NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1
Kelley Dempsey
NIST IT Laboratory
Computer Security Division
NIST SP 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (Final Public Draft)
Federal IT Security Conference, November 2018
RMF 2.0 (Risk Management Framework)
NIST/ITL/CSD Public Comment Process
All publications produced by CSD go through the public comment process
Your voice will be heard!!
Receive notifications of newly posted drafts (and more) by subscribing at http://csrc.nist.gov/publications/subscribe.html
There may be one or more drafts of a given publication
Drafts are published at http://csrc.nist.gov/publications/PubsDrafts.html
Lengths of public comment periods vary
Risk Management
“If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds.” - McGeorge Bundy, National Security Advisor to U.S. Presidents Kennedy and Johnson
Risk can never be eliminated and so it must be MANAGED!!
Managing risk doesn’t mean fixing everything, nor does it mean not fixing anything…
Risk Management is about knowledge and understanding!
SP 800-37 Rev 2 Timeline So Far
Federal interagency working group review during spring 2017
Extensive discussion sessions with OMB OIRA throughout winter/spring 2017/2018
JTF Review
Initial Public Draft 9 May 2018 – 6-week comment period
NIST adjudicated ~400 comments and developed FPD
OIRA review and approval
FPD released 2 October 2018
Public comment period ended 31 October 2018 – 480 comments
SP 800-37 Rev 2 Final Timeline
NIST and OIRA adjudicate FPD public comments
NIST develops final publication
Review by JTF
Review and approval by OIRA
Final publication planned for December 2018*
*Publication date dependent on OMB OIRA review and approval
RMF 2.0 (steps and the publications that support each step)
PREPARE: SP 800-18, SP 800-30, SP 800-39, SP 800-160
CATEGORIZE: FIPS 199, SP 800-60, CUI Registry
SELECT: FIPS 200, SP 800-53
IMPLEMENT: many NIST publications
ASSESS: SP 800-53A
AUTHORIZE: SP 800-37
MONITOR: SP 800-137/137A, NISTIR 8011, NISTIR 8212 & Tool
RMF 2.0 Task Outcomes
Task I-1 CONTROL IMPLEMENTATION
Outcomes:
Controls specified in the security and privacy plans are implemented. [Cybersecurity Framework: PR.IP-1]
Systems security and privacy engineering methodologies are used to implement the controls in the system security and privacy plans. [Cybersecurity Framework: PR.IP-2]
Task I-2 BASELINE CONFIGURATION
Outcomes:
The configuration baseline is established. [Cybersecurity Framework: PR.IP-1]
The security and privacy plans are updated based on information obtained during the implementation of the controls. [Cybersecurity Framework: Profile]
RMF 2.0 Task Structure (example)
RISK ASSESSMENT—ORGANIZATION
Task P-3: Assess organization-wide security and privacy risk and update the results on an ongoing basis.
Potential Inputs: Risk management strategy; mission or business objectives; current threat information; system-level risk assessment results; previous organization-level risk assessment results; security- and privacy-related information from continuous monitoring; information sharing agreements or memoranda of understanding.
Potential Outputs: Organization-level risk assessment results.
Primary Responsibility: Senior Accountable Official for Risk Management or Risk Executive (Function); Senior Agency Information Security Officer; Senior Agency Official for Privacy.
Supporting Roles: Chief Information Officer; Mission or Business Owner; Authorizing Official or Authorizing Official Designated Representative.
Discussion: Risk assessment at the organizational level is focused on risk to mission or business objectives and leverages aggregated information from system-level risk…..
References: NIST SP 800-30; NIST SP 800-39 (Organization Level, Mission/Business Process Level); NIST SP 800-161; NIST IR 8062.
(Task P-3, like the rest of the Prepare step, is new in Rev 2.)
Privacy is Fully Integrated into RMF
In accordance with OMB Circular A-130
Privacy in the RMF addressed in section 2.3
Privacy called out in task text as appropriate (e.g., Task P-3 is to assess security and privacy risk)
Privacy-specific Inputs, Outputs, Roles, and References specified as appropriate in tasks
Privacy-specific detail in task discussions
RMF and CSF Alignment
Inputs and Outputs reference CSF as applicable, e.g., CSF profile as potential output from Task P-4
Task Outcome tables reference CSF sections, categories, or sub-categories as applicable
References for tasks list applicable CSF sections
Security Engineering and RMF Alignment
Task references list related 800-160 process as applicable
Section 2.4 discusses system elements/enabling systems and tasks focus on stakeholder requirements
Supply Chain and RMF Alignment
Discussion of Supply Chain Risk Management (SCRM) within the RMF added in section 2.8
SCRM addressed in Task discussions as applicable
SCRM artifacts included in task Inputs and Outputs as applicable
SCRM responsibilities noted in Appendix D
Supply chain risk addressed as part of security risk
Prepare Step: Organization Level
Task P-1: ID and assign people to RM roles
Task P-2: Establish an org-wide RM strategy
Task P-3: Assess organization-wide risk
Task P-4: Org-wide tailored baselines (optional)
Task P-5: Common Control identification
Task P-6: Prioritize within impact level (optional)
Task P-7: Organization-wide ISCM strategy
Prepare Step: System Level (1 of 2)
Task P-8: ID missions/business functions and processes to be supported by the system
Task P-9: ID system stakeholders
Task P-10: ID assets that require protection
Task P-11: Determine authorization boundary
Task P-12: ID information types
Prepare Step: System Level (2 of 2)
Task P-13: ID information lifecycle
Task P-14: Assess system-level risk
Task P-15: Define security and privacy requirements for system and environment
Task P-16: Determine placement within EA
Task P-17: System registration IAW org policy
New/Revised Tasks in Existing Steps (1 of 2)
Categorize, Task C-2: Review and approve categorization results and decision
Select, Task S-1: Allocate requirements (expanded from identify common controls)
Select, Task S-3: Tailor selected controls
Select, Task S-4: Document planned implementation details in plans
Implement, Task I-2: Document implementation details different from planned (config baseline)
New/Revised Tasks in Existing Steps (2 of 2)
Assess, Task A-1: Select appropriate assessor
Assess, Task A-6: POA&M (moved from Authorize)
Authorize, Task R-2: Risk analysis added to risk determination by AO
Authorize, Task R-3: Respond to risk
Authorize, Task R-5: Report the authorization decision and significant risk as required
Authorization Boundaries (Section 2.5/App G)
Defines the scope of protection for systems (i.e., what is included with the system to be authorized with respect to information, components, people, etc.)
Includes system hardware, software, firmware, processes, and technologies needed to support organizational missions/business processes
May or may not include the environment of operation
Is established before system security categorization and the development of security plans
Authorization Options
Authorization to Operate
  System Authorization (Traditional or Joint)
  Type Authorization
  Facility Authorization
  Common Control Authorization
Authorization to Use
Denial of Authorization
Note: Ongoing authorization supplemental guidance (June 2014) incorporated into Appendix F
SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations
Status as of November 7, 2018
800-53 Rev 5 Timeline So Far
Call for pre-comments spring 2016
Adjudicated ~3000 comments and coordinated with SMEs (Privacy, SCRM, ID Mgmt., Crypto, etc.)
Federal interagency working group baseline review during late winter/early spring 2017
Extensive discussion sessions with OMB OIRA throughout spring/summer 2017
IPD published 15 August 2017
Adjudicated ~2000 public comments as above
FPD currently under development
800-53 Rev 5 Timeline for FPD and Final
Final Public Draft (FPD) next steps:
  Review by JTF (underway)
  Review and approval by OMB OIRA
  FPD publication planned for January 2019*
Final publication next steps:
  Adjudicate public comments on the FPD
  NIST develops final publication
  Reviews and approvals as above
  Final publication planned for Spring 2019*
*Publication date dependent on OMB OIRA review and approval
800-53 Rev 5 Changes Summary (1 of 4)
Complete integration of privacy controls (removal of Appendix J with App J mapping in FPD)
New Privacy Control families in IPD changed to different new Privacy Control family in FPD
New Supply Chain control family in FPD
Incorporated Program Management family into main control set
Complete control set in Chapter 3
800-53 Rev 5 Changes Summary (2 of 4)
Baselines and tailoring guidance will be placed in new volume, SP 800-53B
Some changes to all baselines, mostly in accordance with suggestions from working group
Revised/clarified/added control language and supplemental guidance
Streamlined front matter to focus only on the control set and how to use it
800-53 Rev 5 Changes Summary (3 of 4)
Removed lead-in entities to each control
  Focus on outcomes
  Align with security engineering
  Align with Cybersecurity Framework
  Retained entity info in a column in App D table
Reduced the federal focus
  More usable and welcoming for all sectors
  More usable and applicable for all system types
  More usable for security engineering in all sectors
800-53 Rev 5 Changes Summary (4 of 4)
Rearranged appendices
Removed priority codes
Keywords appendix added in IPD removed in FPD and to be provided as supplemental material
Thorough scrub of:
  Related Controls
  References
  Glossary
  ISO 27001 Mapping
Security Control Structure – Revision 5 (example: AU-4 AUDIT LOG STORAGE CAPACITY)
Control: Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements].
Discussion: Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability.
Related controls: AU-2, AU-5, AU-6, AU-7, AU-9, AU-11, AU-12, SI-4.
Control Enhancements:
(1) AUDIT LOG STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE
Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging.
Supplemental Guidance: This type of transfer, also known as off-loading, is a common process in systems with limited audit log storage capacity and thus supports availability of the audit logs. The initial audit log storage is used only in a transitory fashion until the system can communicate with the secondary or alternate system allocated to audit log storage, at which point the audit logs are transferred. This control enhancement is similar to AU-9(2) in that the audit logs are transferred to a different entity; however, the primary purpose of selecting AU-9(2) is to protect the confidentiality and integrity of audit records. Organizations can select either enhancement to obtain the dual benefit of increased audit log storage capacity and preserving the confidentiality, integrity, and availability of audit records and logs.
Related controls: None.
References: None.
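An added example, not NIST text and not part of SP 800-53, of how a practitioner might implement AU-4 and AU-4(1) on a host: the storage allocation is derived from the organization-defined retention requirement (the Assignment in the control), and closed log files are off-loaded to alternate storage with a SHA-256 manifest, so the transfer also yields the integrity benefit the supplemental guidance attributes to AU-9(2). The directory names, daily log rate, retention period and headroom factor are hypothetical; the sample log files are constructed inline so the block runs offline.

```python
"""AU-4 / AU-4(1) worked example (added here; not NIST's code).

Two pieces: size the audit log storage from the retention requirement,
then off-load closed (rotated) logs to alternate storage, hashing each
file before and after the copy so a truncated or altered copy is never
accepted and the primary copy is never deleted on a failed transfer.
All paths, rates and the headroom factor are hypothetical assumptions.
"""
import hashlib
import os
import shutil
import tempfile


def required_capacity_bytes(daily_volume_bytes, retention_days, headroom=1.25):
    """Capacity needed to hold `retention_days` of logging at `daily_volume_bytes`
    per day, plus a headroom factor for bursts (e.g. an incident that spikes
    auditd output). Headroom of 25% is an assumption, not a NIST value."""
    return int(daily_volume_bytes * retention_days * headroom)


def capacity_shortfall(available_bytes, required_bytes):
    """Bytes by which available storage misses the requirement (0 if sufficient).
    A non-zero result is what an AU-5 style capacity alert would be raised on."""
    return max(0, required_bytes - available_bytes)


def sha256_file(path):
    """Streamed SHA-256 so large log files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def offload_closed_logs(primary_dir, alternate_dir, active_name="audit.log"):
    """AU-4(1): move every closed log out of primary_dir into alternate_dir,
    leaving the file the logger is still writing (active_name) in place.
    Returns {filename: sha256}; the same digests are appended to a manifest
    in alternate storage so the logs carry their own integrity evidence."""
    os.makedirs(alternate_dir, exist_ok=True)
    manifest = {}
    for name in sorted(os.listdir(primary_dir)):
        src = os.path.join(primary_dir, name)
        if name == active_name or not os.path.isfile(src):
            continue
        digest = sha256_file(src)            # hash BEFORE the copy
        dst = os.path.join(alternate_dir, name)
        shutil.copy2(src, dst)
        if sha256_file(dst) != digest:       # verify the copy, then release primary
            os.remove(dst)
            raise OSError(f"integrity check failed for {name}; left in primary storage")
        os.remove(src)
        manifest[name] = digest
    with open(os.path.join(alternate_dir, "MANIFEST.sha256"), "a") as mf:
        for name, digest in manifest.items():
            mf.write(f"{digest}  {name}\n")
    return manifest


def demo():
    """Run the off-load against constructed sample logs in a temporary directory.
    Returns (manifest, files left in primary) so the result can be checked."""
    root = tempfile.mkdtemp()
    primary = os.path.join(root, "primary")
    alternate = os.path.join(root, "alternate")
    os.makedirs(primary)
    # Constructed sample: two rotated logs plus the active file (not real audit data).
    samples = (
        ("audit.log.1", b"type=USER_LOGIN msg=audit(1541600000.000:101): constructed sample\n"),
        ("audit.log.2", b"type=USER_LOGOUT msg=audit(1541686400.000:202): constructed sample\n"),
        ("audit.log",   b"type=SYSCALL msg=audit(1541772800.000:303): still being written\n"),
    )
    for name, body in samples:
        with open(os.path.join(primary, name), "wb") as f:
            f.write(body)
    manifest = offload_closed_logs(primary, alternate)
    remaining = sorted(os.listdir(primary))
    shutil.rmtree(root)
    return manifest, remaining


if __name__ == "__main__":
    need = required_capacity_bytes(1_000_000, 90)        # 1 MB/day, 90-day retention
    print("required bytes:", need, "shortfall at 100 MB:", capacity_shortfall(100_000_000, need))
    print(demo())
```

On a real host the primary directory would be the logger's spool (for example the directory auditd rotates into) and the alternate a mount served by another system, with the transfer scheduled at the organization-defined frequency. Hashing before the move and verifying after it is what makes the off-loaded copy defensible if the logging host is later compromised: the manifest travels with the logs rather than staying on the system that produced them.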
Security Controls are Technology Neutral
Security controls are intentionally not focused on any specific technologies
Security control implementations & assessment methods will likely vary based on the technology to which the control is being applied, e.g.:
  Cloud-based systems
  Mobile systems
  Applications
  Sensors
  “IoT”
800-53B Rev 5 Baselines (Access Control family excerpt)
Columns: control number and name, then the control (with enhancements) selected in the LOW, MODERATE and HIGH baselines; “—” means not selected in that baseline. The source table also carries a PRIVACY-RELATED column; none of the rows in this excerpt is marked in it.

CNTL NO. | CONTROL NAME                                                    | LOW            | MODERATE                          | HIGH
AC-1     | Access Control Policy and Procedures                            | AC-1           | AC-1                              | AC-1
AC-2     | Account Management                                              | AC-2           | AC-2 (1) (2) (3) (4) (10) (13)    | AC-2 (1) (2) (3) (4) (5) (10) (11) (12) (13)
AC-3     | Access Enforcement                                              | AC-3           | AC-3                              | AC-3
AC-4     | Information Flow Enforcement                                    | —              | AC-4                              | AC-4 (4)
AC-5     | Separation of Duties                                            | —              | AC-5                              | AC-5
AC-6     | Least Privilege                                                 | AC-6 (7) (9)   | AC-6 (1) (2) (5) (7) (9) (10)     | AC-6 (1) (2) (3) (5) (7) (9) (10)
AC-7     | Unsuccessful Logon Attempts                                     | AC-7           | AC-7                              | AC-7
AC-8     | System Use Notification                                         | AC-8           | AC-8                              | AC-8
AC-9     | Previous Logon (Access) Notification                            | —              | —                                 | —
AC-10    | Concurrent Session Control                                      | —              | —                                 | AC-10
AC-11    | Device Lock                                                     | —              | AC-11 (1)                         | AC-11 (1)
AC-12    | Session Termination                                             | —              | AC-12                             | AC-12
AC-13    | Withdrawn                                                       |                |                                   |
AC-14    | Permitted Actions without Identification or Authentication      | AC-14          | AC-14                             | AC-14
800-53 Rev 5 Appendix D Excerpt (Awareness and Training family)
Columns: AUTHORIZED PROCESSING (privacy-related), IMPLEMENTED BY, ASSURANCE. Legend: √ = applies; O = implemented by the organization (rather than the system); W = withdrawn.

CONTROL NUMBER | CONTROL NAME / CONTROL ENHANCEMENT NAME                     | AUTHORIZED PROCESSING | IMPLEMENTED BY | ASSURANCE
AT-1           | Policy and Procedures                                       | √                     | O              | √
AT-2           | Awareness Training                                          | √                     | O              | √
AT-2(1)        | PRACTICAL EXERCISES                                         | √                     | O              | √
AT-2(2)        | INSIDER THREAT                                              |                       | O              | √
AT-2(3)        | SOCIAL ENGINEERING AND MINING                               |                       | O              | √
AT-2(4)        | SUSPICIOUS COMMUNICATIONS AND ANOMALOUS SYSTEM BEHAVIOR     |                       | O              | √
AT-2(5)        | BREACH                                                      | √                     | O              | √
AT-2(6)        | ADVANCED PERSISTENT THREAT                                  |                       | O              | √
AT-3           | Role-Based Training                                         | √                     | O              | √
AT-3(1)        | ENVIRONMENTAL CONTROLS                                      |                       | O              | √
AT-3(2)        | PHYSICAL SECURITY CONTROLS                                  |                       | O              | √
AT-3(3)        | PRACTICAL EXERCISES                                         | √                     | O              | √
AT-3(4)        | SUSPICIOUS COMMUNICATIONS AND ANOMALOUS SYSTEM BEHAVIOR     | W: Incorporated into AT-2(4).
AT-3(5)        | ACCESSING PERSONALLY IDENTIFIABLE INFORMATION               | √                     | O              | √
AT-4           | Training Records                                            | √                     | O              | √
AT-5           | Contacts with Security Groups and Associations              | W: Incorporated into PM-15.
800-53 Rev 5 Privacy Integration
Privacy fully integrated throughout Rev 5
Privacy controls from App J and OMB A-130 privacy requirements incorporated into main control set
  Privacy controls added in existing families
    Most in Program Management family
    Some in other families (SA, SI)
  “Sharing” existing controls
  New privacy family: Processing Permissions (PP)
Privacy Appendix to include:
  Mappings to OMB requirements and controls from App J
  Summary tables
800-53 Rev 5 FPD Control Families
ID | FAMILY
AC | Access Control
AT | Awareness and Training
AU | Audit and Accountability
CA | Security Assessment and Authorization
CM | Configuration Management
CP | Contingency Planning
IA | Identification and Authentication
IR | Incident Response
MA | Maintenance
MP | Media Protection
PE | Physical and Environmental Protection
PL | Planning
PM | Program Management
PP | Processing Permissions*
PS | Personnel Security
RA | Risk Assessment
SA | System and Services Acquisition
SC | System & Communications Protection
SR | Supply Chain Risk Mgmt.*
SI | System and Information Integrity
*New families in Rev 5 FPD
800-53 Update Automation Application
Purpose: Increase agility and reduce effort and angst due to significant change every 3-5 years
Web application operational immediately after R5 final
Provides workflows for:
  Customers to propose changes to all aspects of controls
  NIST staff to review proposals and push to SMEs if necessary
  Public comments on proposed changes
  Saving approved changes in a sandbox until next version
  JTF review, OIRA review/approval, Editorial Review Board
Versions:
  Minor (to include errata) – planned for quarterly
  Major – planned for annually
Status of Other FISMA Publications
SP 800-18 Rev 2, Security Plan Guideline: In progress, IPD early CY 2019.
SP 800-47 Rev 1, Managing System Information Exchanges (working title): In progress, IPD early CY 2019 (current version title is Security Guide for Interconnecting Information Technology Systems).
SP 800-60 Rev 2, Information Types Guideline: Partnering with NARA to incorporate CUI; temporarily on hold.
SP 800-137A, Assessment Procedures for the ISCM Program: In progress, IPD before end of CY 2018.
NIST SP 800-160*, Systems Security Engineering: Volume 1 published November 2016; Volume 2 IPD on Multidisciplinary Approach to SE published March 2018.
NISTIR 8011*, Automation Support for Ongoing Assessment, Volumes 1 and 2: Final June 2017; Volume 3 in ERB/final, to be published in the next few weeks.
NISTIR 8212 and Tool, ISCM Assessment: In progress, IPD early CY 2019.
* Multiple volumes planned
Contact Information
Project Leader and NIST Fellow: Dr. Ron Ross, (301) 975-5390, [email protected]
Administrative Support: Jeff Brewer, (301) 975-2489, [email protected]
Senior Information Security Specialist: Kelley Dempsey, (301) 975-2827, [email protected]
Team Lead and Senior Information Security Specialist: Victoria Pillitteri, (301) 975-8542, [email protected]
Information Security Specialists: Ned Goren, (301) 975-5233, [email protected]; Jody Jacobs, (301) 975-4728, [email protected]
Comments: [email protected] (goes to all of the above)
Web: csrc.nist.gov/sec-cert