved processes” for vetting, testing and validating “approved software” and “approved systems”.

    For example, in the Department of Defense there are many approved-software lists, often maintained per command within the larger organization. One overarching process is the Common Criteria:

    Common Criteria is an international standard for evaluating the security features built into information technology products and the assurance with which they were implemented. The standard is published as ISO/IEC 15408.

    This standard is used by many large organizations all over the world that serve the public:

    www.commoncriteriaportal.org

    www.commoncriteria.com

    Each organization has its own specific security needs, so most of the time there are several levels of application approval and process:

    NSA / DoD / US Gov – www.niap-ccevs.org – The National Information Assurance Partnership (NIAP) runs the Common Criteria Evaluation and Validation Scheme (CCEVS) to ensure that only validated Information Assurance (IA) and IA-enabled Information Technology (IT) products are used

    Canada – Canadian Common Criteria Scheme (successor to the Canadian Trusted Computer Product Evaluation Criteria)
    UK – www.cesg.gov.uk/servicecatalogue/ccitsec

    Commercial vendors that want their products used by organizations processing and storing critical information must submit their products for Common Criteria evaluation as well:

    Apple – https://ssl.apple.com/support/security/commoncriteria/

    Microsoft – www.microsoft.com/en-us/sqlserver/common-criteria.aspx

    Xerox – Common Criteria

    Citrix – www.citrix.com/support/security-compliance/common-criteria.html

    Cisco – Cisco Common Criteria
    EMC – Common Criteria

    Organizational units also have their own criteria for approved applications and systems:

    US Army – Army CHESS (Computer Hardware, Enterprise Software and Solutions)

    US Air Force – AF E/APL (Air Force Evaluated/Approved Products List)


  • ISC2 CAP Domain Changes

    Got this message today on CAP domain changes. Not much changed:

    On September 1, 2013, (ISC)²® will implement certain domain-related changes for the Certified Authorization Professional (CAP®) credential exam.  These will be the new domains you will need to select when submitting CPE credits for your CAP certification.

    These domain changes are being implemented based on the outcome of the Job Task Analysis (JTA) completed in late 2012. The JTA provides the essential foundation for all of (ISC)²’s credential exams. Under general circumstances, changes due to a new JTA study are incremental, so addition or deletion of Domains does not occur normally.


    Current CAP Domains:

    1.      Understand the Security Authorization of Information Systems

    2.      Categorize Information Systems

    3.      Establish the Security Control Baseline

    4.      Apply Security Controls

    5.      Assess Security Controls

    6.      Authorize Information System

    7.      Monitor Security Controls

    Effective September 1, 2013 CAP Domains:

    1.      Risk Management Framework (RMF)

    2.      Categorization of Information Systems

    3.      Selection of Security Controls

    4.      Security Control Implementation

    5.      Security Control Assessment

    6.      Information System Authorization

    7.      Monitoring of Security Controls

  • Roles & Responsibilities

    2014 Update:  DIACAP has been replaced by RMF for DoD IT.  The RMF for DoD IT is almost completely derived from the NIST SP 800-37.

    NIST roles and responsibilities are addressed throughout the Special Publication 800 series. The roles and responsibilities are defined as follows:

    Head of Agency
    The Head of Agency is the equivalent of a Chief Executive Officer: the highest-level senior executive within an organization. They are ultimately responsible for providing information security protection commensurate with the risk and magnitude of harm to the information. The Department of Defense equivalent is a DoD Head of Component (e.g. the Secretary of the Army).

    image of secretary army john mchugh

    Risk Executive Function
    The Risk Executive (function) focuses on the overall risk to the entire organization. It produces the risk management strategy that guides mission/business-process and system-level risk assessments. The Risk Executive Function is an important role for the Tier 1 activities of managing information system risk IAW NIST SP 800-39.

    CIO
    The Chief Information Officer is the organizational official responsible for (1) designating a senior information security officer; (2) developing and maintaining information security policies, procedures and control techniques; and (3) ensuring that personnel with significant system security responsibilities are properly trained.

    Information Owner/Steward
    “The information owner/steward is an organizational official with statutory, management, or operational authority for specified information and the responsibility for establishing the policies and procedures governing its generation, collection, processing, dissemination, and disposal.” NIST SP 800-37. The information owner must coordinate with the information system owner (the DoD PM equivalent) on decisions involving the overall system.

    Senior Information Security Officer
    The SISO reports directly to the CIO. Their focus is the information security of the organization's data. They act as a liaison between the CIO and the Authorizing Officials. The DoD equivalent (circa 2010) is the Senior Information Assurance Officer (SIAO).

    Authorizing Official
    The AO formally accepts the risk of operating a system. This happens in the Implementation/Assessment phase of the System Development Life Cycle and at Step 5, Authorize Information System, of the Risk Management Framework.

    Common Control Provider

    “The common control provider is an individual, group, or organization responsible for the development, implementation, assessment, and monitoring of common controls.” NIST SP 800-37. A common control is a security control that covers multiple information systems within an organization. Examples of common controls: incident response, network boundary protection (firewalls, IDS/IPS).

    Information System Owner
    “The information system owner is an organizational official responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system.” NIST SP 800-37

    Information System Security Engineer
    “The information system security engineer is an individual, group, or organization responsible for conducting information system security engineering activities.” NIST SP 800-37. The ISSE builds security into the design of systems. The ISSE is often a consultant or subject matter expert whose focus is applying information assurance frameworks and regulations to an information system.

    Information System Security Officer
    This role is assigned during the Initiation phase of the System Development Life Cycle (SDLC). “The information system security officer is an individual responsible for ensuring that the appropriate operational security posture is maintained for an information system and as such, works in close collaboration with the information system owner” NIST SP 800-37. This role was called the Information Assurance Officer (IAO) within the Department of Defense. Within the DoD the role is appointed by the Information Assurance Manager (IAM), also known as the Information System Security Manager (ISSM). The ISSM is often responsible for oversight and supervision of ISSO positions.

    Security Control Assessor
    “The security control assessor is an individual, group, or organization responsible for conducting a comprehensive assessment of the management, operational, and technical security controls employed within or inherited by an information system to determine the overall effectiveness of the controls” NIST SP 800-37.

    The NIST and DoD have very similar roles with different names:

    DoDI 8510.01 (DIACAP) role                    | NIST SP 800-37 (Security Authorization) role
    Heads of the DoD Components                   | Head of Agency (CEO)
    Designated Accrediting Authority (DAA)        | Authorizing Official
    Program Manager (PM) / Systems Manager (SM)   | Information System Owner
    Information Assurance Manager (IAM)           | Information System Security Officer
    Information Assurance Officer (IAO)           | Information System Security Officer / Information System Security Engineer
    Certifying Authority (CA) / Validator         | Security Control Assessor


  • Risk Management in IT: SDLC

    Risk Management Guide for IT: SDLC

    NIST SP 800-30, Risk Management Guide for Information Technology Systems, discusses how risk management maps onto the system development life cycle (SDLC), the risk assessment methodology, risk mitigation, and the good practice of ongoing risk assessment.

    A system and its information must be protected from cradle to grave, so risk management applies across the entire system development life cycle. The level of protection a system and its data need depends on the criticality of the system to the business and/or mission it supports.
    The system development life cycle consists of five phases: Initiation, Development/Acquisition, Implementation, Operation/Maintenance, and Disposal.

    How Risk Management matches to the System Development Life Cycle (from NIST SP 800-30)

    Phase 1: Initiation
    Phase characteristics: The need for an IT system is expressed and the purpose and scope of the IT system is documented.
    Support from risk management activities: Identified risks are used to support the development of the system requirements, including security requirements, and a security concept of operations (strategy).

    Phase 2: Development or Acquisition
    Phase characteristics: The IT system is designed, purchased, programmed, developed, or otherwise constructed.
    Support from risk management activities: The risks identified during this phase can be used to support the security analyses of the IT system that may lead to architecture and design tradeoffs during system development.

    Phase 3: Implementation
    Phase characteristics: The system security features should be configured, enabled, tested, and verified.
    Support from risk management activities: The risk management process supports the assessment of the system implementation against its requirements and within its modeled operational environment. Decisions regarding risks identified must be made prior to system operation.

    Phase 4: Operation or Maintenance
    Phase characteristics: The system performs its functions. Typically the system is being modified on an ongoing basis through the addition of hardware and software and by changes to organizational processes, policies, and procedures.
    Support from risk management activities: Risk management activities are performed for periodic system reauthorization (or reaccreditation) or whenever major changes are made to an IT system in its operational, production environment (e.g., new system interfaces).

    Phase 5: Disposal
    Phase characteristics: This phase may involve the disposition of information, hardware, and software. Activities may include moving, archiving, discarding, or destroying information and sanitizing the hardware and software.
    Support from risk management activities: Risk management activities are performed for system components that will be disposed of or replaced to ensure that the hardware and software are properly disposed of, that residual data is appropriately handled, and that system migration is conducted in a secure and systematic manner.

  • Training and Certification: NIST SP 800-39 Manage Information Security Risk

    NIST SP 800-39, Manage Information Security Risk

    NIST SP 800-39 is a federal document on managing the risk that arises from the operation and use of information systems. It is cited as one of the sources for the ISC2 Certified Authorization Professional (CAP) certification. For study, focus on Chapters 2 and 3 of 800-39: Chapter 2 covers the fundamentals of risk management and Chapter 3 breaks down the process of applying risk management across an organization.

    The Fundamentals of Risk Management (Chapter 2, 800-39)
    800-39 goes into the philosophy (or “the why”) and the how of managing information security risk at multiple levels (the multitier risk management approach). The three layers (or tiers) of risk management addressed in 800-39 are:
    Tier 1: Organization level
    Tier 2: Mission/Business Process level
    Tier 3: Information System level

    Tier 1: Organization Level risk management
    Tier 1 addresses security from the organization's perspective. Its activities implement the first component of risk management, risk framing. Risk framing provides the context for all risk activities within the organization, and so shapes the risk activities of Tiers 2 and 3. The output of risk framing is the risk management strategy. At Tier 1 the organization establishes and implements governance structures that comply with applicable laws, regulations and policies. Tier 1 activities include establishing the Risk Executive (function), establishing the risk management strategy and determining the organization's risk tolerance.

    Tier 2: Mission/Business Process Level risk management

    Tier 2 risk management activities include: 1) defining the mission/business processes that support the organization; 2) prioritizing those mission/business processes with respect to the long-term goals of the organization; and 3) defining the types of information needed to execute the mission/business processes, the criticality/sensitivity of that information, and its internal and external information flows.

    Having risk-aware mission/business processes is an important part of Tier 2. To be risk-aware, senior leaders/executives need to know: 1) the types of threat sources and threat events that could adversely affect the organization's ability to carry out its mission/business processes; 2) the potential adverse impacts on organizational operations and assets, individuals, other organizations, and the Nation if the confidentiality, integrity or availability of information is compromised; and 3) the resilience to such threats that can be achieved with a given mission/business process.

    Tier 3: Information System risk management

    From the information system perspective, Tier 3 addresses the following tasks:
    1) Categorizing the information system
    2) Allocating security controls to the information system and the environment in which it operates
    3) Selecting, implementing, assessing and authorizing the allocated security controls, and monitoring them on an ongoing basis

    Chapter 3 focuses on the steps of a comprehensive risk management program. The tasks discussed are:
    Risk Framing
    Risk Assessment
    Risk Response
    Risk Monitoring

    Risk Framing
    Risk framing establishes the assumptions, constraints, risk tolerance and priorities that shape how an organization manages risk. The frame is derived from the organization's governance structure, available funding, imposed regulations, environment, culture and trust relationships.
    In order to “frame” risk (that is, establish the organizational context for risk) the organization must determine its risk assumptions, risk constraints, risk tolerance and priorities/trade-offs.

    Risk Assumptions
    Risk assumptions determine how risk will be assessed for an organization. They cover how threats and vulnerabilities are identified, how the impact to the organization of a successful attack is characterized, and how the likelihood of attacks is determined.

    Risk Constraints
    Risk constraints are the accepted limits on risk assessment, risk monitoring and risk response. Those limitations might be financial, cultural, the need to rely on legacy systems, or regulations imposed on the organization.

    Risk Tolerance
    Risk tolerance is how much risk the organization is willing to take.

    Priorities/Tradeoffs
    Risk is experienced at different levels, in different forms, and in different time frames. At Tier 1, organizations make trade-offs among and establish priorities for responding to such risks. Organizations tend to have multiple priorities that at times conflict, which generates potential risk. Approaches employed by organizations for managing portfolios of risks reflect organizational culture, risk tolerance, as well as risk-related assumptions and constraints. These approaches are typically embodied in the strategic plans, policies, and roadmaps of organizations which may indicate preferences for different forms of risk response. For example, organizations may be willing to accept short-term risk of slightly degraded operations to achieve long-term reduction in information security risk.
    However, this trade-off could be unacceptable for one particularly critical mission/business function (e.g., real-time requirements in many industrial/process control systems). For that high-priority area, a different approach to improving security may be required including the application of compensating security controls.

    Risk Assessment
    Risk assessment is the identification of threats and vulnerabilities and the determination of risk. Organizational risk framing is a prerequisite to risk assessment, because the risk assessment methods must be established within the context of the organization's risk frame.

    Risk Response
    Risk response identifies, evaluates, decides on, and implements appropriate courses of action to
    accept, avoid, mitigate, share, or transfer risk to organizational operations and assets, individuals,
    other organizations, and the Nation, resulting from the operation and use of information systems.

    Risk identification is key to risk response. The response types are:

    Risk acceptance – the appropriate risk response when the identified risk is within the organizational risk tolerance. Organizations can accept risk deemed to be low, moderate, or high depending on particular situations or conditions.

    Risk avoidance – organizations may conduct certain types of activities or employ certain types of information technologies that result in risk that is unacceptable. In such situations, risk avoidance involves taking specific actions to eliminate the activities or technologies that are the basis for the risk, or to revise or reposition these activities or technologies in the organizational mission/business processes to avoid the potential for unacceptable risk.

    Risk mitigation – adding management, operational and technical safeguards (security controls) to reduce the identified risks to the system.

    Risk sharing and transfer – the appropriate risk response when organizations desire and have the means to shift risk liability and responsibility to other organizations. Risk sharing shifts a portion of the risk responsibility or liability to other organizations; risk transfer shifts the entire risk responsibility or liability from one organization to another (e.g., using insurance to transfer risk from a particular organization to an insurance company).

    Risk Monitoring – risk changes with each modification to the system, and changes in the threat environment change risk as well, so it is important to monitor how the risk of a system changes over time.

  • Training & Certification: CAP – Security Authorization of Federal Information Systems

    Understanding the Security Authorization of federal information systems

    The ISC2 CAP candidate needs to understand the multitier approach to evaluating strategic & tactical risk across an organization/enterprise. This is discussed thoroughly in NIST SP 800-39, Managing Information Security Risk. 800-39 explains risk management from the organization, mission, and system perspective.

    800-39 explains how an organization frames risk by making risk assumptions and identifying its risk constraints, risk tolerance, and priorities and trade-offs. Implementation of an organization's risk management strategy is also based on its governance structure.

    Security authorization is a risk management process based on the identification of threats, vulnerabilities and countermeasures. 800-39 and 800-37 explain what a risk assessment must include so that residual risk can be evaluated and judged acceptable or unacceptable to the organization as a whole. Unacceptable risk can be reduced by implementing additional security controls.

    Understanding the Security Authorization of federal information systems covers the following key areas:

    Understand the Risk Management Approach to Security Authorization
    Understanding and distinguishing among the Risk Management Framework (RMF) steps
    Define and Understand Roles & Responsibilities
    Understand the Relationship between the RMF and SDLC
    Understand Legal, Regulatory, and Other Requirements for Security Authorization
    Understand Common Controls and Security Control Inheritance
    Understand Ongoing Monitoring Strategies
    Understand How the Security Authorization Process Relates to:

    1. Organization-wide risk management
    2. System Development Life Cycle (SDLC)
    3. Information system boundaries
    4. Authorization decisions