Chapter 1

Introduction

Information in this Chapter:

• Book overview and key learning points

• Book audience

• Introduction to the risk management framework (RMF)

• How this book is organized

Book Overview and Key Learning Points

This book’s goal is to provide a basic understanding of the Risk Management Framework (RMF) as it pertains to the systems development life cycle (SDLC) of federal IT systems and to provide guidance on how to use this understanding during the development, assessment, and continuous monitoring of those systems. The book discusses the RMF process in terms of its six phases, which allows the reader to develop a full understanding of how each phase influences and leads to the next. The framework provides a structured, repeatable process that allows organizations to comply with a number of laws, regulations, and policies, including the Federal Information Security Management Act (FISMA).

The information provided in this book is culled from many divergent government documents, including laws, standards, regulations, and other forms of guidance, that support the overall IT security governance structure supporting federal IT systems. The book is designed to be used as a resource for experienced security and assurance professionals as well as to provide awareness and training for those security professionals who are new to the federal information security environment.

The risk management framework represents an evolution in the process of developing secure systems, validating them, and ultimately authorizing them to operate in a production environment. The RMF consolidates what used to be multiple security frameworks for multiple types of IT systems into a single security framework. Once fully implemented in an organization, the RMF enables faster and less expensive information system authorizations through a repeatable process that stresses early identification, engineering, inheritance, and implementation of required security controls. When a system is authorized under the RMF, the senior officials of the organization accept the risk that operating that system introduces to the organization as a whole. This change, from accepting risks as they affect a single system to accepting risks as they affect the overall organization, is driven by FISMA and has been guided by the National Institute of Standards and Technology (NIST) as part of the Joint Task Force Transformation Initiative. The mission of this task force was to create a unified framework and process for conducting risk evaluations and authorizations of systems, thus reducing the number of processes used to validate the security and compliance of systems and framing the risk of approving a system in the context of risk to the overall organization. The success of this group’s work is evident in the transition of the government away from several different processes, standards, guidance documents, and frameworks to the single RMF and its associated support documentation. By enhancing and tailoring the RMF only slightly, it has become possible for the entire federal government to use this single standard for all federal information systems, including those of the Department of Defense (DoD) and the intelligence community (IC), groups that in the past had separate and distinct processes for validating the security and compliance of a system and for accepting the risks of operating it.

Book Audience

Correctly implementing the RMF within the federal government requires input and deliverables from people in a number of different professions across a wide range of specialties. This book is designed to provide information to technical, administrative, and management professionals, and it approaches the RMF as it pertains to each of these types of reader.

Management professionals can use this information to track system development within the RMF, ensuring that systems are developed in compliance with regulatory requirements and security concerns. In every federal organization, members of senior management are now responsible for ensuring the security and compliance of information systems.

Administrative professionals, including the mission and business professionals associated with tier 2 of the organizational risk management program, can use their understanding of the RMF to develop more structured and overarching policies and programs. These can then be applied to individual systems as common controls, removing the need for individual system developers to provide the same controls by providing them once at a higher level in the organization. This is less costly than developing and managing multiple versions of the same programs and policies.

Technical professionals are required to develop and manage information systems that meet both federal compliance and security requirements. Understanding the RMF will help these individuals build, manage, and dispose of information systems in line with this guidance. By understanding the framework and the controls required for specific systems, technology professionals can ensure that security is built into systems early on in the SDLC rather than added to them as an afterthought. This creates a more secure system and reduces the cost of securing the system and maintaining regulatory compliance.

The Risk Management Framework (RMF)

The risk management framework, or RMF, was developed by NIST and is defined in NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems. This publication details the six-phase process that allows federal IT systems to be designed, developed, maintained, and decommissioned in a secure, compliant, and cost-effective manner. The framework provides cost savings by promoting reuse, reciprocity of information system authorizations, and inheritance of common controls that the organization has already authorized and approved. The requirement for continuous monitoring is a significant improvement over the older four-phase certification and accreditation (C&A) process, which looked at a system only at a single point in time. The more structured and robust RMF process increases compliance and security by requiring near-real-time monitoring of the IT system over its entire lifetime. Figure 1-1 illustrates the phases of the old C&A process and the phases of the new RMF process.

Figure 1-1 Phases of the four-phase C&A process and the six-phase RMF process

Why This Book Is Different

Some books describe how the RMF is structured and provide general examples of the documents, processes, and procedures required at each phase. This book not only covers these basics but also walks the reader through each phase of the RMF using the example of an information system being developed in a fictitious national organization. This gives practical insight into how the RMF can best be used to secure systems, ensure compliance, and increase efficiency. Following the development of one organizational system through the book gives the reader a clear understanding of how each phase links to the next, the inputs and outputs each phase needs, and the references each phase requires. Key points from each phase are reinforced and highlighted. Diagrams, figures, and charts are simplified to provide a solid understanding of the material presented.

A Note about National Security Systems

While the RMF is used as the standard framework for approving an information system’s operational status, some phases differ for systems that have been identified as national security systems (NSS). These systems are normally operated by members of the IC or the DoD. NIST SP 800-59, Guideline for Identifying an Information System as a National Security System, outlines the process used to make that determination and should be consulted to decide whether or not a system is an NSS. Throughout the six phases of the RMF as explained in this book, it is assumed that the systems being processed through the RMF are not NSS. The differences in authorizing NSS are covered in greater detail later in the book.

Book Organization

This book is divided into two parts, each of which focuses on different components that support the understanding and use of the Risk Management Framework. Part I covers the basics of compliance, including the laws and regulations that mandate the use of security controls, procedures, and processes for federal IT systems under the RMF, as well as the processes and procedures that led to the development of the RMF. Also covered are the history of certification and accreditation, its evolution into the RMF, and the integration of the RMF into the SDLC for federal IT systems. Readers familiar with these information security topics may want to begin with Part II and use Part I as a reference.

Chapter 2, Laws, Regulations, and Guidance, provides a high-level overview of the laws and regulations that have been enacted to ensure that federal systems maintain the proper security profile and compliance status for protecting federal government information and information systems. It covers FISMA and FISMA2, the Paperwork Reduction Act of 1995, the Clinger-Cohen Act, and the requirements set forth by the Office of Management and Budget (OMB). This chapter also introduces the role of NIST with respect to these laws and requirements. The chapter closes by identifying the systems that must comply with these laws and regulations, as well as those systems that may be exempt from full compliance or may have different requirements to follow.

One of the major benefits of the RMF is that it ensures risk is addressed at the organizational level. Only by understanding organizational risk at this level can new systems be evaluated to ensure that they do not introduce unnecessary risk to the organization as a whole. The risk executive (function), a position that is fully explained in Chapter 7, Key Positions and Roles, is highlighted in Chapter 3, Integrated Organization-Wide Risk Management, as is the basic process for evaluating the information, physical, and personnel security risks introduced by a new system implementation. Organizational risk assessments are key tools that authorizing officials (AO) use to reach an authorization decision for new information systems.

The Joint Task Force Transformation Initiative (JTF TI) is introduced in Chapter 4. This task force is responsible for expanding the RMF into new areas of the federal government, which reduces unneeded duplication of effort and establishes a single framework standard. This chapter explains how the JTF TI expanded the RMF into the IC and is expanding it into the DoD.

Understanding the systems development life cycle is crucial to understanding how the RMF is aligned with and supports the SDLC. Chapter 5, The Systems Development Life Cycle (SDLC), explains the five phases of the SDLC as defined by NIST (initiation, development/acquisition, implementation/assessment, operation and maintenance, and disposal) and how they map to the phases of the RMF. The chapter concludes by explaining how system developers use this process to ensure that development is conducted according to the project plan and is consistent with user requirements.

Chapter 6, Transition from the Four-Phase Certification and Accreditation Cycle, covers this outdated life cycle. The C&A process, which the RMF replaced, evaluated the security and compliance of an information system only at a single point in time.

Chapter 7, Key Positions and Roles, defines the key positions required to successfully implement the RMF. Each position is clearly defined and its responsibilities are delineated and explained. The positions run the gamut from senior executive staff to the hands-on technical experts and administrators who ensure that systems are developed correctly and securely.

Part II delves deeper into the phases of the RMF itself, with each of the six phases covered in detail in its own chapter. Part II also introduces the Department of Social Media (DSM), the fictional organization used for the exercises in this book. Part II concludes with a summary of the way ahead for the RMF, including proposed changes that expand its use throughout the DoD and the IC.

Chapter 8, Lab Organization, introduces the fictitious Department of Social Media (DSM). This organization is used to demonstrate the effective implementation of each phase of the RMF. The chapter explains the mission of the DSM and the organizational chart that defines the leadership and program management teams. The organizational chart is intentionally limited to those positions that normally participate in or provide input for one or more phases of the RMF. This chapter also introduces the system that is being developed, its sponsor, its mission, and the information that will be processed.

Chapter 9, Phase 1: System Categorization, discusses the first phase of the RMF, with a focus on categorizing the information system by investigating the information types that the system is being developed to support. This includes identifying the information that will be processed, stored, and transmitted by the information system in support of the organization’s business/mission objectives. An impact analysis of the organizational mission and the proposed information system is a critical component in determining the system’s categorization, and categorization in turn drives every later phase of the RMF. An organization must have a good understanding of its mission as stated in executive orders, laws, statutes, and governance in order to categorize a system properly.

Chapter 10, Phase 2: Control Selection, addresses the second phase of the RMF, which determines the initial set of baseline controls that will be used to secure the system. The initial control set is derived from the categorization of the system and the types of information processed, stored, transmitted, or displayed by the system. During this phase, the control set is tailored to remove controls that do not apply and to add needed controls that are not in the baseline. The initial plan for continuous monitoring of the system is also developed during this phase. Evaluating that plan may show that the organization cannot support its requirements, in which case the organization must either accept the additional risk of a reduced monitoring plan or decide not to develop the system.

Chapter 11, Phase 3: Control Implementation, focuses on how the required controls are implemented by the information system and the organization, including how the security engineers plan to build the required security controls into the system. In this phase, the system developers determine the methods of meeting the control requirements and document these methods in the system’s security documentation, including the system security plan (SSP).

Chapter 12, Phase 4: Control Assessment, shows how independent security control assessors evaluate the system’s security controls to determine whether they are implemented correctly and are providing the necessary protection for the system. The chapter covers development and publication of the security test plan and the security assessment report. Finally, the chapter covers how the system owner can provide input to the security control assessor’s report and develop mitigation plans.

Chapter 13, Phase 5: System Authorization, discusses how the authorizing official reaches an authorization decision based on the risks that the system may introduce to the organization once it is placed into the organization’s operating environment. This is done by evaluating several documents, including the SSP, the Security Assessment Report (SAR), and the plan of action and milestones (POA&M), the last of which the system owner develops during this phase. The decision is based on risk to organizational operations and assets, individuals, other organizations, and the nation. If these risks are acceptable, the system is granted an authorization to operate (ATO). The AO may also deny operation of the system or grant an authorization with specific requirements and restrictions.

Chapter 14, Phase 6: Continuous Monitoring, discusses the final phase of the RMF, which focuses on assessing the effectiveness of the required security controls over the life of the system and on monitoring the system for changes. Monitoring includes updating the required documentation, assessing new risks introduced by changes to the system or its environment, and reporting the ongoing state of the system to the authorizing official. The authorizing official is responsible for using this information to determine whether or not the system continues to operate in a manner that provides sufficient security and protection for the organization.

Chapter 15, Future Planned Changes and Use with Other Compliance Requirements, focuses on how the RMF has proven to be an effective tool for correctly implementing, assessing, and monitoring the security and compliance controls that FISMA requires to maintain a system’s security. Other organizations have adopted the RMF as they have observed the framework’s effectiveness. Increased use of the RMF has prompted NIST to plan changes to future versions of the RMF and its supporting documents, changes intended to keep the framework useful for years to come.

While the RMF is designed to meet FISMA compliance requirements, it is by no means limited to that standard. Chapter 15 explains how the RMF can also be used to keep systems in compliance with other requirements, including the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), which builds on the FISMA compliance baseline, and the Federal Risk and Authorization Management Program (FedRAMP) requirements for cloud computing.

The book’s appendixes provide details that expand upon the topics covered in the book: suggested answers to the lab exercises that follow each phase of the RMF, definitions, acronym listings, tables of information, and template examples.

Appendix A provides answers to the exercises at the end of each chapter that covers a phase of the RMF (Chapters 9 through 14). Appendix B details the control classes and families. Each control family falls into one of three classes (operational, management, or technical) according to the general focus of the controls in that family. Appendix C provides tables that detail control requirements, attributes, and associations, including information for controls supporting federal information systems, IC information systems, HIPAA, and PCI DSS. Appendix D assists the security control assessor with defining the depth and coverage required for the assessment of each security control.

A list of common acronyms used in the book is included. There is also a glossary defining many of the common terms used in the Risk Management Framework.
