SlideShare uma empresa Scribd logo

DSS RMF Training.pptx

Transferir como PPTX, PDF
Muhammad Mazhar
Muhammad Mazhar

PCI - DSS

Tecnologia
1 de 39
1 Risk Management Framework (RMF) NIST SP 800 30 Defense Security Service May 2017
- 2 - • Review terminology/resources for RMF • Set expectations for completing documentation • Provide examples for discussion • Address Authorization requests via OBMS • Discuss Security Controls Assessor (SCA) Visit to the facility Goals of the Presentation
- 3 -  What is Risk Management Framework (RMF)? o A unified information security framework for the entire federal government that replaces legacy Certification and Accreditation (C&A) processes applied to information systems (ISs). o A key component of an organization’s information security program used in the overall management of organizational risk.  When will RMF replace C&A (Phased Implementation)? o RMF has already replaced C&A for Stand-Alone systems as of October 3, 2016. Multi-User Standalones (MUSA) and Single-User Standalones (SUSA) were required to execute the RMF process for any expiring C&A accreditations and new submittals. o The Transition date for Local Area Networks (LAN) and Wide Area Networks (WAN) is tentatively set for January 1, 2018. (You can submit RMF plans prior to the start date) RMF Basics
- 4 - Here is the way some people see things NIST SP-800-53r4 NIST SP-800-30 NIST SP-800-37 CNSSI-1253 Risk Assessment Report (RAR) System Assessment Report (SAR) SCAP Compliance Checker DISA STIGs DAAPM Terminology/Resources CDSE Training on RMF DOD 5220.22-M (NISPOM) SSP SSP Appendices ISSM Certification Statement DSS In Transition NIST SP 800-61 www.dss.mil/rmf Continuous Monitoring NIST SP 800-60 NIST SP 800-53A NIST SP-800-137
- 5 - Local Area Network, Wide Area Network or Interconnected System between August 1, 2016 – 28 February 2017 RMF Policy References
- 6 - Planning Guidance/Resources NIST SP-800-53 (rev 4)- Security and Privacy Controls for Federal Information Systems and Organizations, Dated April 2013 (with Jan 2015 updates) NIST SP-800-30 (rev 1)- Guide for Conducting Risk Assessments, dated September 2012 NIST SP-800-37 (rev 1) - Guide for Applying the Risk Management Framework to Federal Information Systems, dated February 2010 (with June 2014 updates) CNSSI-1253 Security Categorization and Control Selection for National Security Systems, Dated March 27, 2014 DAAPM- DSS Assessment and Authorization Process Manual, Dated August 24, 2016 Basic guidance for requesting the authorization of an information system for classified Government work. CDSE RMF Training- There are 7 courses that ISSMs are required to complete to get an Overall understanding of RMF (see “ISSM Required Online Training” in the DAAPM). NISPOM- DOD 5220.22-M, Dated February 2006 (with change 2 dated May 18, 2016) Basic starting point for cleared contractors to implement RMF (NISPOM 8-100.d) NIST SP 800-61 (rev 2)- Computer Security Incident Handling Guide, Dated August 2012 www.dss.mil/rmf- One stop website for many tools and templates needed for RMF NIST SP 800-60 (vol 1-2)- Guide for mapping information to categories, Dated August 2008
- 7 - Security Controls and Continuous Monitoring The RMF process will manage risk more effectively through the introduction of security controls and continuous monitoring of those controls. Resources to assist in the RMF Process Many additional resources can be found on the NIST website (www.nist.gov) National Industrial Security Program Operating Manual (NISPOM) NIST SP 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems NIST SP 800-137: Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations NIST SP 800-53A: Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans Committee on National Security Systems Instruction (CNSSI) 1253: Security Categorization and Control Selection for National Security Systems Purpose of Security Controls and Continuous Monitoring Benefits of Security Controls and Continuous Monitoring Assess security control effectiveness for an IS Document changes to the IS or its environment of operation Conduct security impact analyses of associated changes Report the security status of an IS Facilitate more efficient enterprise management of cybersecurity Increase security in the system development and acquisition processes Ensure compliance with national standards and reporting requirements
- 8 - RMF Process Stakeholders – New Terminology Old Term in the C&A Process New Term in the RMF Process Designated Approving Authority (DAA) Authorizing Official (AO) Regional Designated Approving Authority (RDAA) Regional Authorizing Official (RAO) Office of the Designated Approving Authority (ODAA) NISP Authorization Office (NAO) Information Systems Security Professional (ISSP) ISSP/Security Control Assessor (SCA) Customer, Government Contracting Activity (GCA) Information Owner (IO) Contractor Information System Owner (ISO) *Information Systems Security Manager (ISSM) ISSM *Information Systems Security Officer (ISSO) ISSO Many RMF stakeholder titles have been revised in the transition from C&A. The following table outlines former terms in the C&A process as well as the corresponding new terms in the RMF process. Both sets of terms will continue to be used during the transition to RMF. *Titles will remain the same in RMF.
- 9 - Connecting the Dots – What is Changing? What is staying the same? Process C&A RMF ODAA Business Management System (OBMS) Same Same System Security Plan (SSP) Template C&A Template RMF Template Categorization Basic, Med, High PLs Low, Mod, High Accessibility Certification Statement Same Same Risk Acknowledgement/Tailoring-out Risk Acknowledged Tailored-Out/Risk Acknowledgement MOU MOU MOU/ISA Standing-Up Like System Self- Certification Type Authorization Controls NISPOM Refs NIST Controls Approval to Process Accreditation Authorization
- 10 - Connecting the Dots – What is Changing? What is staying the same? Process C&A RMF OBMS File Designation Submit Artifacts within OBMS  SSP  Certification Statement  Profile  SSP  Certification Statement  Risk Assessment Report  POA&M  SSP Supporting Artifacts (appendices) SSP Security Package Submission and Certification Statement IS Profile Other Other Issues Related to Authorization Comments Form Accreditation Letter Comments form used to concur with categorization/controls Terms & Conditions in Authorization Letter
- 11 - RMF Process Walk Through: Introduction NISPAssessment & Authorization Life Cycle ISSM conducts self-assessment and updates the SSP to reflect the actual state of the IS. ISSP reviews submitted SSP and assesses the IS. 4. ASSESS Security Controls ISSM conducts risk assessment to determine system categorization (confidentiality, integrity, and availability). 1. CATEGORIZE Information System Starting Point ISSM continuously tracks and reports IS changes to the ISSP IAW the Continuous Monitoring Plan/Strategy. 6. MONITOR Security Controls 5. AUTHORIZE Information System AO determines risk. If acceptable, AO formally authorizes system to operate. ISSM implements security controls selected for the IS. 3. IMPLEMENT Security Controls 2. SELECT Security Controls ISSM selects security controls and applies tailoring and supplemental controls as needed based on risk assessment. ISSP reviews SSP and provides concurrence.
- 12 -  RMF Courses Introduction to RMF (CS124.16) Continuous Monitoring (CS200.16) Categorization of the System (CS102.16) Selecting Security Controls (CS103.16) Implementing Security Controls (CS104.16) Assessing Security Controls (CS105.16) Authorizing Systems (CS106.16) Monitoring Security Controls (CS107.16) CDSE Training Courses
- 13 - RMF Process Walk Through - STEP 1: Categorize the IS ISSM Actions:  Categorize the Information System (IS) based on the impact due to a loss of Confidentiality, Integrity, and Availability of the information that will be processed. (Note: The DSS SSP template is based on a Moderate Confidentiality, Low Integrity, and Low Availability Impact. Make sure you haven’t been contractually required to address different Impact Levels)  Perform a Risk/Threat Assessment and ensure a Risk Assessment Report (RAR) is completed. (Note: Seek information from all available sources (e.g., Government Customer/Information Owner, Program Managers, Local service risk/threat developed documents)  Document the system description, including the system/authorization boundary, in the System Security Plan.  Assign qualified personnel to RMF roles and document team member assignments in the SSP. Output(s): Risk Assessment Report, Initial System Security Plan Reference(s): NIST SP 800-30 rev 1, NIST SP 800-60, CNSSI 1253, DAAPM
- 14 -  What guide is used when conducting a Risk Assessment? o NIST 800-30 Rev 1, Guide for Conducting Risk Assessments  What is the purpose of the RAR? o Inform decision makers and support risk responses by identifying:  Relevant threats  Vulnerabilities both internal and external to the organization  Impact to the organization that may occur given the potential for threats exploiting vulnerabilities  Likelihood that harm will occur o The end result is a determination of risk. o The RAR will be used to “fine tune” security controls for the life of the system RMF Step 1 – Risk Assessment Report (RAR)
- 15 - RMF Step 1 – Risk Assessment Report (RAR)
- 16 - RMF Process Walk Through – Step 2-1 through 2-3: Selecting Security Controls ISSM Actions:  Select the security controls applicable to the IS. The selection is based upon the results of the categorization (which is impacted by the RAR). (Controls for Moderate/Low/Low impact are included in the DSS SSP Template)  Tailor the controls as needed by supplementing, modifying, or tailoring out controls to effectively manage risk for any unique system conditions.  Develop a strategy for continuous monitoring of security control effectiveness.  Document the security controls selection results in the SSP. Output(s): Initial System Security Plan Reference(s): NIST SP 800-53 rev 4, CNSSI 1253, DAAPM (appendix A, D)
- 17 - Security Controls Summary- NIST 112 10 58 82 50 34 48 56 26 22 22 116 86 13 15 10 50 16 826 Individual Controls from 18 “families” according to NIST SP-800-53r4
- 18 - Security Controls Summary- DSS Appendix D 57 7 30 31 25 24 7 28 11 17 11 51 22 9 12 8 21 15 386 Individual Controls from 18 “families” according to DAAPM- App-D
- 19 - Security Controls – Overlays (DAAPM, App D.)
- 20 - Control Selection Using Excel A Spreadsheet is available at www.dss.mil/rmf . This would need converted to a PDF for input into OBMS
- 21 - Now you are done selecting controls, but remember…
- 22 - RMF Process Walk Through – Step 2-4: Submit Security Controls/ Categorization NISPAssessment & Authorization Life Cycle ISSM conducts self-assessment and updates the SSP to reflect the actual state of the IS. ISSP reviews submitted SSP and assesses the IS. 4. ASSESS Security Controls ISSM conducts risk assessment to determine system categorization (confidentiality, integrity, and availability). 1. CATEGORIZE Information System Starting Point ISSM continuously tracks and reports IS changes to the ISSP IAW the Continuous Monitoring Plan/Strategy. 6. MONITOR Security Controls 5. AUTHORIZE Information System AO determines risk. If acceptable, AO formally authorizes system to operate. ISSM implements security controls selected for the IS. 3. IMPLEMENT Security Controls 2. SELECT Security Controls ISSM selects security controls and applies tailoring and supplemental controls as needed based on risk assessment. ISSP reviews SSP and provides concurrence. Risk Assessment Report (RAR) is complete Categorization is complete Control Selection is complete Now at this point….
- 23 - • Use OBMS to submit initial documents. • Submit the SSP in OBMS as the “SSP” • Submit the Risk Assessment Report (RAR) as the “IS Profile” • Submit a “blank” Certification Statement as the “Security Package Submission and Certification Statement” • Submit other necessary artifacts as “other” (Note: There is a “SSP appendices” document that can be used for things like the POA&M, DD-254, etc.) • Remember that all documents in OBMS must be .pdf RMF Process Walk Through – Step 2-4: ISSM Submits Step “2” work via OBMS
- 24 - RMF Process Walk Through – Step 2-4: DSS Response to Controls/Categorization ISSP/SCAActions:  Review the initial SSP and RAR to ensure it meets the necessary security requirements and effectively identifies potential risks to the IS. The ISSP/SCA also reviews the ISSM-recommended deltas from the standard baseline.  Documents concurrence or non-concurrence in the Categorization & Implementation Concurrence Form.  Categorization & Implementation Concurrence Form is returned to ISSM via OBMS. (Note: This is done with a new form, but the “comments” drop down is used in OBMS.) Output: DSS Categorization & Implementation Concurrence Form • The ISSP/SCA is focusing their review on the Categorization of the IS and the Selection of controls and will only comment on detailed supporting information if time permits.
- 25 - RMF Process Walk Through – Step 2-4: ISSM Response to DSS “step 2” review ISSM Actions:  If concurrence for both categorization and selection of initial baseline controls is issued, proceed to RMF Step 3.  If non-concurrence is issued, address outstanding issues documented in Categorization & Implementation Concurrence Form. Once issues are addressed, resubmit the RAR and initial SSP via OBMS. Output(s): Initial SSP with identified controls, Continuous Monitoring Strategy, RAR, and Categorization & Implementation Concurrence Form
- 26 - RMF Process Walk Through – Step 3: Implement Security Controls ISSM Actions:  Implement security controls as determined/documented in RMF Step 2.  Revise the SSP in order to document the security control implementation.  Start a Plan of Action and Milestones (as applicable).  Conduct an initial assessment to facilitate early identification of weaknesses and deficiencies.  Document (or update as necessary) the security control implementation in the SSP. Output: Updated SSP with a complete functional description of security control implementation. Reference(s): CNSSI 1253, NIST SP 800-53, and DAAPM (Appendix A & D)
- 27 - RMF Process Walk Through – Step 4: Assess Security Controls ISSM Actions:  Conduct an initial assessment of the effectiveness of the security controls in accordance with the security procedures defined in the SSP.  Utilize the Defense Information System Agency (DISA) vulnerability scanning tools (SCAP Compliance Checker and DISA STIG Viewer) and the DSS Technical Assessment Job Aids to support the initial assessment. If the IS cannot be assessed utilizing the specified scanning tools, please document the justification in the SSP.  Finalize the SSP to reflect the actual state of the security controls, as required, based on the vulnerabilities of the security control assessment, reassessment, and completion of any remediation actions taken.  Submit the final SSP, signed Certification Statement, RAR, POA&M, and supporting artifacts via OBMS. Artifact(s): Final SSP, singed Certification Statement, RAR, POA&M, and SSP Supporting Artifacts Reference(s): NIST SP 800-53A, DAAPM, www.dss.mil/rmf
- 28 - The following tools are helpful :  SCAP Content Checker (SCC)- This tool (developed for SPAWAR) allows you to compare your system configuration to a “defined” standard (typically called a “benchmark”).  DISA STIG Viewer- This is a DISA application used to view various “Security Technical Implementation Guide (STIG) content  DISA STIG Content • Complete Comprehensive STIG • Benchmarks • IAVMs- Information Assurance Vulnerability Management….i.e., Patching • STIG Checklists Output: Confirmation that controls have been properly implemented, Checklists, etc.. Reference(s): http://iase.disa.mil/stigs/Pages/index.aspx# NOTE: Some DISA Content is PKI encrypted which can present some difficulty for Contractors. RMF Process Walk Through – Step 4: Assess Security Controls- Assessment Tools
- 29 - The STIG Viewer is used to create a checklist of 300 Overall STIG Items RMF Process Walk Through – Step 4: Assessment Tools-Windows 7 Example The SCC can analyze 254 Windows 7 automated computer settings based on a Windows 7 STIG Benchmark (V1R31) Remaining 46 Items need to be manually assessed An IAVM STIG checklist can be generated to view 493 Vulnerabilities (as of 12-23-2016) to confirm Patch implementation XCCDF results file is created and imported into the overall checklist. Technical & Manual Checks
- 30 - RMF Process Walk Through – Step 4: Assessment Tools- STIG Viewer Sign up to get notified about STIG updates… A guide for the STIG viewer (Now at version 2.5.1) is located at….http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx
- 31 - RMF Process Walk Through – Step 4: Assessment Tools- SCC Tool
- 32 - RMF Process Walk Through – Step 4: Assessment Tools- STIG Checklist
- 33 - RMF Process Walk Through – Step 2-4: Submit Security Controls/ Categorization NISPAssessment & Authorization Life Cycle ISSM conducts self-assessment and updates the SSP to reflect the actual state of the IS. ISSP reviews submitted SSP and assesses the IS. 4. ASSESS Security Controls ISSM conducts risk assessment to determine system categorization (confidentiality, integrity, and availability). 1. CATEGORIZE Information System Starting Point ISSM continuously tracks and reports IS changes to the ISSP IAW the Continuous Monitoring Plan/Strategy. 6. MONITOR Security Controls 5. AUTHORIZE Information System AO determines risk. If acceptable, AO formally authorizes system to operate. ISSM implements security controls selected for the IS. 3. IMPLEMENT Security Controls 2. SELECT Security Controls ISSM selects security controls and applies tailoring and supplemental controls as needed based on risk assessment. ISSP reviews SSP and provides concurrence. Certification is ready for signature Final POA&M is complete Final SSP is complete Now at this point….
- 34 - RMF Process Walk Through – Step 4: Assess Security Controls ISSP/SCAActions:  Receives/Reviews the final SSP, Certification Statement, RAR, POA&M, and SSP Supporting Artifacts via OBMS.  If the SSP is acceptable and the documentation fully addresses all system security controls and security configurations, an on-site validation will be scheduled. Artifact(s): Final SSP, POA&M Reference(s): DAAPM, NIST SP 800-53A
- 35 - RMF Process Walk Through – Step 5: Authorize the IS ISSP/SCAActions:  Perform an on-site validation:  Assess the technical security controls and system configuration utilizing the DISA vulnerability scanning tools (SCAP Compliance Checker/DISA STIG Viewer).  Document any weaknesses and deficiencies within the Security Assessment Report.  Identify necessary remediation actions in the POA&M.  Prepares the System Assessment Report (SAR).  Completes Security Authorization Package which included a risk based recommendation  Submits Security Authorization Package to AO. AO Actions:  Assess the Security Authorization Package and issue an authorization decision. The authorization decision will be an Interim Authorization to Operate (IATO), Authorization to Operate (ATO), or Denial of Authorization to Operate (DATO). The authorization decision will include any terms and conditions of operation as well as the authorization termination date (ATD).  The Authorization Letter will be provided to the ISSM via OBMS. Artifact(s): System Assessment Report (SAR), Authorization Letter Reference(s): DAAPM
- 36 - RMF Process Walk Through – Step 6: Monitor the IS ISSM Actions:  Determine the security impact of proposed or actual changes to the IS and its operating environment and inform the ISSP/SCA as necessary.  Assess a selected subset of the security controls, based on the approved continuous monitoring strategy, and inform the ISSP/SCA of the results.  Update SSP documentation and work to satisfy POA&M requirements. Provide regular status reports to the ISSP/SCA per the continuous monitoring strategy.  Conduct any necessary remediation actions based on findings discovered during continuous monitoring.  Ensure IS security documentation is updated and maintained. Review the reported security status of the IS.  As necessary, develop and implement an IS decommissioning strategy. Artifact(s): Updated POA&M, Updated SSP, Status Reports, Decommissioning Strategy (as necessary), and Continuous Monitoring Strategy. Reference(s): DAAPM, NIST SP 800-137
- 37 -  RMF is a new process for both ISSPs and ISSMs. Success can only be achieved by becoming familiar with the DAAPM and utilizing all available resources. The DAAPM is the ultimate authority.  As with any new process, the first SSP submission will be the most challenging. After the first SSP submission is completed, the process will become more routine.  The DSS Risk Management Framework Information and Resources Web Page provides links to Policy/Guidance, Resources, Training, and Toolkits.  Helpful information can also be accessed at the RMF Knowledge Service Webpage (https://rmfks.osd.mil/login.htm). RMF Helpful Hints
- 38 - DSS RMF Information and Resources Web Page www.dss.mil/rmf
- 39 - Questions? Contact your local ISSP or visit http://www.dss.mil/rmf/.

Recomendados

Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)
Donald E. Hester
 
Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...
Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...
Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...
James W. De Rienzo
 
Guide to Risk Management Framework (RMF)
Guide to Risk Management Framework (RMF)Guide to Risk Management Framework (RMF)
Guide to Risk Management Framework (RMF)
MetroStar
 
ISO 27005:2022 Overview 221028.pdf
ISO 27005:2022 Overview 221028.pdfISO 27005:2022 Overview 221028.pdf
ISO 27005:2022 Overview 221028.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Understanding the NIST Risk Management Framework: 800-37 Rev. 2Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Denise Tawwab
 
ISO 27005 Risk Assessment
ISO 27005 Risk AssessmentISO 27005 Risk Assessment
ISO 27005 Risk Assessment
Smart Assessment
 
Effective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza AdinehEffective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza Adineh
ReZa AdineH
 
NIST presentation on RMF 2.0 / SP 800-37 rev. 2
NIST presentation on RMF 2.0 / SP 800-37 rev. 2NIST presentation on RMF 2.0 / SP 800-37 rev. 2
NIST presentation on RMF 2.0 / SP 800-37 rev. 2
NetLockSmith
 

Recomendados

Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)
Donald E. Hester
 
Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...
Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...
Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...
James W. De Rienzo
 
Guide to Risk Management Framework (RMF)
Guide to Risk Management Framework (RMF)Guide to Risk Management Framework (RMF)
Guide to Risk Management Framework (RMF)
MetroStar
 
ISO 27005:2022 Overview 221028.pdf
ISO 27005:2022 Overview 221028.pdfISO 27005:2022 Overview 221028.pdf
ISO 27005:2022 Overview 221028.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Understanding the NIST Risk Management Framework: 800-37 Rev. 2Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Denise Tawwab
 
ISO 27005 Risk Assessment
ISO 27005 Risk AssessmentISO 27005 Risk Assessment
ISO 27005 Risk Assessment
Smart Assessment
 
Effective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza AdinehEffective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza Adineh
ReZa AdineH
 
NIST presentation on RMF 2.0 / SP 800-37 rev. 2
NIST presentation on RMF 2.0 / SP 800-37 rev. 2NIST presentation on RMF 2.0 / SP 800-37 rev. 2
NIST presentation on RMF 2.0 / SP 800-37 rev. 2
NetLockSmith
 
NIST Risk Management Framework (RMF)
NIST Risk Management Framework (RMF)NIST Risk Management Framework (RMF)
NIST Risk Management Framework (RMF)
James W. De Rienzo
 
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
PECB
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecture
Priyanka Aash
 
Introduction to Cyber Resilience
Introduction to Cyber ResilienceIntroduction to Cyber Resilience
Introduction to Cyber Resilience
Peter Wood
 
Iso27001- Nashwan Mustafa
Iso27001- Nashwan MustafaIso27001- Nashwan Mustafa
Iso27001- Nashwan Mustafa
Fahmi Albaheth
 
ISO 27001 Implementation_Documentation_Mandatory_List
ISO 27001 Implementation_Documentation_Mandatory_ListISO 27001 Implementation_Documentation_Mandatory_List
ISO 27001 Implementation_Documentation_Mandatory_List
SriramITISConsultant
 
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to KnowCMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
PECB
 
Iso iec 27032 foundation - cybersecurity training course
Iso iec 27032 foundation - cybersecurity training courseIso iec 27032 foundation - cybersecurity training course
Iso iec 27032 foundation - cybersecurity training course
Mart Rovers
 
From NIST CSF 1.1 to 2.0.pdf
From NIST CSF 1.1 to 2.0.pdfFrom NIST CSF 1.1 to 2.0.pdf
From NIST CSF 1.1 to 2.0.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellence
Erik Taavila
 
Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032
PECB
 
VAPT Services by prime
VAPT Services by primeVAPT Services by prime
VAPT Services by prime
Prime Infoserv
 
RMF STEP 2: SELECT (NIST 800-53 Rev. 3 Controls, Enhancements and Supplementa...
RMF STEP 2: SELECT (NIST 800-53 Rev. 3 Controls, Enhancements and Supplementa...RMF STEP 2: SELECT (NIST 800-53 Rev. 3 Controls, Enhancements and Supplementa...
RMF STEP 2: SELECT (NIST 800-53 Rev. 3 Controls, Enhancements and Supplementa...
James W. De Rienzo
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
Sqrrl
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
PECB
 
Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)
Frances Coronel
 
Steps to iso 27001 implementation
Steps to iso 27001 implementationSteps to iso 27001 implementation
Steps to iso 27001 implementation
Ralf Braga
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSF
Digital Bond
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modelling
n|u - The Open Security Community
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
PECB
 
NIST Framework for Information System
NIST Framework for Information SystemNIST Framework for Information System
NIST Framework for Information System
newbie2019
 
SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...
SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...
SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...
akquinet enterprise solutions GmbH
 

Mais conteúdo relacionado

Mais procurados

CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
PECB
 
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to KnowCMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
PECB
 
Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032
PECB
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
PECB
 

Mais procurados (20)

NIST Risk Management Framework (RMF)
NIST Risk Management Framework (RMF)NIST Risk Management Framework (RMF)
NIST Risk Management Framework (RMF)
 
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecture
 
Introduction to Cyber Resilience
Introduction to Cyber ResilienceIntroduction to Cyber Resilience
Introduction to Cyber Resilience
 
Iso27001- Nashwan Mustafa
Iso27001- Nashwan MustafaIso27001- Nashwan Mustafa
Iso27001- Nashwan Mustafa
 
ISO 27001 Implementation_Documentation_Mandatory_List
ISO 27001 Implementation_Documentation_Mandatory_ListISO 27001 Implementation_Documentation_Mandatory_List
ISO 27001 Implementation_Documentation_Mandatory_List
 
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to KnowCMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
 
Iso iec 27032 foundation - cybersecurity training course
Iso iec 27032 foundation - cybersecurity training courseIso iec 27032 foundation - cybersecurity training course
Iso iec 27032 foundation - cybersecurity training course
 
From NIST CSF 1.1 to 2.0.pdf
From NIST CSF 1.1 to 2.0.pdfFrom NIST CSF 1.1 to 2.0.pdf
From NIST CSF 1.1 to 2.0.pdf
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellence
 
Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032
 
VAPT Services by prime
VAPT Services by primeVAPT Services by prime
VAPT Services by prime
 
RMF STEP 2: SELECT (NIST 800-53 Rev. 3 Controls, Enhancements and Supplementa...
RMF STEP 2: SELECT (NIST 800-53 Rev. 3 Controls, Enhancements and Supplementa...RMF STEP 2: SELECT (NIST 800-53 Rev. 3 Controls, Enhancements and Supplementa...
RMF STEP 2: SELECT (NIST 800-53 Rev. 3 Controls, Enhancements and Supplementa...
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
 
Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)
 
Steps to iso 27001 implementation
Steps to iso 27001 implementationSteps to iso 27001 implementation
Steps to iso 27001 implementation
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSF
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modelling
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
 

Semelhante a DSS RMF Training.pptx

SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...
SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...
SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...
akquinet enterprise solutions GmbH
 
Part 1 Major Events DocumentationScenario You visit a retail.docx
Part 1 Major Events DocumentationScenario You visit a retail.docxPart 1 Major Events DocumentationScenario You visit a retail.docx
Part 1 Major Events DocumentationScenario You visit a retail.docx
alisondakintxt
 
RiskWatch for Physical & Homeland Security™
RiskWatch for Physical & Homeland Security™RiskWatch for Physical & Homeland Security™
RiskWatch for Physical & Homeland Security™
CPaschal
 
NIST CSD Cybersecurity Publications 20160417
NIST CSD Cybersecurity Publications 20160417NIST CSD Cybersecurity Publications 20160417
NIST CSD Cybersecurity Publications 20160417
James W. De Rienzo
 
TEBO NDAGHA cyber resume
TEBO NDAGHA cyber resumeTEBO NDAGHA cyber resume
TEBO NDAGHA cyber resume
FRANKLINE TEBO
 
RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™
CPaschal
 
A Security Testing Methodology that Fits Every IT Budget
A Security Testing Methodology that Fits Every IT BudgetA Security Testing Methodology that Fits Every IT Budget
A Security Testing Methodology that Fits Every IT Budget
Rochester Security Summit
 
L4 RMF Phase 3 Select.pptx
L4 RMF Phase 3 Select.pptxL4 RMF Phase 3 Select.pptx
L4 RMF Phase 3 Select.pptx
StevenTharp2
 

Semelhante a DSS RMF Training.pptx (20)

NIST Framework for Information System
NIST Framework for Information SystemNIST Framework for Information System
NIST Framework for Information System
 
SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...
SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...
SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...
 
Part 1 Major Events DocumentationScenario You visit a retail.docx
Part 1 Major Events DocumentationScenario You visit a retail.docxPart 1 Major Events DocumentationScenario You visit a retail.docx
Part 1 Major Events DocumentationScenario You visit a retail.docx
 
RiskWatch for Physical & Homeland Security™
RiskWatch for Physical & Homeland Security™RiskWatch for Physical & Homeland Security™
RiskWatch for Physical & Homeland Security™
 
INFOSECFORCE Risk Management Framework Transition Plan
INFOSECFORCE Risk Management Framework Transition PlanINFOSECFORCE Risk Management Framework Transition Plan
INFOSECFORCE Risk Management Framework Transition Plan
 
Sap Security Assessment V3 English
Sap Security Assessment V3 EnglishSap Security Assessment V3 English
Sap Security Assessment V3 English
 
Ignyte assurance platform NIST RMF datasheet.
Ignyte assurance platform NIST RMF datasheet.Ignyte assurance platform NIST RMF datasheet.
Ignyte assurance platform NIST RMF datasheet.
 
NIST CSD Cybersecurity Publications 20160417
NIST CSD Cybersecurity Publications 20160417NIST CSD Cybersecurity Publications 20160417
NIST CSD Cybersecurity Publications 20160417
 
TEBO NDAGHA cyber resume
TEBO NDAGHA cyber resumeTEBO NDAGHA cyber resume
TEBO NDAGHA cyber resume
 
Continuous Monitoring: Monitoring Strategy – Part 2 of 3
Continuous Monitoring: Monitoring Strategy – Part 2 of 3Continuous Monitoring: Monitoring Strategy – Part 2 of 3
Continuous Monitoring: Monitoring Strategy – Part 2 of 3
 
RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™
 
Cybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy WorkshopCybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy Workshop
 
Resume_Santoro_Aug_2016
Resume_Santoro_Aug_2016Resume_Santoro_Aug_2016
Resume_Santoro_Aug_2016
 
5757912.ppt
5757912.ppt5757912.ppt
5757912.ppt
 
A Security Testing Methodology that Fits Every IT Budget
A Security Testing Methodology that Fits Every IT BudgetA Security Testing Methodology that Fits Every IT Budget
A Security Testing Methodology that Fits Every IT Budget
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 4: Life Cycle
Understanding the Risk Management Framework & (ISC)2 CAP Module 4: Life CycleUnderstanding the Risk Management Framework & (ISC)2 CAP Module 4: Life Cycle
Understanding the Risk Management Framework & (ISC)2 CAP Module 4: Life Cycle
 
Securing control systems v0.4
Securing control systems v0.4Securing control systems v0.4
Securing control systems v0.4
 
Corporate Cyber Program
Corporate Cyber ProgramCorporate Cyber Program
Corporate Cyber Program
 
Lecture 6 & 7.pdf
Lecture 6 & 7.pdfLecture 6 & 7.pdf
Lecture 6 & 7.pdf
 
L4 RMF Phase 3 Select.pptx
L4 RMF Phase 3 Select.pptxL4 RMF Phase 3 Select.pptx
L4 RMF Phase 3 Select.pptx
 

Mais de Muhammad Mazhar

Mais de Muhammad Mazhar (6)

Compliance & Auditing (UBL).pptx
Compliance & Auditing (UBL).pptxCompliance & Auditing (UBL).pptx
Compliance & Auditing (UBL).pptx
 
Reference_Template.pptx
Reference_Template.pptxReference_Template.pptx
Reference_Template.pptx
 
NISTSP80037rev2.pptx
NISTSP80037rev2.pptxNISTSP80037rev2.pptx
NISTSP80037rev2.pptx
 
Central Depository Committee of Pakistan.pptx
Central Depository Committee of Pakistan.pptxCentral Depository Committee of Pakistan.pptx
Central Depository Committee of Pakistan.pptx
 
NISTSP80037rev2-by Beruos.pptx
NISTSP80037rev2-by Beruos.pptxNISTSP80037rev2-by Beruos.pptx
NISTSP80037rev2-by Beruos.pptx
 
CDC (1).pptx
CDC (1).pptxCDC (1).pptx
CDC (1).pptx
 

Último

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Último (20)

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 

DSS RMF Training.pptx

  • 1. 1 Risk Management Framework (RMF) NIST SP 800 30 Defense Security Service May 2017
  • 2. - 2 - • Review terminology/resources for RMF • Set expectations for completing documentation • Provide examples for discussion • Address Authorization requests via OBMS • Discuss Security Controls Assessor (SCA) Visit to the facility Goals of the Presentation
  • 3. - 3 -  What is Risk Management Framework (RMF)? o A unified information security framework for the entire federal government that replaces legacy Certification and Accreditation (C&A) processes applied to information systems (ISs). o A key component of an organization’s information security program used in the overall management of organizational risk.  When will RMF replace C&A (Phased Implementation)? o RMF has already replaced C&A for Stand-Alone systems as of October 3, 2016. Multi-User Standalones (MUSA) and Single-User Standalones (SUSA) were required to execute the RMF process for any expiring C&A accreditations and new submittals. o The Transition date for Local Area Networks (LAN) and Wide Area Networks (WAN) is tentatively set for January 1, 2018. (You can submit RMF plans prior to the start date) RMF Basics
  • 4. - 4 - Here is the way some people see things NIST SP-800-53r4 NIST SP-800-30 NIST SP-800-37 CNSSI-1253 Risk Assessment Report (RAR) System Assessment Report (SAR) SCAP Compliance Checker DISA STIGs DAAPM Terminology/Resources CDSE Training on RMF DOD 5220.22-M (NISPOM) SSP SSP Appendices ISSM Certification Statement DSS In Transition NIST SP 800-61 www.dss.mil/rmf Continuous Monitoring NIST SP 800-60 NIST SP 800-53A NIST SP-800-137
  • 5. - 5 - Local Area Network, Wide Area Network or Interconnected System between August 1, 2016 – 28 February 2017 RMF Policy References
  • 6. - 6 - Planning Guidance/Resources NIST SP-800-53 (rev 4)- Security and Privacy Controls for Federal Information Systems and Organizations, Dated April 2013 (with Jan 2015 updates) NIST SP-800-30 (rev 1)- Guide for Conducting Risk Assessments, dated September 2012 NIST SP-800-37 (rev 1) - Guide for Applying the Risk Management Framework to Federal Information Systems, dated February 2010 (with June 2014 updates) CNSSI-1253 Security Categorization and Control Selection for National Security Systems, Dated March 27, 2014 DAAPM- DSS Assessment and Authorization Process Manual, Dated August 24, 2016 Basic guidance for requesting the authorization of an information system for classified Government work. CDSE RMF Training- There are 7 courses that ISSMs are required to complete to get an Overall understanding of RMF (see “ISSM Required Online Training” in the DAAPM). NISPOM- DOD 5220.22-M, Dated February 2006 (with change 2 dated May 18, 2016) Basic starting point for cleared contractors to implement RMF (NISPOM 8-100.d) NIST SP 800-61 (rev 2)- Computer Security Incident Handling Guide, Dated August 2012 www.dss.mil/rmf- One stop website for many tools and templates needed for RMF NIST SP 800-60 (vol 1-2)- Guide for mapping information to categories, Dated August 2008
  • 7. - 7 - Security Controls and Continuous Monitoring The RMF process will manage risk more effectively through the introduction of security controls and continuous monitoring of those controls. Resources to assist in the RMF Process Many additional resources can be found on the NIST website (www.nist.gov) National Industrial Security Program Operating Manual (NISPOM) NIST SP 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems NIST SP 800-137: Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations NIST SP 800-53A: Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans Committee on National Security Systems Instruction (CNSSI) 1253: Security Categorization and Control Selection for National Security Systems Purpose of Security Controls and Continuous Monitoring Benefits of Security Controls and Continuous Monitoring Assess security control effectiveness for an IS Document changes to the IS or its environment of operation Conduct security impact analyses of associated changes Report the security status of an IS Facilitate more efficient enterprise management of cybersecurity Increase security in the system development and acquisition processes Ensure compliance with national standards and reporting requirements
  • 8. - 8 - RMF Process Stakeholders – New Terminology Old Term in the C&A Process New Term in the RMF Process Designated Approving Authority (DAA) Authorizing Official (AO) Regional Designated Approving Authority (RDAA) Regional Authorizing Official (RAO) Office of the Designated Approving Authority (ODAA) NISP Authorization Office (NAO) Information Systems Security Professional (ISSP) ISSP/Security Control Assessor (SCA) Customer, Government Contracting Activity (GCA) Information Owner (IO) Contractor Information System Owner (ISO) *Information Systems Security Manager (ISSM) ISSM *Information Systems Security Officer (ISSO) ISSO Many RMF stakeholder titles have been revised in the transition from C&A. The following table outlines former terms in the C&A process as well as the corresponding new terms in the RMF process. Both sets of terms will continue to be used during the transition to RMF. *Titles will remain the same in RMF.
  • 9. - 9 - Connecting the Dots – What is Changing? What is staying the same? Process C&A RMF ODAA Business Management System (OBMS) Same Same System Security Plan (SSP) Template C&A Template RMF Template Categorization Basic, Med, High PLs Low, Mod, High Accessibility Certification Statement Same Same Risk Acknowledgement/Tailoring-out Risk Acknowledged Tailored-Out/Risk Acknowledgement MOU MOU MOU/ISA Standing-Up Like System Self- Certification Type Authorization Controls NISPOM Refs NIST Controls Approval to Process Accreditation Authorization
  • 10. - 10 - Connecting the Dots – What is Changing? What is staying the same? Process C&A RMF OBMS File Designation Submit Artifacts within OBMS  SSP  Certification Statement  Profile  SSP  Certification Statement  Risk Assessment Report  POA&M  SSP Supporting Artifacts (appendices) SSP Security Package Submission and Certification Statement IS Profile Other Other Issues Related to Authorization Comments Form Accreditation Letter Comments form used to concur with categorization/controls Terms & Conditions in Authorization Letter
  • 11. - 11 - RMF Process Walk Through: Introduction NISPAssessment & Authorization Life Cycle ISSM conducts self-assessment and updates the SSP to reflect the actual state of the IS. ISSP reviews submitted SSP and assesses the IS. 4. ASSESS Security Controls ISSM conducts risk assessment to determine system categorization (confidentiality, integrity, and availability). 1. CATEGORIZE Information System Starting Point ISSM continuously tracks and reports IS changes to the ISSP IAW the Continuous Monitoring Plan/Strategy. 6. MONITOR Security Controls 5. AUTHORIZE Information System AO determines risk. If acceptable, AO formally authorizes system to operate. ISSM implements security controls selected for the IS. 3. IMPLEMENT Security Controls 2. SELECT Security Controls ISSM selects security controls and applies tailoring and supplemental controls as needed based on risk assessment. ISSP reviews SSP and provides concurrence.
  • 12. - 12 -  RMF Courses Introduction to RMF (CS124.16) Continuous Monitoring (CS200.16) Categorization of the System (CS102.16) Selecting Security Controls (CS103.16) Implementing Security Controls (CS104.16) Assessing Security Controls (CS105.16) Authorizing Systems (CS106.16) Monitoring Security Controls (CS107.16) CDSE Training Courses
  • 13. - 13 - RMF Process Walk Through - STEP 1: Categorize the IS ISSM Actions:  Categorize the Information System (IS) based on the impact due to a loss of Confidentiality, Integrity, and Availability of the information that will be processed. (Note: The DSS SSP template is based on a Moderate Confidentiality, Low Integrity, and Low Availability Impact. Make sure you haven’t been contractually required to address different Impact Levels)  Perform a Risk/Threat Assessment and ensure a Risk Assessment Report (RAR) is completed. (Note: Seek information from all available sources (e.g., Government Customer/Information Owner, Program Managers, Local service risk/threat developed documents)  Document the system description, including the system/authorization boundary, in the System Security Plan.  Assign qualified personnel to RMF roles and document team member assignments in the SSP. Output(s): Risk Assessment Report, Initial System Security Plan Reference(s): NIST SP 800-30 rev 1, NIST SP 800-60, CNSSI 1253, DAAPM
  • 14. - 14 -  What guide is used when conducting a Risk Assessment? o NIST 800-30 Rev 1, Guide for Conducting Risk Assessments  What is the purpose of the RAR? o Inform decision makers and support risk responses by identifying:  Relevant threats  Vulnerabilities both internal and external to the organization  Impact to the organization that may occur given the potential for threats exploiting vulnerabilities  Likelihood that harm will occur o The end result is a determination of risk. o The RAR will be used to “fine tune” security controls for the life of the system RMF Step 1 – Risk Assessment Report (RAR)
  • 15. - 15 - RMF Step 1 – Risk Assessment Report (RAR)
  • 16. - 16 - RMF Process Walk Through – Step 2-1 through 2-3: Selecting Security Controls ISSM Actions:  Select the security controls applicable to the IS. The selection is based upon the results of the categorization (which is impacted by the RAR). (Controls for Moderate/Low/Low impact are included in the DSS SSP Template)  Tailor the controls as needed by supplementing, modifying, or tailoring out controls to effectively manage risk for any unique system conditions.  Develop a strategy for continuous monitoring of security control effectiveness.  Document the security controls selection results in the SSP. Output(s): Initial System Security Plan Reference(s): NIST SP 800-53 rev 4, CNSSI 1253, DAAPM (appendix A, D)
  • 17. - 17 - Security Controls Summary- NIST 112 10 58 82 50 34 48 56 26 22 22 116 86 13 15 10 50 16 826 Individual Controls from 18 “families” according to NIST SP-800-53r4
  • 18. - 18 - Security Controls Summary- DSS Appendix D 57 7 30 31 25 24 7 28 11 17 11 51 22 9 12 8 21 15 386 Individual Controls from 18 “families” according to DAAPM- App-D
  • 19. - 19 - Security Controls – Overlays (DAAPM, App D.)
  • 20. - 20 - Control Selection Using Excel A Spreadsheet is available at www.dss.mil/rmf . This would need converted to a PDF for input into OBMS
  • 21. - 21 - Now you are done selecting controls, but remember…
  • 22. - 22 - RMF Process Walk Through – Step 2-4: Submit Security Controls/ Categorization NISPAssessment & Authorization Life Cycle ISSM conducts self-assessment and updates the SSP to reflect the actual state of the IS. ISSP reviews submitted SSP and assesses the IS. 4. ASSESS Security Controls ISSM conducts risk assessment to determine system categorization (confidentiality, integrity, and availability). 1. CATEGORIZE Information System Starting Point ISSM continuously tracks and reports IS changes to the ISSP IAW the Continuous Monitoring Plan/Strategy. 6. MONITOR Security Controls 5. AUTHORIZE Information System AO determines risk. If acceptable, AO formally authorizes system to operate. ISSM implements security controls selected for the IS. 3. IMPLEMENT Security Controls 2. SELECT Security Controls ISSM selects security controls and applies tailoring and supplemental controls as needed based on risk assessment. ISSP reviews SSP and provides concurrence. Risk Assessment Report (RAR) is complete Categorization is complete Control Selection is complete Now at this point….
  • 23. - 23 - • Use OBMS to submit initial documents. • Submit the SSP in OBMS as the “SSP” • Submit the Risk Assessment Report (RAR) as the “IS Profile” • Submit a “blank” Certification Statement as the “Security Package Submission and Certification Statement” • Submit other necessary artifacts as “other” (Note: There is a “SSP appendices” document that can be used for things like the POA&M, DD-254, etc.) • Remember that all documents in OBMS must be .pdf RMF Process Walk Through – Step 2-4: ISSM Submits Step “2” work via OBMS
  • 24. - 24 - RMF Process Walk Through – Step 2-4: DSS Response to Controls/Categorization ISSP/SCAActions:  Review the initial SSP and RAR to ensure it meets the necessary security requirements and effectively identifies potential risks to the IS. The ISSP/SCA also reviews the ISSM-recommended deltas from the standard baseline.  Documents concurrence or non-concurrence in the Categorization & Implementation Concurrence Form.  Categorization & Implementation Concurrence Form is returned to ISSM via OBMS. (Note: This is done with a new form, but the “comments” drop down is used in OBMS.) Output: DSS Categorization & Implementation Concurrence Form • The ISSP/SCA is focusing their review on the Categorization of the IS and the Selection of controls and will only comment on detailed supporting information if time permits.
  • 25. - 25 - RMF Process Walk Through – Step 2-4: ISSM Response to DSS “step 2” review ISSM Actions:  If concurrence for both categorization and selection of initial baseline controls is issued, proceed to RMF Step 3.  If non-concurrence is issued, address outstanding issues documented in Categorization & Implementation Concurrence Form. Once issues are addressed, resubmit the RAR and initial SSP via OBMS. Output(s): Initial SSP with identified controls, Continuous Monitoring Strategy, RAR, and Categorization & Implementation Concurrence Form
  • 26. - 26 - RMF Process Walk Through – Step 3: Implement Security Controls ISSM Actions:  Implement security controls as determined/documented in RMF Step 2.  Revise the SSP in order to document the security control implementation.  Start a Plan of Action and Milestones (as applicable).  Conduct an initial assessment to facilitate early identification of weaknesses and deficiencies.  Document (or update as necessary) the security control implementation in the SSP. Output: Updated SSP with a complete functional description of security control implementation. Reference(s): CNSSI 1253, NIST SP 800-53, and DAAPM (Appendix A & D)
  • 27. - 27 - RMF Process Walk Through – Step 4: Assess Security Controls ISSM Actions:  Conduct an initial assessment of the effectiveness of the security controls in accordance with the security procedures defined in the SSP.  Utilize the Defense Information System Agency (DISA) vulnerability scanning tools (SCAP Compliance Checker and DISA STIG Viewer) and the DSS Technical Assessment Job Aids to support the initial assessment. If the IS cannot be assessed utilizing the specified scanning tools, please document the justification in the SSP.  Finalize the SSP to reflect the actual state of the security controls, as required, based on the vulnerabilities of the security control assessment, reassessment, and completion of any remediation actions taken.  Submit the final SSP, signed Certification Statement, RAR, POA&M, and supporting artifacts via OBMS. Artifact(s): Final SSP, singed Certification Statement, RAR, POA&M, and SSP Supporting Artifacts Reference(s): NIST SP 800-53A, DAAPM, www.dss.mil/rmf
  • 28. - 28 - The following tools are helpful :  SCAP Content Checker (SCC)- This tool (developed for SPAWAR) allows you to compare your system configuration to a “defined” standard (typically called a “benchmark”).  DISA STIG Viewer- This is a DISA application used to view various “Security Technical Implementation Guide (STIG) content  DISA STIG Content • Complete Comprehensive STIG • Benchmarks • IAVMs- Information Assurance Vulnerability Management….i.e., Patching • STIG Checklists Output: Confirmation that controls have been properly implemented, Checklists, etc.. Reference(s): http://iase.disa.mil/stigs/Pages/index.aspx# NOTE: Some DISA Content is PKI encrypted which can present some difficulty for Contractors. RMF Process Walk Through – Step 4: Assess Security Controls- Assessment Tools
  • 29. - 29 - The STIG Viewer is used to create a checklist of 300 Overall STIG Items RMF Process Walk Through – Step 4: Assessment Tools-Windows 7 Example The SCC can analyze 254 Windows 7 automated computer settings based on a Windows 7 STIG Benchmark (V1R31) Remaining 46 Items need to be manually assessed An IAVM STIG checklist can be generated to view 493 Vulnerabilities (as of 12-23-2016) to confirm Patch implementation XCCDF results file is created and imported into the overall checklist. Technical & Manual Checks
  • 30. - 30 - RMF Process Walk Through – Step 4: Assessment Tools- STIG Viewer Sign up to get notified about STIG updates… A guide for the STIG viewer (Now at version 2.5.1) is located at….http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx
  • 31. - 31 - RMF Process Walk Through – Step 4: Assessment Tools- SCC Tool
  • 32. - 32 - RMF Process Walk Through – Step 4: Assessment Tools- STIG Checklist
  • 33. - 33 - RMF Process Walk Through – Step 2-4: Submit Security Controls/ Categorization NISPAssessment & Authorization Life Cycle ISSM conducts self-assessment and updates the SSP to reflect the actual state of the IS. ISSP reviews submitted SSP and assesses the IS. 4. ASSESS Security Controls ISSM conducts risk assessment to determine system categorization (confidentiality, integrity, and availability). 1. CATEGORIZE Information System Starting Point ISSM continuously tracks and reports IS changes to the ISSP IAW the Continuous Monitoring Plan/Strategy. 6. MONITOR Security Controls 5. AUTHORIZE Information System AO determines risk. If acceptable, AO formally authorizes system to operate. ISSM implements security controls selected for the IS. 3. IMPLEMENT Security Controls 2. SELECT Security Controls ISSM selects security controls and applies tailoring and supplemental controls as needed based on risk assessment. ISSP reviews SSP and provides concurrence. Certification is ready for signature Final POA&M is complete Final SSP is complete Now at this point….
  • 34. - 34 - RMF Process Walk Through – Step 4: Assess Security Controls ISSP/SCAActions:  Receives/Reviews the final SSP, Certification Statement, RAR, POA&M, and SSP Supporting Artifacts via OBMS.  If the SSP is acceptable and the documentation fully addresses all system security controls and security configurations, an on-site validation will be scheduled. Artifact(s): Final SSP, POA&M Reference(s): DAAPM, NIST SP 800-53A
  • 35. - 35 - RMF Process Walk Through – Step 5: Authorize the IS ISSP/SCAActions:  Perform an on-site validation:  Assess the technical security controls and system configuration utilizing the DISA vulnerability scanning tools (SCAP Compliance Checker/DISA STIG Viewer).  Document any weaknesses and deficiencies within the Security Assessment Report.  Identify necessary remediation actions in the POA&M.  Prepares the System Assessment Report (SAR).  Completes Security Authorization Package which included a risk based recommendation  Submits Security Authorization Package to AO. AO Actions:  Assess the Security Authorization Package and issue an authorization decision. The authorization decision will be an Interim Authorization to Operate (IATO), Authorization to Operate (ATO), or Denial of Authorization to Operate (DATO). The authorization decision will include any terms and conditions of operation as well as the authorization termination date (ATD).  The Authorization Letter will be provided to the ISSM via OBMS. Artifact(s): System Assessment Report (SAR), Authorization Letter Reference(s): DAAPM
  • 36. - 36 - RMF Process Walk Through – Step 6: Monitor the IS ISSM Actions:  Determine the security impact of proposed or actual changes to the IS and its operating environment and inform the ISSP/SCA as necessary.  Assess a selected subset of the security controls, based on the approved continuous monitoring strategy, and inform the ISSP/SCA of the results.  Update SSP documentation and work to satisfy POA&M requirements. Provide regular status reports to the ISSP/SCA per the continuous monitoring strategy.  Conduct any necessary remediation actions based on findings discovered during continuous monitoring.  Ensure IS security documentation is updated and maintained. Review the reported security status of the IS.  As necessary, develop and implement an IS decommissioning strategy. Artifact(s): Updated POA&M, Updated SSP, Status Reports, Decommissioning Strategy (as necessary), and Continuous Monitoring Strategy. Reference(s): DAAPM, NIST SP 800-137
  • 37. - 37 -  RMF is a new process for both ISSPs and ISSMs. Success can only be achieved by becoming familiar with the DAAPM and utilizing all available resources. The DAAPM is the ultimate authority.  As with any new process, the first SSP submission will be the most challenging. After the first SSP submission is completed, the process will become more routine.  The DSS Risk Management Framework Information and Resources Web Page provides links to Policy/Guidance, Resources, Training, and Toolkits.  Helpful information can also be accessed at the RMF Knowledge Service Webpage (https://rmfks.osd.mil/login.htm). RMF Helpful Hints
  • 38. - 38 - DSS RMF Information and Resources Web Page www.dss.mil/rmf
  • 39. - 39 - Questions? Contact your local ISSP or visit http://www.dss.mil/rmf/.

Notas do Editor

  1. The amount of terminology and available reference material can sometimes feel overwhelming. This presentation will attempt to help put things in perspective.
  2. Remember that all files loaded into OBMS must be pdf files. Items in “red” are required by OBMS or the submitter will get an error
  3. The highlighted steps is where the most DSS involvement will be.
  4. You may be asked to coordinate a RAL with the Information Owner if items tailored out are not already included in the RAR.
  5. We are still in Step 2 of the RMF process and the ISSM has just completed the RAR, The system categorization, and the selection of controls (identified by the boxed area. The question is now how do you get that to DSS?
  6. ISSM are encouraged to use available tools to aid with their assessment of the implemented controls. These tools are not mandatory, but they will be used by the SCA during the onsite review.
  7. Here is an overall diagram related to the possible review of a Windows 7 computer. You can review the 278 technical settings either manually or in an automated fashion with the SCC and then evaluate the other items manually
  8. This STIG viewer can be used to view STIG content from many different areas. You can view Benchmarks, IAVMs, or overall STIG content.
  9. Here is an example of what the SCAP Compliance Checker (SCC) looks like. The tool can be used in conjunction with many different benchmarks. This can include benchmarks that relate to the Operating System software and various Application software.
  10. This is what a typical STIG checklist will look like and as you fill it out the chart in the upper left and the colors for completed items will help identify which items remain open.
  11. We are still in Step 2 of the RMF process and the ISSM has just completed the RAR, The system categorization, and the selection of controls (identified by the boxed area. The question is now how do you get that to DSS?