1. Risk Management Framework
FITSP-M Module 3
Risk Management Framework
FITSP-M Module 3 - Risk Management Framework

2. Leadership
“…Through the process of risk management, leaders must consider risk to U.S. interests from adversaries using cyberspace to their advantage and from our own efforts to employ the global nature of cyberspace to achieve objectives in military, intelligence, and business operations… “
- The National Strategy For Cyberspace Operations
Office Of The Chairman, Joint Chiefs Of Staff, U.S. Department Of Defense
FITSP-M Module 3 - Risk Management Framework

3. FITSP-M Exam Module Objectives
Application Security
Contingency Planning
Data Security
Planning
Risk Assessment
Security Assessments and Authorization
FITSP-M Module 3 - Risk Management Framework

4. Risk Management Framework Overview
Section A: SP r1
Evolution of Risk Management
International and National Standards
Components of Risk Management
Section B: Risk Management Framework (RMF)
Characteristics of RMF
The Fundamentals of RMF
Section C: Roles & Responsibilities
Section D: Steps in the RMF Process
FITSP-M Module 3 - Risk Management Framework

5. Section A
SP r1 - Guide for Applying the Risk Management Framework to Federal Information Systems
FITSP-M Module 3 - Risk Management Framework

6. Evolution of Risk Management
SP updated Revision 1 From Guidelines for C&A of Federal Information Systems to Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
SP supersedes SP From Risk Management Guide for Information Technology Systems to Managing Information Security Risk Organization, Mission and Information System View
FITSP-M Module 3 - Risk Management Framework

7. Risk Management Approach
FITSP-M Module 3 - Risk Management Framework

8. Risk Management Redefined
FITSP-M Module 3 - Risk Management Framework

9. Harmonization of International and National Standards
ISO/IEC Risk management – Principles and guidelines
ISO/IEC Risk management – Risk assessment techniques
ISO/IEC Information technology – Security techniques – Information security management systems – Requirements
ISO/IEC Information technology – Security techniques – Information security risk management systems
FITSP-M Module 3 - Risk Management Framework

10. SP 800-37r1 – Risk Management Framework (RMF)
Section B
SP r1 – Risk Management Framework (RMF)
FITSP-M Module 3 - Risk Management Framework

11. Risk Management Framework and the SDLC
FITSP-M Module 3 - Risk Management Framework

12. Risk Management Framework
Traditional C&A
Risk Management Framework
Phase
Task
Subtask
Step
Initiation
1: Preparation.
Information System Description
1.2
Security Categorization
1.1
1.3
Information System Registration
Threat Identification
Vulnerability Identification
Security Control Identification
2.1
Common Control Identification
2.2
Security Control Selection
3.1
Security Control Implementation
3.2
Security Control Documentation
2.3
Monitoring Strategy
Initial Risk Determination
2: Notification
Notification
Planning And Resources
3: SSP Analysis, Update, And Acceptance.
Security Categorization Review
System Security Plan Analysis
System Security Plan Update
System Security Plan Acceptance
2.4
Security Plan Approval
FITSP-M Module 3 - Risk Management Framework

13. Risk Management Framework
Traditional C&A
Risk Management Framework
Phase
Task
Subtask
Step
Certification
4: Security Control Assessment
Documentation Supporting Materials
Methods And Procedures
4.1
Assessment Preparation
Security Assessment
4.2
Security Control Assessment
Security Assessment Report
4.3
5: Security Certification Documentation
Findings And Recommendations
4.4
Remediation Actions
System Security Plan Update
POAM Preparation
5.1
Plan of Action and Milestones
Accreditation Package Assembly
5.2
Security Authorization Package
Accreditation
6: Accreditation Decision
Final Risk Determination
5.3
Risk Determination
Risk Acceptability
5.4
Risk Acceptance
7: Security Accreditation Documentation
Security Accreditation Package Transmission
Continuous Monitoring
8: Configuration Management
Documentation Of Information System Changes
6.1
Information System and Environment Changes
Security Impact Analysis
9: Control Monitoring
Security Control Selection
2.3
Monitoring Strategy (sorta)
Selected Security Control Assessment
6.2
Ongoing Security Control Assessments
10: Status Reporting And Documentation
6.4
Key Updates
POAM Update
6.3
Ongoing Remediation Actions
Status Reporting
6.5
Security Status Reporting
 RMF 6.6
 Ongoing Risk Determination and Acceptance
 RMF 6.7
Information System Removal and Decommissioning
FITSP-M Module 3 - Risk Management Framework

14. FITSP-M Module 3 - Risk Management Framework

15. FITSP-M Module 3 - Risk Management Framework

16. FITSP-M Module 3 - Risk Management Framework

17. FITSP-M Module 3 - Risk Management Framework

18. FITSP-M Module 3 - Risk Management Framework

19. Fundamentals of RMF Integrated Organization-wide Risk Management
System Development Life Cycle
Information System Boundaries
Security Control Allocation
Roles & Responsibilities
FITSP-M Module 3 - Risk Management Framework

20. Integrated Organization-Wide Risk Management
FITSP-M Module 3 - Risk Management Framework

21. System Development Life Cycle
Phases of the SDLC
Initiation
Development/Acquisition
Implementation
Operation/Maintenance
Disposal
Security Requirements
Integrated Project Teams
Reusing Information
FITSP-M Module 3 - Risk Management Framework

22. Security Categorization
Step Task
RMF Task
Phase
SDLC
1.1
Security Categorization
Categorize
Initiation (concept/requirements definition)
1.2
Information System Description
1.3
Information System Registration
2.1
Common Control Identification
Select
2.2
Security Control Selection
2.3
Monitoring Strategy
2.4
Security Plan Approval
Development/Acquisition
3.1
Security Control Implementation
Implement
Implementation
3.2
Security Control Documentation
4.1
Assessment Preparation
Assess
4.2
Security Control Assessment
4.3
Security Assessment Report
4.4
Remediation Actions
FITSP-M Module 3 - Risk Management Framework

23. Plan of Action and Milestones
5.1
Plan of Action and Milestones
Authorize
Implementation
5.2
Security Authorization Package
5.3
Risk Determination
5.4
Risk Acceptance
6.1
System and Environment Changes
Monitor
Operation/Maintenance.
6.2
Ongoing Security Control Assessments
6.3
Ongoing Remediation Actions
6.4
Key Updates
6.5
Security Status Reporting
6.6
Ongoing Risk Determination and Acceptance
6.7
System Decommissioning
Disposal
FITSP-M Module 3 - Risk Management Framework

24. Knowledge Check Place the SDLC Phase within the appropriate RMF step
Which NIST special publication supersedes SP as the source for guidance on risk management?
What are the four components of the new Risk Management Model?
Give an example of Tier 1 risk.
Which phase of the SDLC should define security requirements?
Development/Acquisition
Implementation
Initiation
Disposal
Operation/Maintenance.
RMF 1 - Security Categorization
RMF 2 - Security Control Selection
RMF 3 - Security Control Implementation
RMF 4 - Security Control Assessment
RMF 5 - Security Authorization
RMF 6 - Security Control Monitoring
Place the SDLC Phase within the appropriate RMF step
FITSP-M Module 3 - Risk Management Framework

25. Information System Boundaries
Establishing Information System Boundaries
Boundaries for Complex Information Systems
Changing Technologies and the Effect on Information System Boundaries
FITSP-M Module 3 - Risk Management Framework

26. Changing Technologies Effect on Information System Boundaries
Dynamic Subsystems
Net-centric
Service-oriented Architecture
Cloud Computing
External Subsystems
Contractor Systems
Trust Relationships
FITSP-M Module 3 - Risk Management Framework

27. FedRAMP Federal Risk and Authorization Management Program
Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations
Increase confidence in security of cloud solutions
Achieve consistent security authorizations using a baseline set of agreed upon standards and accredited independent third party assessment organizations
Ensure consistent application of existing security practices Increase confidence in security assessments
Increase confidence in security assessments
Increase automation and near real-time data for continuous monitoring
FITSP-M Module 3 - Risk Management Framework

28. Security Control Allocation Options
System-specific
Common
Hybrid
Inherited
FITSP-M Module 3 - Risk Management Framework

29. Roles & Responsibilities
Section C
Roles & Responsibilities
FITSP-M Module 3 - Risk Management Framework

30. Organization-wide RM Strategy/ New Roles
Risk Executive (function)
Information Security Architect
Information System Security Engineer
FITSP-M Module 3 - Risk Management Framework

31. RMF Roles & Responsibilities
Head Of Agency (Chief Executive Officer)
Risk Executive (Function)
Chief Information Officer
Information Owner/Steward
Senior Information Security Officer
Authorizing Official
Authorizing Official Designated Representative
Common Control Provider
Information System Owner
Information System Security Officer
Information Security Architect
Information System Security Engineer
Security Control Assessor
FITSP-M Module 3 - Risk Management Framework

32. Head Of Agency (Chief Executive Officer)
Highest-level Senior Official
Overall Responsibility
Information & Information Systems
Security Integrated with Strategic and Operational Processes
Sufficiently Trained Personnel
Establishes Appropriate Accountability
Provides Active Support
Oversight of Monitoring
FITSP-M Module 3 - Risk Management Framework

33. Risk Executive (Function)
Ensures Risk-related Considerations are Organization-wide
Consistent Across Organization
Coordinates with Senior Leadership to:
Provide Comprehensive Approach
Develop a Risk Management Strategy
Facilitate Sharing of Risk Information
Provides Oversight
Provide Forum to Consider All Risk Sources
FITSP-M Module 3 - Risk Management Framework

34. Chief Information Officer
Designating Senior Information Security Officer
Information Security Policies
Ensuring Adequately Trained Personnel
Assisting Senior Officials with Their Security Responsibilities
Appropriate Allocation of Resources
FISMA Reporting
FITSP-M Module 3 - Risk Management Framework

35. Information Owner/Steward
Authority For Specified Information
May or May Not Be the Same as System Owner
Provide Input to Information System Owners
Rules of Behavior
Single System May Contain Information from Multiple Information Owners/Stewards
FITSP-M Module 3 - Risk Management Framework

36. Senior Information Security Officer
Carries Out the CIO FISMA Responsibilities
Primary Liaison for CIO to Organization’s Senior Officials
Possesses Professional Qualifications
Heads Office that Conducts FISMA Reporting
FITSP-M Module 3 - Risk Management Framework

37. Authorizing Official Formally Assumes Responsibility
Budgetary Oversight
Accountable for Security Risks
Senior Management Position
Approve Security Plans and Plan of Actions and Milestones (POAMs)
Information System May Involve Multiple Authorizing Officials
Authorizing Official Designated Representative
FITSP-M Module 3 - Risk Management Framework

38. Common Control Provider
Documenting Common Controls
Validating Required Control Assessments
Documenting Assessment Findings in SAR
Producing POAMs
FITSP-M Module 3 - Risk Management Framework

39. Information System Owner
Aka Program Manager
Focal Point for Information System (IS)
Responsible for IS throughout the SDLC
Addressing The Operational Interests of User Community
Ensuring Compliance with Information Security Requirements
SSP, Development and Maintenance
Deciding Who Has Access to System
Works with Assessor to Remediate Deficiencies
FITSP-M Module 3 - Risk Management Framework

40. Information System Security Officer
Ensures Appropriate Security Posture
Principal Advisor
Day-to-Day Security Operations
Environmental
Physical
Personnel
Incident Handling
Training and Awareness
Policies and Procedures
Active System Monitoring
FITSP-M Module 3 - Risk Management Framework

41. Information Security Architect
Security Requirements Adequately Addressed In Enterprise Architecture
Reference Models
Segment And Solution Architectures
Resulting Information Systems
Liaison Between The Enterprise Architect And Information System Security Engineer
Advisor to Senior Officials
System Boundaries
Assessing Severity of Deficiencies
POAMs
Risk Mitigation Approaches
Security Alerts
FITSP-M Module 3 - Risk Management Framework

42. Information System Security Engineer
Information System Security Engineering: A process that captures and refines information security requirements and ensures that the requirements are effectively integrated into information technology component products and information systems through purposeful security architecting, design, development, and
configuration.
Part of the Development Team
Employ Security Control Best Practices
Coordinate Security-related Activities
FITSP-M Module 3 - Risk Management Framework

43. Security Control Assessor
Conduct SSP Assessments
Conduct Control Assessments
Provide Assessment of Deficiencies
Recommend Corrective Action
Prepare SAR (Security Assessment Report)
Assessor Independence
Unbiased Assessment Process
Objective Information for Risk Determination
FITSP-M Module 3 - Risk Management Framework

44. Knowledge Check
What establishes the scope of protection for organizational information systems?
What is the difference between a dynamic subsystem and an external subsystem.
What program uses a “do once, use many times” framework that will save cost, time, and staff required to conduct redundant agency security assessments.
Which RMF role helps to ensure that risk-related considerations for individual information systems are viewed from an organization-wide perspective?
Which RMF role is responsible for ensuring that the information security requirements necessary to protect the organization’s core missions and business processes are adequately addressed in all aspects of enterprise architecture?
FITSP-M Module 3 - Risk Management Framework

45. Steps in the RMF Process
Section D
Steps in the RMF Process
FITSP-M Module 3 - Risk Management Framework

46. The Risk Management Process
Well-defined, Risk-related Tasks
Sequential
Iterative
Clearly Defined Roles
Tight Integration with SDLC
Milestone Checkpoints
Level of Effort
Importance/Criticality of a System
Categorization, The First Step…
FITSP-M Module 3 - Risk Management Framework

47. Steps of the RMF Step 1 – Categorize Information System
Step 2 – Select Security Controls
Step 3 – Implement Security Controls
Step 4 – Assess Security Controls
Step 5 – Authorize Information System
Step 6 – Monitor Security Controls
Gap Analysis
FITSP-M Module 3 - Risk Management Framework

48. Step 1 – Categorize Information System
Security Categorization
Information System Description
Information System Registration
FITSP-M Module 3 - Risk Management Framework

49. Step 2 – Select Security Controls
Common Control Identification
Security Control Selection
Monitoring Strategy
Security Plan Approval
FITSP-M Module 3 - Risk Management Framework

50. Step 3 – Implement Security Controls
Security Control Implementation
Security Control Documentation
Planned Inputs
Expected Behavior
Expected Outputs
FITSP-M Module 3 - Risk Management Framework

51. Step 4 – Assess Security Controls
Assessment Preparation
Security Control Assessment
Security Assessment Report
Remediation Actions
FITSP-M Module 3 - Risk Management Framework

52. Step 5 – Authorize Information System
Plan Of Action And Milestones
Security Authorization Package
Risk Determination
Risk Acceptance
FITSP-M Module 3 - Risk Management Framework

53. Step 6 – Monitor Security Controls
Information System And Environment Changes
Ongoing Security Control Assessments
Ongoing Remediation Actions
Key Updates
Security Status Reporting
Ongoing Risk Determination And Acceptance
Information System Removal And Decommissioning
FITSP-M Module 3 - Risk Management Framework

54. Risk Management Framework Key Concepts & Vocabulary
Section A: SP r1
Evolution of Risk Management
Harmonization of International and National Standards
Components of Risk Management
Multitiered Risk Management
Section B: Risk Management Framework (RMF)
Characteristics of RMF
The Fundamentals of RMF
Steps in the RMF Process
FITSP-M Module 3 - Risk Management Framework

55. Next Module: Gap Analysis
Questions?
Next Module: Gap Analysis
FITSP-M Module 3 - Risk Management Framework