Chapter 7

Key Positions and Roles

Abstract

This chapter defines the key roles used in the RMF.

Keywords

definitions; RMF; risk executive (function); RMF roles; authorizing official; SISO; ISSO; ISSM; ISSE; information steward; information owner

Information in this Chapter:

• The key positions and roles defined by NIST and other members of the Joint Task Force Transformation Initiative

Chapter Overview and Key Learning Points

This chapter describes the thirteen key roles stated in NIST SP 800-37 that support fully implementing the RMF and ensure that information systems are developed and maintained in a secure manner in compliance with security and assurance requirements. Passages in this chapter are quoted from NIST SP 800-37 and explain in detail each of these essential roles as defined by NIST and the Joint Task Force.

Key Roles to Implement the RMF

The Joint Task Force spent an extraordinary amount of time defining each position and its importance to the organization; however, some confusion about these roles continues to exist. Following each description of a position is a paragraph or two further explaining the role from the perspective of the security engineer or information assurance professional working in the field.

Head of Agency (Chief Executive Officer)

The head of agency (or chief executive officer) is the highest-level senior official or executive within an organization with the overall responsibility to provide information security protections commensurate with the risk and magnitude of harm (i.e., impact) to organizational operations and assets, individuals, other organizations, and the Nation resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of: (i) information collected or maintained by or on behalf of the agency; and (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. Agency heads are also responsible for ensuring that: (i) information security management processes are integrated with strategic and operational planning processes; (ii) senior officials within the organization provide information security for the information and information systems that support the operations and assets under their control; and (iii) the organization has trained personnel sufficient to assist in complying with the information security requirements in related legislation, policies, directives, instructions, standards, and guidelines. Through the development and implementation of strong policies, the head of agency establishes the organizational commitment to information security and the actions required to effectively manage risk and protect the core missions and business functions being carried out by the organization. The head of agency establishes appropriate accountability for information security and provides active support and oversight of monitoring and improvement for the information security program. Senior leadership commitment to information security establishes a level of due diligence within the organization that promotes a climate for mission and business success.

In a nutshell, this person is the organization’s head, whether the title is director, secretary, or chief executive officer (CEO). For example, in the FBI this position is the director of the FBI; in the Army it is the secretary of the Army; in a commercial organization it is the CEO or president of the company. This individual is ultimately responsible for everything, good and bad, that happens in the organization, and as such is responsible for every facet of the RMF, regardless of how much of the day-to-day work is delegated to the positions that follow.

Risk Executive (Function)

The risk executive (function) is an individual or group within an organization that helps to ensure that: (i) risk-related considerations for individual information systems, to include authorization decisions, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its core missions and business functions; and (ii) managing information system-related security risks is consistent across the organization, reflects organizational risk tolerance, and is considered along with other types of risks in order to ensure mission/business success. The risk executive (function) coordinates with the senior leadership of an organization to:

• Provide a comprehensive, organization-wide, holistic approach for addressing risk—an approach that provides a greater understanding of the integrated operations of the organization;

• Develop a risk management strategy for the organization providing a strategic view of information security-related risks with regard to the organization as a whole;

• Facilitate the sharing of risk-related information among authorizing officials and other senior leaders within the organization;

• Provide oversight for all risk management-related activities across the organization (e.g., security categorizations) to help ensure consistent and effective risk acceptance decisions;

• Ensure that authorization decisions consider all factors necessary for mission and business success;

• Provide an organization-wide forum to consider all sources of risk (including aggregated risk) to organizational operations and assets, individuals, other organizations, and the nation;

• Promote cooperation and collaboration among authorizing officials to include authorization actions requiring shared responsibility;

• Ensure that the shared responsibility for supporting organizational mission/business functions using external providers of information and services receives the needed visibility and is elevated to the appropriate decision-making authorities; and

• Identify the organizational risk posture based on the aggregated risk to information from the operation and use of the information systems for which the organization is responsible.

The risk executive (function) presumes neither a specific organizational structure nor formal responsibility assigned to any one individual or group within the organization. The head of the agency/organization may choose to retain the risk executive (function) or to delegate the function to another official or group (e.g., an executive leadership council). The risk executive (function) has inherent U.S. Government authority and is assigned to government personnel only.

The risk executive (function) is a person or group—depending on the size of the organization—commonly a board, which has oversight of risk management and the risk picture for the entire organization. Typically, this function is assumed by a group or board composed of individuals with security and risk assessment experience in many domains of security, including information security, personnel security, and physical security as it pertains to the organization’s mission and business objectives. In addition to security professionals, many risk executive (function) boards may include other key organizational stakeholders such as budget, privacy, and document professionals, as well as members of the organization’s legal team. If this function is assumed by a single individual, it is important that he or she have extensive organizational risk assessment and management experience in the areas previously mentioned.

The risk executive reviews the authorization packages presented to the authorizing official and identifies systems or components that may change the overall organizational risk level. This is quite different from the past, when risk assessments were conducted at the system level and only the risk to the system itself was analyzed. In the method dictated by the RMF, the system’s risk impact on the organization as a whole is evaluated, and an updated risk assessment report (RAR) is presented to the authorizing official by the risk executive to support the authorization decision.

Chief Information Officer

The chief information officer is an organizational official responsible for: (i) designating a senior information security officer; (ii) developing and maintaining information security policies, procedures, and control techniques to address all applicable requirements; (iii) overseeing personnel with significant responsibilities for information security and ensuring that the personnel are adequately trained; (iv) assisting senior organizational officials concerning their security responsibilities; and (v) in coordination with other senior officials, reporting annually to the head of the federal agency on the overall effectiveness of the organization’s information security program, including progress of remedial actions. The chief information officer, with the support of the risk executive (function) and the senior information security officer, works closely with authorizing officials and their designated representatives to help ensure that:

• An organization-wide information security program is effectively implemented, resulting in adequate security for all organizational information systems and environments of operation for those systems;

• Information security considerations are integrated into programming/planning/budgeting cycles, enterprise architectures, and acquisition/system development life cycles;

• Information systems are covered by approved security plans and are authorized to operate;

• Information security-related activities required across the organization are accomplished in an efficient, cost-effective, and timely manner; and

• There is centralized reporting of appropriate information security-related activities.

The chief information officer and authorizing officials also determine, based on organizational priorities, the appropriate allocation of resources dedicated to the protection of the information systems supporting the organization's missions and business functions. For selected information systems, the chief information officer may be designated as an authorizing official or a co-authorizing official with other senior organizational officials. The role of chief information officer has inherent U.S. Government authority and is assigned to government personnel only.

The chief information officer (CIO) is a senior executive who normally reports to the agency head or CEO. The CIO’s scope of responsibility usually covers not only information systems but also information stored in other types of media, including paper documentation. This individual is often designated as the authorizing official for systems that affect the entire organization or are critical in purpose or scope. As noted in the NIST description, the CIO is responsible for developing and maintaining the organization’s information security policies and procedures and for appointing a senior information security officer; that appointee normally assumes the role of chief information security officer (CISO).

Information Owner/Steward

The information owner/steward is an organizational official with statutory, management, or operational authority for specified information and the responsibility for establishing the policies and procedures governing its generation, collection, processing, dissemination, and disposal. In information-sharing environments, the information owner/steward is responsible for establishing the rules for appropriate use and protection of the subject information (e.g., rules of behavior) and retains that responsibility even when the information is shared with or provided to other organizations. The owner/steward of the information processed, stored, or transmitted by an information system may or may not be the same as the system owner. A single information system may contain information from multiple information owners/stewards. Information owners/stewards provide input to information system owners regarding the security requirements and security controls for the systems where the information is processed, stored, or transmitted.

The information owner or information steward is the person responsible for maintaining specific information and assuring the security of its storage and processing. Normally the information steward is assigned to the organizational unit that collects or processes each specific information type. For example, the human resources director may be the information steward for organizational personnel information such as pay and benefits information. Based on this responsibility, it is important to include the information steward early in systems development and security planning.

Senior Information Security Officer

The senior information security officer is an organizational official responsible for: (i) carrying out the chief information officer security responsibilities under FISMA; and (ii) serving as the primary liaison for the chief information officer to the organization’s authorizing officials, information system owners, common control providers, and information system security officers. The senior information security officer: (i) possesses professional qualifications, including training and experience, required to administer the information security program functions; (ii) maintains information security duties as a primary responsibility; and (iii) heads an office with the mission and resources to assist the organization in achieving more secure information and information systems in accordance with the requirements in FISMA. The senior information security officer (or supporting staff members) may also serve as authorizing official designated representatives or security control assessors. The role of senior information security officer has inherent U.S. Government authority and is assigned to government personnel only.

The senior information security officer (SISO) is appointed by the CIO and is responsible for ensuring that the organization’s information security programs, including system authorizations using the RMF, are conducted completely and with due diligence. The SISO may be titled chief information security officer (CISO) in some organizations; the title does not change the basic duties of the position. In many organizations, the SISO/CISO also serves as a delegated authorizing official, making authorization decisions for systems that are not implemented organization-wide or are not deemed as critical as those requiring approval by the organization’s AO.

Authorizing Official

The authorizing official is a senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations and assets, individuals, other organizations, and the Nation. Authorizing officials typically have budgetary oversight for an information system or are responsible for the mission and/or business operations supported by the system. Through the security authorization process, authorizing officials are accountable for the security risks associated with information system operations. Accordingly, authorizing officials are in management positions with a level of authority commensurate with understanding and accepting such information system-related security risks. Authorizing officials also approve security plans, memorandums of agreement or understanding, and plans of action and milestones and determine whether significant changes in the information systems or environments of operation require reauthorization. Authorizing officials can deny authorization to operate an information system or if the system is operational, halt operations, if unacceptable risks exist. Authorizing officials coordinate their activities with the risk executive (function), chief information officer, senior information security officer, common control providers, information system owners, information system security officers, security control assessors, and other interested parties during the security authorization process. With the increasing complexity of missions/business processes, partnership arrangements, and the use of external/shared services, it is possible that a particular information system may involve multiple authorizing officials. If so, agreements are established among the authorizing officials and documented in the security plan. Authorizing officials are responsible for ensuring that all activities and functions associated with security authorization that are delegated to authorizing official designated representatives are carried out. The role of authorizing official has inherent U.S. Government authority and is assigned to government personnel only.

The authorizing official can be any organizational executive with budgetary control and oversight of an information system or set of common controls. In practice, however, AO responsibility is normally assigned to the CIO by the agency head or the CEO. As stated earlier, the CIO normally retains the AO role for organization-wide and critical systems and delegates responsibility for other systems to other agency executives, most notably the SISO/CISO.

Authorizing Official Designated Representative

The authorizing official designated representative is an organizational official that acts on behalf of an authorizing official to coordinate and conduct the required day-to-day activities associated with the security authorization process. Authorizing official designated representatives can be empowered by authorizing officials to make certain decisions with regard to the planning and resourcing of the security authorization process, approval of the security plan, approval and monitoring the implementation of plans of action and milestones, and the assessment and/or determination of risk. The designated representative may also be called upon to prepare the final authorization package, obtain the authorizing official’s signature on the authorization decision document, and transmit the authorization package to appropriate organizational officials. The only activity that cannot be delegated to the designated representative by the authorizing official is the authorization decision and signing of the associated authorization decision document (i.e., the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation).

The authorizing official designated representative works on behalf of the authorizing official in regard to the activities that relate to the development, planning, ongoing maintenance, and monitoring of the secure status of the information system or the security controls relating to the system. Regardless of title, these individuals’ duties are to ensure that the information systems or common controls, for which the AO they support is responsible, are operated and maintained in a secure manner and according to the AO’s direction.

Common Control Provider

The common control provider is an individual, group, or organization responsible for the development, implementation, assessment, and monitoring of common controls (i.e., security controls inherited by information systems). Common control providers are responsible for: (i) documenting the organization-identified common controls in a security plan (or equivalent document prescribed by the organization); (ii) ensuring that required assessments of common controls are carried out by qualified assessors with an appropriate level of independence defined by the organization; (iii) documenting assessment findings in a security assessment report; and (iv) producing a plan of action and milestones for all controls having weaknesses or deficiencies. Security plans, security assessment reports, and plans of action and milestones for common controls (or a summary of such information) are made available to information system owners inheriting those controls after the information is reviewed and approved by the senior official or executive with oversight responsibility for those controls.

Common control providers offer bundles of controls as a service to the organization and its information system owners. These controls are assessed, authorized, and monitored like any system; in many cases they come in related control packages that can be logically bundled. For example, the organization’s training department may manage the organization’s security awareness training program. In this instance, the organization can collect many of the security awareness training controls under an authorization package managed by the training organization and approved by the organization’s AO. These controls can then be offered to the organization’s system owners, relieving them of the task of implementing and maintaining them; the inheriting system owner still documents the inheritance in the system’s security plan and remains responsible for any system-specific portion of a hybrid control. As discussed later, correctly implementing common controls enables organizations to fully realize the cost savings of the RMF.

Information System Owner

The information system owner is an organizational official responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system. The information system owner is responsible for addressing the operational interests of the user community (i.e., users who require access to the information system to satisfy mission, business, or operational requirements) and for ensuring compliance with information security requirements. In coordination with the information system security officer, the information system owner is responsible for the development and maintenance of the security plan and ensures that the system is deployed and operated in accordance with the agreed-upon security controls. In coordination with the information owner/steward, the information system owner is also responsible for deciding who has access to the system (and with what types of privileges or access rights) and ensures that system users and support personnel receive the requisite security training (e.g., instruction in rules of behavior). Based on guidance from the authorizing official, the information system owner informs appropriate organizational officials of the need to conduct the security authorization, ensures that the necessary resources are available for the effort, and provides the required information system access, information, and documentation to the security control assessor. The information system owner receives the security assessment results from the security control assessor. After taking appropriate steps to reduce or eliminate vulnerabilities, the information system owner assembles the authorization package and submits the package to the authorizing official or the authorizing official designated representative for adjudication.

The information system owner is the individual or group that is responsible for developing, using, and maintaining the system. The owner is developing or has developed the system to solve a business or organizational problem, make data and information more available, or streamline processes. The owner maintains the system, including maintaining the continuous monitoring program, once the system achieves its authorization to operate (ATO).

Information System Security Officer

The information system security officer is an individual responsible for ensuring that the appropriate operational security posture is maintained for an information system and as such, works in close collaboration with the information system owner. The information system security officer also serves as a principal advisor on all matters, technical and otherwise, involving the security of an information system. The information system security officer has the detailed knowledge and expertise required to manage the security aspects of an information system and, in many organizations, is assigned responsibility for the day-to-day security operations of a system. This responsibility may also include, but is not limited to, physical and environmental protection, personnel security, incident handling, and security training and awareness. The information system security officer may be called upon to assist in the development of the security policies and procedures and to ensure compliance with those policies and procedures. In close coordination with the information system owner, the information system security officer often plays an active role in the monitoring of a system and its environment of operation to include developing and updating the security plan, managing and controlling changes to the system, and assessing the security impact of those changes.

The information system security officer (ISSO), sometimes called the information assurance officer (IAO), is responsible for the ongoing security, assessment, and maintenance of the security controls required for the system or common control set. The ISSO works with other security and system professionals to ensure that the system is operated in a secure and compliant manner. The ISSO and system owner are jointly responsible for developing the system security plan (SSP) and many other security documents related to the system.

Information Security Architect

The information security architect is an individual, group, or organization responsible for ensuring that the information security requirements necessary to protect the organization’s core missions and business processes are adequately addressed in all aspects of enterprise architecture including reference models, segment and solution architectures, and the resulting information systems supporting those missions and business processes. The information security architect serves as the liaison between the enterprise architect and the information system security engineer and also coordinates with information system owners, common control providers, and information system security officers on the allocation of security controls as system-specific, hybrid, or common controls. In addition, information security architects, in close coordination with information system security officers, advise authorizing officials, chief information officers, senior information security officers, and the risk executive (function) on a range of security-related issues including, for example, establishing information system boundaries, assessing the severity of weaknesses and deficiencies in the information system, plans of action and milestones, risk mitigation approaches, security alerts, and potential adverse effects of identified vulnerabilities.

The information security architect works with the enterprise architects and system architects to ensure that the required security controls are built into the system from its inception, through planning and design, and into production. The information security architect also works with security professionals such as the ISSO, the information system security manager (ISSM), the information steward, and the information system owner, serving as a liaison and translator between each group to ensure that the required security controls are developed, implemented, and functioning correctly.

Information System Security Engineer

The information system security engineer is an individual, group, or organization responsible for conducting information system security engineering activities. Information system security engineering is a process that captures and refines information security requirements and ensures that the requirements are effectively integrated into information technology component products and information systems through purposeful security architecting, design, development, and configuration. Information system security engineers are an integral part of the development team (e.g., integrated project team) designing and developing organizational information systems or upgrading legacy systems. Information system security engineers employ best practices when implementing security controls within an information system including software engineering methodologies, system/security engineering principles, secure design, secure architecture, and secure coding techniques. System security engineers coordinate their security-related activities with information security architects, senior information security officers, information system owners, common control providers, and information system security officers.

Like the information security architect, the information system security engineer (ISSE) works with system developers and security professionals to ensure that security controls are implemented early in the SDLC. Unlike the architect, the engineer works more closely with the system developers and less with the enterprise architects. In this context, the ISSE works at the system or micro level while the architect works at the organizational, enterprise, or macro level.

Security Control Assessor

The security control assessor is an individual, group, or organization responsible for conducting a comprehensive assessment of the management, operational, and technical security controls employed within or inherited by an information system to determine the overall effectiveness of the controls (i.e., the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system). Security control assessors also provide an assessment of the severity of weaknesses or deficiencies discovered in the information system and its environment of operation and recommend corrective actions to address identified vulnerabilities. In addition to the above responsibilities, security control assessors prepare the final security assessment report containing the results and findings from the assessment. Prior to initiating the security control assessment, an assessor conducts an assessment of the security plan to help ensure that the plan provides a set of security controls for the information system that meet the stated security requirements.

The required level of assessor independence is determined by the specific conditions of the security control assessment. For example, when the assessment is conducted in support of an authorization decision or ongoing authorization, the authorizing official makes an explicit determination of the degree of independence required in accordance with federal policies, directives, standards, and guidelines. Assessor independence is an important factor in: (i) preserving the impartial and unbiased nature of the assessment process; (ii) determining the credibility of the security assessment results; and (iii) ensuring that the authorizing official receives the most objective information possible in order to make an informed, risk-based, authorization decision. The information system owner and common control provider rely on the security expertise and the technical judgment of the assessor to: (i) assess the security controls employed within and inherited by the information system using assessment procedures specified in the security assessment plan; and (ii) provide specific recommendations on how to correct weaknesses or deficiencies in the controls and address identified vulnerabilities.

The security control assessor (SCA) works as an individual or on a team of assessors that evaluates the information system’s implementation of the required controls to determine that they are in place and functioning correctly. These team members are often referred to as assessors, penetration testers, blue teams, or red teams but have more recently been titled security control assessors. Each of these titles refers to a security tester, but their scope and roles differ greatly: the SCA evaluates every required control against the assessment procedures in the security assessment plan, whereas penetration testers and red teams look for exploitable weaknesses in the operating system, so a penetration test may inform a control assessment but does not replace it. The primary role of an SCA is to determine that the system’s required controls are in place, functioning correctly, and protecting the system. The assessment individuals or teams assess and document the security state of the system’s required security controls at a specific point in time. This assessment is used to develop the security assessment report (SAR), which enables the system owner to develop the plan of action and milestones (POA&M). These two documents, along with the system security plan (SSP) and the risk assessment report (RAR), are used by the AO to make an authorization decision for the system or control set.
