NIST presentation on RMF 2.0 / SP 800-37 rev. 2
1. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1
Kelley Dempsey
NIST IT Laboratory
Computer Security Division
NIST SP 800-37 Revision 2
Risk Management Framework for Information Systems and Organizations
A System Life Cycle Approach for Security and Privacy
(Final Public Draft)
Department of Commerce, October 2018
RISK MANAGEMENT FRAMEWORK (RMF) 2.0
2.
NIST/ITL/CSD Public Comment Process
All publications produced by CSD go through the public
comment process
Your voice will be heard!!
Receive notifications of newly posted drafts (and more) by
subscribing at http://csrc.nist.gov/publications/subscribe.html
There may be one or more drafts of a given publication
Drafts are published at
http://csrc.nist.gov/publications/PubsDrafts.html
Lengths of public comment periods vary
3.
Risk Management
“If we guard our toothbrushes
and diamonds with equal zeal, we will
lose fewer toothbrushes and more
diamonds.”
-McGeorge Bundy, National Security Advisor to U.S.
Presidents Kennedy and Johnson
4.
Risk can never be eliminated and so it must be
MANAGED!!
Managing risk doesn’t mean
fixing everything,
nor does it mean
not fixing anything…
Risk Management
is about
knowledge and understanding!
Graphic copied from: http://www.featurepics.com/online/Risk-1109124.aspx
5.
RMF Roles and Responsibilities
Senior Accountable Official for Risk Management
and Risk Executive (Function)
Senior Agency Official for Privacy
Authorizing Official (AO) and Designated Rep
Senior Information Security Officer
Common Control Provider
System Owner
Information Owner/Steward
System Security/Privacy Officer
Control Assessor
6.
SP 800-37 Rev 2 Timeline So Far
Federal interagency working group review during spring 2017
Extensive discussion sessions with OMB OIRA throughout
winter/spring 2017/2018
JTF Review
Initial Public Draft released 9 May 2018 with a six-week comment period
NIST adjudicated ~400 comments and developed FPD
OIRA review and approval
FPD released 2 October 2018
7.
SP 800-37 Rev 2 Final Timeline
Public comment period through 31 October 2018
https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/draft
NIST and OIRA adjudicate FPD public comments
NIST develops final publication
Review by JTF
Review and approval by OIRA
Final publication planned for December 2018*
*Publication date dependent on OMB OIRA review and approval
8.
RMF 2.0
Steps and the NIST publications that support each step:
PREPARE: SP 800-18, SP 800-30, SP 800-39, SP 800-160
CATEGORIZE: FIPS 199, SP 800-60, CUI Registry
SELECT: FIPS 200, SP 800-53
IMPLEMENT: many NIST publications
ASSESS: SP 800-53A
AUTHORIZE: SP 800-37
MONITOR: SP 800-137/137A, NISTIR 8011, NISTIR 8212 & Tool
9.
Authorization Boundaries (Section 2.5/App G)
Defines the scope of protection for systems (i.e., what is included with the system to be authorized with respect to information, components, people, etc.)
Includes system hardware, software, firmware, processes, and technologies needed to support organizational missions/business processes
May or may not include the environment of operation
Is established before system security categorization and the development of security plans
10.
Improvements in RMF 2.0
Addition of organization and system level
Prepare Step and associated tasks
Integrates privacy risk management
Integrates supply chain risk management
Expansion of Authorization options
Aligns RMF with CSF
Aligns RMF with security engineering
processes
11.
RMF 2.0 Task Outcomes
Task                        Outcomes
Task I-1                    Controls specified in the security and privacy plans are implemented.
CONTROL IMPLEMENTATION      [Cybersecurity Framework: PR.IP-1]
                            Systems security and privacy engineering methodologies are used to implement the controls in the system security and privacy plans.
                            [Cybersecurity Framework: PR.IP-2]
Task I-2                    The configuration baseline is established.
BASELINE CONFIGURATION      [Cybersecurity Framework: PR.IP-1]
                            The security and privacy plans are updated based on information obtained during the implementation of the controls.
                            [Cybersecurity Framework: Profile]
12.
RMF 2.0 Task Structure
RISK ASSESSMENT—ORGANIZATION
Task P-3 Assess organization-wide security and privacy risk and update the results on an ongoing
basis.
Potential Inputs: Risk management strategy; mission or business objectives; current threat
information; system-level risk assessment results; previous organization-level risk assessment
results; security- and privacy-related information from continuous monitoring; information
sharing agreements or memoranda of understanding.
Potential Outputs: Organization-level risk assessment results.
Primary Responsibility: Senior Accountable Official for Risk Management or Risk Executive
(Function); Senior Agency Information Security Officer; Senior Agency Official for Privacy.
Supporting Roles: Chief Information Officer; Mission or Business Owner; Authorizing Official or
Authorizing Official Designated Representative.
Discussion: Risk assessment at the organizational level is focused on risk to mission or business
objectives and leverages aggregated information from system-level risk…..
References: NIST SP 800-30; NIST SP 800-39 (Organization Level, Mission/Business Process
Level); NIST SP 800-161; NIST IR 8062.
New
13.
Privacy is Fully Integrated into RMF
In accordance with OMB Circular A-130
Privacy in the RMF addressed in section 2.3
Privacy called out in task text as appropriate
(e.g., Task P-3 is to assess security and
privacy risk)
Privacy-specific Inputs, Outputs, Roles, and
References specified as appropriate in tasks
Privacy-specific detail in task discussions
14.
RMF and CSF Alignment
Inputs and Outputs reference CSF as
applicable, e.g., CSF profile as potential
output from Task P-4
Task Outcome tables reference CSF
sections, categories, or sub-categories as
applicable
References for tasks list applicable CSF
sections
15.
Security Engineering and RMF Alignment
Task references list related 800-160 process as
applicable
Section 2.4 discusses system elements/enabling
systems and tasks focus on stakeholder
requirements
16.
Supply Chain and RMF Alignment
Discussion of Supply Chain Risk Management
(SCRM) within the RMF added in section 2.8
SCRM addressed in Task discussions as applicable
SCRM artifacts included in task Inputs and Outputs
as applicable
SCRM responsibilities noted in Appendix D
Supply chain risk is addressed as part of security risk
17.
Prepare Step: Organization Level
Task P-1: Identify and assign people to risk management roles
Task P-2: Establish an organization-wide risk management strategy
Task P-3: Assess organization-wide risk
Task P-4: Organization-wide tailored baselines (optional)
Task P-5: Common control identification
Task P-6: Prioritize within impact level (optional)
Task P-7: Organization-wide ISCM (information security continuous monitoring) strategy
18.
Prepare Step: System Level (1 of 2)
Task P-8: Identify missions/business functions and processes to be supported by the system
Task P-9: Identify system stakeholders
Task P-10: Identify assets that require protection
Task P-11: Determine authorization boundary
Task P-12: Identify information types
19.
Prepare Step: System Level (2 of 2)
Task P-13: Identify information lifecycle
Task P-14: Assess system-level risk
Task P-15: Define security and privacy requirements for system and environment
Task P-16: Determine placement within the enterprise architecture (EA)
Task P-17: System registration in accordance with organizational policy
20.
New/Revised Tasks in Existing Steps (1 of 2)
Categorize, Task C-2: Review and approve
categorization results and decision
Select, Task S-1: Allocate requirements
(expanded from identify common controls)
Select, Task S-3: Tailor selected controls
Select, Task S-4: Document planned
implementation details in plans
Implement, Task I-2: Document implementation
details different from planned (config baseline)
21.
New/Revised Tasks in Existing Steps (2 of 2)
Assess, Task A-1: Select appropriate assessor
Assess, Task A-6: POA&M (moved from Authorize)
Authorize, Task R-2: Risk analysis added to risk
determination by AO
Authorize, Task R-3: Respond to risk
Authorize, Task R-5: Report the authorization
decision and significant risk as required
22.
Authorization Options
Authorization to Operate
System Authorization (Traditional or Joint)
Type Authorization
Facility Authorization
Common Control Authorization
Authorization to Use
Denial of Authorization
Note: Ongoing authorization supplemental guidance
(June 2014) incorporated into Appendix F
23.
SP 800-53 Revision 5
Security and Privacy Controls for Information Systems and Organizations
As of October 2018
24.
800-53 Rev 5 Timeline So Far
Call for pre-comments spring 2016
Adjudicated ~3000 comments and coordinated with SMEs (Privacy, SCRM, ID Mgmt., Crypto, etc.)
Federal interagency working group baseline review during late winter/early spring 2017
Extensive discussion sessions with OMB OIRA throughout spring/summer 2017
IPD published 15 August 2017
Adjudicated ~2000 public comments as above
FPD currently under development
25.
800-53 Rev 5 Timeline for FPD and Final
Final Public Draft (FPD) next steps:
  Review by JTF
  Review and approval by OMB OIRA
  FPD publication planned for January 2019*
Final publication next steps:
  Adjudicate public comments on the FPD
  NIST develops final publication
  Reviews and approvals as above
  Final publication planned for Spring 2019*
*Publication date dependent on OMB OIRA review and approval
26.
800-53 Rev 5 Changes Summary (1 of 4)
Complete integration of privacy controls (removal of Appendix J, with an App J mapping provided in the FPD)
The two new Privacy Control families in the IPD are replaced by a single, different new Privacy Control family in the FPD
New Supply Chain control family in the FPD
Incorporated Program Management family into the main control set
Complete control set in Chapter 3
27.
800-53 Rev 5 Changes Summary (2 of 4)
Baselines and tailoring guidance will be placed in a new volume, SP 800-53B
Some changes to all baselines, mostly in accordance with suggestions from the working group
Revised/clarified/added control language and supplemental guidance
Streamlined front matter to focus only on the control set and how to use it
28.
800-53 Rev 5 Changes Summary (3 of 4)
Removed the lead-in entity ("The organization..." / "The information system...") from each control
  Focus on outcomes
  Align with security engineering
  Align with Cybersecurity Framework
  Retained entity info in a column in table (App ?)
Reduced the federal focus
  More usable and welcoming for all sectors
  More usable and applicable for all system types
  More usable for security engineering in all sectors
29.
800-53 Rev 5 Changes Summary (4 of 4)
Rearranged appendices
Removed priority codes
Keywords appendix added in the IPD is to be removed in the FPD and provided as supplemental material
Thorough scrub of:
  Related Controls
  References
  Glossary
  ISO 27001 Mapping
30.
Security Control Structure – Revision 5
AU-4 AUDIT LOG STORAGE CAPACITY
Control: Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements].
Discussion: Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability.
Related controls: AU-2, AU-5, AU-6, AU-7, AU-9, AU-11, AU-12, SI-4.
Control Enhancements:
(1) AUDIT LOG STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE
Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging.
Supplemental Guidance: This type of transfer, also known as off-loading, is a common process in systems with limited audit log storage capacity and thus supports availability of the audit logs. The initial audit log storage is used only in a transitory fashion until the system can communicate with the secondary or alternate system allocated to audit log storage, at which point the audit logs are transferred. This control enhancement is similar to AU-9(2) in that the audit logs are transferred to a different entity; however, the primary purpose of selecting AU-9(2) is to protect the confidentiality and integrity of audit records. Organizations can select either enhancement to obtain the dual benefit of increased audit log storage capacity and preserving the confidentiality, integrity, and availability of audit records and logs.
Related controls: None.
References: None.
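The AU-4(1) supplemental guidance above describes a concrete mechanism: local audit storage is transitory, records are transferred at an organization-defined frequency to an alternate store, and the local copy is only released once the transfer succeeds. The following Python simulation is an added example written for this page; it is not code from the slide deck or from NIST. It models that mechanism and shows what happens when the alternate store becomes unreachable: the local buffer fills, a warning fires at an assumed threshold, and records start to be dropped. The capacity of 8, the 75% warning level, the naming of the warning as AU-5(1) and all class and function names are assumptions for the demonstration.

```python
"""Added example (not NIST's code): AU-4 / AU-4(1) audit log capacity and off-loading.

A system keeps a bounded local audit store (AU-4) and transfers its records
to an alternate store (AU-4(1), off-loading). The local copy is transitory:
it is cleared only after the alternate store has accepted the batch.
When the alternate is unreachable, the local store fills; the warning and the
full-condition alert are the signals an AU-5 response would act on.
Capacity, warning fraction and the AU-5(1) label are assumptions for the demo.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class AuditRecord:
    seq: int
    event: str


class AlternateStore:
    """Stand-in for the separate system or media that receives off-loaded logs."""

    def __init__(self, reachable: bool = True) -> None:
        self.reachable = reachable
        self.records: List[AuditRecord] = []

    def receive(self, batch: List[AuditRecord]) -> None:
        if not self.reachable:
            raise ConnectionError("alternate audit store unreachable")
        self.records.extend(batch)


@dataclass
class LocalAuditStore:
    capacity: int                 # organization-defined local capacity (AU-4)
    alternate: AlternateStore
    warn_fraction: float = 0.75   # assumed organization-defined warning level (AU-5(1))
    buffer: List[AuditRecord] = field(default_factory=list)
    dropped: int = 0
    alerts: List[str] = field(default_factory=list)
    next_seq: int = 1

    def log(self, event: str) -> bool:
        """Append a record; returns False and records an alert when storage is full.

        Dropping is the simplest failure response. AU-5 lets the organization
        choose instead to overwrite the oldest records or halt the system.
        """
        if len(self.buffer) >= self.capacity:
            self.dropped += 1
            self.alerts.append("AU-5: local audit storage full, record dropped")
            return False
        self.buffer.append(AuditRecord(self.next_seq, event))
        self.next_seq += 1
        if len(self.buffer) >= self.capacity * self.warn_fraction:
            self.alerts.append(
                f"AU-5(1): local audit storage at {len(self.buffer)}/{self.capacity}")
        return True

    def offload(self) -> int:
        """AU-4(1): transfer buffered records to the alternate store.

        Returns the number transferred. Records stay local until the transfer
        succeeds, so nothing is lost while the alternate store is down.
        """
        if not self.buffer:
            return 0
        try:
            self.alternate.receive(list(self.buffer))
        except ConnectionError:
            return 0
        moved = len(self.buffer)
        self.buffer.clear()
        return moved


def run_scenario() -> dict:
    """Constructed scenario: off-load works, link drops, buffer fills, link recovers."""
    alternate = AlternateStore(reachable=True)
    local = LocalAuditStore(capacity=8, alternate=alternate)
    for i in range(5):
        local.log(f"login user{i}")
    first = local.offload()            # 5 records leave the box
    alternate.reachable = False        # off-load path goes down
    for i in range(10):
        local.log(f"privileged command {i}")   # 8 buffered, 2 dropped
    stuck = local.offload()            # 0: cannot transfer, buffer is kept
    alternate.reachable = True
    recovered = local.offload()        # the 8 buffered records are transferred
    return {
        "first_offload": first,
        "stuck": stuck,
        "recovered": recovered,
        "dropped": local.dropped,
        "remote_total": len(alternate.records),
        "warned": any(a.startswith("AU-5(1)") for a in local.alerts),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point the simulation makes is the one the guidance makes: off-loading only helps availability if the local capacity covers the longest outage of the transfer path at the chosen transfer frequency, and the warning threshold is what gives operators time to react before records are lost. In deployed systems the same roles are played by a log shipper with a disk-backed queue and a remote collector, and the capacity and frequency values are the assignments the control text leaves to the organization.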
31.
Security Controls are Technology Neutral
Security controls are intentionally not focused
on any specific technologies
Security control implementations &
assessment methods will likely vary based
on the technology to which the control is
being applied, e.g.:
Cloud-based systems
Mobile systems
Applications
Sensors
“IoT”
32.
800-53B Rev 5 Baselines
CNTL NO.  CONTROL NAME                                                  PRIVACY-RELATED  LOW            MODERATE                          HIGH
Access Control – AC
AC-1      Access Control Policy and Procedures                                           AC-1           AC-1                              AC-1
AC-2      Account Management                                                             AC-2           AC-2 (1) (2) (3) (4) (10) (13)    AC-2 (1) (2) (3) (4) (5) (10) (11) (12) (13)
AC-3      Access Enforcement                                                             AC-3           AC-3                              AC-3
AC-4      Information Flow Enforcement                                                   —              AC-4                              AC-4 (4)
AC-5      Separation of Duties                                                           —              AC-5                              AC-5
AC-6      Least Privilege                                                                AC-6 (7) (9)   AC-6 (1) (2) (5) (7) (9) (10)     AC-6 (1) (2) (3) (5) (7) (9) (10)
AC-7      Unsuccessful Logon Attempts                                                    AC-7           AC-7                              AC-7
AC-8      System Use Notification                                                        AC-8           AC-8                              AC-8
AC-9      Previous Logon (Access) Notification                                           —              —                                 —
AC-10     Concurrent Session Control                                                     —              —                                 AC-10
AC-11     Device Lock                                                                    —              AC-11 (1)                         AC-11 (1)
AC-12     Session Termination                                                            —              AC-12                             AC-12
AC-13     Withdrawn
AC-14     Permitted Actions without Identification or Authentication                    AC-14          AC-14                             AC-14
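The baseline table uses the compact notation "AC-6 (7) (9)" for a control plus selected enhancements, "—" for a control not in a baseline, and "Withdrawn" for a control removed from the catalog. Anyone building tailoring or SSP tooling has to turn that notation into explicit control and enhancement identifiers. The following Python is an added example written for this page, not NIST code or the 800-53B data set: it parses the AC rows shown on the slide (reproduced as constructed input data), checks the structural properties a tool should verify before trusting the table (each higher baseline contains the lower one, and no baseline selects a withdrawn control), and computes the delta a system picks up when its impact level rises. The pipe-separated input format, the function names, and the "AC-2(10)" identifier form are assumptions of the example.

```python
"""Added example (not NIST's code): parse the 800-53B baseline table excerpt and
derive what a tailoring tool needs from it: the set of controls and enhancements
in each baseline, the delta between impact levels, and a structural check that
each higher baseline contains the lower one and that withdrawn controls appear
in none. The data is constructed from the AC rows of the slide.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed from the slide's AC rows: id | LOW | MODERATE | HIGH ('-' = not selected)
BASELINE_EXCERPT = """\
AC-1|AC-1|AC-1|AC-1
AC-2|AC-2|AC-2 (1) (2) (3) (4) (10) (13)|AC-2 (1) (2) (3) (4) (5) (10) (11) (12) (13)
AC-3|AC-3|AC-3|AC-3
AC-4|-|AC-4|AC-4 (4)
AC-5|-|AC-5|AC-5
AC-6|AC-6 (7) (9)|AC-6 (1) (2) (5) (7) (9) (10)|AC-6 (1) (2) (3) (5) (7) (9) (10)
AC-7|AC-7|AC-7|AC-7
AC-8|AC-8|AC-8|AC-8
AC-9|-|-|-
AC-10|-|-|AC-10
AC-11|-|AC-11 (1)|AC-11 (1)
AC-12|-|AC-12|AC-12
AC-13|Withdrawn
AC-14|AC-14|AC-14|AC-14
"""

LEVELS = ("LOW", "MODERATE", "HIGH")
CELL_RE = re.compile(r"^([A-Z]{2}-\d+)((?:\s*\(\d+\))*)$")


def parse_cell(cell: str) -> Set[str]:
    """'AC-6 (7) (9)' -> {'AC-6', 'AC-6(7)', 'AC-6(9)'}; '-' or blank -> empty set."""
    cell = cell.strip()
    if cell in ("", "-", "\u2014"):          # '\u2014' is the dash used on the slide
        return set()
    m = CELL_RE.match(cell)
    if m is None:
        raise ValueError(f"unparseable baseline cell: {cell!r}")
    base = m.group(1)
    return {base} | {f"{base}({n})" for n in re.findall(r"\((\d+)\)", m.group(2))}


def parse_baselines(text: str) -> Tuple[Dict[str, Set[str]], Set[str]]:
    """Return ({level: set of ids}, set of withdrawn control ids)."""
    baselines: Dict[str, Set[str]] = {lvl: set() for lvl in LEVELS}
    withdrawn: Set[str] = set()
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) == 2 and cols[1].lower() == "withdrawn":
            withdrawn.add(cols[0])
            continue
        if len(cols) != 4:
            raise ValueError(f"expected id plus three baseline cells: {line!r}")
        for lvl, cell in zip(LEVELS, cols[1:]):
            baselines[lvl] |= parse_cell(cell)
    return baselines, withdrawn


def _sort_key(control_id: str) -> Tuple[int, ...]:
    # 'AC-2(10)' -> (2, 10); 'AC-2' -> (2,), so AC-2 < AC-2(1) < AC-2(10)
    return tuple(int(n) for n in re.findall(r"\d+", control_id))


def check_baselines(baselines: Dict[str, Set[str]], withdrawn: Set[str]) -> List[str]:
    """Structural checks a tailoring tool should run before using the table."""
    problems: List[str] = []
    for lower, higher in zip(LEVELS, LEVELS[1:]):
        missing = baselines[lower] - baselines[higher]
        if missing:
            problems.append(f"{higher} lacks {lower} items: {sorted(missing, key=_sort_key)}")
    for lvl in LEVELS:
        bad = {c for c in baselines[lvl] if c.split("(")[0] in withdrawn}
        if bad:
            problems.append(f"{lvl} selects withdrawn controls: {sorted(bad)}")
    return problems


def delta(baselines: Dict[str, Set[str]], lower: str, higher: str) -> List[str]:
    """Controls and enhancements added when a system moves up from one impact level."""
    return sorted(baselines[higher] - baselines[lower], key=_sort_key)


if __name__ == "__main__":
    bl, wd = parse_baselines(BASELINE_EXCERPT)
    print("withdrawn:", sorted(wd))
    print("problems:", check_baselines(bl, wd))
    print("LOW -> MODERATE adds:", delta(bl, "LOW", "MODERATE"))
    print("MODERATE -> HIGH adds:", delta(bl, "MODERATE", "HIGH"))
```

The delta function is the useful output for tailoring: for this excerpt, moving from MODERATE to HIGH adds AC-2(5), AC-2(11), AC-2(12), AC-4(4), AC-6(3) and AC-10, which is exactly the list of new implementation and assessment work a system owner would need to plan for. The check runs over whatever rows are supplied, so it verifies the nesting of the baselines for the data at hand rather than assuming it.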
33.
800-53 Rev 5 Appendix Excerpt
ID       CONTROL NAME / CONTROL ENHANCEMENT NAME                  WITHDRAWN                   PRIVACY-RELATED  IMPLEMENTED BY  ASSURANCE
PL-1     Planning Policy and Procedures                                                       P                O               A
PL-2     Security and Privacy Plans                                                           P                O               A
PL-2(1)  Concept of operations                                    W  Incorporated into PL-7.
PL-2(2)  Functional architecture                                  W  Incorporated into PL-8.
PL-2(3)  Plan and coordinate with other organizational entities                               P                O               A
PL-3     System Security Plan Update                              W  Incorporated into PL-2.
PL-4     Rules of Behavior                                                                    P                O               A
PL-4(1)  Social media and networking restrictions                                                              O               A
PL-5     Privacy Impact Assessment                                W  Incorporated into RA-8.
PL-6     Security-Related Activity Planning                       W  Incorporated into PL-2.
PL-7     Concept of Operations                                                                P                O
PL-8     Security and Privacy Architectures                                                   P                O               A
PL-8(1)  Defense-in-depth                                                                                      O               A
PL-8(2)  Supplier diversity                                                                   P                O               A
PL-9     Central Management                                                                   P                O               A
PL-10    Baseline Selection                                                                                    O
PL-11    Baseline Tailoring                                                                                    O
Key: W = withdrawn; P = privacy-related; O = implemented by the organization; A = assurance control.
Note: Privacy-related controls and control enhancements are not allocated to baselines in this table. See XXX for control selection and implementation guidance.
34.
800-53 Rev 5 Privacy Integration
Privacy fully integrated throughout Rev 5
Privacy controls from App J and OMB A-130 privacy requirements incorporated into main control set
Privacy controls added in existing families
  Most in Program Management family
  Some in other families (SA, SI)
  “Sharing” existing controls
New privacy family: Processing Permissions (PP)
Privacy Appendix to include:
  Mappings to OMB requirements and controls from App J
  Summary tables
35.
800-53 Rev 5 FPD Control Families
ID  FAMILY                                   ID  FAMILY
AC  Access Control                           PE  Physical and Environmental Protection
AT  Awareness and Training                   PL  Planning
AU  Audit and Accountability                 PM  Program Management
CA  Security Assessment and Authorization    PP  Processing Permissions*
CM  Configuration Management                 PS  Personnel Security
CP  Contingency Planning                     RA  Risk Assessment
IA  Identification and Authentication        SA  System and Services Acquisition
IR  Incident Response                        SC  System & Communications Protection
MA  Maintenance                              SP  Supply Chain Protection*
MP  Media Protection                         SI  System and Information Integrity
*New families in Rev 5 FPD
36.
800-53 Update Automation Application
Purpose: Increase agility and reduce effort and angst due to significant change every 3-5 years
Web application operational immediately after R5 final
Provides workflows for:
  Customers to propose changes to all aspects of controls
  NIST staff to review proposals and push to SMEs if necessary
  Public comments on proposed changes
  Saving approved changes in a sandbox until next version
  JTF review, OIRA review/approval, Editorial Review Board
Versions:
  Minor (to include errata) – planned quarterly
  Major – planned annually
37.
Status of Other FISMA Publications
SP 800-18 Rev 2, Security Plan Guideline: In progress, IPD early CY 2019.
SP 800-47 Rev 1, Managing System Information Exchanges (working title):
In progress, IPD early CY 2019 (Current version title is Security Guide for
Interconnecting Information Technology Systems)
SP 800-60 Rev 2, Information Types Guideline: Partnering with NARA to
incorporate CUI - Temporarily on hold
SP 800-137A, Assessment Procedures for the ISCM Program: In progress,
IPD before end of CY 2018
NIST SP 800-160*, Systems Security Engineering: Volume 1 published November 2016; Volume 2 IPD on a Multidisciplinary Approach to SE published March 2018
NISTIR 8011*, Automation Support for Ongoing Assessment, Volumes 1 and
2: Final June 2017; Volume 3 in ERB/final to be published in next few weeks
NISTIR 8212 and Tool, ISCM Assessment: In Progress, IPD early CY 2019
* Multiple volumes planned
38.
Contact Information
Position                                              Name
Project Leader and NIST Fellow                        Dr. Ron Ross
Team Lead and Senior Information Security Specialist  Victoria Pillitteri
Senior Information Security Specialist                Kelley Dempsey
Information Security Specialists                      Ned Goren, Jody Jacobs
Administrative Support                                Jeff Brewer
Comments: sec-cert@nist.gov (goes to all of the above)
Web: csrc.nist.gov/sec-cert