Applying the Risk Management Framework to Federal Information Systems

From FISMApedia

Jump to: navigation, search

Contents

NIST Course - Applying the Risk Management Framework to Federal Information Systems

Welcome to the course "Applying the Risk Management Framework to Federal Information Systems".

The purpose of this course is to provide people new to risk management with an overview of a methodology for managing organizational riskā€”the Risk Management Framework (RMF).

The RMF was developed by the National Institute for Standards and Technology (NIST) to help organizations manage risks to and from Information Technology (IT) systems more easily, efficiently and effectively.

This course describes at a high-level the importance of establishing an organization-wide risk management program, the information security legislation related to organizational risk management, the steps in the RMF, and the NIST publications related to each step.


Title

Applying the Risk Management Framework to Federal Information Systems


Slide 1:

Applying the Risk Management Framework to Federal Information Systems.

Welcome to Applying the Risk Management Framework to Federal Information Systems course.

Information technology is widely recognized as one of the engines that drives the U.S. economy. It gives industry a competitive advantage in global markets. It enables organizations, such as federal agencies, to provide better services to its citizens and facilitates greater productivity as a nation.

Information technology and systems are subject to threats that can have adverse effects on organizational operations, organizational assets, individuals, other organizations, and the Nation. These threats can compromise the confidentiality, integrity, or availability of information processed, stored, or transmitted by those systems.


Slide 2:

Applying the Risk Management Framework to Federal Information Systems (continued).

Risk related to the operation and use of information systems is a component of organizational risk that senior leaders must address as a routine part of their ongoing risk management responsibilities.

Successful organization-wide risk management programs build information security into the culture and infrastructure of the organization. This requires the implementation of a carefully coordinated set of activities to ensure that fundamental requirements for information security are addressed within the mainstream management and operational processes employed by the organization.

The Risk Management Framework, supported by the National Institute of Standards and Technology's (NIST) 800-series publications, provides a structured, yet flexible approach for managing risk resulting from the incorporation of information systems into the mission and business processes of an organization.


Slide 3:

Introduction.

The role of information security in managing risk from the operation and use of information systems is critical to the success of an organization in achieving its strategic goals and objectives. The risk management concepts discussed in this course establish a relationship between aggregated risks from information systems and the mission/business success.

Taking an organizational view of risks that aggregates mission/business risk together with specific information system security risks:

  • facilitates prioritization of security requirements and allocation of information security resource,
  • facilitates decisions on risk mitigation activities,
  • promotes development and dissemination of common security policies and procedures,
  • promotes development of organization-wide solutions to information security problems,
  • facilitates consolidation and streamlining of security solutions across the organization, and
  • increases the information security knowledge base.

Select the link to view the diagram. [Graphic: Managing Risk from Information Systems A Holistic Approach]


Slide 4:

Course Purpose and Target Audience.

The purpose of this course is to provide people new to risk management with an overview of a methodology for managing organizational information and information system security risk-the Risk Management Framework.

The Risk Management Framework was developed by NIST to help organizations manage the risks of operating information systems more easily, efficiently, and effectively.

This course describes at a high-level the importance of establishing an organization-wide risk management program, the information security legislation related to organizational risk management, the steps in the Risk Management Framework, key roles, and the NIST publications related to each step.

Additional materials related to the Risk Management Framework and the related publications are available from the NIST website: http://csrc.nist.gov.

Select the link to view the Risk Management Framework. [Graphic: RMF Wheel]


Slide 5:

Course Goal.

The goal of this course is for participants to gain familiarity with the Risk Management Framework methodology and the publications supporting the processes, as well as understand how to integrate information security into an organization's mission and business processes.

Course Authority.

The information in this course should be applied in accordance with legislation, standards, guidelines, directives, and your organization.


Slide 6:

Course Objectives.

After completing this course, you will be able to:

  • explain the importance of establishing an organization-wide risk management program,
  • identify the information security legislation related to organizational risk management,
  • describe the purpose of the Risk Management Framework in organization-wide risk management,
  • describe the considerations related to each step in the Risk Management Framework including applicable publications and FISMA documentation, and
  • describe how use of the Risk Management Framework facilitates an atmosphere of trust among organizations.



Module 1: Organization-wide Risk Management

Introduction.

This module compares organizational risk management with security risk management, and briefly looks at the Risk. Management Framework, the roles and responsibilities associated with risk management, and the legislation that impacts risk management.


Module 1, Lesson 1: Organizational Risk Management

Slide 1:

Introduction.

The complex, many-to-many relationships among mission/business processes and the information systems supporting those processes require a holistic, organization-wide view for managing risk.


Slide 2:

Holistic Approach to Risk Management

[Graphic: Managing Risk from Information Systems A Holistic Approach]


Slide 3:

Holistic Approach to Risk Management (continued).

A holistic approach requires the management of risk at both the enterprise-level and system-level. This approach takes into account the organization as a whole, including strategic goals and objectives and relationships between mission/business processes and the supporting information systems.

The security controls and safeguards selected by the organization must take into account:

  • potential mission or business impacts;
  • risk to organizational operations and assets, individuals, other organizations, and the Nation should the organization's systems be compromised;
  • senior leadership/authorizing official involvement;
  • allocation/prioritization of security resources; and
  • consideration of other types of risk.


Slide 4:

Organizational Risks.

To achieve success with information system-dependent processes, senior leaders must understand the risks and other factors that could adversely affect their missions. Information security requirements must be considered at the same level of importance and criticality as other types of functional requirements established by the enterprise. The organization's Senior Leaders must be committed to making information security a fundamental mission/business requirement.


Slide 5:

Organizational Risks (continued).

Risk related to the operation and use of information systems is one of many risks that organizations must address. Along with organizational risks such as investment risk, budgetary risk, program management risk, legal liability risk, safety risk, and inventory risk that are managed on a day-to-day basis, organizations must also manage information risks that exist from operating its information systems at both the enterprise level and the system level, since information and computer systems are critical assets that support the mission/business functions of an organization.

The critical assets of the organization that support the mission/business functions must be protected. Fundamental commitment to information security translates into ensuring that sufficient resources (both dollars and people) are available to provide an appropriate level of security for the organization's information systems. When managing organizational risk, it is important to balance risk from all sources including risks from aII uses of information systems.


Slide 6:

Benefits of Organizational Risk Management.

  • An organization-wide approach to managing risk may yield the following benefits:
  • facilitates prioritization of information security requirements and allocation of information security resources based on risks to the organization's mission/business processes,
  • supports development of more consistent and cost-effective organization-wide solutions to information security problems,
  • facilitates consolidation and streamlining of security solutions across the organization to simplify management and improve interoperability and communication between dispersed information systems, and
  • ensures information security considerations are integrated into the enterprise architecture, the acquisition process, and system development life cycles to save the organization time and money.


Slide 7:

Managing Risk.

Key to success for an organization-wide risk management program is obtaining a broad-based, organization-wide perspective and support because of the critical nature of operations and assets that rely on its success.

Therefore, the goal of a risk management program is to foster an organizational climate where the risk from operating information systems will automatically be considered within the context of enterprise architecture and during all phases of the System Development Life Cycle (SDLC).

The ultimate objective of an organization-wide risk management program is to enable the organization to conduct its day-to-day operations and accomplish its missions within a secure environment commensurate with risk.


Module 1, Lesson 2: Security Risk Management

Slide 1:

Managing risk from the operation and use of information systems is critical to your organization's goals and mission and should be considered within the enterprise architecture. It requires an organization-wide perspective to ensure that day-to-day operations are conducted within a secure environment commensurate with risk.


Slide 2:

What is Security Risk Management?

Security risk management is the process of managing risk to organizational operations resulting from the operation or use of information systems.

Why is security risk management important? Attacks on information systems today are often well-organized, disciplined, aggressive, well-funded, and extremely sophisticated. Successful attacks on public and private sector information systems can result in harm to U.S. national and economic security interests.

Given the significant danger of these attacks, all individuals within the organization must understand their responsibilities in managing the risk from operating information systems that support the mission/business functions of the organization, and take responsibility for risk consequences and mitigation.


Slide 3:

Risk Management for the Organization.

At the enterprise-level, the goal of risk management is to achieve an optimal security state given the organization's mission and goals, commensurate with risk.

For a risk management program to be successful at the enterprise-level, organizations need to:

  • establish organization-wide information security policies and procedures;
  • implement management and oversight practices tailored to the organization's missions, operations, and needs;
  • establish clear reporting processes that provide information required for incident reporting, resource allocation, and Congressional budget development; and
  • facilitate prioritization of information security requirements and allocation of information security resources based on risks to the organization's mission and business processes.


Slide 4:

Risk Management for Information Systems.

At the system-level, the goal of risk management is to defend information systems against cyber attacks that are increasingly aggressive, disciplined, well-organized, and well-funded.

For a risk management program to be successful at the system-level, organizations need to perform the following:

  • integrate information security requirements into the enterprise architecture and system development life cycle,
  • implement continuous monitoring to support ongoing security authorization decisions, and
  • implement appropriate risk mitigation strategies.

Note: Security documentation is a by-product of the organization's ongoing security activities.


Slide 5:

Risk Management Process.

Essentially, risk management is the process that allows managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the information systems and data that support their organizations' missions.


Module 1, Lesson 3: The Risk Management Framework: A New Approach

Slide 1:

Introduction.

Integrating information security into organizational infrastructure requires a carefully coordinated set of activities to ensure that fundamental requirements for information security are addressed and risk to the organization from information systems is managed efficiently and cost-effectively.

In response to the need for organizations to develop an organization-wide approach for managing risk, NIST developed SP 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems."

SP 800-37 describes a new methodology that incorporates FISMA security standards and guidance to provide a holistic solution for managing risk to an organization's information and information systems called the Risk Management Framework.


Slide 2:

Risk Management Framework, Security Life Cycle.

[Graphic: RMF Wheel]


Slide 3:

What is the Risk Management Framework? (continued).

The Risk Management Framework describes a structured, yet flexible approach that can be used to determine the appropriate level of risk mitigation needed to protect the information systems, information, and infrastructure supporting organizational mission/business processes from serious threats.

The Risk Management Framework is designed to guide your organization in developing good practices for securing its information and information systems by helping organizational leadership understand the current status of their security programs and the security controls planned or in place to protect their information and information systems in order to make informed judgments and investments that appropriately mitigate risk to an acceptable level.

The Risk Management Framework provides a methodology that can be applied in an iterative manner to both new and legacy information systems within the context of the system development life cycle and the Federal Enterprise Architecture.


Slide 4:

What is the Risk Management Framework? (continued).

For each of the six steps of the framework, NIST has developed standards and guidance to enable organizations to effectively apply the framework to the information systems supporting the organization's mission/business processes. These steps include:

  • Step 1: Categorize - Categorize the information and information system.
  • Step 2: Select - Select an initial baseline of security controls, and tailor and supplement as needed based on risk and local conditions.
  • Step 3: Implement - Implement the security controls in the information system.
  • Step 4: Assess - Assess the security controls in the information system.
  • Step 5: Authorize - Authorize the information system.
  • Step 6: Monitor - Monitor and assess the security controls in the information system.


Slide 5:

Federal Enterprise Architecture.

The Federal Enterprise Architecture (FEA) is a business-based framework for government-wide improvement developed by the Office of Management and Budget (OMB) that is intended to facilitate efforts to ensure that federal government mission/business processes are citizen-centered, results-oriented, and market-based.

The FEA provides agencies with a disciplined, structured, systems engineering-based approach for achieving consolidation, simplification, and optimization of the federal information technology infrastructure, and the information systems that operate within that infrastructure, as a means for reducing risk.

The Risk Management Framework supports the FEA in the integration of management processes, shared services, common solutions, and information sharing to provide a greater degree of security, privacy, reliability, and cost effectiveness for core missions and business functions being carried out by organizations.


Slide 6:

Segment Architecture and the Risk Management Framework.

Segments, defined by the enterprise architecture, are individual elements of the enterprise describing core mission areas, and common or shared business services and enterprise services. Segment architecture defines the organization's information technology assets such as applications or information system components used to automate and improve individual organizational mission/business processes.

As the primary stakeholders for segment architectures, mission/business owners and managers, in consultation with the senior information security officer, should incorporate information security requirements from FISMA legislation and associated NIST security standards and guidelines into the segment architecture to provide appropriate levels of protection for the organization's mission and business processes defined as part of the overall enterprise architecture.

The Risk Management Framework provides an optimal means for ensuring that security requirements defined in an organization's segment architecture are allocated in the form of specific security controls for individual information systems and components comprising those systems.


Slide 7:

System Development Life Cycle (SDLC).

Managing the risks from information systems includes addressing the causes of vulnerabilities that arise during the design, development, implementation, operation, and disposition of those systems. In addition to using enterprise architectures to guide information security decisions, information security-related activities should also be fully integrated into the SDLC for organizational information systems.

Integrating information security requirements into the SDLC is the most efficient and cost-effective method of ensuring the organization's protection strategy is reflected in the information systems and component information technology products needed to support the mission/business processes of the organization.

Information security considerations should be addressed by organizations as early as possible in the SDLC to ensure the most cost-effective implementation of the security controls needed to adequately mitigate risk from the operation and use of information systems.


Slide 8:

Incorporating the Risk Management Framework into the SDLC.

The steps in the Risk Management Framework are addressed within the security activities described for the SDLC. NIST SP 800-37 provides a link for each step in the Risk Management Framework to the appropriate phase of the SDLC to ensure that information security considerations are addressed as early as possible to ensure the most cost-effective implementation of security controls needed to adequately mitigate risk from the operation and use of information systems.

Both the Risk Management Framework and the SDLC offer sufficient flexibility to respond to changing conditions that can potentially affect the security of information systems, as well as manage the risks to organizational operations and assets, individuals, other organizations, and the Nation.


Slide 9:

Summary of Benefits of the Risk Management Framework.

The Risk Management Framework provides organizations with several key benefits:

  • provides a structured, yet flexible process for managing risk related to the operation of information systems,
  • provides guidelines for determining the appropriate risk mitigation needed to protect the information systems and infrastructure supporting organizational mission/business processes,
  • balances key mission/business goals and organizational priorities with security requirements and policy guidance, and
  • facilitates the development of cost-effective information security solutions commensurate with strategic goals, mission/business process, and overall tolerance for risk.


Slide 10:

Summary of Benefits of the Risk Management Framework (continued):

Key benefits (continued):

  • provides processes for continuous monitoring resulting in continuous improvement of the organization's security posture,
  • applicable to both new development and legacy information systems,
  • operates iteratively within the phases of the SDLC,
  • consistent with the Federal Enterprise Architecture, and
  • generates the information needed for FISMA and OMB reporting.


Module 1, Lesson 4: Risk Management Responsibility

Slide 1:

Introduction.

Regardless of job function, everyone has a role in security. When everyone in the organization functions as a part of the "security team," risk management is more effective and the overall quantity and quality of risk-related operational information is improved and better decisions can be made at the executive level.


Slide 2:

Risk Management Roles and Responsibilities.

The roles within an organizational risk management program and responsibilities by role may include:

Risk Executive (Function). The risk executive (function) helps to ensure that risk related considerations from individual information systems are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its core missions and business functions. The risk executive function ensures that risks from individual information systems is consistent across the organization, reflects organizational risk tolerance, and is considered along with other types of risk in order to ensure mission/business success.

[Graphic: Risk Executive (Function), Chief Information Officer (CIO), Senior Information Security Officer (SISO), Authorizing Official, Information Owners and Information System Owners (SO), Information System Security Officers (ISSO), Common Control Providers, Information System Security Engineers]


Slide 3:

Risk Management Roles and Responsibilities.

The roles within an organizational risk management program and responsibilities by role may include:

Chief Information Officer (CIO).

The CIO is responsible for the agency's information technology planning, budgeting, and performance including its information security components.

[Graphic: Risk Executive (Function), Chief Information Officer (CIO), Senior Information Security Officer (SISO), Authorizing Official, Information Owners and Information System Owners (SO), Information System Security Officers (ISSO), Common Control Providers, Information System Security Engineers]


Slide 4:

Risk Management Roles and Responsibilities.

The roles within an organizational risk management program and responsibilities by role may include:

Senior Information Security Officer (SISO).

The SISO is the head of the organization's information security program office and serves as the CIO's liaison to the authorizing officials, information system owners, and ISSOs. In many organizations, the SISO is known as the Chief Information Security Officer (CISO).

[Graphic: Risk Executive (Function), Chief Information Officer (CIO), Senior Information Security Officer (SISO), Authorizing Official, Information Owners and Information System Owners (SO), Information System Security Officers (ISSO), Common Control Providers, Information System Security Engineers]


Slide 5:

Risk Management Roles and Responsibilities.

The roles within an organizational risk management program and responsibilities by role may include:

Authorizing Official.

The authorizing official is responsible for making the final decision on whether or not to authorize a system to operate. The authorizing official issues an authorization to operate (ATO) if the risk is deemed acceptable. If the risk is deemed unacceptable, no ATO is issued and operations are halted on operational systems.

The authorizing official balances the security status of the information system, as defined in the authorization package, with the organizational risk information received from the risk executive (function) to make an authorization decision.

[Graphic: Risk Executive (Function), Chief Information Officer (CIO), Senior Information Security Officer (SISO), Authorizing Official, Information Owners and Information System Owners (SO), Information System Security Officers (ISSO), Common Control Providers, Information System Security Engineers]


Slide 6:

Risk Management Roles and Responsibilities.

The roles within an organizational risk management program and responsibilities by role may include:

Information Owners and Information System Owners (SO).

Information owners have stationary, management, or operational authority for specified information and the responsibility for establishing the policies, and procedures governing its generation, collection, processing, dissemination, and disposal. Information owners provide input to the information system owners regarding the security requirements and security controls for the systems where the information is processed, stored, or transmitted.

Information system owners are responsible for the overall procurement, development, integration, modification, operation, maintenance, and disposal of an information system or information.

[Graphic: Risk Executive (Function), Chief Information Officer (CIO), Senior Information Security Officer (SISO), Authorizing Official, Information Owners and Information System Owners (SO), Information System Security Officers (ISSO), Common Control Providers, Information System Security Engineers]


Slide 7:

Risk Management Roles and Responsibilities.

The roles within an organizational risk management program and responsibilities by role may include:

Information System Security Officers (ISSO).

These individuals help to ensure the appropriate operational security posture is maintained for an information system and serves as a principal advisor to their organization on all matters, technical and otherwise, involving the security of an information system. Note that this role may have a different title, depending on the structure of the organization.

[Graphic: Risk Executive (Function), Chief Information Officer (CIO), Senior Information Security Officer (SISO), Authorizing Official, Information Owners and Information System Owners (SO), Information System Security Officers (ISSO), Common Control Providers, Information System Security Engineers]


Slide 8:

Risk Management Roles and Responsibilities.

The roles within an organizational risk management program and responsibilities by role may include:

Common Control Providers.

Common control providers are responsible for the planning, development, implementation, assessment, and monitoring of common controls (i.e., security controls inherited by information systems).

[Graphic: Risk Executive (Function), Chief Information Officer (CIO), Senior Information Security Officer (SISO), Authorizing Official, Information Owners and Information System Owners (SO), Information System Security Officers (ISSO), Common Control Providers, Information System Security Engineers]


Slide 9:

Risk Management Roles and Responsibilities.

The roles within an organizational risk management program and responsibilities by role may include:

Information System Security Engineers.

Information technology security practitioners (e.g., network, system, application, and database administrators; computer specialists; security analysts; security consultants) are responsible for proper implementation of security requirements in their information systems. As changes occur in the existing system environment (e.g., expansion in network connectivity, changes to the existing infrastructure and organizational policies, introduction of new technologies), these security practitioners must support or use the risk management process to identify and assess new potential risks and implement new security controls as needed to safeguard their systems.

[Graphic: Risk Executive (Function), Chief Information Officer (CIO), Senior Information Security Officer (SISO), Authorizing Official, Information Owners and Information System Owners (SO), Information System Security Officers (ISSO), Common Control Providers, Information System Security Engineers]


Module 1, Lesson 5: Information Security Legislation

Slide 1:

Introduction.

The United States Congress and OMB institutes laws, regulations, and directives that govern creation and implementation of federal information security practices. These laws and regulations place responsibility and accountability for information security at all levels within federal agencies, from the agency head to system users. Furthermore, these laws and regulations provide an infrastructure for overseeing implementation of required practices.


Slide 2:

IT Security Legislation.

Federally mandated security practices:

  • are instituted by Congress and the Office of Management and Budget (OMB),
  • govern creation and implementation of federal information security practices,
  • place responsibility and accountability for information security at all levels within federal agencies, and
  • are subject to reporting and oversight.


Slide 3:

The E-Government Act of 2002

recognized the importance of information security to the economic and national security interests of the United States.

FISMA: Title III of the E-Government Act

  • is the Federal Information Security Management Act, which
  • requires federal agencies to provide security for the information and information systems that support the organization.


Slide 4:

FISMA and Your Organization

FISMA requires federal organizations to:

  • provide information security protections commensurate with the assessed risk;
  • ensure senior leaders provide information security for assets under their control;
  • ensure the organization has trained personnel to assist in complying with FISMA and related policies;
  • ensure the CIO reports annually on the effectiveness of the organization's information security program;
  • develop, document, and implement an information security program; and
  • develop and maintain an inventory of information systems under the control of the organization.


Slide 5:

FISMA and OMB Requirements.

Title III of the E-Government Act, entitled the "Federal Information Security Management Act" (FISMA) and the Office of Management and Budget (OMB) Circular A-130, Appendix III, "Security of Federal Automated Information Resources" require each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

The Risk Management Framework incorporates FISMA- and OMB-related security standards and guidance to provide a holistic solution for managing risk to an organization's information and information systems. During each phase of the Risk Management Framework, documentation needed to meet these federal requirements is produced as a byproduct of the process, including the System Security Plan, Security Assessment Report, and Plan of Action and Milestones.


Module 1, Lesson 6: NIST Publications

Slide 1:

Introduction.

NIST authors several information technology security publications to provide guidance and resources to aid organizations in implementing security programs.


Slide 2:

Lesson 6: NIST Publications. Introduction.

The following types of NIST information technology security publications are available from the NIST website: http://csrc.nist.gov/publications/

  • Federal Information Processing Standards (FIPS),
  • Special Publications (SPs),
  • NIST Interagency Reports (NISTIRs), and
  • Information Technology Laboratory (ITL) Bulletins.


Slide 3:

Federal Information Processing Standards (FIPS)

FIPS are issued by NIST after approval by the Secretary of Commerce. FIPS are mandatory standards to be used by all federal agencies.

Special Publications (SPs)

The SP 800 series was established in 1990 to provide a separate identity for information technology security publications and include documents of general interest to the computer security community. The SP 800 series reports on the Information Technology Laboratory's research, guidelines, outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.


Slide 4:

Tailored Guidance.

While agencies are required to follow NIST guidance in accordance with OMB policy, the 800-series guidance documents published by NIST generally allow agencies to tailor NIST's guidance to meet the organization's needs. Consequently, the application of NIST guidance by agencies can result in different security solutions that are equally acceptable, compliant with the guidance, and meet the OMB definition of adequate security for federal information systems.

When assessing agency compliance with NIST guidance, auditors, evaluators, and/or assessors consider the intent of the security concepts and principles articulated within the particular guidance document and how the agency applied the guidance in the context of its specific mission responsibilities, operational environments, and unique organizational conditions.


Slide 5:

Discussion:

What factors do organizations need to take into account when implementing a holistic approach to organizational risk management?

Answers:

  • Strategic goals and objectives.
  • Relationships between mission/business processes and the supporting information systems.
  • Organizational culture and infrastructure.


Slide 6:

Discussion: How can the Risk Management Framework help successfully implement an organization-wide risk management program?

Answers:

  • The Risk Management Framework provides a structured, yet flexible process for managing risk related to the operation and use of information systems, along with guidelines for determining the appropriate risk mitigation needed to protect the information systems and infrastructure supporting organizational mission/business processes.
  • The Risk Management Framework provides key inputs for determining mission/business goals, security requirements, policy guidance, resource availability, and priorities as an integral part of the process, which facilitates the development of cost-effective information security solutions commensurate with strategic goals, mission/business process, and overall tolerance for risk.
  • The Risk Management Framework provides processes for continuous improvement of the organization's security posture and generates the information needed for FISMA and OMB reporting.



Module 1: Summary

Slide 1:

Managing risk is not an exact science. It brings together the best collective judgments of the individuals responsible for the strategic planning and day-to-day operations of organizations to provide adequate security and risk mitigation for the information systems supporting the missions and business functions of those organizations.

There is great benefit to be obtained in reducing risk from information systems by building an information technology infrastructure that promotes the use of shared services, common solutions, and information sharing.

Effective organizational risk management requires a holistic approach for managing risk at both the organizational and system-levels, taking into account the organization as a whole including strategic goals and objectives and relationships between mission/business processes and the supporting information systems.


Slide 2:

Module 1: Summary (continued).

Successful organization-wide risk management programs build information security into the culture and infrastructure of the organization. This requires the implementation of a carefully coordinated set of activities to ensure that fundamental requirements for information security are addressed within the mainstream management and operational processes employed by the organization.

Risk management is critical in ensuring your organization is able to achieve its mission and goals. Because of the severity of the security threats faced by organizations today, information security legislation has been enacted to provide regulations and guidance for implementing information security safeguards for federal information technology systems.

To that end, NIST develop the Risk Management Framework that delineates a multistep process for categorizing systems and for selecting, implementing, and assessing security controls; authorizing systems for operation; and monitoring security controls throughout the life cycle of an information system.

The Risk Management Framework also enables organizations to efficiently and effectively meet OMB security implementation and reporting requirements.



Module 2: The Risk Management Framework.

Introduction.

As discussed in the previous module, the Risk Management Framework consists of a six-step process designed to guide organizations in managing the risks to and from their information systems.

This lesson describes the six-steps in the Risk Management Framework in more detail.


Slide 1:

Module 2: The Risk Management Framework, Security Life Cycle.

[Graphic: RMF Wheel]


Slide 2:

Module 2: The Risk Management Framework.

Introduction (continued).

The steps in the Risk Management Framework include:

  • Step 1: Categorize - Categorize the information and information system based on impact.
  • Step 2: Select - Select an initial set of security controls for the information system, applying tailoring guidance as appropriate, and supplement the tailored baseline security controls based on assessment of risk and organization-specific security requirements, specific threat information, cost-benefit analyses, or special circumstances.
  • Step 3: Implement - Implement the security controls in the information system to protect the organization's mission/business processes in accordance with enterprise architecture, the SDLC, and system security plans.


Slide 3:

Module 2: The Risk Management Framework.

Introduction (continued).

  • Step 4: Assess - Assess the security controls using appropriate methods and procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
  • Step 5: Authorize - Authorize information system operation based on a determination of risk to organizational operations, assets, individuals, other organizations, or the nation resulting from the operation of the information system.
  • Step 6: Monitor - Monitor and assess security controls in the information system on a continuous basis including documenting changes to the system, conducting security impact analyses of the associated changes, and reporting the security status of the system to appropriate organizational officials on a regular basis.


Module 2, Lesson 1: Risk Management Framework - Categorize

Slide 1:

Lesson 1: Risk Management Framework Step 1 - Categorize. Introduction.

Security Categorization is the key first step in the Risk Management Framework because of its effect on all other steps in the framework, from selection of security controls to level of effort in assessing security control effectiveness.

Security categorization entails a thorough analysis of the organization's mission/business processes to identify the types of information that will be processed, stored or transmitted by the information systems supporting the mission/business processes. Security categorization provides a means for selecting an initial baseline of security controls for protecting the information system and the organization.


Slide 2:

NIST Publications - Categorize Step.

Two NIST publications are applicable to this step.

Standard - FIPS 199, "Standards for Security Categorization of Federal Information and Information Systems," establishes the definition for categorization of information types and information systems.

Guidance - SP 800-60, "Guide for Mapping Types of Information and Information Systems to Security Categories," describes the process and steps for categorizing information types and information systems.


Slide 3:

Security Objectives.

There are three security objectives for both information and information systems:

  • Confidentiality - Releasing information only to those authorized to have it.
  • Integrity - Ensuring information is not changed or destroyed.
  • Availability - Being able to access information when it is needed.


Slide 4:

System Boundaries.

System boundaries may influence the information types that are identified on an information system.

An information system contains a set of resources that are generally under the same direct management control and generally have the same function or mission objective, the same operating characteristics, and reside in the same general operating environment (or in the case of a distributed information system, reside in various locations with similar operating environments).

System boundaries that are unnecessarily expansive make the security assessment process extremely unwieldy and complex. On the other hand, boundaries, that are unnecessarily limited, increase the number of security assessments that must be conducted and drive-up the total security costs for the agency.


Slide 5:

Information Types.

An information system may contain more than one type of information, each of which is subject to security categorization. An information type is a specific category of information defined by an organization, or in some instances, by a specific law, Executive Order, directive, policy, or regulation. Establishing an appropriate security category of an information type requires determining the potential impact for each security objective associated with the particular information type.

System information must be protected at a level commensurate with the most critical or sensitive user information being processed, stored, or transmitted by the information system to ensure confidentiality, integrity, and availability. This is sometimes referred to as the "high-water mark."

Examples of information types include budget formulation, customer service, workforce planning, contingency planning, population health management and consumer safety, criminal apprehension, intelligence collection, and intellectual property protection.


Slide 6:

Impact Levels.

An impact level (Low, Moderate, High) is established for each information system based on the worst case scenario if a breach occurs.

LOW - The potential impact is low if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation.

MODERATE - The potential impact is moderate if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation.

HIGH - The potential impact is high if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.


Slide 7:

Categorize Process Review.

The categorize process includes the following tasks:

  • prepare for system security categorization,
  • identify the system's information types,
  • select the provisional impact value for each information type,
  • adjust the information type's provisional impact value,
  • adjust the system's provisional security category,
  • determine the information system's security impact level,
  • obtain approval for the system security category and impact level, and
  • maintain system security category and impact level.

Inputs include:

  • system description, including system boundary;
  • enterprise architecture; and
  • information types from 800-60, Vol. II or organizationally defined information types.

Outputs include:

  • security category for each information type,
  • information system's security category and impact level, and
  • rationale for any adjustments.


Slide 8:

Role of the Information Security Program

When Conducting Security Categorization:

  • helps ensure that the categorization decisions accurately reflect the criticality, sensitivity, and priority of information and information systems that support organizational mission/business processes and are consistent with the organization's enterprise architecture and
  • enables the security categorization process to draw on the organization's enterprise architecture to provide traceability from the Federal Enterprise Architecture (FEA) reference models through the segment and solution architectures to the individual information systems within the organization.


Slide 9:

Discussion.

Why is security categorization a critical step in the Risk Management Framework?

Answer:

Security categorization helps the organization identify the types of information that will be processed, stored, or transmitted by the information systems supporting the mission/business processes to select an initial baseline of security controls for protecting the information system and the organization. This information forms the basis for the steps that follow categorization in the Risk Management Framework, which entail selecting, implementing and assessing the security controls for the system for the purpose of obtaining or maintaining authorization for the system to operate.


Slide 10:

Summary.

Security categorization entails a thorough analysis of the organization's mission/business processes to identify the types of information that will be processed, stored, or transmitted by the information systems supporting those processes and provides the information needed for subsequent steps in the Risk Management Framework.


Module 2, Lesson 2: Risk Management Framework - Select

Slide 1:

Lesson 2: Risk Management Framework Step 2 - Select.

Introduction.

After the security categorization process is completed, appropriate security controls need to be selected for each information system to implement the organization's risk management strategy. This activity is conducted during the Select step in the Risk Management Framework.


Slide 2:

NIST Publications - Select Step.

Two NIST publications provide the standards and guidance for selecting appropriate security controls.

Standard - FIPS 200, "Minimum Security Requirements for Federal Information and Information Systems," specifies minimum security requirements for information and information systems supporting the executive agencies of the federal government and a risk-based process for selecting the security controls necessary to satisfy the minimum security requirements.

Guidance - SP 800-53, Rev. 3, "Recommended Security Controls for Federal Information Systems and Organizations," provides guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal government.

Note that Revision 3 of SP 800-53 is a unified catalog of security controls that is used by all government communities: federal civilian agencies, the intelligence community, and the Department of Defense. State, local, and tribal governments, as well as private sector organizations are encouraged to consider using these guidelines, as appropriate.


Slide 3:

Security Controls.

Security controls are management, operational and technical controls (i.e. safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. Security controls help reduce system vulnerability and minimize risk.

This step entails selecting an initial set of security controls from the SP 800-53 Security Control Catalog for the information system based on the security category and the impact level and applying tailoring guidance based on risk, as appropriate, to obtain a starting point for determining the required controls that will be implemented to reduce threats and manage risks from operating information systems.


Slide 4:

Security Control Families.

The minimum security requirements cover designated security control areas or families, with regard to protecting the confidentiality, integrity, and availability of federal information systems and the information processed, stored, and transmitted by those systems. Families are assigned to their respective classes based on the dominant characteristics of the controls in the families.

These families represent a broad-based, balanced information security program that addresses the management, operational, and technical aspects of protecting federal information and information systems.

Some examples of security control families are: Access Control (AC), Contingency Planning (CP), and Risk Assessment (RA).

[Graphic: Table of 18 Families]


Slide 5:

Identification of Common Security Controls.

Common security controls are controls that can be applied to one or more organizational information systems and have the following properties:

  • the development, implementation, assessment, authorization, and monitoring of the control can be assigned to a responsible official or organizational element (other than the information system owner) and
  • the results from the assessment of the control can be used to support the security authorization processes of an information system where that control has been applied.


Slide 6:

Benefit of Applying Common Security Controls.

Partitioning security controls into common controls and system-specific controls can result in significant savings to the organization in development and implementation costs especially when the common controls serve multiple information systems and entities.

It can also result in a more consistent application of the security controls across the organization. Moreover, equally significant savings can be realized in the security authorization process. Rather than assessing common security controls in every information system, the authorization process draws upon any applicable results from the most current assessment of the common security controls performed at the organization level.

Application of common security controls can also facilitate accountability for security across the organization.


Slide 7:

Selection of Baseline Security Controls.

Baseline controls are the minimum security controls recommended for an information system based on the system's security categorization in accordance with FIPS 199. Appendix D of SP 800-53 provides a listing of baseline security controls.

Three sets of baseline controls have been identified corresponding to the low-impact, moderate-impact, and high-impact levels defined in the security categorization process. Each baseline provides an initial set of security controls for a particular impact level associated with a security category.

The organization must employ the appropriately tailored security controls from the specific-level baseline of security controls defined in NIST SP 800-53 and must ensure the appropriate minimum assurance requirements associated with the baseline are satisfied.

Reference: SP 800-53, Rev. 3, Appendix D

Example Baseline Security Controls links to [Graphic: IR-2 Incident Response Training security control text from SP 800-53r3]


Slide 8:

Applying Security Control Tailoring Guidance.

Because the baselines are intended to be broadly applicable starting points, adjustments to the initial baselines may be necessary in order to achieve adequate risk mitigation. NIST SP 800-53 provides tailoring guidance to enable organizations to adjust the baseline of security controls to fit their mission requirements and operational environments. Tailoring involves scoping the assessment procedures to match the characteristics of the information system under assessment.

Under the tailoring guidance, organizations can determine that certain controls do not apply, incorporate compensating controls when needed, and specify organization-defined parameters. This approach gives organizations flexibility to respond to known threats and to take action on organization-identified risks.

Once the controls baseline is identified, it is tailored to address such things as organizational requirements and operational factions.

Tailoring activities include:

  • applying scoping guidance,
  • determining compensating controls, if needed, and
  • selecting organizationally-defined parameters.


Slide 9:

Supplementing Tailored Baseline Security Controls.

The tailored security control baseline should be viewed as the foundation or starting point in the selection of adequate security controls for an information system and represents the needed level of security due diligence to be demonstrated by an organization toward protection of its operations and assets.

The final determination of the appropriate set of security controls is a function of the organization's assessment of risk and what is required to sufficiently mitigate those risks. In many cases, additional security controls or enhancements will be needed to address specific threats and vulnerabilities or to satisfy federal requirements.


Slide 10:

Minimum assurance requirements:

  • identify the grounds for confidence that the security controls implemented within an information system are effective in their application;
  • provide a foundation for trust between organizations that depend on the information processed, stored, or transmitted by those systems;
  • are directed at the activities and actions of security control developers and implementers; and
  • are applied on a control-by-control basis.


Slide 11:

Assurance Expectations.

Security control developers and implementers carry out required activities based on the assurance requirements that have been identified by the organization. Part of developing or implementing the control is producing the necessary control documentation, conducting essential analyses, and defining actions that must be performed during control operation.

The minimum assurance requirements in SP 800-53 help to establish an appropriate set of assurance expectations for assessors in conducting security control assessments. The assessment expectations, described with respect to low-impact, moderate-impact, and high-impact information systems for a range of assessment objects including specifications, activities and mechanisms, are provided in SP 800-53A, Appendix E.

Select the link to view the Assessment Expectation Table. [Graphic: Assessment Expectation matrix from SP 800-53r3]


Slide 12:

Documentation - System Security Plan.

At the end of the security control selection and specification process, the agreed-upon set of security controls must be sufficient to provide adequate security for the information system and mitigate risks to its operations, assets, and individuals. This set of security controls is documented in a system security plan.

NIST SP 800-18, "Guide for Developing Security Plans for Information Technology Systems" provides guidance for federal agencies when developing security plans to document the management, technical, and operational controls for federal information systems.


Slide 13:

Documentation - System Security Plan (continued).

Purpose of System Security Plan:

  • provides an overview of the security requirements of the system;
  • describes the controls in place or planned for meeting those requirements;
  • documents the structured process of planning adequate, cost-effective protection for a system;
  • delineates responsibilities and expected behavior of all individuals who access the system;
  • meets federal reporting requirements related to status of security implementations; and
  • provides the basis for system security authorization.


Slide 14:

Select Process Review.

The select process includes the following tasks:

  • prepare for selecting security controls,
  • select the initial security control baseline and minimum assurance requirements,
  • apply scoping guidance,
  • determine need for compensating controls,
  • determine appropriate organization-defined values for the identified parameters,
  • supplement the tailored security control baseline,
  • determine if additional minimum assurance requirements are needed for moderate- and high-impact systems,
  • document the selection decisions and update the security plan, and
  • obtain approval of and agreement with the security controls.

Inputs include:

  • system description,
  • system security category,
  • system's impact level,
  • NIST SP 800-53, and
  • organization's catalog of common controls.

Outputs include:

  • Final, agreed-upon set of security controls.


Slide 15:

Role of the Information Security Program When Selecting Security Controls:

  • coordinates the selection of common controls for the organization with the enterprise architect and assigns responsibility for the common control's development, implementation, assessment, and monitoring as identified in the risk management plan and
  • ensures that the appropriate security controls are selected for the information system and supplemented with additional controls or enhancements to address unique organizational needs.


Slide 16:

Discussion.

What are the key activities involved in the security control selection process?

Answer:

  • Identify common controls and determine their suitability for the system.
  • Select the baseline controls for the system and tailor and supplement them as necessary based on risk.
  • Document the selected controls in the security plan to form the basis for system authorization.


Slide 17:

Summary.

The purpose of the Select Step is to specify appropriate security controls to meet the minimum security requirements defined in FIPS 200 and to ensure the integrity, confidentiality, and availability of the information and information system in accordance with the organization's protection strategy.

The security control selection process includes activities designed to determine the required controls that will be implemented to reduce threats and manage risks from operating the organization's information systems.


Module 2, Lesson 3: Risk Management Framework - Implement

Slide 1:

Lesson 3: Risk Management Framework Step 3 - Implement.

Introduction.

Implementation is used in the Risk Management Framework in a broad sense to encompass all of the activities necessary to translate the security controls identified in the system security plan into an effective implementation.

Once the appropriate baseline and common security controls have been identified, and tailoring and supplement guidance have been applied, the security controls are implemented. Effective implementation of security controls in the system components is a critically important activity that can affect the security state and risk posture of the entire organization.


Slide 2:

NIST Publications.

NIST provides various information security publications designed to facilitate the implementation of security controls, available at http://csrc.nist.gov/publications/index.html. Documents can be located by Topic Clusters, Family and Legal Requirements.

Documents applicable to the Implement Step include NIST SP 800-53, "Recommended Security Controls for Federal Information Systems and Organizations;" SP 800-53A, "Guide for Assessing the Security Controls in Federal Information Systems;" and SP 800-70, "Security Configuration Checklists Program for IT Products - Guidance for Checklists Users and Developers."


Slide 3:

NIST Publications - Implement Step.

Guidance - SP 800-70, "Security Configuration Checklists Program for IT Products - Guidance for Checklists Users and Developers," provides guidance for the implementation and configuration of certain technical security controls to facilitate the development and dissemination of security configuration checklists so that organizations and individual users can better secure their information technology products.

Although SP 800-70 is useful for implementation of a moderate percentage of technical controls, there are many publications that provide guidance for control implementations in addition to SP 800-70. These include but aren't limited to SP 800-34 for the CP family, SP 800-61 for the IR family, SP 800-63 for the IA family, and SP 800-16/800-50 for the AT family. There are also publications that address one or more specific controls or parts of controls such as SP 800-40 for patch management (flaw remediation, SI-2) or SP 800-41 for firewall management (AC-4 & SC-7), and the many publications for cryptography/key management, etc.


Slide 4:

NIST Publications - Implement Step (continued).

Guidance - SP 800-53, Rev. 3, "Recommended Security Controls for Federal Information Systems and Organizations," provides guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal government.

Guidance - SP 800-53A, "Guide for Assessing the Security Controls in Federal Information Systems," provides common assessment procedures that organizations can use to evaluate the effectiveness of security controls in federal information systems, specifically those controls listed in NIST SP 800-53.


Slide 5:

Security Control Implementation and the System Security Plan.

The system security plan provides a summary of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements.

The system security plan acts as the blueprint for the allocation and implementation of security controls for an information system.


Slide 6:

Allocating Security Controls.

Security controls must be allocated to appropriate components within the information system or to the supporting infrastructure. Components of the information system include personnel, processes, hardware, software, firmware, facilities, or environmental components within the information system boundary.

Technical controls are typically allocated to hardware, software, or firmware components or to specific facilities. Management and operational controls are usually allocated to personnel or processes.

Security control allocation decisions should be consistent with the enterprise architecture to ensure that needed protection measures are provided, mandatory configuration settings for all information technology products are defined, and any configuration setting-related legislation, directives, and policy requirements are met.

The allocation of security controls to appropriate system components and any additional derived security control specifications should be documented in the system security plan, along with any mandatory security configuration settings for the organization.


Slide 7:

Implementing Security Controls.

To implement the security controls in an information system, each security control must be analyzed to determine:

  • the activities that should be performed by individuals or organizations (e.g., to conduct contingency plan testing or provide security awareness training);
  • the specifications (such as plans or procedures) that should be written (e.g., to write the system security plan, prepare an access control list, or write the security awareness training); and
  • the security functions to be built or integrated into one or more system components (e.g., building the mechanism to lock an account for 20 minutes when three unsuccessful login attempts occur, build the mechanism to provide a real-time alert when the organizationally defined audit failure events occur, or integrate an approved encryption product into the network).


Slide 8:

Security Configuration.

Automated tools support an organization's ability to identify and apply security configuration settings to a wide variety of products.

The federal desktop core configuration (FDCC) is a federally required configuration that applies to desktops and laptops that use Windows XP or Vista and are deployed on or connected to an organization's networks.


Slide 9:

Security Configuration Checklists.

Threats to information systems range from remotely launched network service exploits to malicious code spread through e-mails, malicious web sites, and file downloads. Vulnerabilities in IT products are discovered on an almost daily basis. Because information technology products are often intended for a wide variety of audiences, restrictive security configuration settings are usually not enabled by default, making many information technology products immediately vulnerable to specific types of attacks.

Configuration settings are parameters that can be changed in a hardware or software component of the information system that affect the component's functionality, performance, and security posture.

Identifying and implementing an adequate set of security configuration settings for many information technology products can be a complicated, arduous, and time-consuming task. An effective tool for implementing effective security solutions for federal information systems is the security configuration checklist.


Slide 10:

Security Configuration Checklists (continued).

Security configuration checklists can include:

  • configuration files that automatically set security settings;
  • documentation for manually configuring an IT product;
  • recommended methods for securely installing and configuring a device;, and
  • policy documents and guidelines for auditing, authentication, etc.

Note that the checklists only address a subset of the tailored baseline control requirements.


Slide 11:

Developer Configuration Management.

Information system developers/integrators are required to implement and document a configuration management process that:

  • manages and controls changes to the system during design, development, implementation, and operation;
  • tracks security flaws; and
  • includes organizational approach to changes.


Slide 12:

Implement Process Review.

The implement process includes the following tasks:

  • prepare for implementing security controls,
  • identify the requirements of each security control selected for the system,
  • allocate security controls to system components,
  • identify implementation actions for each security control,
  • prepare an implementation strategy,
  • obtain reviews/approvals for the implementation strategy,
  • implement security controls, and
  • maintain security control implementation documentation.

Inputs include:

  • System Security Plan, with the final selection security controls,
  • implementation guidance., and
  • configuration guidance.

Outputs include:

  • security controls implemented within the information system and
  • all supporting documents and activities required in the selected security controls.


Slide 13:

Role of the Information Security Program When Conducting the Implementation Step as an Organization-wide Activity:

  • ensures the security control implementation is tightly coupled to the enterprise architecture and integrated into the SDLC to protect the organization's mission/business processes and
  • facilitates close coordination and collaboration among organizational personnel to ensure that the needed security functions are allocated to the appropriate information systems and supporting infrastructure to promote the security state and risk posture of the organization.


Slide 14:

Discussion:

What factors must be taken into account during the security control implementation step of the Risk Management Framework?

Answer:

  • Details are documented in the system security plan.
  • Configuration settings required by legislation, directives, and policy.


Slide 15:

Summary.

Security controls are implemented based on an assessment of risk and local conditions including organization specific security requirements, specific threat information, cost-benefit analyses, or special circumstances determined during the Select step.


Module 2, Lesson 4: Risk Management Framework - Assess

Slide 1:

Lesson 4: Risk Management Framework Step 4 - Assess.

Step 4 in the Risk Management Framework is Assess. Once security controls are implemented, they should be assessed for effectiveness.

Security control assessment is a process employed by an organization to review the management, operational, and technical security controls in an information system. The assessment determines the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.


Slide 2:

NIST Publications - Assessment Step.

Guidance - SP 800-53A.

NIST SP 800-53A provides common assessment procedures that organizations can use to evaluate the effectiveness of security controls in federal information systems, specifically those controls listed in SP 800-53, Rev. 3, "Recommended Security Controls for Federal Information Systems and Organizations."

The guidance describes a repeatable security assessment methodology organizations can use to determine if security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the organization.

SP 800-53A also provides guidance for building effective security assessment plans and how to manage assessment results.


Slide 3:

NIST Publications - Assessment Step (continued).

Guidance - SP 800-115.

NIST SP 800-115, "Technical Guide to Information Security Testing and Assessment" is a guide to the basic technical aspects of conducting information security assessments. SP 800-115 presents review, technical testing, and examination techniques that an organization can use to conduct assessments.


Slide 4:

Assessment Case Development Project.

In October 2007, NIST initiated the Assessment Case Development Project in cooperation with the Departments of Justice, Energy, Transportation, and the Intelligence Community. The team developed a full suite of assessment cases to provide assessors with additional tools and techniques for implementing the assessment procedures in SP 800-53A.

The purpose of the project is to:

  • actively engage experienced assessors from multiple organizations in developing assessment cases that describe specific assessor actions to implement the assessment procedures in SP 800-53A and
  • provide a vehicle for ongoing community-wide review of and comment on the assessment cases to promote continuous improvement in the security control assessment process for more consistent, effective, and cost-effective security assessments of federal information systems.


Slide 5:

Organizational Assessment Procedures.

A major objective of SP 800-53A is to provide an assessment framework and initial starting point for assessment procedures that promotes more consistent, comparable, and repeatable security assessments of federal information systems.

The assessment procedures described in SP 800-53A provide the starting point for the organization to develop more specific assessment procedures, which may be needed because of platform dependencies, organization specific, or other implementation-related considerations.

Your organization should supplement the assessment procedures outlined in SP 800-53A, as needed, based on an organizational assessment of risk, as well as create additional assessment procedures for any implemented security controls that are not contained in SP 800-53.

Supplemental assessment procedures can help your organization maximize its flexibility in developing security assessment plans and apply the results of risk assessments effectively. However, while flexibility continues to be an important factor in developing security assessment plans, consistency of assessments remains an important consideration.


Slide 6:

Security Assessment Plans.

Procedures for developing security assessment plans include:

  • determine which security controls are to be assessed,
  • select the appropriate procedures to assess the security controls,
  • tailor the assessment procedures for specific operating environments,
  • develop assessment procedures for organization-specific security controls,
  • develop assessment procedures for additional assurance requirements,
  • develop strategy for incorporating the extended assessment procedure,
  • optimize the selected assessment procedures to ensure maximum efficiency, and
  • finalize the security assessment plan and obtain approval to execute the plan.


Slide 7:

Assessment Methods.

Dozens of technical security testing and examination methods exist that can be used to assess the security posture of systems and networks. The assessment methods define the nature of the assessor actions. Since no one method can provide a complete picture of the security of a system or network, organizations should combine appropriate techniques to ensure robust security assessments.

The assessment methods are grouped together as examine, interview, and test.


Slide 8:

Examine Method. Assessment Objects.

The examine method includes checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence. The results are used to support the determination of security control existence, functionality, correctness, completeness, and potential for improvement over time.

Typical assessor examination actions may include:

  • reviewing information security policies, plans, and procedures;
  • analyzing system design documentation and interface specifications; and
  • observing system backup operations, reviewing the results of contingency plan exercises.


Slide 9:

Examine Method (continued).

Typical assessor examination actions also include:

  • observing incident response activities;
  • studying technical manuals and user/administrator guides;
  • checking, studying, or observing the operation of an information technology mechanism in the information system hardware/software; and
  • checking, studying, or observing physical security measures related to the operation of an information system.


Slide 10:

Interview Method.

The interview method includes conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or lead to the location of evidence. The results are used to support the determination of security control existence, functionality, correctness, completeness, and potential for improvement over time.

Typical assessor interview actions may include:

  • conducting individual interviews and
  • conducting group interviews.


Slide 11:

Test Method.

The test method includes exercising one or more assessment objects under specified conditions to compare actual with expected behavior. The results are used to support the determination of security control existence, functionality, correctness, completeness, and potential for improvement over time.

Some examples of typical assessor actions may include:

  • testing access control, identification and authentication, and audit mechanisms;
  • testing security configuration settings;
  • testing physical access control devices;
  • conducting penetration testing of key information system components;
  • testing information system backup operations;
  • testing incident response capability; and exercising contingency planning capability.


Slide 12:

Documentation - Security Assessment Reports.

Security control assessment results should be documented at the level of detail appropriate for the assessment in accordance with the reporting format prescribed by organizational policy, NIST guidelines, and OMB policy.

The reporting format should also be appropriate for the type of security control assessment conducted, such as self-assessments, independent verification and validation, independent assessments by assessors or assessment teams, or independent audits of security controls by auditors or inspectors general.

Since results of the security control assessment ultimately influence the content of the system security plan and the plan of action and milestones, the findings of the assessor, with the concurrence of designated organizational officials, determine the appropriate steps required to correct weaknesses and deficiencies identified during the assessment.


Slide 13:

Documentation - Security Assessment Reports (continued).

By using the tags of satisfied and other than satisfied, the reporting format for the assessment findings provides visibility for organizational officials into specific weaknesses and deficiencies in the information system and facilitates a disciplined and structured approach to mitigating risks in accordance with organizational priorities.


Slide 14:

Preparing the POAM Based on Assessment Results.

The plan of action and milestones document, one of the three key documents in the security authorization package, describes actions planned by the information system owner to correct deficiencies in the security controls and to address remaining vulnerabilities in the information system (i.e., reduce, eliminate, or accept the vulnerabilities).

The plan of action and milestones document identifies: (i) the tasks needing to be accomplished; (ii) the resources required to accomplish the elements of the plan; (iii) any milestones in meeting the tasks; and (iv) scheduled completion dates for the milestones.


Slide 15:

Security Authorization Package.

The security authorization package documents the results of the security control assessment and provides the authorizing official with essential information needed to make a credible, risk-based decision on whether to authorize operation of an information system.

These documents provide the best indication of the overall security state of the information system and the ability of the system to protect, to the degree necessary, the organization's operations and assets, individuals, other organizations, and the Nation, and should be updated on a continuous basis.


Slide 16:

Security Assessments and System Authorization.

In addition to determining the overall effectiveness of the security controls in an information system, the findings produced by security control assessment are used by the authorizing official as one of the critical inputs in helping to decide whether the information system should be authorized for operation or allowed to continue in an authorized status.

A well-executed assessment of controls contributes to the authorization process by helping to determine the validity of the security controls contained in the organization's security plan and in facilitating a cost-effective approach to correcting any deficiencies in systems.

Security controls assessment also support continuous monitoring since the process and procedures are similar.


Slide 17:

Assess Process Review.

  • The assess process includes the following tasks: develop, review and approve a plan to assess the security controls;
  • assess the security controls in accordance with the assessment procedures defined in the security assessment plan; and
  • prepare the security assessment report documenting the issues, findings, and recommendations from the security control assessment.

Inputs include:

  • implemented information system and
  • system documentation and activities as required in the security controls.

Outputs include:

  • Security Assessment Plan and
  • Authorization Package consisting of System Security Plan (SSP), Security Assessment Report (SAR), and Plan of Action and Milestones (POAM).


Slide 18:

Role of the Information Security Program When Conducting the Security Control Assessments:

  • ensures the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the information systems supporting the organization's mission/business processes;
  • collects the evidence needed to establish the required assurances that intended security functionality in the security controls are present with the requisite level of trustworthiness; and
  • promotes a better understanding of risks from information systems and creates more complete, reliable, and trustworthy information to support information-sharing activities, authorization decisions, and compliance with federal legislation, directives, regulation, and policies.


Slide 19:

Discussion: What are the key purposes of a security control assessment?

Answer:

A security control assessment is performed to determine if the security controls for the information system are implemented correctly and operating as intended. The Security Assessment Report is produced during the assessment and is used to make an authorization decision.


Slide 20:

Summary.

During the Assess Step, the management, operational, and technical security controls in an information system are assessed to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

SP 800-53A provides a variety of resources to aid organizations in planning and conducting assessments.


Module 2, Lesson 5: Risk Management Framework - Authorize

Slide 1:

Lesson 5: Risk Management Framework Step 5 - Authorize.

Security authorization is the official management decision of a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.

The Security Assessment Report completed in Risk Management Framework Step 4 provides authorizing officials with the information needed for understanding the current security state of the organization's information systems and supporting infrastructure and the current risk posture of the organization.

Security authorization requires managers at all levels to implement the appropriate security controls for the information system, given mission and business requirements, technical constraints, operational constraints, cost/schedule constraints, and risk-related considerations.

When performing security authorization activities, the level of effort, resources expended, and actions taken should be commensurate with the security category of the information system.


Slide 2:

NIST Publications - Authorize Step.

Guidance - SP 800-37

NIST SP 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Lifecycle Approach" provides a life cycle approach to system authorization, integrated with the system development life cycle, resulting in more consistent and cost-effective information security and trusted information sharing across the federal government.

SP 800-37 provides guidelines that describe the steps leading to system authorization within the Risk Management Framework:

  • ensure authorizing officials are appropriately engaged throughout the risk management process,
  • promote a better understanding of organizational risks resulting from the operation and use of information systems, and
  • support consistent, informed security authorization decisions.


Slide 3:

Documentation - Authorization Package.

Authorization package includes:

System Security Plan - Overview of security requirements, description of agreed-upon security controls, and other supporting security-related documents. Security Assessment Report - Security control assessment results and recommended corrective actions for control weaknesses or deficiencies. Plan of Action and Milestones (POAM) - Measures planned to correct weaknesses or deficiencies and to address known vulnerabilities.

[Graphic: Above documents and descriptions with an arrow pointing at "Authorizing Official or Designated Representative"]


Slide 4:

Documentation - Authorization Package (continued).

Since most information systems have more vulnerabilities than available resources can address, organizations should define a strategy for developing POAMs that facilitates a prioritized approach to risk mitigation that is consistent across the organization.


Slide 5:

Authorization Decisions.

Security authorization decisions are based on the content of the authorization package, which includes the system security plan, security assessment report, and POAM, and the organizational risk strategy and risk tolerance provided by the risk executive function.

The risk executive function inputs include previously established risk guidance and relevant organization-wide information and the organization's risk tolerance.

Authorizing officials must balance the current information in the system authorization package with the organizational risk information provided by the risk executive function to make a decision on the current risk posture and the acceptability of such risk.

When authorizing a system, officials must weigh the near-term operational capability gained against the mission and business process dependence on information and information systems, considering the potential loss of operational capability due to the susceptibility to the threats that result from this dependence.


Slide 6:

Authorization Decision (continued).

By authorizing an information system for operation, an organizational official accepts risk for the security of the system and is accountable for any adverse impacts that may occur if the system is breached compromising the confidentiality, integrity, or availability of the information being processed, stored, or transmitted.


Slide 7:

Authorization to Operate

If the authorizing official, after reviewing the information provided in the authorization package and balancing it with the information gained from the risk executive function, deems that the risk to organizational operations and assets, individuals, other organizations, and the Nation is acceptable, an authorization to operate for a specified period of time is issued for the information system.

Denial of Authorization to Operate.

The authorizing official can also determine that the risk to organizational operations and assets, individuals, other organizations, and the Nation is unacceptable and that immediate steps cannot be taken to reduce the risk to an acceptable level. In those situations, the authorizing official denies the authorization to operate for the information system. The information system should not be placed into operation. If the information system is currently in operation, all activity should be halted.


Slide 8:

Prioritized Approach to Risk Mitigation.

Organizations should prioritize weaknesses or deficiencies within the categorized information systems to ensure that POAMs address the highest priority weaknesses or deficiencies within those systems.

An organization may decide to allocate the vast majority of risk mitigation resources initially to the highest impact information systems because a failure to correct the weaknesses or deficiencies in those systems could potentially have the most significant adverse effects on the organization's missions or business operations.


Slide 9:

Prioritized Approach to Risk Mitigation (continued).

A prioritized approach to risk mitigation takes into account:

  • the security category of the information system;
  • the specific weaknesses or deficiencies in the information system security controls;
  • the importance of the identified security control weaknesses or deficiencies related to the effect they may have on the overall security state of the information system and the resulting risk exposure of the organization;
  • the organization's established risk mitigation approach for addressing the identified weaknesses or deficiencies in the security controls, including prioritization of risk mitigation activities and allocation of resources; and
  • the organization's rationale for accepting certain weaknesses or deficiencies in the security controls.


Slide 10:

Authorize Process Review.

  • The authorize process includes the following tasks:
  • conduct initial remediation actions based on the findings and recommendations of the security assessment report;
  • prepare the POAM based on the findings and recommendations of the security assessment report excluding any remediation actions taken;
  • assemble the authorization package and submit to authorizing official for adjudication;
  • determine the risks to organizational operations (including mission, functions, image or reputation), organizational assets, individuals, other organizations, or the Nation; and
  • determine if the risk to organizational operations, organizational assets, individuals, other organizations, or the Nation is acceptable.

Inputs include:

  • Security Authorization Package consisting of the Security Assessment Report, POAM, and System Security Plan;
  • input from the Risk Executive (Function); and
  • other required essential information artifacts as stipulated in the security plan.

Outputs include:

  • the Authorization Decision Document.


Slide 11:

Role of the Information Security Program

When Conducting System Security Authorization:

ensures a comprehensive strategy is in place to bring together the individual authorization decisions for organizational information systems and supporting infrastructure to address the overall risk posture of the organization; facilitates a risk-based approach to organizational security that considers the organization's strategic goals and objectives, priorities, and stakeholder interests; promotes a comprehensive, organization-wide view of risk, balancing risks from information systems with other types of risks that organizations must address in order to successfully carry out mission/business processes; and provides a more accurate picture of the organization's overall security state and the ultimate risk to organizational operations and assets, individuals, other organizations, and the Nation based on the collective operation and use of its information systems.


Slide 12:

Summary.

In authorizing systems to operate, assessors need to determine that the risk to organizational operations, organizational assets, individuals, other organizations, or the Nation, resulting from the operation of the information system, is acceptable.

Since most information systems have more vulnerabilities than available resources can address, organizations should define a risk mitigation strategy that facilitates a prioritized approach to risk mitigation that is consistent across the organization.


Module 2, Lesson 6: Risk Management Framework - Monitor

Slide 1:

Lesson 6: Risk Management Framework

Step 6 - Monitor.

Introduction.

A critical aspect of the security authorization process is the post-authorization period involving the continuous monitoring of an information system's security controls, which includes analyzing and documenting any proposed or actual changes to the information system or its environment of operation.

Conducting a thorough point-in-time assessment of the security controls in an organizational information system is necessary, but not sufficient to demonstrate security due diligence. Information system monitoring activities are most effective when integrated into the broader life cycle management processes carried out by the organization and not executed as stand-alone, security-centric activities.

The ultimate objective of the continuous monitoring program is to determine if the security controls in the information system continue to be effective over time in light of the inevitable changes to hardware, software, and firmware that occur in the system, as well as changes in the environment in which the system operates.


Slide 2:

NIST Publications - Monitor Step.

Guidance - SP 800-37,

In accordance with NIST SP 800-37,"Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Lifecycle Approach," an effective continuous monitoring program includes:

  • configuration management and control processes for information systems,
  • security impact analyses on actual or proposed changes to information systems and environments of operation, and
  • assessment of selected security controls based on a continuous monitoring strategy to determine if they are operating as intended.


Slide 3:

NIST Publications - Monitor Step (continued).

An effective continuous monitoring program also includes:

  • security status reporting to appropriate organizational officials and
  • active involvement by authorizing officials in the ongoing management of information system-related security risks.

Tasks associated with continuous monitoring requirements, the individuals responsible for those tasks, and guidance for performing the tasks are also described in SP 800-37.


Slide 4:

Configuration Management.

Information systems are in a constant state of change with upgrades to hardware, software, or firmware and modifications to the surrounding environments where the systems reside and operate.

An orderly disciplined approach to managing, controlling, and documenting proposed or actual changes to information systems or their environments of operation is an essential element of an effective security control monitoring program. Therefore, configuration management and control processes should be established by organizations to support monitoring activities.

Security impact analysis conducted by the organization determines the extent to which changes to the information system or its environment of operation have affected the security state of the system. Changes to the information system or its operating environment may affect the security controls currently in place, produce new vulnerabilities in the system, or generate requirements for new security controls that were not previously needed.


Slide 5:

Ongoing Security Control Assessments.

Organizations assess all security controls in an information system during the initial security authorization. In accordance with OMB policy, the organization is required to assess a subset of the security controls annually during continuous monitoring. The selection of an appropriate subset of security controls to monitor and the frequency of monitoring is based on the monitoring strategy developed by the organization.

Remediation of outstanding items listed in the plan of action and milestones should be performed on an on-going basis. Security controls modified, enhanced, or added during this process should be reassessed by the assessor to ensure that appropriate corrective actions have been taken to eliminate weaknesses or deficiencies or mitigate the identified risk.


Slide 6:

Critical Document Updates.

To facilitate the near real-time management of risk associated with the operation and use of information systems, organizations should update system security plans, security assessment reports and POAM on a regular basis.

Documenting information system and environment changes as part of routine processes and assessing the potential impact those changes may have on the security state of the system is an essential aspect of continuous monitoring, achieving situational awareness, and maintaining the authorization. The security status reports provide senior leaders with this information.


Slide 7:

Ongoing Risk Determination and Acceptance.

Determining how the changing conditions affect the mission/business risk associated with information systems within the organization is essential for maintaining adequate security. By carrying out ongoing risk determination and risk acceptance, authorizing officials can manage risk and maintain the security authorization over time.


Slide 8:

System Removal and Decommissioning.

When a federal information system is removed from operation, a number of actions are required. Organizations should ensure that all security controls addressing information system decommissioning, such as media sanitization and configuration management, are implemented.


Slide 9:

Using Automated Tools for Continuous Monitoring.

Near real-time risk management of information systems can be facilitated by employing automated support tools to execute various steps in the Risk Management Framework. Continuous monitoring of security controls using automated support tools represents a significant paradigm shift in the way security authorization activities have been employed in the past.

The use of automated support tools to capture, organize, and maintain security status information promotes the concept of near real-time risk management through ongoing situational awareness regarding the overall risk posture of the organization.

In addition to vulnerability scanning tools, system and network monitoring tools, and other automated support tools that can help to determine the security state of an information system, organizations can employ automated security management and reporting tools to update critical documents in the authorization package including the system security plan, security assessment report, and POAM.


Slide 10:

Monitor Process Review.

The monitor process includes the following tasks:

  • develop a strategy for the continuous monitoring of security control effectiveness and any proposed/actual changes to the information system and environment of operation;
  • determine the security impact of proposed/actual changes to the information system and its environment of operation;
  • assess a selected subset of the technical, management, and operational security controls from the information system and the environment of operation in accordance with the organization-defined monitoring strategy;
  • conduct selected remediation actions based on the results of ongoing monitoring activities and the outstanding items in the POAM;
  • update the security plan, security assessment report, and POAM based on the results of the continuous monitoring process;
  • report the security status of the information system and its environment of operation to the appropriate organizational officials on an ongoing basis in accordance with the organization-defined monitoring strategy;
  • review the reported security status of the information system and its environment of operation on an ongoing basis in accordance with the organization-defined monitoring strategy to determine whether the risks to organizational operations, organizational assets, individuals, other organizations, or the Nation remains acceptable; and
  • implement an information system decommissioning strategy, when needed, which executes required actions when a system is removed from service.

Inputs include:

  • system removal and decommissioning and
  • Authorization Decision document.

Outputs include:

  • Updated Security Assessment Report and
  • Security Status reports.


Slide 11:

Role of the Information Security Program When Performing Continuous Monitoring.

  • provides on-going, up-to-date information about the organization's security state and risk posture and initiates appropriate responses as needed when changes occur;
  • enables the organization to make credible, risk-based decisions regarding the continued operation of the organization's information systems and the continued use of common controls in the supporting infrastructure, and the explicit acceptance of risk that results from those decisions; and
  • provides organizations with an effective process for producing ongoing updates to the system security plan, security assessment report, and POAM documents.


Slide 12:

Discussion.

What are the benefits to an organization of implementing a continuous monitoring process for its information systems?

Answers:

  • Provides on-going, up-to-date information about the organization's security state and risk posture.
  • Enables the organization to make credible, risk-based decisions regarding the continued operation of the organization's information systems.
  • Provides organizations with an effective tool for producing ongoing updates to system security documentation.


Slide 13:

Discussion.

What are the issues that must be addressed when implementing a continuous monitoring process?

Answers:

  • The potential impact changes to a system or its operating environment may have on the security state of the system and maintaining the authorization.
  • Changing conditions can have significant impact on the mission/business risk associated with information systems


Slide 14:

Summary.

Organizations must make informed judgments regarding the application of limited assessment resources when conducting continuous monitoring activities to ensure that the expenditures are consistent with the organization's mission requirements, security categorization in accordance with FIPS 199, and requirements in federal legislation, policy, directives, and regulations.


Module 2, Lesson 7: Organizational Risk Management and the Risk Management Framework

Slide 1:

Lesson 7: Organizational Risk Management and the Risk Management Framework

Introduction.

Organizational risk management provides signficiant benefits to the organization including the ability to prioritize resources, increase interoperability, and reduce costs for obtaining and maintaining system authorization. It helps to prevent unauthorized access to personally identifiable information, which could harm the organization, individuals or the Nation. It also safeguards against security breaches, which prevent the organization from accomplishing its mission and business goals.


Slide 2:

Lesson 7: Organizational Risk Management and the Risk Management Framework (continued).

By implementing a comprehensive, integrated risk management program, organizations are able to:

  • Generate the information needed to facilitate prioritization of information security requirements and allocation of information security resources based on risks to the organization's mission/business processes.
  • Ensure information security considerations are integrated into the enterprise architecture, the programming, planning, and budgeting cycles for managing information system assets, and the acquisition/system development life cycles.
  • Consolidate and streamline security solutions across the organization to simplify management, eliminate redundancy of protection, and improve interoperability and communication between dispersed information systems to ensure cost-effective solutions for managing risks.


Slide 3:

Integrating Risk Management in the SDLC.

All federal information systems, including operational systems, systems under development, and systems undergoing some form of modification or upgrade, are in some phase of the SDLC. Security requirements, including those requirements related to security authorization, are a subset of the overall requirements for federal information systems and therefore, should be incorporated into system development at the earliest phases of the SDLC.

Integrating security requirements into the SDLC is the most efficient and cost-effective method for an organization to ensure that its protection strategy is achieved and authorization activities are coupled with the management processes employed by the organization to develop, implement, operate, and maintain information systems supporting ongoing missions or business functions.

Risk management tasks are linked to specific phases in the SDLC and should begin during the system initiation (requirements definition) phase when the security capabilities of the system are determined.

If risk management tasks have not been adequately performed during the initiation, development, and acquisition phases of the SDLC, the implementation, assessment, and authorization tasks undertaken later in the life cycle are more costly and often less effective.


Slide 4:

Integrating Risk Management in the SDLC (continued).

The Risk Management Framework aids organizations in dynamically managing organizational security risk throughout the SDLC and helps to ensure that appropriate security controls for the information system are developed, implemented, assessed for effectiveness, and maintained.

Many of the activities conducted during the SDLC can support or are complementary to the information security activities that are required to be carried out routinely by organizations. However, organizations should maximize the use of security-relevant information (e.g., testing results, system documentation, and other artifacts) generated during the SDLC to satisfy requirements for similar information needed for information security-related purposes.

Reuse of information helps to reduce or eliminate unnecessary documentation, duplication of effort, and cost that may result when security activities are conducted independently of SDLC processes. Reuse also promotes greater consistency of information used in the design, development, implementation, operation, maintenance, and disposition of an information system including any security-related considerations.


Slide 5:

Trust Relationships.

The need for trust relationships among organizations arises both from partnerships established to share information and conduct business and from an organization's use of external providers of information and information system services. In many cases, while external providers bring greater productivity and cost efficiencies to the organization, they may also bring greater risk. This risk must be appropriately managed given the mission and business goals and objectives of the organization.


Slide 6:

Establishing Trust.

Trust relationships depend on the specific actions taken by the participating/cooperating partners to provide appropriate security controls for the information systems supporting the partnerships and the evidence needed to demonstrate that the controls have been implemented as intended.

Since the mission and business goals and objectives, security plans, risk mitigation strategies, and risk tolerance of participating/cooperating partners can vary widely based on the inherent flexibility in applying the Risk Management Framework, establishing trust relationships provides the visibility and understanding necessary to have confidence in the information sharing activities or the external services/information provided.


Slide 7:

Evidence.

Security evidence can include, for example, system security plans (including risk assessments), security assessment reports, POAM, or any other information that the organization can produce to demonstrate the trustworthiness of its information systems.

Other types of evidence that can help bolster trust are: audit results, self assessment results, and documented organizational processes, such as configuration management.


Slide 8:

Module Summary.

This module provided you with an overview of the Risk Management Framework, developed by NIST to help you manage risk from the operation of information systems more easily, efficiently, and effectively.

Implementing the Risk Management Framework can help your organization facilitate the development of cost-effective information security solutions commensurate with strategic goals, mission/business process, and overall tolerance for risk and facilitate trust relationships among organizations sharing information.


Course Summary

Slide 1:

Course Summary.

Having completed this course, you are now able to:

  • Explain the importance of establishing an organization-wide risk management program.
  • Identify the information security legislation related to organizational risk management.
  • Describe the purpose of the Risk Management Framework as an organization-wide risk management methodology.
  • Describe the considerations related to each step in the Risk Management Framework including NIST publications and FISMA documentation.
  • Describe how use of the Risk Management Framework facilitates an atmosphere of trust among organizations.


Slide 2:

Course Wrap-up.

Thank you for participating in the Applying the Risk Management Framework to Federal Information Systems course.

Understanding what constitutes risk and how risk can be addressed and managed using the Risk Management Framework will enable you to do your part to ensure the integrity and trustworthiness of your organization's information systems, particularly if you are directly involved in the execution and implementation phases of security programs for your organization.

For more information about this course, contact Pat Toth at @nist.gov.


Slide 3:

[Graphic: Certificate of Completion - This is to certify the Completion of the Online Course Applying the Risk Management Framework to Federal Information Systems]


Source

Personal tools