Page 1: RMF 2 - Federal Business Council, Inc. 11-7-18.pdf

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1

Kelley Dempsey

NIST IT Laboratory

Computer Security Division

NIST SP 800-37 Revision 2

Risk Management Framework for Information Systems and Organizations

A System Life Cycle Approach for Security and Privacy

(Final Public Draft)

Federal IT Security Conference, November 2018

RMF 2.0 RISK MANAGEMENT FRAMEWORK

Page 2:

NIST/ITL/CSD Public Comment Process

All publications produced by CSD go through the public comment process

Your voice will be heard!!

Receive notifications of newly posted drafts (and more) by subscribing at http://csrc.nist.gov/publications/subscribe.html

There may be one or more drafts of a given publication

Drafts are published at http://csrc.nist.gov/publications/PubsDrafts.html

Lengths of public comment periods vary

Page 3:

Risk Management

“If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds.” - McGeorge Bundy, National Security Advisor to U.S. Presidents Kennedy and Johnson

Page 4:

Risk can never be eliminated and so it must be MANAGED!!

Managing risk doesn’t mean fixing everything, nor does it mean not fixing anything…

Risk Management is about knowledge and understanding!

Graphic copied from: http://www.featurepics.com/online/Risk-1109124.aspx

Page 5:

SP 800-37 Rev 2 Timeline So Far

Federal interagency working group review during spring 2017

Extensive discussion sessions with OMB OIRA throughout winter/spring 2017/2018

JTF Review

Initial Public Draft 9 May 2018 – 6-week comment period

NIST adjudicated ~400 comments and developed FPD

OIRA review and approval

FPD released 2 October 2018

Public comment period ended 31 October 2018 – 480 comments

Page 6:

SP 800-37 Rev 2 Final Timeline

NIST and OIRA adjudicate FPD public comments

NIST develops final publication

Review by JTF

Review and approval by OIRA

Final publication planned for December 2018*

*Publication date dependent on OMB OIRA review and approval

Page 7:

RMF 2.0 (steps and the publications that support each step)

PREPARE: SP 800-18, SP 800-30, SP 800-39, SP 800-160

CATEGORIZE: FIPS 199, SP 800-60, CUI Registry

SELECT: FIPS 200, SP 800-53

IMPLEMENT: Many NIST Pubs

ASSESS: SP 800-53A

AUTHORIZE: SP 800-37

MONITOR: SP 800-137/137A, NISTIR 8011, NISTIR 8212 & Tool

Page 8:

RMF 2.0 Task Outcomes

Task I-1 CONTROL IMPLEMENTATION

Outcomes:
  Controls specified in the security and privacy plans are implemented. [Cybersecurity Framework: PR.IP-1]
  Systems security and privacy engineering methodologies are used to implement the controls in the system security and privacy plans. [Cybersecurity Framework: PR.IP-2]

Task I-2 BASELINE CONFIGURATION

Outcomes:
  The configuration baseline is established. [Cybersecurity Framework: PR.IP-1]
  The security and privacy plans are updated based on information obtained during the implementation of the controls. [Cybersecurity Framework: Profile]

Page 9:

RMF 2.0 Task Structure (Task P-3 shown as an example; flagged “New”)

RISK ASSESSMENT—ORGANIZATION

Task P-3 Assess organization-wide security and privacy risk and update the results on an ongoing basis.

Potential Inputs: Risk management strategy; mission or business objectives; current threat information; system-level risk assessment results; previous organization-level risk assessment results; security- and privacy-related information from continuous monitoring; information sharing agreements or memoranda of understanding.

Potential Outputs: Organization-level risk assessment results.

Primary Responsibility: Senior Accountable Official for Risk Management or Risk Executive (Function); Senior Agency Information Security Officer; Senior Agency Official for Privacy.

Supporting Roles: Chief Information Officer; Mission or Business Owner; Authorizing Official or Authorizing Official Designated Representative.

Discussion: Risk assessment at the organizational level is focused on risk to mission or business objectives and leverages aggregated information from system-level risk…..

References: NIST SP 800-30; NIST SP 800-39 (Organization Level, Mission/Business Process Level); NIST SP 800-161; NIST IR 8062.

Page 10:

Privacy is Fully Integrated into RMF

In accordance with OMB Circular A-130

Privacy in the RMF addressed in section 2.3

Privacy called out in task text as appropriate (e.g., Task P-3 is to assess security and privacy risk)

Privacy-specific Inputs, Outputs, Roles, and References specified as appropriate in tasks

Privacy-specific detail in task discussions

Page 11:

RMF and CSF Alignment

Inputs and Outputs reference CSF as applicable, e.g., CSF profile as potential output from Task P-4

Task Outcome tables reference CSF sections, categories, or sub-categories as applicable

References for tasks list applicable CSF sections

Page 12:

Security Engineering and RMF Alignment

Task references list related 800-160 process as applicable

Section 2.4 discusses system elements/enabling systems and tasks focus on stakeholder requirements

Page 13:

Supply Chain and RMF Alignment

Discussion of Supply Chain Risk Management (SCRM) within the RMF added in section 2.8

SCRM addressed in Task discussions as applicable

SCRM artifacts included in task Inputs and Outputs as applicable

SCRM responsibilities noted in Appendix D

Supply chain risk addressed as part of security risk

Page 14:

Prepare Step: Organization Level

Task P-1: ID and assign people to RM roles

Task P-2: Establish an org-wide RM strategy

Task P-3: Assess organization-wide risk

Task P-4: Org-wide tailored baselines (optional)

Task P-5: Common Control identification

Task P-6: Prioritize within impact level (optional)

Task P-7: Organization-wide ISCM strategy

Page 15:

Prepare Step: System Level (1 of 2)

Task P-8: ID missions/business functions and processes to be supported by the system

Task P-9: ID system stakeholders

Task P-10: ID assets that require protection

Task P-11: Determine authorization boundary

Task P-12: ID information types

Page 16:

Prepare Step: System Level (2 of 2)

Task P-13: ID information lifecycle

Task P-14: Assess system-level risk

Task P-15: Define security and privacy requirements for system and environment

Task P-16: Determine placement within EA

Task P-17: System registration IAW org policy

Page 17:

New/Revised Tasks in Existing Steps (1 of 2)

Categorize, Task C-2: Review and approve categorization results and decision

Select, Task S-1: Allocate requirements (expanded from identify common controls)

Select, Task S-3: Tailor selected controls

Select, Task S-4: Document planned implementation details in plans

Implement, Task I-2: Document implementation details different from planned (config baseline)

Page 18:

New/Revised Tasks in Existing Steps (2 of 2)

Assess, Task A-1: Select appropriate assessor

Assess, Task A-6: POA&M (moved from Authorize)

Authorize, Task R-2: Risk analysis added to risk determination by AO

Authorize, Task R-3: Respond to risk

Authorize, Task R-5: Report the authorization decision and significant risk as required

Page 19:

Authorization Boundaries (Section 2.5/App G)

Defines the scope of protection for systems (i.e., what is included with the system to be authorized WRT information, components, people, etc.)

Includes system hardware, software, firmware, processes, and technologies needed to support organizational missions/business processes

May or may not include the environment of operation

Is established before system security categorization and the development of security plans

Page 20:

Authorization Options

Authorization to Operate

System Authorization (Traditional or Joint)

Type Authorization

Facility Authorization

Common Control Authorization

Authorization to Use

Denial of Authorization

Note: Ongoing authorization supplemental guidance (June 2014) incorporated into Appendix F

Page 21:

SP 800-53 Revision 5 Security and Privacy Controls for Information Systems and Organizations

As of November 7, 2018

Page 22:

800-53 Rev 5 Timeline So Far

Call for pre-comments spring 2016

Adjudicated ~3000 comments and coordinated with SMEs (Privacy, SCRM, ID Mgmt., Crypto, etc.)

Federal interagency working group baseline review during late winter/early spring 2017

Extensive discussion sessions with OMB OIRA throughout spring/summer 2017

IPD published 15 August 2017

Adjudicated ~2000 public comments as above

FPD currently under development

Page 23:

800-53 Rev 5 Timeline for FPD and Final

Final Public Draft (FPD) next steps:
  Review by JTF (underway)
  Review and approval by OMB OIRA
  FPD publication planned for January 2019*

Final publication next steps:
  Adjudicate public comments on the FPD
  NIST develops final publication
  Reviews and approvals as above
  Final publication planned for Spring 2019*

*Publication date dependent on OMB OIRA review and approval

Page 24:

800-53 Rev 5 Changes Summary (1 of 4)

Complete integration of privacy controls (removal of Appendix J with App J mapping in FPD)

New Privacy Control families in IPD changed to different new Privacy Control family in FPD

New Supply Chain control family in FPD

Incorporated Program Management family into main control set

Complete control set in Chapter 3

Page 25:

800-53 Rev 5 Changes Summary (2 of 4)

Baselines and tailoring guidance will be placed in new volume, SP 800-53B

Some changes to all baselines, mostly in accordance with suggestions from working group

Revised/clarified/added control language and supplemental guidance

Streamlined front matter to focus only on the control set and how to use it

Page 26:

800-53 Rev 5 Changes Summary (3 of 4)

Removed lead-in entities to each control
  Focus on outcomes
  Align with security engineering
  Align with Cybersecurity Framework
  Retained entity info in a column in App D table

Reduced the federal focus
  More usable and welcoming for all sectors
  More usable and applicable for all system types
  More usable for security engineering in all sectors

Page 27:

800-53 Rev 5 Changes Summary (4 of 4)

Rearranged appendices

Removed priority codes

Keywords appendix added in IPD removed in FPD and to be provided as supplemental material

Thorough scrub of:
  Related Controls
  References
  Glossary
  ISO 27001 Mapping

Page 28:

Security Control Structure – Revision 5

AU-4 AUDIT LOG STORAGE CAPACITY

Control: Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements].

Discussion: Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability.

Related controls: AU-2, AU-5, AU-6, AU-7, AU-9, AU-11, AU-12, SI-4.

Control Enhancements:

(1) AUDIT LOG STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE

Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging.

Supplemental Guidance: This type of transfer, also known as off-loading, is a common process in systems with limited audit log storage capacity and thus supports availability of the audit logs. The initial audit log storage is used only in a transitory fashion until the system can communicate with the secondary or alternate system allocated to audit log storage, at which point the audit logs are transferred. This control enhancement is similar to AU-9(2) in that the audit logs are transferred to a different entity; however, the primary purpose of selecting AU-9(2) is to protect the confidentiality and integrity of audit records. Organizations can select either enhancement to obtain the dual benefit of increased audit log storage capacity and preserving the confidentiality, integrity, and availability of audit records and logs.

Related controls: None.

References: None.
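The control text above is technology neutral, so it is worth seeing what the two requirements on this slide look like once an implementer fills in the assignment values. The following Python is an added example, not code from the slides or from SP 800-53: it sizes storage against a retention requirement (the AU-4 assignment) and off-loads rotated log files to alternate storage (AU-4(1)). The sizing figures, the file-naming scheme (audit-YYYY-MM-DD.log), the directory names and the sample log lines are all constructed assumptions.

```python
"""Sizing audit log storage for a retention requirement (AU-4) and
off-loading rotated logs to alternate storage (AU-4(1)).

Added example; not code from the NIST slides or from SP 800-53. The file
naming scheme, sizing figures and sample log lines are constructed."""
import hashlib
import json
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Tuple


@dataclass(frozen=True)
class RetentionRequirement:
    """Values an organization would take from its AU-11 retention period and
    its observed logging rate (all numbers used below are assumptions)."""
    retention_days: int
    events_per_day: int
    avg_event_bytes: int
    headroom: float = 0.25  # buffer so a burst does not exhaust capacity


def required_capacity_bytes(req: RetentionRequirement) -> int:
    """AU-4: capacity needed to hold retention_days of logging, plus headroom."""
    raw = req.retention_days * req.events_per_day * req.avg_event_bytes
    return int(raw * (1 + req.headroom))


def capacity_shortfall(req: RetentionRequirement, allocated_bytes: int) -> int:
    """Bytes missing from the allocation; 0 means the requirement is met."""
    return max(0, required_capacity_bytes(req) - allocated_bytes)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def offload_logs(primary: Path, alternate: Path, keep_latest: int = 1) -> Dict[str, str]:
    """AU-4(1): move all but the newest `keep_latest` rotated log files from the
    logging host's own store to alternate storage, so the primary store is only
    transitory. Each file is hashed before the move and re-hashed afterwards to
    catch a truncated or corrupted transfer, and a manifest of digests is
    written beside the off-loaded files. Assumes rotated files are named
    audit-YYYY-MM-DD.log, so lexical order is chronological."""
    alternate.mkdir(parents=True, exist_ok=True)
    rotated = sorted(primary.glob("audit-*.log"))
    cut = max(0, len(rotated) - keep_latest)  # keep_latest > len(rotated) moves nothing
    manifest: Dict[str, str] = {}
    for src in rotated[:cut]:
        digest = sha256_file(src)
        dst = alternate / src.name
        shutil.move(str(src), str(dst))
        if sha256_file(dst) != digest:
            raise RuntimeError(f"off-load of {src.name} failed verification")
        manifest[src.name] = digest
    (alternate / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def demo() -> Tuple[int, int]:
    """Constructed scenario: four days of rotated logs, keep only the newest on
    the logging host. Returns (files moved, files left on primary storage)."""
    with tempfile.TemporaryDirectory() as tmp:
        primary = Path(tmp) / "primary"
        alternate = Path(tmp) / "alternate"
        primary.mkdir()
        for day in range(1, 5):  # constructed sample log lines
            (primary / f"audit-2018-11-0{day}.log").write_text(
                f"2018-11-0{day}T08:00:00Z user=alice action=login result=success\n"
            )
        manifest = offload_logs(primary, alternate, keep_latest=1)
        remaining = len(list(primary.glob("audit-*.log")))
        return len(manifest), remaining


if __name__ == "__main__":
    req = RetentionRequirement(retention_days=90, events_per_day=200_000, avg_event_bytes=512)
    print("required bytes:", required_capacity_bytes(req))
    print("shortfall vs 8 GiB:", capacity_shortfall(req, 8 * 1024**3))
    print("demo (moved, remaining):", demo())
```

The digest check in offload_logs only detects a bad transfer; because the hash is computed on the same host that produced the logs, it does not protect the records from a privileged attacker on that host. That protection is the point of AU-9(2), which the slide distinguishes from this enhancement, and it needs an independent store or signing key rather than a local manifest.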

Page 29:

Security Controls are Technology Neutral

Security controls are intentionally not focused on any specific technologies

Security control implementations & assessment methods will likely vary based on the technology to which the control is being applied, e.g.:
  Cloud-based systems
  Mobile systems
  Applications
  Sensors
  “IoT”

Page 30:

800-53B Rev 5 Baselines (Access Control family excerpt)

Columns on the slide: CNTL NO. | CONTROL NAME | PRIVACY-RELATED (marks not captured in this transcript) | CONTROL BASELINES: LOW / MODERATE / HIGH

CNTL NO. | CONTROL NAME                                                | LOW          | MODERATE                          | HIGH
AC-1     | Access Control Policy and Procedures                        | AC-1         | AC-1                              | AC-1
AC-2     | Account Management                                          | AC-2         | AC-2 (1) (2) (3) (4) (10) (13)    | AC-2 (1) (2) (3) (4) (5) (10) (11) (12) (13)
AC-3     | Access Enforcement                                          | AC-3         | AC-3                              | AC-3
AC-4     | Information Flow Enforcement                                | —            | AC-4                              | AC-4 (4)
AC-5     | Separation of Duties                                        | —            | AC-5                              | AC-5
AC-6     | Least Privilege                                             | AC-6 (7) (9) | AC-6 (1) (2) (5) (7) (9) (10)     | AC-6 (1) (2) (3) (5) (7) (9) (10)
AC-7     | Unsuccessful Logon Attempts                                 | AC-7         | AC-7                              | AC-7
AC-8     | System Use Notification                                     | AC-8         | AC-8                              | AC-8
AC-9     | Previous Logon (Access) Notification                        | —            | —                                 | —
AC-10    | Concurrent Session Control                                  | —            | —                                 | AC-10
AC-11    | Device Lock                                                 | —            | AC-11 (1)                         | AC-11 (1)
AC-12    | Session Termination                                         | —            | AC-12                             | AC-12
AC-13    | Withdrawn                                                   |              |                                   |
AC-14    | Permitted Actions without Identification or Authentication  | AC-14        | AC-14                             | AC-14

Page 31:

800-53 Rev 5 Appendix D Excerpt (Awareness and Training family)

Columns: CONTROL NUMBER | CONTROL NAME / CONTROL ENHANCEMENT NAME | AUTHORIZED PROCESSING | IMPLEMENTED BY | ASSURANCE
(√ = applies; O = organization; W = withdrawn)

AT-1    | Policy and Procedures                                     | √ | O | √
AT-2    | Awareness Training                                        | √ | O | √
AT-2(1) | PRACTICAL EXERCISES                                       | √ | O | √
AT-2(2) | INSIDER THREAT                                            |   | O | √
AT-2(3) | SOCIAL ENGINEERING AND MINING                             |   | O | √
AT-2(4) | SUSPICIOUS COMMUNICATIONS AND ANOMALOUS SYSTEM BEHAVIOR   |   | O | √
AT-2(5) | BREACH                                                    | √ | O | √
AT-2(6) | ADVANCED PERSISTENT THREAT                                |   | O | √
AT-3    | Role-Based Training                                       | √ | O | √
AT-3(1) | ENVIRONMENTAL CONTROLS                                    |   | O | √
AT-3(2) | PHYSICAL SECURITY CONTROLS                                |   | O | √
AT-3(3) | PRACTICAL EXERCISES                                       | √ | O | √
AT-3(4) | SUSPICIOUS COMMUNICATIONS AND ANOMALOUS SYSTEM BEHAVIOR   | W: Incorporated into AT-2(4).
AT-3(5) | ACCESSING PERSONALLY IDENTIFIABLE INFORMATION             | √ | O | √
AT-4    | Training Records                                          | √ | O | √
AT-5    | Contacts with Security Groups and Associations            | W: Incorporated into PM-15.

Page 32:

800-53 Rev 5 Privacy Integration

Privacy fully integrated throughout Rev 5

Privacy controls from App J and OMB A-130 privacy requirements incorporated into main control set
  Privacy controls added in existing families
    Most in Program Management family
    Some in other families (SA, SI)
  “Sharing” existing controls
  New privacy family: Processing Permissions (PP)

Privacy Appendix to include:
  Mappings to OMB requirements and controls from App J
  Summary tables

Page 33:

800-53 Rev 5 FPD Control Families

ID | FAMILY
AC | Access Control
AT | Awareness and Training
AU | Audit and Accountability
CA | Security Assessment and Authorization
CM | Configuration Management
CP | Contingency Planning
IA | Identification and Authentication
IR | Incident Response
MA | Maintenance
MP | Media Protection
PE | Physical and Environmental Protection
PL | Planning
PM | Program Management
PP | Processing Permissions*
PS | Personnel Security
RA | Risk Assessment
SA | System and Services Acquisition
SC | System & Communications Protection
SI | System and Information Integrity
SR | Supply Chain Risk Mgmt.*

*New families in Rev 5 FPD

Page 34:

800-53 Update Automation Application

Purpose: Increase agility and reduce effort and angst due to significant change every 3-5 years

Web application operational immediately after R5 final

Provides workflows for:
  Customers to propose changes to all aspects of controls
  NIST staff to review proposals and push to SMEs if necessary
  Public comments on proposed changes
  Saving approved changes in a sandbox until next version
  JTF review, OIRA review/approval, Editorial Review Board

Versions:
  Minor (to include errata) – planned for quarterly
  Major – planned for annually

Page 35:

Status of Other FISMA Publications

SP 800-18 Rev 2, Security Plan Guideline: In progress, IPD early CY 2019.

SP 800-47 Rev 1, Managing System Information Exchanges (working title): In progress, IPD early CY 2019 (Current version title is Security Guide for Interconnecting Information Technology Systems)

SP 800-60 Rev 2, Information Types Guideline: Partnering with NARA to incorporate CUI - Temporarily on hold

SP 800-137A, Assessment Procedures for the ISCM Program: In progress, IPD before end of CY 2018

NIST SP 800-160*, Systems Security Engineering: Volume 1 published 11-16, Volume 2 IPD on Multidisciplinary Approach to SE published 3-18

NISTIR 8011*, Automation Support for Ongoing Assessment, Volumes 1 and 2: Final June 2017; Volume 3 in ERB/final to be published in next few weeks

NISTIR 8212 and Tool, ISCM Assessment: In Progress, IPD early CY 2019

* Multiple volumes planned

Page 36:

Contact Information

Project Leader and NIST Fellow: Dr. Ron Ross, (301) 975-5390, [email protected]

Administrative Support: Jeff Brewer, (301) 975-2489, [email protected]

Senior Information Security Specialist: Kelley Dempsey, (301) 975-2827, [email protected]

Team Lead and Senior Information Security Specialist: Victoria Pillitteri, (301) 975-8542, [email protected]

Information Security Specialists: Ned Goren, (301) 975-5233, [email protected]; Jody Jacobs, (301) 975-4728, [email protected]

Comments: [email protected] (goes to all of the above)

Web: csrc.nist.gov/sec-cert
