
ISA 201 Intermediate Information Systems Acquisition


1 ISA 201 Intermediate Information Systems Acquisition

2 Lesson 8 Cybersecurity

LESSON INFORMATION
Lesson Point of Contact: Name: Tim Denman; Phone:
Read Ahead: None
Length of Presentation: Presentation (hours): 2.0; Exercise (hours): 1.0
ELO ID (use a comma to separate ELOs if more than one is addressed):
NOTE: Slide numbers are included as a general guideline only. As the lesson matures and changes, slides will change. Please refer to individual slides for specific ELOs.
ELO: Identify the basic concepts, threats, and best practices associated with cybersecurity in the DoD. SLIDES 4-14
ELO: Identify the policies and principles that support cybersecurity for DoD Information Technology (IT). SLIDES (include DiD)
ELO: Identify the major principles and components of the Risk Management Framework (RMF) for DoD Information Technology (IT). SLIDES 25-39
ELO: Identify the six steps of the Risk Management Framework (RMF) for DoD Information Technology (IT). SLIDES 40-44

Quiz Questions
Q1 - What are the 5 pillars of cybersecurity? (ELO )
A1 - Confidentiality, Integrity, Availability, Non-repudiation, Authentication
Q2 - Cybersecurity reciprocity does which of the following? (ELO )
A2 - Is best achieved through transparency
Q3 - Name the item that is NOT one of the steps in the Risk Management Framework (RMF). (ELO )
A3 - Assign mission assurance control (MAC) categories
Q4 - What are two areas that the DoD definition for cybersecurity stresses that were not stressed in the former definition of Information Assurance? (ELO )
A4 - Communications and Prevention
Q5 - True or False? Information resources must be trustworthy in order to achieve operational resilience. (ELO )
A5 - True

3 Today we will learn to:
• Identify the basic concepts, threats, and best practices associated with cybersecurity in the DoD.
• Identify the policies and principles that support cybersecurity for DoD Information Technology (IT).
• Identify the major principles and components of the Risk Management Framework (RMF) for DoD Information Technology (IT).
• Identify the six steps of the Risk Management Framework (RMF) for DoD Information Technology (IT).

SLIDE INFORMATION
Slide Type (Content or Exercise): Content
ELO ID (use a comma to separate ELOs if more than one is addressed): , , ,
Supporting ELOs ID:
ELO: Identify the basic concepts, threats, and best practices associated with cybersecurity in the DoD.
ELO: Identify the policies and principles that support cybersecurity for DoD Information Technology (IT).
ELO: Identify the major principles and components of the Risk Management Framework (RMF) for DoD Information Technology (IT).
ELO: Identify the six steps of the Risk Management Framework (RMF) for DoD Information Technology (IT).
Policy / Directive / Standard / DTM ID: DoDI ,
Key Points:
Key Questions to Ask and Anticipated Answers:
Terms, Definitions, and Acronyms (only for acronyms on a graphic): Cybersecurity

4 Cybersecurity Concepts
Lesson Plan
• Cybersecurity Concepts
• Cybersecurity in the DoD
• The Risk Management Framework (RMF) for DoD Information Technology (IT)
• RMF Steps
• Exercise

SLIDE INFORMATION
Slide Type: Content
ELO ID (use a comma to separate ELOs if more than one is addressed): , , ,
Supporting ELOs ID:
ELO: Identify the basic concepts, threats, and best practices associated with cybersecurity in the DoD.
ELO: Identify the policies and principles that support cybersecurity for DoD Information Technology (IT).
ELO: Identify the major principles and components of the Risk Management Framework (RMF) for DoD Information Technology (IT).
ELO: Identify the six steps of the Risk Management Framework (RMF) for DoD Information Technology (IT).
Policy / Directive / Standard / DTM ID: DoDI ,
Key Points: Overview slide only
Key Questions to Ask and Anticipated Answers: Overview slide only
Terms \ Definitions \ Acronyms:

5 What is Information Assurance/ Cybersecurity?
Information Assurance (IA)—Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. (Department of Defense Directive (DoDD) E, April 23, 2007)

Cybersecurity—Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation. (Department of Defense Instruction (DoDI) , March 14, 2014)

SLIDE INFORMATION
Slide Type (Content or Exercise): Content
ELO ID (use a comma to separate ELOs if more than one is addressed):
Supporting ELOs ID: ELO: Identify the basic concepts, threats, and best practices associated with cybersecurity in the DoD.
Policy / Directive / Standard / DTM ID: DoDI , DoDD E – superseded by DoDI
Key Points: Slide compares the old concept of IA to cybersecurity. Key words in the cybersecurity definition are prevention and communications. Two major changes in the new policy:
• Prevention: This can imply software assurance, supply chain risk management, and an overall proactive approach. Traditional IA (rightly or wrongly) came to be recognized as a reactionary approach, while cybersecurity is trying to stress being proactive.
• Communications: IA had to do with information and information systems, whereas cyber deals with communications. Communications can be via cell phone, computer, or even electronic devices like printers or alarm systems.
Key Questions to Ask and Anticipated Answers:
Q: Why the stress on prevention?
A: For security to work it must be proactive. Prevention in the sense of cybersecurity requires greater attention to supply chain risk management, software assurance, and cybersecurity throughout the program lifecycle.
Terms \ Definitions \ Acronyms:

6 5 Aspects (Pillars) of Cybersecurity
SLIDE INFORMATION
Slide Type (Content or Exercise): Content
ELO ID (use a comma to separate ELOs if more than one is addressed):
Supporting ELOs ID: ELO: Identify the basic concepts, threats, and best practices associated with cybersecurity in the DoD.
Policy / Directive / Standard / DTM ID: CNSSI 4009 – IA Glossary
Key Points:
• Slide highlights the 5 aspects of cybersecurity.
• Often only 3 aspects are considered (Confidentiality, Integrity, and Availability).
• RMF uses Confidentiality, Integrity, and Availability needs to categorize systems: High, Medium, and Low for each aspect.
Key Questions to Ask and Anticipated Answers:
Q: Which aspect is most often sacrificed in the DoD?
A: Availability. We often shut down a service or a software program instead of fixing it, and this sacrifices availability. When this happens, there are often work-arounds. Example: thumb drives; people use CDs or personal e-mail as a work-around.
Terms \ Definitions \ Acronyms: Definitions above taken from CNSS Instruction No. 4009, National Information Assurance Glossary, 26 April 2010

7 The Importance of Cybersecurity
We Depend on Communication Superiority for Combat Effectiveness
Cybersecurity Enables Communication Superiority in a Net-Centric Environment

SLIDE INFORMATION
Slide Type (Content or Exercise): Content
ELO ID (use a comma to separate ELOs if more than one is addressed):
Supporting ELOs ID: ELO: Identify the basic concepts, threats, and best practices associated with cybersecurity in the DoD.
Policy / Directive / Standard / DTM ID: DoDI ,
Key Points: If we don’t have information superiority, we lose our advantage. The best weapons in the world are useless, or dangerous to us, without communications.
Key Questions to Ask and Anticipated Answers:
Q: Do you more often think of cybersecurity as enabling or disabling? Why?
A: Let students answer.
Q: What is net centricity or net-centric operations?
A: Net-centric operations (NCO) is a theory which proposes that the application of information-age concepts to speed communications and increase situational awareness through networking improves both the efficiency and effectiveness of military operations.
Terms \ Definitions \ Acronyms: Supports ELO #1 – Define and Explain Cybersecurity, related terminology, and associated roles and responsibilities.
It should be stressed that cybersecurity’s job is to protect and enable the user. If either side gets out of balance, problems will arise. Unfortunately, people do not always view cybersecurity as an enabler of the user. Why? Generate discussion on why cybersecurity is important to DoD. May comment on the inclusion of cybersecurity as a component of the now required “Net-Ready” KPP. Cybersecurity has always been important, but in the “net-centric” environment its importance is greatly magnified.
The job of cybersecurity is to protect and enable the user.

8 Cyber: A National Vulnerability
“Current DoD actions, though numerous, are fragmented. Thus DoD is not prepared to defend against this threat.”
“DoD Red teams, using cyber attack tools which can be downloaded from the internet, are very successful at defeating our systems.”
“With present capabilities and technology it is not possible to defend with confidence against the most sophisticated cyber attacks.”
Source: DoD Defense Science Board Task Force Report: Resilient Military Systems and the Advanced Cyber Threat (January 2013)

“A cyber attack perpetrated by nation states or extremist groups could be as destructive as the terrorist attack on 9/11.” Leon E. Panetta, Former Secretary of Defense

“Cyber attack and cyber defense are here to stay. We as a nation are ill prepared for it, as is every other nation.” General Peter Pace, USMC (Ret), former Chairman of the Joint Chiefs of Staff

SLIDE INFORMATION
Slide Type (Content or Exercise): Content
ELO ID (use a comma to separate ELOs if more than one is addressed):
Supporting ELOs ID: ELO: Identify the basic concepts, threats, and best practices associated with cybersecurity in the DoD.
Policy / Directive / Standard / DTM ID: DoDI ,
Key Points: (See below)
Key Questions to Ask and Anticipated Answers:
Q: What are Red Teams?
A: Red Team – A group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. The Red Team’s objective is to improve enterprise Information Assurance by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders (i.e., the Blue Team) in an operational environment.
Blue Team – A group of individuals that conduct operational network vulnerability evaluations and provide mitigation techniques to customers who have a need for an independent technical review of their network security posture. The Blue Team identifies security threats and risks in the operating environment and, in cooperation with the customer, analyzes the network environment and its current state of security readiness. Based on the Blue Team findings and expertise, they provide recommendations that integrate into an overall community security solution to increase the customer’s cybersecurity readiness posture. Oftentimes a Blue Team is employed by itself or prior to a Red Team employment to ensure that the customer’s networks are as secure as possible before having the Red Team test the systems.
Terms \ Definitions \ Acronyms: Supports ELO #1 – Define and Explain Cybersecurity, related terminology, and associated roles and responsibilities.

Expanded quote from Mrs. McFarland: The Department must do a better job implementing Information Assurance (IA)* within acquisition systems …….. The current IA requirements processes have not been adequately integrated into DoD acquisition processes. Program Managers (PMs) frequently fail to address IA requirements early within the acquisition life cycle, and subsequently struggle during later acquisition phases to meet requirements after important design trades have been made.

Excerpts from article in ABC News, April 11, 2011: The United States is still "hugely vulnerable" to cyber attacks, but so are most other nations, a former chairman of the Joint Chiefs of Staff said Monday. "We're way late" in preparing to defend critical computer systems from hackers, enemies and others, retired Marine Gen. Peter Pace said. Pace was chairman of the Joint Chiefs, the nation's highest military post, under then-President George W. Bush from 2005 until He spoke at the Space Foundation's Cyber 1.1 conference in Colorado Springs. Pace said the U.S. probably has the strongest offensive cyber capabilities of any nation, and it has employed cyber attacks in the past. After his remarks, he declined to say how many times that has happened, or to describe the circumstances. Pace said the federal government should set security requirements for critical computer networks in the private sector, such as banking and finance.

9 What is the Biggest Threat to your Organization?
SLIDE INFORMATION
Slide Type (Content or Exercise): Content
ELO ID (use a comma to separate ELOs if more than one is addressed):
Supporting ELOs ID: ELO: Identify the basic concepts, threats, and best practices associated with cybersecurity in the DoD.
Policy / Directive / Standard / DTM ID: DoDI ,
Key Points: (See below)
Key Questions to Ask and Anticipated Answers: (See below)
Terms \ Definitions \ Acronyms: Supports ELO #1 – Define and Explain Cybersecurity, related terminology, and associated roles and responsibilities.

Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access, and in most cases the attacker never comes face-to-face with the victim.

A Rootkit is a …
• software tool intended to conceal its presence
• software tool intended to provide concealed access to a system
• set of programs and code that allows a permanent or consistent, undetectable presence on a machine
600% increase in the use of Rootkits

A botnet (also known as a zombie army) is a number of Internet computers that, although their owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to other computers on the Internet. Any such computer is referred to as a zombie, in effect a computer "robot" or "bot" that serves the wishes of some master spam or virus originator. Most computers compromised in this way are home-based. According to a report from Russian-based Kaspersky Labs, botnets, not spam, viruses, or worms, currently pose the biggest threat to the Internet. A report from Symantec came to a similar conclusion. Computers that are co-opted to serve in a zombie army are often those whose owners fail to provide effective firewalls and other safeguards. An increasing number of home users have high-speed connections for computers that may be inadequately protected. A zombie or bot is often created through an Internet port that has been left open and through which a small Trojan horse program can be left for future activation. At a certain time, the zombie army "controller" can unleash the effects of the army by sending a single command, possibly from an Internet Relay Channel (IRC) site.

Threats can come from: Cyber Terrorists, Espionage, Social Engineering, Viruses, Employee Error, Natural Disasters, Portable Memory Devices, Fired Employees, Botnets, Rootkits, Wireless Internet Access, …

10 Cyber Incidents and Origins
SLIDE INFORMATION
Slide Type (Content or Exercise): Content
ELO ID (use a comma to separate ELOs if more than one is addressed):
Supporting ELOs ID: ELO: Identify the basic concepts, threats, and best practices associated with cybersecurity in the DoD.
Policy / Directive / Standard / DTM ID: DoDI ,
Key Points: See below
Key Questions to Ask and Anticipated Answers:
Terms \ Definitions \ Acronyms:

Now spam comprises the vast majority of messages sent: 78% of the 210 billion e-mails sent each day, according to one estimate. And 93 billion of these manage to get past the technical defenses like spam filters and blacklists. E-mail programs have gotten smarter, but spammers stay one step ahead, using disposable addresses and sending messages from farms of different computers around the world to avoid being blocked. The garbled text spammers load their messages with to get past filters sometimes approaches poetry: sites like spampoetry.org chronicle lines like "Confirm you won fund/ You get it without paying/ Urgent attention".

80 percent of all spam delivered to North America and Europe is sent by only 100 spam gangs, comprised of about individuals around the world. Of the Top 10 Worst Spammers,
• 3 are from the Ukraine,
• 3 are from Russia,
• 1 is from Estonia,
• 1 is from Hong Kong,
• 1 is from India, and
• 1 is from the United States.

Federal Cyber Incidents Rose 39% in 2010
OMB: Nearly One Third of Incidents Involved Malicious Code
By GovInfoSecurity.com, March 24, 2011.
Cyber incidents affecting government information systems rose by 39 percent to 41,776 in fiscal year 2010, which ended Sept. 30, according to a new report from the Office of Management and Budget. OMB's annual report to Congress also revealed that phishing represented more than half of the 107,439 cyber incidents compiled by the United States Computer Emergency Readiness Team for FY2010 from federal, state and local governments, commercial enterprises, American citizens and foreign CERT teams. Thirty-nine percent of the incidents came from the federal government. "Malicious code through multiple means (e.g., phishing, virus, logic bomb) continues to be the most widely used attack approach," the report said. Among federal agencies, 31 percent of cyber incidents last year involved malicious code. Unauthorized access represented nearly 14 percent of reported incidents; improper usage, 17 percent; scans, probes and attempted access, 27 percent; and denial of service, 0.1 percent. More than 27 percent of federal incidents were categorized as under investigation or other.
Source: US CERT, Selected incident report categories
Source: Akamai – Q2 2014

11 Attack Sophistication vs. Intruder Technical Knowledge
SLIDE INFORMATION
Slide Type (Content or Exercise): Content
ELO ID (use a comma to separate ELOs if more than one is addressed):
Supporting ELOs ID: ELO: Identify the basic concepts, threats, and best practices associated with cybersecurity in the DoD.
Policy / Directive / Standard / DTM ID: DoDI ,
Key Points: See below
Key Questions to Ask and Anticipated Answers:
Terms \ Definitions \ Acronyms:

Slide answers why there is a greater need for defense in depth. Notice that in the early 80’s password guessing was the major form of DiD. Refer back to the “War Games” clip.

Definition from techterms.org. Bot: This is an automated software program that can execute certain commands when it receives a specific input (like a ro-"bot"). Bots are most often seen at work in the Internet-related areas of online chat and Web searching. The online chat bots do things like greet people when they enter a chat room, advertise Web sites, and kick people out of chat rooms when they violate the chat room rules. Web searching bots, also known as spiders and crawlers, search the Web and retrieve millions of HTML documents, then record the information and links found on the pages. From there, they generate electronic catalogs of the sites that have been "spidered." These catalogs make up the index of sites that are used for search engine results.

Definition from Wikipedia. Internet bots, also known as web robots or simply bots, are software applications that run automated tasks over the internet. Typically, bots perform tasks that are both simple and structurally repetitive, at a much higher rate than would be possible for a human editor alone. The largest use of bots is in web spidering, in which an automated script fetches, analyses and files information from web servers at many times the speed of a human. Each server can have a file called robots.txt containing rules for the spidering of that server that the bot is supposed to obey. In addition to their uses outlined above, bots may also be implemented where a response speed faster than that of humans is required (e.g., gaming bots and auction-site robots) or, less commonly, in situations where the emulation of human activity is required, for example chat bots.

Zombie computer (often abbreviated zombie) is a computer attached to the Internet that has been compromised by a security cracker, a computer virus, or a trojan horse. Generally, a compromised machine is only one of many in a "botnet", and will be used to perform malicious tasks of one sort or another under remote direction. Most owners of zombie computers are unaware that their system is being used in this way. Because the vector tends to be unconscious, these computers are metaphorically compared to a zombie. (Wikipedia)
Zombie: An insecure web server or computer that is hijacked and used in a DoS attack or to send spam. (from securence.com)

From Sophos.com. Morph: A method that a spammer uses to avoid detection by anti-spam software which involves modifying an e-mail header.

From Webopedia. Rootkit: A rootkit is a type of malicious software that is activated each time your system boots up. Rootkits are difficult to detect because they are activated before your system's Operating System has completely booted up. A rootkit often allows the installation of hidden files, processes, hidden user accounts, and more in the system's OS. Rootkits are able to intercept data from terminals, network connections, and the keyboard.

I’m not sure what is meant by “Sweepers”. This is most often associated with spyware, but usually refers to an anti-virus program.

Sources: Carnegie Mellon University, 2002 and Idaho National Laboratory, 2005

12 Types of System Threats
Passive threats
• Interception—unauthorized party gains access to an asset (attack on part of confidentiality)
Active threats
• Interruption—the system asset becomes unavailable or unusable (attack on availability)
• Modification—unauthorized party gains access and modifies the asset (attack on confidentiality and integrity)
• Fabrication—unauthorized party inserts counterfeit assets into the system (attack on part of confidentiality: authenticity and integrity)

SLIDE INFORMATION
Slide Type (Content or Exercise): Content
ELO ID (use a comma to separate ELOs if more than one is addressed):
Supporting ELOs ID: ELO: Identify the basic concepts, threats, and best practices associated with cybersecurity in the DoD.
Policy / Directive / Standard / DTM ID: DoDI ,
Key Points: See below
Key Questions to Ask and Anticipated Answers:
Terms \ Definitions \ Acronyms:
Threats are classified by the way the information is compromised on its way from its storage to consumption. There are active and passive threats. To protect against adversarial threats (as well as known natural threats), it is necessary to create a defense-in-depth strategy. (NIST SP )

13 Stuxnet and Duqu

Stuxnet
• Discovered in June of 2010; true intent was discovered in 2011
• Mission was to spread as a worm until it found Siemens SCADA systems
• Variants of Stuxnet got into five different Iranian facilities used to make uranium rods
• Worm got into facilities even though networks had no outside connections for the worm to travel through
• Slightly altered the rotation of centrifuges in order to botch the enrichment process
• Subtle changes were impossible to measure because of altered activity logs

Duqu
• Masqueraded as a Microsoft Word document
• Had specific targets in eight Middle Eastern countries
• Shared some code with Stuxnet
• Ultimate goal is either unknown or unreleased

SLIDE INFORMATION
Slide Type (Content or Exercise): Content
ELO ID (use a comma to separate ELOs if more than one is addressed):
Supporting ELOs ID: ELO: Identify the basic concepts, threats, and best practices associated with cybersecurity in the DoD.
Policy / Directive / Standard / DTM ID: DoDI ,
Key Points: See below
Key Questions to Ask and Anticipated Answers:
Terms \ Definitions \ Acronyms:

One of the biggest stories to hit the community was the discovery of Stuxnet. Stuxnet was in actuality discovered in June of 2010, but details of its true intent were not discovered until 2011 due to its highly specialized code. It was found that Stuxnet had a very specific mission, and that was to spread as a worm until it found equipment manufactured by Siemens, specifically their SCADA systems. It was found that different variants of Stuxnet found their way into 5 different Iranian facilities used to enrich uranium rods. The worm was able to make its way into the facilities, which was an amazing first feat, as these buildings were air-gapped networks, meaning they had no outside connections for the worm to travel through. This also means that the worm was likely carried into the compounds by workers, possibly on infected thumb drives. After Stuxnet made it inside, it would seek out the machines that were in charge of monitoring and controlling the PLC devices that operated the industrial centrifuges. It would alter their rotation ever so slightly at critical times in order to botch the enrichment process. The worm would also alter logging by the device so the subtle change would never be measured.

Later on, in September of 2011, another computer worm was found crawling around the internet. This one was called Duqu. Duqu gained quick notoriety as it was found to share some code with Stuxnet. Duqu masqueraded as Microsoft Word documents and targeted seemingly specific targets in eight countries, also in the Middle East. These documents, once opened, exploited a vulnerability in MS Word’s WIN32k TrueType font parsing engine. Its eventual goal has not been released as public knowledge as of yet.

14 Insider Threat Best Practices
• Consider threats from insiders and business partners in enterprise-wide risk assessments.
• Clearly document and consistently enforce policies and controls.
• Incorporate insider threat awareness into periodic security training for all employees.
• Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.
• Anticipate and manage negative issues in the work environment.
• Know your assets.
• Implement strict password and account management policies and practices.
• Enforce separation of duties and least privilege.
• Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
• Institute stringent access controls and monitoring policies on privileged users.

SLIDE INFORMATION
Slide Type (Content or Exercise): Content
ELO ID (use a comma to separate ELOs if more than one is addressed):
Supporting ELOs ID: ELO: Identify the basic concepts, threats, and best practices associated with cybersecurity in the DoD.
Policy / Directive / Standard / DTM ID: DoDI ,
Key Points: See below
Key Questions to Ask and Anticipated Answers:
Terms \ Definitions \ Acronyms:

What is meant by "Insider Threat?" CERT’s definition of a malicious insider is: a current or former employee, contractor, or business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.

The threat of attack from insiders is real and substantial. The 2007 E-Crime Watch Survey™, conducted by the United States Secret Service, the CERT® Coordination Center (CERT/CC), Microsoft, and CSO Magazine, found that in cases where respondents could identify the perpetrator of an electronic crime, 31% were committed by insiders. In addition, 49% of respondents experienced at least one malicious, deliberate insider incident in the previous year. The impact from insider attacks can be devastating. One employee working for a manufacturer stole blueprints containing trade secrets worth $100 million and sold them to a Taiwanese competitor in hopes of obtaining a new job with them.

From Common Sense Guide to Mitigating Insider Threats, 4th Edition, December 2012, Software Engineering Institute, Carnegie Mellon

15 Insider Threat Best Practices (Continued)
- Institutionalize system change controls.
- Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions.
- Monitor and control remote access from all end points, including mobile devices.
- Develop a comprehensive employee termination procedure.
- Implement secure backup and recovery processes.
- Develop a formalized insider threat program.
- Establish a baseline of normal network device behavior.
- Be especially vigilant regarding social media.
- Close the doors to unauthorized data exfiltration.

SLIDE INFORMATION
Slide Type: Content
Supporting ELO: Identify the basic concepts, threats, and best practices associated with cybersecurity in the DoD.
Policy / Directive / Standard / DTM ID: DoDI ,
Key Points: See below
Terms / Definitions / Acronyms: The speaker notes repeat the CERT definition of a malicious insider and the 2007 E-Crime Watch Survey figures given with the previous slide (source: Common Sense Guide to Mitigating Insider Threats, 4th Edition, December 2012, Software Engineering Institute, Carnegie Mellon University).
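The following Python script is an added example, not part of the lesson or of the CERT guide it cites; it shows how four of the practices above (SIEM-style log correlation, a baseline of normal behavior, the termination procedure, and system change control) turn into concrete detection rules. The audit log, HR termination feed, endpoint inventory, and the five-times-baseline threshold are all constructed assumptions.

```python
"""Insider-threat log correlation over a constructed audit log.

Added example (not from the ISA 201 lesson or the CERT guide). Every host,
user, volume and date below is constructed for illustration.
"""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean

# Constructed audit log: timestamp | user | action | bytes | source host | change ticket ('-' = none)
AUDIT_LOG = """\
2014-03-03T09:12:00 alice file_copy 120000 ws-0101 -
2014-03-03T14:40:00 alice file_copy 95000 ws-0101 -
2014-03-04T10:05:00 alice file_copy 110000 ws-0101 -
2014-03-04T11:30:00 bob config_change 0 srv-db01 CHG-1042
2014-03-05T09:00:00 alice file_copy 105000 ws-0101 -
2014-03-06T22:15:00 alice file_copy 4800000 vpn-gw -
2014-03-06T23:02:00 carol file_copy 150000 ws-0222 -
2014-03-07T08:30:00 bob config_change 0 srv-db01 -
"""

TERMINATIONS = {"carol": date(2014, 3, 5)}          # constructed HR feed: user -> termination date
MANAGED_HOSTS = {"ws-0101", "ws-0222", "srv-db01"}   # constructed endpoint inventory
BASELINE_END = date(2014, 3, 5)                      # last day of the baseline window (assumption)
VOLUME_FACTOR = 5.0                                  # multiple of baseline that triggers (assumption)


def parse_events(text):
    """Turn the whitespace-separated log into dicts; ticket '-' means no change ticket."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, nbytes, host, ticket = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "bytes": int(nbytes),
            "host": host,
            "ticket": None if ticket == "-" else ticket,
        })
    return events


def daily_volume(events):
    """Bytes copied per (user, day), counting only file_copy actions."""
    totals = defaultdict(int)
    for e in events:
        if e["action"] == "file_copy":
            totals[(e["user"], e["ts"].date())] += e["bytes"]
    return totals


def build_baseline(events, end):
    """Mean daily file_copy volume per user over the days up to and including `end`."""
    per_user = defaultdict(list)
    for (user, day), total in daily_volume(events).items():
        if day <= end:
            per_user[user].append(total)
    return {u: mean(v) for u, v in per_user.items()}


def correlate(events, baseline, terminations, managed_hosts, factor):
    """Return a sorted list of (user, day, rule) findings."""
    findings = set()
    volumes = daily_volume(events)
    for e in events:
        user, day = e["user"], e["ts"].date()
        # Rule 1 (termination procedure): any activity on or after the termination date.
        if user in terminations and day >= terminations[user]:
            findings.add((user, day, "activity_after_termination"))
        # Rule 2 (remote access control): source host not in the managed inventory.
        if e["host"] not in managed_hosts:
            findings.add((user, day, "unmanaged_endpoint"))
        # Rule 3 (system change control): configuration change with no approved ticket.
        if e["action"] == "config_change" and e["ticket"] is None:
            findings.add((user, day, "change_without_ticket"))
        # Rule 4 (exfiltration indicator): daily volume far above the user's own baseline.
        base = baseline.get(user)
        if base and volumes[(user, day)] > factor * base:
            findings.add((user, day, "volume_above_baseline"))
    return sorted(findings, key=lambda f: (f[1], f[0], f[2]))


def run():
    """Parse the constructed log, build the baseline, and correlate."""
    events = parse_events(AUDIT_LOG)
    baseline = build_baseline(events, BASELINE_END)
    return correlate(events, baseline, TERMINATIONS, MANAGED_HOSTS, VOLUME_FACTOR)


if __name__ == "__main__":
    for user, day, rule in run():
        print(f"{day} {user:<6} {rule}")
```

On this input the baseline for alice is about 143,000 bytes per day, so the 4.8 MB copy over the VPN gateway trips both the volume and the unmanaged-endpoint rules, while bob's ticketed change on 4 March is not reported.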

16 Cybersecurity in the DoD
Lesson Plan Status
- Cybersecurity Concepts
- Cybersecurity in the DoD
- The Risk Management Framework (RMF) for DoD Information Technology (IT)
- RMF Steps
- Exercise

SLIDE INFORMATION
Slide Type: Content
Supporting ELOs:
- Identify the basic concepts, threats, and best practices associated with cybersecurity in the DoD.
- Identify the policies and principles that support cybersecurity for DoD Information Technology (IT).
- Identify the major principles and components of the Risk Management Framework (RMF) for DoD Information Technology (IT).
- Identify the six steps of the Risk Management Framework (RMF) for DoD Information Technology (IT).
Policy / Directive / Standard / DTM ID: DoDI ,
Key Points: Overview slide only

17 Defense in Depth
Department of Defense Directive (Purpose Statement): DoD will implement a multi-tiered cybersecurity risk management process to protect U.S. interests, DoD operational capabilities, and DoD individuals, organizations, and assets from the DoD Information Enterprise level, through the DoD Component level, down to the IS level as described in National Institute of Standards and Technology (NIST) Special Publication (SP) and Committee on National Security Systems (CNSS) Policy (CNSSP) 22.
Definition of Defense in Depth: Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization. (CNSSI 4009, IA Glossary)

SLIDE INFORMATION
Slide Type: Content
Supporting ELO: Identify the policies and principles that support cybersecurity for DoD Information Technology (IT).
Policy / Directive / Standard / DTM ID: DoDI ,
Key Points: See below
Key Questions to Ask and Anticipated Answers:
Discuss how the castle is protected: moat, terrain, gates and guards. Where did the king or queen (the most important asset) hide? What are ways that we protect information? Use the "War Games" video clip to illustrate the single means of defense (passwords) that existed in the early 1980s. How have things changed today?
May want to discuss "defense in breadth" (see note below): IA within the DoD previously relied on a defense-in-depth approach to assuring information based largely upon firewalls and software patches; the focus was on attempting to keep intruders out and data safe. As approaches to IA have evolved, the DoD is moving towards a defense-in-breadth approach, integrating capabilities of people, operations, and technology to establish multi-layer, multi-dimensional protection that will assure our information warfare capabilities and information-critical components are trusted throughout their life span to achieve decision/mission superiority.

18 Defense in Depth—A Closer Look
SLIDE INFORMATION
Slide Type: Content
Supporting ELO: Identify the policies and principles that support cybersecurity for DoD Information Technology (IT).
Policy / Directive / Standard / DTM ID: DoDI ,
Key Points: See below
Terms / Definitions / Acronyms:
Data security is the means of ensuring that data is kept safe from corruption and that access to it is suitably controlled. Thus data security helps to ensure privacy; it also helps in protecting personal data.
Application security is the use of software, hardware, and procedural methods to protect applications from external threats. Security measures built into applications and a sound application security routine minimize the likelihood that hackers will be able to manipulate applications and access, steal, modify, or delete sensitive data. Once an afterthought in software design, security is becoming an increasingly important concern during development as applications become more frequently accessible over networks and are, as a result, vulnerable to a wide variety of threats.
Host-based security: workstation- or server-based security implementations that augment or enhance local security measures to enforce data integrity, prevent exploitation of the system, and ensure system availability.
Network security consists of the provisions made in an underlying computer network infrastructure, the policies adopted by the network administrator to protect the network and the network-accessible resources from unauthorized access, and consistent and continuous monitoring and measurement of their effectiveness (or lack of it).
Physical security describes both measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media and guidance on how to design structures to resist various hostile acts. It can be as simple as a locked door or as elaborate as multiple layers of armed security guards and guardhouse placement.

19 Defense in Depth Common Security Tactics
Cryptography: Simply put, hiding information. Includes secret-key and public-key cryptography and hash functions.
Firewalls: Often prevent unauthorized access into private networks. Can be hardware, software, or a combination of both.
Network traffic monitoring: Examines and analyzes network traffic and usage trends. Identifies anomalies in network traffic.
Vulnerability testing: Exhaustive examination of targeted areas of network infrastructure. Should be done regularly.
Network intrusion detection and prevention: Reads incoming packets of information to find suspicious patterns. Prevention reacts in real time to block traffic.
Common Access Card (CAC): Enables encryption and facilitates the use of PKI.

SLIDE INFORMATION
Slide Type: Content
Supporting ELO: Identify the policies and principles that support cybersecurity for DoD Information Technology (IT).
Policy / Directive / Standard / DTM ID: DoDI ,
Key Points: See below
Terms / Definitions / Acronyms:
There are several types of firewall techniques:
- Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.
- Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose performance degradation.
- Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
- Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.
Public Key Infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates. In cryptography, a PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The user identity must be unique for each CA. The binding is established through the registration and issuance process, which, depending on the level of assurance the binding has, may be carried out by software at a CA or under human supervision. The PKI role that assures this binding is called the Registration Authority (RA). For each user, the user identity, the public key, their binding, validity conditions, and other attributes are made unforgeable in public key certificates issued by the CA.
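The following Python script is an added example, not from the lesson: a minimal first-match packet filter that makes the IP-spoofing weakness of address-only rules concrete and shows the interface-aware ingress rule that closes it. The address ranges, interface names, rule sets, and sample packets are constructed.

```python
"""First-match packet filter with an anti-spoofing ingress rule.

Added example, not from the lesson. Two rule sets are compared: one that
matches on addresses only (the packet-filter weakness the notes describe) and
one that also checks the arrival interface. Addresses, interfaces, rules and
packets are constructed.
"""
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
INTERNAL_NET = ip_network("10.20.0.0/16")        # constructed enclave address space
WEB_SERVER = ip_network("10.20.5.10/32")         # constructed public-facing host

# A rule is (arrival interface or None for any, source net, destination net,
# destination port or None for any, verdict). Rules are evaluated top-down,
# the first match wins, and anything unmatched is denied.
RULES_ADDRESS_ONLY = [
    (None, INTERNAL_NET, ANY, None, "accept"),   # trusts any packet claiming an inside source
    (None, ANY, WEB_SERVER, 443, "accept"),      # public HTTPS to the web server
]

RULES_HARDENED = [
    ("ext", INTERNAL_NET, ANY, None, "deny"),    # ingress filter: inside addresses never arrive from outside
    ("int", INTERNAL_NET, ANY, None, "accept"),  # genuine inside traffic enters on the internal interface
    ("ext", ANY, WEB_SERVER, 443, "accept"),     # public HTTPS to the web server
]


def evaluate(rules, iface, src, dst, dport):
    """Return (verdict, index of the matching rule), or ("deny", None) if nothing matched."""
    s, d = ip_address(src), ip_address(dst)
    for i, (r_iface, r_src, r_dst, r_port, verdict) in enumerate(rules):
        if r_iface is not None and r_iface != iface:
            continue
        if s not in r_src or d not in r_dst:
            continue
        if r_port is not None and r_port != dport:
            continue
        return verdict, i
    return "deny", None


# Constructed packets: (label, arrival interface, source, destination, destination port)
PACKETS = [
    ("inside host to web server", "int", "10.20.1.5", "10.20.5.10", 22),
    ("public client HTTPS", "ext", "198.51.100.7", "10.20.5.10", 443),
    ("public client SSH", "ext", "198.51.100.7", "10.20.5.10", 22),
    ("spoofed inside source from outside", "ext", "10.20.1.5", "10.20.5.10", 22),
]


def compare(packets=PACKETS):
    """Map each packet label to the verdicts of (address-only, hardened) rule sets."""
    return {
        label: (evaluate(RULES_ADDRESS_ONLY, *pkt)[0], evaluate(RULES_HARDENED, *pkt)[0])
        for label, *pkt in packets
    }


if __name__ == "__main__":
    for label, (loose, hardened) in compare().items():
        print(f"{label:<36} address-only={loose:<6} hardened={hardened}")
```

Only the last packet differs between the two rule sets: the address-only filter accepts it because the forged source lies inside the enclave range, while the hardened set denies it at the ingress rule.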

20 DoD Cybersecurity Legislation, Policy and Guidance
- US Code Title 40 (Clinger-Cohen)
- Federal Information Processing Standards
- DoD Directive , Information Assurance Training, Certification, and Workforce Management
- DoD Manual M, Information Assurance Workforce Improvement Program
- The National Institute of Standards and Technology (NIST) Special Publication (SP) 800 Series (Computer Security)
- Subchapter III of Chapter 35 of Title 44, United States Code, "Federal Information Security Management Act (FISMA) of 2002"
- DoD Instruction , Cybersecurity
- DoD Instruction , Risk Management Framework for DoD Information Technology

SLIDE INFORMATION
Slide Type: Content
Supporting ELO: Identify the policies and principles that support cybersecurity for DoD Information Technology (IT).
Policy / Directive / Standard / DTM ID: DoDI , (see below)
Key Points: See below
Terms / Definitions / Acronyms:
DoD cybersecurity policy, legislation and guidance covered here: FISMA; DoDI / DoDI ; National Security Act of 1947.
National Security Act of 1947: The National Security Act of 1947 mandated a major reorganization of the foreign policy and military establishments of the U.S. Government. The act created many of the institutions that Presidents found useful when formulating and implementing foreign policy, including the National Security Council (NSC). The act also established the Central Intelligence Agency (CIA), which grew out of the World War II era Office of Strategic Services and small post-war intelligence organizations. The CIA served as the primary civilian intelligence-gathering organization in the government. Later, the Defense Intelligence Agency became the main military intelligence body. In 1949 the act was amended to give the Secretary of Defense more power over the individual services and their secretaries.
What is NSTISSP #11? NSTISSP #11 is a national security community policy governing the acquisition of information assurance (IA) and IA-enabled information technology products. The policy was issued by the Chairman of the National Security Telecommunications and Information Systems Security Committee (NSTISSC), now known as the Committee on National Security Systems (CNSS), in January 2000 and revised in June. The policy mandates, effective 1 July 2002, that departments and agencies within the Executive Branch shall acquire, for use on national security systems, only those COTS products or cryptographic modules that have been validated with the International Common Criteria for Information Technology Security Evaluation, the National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS), or by the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) Cryptographic Module Validation Program.
Department of Defense (DoD) Directive : In 2004, the U.S. Department of Defense (DoD) established Directive : Information Assurance Training, Certification and Workforce Management. It requires that all DoD Information Assurance technicians and managers are trained and certified to effectively defend DoD information, information systems and information infrastructures.
DoD Directive Manual: The Information Assurance Workforce Improvement Program Manual provides guidance and procedures for the training, certification and management of the DoD workforce that conducts Information Assurance functions in assigned duty positions.
NIST Special Publications (800 Series): Special Publications in the 800 series present documents of general interest to the computer security community. The Special Publication 800 series was established in 1990 to provide a separate identity for information technology security publications. This Special Publication 800 series reports on ITL's research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.

21 Federal Information Security Management Act (FISMA)—2002
The National Institute of Standards and Technology (NIST) outlines nine steps toward compliance with FISMA:
1. Categorize the information to be protected.
2. Select minimum baseline controls.
3. Refine controls using a risk assessment procedure.
4. Document the controls in the system security plan.
5. Implement security controls in appropriate information systems.
6. Assess the effectiveness of the security controls once they have been implemented.
7. Determine agency-level risk to the mission or business case.
8. Authorize the information system for processing.
9. Monitor the security controls on a continuous basis.

SLIDE INFORMATION
Slide Type: Content
Supporting ELO: Identify the policies and principles that support cybersecurity for DoD Information Technology (IT).
Policy / Directive / Standard / DTM ID: FISMA
Key Points: See below
Key Questions to Ask and Anticipated Answers:
Discuss that FISMA has been a source of frustration for many and that efforts have been made to improve it. At the time of this course, no new guidance has been signed into law to either replace or update FISMA. Ask students: "What do you feel is the problem with FISMA (if any)?" Also: "What should be done to improve FISMA?"
The RMF must satisfy the requirements of subchapter III of chapter 35 of Title 44, United States Code (U.S.C.), also known as the "Federal Information Security Management Act (FISMA) of 2002" (DoDI , March 12, 2014).

22 DoD Cybersecurity Policy
DoD Instruction , Cybersecurity, signed March 14, 2014:
- Cancels or supersedes 11 DoD Directives, Instructions, or Memorandums.
- References a total of 132 policy documents, including 12 National Institute of Standards and Technology (NIST) Special Publications and 9 Committee on National Security Systems (CNSS) Instructions or Policies.
- Adopts the term "cybersecurity" to be used throughout the DoD instead of the term "information assurance (IA)."

SLIDE INFORMATION
Slide Type: Content
Supporting ELO: Identify the policies and principles that support cybersecurity for DoD Information Technology (IT).
Policy / Directive / Standard / DTM ID: DoDI
Key Points: See below
DoDI , Cybersecurity (59 pages), outline:
ENCLOSURE 1: REFERENCES
ENCLOSURE 2: RESPONSIBILITIES
ENCLOSURE 3: PROCEDURES
  INTRODUCTION
  RISK MANAGEMENT
  OPERATIONAL RESILIENCE
  INTEGRATION AND INTEROPERABILITY
  (Continued)
DoDI , RMF (47 pages), outline:
ENCLOSURE 1: REFERENCES
ENCLOSURE 2: RESPONSIBILITIES
ENCLOSURE 3: RMF PROCEDURES
  OVERVIEW
  RISK MANAGEMENT OF IS AND PIT SYSTEMS
  RISK MANAGEMENT OF PRODUCTS, SERVICES, AND PIT
    IT Products
    IT Services
ENCLOSURE 4: RMF GOVERNANCE
  RMF GOVERNANCE
    Tier 1 - Organization
    Tier 2 - Mission/Business Processes
    Tier 3 - IS and PIT Systems
  RMF ROLE APPOINTMENT
ENCLOSURE 5: CYBERSECURITY RECIPROCITY
ENCLOSURE 6: RISK MANAGEMENT OF IS AND PIT SYSTEMS
  ……
  RMF STEPS
ENCLOSURE 7: KS
ENCLOSURE 8: RMF TRANSITION

23 RMF - Operational Resilience, Integration, and Interoperability
Operational Resilience
- Information and computing services are available to authorized users whenever and wherever needed.
- Security posture is sensed, correlated, and made visible to mission owners, network operators, and to the DoD Information Enterprise.
- Hardware and software have the ability to reconfigure, optimize, self-defend, and recover with little or no human intervention.
Integration and Interoperability
- Cybersecurity must be fully integrated into system life cycles and will be a visible element of IT portfolios.
- Interoperability will be achieved through adherence to DoD architecture principles.
- All interconnections of DoD IT will be managed to minimize shared risk.

SLIDE INFORMATION
Slide Type: Content
Supporting ELO: Identify the policies and principles that support cybersecurity for DoD Information Technology (IT).
Policy / Directive / Standard / DTM ID: DoDI ,
Key Points: See below
From DoDI 8500 (p. 31): Operational resilience requires three conditions to be met: information resources are trustworthy; missions are ready for information resources degradation or loss; and network operations have the means to prevail in the face of adverse events.
Key Questions to Ask and Anticipated Answers:
Q: Do COTS software products have a level of operational resilience built in? (See item 3 above.)
A: From the Microsoft Windows forum: Windows 8 has self-healing ability. It has built-in anti-virus software. Microsoft will introduce in Windows 8 what it calls Storage Spaces, a method of putting drives into a virtual pool from which self-healing virtual disks can be created. So, what do we think about Storage Spaces? First of all, virtualising storage is a good idea, and automating data resilience and recovery from drive failure is very sensible. Perhaps users with Storage Spaces will have less need to rely on backup software or to buy self-protecting external storage arrays such as Drobos. However, the protection, although RAID-like, is not RAID and not hardware-assisted. We have no information on recovery timings other than that it happens automatically in the background, which is good. Clearly, the larger the capacity of the failed drive, the longer the recovery time will be. Perhaps storage spaces are better carved out from pools made of many small drives than a few large drives.
Q: Why is adhering to DoD architecture principles important for interoperability?
A: If your system is not well architected, the difficulty of assuring interoperability is greatly increased. Unfortunately our IT systems are often built on legacy systems and they resemble the Winchester Mystery House!
Terms / Definitions / Acronyms:
Other definitions of operational resilience (Gartner): Operational resilience is a set of techniques that allow people, processes and informational systems to adapt to changing patterns. It is the ability to alter operations in the face of changing business conditions. Operationally resilient enterprises have the organizational competencies to ramp up or slow down operations in a way that provides a competitive edge and enables quick and local process modification.
Operational resilience is "an emergent property of an organization that can continue to carry out its mission in the presence of operational stress and disruption" (source: Carnegie Mellon's Resilience Management Model, CERT-RMM).
This may be a good time to discuss the CERT Resilience Management Model. CERT-RMM has two primary objectives:
- Establish the convergence of operational risk and resilience management activities such as security, business continuity, and aspects of IT operations management into a single model.
- Apply a process improvement approach to operational resilience management through the definition and application of a capability-level scale that expresses increasing levels of process improvement.

24 RMF and Cybersecurity Reciprocity
Definition: Mutual agreement among participating enterprises to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.
If applied appropriately, reciprocity will reduce:
- Redundant testing
- Redundant assessment and documentation
- Overall costs in time and resources
Cybersecurity reciprocity is best achieved through transparency. (DoDI , March 14, 2014)

SLIDE INFORMATION
Slide Type: Content
Supporting ELO: Identify the policies and principles that support cybersecurity for DoD Information Technology (IT).
Policy / Directive / Standard / DTM ID: DoDI ,
Key Points: See below (from DoDI , pages 21-22)
a. IS and PIT systems have only a single valid authorization. Multiple authorizations indicate multiple systems under separate ownership and configuration control.
b. Deploying systems with valid authorizations (from a DoD organization or other federal agency) are intended to be accepted into receiving organizations without adversely affecting the authorizations of either the deployed system or the receiving enclave or site.
c. Deploying system ISOs and PMs must coordinate system security requirements with receiving organizations or their representatives early and throughout system development.
d. The process for a receiving organization to accept IS and PIT systems is:
  (1) Review the complete security authorization package.
  (2) Determine the security impact of connecting the deploying system within the receiving enclave or site.
  (3) Determine the risk of hosting the deploying system within the enclave or site.
  (4) If the risk is acceptable, execute a documented agreement between deploying and receiving organizations (e.g., memorandum of understanding (MOU), memorandum of agreement (MOA), SLA) for the maintenance and monitoring of the security posture of the system (security controls, computer network defense service provider (CNDSP), etc.).
  (5) Document the acceptance by the receiving AO.
e. Receiving organizations have the right to refuse deploying systems due to a security authorization package that does not meet sufficiency and completeness requirements as defined on the KS, or excessive risk to the enclave or site, as determined by the enclave or site AO. Refusals must be documented by the refusing AO and provided to the deploying organization's ISO or PM, AO, and Component SISO, and to the refusing organization's Component SISO. Disputes should be resolved at the lowest possible level. Disputes that cannot be resolved will be raised to the next appropriate level (e.g., DoD Component, MA PAO, DSAWG, DoD ISRMC).
Cybersecurity reciprocity is best achieved through transparency (i.e., making sufficient evidence regarding the security posture of an IS or PIT system available, so that an AO from another organization can use that evidence to make credible, risk-based decisions regarding the acceptance and use of that system or the information it processes, stores, or transmits). Components must share security authorization packages with affected information owners (IOs) or stewards and interconnected ISOs to support cybersecurity reciprocity. The reciprocal acceptance of DoD and other federal agency and department security authorizations will be implemented in accordance with the procedures in Reference (q). (DoDI , March 14, 2014, Enclosure 3)
Key Questions to Ask and Anticipated Answers:
Q: Do your systems ever have to communicate with other systems? How do you make sure that the other system does not compromise your system?
A: No system is fully secure. Reciprocity can be accomplished if the other system is certified as having gone through at least as rigorous a security process as your system. RMF sets up a management and arbitration structure, so if lower levels can't agree on reciprocity, higher levels of each organization get involved to resolve conflicts and disputes.
Terms / Definitions / Acronyms:
Reciprocity (Webster's Dictionary): a situation or relationship in which two people or groups agree to do something similar for each other, to allow each other to have the same rights, etc.; a reciprocal arrangement or relationship.
Reciprocity (Free Dictionary): a mutual or cooperative interchange of favors or privileges, especially the exchange of rights or privileges of trade between nations.

25 RMF and Continuous Monitoring
Information System Continuous Monitoring: maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
Continuous monitoring capabilities will be implemented to the greatest extent possible.

SLIDE INFORMATION
Slide Type: Content
Supporting ELO: Identify the policies and principles that support cybersecurity for DoD Information Technology (IT).
Policy / Directive / Standard / DTM ID: DoDI ,
Key Points: See below
Important: Continuous monitoring is encouraged in the 8500 series, but getting a continuous monitoring authorization instead of the 3-year maximum ATO does not seem to be a possibility for the foreseeable future. DoD is working on a continuous monitoring strategy that is scheduled for release sometime early in CY15. A DoD directive on continuous monitoring is scheduled for release some time late in CY15.
From DoDI (p. 30), (3) Monitoring Strategy: Develop and document a system-level strategy for the continuous monitoring of the effectiveness of security controls employed within or inherited by the system, and monitoring of any proposed or actual changes to the system and its environment of operation. The strategy must include the plan for annual assessments of a subset of implemented security controls, and the level of independence required of the assessor (e.g., ISSM or SCA). The breadth, depth, and rigor of these annual assessments should be reflective of the security categorization of the system and threats to the system.
From DoDI 8510 (pp. 35, 38): If overall risk is determined to be acceptable, and there are no NC controls with a level of risk of "Very High" or "High," then the authorization decision should be issued in the form of an ATO. An ATO authorization decision must specify an ATD that is within 3 years of the authorization date unless the IS or PIT system has a system-level continuous monitoring program compliant with DoD continuous monitoring policy as issued. Systems that have been evaluated as having a sufficiently robust system-level continuous monitoring program (as defined by emerging DoD continuous monitoring policy) may operate under a continuous reauthorization. Continuous monitoring does not replace the security authorization requirement; rather, it is an enabler of ongoing authorization decisions.
From DoDI 8500 (p. 34), b. Continuous Monitoring Capability: DoD will establish and maintain a continuous monitoring capability that provides cohesive collection, transmission, storage, aggregation, and presentation of data that conveys current operational status to affected DoD stakeholders. DoD Components will achieve cohesion through the use of a common continuous monitoring framework, lexicon, and workflow as specified in NIST SP (Reference (cs)).
The continuous monitoring process steps, as described in NIST SP , consist of:
- Define strategy
- Establish measures and metrics
- Establish monitoring and assessment frequencies
- Implement the monitoring program
- Analyze security-related information (data) and report findings
- Respond with mitigation actions, or reject/avoid, transfer, or accept risk
- Review and update monitoring strategy and program
Key Questions to Ask and Anticipated Answers:
Q: Do you know of continuous monitoring software that is being used in the DoD?
A: Obviously, answers will vary, but this is tricky. Be very careful of those developers claiming to have CM capabilities. Tripwire (see below) has gained widespread use over a long time.
Continuous diagnostics and monitoring (also known as continuous monitoring) is not a single solution; it is a best practice for cybersecurity that government standards, risk-based security frameworks, and compliance mandates require or recommend. Tripwire's solution for Continuous Diagnostics and Mitigation (CDM) helps agencies reduce their risk by 80%+ in the first months. Tripwire maintains a nonstop security profile, transforming the historically static security control assessment process into an automated security information collection process, enabling continuous risk assessment and compliance. Tripwire solutions fulfill all CDM requirements set forth by the Department of Homeland Security and have been successfully deployed in many government agencies to provide a comprehensive view of all assets within 72 hours or less.
Terms / Definitions / Acronyms:
Continuous monitoring working definition from NIST (2010): Continuous monitoring (generic) is maintaining ongoing awareness to support organizational risk decisions. Information security continuous monitoring is maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. The terms "continuous" and "ongoing" in this context mean that security controls and organizational risks are assessed, analyzed and reported at a frequency sufficient to support risk-based security decisions as needed to adequately protect organization information.

26 Lesson Plan Status
Cybersecurity Concepts
Cybersecurity in the DoD
The Risk Management Framework (RMF) for DoD Information Technology (IT)
RMF Steps
Exercise

SLIDE INFORMATION
Slide Type: Content
Supporting ELOs:
ELO Identify the basic concepts, threats, and best practices associated with cybersecurity in the DoD.
ELO Identify the policies and principles that support cybersecurity for DoD Information Technology (IT)
ELO Identify the major principles and components of the Risk Management Framework (RMF) for DoD Information Technology (IT)
ELO Identify the six steps of the Risk Management Framework (RMF) for DoD Information Technology (IT)
Policy / Directive / Standard / DTM ID: DoDI , 
Key Points: Overview slide only
Key Questions to Ask and Anticipated Answers: Overview slide only

27 Risk Management Framework (RMF) for DoD Information Technology (IT)
DoD Instruction Risk Management Framework (RMF) for DoD Information Technology (IT), signed March 12, 2014:
- More consistent with established disciplines and best practices for effective systems engineering, systems security engineering, and program protection planning outlined in DoDI 
- Leverages and builds upon numerous existing federal policies and standards, so there is less DoD policy to write and maintain.

SLIDE INFORMATION
Slide Type: Content
Supporting ELO: Identify the major principles and components of the Risk Management Framework (RMF) for DoD Information Technology (IT)
Policy / Directive / Standard / DTM ID: DoDI 
Key Points:
DoDI (Cybersecurity), 59 pages. Outline:
ENCLOSURE 1: REFERENCES
ENCLOSURE 2: RESPONSIBILITIES
ENCLOSURE 3: PROCEDURES
  INTRODUCTION
  RISK MANAGEMENT
  OPERATIONAL RESILIENCE
  INTEGRATION AND INTEROPERABILITY
  (continued)
DoDI (RMF), 47 pages. Outline:
ENCLOSURE 1: REFERENCES
ENCLOSURE 2: RESPONSIBILITIES
ENCLOSURE 3: RMF PROCEDURES
  OVERVIEW
  RISK MANAGEMENT OF IS AND PIT SYSTEMS
  RISK MANAGEMENT OF PRODUCTS, SERVICES, AND PIT
    IT Products
    IT Services
ENCLOSURE 4: RMF GOVERNANCE
  RMF GOVERNANCE
    Tier 1 - Organization
    Tier 2 - Mission/Business Processes
    Tier 3 - IS and PIT Systems
  RMF ROLE APPOINTMENT
ENCLOSURE 5: CYBERSECURITY RECIPROCITY
ENCLOSURE 6: RISK MANAGEMENT OF IS AND PIT SYSTEMS ... RMF STEPS
ENCLOSURE 7: KS (RMF Knowledge Service)
ENCLOSURE 8: RMF TRANSITION
Terms / Definitions / Acronyms:
DoD participates in CNSS and NIST policy development as a vested stakeholder, with the goals of a more synchronized cybersecurity landscape and protection of the unique requirements of DoD missions and warfighters.

28 Key RMF Documents
NIST Special Publications (SP):
800-37—Guide for Applying the RMF
800-39—Managing Information Security Risk
800-53—Security and Privacy Controls
800-53A—Guide for Assessing the Security Controls
800-60—Guide for Mapping Types of Information and Information Systems to Security Categories
 —Information Security Continuous Monitoring
Committee on National Security Systems (CNSS):
Instruction 1253—Security Categorization and Control Selection for National Security Systems
Instruction 4009—Information Assurance Glossary
Policy 11—National Policy Governing the Acquisition of IA and IA-Enabled IT Products

SLIDE INFORMATION
Slide Type: Content
Supporting ELO: Identify the major principles and components of the Risk Management Framework (RMF) for DoD Information Technology (IT)
Policy / Directive / Standard / DTM ID: DoDI , , and the NIST and CNSS publications listed above
Key Points:
1. The RMF categorization step, including consideration of legislation, policies, directives, regulations, standards, and organizational mission/business/operational requirements, facilitates the identification of security requirements. FIPS 199 provides security categorization guidance for non-national security systems; CNSS Instruction 1253 provides similar guidance for national security systems.
2. NIST Special Publication provides security control selection guidance for non-national security systems; CNSS Instruction 1253 provides similar guidance for national security systems.
3. NIST Special Publication A provides security control assessment procedures for the security controls defined in NIST Special Publication .
4. NIST Special Publication Revision 1 provides guidance on authorizing an information system to operate.
5. NIST Special Publication Revision 1 provides guidance on monitoring the security controls in the environment of operation, the ongoing risk determination and acceptance, and the approved information system authorization-to-operate status.

29 Applicability
All DoD-owned IT or DoD-controlled IT that receive, process, store, display, or transmit DoD information. These technologies are broadly grouped as DoD IS, platform IT (PIT), IT services, and products. This includes IT supporting research, development, test and evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD.

SLIDE INFORMATION
Slide Type: Content
Supporting ELO: Identify the major principles and components of the Risk Management Framework (RMF) for DoD Information Technology (IT)
Policy / Directive / Standard / DTM ID: DoDI , 
Key Points:
From DoDI , 2. APPLICABILITY
a. This instruction applies to:
(1) OSD, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (referred to collectively in this instruction as the "DoD Components").
(2) All DoD IT that receive, process, store, display, or transmit DoD information. These technologies are broadly grouped as DoD IS, platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, test and evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD.
b. Nothing in this instruction alters or supersedes the existing authorities and policies of the Director of National Intelligence regarding the protection of sensitive compartmented information (SCI), as directed by Executive Order (Reference (l)) and other laws and regulations. The application of the provisions and procedures of this instruction to information technologies processing SCI is encouraged where they may complement or cover areas not otherwise specifically addressed.
Terms / Definitions / Acronyms:
Platform IT (PIT) refers to computer resources, both hardware and software, that are physically part of, dedicated to, or essential in real time to the mission performance of special-purpose systems. PIT does not include general-purpose systems. PIT may:
a. Reside aboard or on a platform
b. Be stand-alone
c. Have an interconnection to other platform IT (known as a "Platform IT-to-Platform IT Interconnection")
d. Have a Platform IT Interconnection (see DoDI ) to other IT that is not platform IT (e.g., a general-use ship's network, such as ISNS, or a non-platform IT system)
Examples of platforms that may include PIT are: weapons systems; training simulators; diagnostic test and maintenance equipment; calibration equipment; equipment used in the research and development of weapons systems; medical devices and health information technologies; vehicles and alternative-fueled vehicles (e.g., electric, bio-fuel, liquefied natural gas) that contain car computers; buildings and their associated control systems (building automation or building management systems, energy management systems, fire and life safety, physical security, elevators, etc.); utility distribution systems (such as electric, water, waste water, natural gas and steam); and telecommunications systems designed specifically for industrial control systems, including supervisory control and data acquisition, direct digital control, programmable logic controllers, other control devices and advanced metering or sub-metering, including associated data transport mechanisms (e.g., data links, dedicated networks).

30 Risk Management and the RMF
Multi-tiered Risk Management: DoD will implement a multi-tiered cybersecurity risk management process to protect U.S. interests, DoD operational capabilities, and DoD individuals, organizations, and assets, from the DoD Information Enterprise level, through the DoD Component level, down to the IS level.

SLIDE INFORMATION
Slide Type: Content
Supporting ELO: Identify the major principles and components of the Risk Management Framework (RMF) for DoD Information Technology (IT)
Policy / Directive / Standard / DTM ID: NIST SP 
Key Points:
NIST Special Publication is the flagship document in the series of information security standards and guidelines developed by NIST in response to FISMA. Its purpose is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems. It provides a structured, yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.
Key Questions to Ask and Anticipated Answers:
Q: How does a well-defined organizational structure help in achieving the goal of reciprocity?
A: A chain of command provides a structure for arbitration if disputes about risk arise. A dispute at tier 3 can be escalated to tier 2 or tier 1 for resolution.
Terms / Definitions / Acronyms: Defined in NIST SP 

31 NIST SP 800-39—Risk Management Process Applied Across the Tiers

SLIDE INFORMATION
Slide Type: Content
Supporting ELO: Identify the major principles and components of the Risk Management Framework (RMF) for DoD Information Technology (IT)
Policy / Directive / Standard / DTM ID: NIST SP 
Key Points:
Risk Management Process (NIST SP ). Risk management is a comprehensive process that requires organizations to:
1. Frame risk (i.e., establish the context for risk-based decisions);
2. Assess risk;
3. Respond to risk once determined; and
4. Monitor risk on an ongoing basis, using effective organizational communications and a feedback loop for continuous improvement in the risk-related activities of organizations.
The first component, risk framing, addresses how organizations establish a risk context, that is, describe the environment in which risk-based decisions are made. Its purpose is to produce a risk management strategy that addresses how organizations intend to assess risk, respond to risk, and monitor risk, making explicit and transparent the risk perceptions that organizations routinely use in making both investment and operational decisions.
The second component addresses how organizations assess risk within the context of the organizational risk frame.
The third component addresses how organizations respond to risk once that risk is determined based on the results of risk assessments. The purpose of the risk response component is to provide a consistent, organization-wide response to risk in accordance with the organizational risk frame.
The fourth component addresses how organizations monitor risk over time.
Key Questions to Ask and Anticipated Answers:
Q: The DoD has developed a Risk Management Guide to handle risks. How does this process differ? How is it similar?
A: The RM Guide process is Risk Identification, Analysis, Mitigation Planning, Mitigation Plan Implementation, and Tracking. These steps are consistent with Frame (Identify), Assess (Analysis), Respond (Mitigation Planning/Implementation), and Monitor (Tracking). It should be understood that this process applies to cybersecurity and not to other areas. To be honest, I've talked to the RMF developers about this and I was shocked that they did not even seem to know about the Risk Management Guide.

32 RMF and the Acquisition Life Cycle
Cybersecurity requirements must be identified and included throughout the life cycle of systems, to include acquisition, design, development, developmental testing, operational testing, integration, implementation, operation, upgrade, or replacement of all DoD IT supporting DoD tasks and missions.
Integration. Cybersecurity must be fully integrated into system life cycles so that it will be a visible element of organizational, joint, and DoD Component architectures, capability identification and development processes, integrated testing, information technology portfolios, acquisition, operational readiness assessments, supply chain risk management, system security engineering, and operations and maintenance activities.

SLIDE INFORMATION
Slide Type: Content
Supporting ELO: Identify the major principles and components of the Risk Management Framework (RMF) for DoD Information Technology (IT)
Policy / Directive / Standard / DTM ID: DoDI , , DoDI 
Key Questions to Ask and Anticipated Answers:
Q: Have cybersecurity professionals typically been involved in critical programmatic IPTs (Financial Planning IPT, Systems Engineering IPT, Contracting IPTs)?
A: No, but in each of the IPTs above, cybersecurity professionals must play a greater role.
Terms / Definitions / Acronyms:
ICD – Initial Capabilities Document
CDD – Capability Development Document
DRFPRD – Development Request for Proposal Release Decision
PDR – Preliminary Design Review
CDR – Critical Design Review
LRIP – Low Rate Initial Production
CPD – Capability Production Document
FRP – Full Rate Production
IOC – Initial Operational Capability
FOC – Full Operational Capability
IPT – Integrated Product Team

33 NIST SP 800-53 Security and Privacy Controls
Security controls are the safeguards/countermeasures prescribed for information systems or organizations that are designed to:
- Protect the confidentiality, integrity, and availability of information that is processed, stored, and transmitted by those systems/organizations; and
- Satisfy a set of defined security requirements.
Key questions:
- What security controls are needed to satisfy the security requirements and to adequately mitigate risk incurred by using information and information systems in the execution of organizational missions and business functions?
- Have the security controls been implemented, or is there an implementation plan in place?
- What is the desired or required level of assurance that the selected security controls, as implemented, are effective in their application?
The answers to these questions are not given in isolation but rather in the context of an effective risk management process for the organization that identifies, mitigates as deemed necessary, and monitors on an ongoing basis the risks arising from its information and information systems.

SLIDE INFORMATION
Slide Type: Content
Supporting ELO: Identify the major principles and components of the Risk Management Framework (RMF) for DoD Information Technology (IT)
Policy / Directive / Standard / DTM ID: DoDI , , NIST SP 
Key Points:
From NIST SP (Introduction): The selection and implementation of security controls for information systems and organizations are important tasks that can have major implications on the operations and assets of organizations as well as the welfare of individuals and the Nation. It is of paramount importance that responsible officials understand the risks and other factors that could adversely affect organizational operations and assets, individuals, other organizations, and the Nation. These officials must also understand the current status of their security programs and the security controls planned or in place to protect their information and information systems in order to make informed judgments and investments that mitigate risks to an acceptable level. The ultimate objective is to conduct the day-to-day operations of the organization and accomplish the organization's stated missions and business functions with what OMB Circular A-130 defines as adequate security, or security commensurate with risk resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information. The guidelines have been developed to achieve more secure information systems and effective risk management within the federal government by:
- Facilitating a more consistent, comparable, and repeatable approach for selecting and specifying security controls for information systems and organizations;
- Providing a stable, yet flexible catalog of security controls to meet current information protection needs and the demands of future protection needs based on changing threats, requirements, and technologies;
- Providing a recommendation for security controls for information systems categorized in accordance with FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems;
- Creating a foundation for the development of assessment methods and procedures for determining security control effectiveness; and
- Improving communication among organizations by providing a common lexicon that supports discussion of risk management concepts.
Key Questions to Ask and Anticipated Answers:
Q: How does using this standard provide for more reciprocity between DoD organizations and between DoD and non-DoD organizations?
A: This is a federal standard that applies to all federal systems. Commercial organizations not working with federal or DoD systems are encouraged to use these standards, but it is not yet mandated.
Terms / Definitions / Acronyms:
A federal information system is an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.
A national security system is any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency: (i) the function, operation, or use of which involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions (excluding a system that is to be used for routine administrative and business applications, e.g., payroll, finance, logistics, and personnel management applications); or (ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.

34 NIST SP 800-53 Security and Privacy Controls
Security Control Structure
Each family contains security controls related to the general security topic of the family. There are 18 security control families and over 900 controls and control enhancements in NIST SP .
Security Control Identifiers and Family Names (table)

SLIDE INFORMATION
Slide Type: Content
Supporting ELO: Identify the major principles and components of the Risk Management Framework (RMF) for DoD Information Technology (IT)
Policy / Directive / Standard / DTM ID: DoDI , , NIST SP 
Key Points:
From NIST SP (p and 13): Security controls described in this publication have a well-defined organization and structure. For ease of use in the security control selection and specification process, controls are organized into eighteen families. Each family contains security controls related to the general security topic of the family. A two-character identifier uniquely identifies security control families, for example, PS (Personnel Security). Security controls may involve aspects of policy, oversight, supervision, manual processes, actions by individuals, or automated mechanisms implemented by information systems/devices.
The security control structure consists of the following components: (i) a control section; (ii) a supplemental guidance section; (iii) a control enhancements section; (iv) a references section; and (v) a priority and baseline allocation section.
To assist organizations in making the appropriate selection of security controls for information systems, the concept of baseline controls is introduced. Baseline controls are the starting point for the security control selection process described in this document and are chosen based on the security category and associated impact level of information systems determined in accordance with FIPS Publication 199 and FIPS Publication 200, respectively. Three security control baselines have been identified, corresponding to low-impact, moderate-impact, and high-impact information systems, using the high water mark defined in FIPS Publication 200 and used in Section 3.1 of this document to provide an initial set of security controls for each impact level. Note for DoD systems: CNSSI 1253 does not apply the high water mark; it selects the baseline from the separate confidentiality, integrity, and availability values.
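The categorize-then-select chain the notes describe (FIPS 199 security category from the information types a system handles, FIPS 200 high water mark, then the SP 800-53 baseline) is mechanical enough to write down. The following is an added example for this lesson, not code from NIST, DAU or any RMF tool; the information types and their impact values are constructed for illustration, and the CNSSI 1253 branch, which keeps the three values separate rather than collapsing them, is included to show where the DoD path diverges from the federal one.

```python
"""
Added example, not from the ISA 201 lesson or any NIST document: a small
implementation of the categorization-to-baseline chain the slide describes.
Information types are aggregated per FIPS 199 (system impact per objective is
the maximum over its information types), the FIPS 200 high water mark gives
the overall impact level that selects the SP 800-53 low/moderate/high
baseline, and for national security systems CNSSI 1253 keeps the three
values separate instead of collapsing them. Information types and impact
values below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable

LEVELS = ("low", "moderate", "high")
RANK = {level: i for i, level in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional SP 800-60 impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def level(self, objective: str) -> str:
        value = getattr(self, objective)
        if value not in RANK:
            raise ValueError(f"{self.name}: bad impact level {value!r} for {objective}")
        return value


def _highest(levels: Iterable[str]) -> str:
    return max(levels, key=RANK.__getitem__)


def categorize_system(info_types: Iterable[InfoType]) -> Dict[str, str]:
    """FIPS 199 aggregation: for each security objective, the system impact is
    the highest impact of any information type the system handles."""
    types = list(info_types)
    if not types:
        raise ValueError("a system must handle at least one information type")
    return {obj: _highest(t.level(obj) for t in types) for obj in OBJECTIVES}


def fips199_notation(category: Dict[str, str]) -> str:
    """Render the security category in the FIPS 199 SC = {...} notation."""
    parts = ", ".join(f"({obj}, {category[obj].upper()})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


def high_water_mark(category: Dict[str, str]) -> str:
    """FIPS 200 high water mark: overall impact = highest of the three objectives."""
    return _highest(category[obj] for obj in OBJECTIVES)


def select_baseline(category: Dict[str, str], national_security_system: bool = False) -> str:
    """Pick the starting control baseline.

    Non-NSS: SP 800-53 has one baseline per high water mark level.
    NSS: CNSSI 1253 does not use the high water mark; its baselines are keyed
    by the separate C-I-A values, written here as e.g. "M-H-H"."""
    if national_security_system:
        return "-".join(category[obj][0].upper() for obj in OBJECTIVES)
    return high_water_mark(category)


if __name__ == "__main__":
    # Constructed information types for a hypothetical maintenance-support system
    sample = [
        InfoType("public maintenance bulletins", "low", "moderate", "moderate"),
        InfoType("technician PII", "moderate", "moderate", "low"),
        InfoType("fleet readiness status", "moderate", "high", "high"),
    ]
    sc = categorize_system(sample)
    print(fips199_notation(sc))
    print("high water mark:", high_water_mark(sc))
    print("800-53 baseline:", select_baseline(sc))
    print("CNSSI 1253 baseline key:", select_baseline(sc, national_security_system=True))
```

The point the code makes that the prose does not: one high-impact information type drags the whole federal system to the high baseline, whereas under CNSSI 1253 the same system would start from an M-H-H baseline with the confidentiality controls still at moderate. Adjusting provisional 800-60 levels up or down before aggregation is a separate, documented step and is not modelled here.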

35 NIST SP 800-53 Security and Privacy Controls (An Example)
Access Control—AC-6—Least Privilege
Control: The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
Supplemental Guidance: Organizations employ least privilege for specific duties and information systems. Related controls: AC-2, AC-3, AC-5, CM-6, CM-7, PL-2.
Control Enhancements:
(1) LEAST PRIVILEGE | AUTHORIZE ACCESS TO SECURITY FUNCTIONS. The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information]. Supplemental Guidance: Security functions include, ...
(Enhancements 2–9 not shown)
(10) LEAST PRIVILEGE | PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS
References: None.
Priority and Baseline Allocation: P1; LOW: not selected; MOD: AC-6 (1) (2) (5) (9) (10); HIGH: AC-6 (1) (2) (3) (5) (9) (10) (NIST SP 800-53 Rev. 4, Appendix F)

SLIDE INFORMATION
Slide Type: Content
Supporting ELO: Identify the major principles and components of the Risk Management Framework (RMF) for DoD Information Technology (IT)
Policy / Directive / Standard / DTM ID: DoDI , , NIST SP 
Key Points:
NIST SP , pages F-18 to F-20.
AC-6 LEAST PRIVILEGE
Control: The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
Supplemental Guidance: Organizations employ least privilege for specific duties and information systems. The principle of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions/business functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational information systems. Related controls: AC-2, AC-3, AC-5, CM-6, CM-7, PL-2.
Control Enhancements:
(1) LEAST PRIVILEGE | AUTHORIZE ACCESS TO SECURITY FUNCTIONS. The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information]. Supplemental Guidance: Security functions include, for example, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Security-relevant information includes, for example, filtering rules for routers/firewalls, cryptographic key management information, configuration parameters for security services, and access control lists. Explicitly authorized personnel include, for example, security administrators, system and network administrators, system security officers, system maintenance personnel, system programmers, and other privileged users. Related controls: AC-17, AC-18, AC-19.
(2) LEAST PRIVILEGE | NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS. The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined security functions or security-relevant information], use non-privileged accounts or roles, when accessing nonsecurity functions. Supplemental Guidance: This control enhancement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. Related control: PL-4.
(3) LEAST PRIVILEGE | NETWORK ACCESS TO PRIVILEGED COMMANDS. The organization authorizes network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and documents the rationale for such access in the security plan for the information system. Supplemental Guidance: Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device). Related control: AC-17.
(4) LEAST PRIVILEGE | SEPARATE PROCESSING DOMAINS. The information system provides separate processing domains to enable finer-grained allocation of user privileges. Supplemental Guidance: Providing separate processing domains for finer-grained allocation of user privileges includes, for example: (i) using virtualization techniques to allow additional privileges within a virtual machine while restricting privileges to other virtual machines or to the underlying actual machine; (ii) employing hardware and/or software domain separation mechanisms; and (iii) implementing separate physical domains. Related controls: AC-4, SC-3, SC-30, SC-32.
(5) LEAST PRIVILEGE | PRIVILEGED ACCOUNTS. The organization restricts privileged accounts on the information system to [Assignment: organization-defined personnel or roles]. Supplemental Guidance: Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information/functions. Organizations may differentiate in the application of this control enhancement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control information system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk. Related control: CM-6.
(6) LEAST PRIVILEGE | PRIVILEGED ACCESS BY NON-ORGANIZATIONAL USERS. The organization prohibits privileged access to the information system by non-organizational users. Supplemental Guidance: Related control: IA-8.
(7) LEAST PRIVILEGE | REVIEW OF USER PRIVILEGES. The organization: (a) Reviews [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and (b) Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs. Supplemental Guidance: The need for certain assigned user privileges may change over time reflecting changes in organizational missions/business function, environments of operation, technologies, or threat. Periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions. Related control: CA-7.
(8) LEAST PRIVILEGE | PRIVILEGE LEVELS FOR CODE EXECUTION. The information system prevents [Assignment: organization-defined software] from executing at higher privilege levels than users executing the software. Supplemental Guidance: In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by organizations.
(9) LEAST PRIVILEGE | AUDITING USE OF PRIVILEGED FUNCTIONS. The information system audits the execution of privileged functions. Supplemental Guidance: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat (APT). Related control: AU-2.
(10) LEAST PRIVILEGE | PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS. The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. Supplemental Guidance: Privileged functions include, for example, establishing information system accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.
Key Questions to Ask and Anticipated Answers:
Note: This slide is only meant to show how NIST SP lays out controls and enhancements. It is not meant to get into the principle of least privilege.
If you have questions on this term, a quick definition and example is provided below. Terms \ Definitions \ Acronyms: Principle of Least Privilege (POLP) – the practice of limiting access to the minimal level that will allow normal functioning. Applied to employees, the principle of least privilege translates to giving people the lowest level of user rights that they can have and still do their jobs. The principle is also applied to things other than people, including programs and processes. This principle restricts how privileges are granted. Definition The Principle of Least Privilege states that a subject should be given only those privileges needed for it to complete its task. If a subject does not need an access right, the subject should not have that right. Further, the function of the subject (as opposed to its identity) should control the assignment of rights. If a specific action requires that a subject's access rights be augmented, those extra rights should be relinquished immediately upon completion of the action. This principle requires that processes should be confined to as small a protection domain as possible. Example The UNIX operating system does not apply access controls to the user root. That user can terminate any process and read, write, or delete any file. Thus, users who create back-ups can also delete files. The administrator account on Windows has the same powers. Cybersecurity
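The AC-6 enhancements quoted above describe checks an administrator can actually run against an account inventory. The following is an added example, not code from the course, NIST or DoD: it reviews a constructed list of accounts against AC-6(2), (5), (6) and (7). The role names, the 90-day review window and every account record are assumptions made for this example.

```python
"""Privilege review helper for NIST SP 800-53 AC-6 enhancements (2), (5), (6), (7).

Added example, not from the ISA 201 course or from NIST: the account records,
role names and 90-day review window are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# AC-6(5): privileged accounts restricted to organization-defined roles
# (assumed role names for this example).
AUTHORIZED_PRIVILEGED_ROLES = {"system-administrator", "security-administrator"}
# AC-6(7): organization-defined review frequency (assumed value).
REVIEW_WINDOW = timedelta(days=90)


@dataclass(frozen=True)
class Account:
    name: str
    owner: str            # person behind the account
    role: str
    organizational: bool  # False for vendor / partner personnel
    privileged: bool
    last_reviewed: date
    justification: str    # documented need for the privilege ("" = none recorded)


@dataclass(frozen=True)
class Finding:
    account: str
    enhancement: str
    action: str


def review_privileges(accounts, today):
    """Return corrective actions for privileged accounts that fail the checks."""
    non_privileged_owners = {a.owner for a in accounts if not a.privileged}
    findings = []
    for acct in accounts:
        if not acct.privileged:
            continue
        if not acct.organizational:
            # AC-6(6): no privileged access for non-organizational users
            findings.append(Finding(acct.name, "AC-6(6)",
                                    "remove privileged access: non-organizational user"))
            continue
        if acct.role not in AUTHORIZED_PRIVILEGED_ROLES:
            # AC-6(5): only the defined roles may hold privileged accounts
            findings.append(Finding(acct.name, "AC-6(5)",
                                    f"remove privileged access: role '{acct.role}' not authorized"))
            continue
        if today - acct.last_reviewed > REVIEW_WINDOW or not acct.justification.strip():
            # AC-6(7): the need for the privilege must be periodically revalidated
            findings.append(Finding(acct.name, "AC-6(7)",
                                    "revalidate or remove: review overdue or no documented need"))
        if acct.owner not in non_privileged_owners:
            # AC-6(2): privileged users need a separate non-privileged account
            # for nonsecurity functions (mail, browsing, documents)
            findings.append(Finding(acct.name, "AC-6(2)",
                                    "issue a non-privileged account for nonsecurity functions"))
    return findings


# Constructed sample population; names and dates are made up.
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "alice", "analyst", True, False, date(2024, 5, 2), ""),
    Account("alice-adm", "alice", "system-administrator", True, True, date(2024, 5, 2), "runs monthly patch cycle"),
    Account("bob", "bob", "help-desk", True, False, date(2024, 5, 2), ""),
    Account("bob-adm", "bob", "help-desk", True, True, date(2024, 5, 2), "password resets"),
    Account("carol-adm", "carol", "system-administrator", False, True, date(2024, 5, 2), "vendor support"),
    Account("dave", "dave", "analyst", True, False, date(2024, 2, 1), ""),
    Account("dave-adm", "dave", "security-administrator", True, True, date(2024, 2, 1), ""),
    Account("erin-adm", "erin", "security-administrator", True, True, date(2024, 5, 22), "cryptographic key management"),
]


def run_sample_review():
    return review_privileges(SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for f in run_sample_review():
        print(f"{f.account:10} {f.enhancement:8} {f.action}")
```

Run stand-alone it prints one line per finding: bob-adm (role not authorized), carol-adm (non-organizational), dave-adm (review overdue and no justification) and erin-adm (no separate non-privileged account). The checks are ordered so that an account that should not be privileged at all is reported once rather than also flagged for a stale review.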

36 NIST SP 800-53 Security and Privacy Controls (continued)
Security Control Designations
There are three distinct types of designations related to the security controls listed. These designations include:
Common Controls: Security controls whose implementation results in a security capability that is inheritable by one or more organizational information systems.
System-Specific Controls: The primary responsibility of information system owners and their respective authorizing officials.
Hybrid Controls: One part of the control is common and another part of the control is system-specific.
SLIDE INFORMATION*************************************************************************************************************************** *Slide Type(Content or Exercise): Content *ELO ID (Use a Comma to separate ELOs if more than one is addressed): ********************************************************************************************************************************************************** Supporting ELOs ID: ELO Identify the major principles and components of the Risk Management Framework (RMF) for DoD Information Technology (IT) Policy / Directive / Standard / DTM ID: DoDI , , NIST SP Key Points: See below From NIST SP Organizations are required to adequately mitigate the risk arising from use of information and information systems in the execution of missions and business functions. A significant challenge for organizations is to determine the most cost-effective, appropriate set of security controls, which if implemented and determined to be effective, would mitigate risk while complying with security requirements defined by applicable federal laws, Executive Orders, regulations, policies, directives, or standards (e.g., FISMA, OMB Circular A-130, HSPD-12, FIPS Publication 200). There is no one correct set of security controls that addresses all organizational security concerns in all situations. 
Common controls are security controls whose implementation results in a security capability that is inheritable by one or more organizational information systems. Security controls are deemed inheritable by information systems or information system components when the systems or components receive protection from the implemented controls but the controls are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the systems or components—entities internal or external to the organizations where the systems or components reside. Security capabilities provided by common controls can be inherited from many sources including, for example, organizations, organizational mission/business lines, sites, enclaves, environments of operation, or other information systems. When common controls protect multiple organizational information systems of differing impact levels, the controls are implemented with regard to the highest impact level among the systems. Security controls not designated as common controls are considered system-specific or hybrid controls. System-specific controls are the primary responsibility of information system owners and their respective authorizing officials. Organizations assign a hybrid status to security controls when one part of the control is common and another part of the control is system-specific. For example, an organization may choose to implement the Incident Response Policy and Procedures security control (IR-1) as a hybrid control with the policy portion of the control designated as common and the procedures portion of the control designated as system-specific. Hybrid controls may also serve as predefined templates for further control refinement. 
Organizations may choose, for example, to implement the Contingency Planning security control (CP-2) as a predefined template for a generalized contingency plan for all organizational information systems with information system owners tailoring the plan, where appropriate, for system-specific uses. The determination as to whether a security control is a common, hybrid, or system-specific is context-based. Security controls cannot be determined to be common, hybrid, or system-specific simply based on reviewing the language of the control. For example, a control may be system-specific for a particular information system, but at the same time that control could be a common control for another system, which would inherit the control from the first system. One indicator of whether a system-specific control may also be a common control for other information systems is to consider who or what depends on the functionality of that particular control. If a certain part of an information system or solution external to the system boundary depends on the control, then that control may be a candidate for common control identification. Key Questions to Ask and Anticipated Answers: Terms \ Definitions \ Acronyms: Terms are defined above. Cybersecurity

37 Assessing Security Controls Example Procedures
SLIDE INFORMATION*************************************************************************************************************************** *Slide Type(Content or Exercise): Content *ELO ID (Use a Comma to separate ELOs if more than one is addressed): ********************************************************************************************************************************************************** Supporting ELOs ID: ELO Identify the major principles and components of the Risk Management Framework (RMF) for DoD Information Technology (IT) Policy / Directive / Standard / DTM ID: DoDI , , NIST SP A Key Points: See below This example can be found on PAGE F-316 of NIST SP A Remember, this is an example only and is not intended to be used for an in-depth discussion The RMF Knowledge Service Security Control Explorer provides potential assessment methods and objects that are specific to the DoD. (Must register with the Knowledge Service to log in) Key Questions to Ask and Anticipated Answers: Terms \ Definitions \ Acronyms: Cybersecurity

38 Summary of Changes to Cybersecurity Roles & Responsibilities
SLIDE INFORMATION*************************************************************************************************************************** *Slide Type(Content or Exercise): Content *ELO ID (Use a Comma to separate ELOs if more than one is addressed): ********************************************************************************************************************************************************** Supporting ELOs ID: ELO Identify the major principles and components of the Risk Management Framework (RMF) for DoD Information Technology (IT) Policy / Directive / Standard / DTM ID: DoDI Key Points: See below DoDI – page 10 Table 1. Appointment of RMF Roles
Role | Appointed By
PAO (formerly principal accrediting authority) | DoD MA owner
DoD SISO (formerly the Senior IA Officer) | DoD CIO
DoD Component CIO | DoD Component head
AO (formerly designated approving (or accrediting) authority) | DoD Component head; PAO for MA-managed ISs
AODR (formerly designated approving (or accrediting) authority representative) | AO
DoD Component SISO | DoD Component CIO or, in organizations in which the position of DoD Component CIO does not exist, the DoD Component head.
SCA (formerly certifying authority) | DoD Component SISO is the Component SCA, but may formally delegate the SCA role as appropriate.
PM/SM | DoD Component head
ISSM (formerly IA manager) | PM or SM
UR | ISO
RMF TAG Representative (formerly DIACAP TAG Representative) | DoD Component SISO
Key Questions to Ask and Anticipated Answers: Terms \ Definitions \ Acronyms: Cybersecurity

39 RMF Governance SLIDE INFORMATION*************************************************************************************************************************** *Slide Type(Content or Exercise): Content *ELO ID (Use a Comma to separate ELOs if more than one is addressed): ********************************************************************************************************************************************************** Supporting ELOs ID: ELO Identify the major principles and components of the Risk Management Framework (RMF) for DoD Information Technology (IT) Policy / Directive / Standard / DTM ID: DoDI , Key Points: See below Key Questions to Ask and Anticipated Answers: Q: At what tier is the system authorized? A: Tier 3 (Authorizing official). If issues arise, it will go to the next tier. Please note that if an ATO with conditions is granted, it must rise to tier 2, DoD Component CIO Terms \ Definitions \ Acronyms: Cybersecurity

40 This site requires CAC registration
RMF Knowledge Service The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. Risk Management Framework Knowledge Service This site requires CAC registration SLIDE INFORMATION*************************************************************************************************************************** *Slide Type(Content or Exercise): Content *ELO ID (Use a Comma to separate ELOs if more than one is addressed): ********************************************************************************************************************************************************** Supporting ELOs ID: ELO Identify the major principles and components of the Risk Management Framework (RMF) for DoD Information Technology (IT) Policy / Directive / Standard / DTM ID: DoDI , Key Points: See below The Risk Management Framework (RMF) Knowledge Service (KS) is DoD's official site for enterprise RMF policy and implementation guidelines. The RMF Knowledge Service provides Cybersecurity practitioners and managers with a single authorized source for execution and implementation guidance, community forums, and the latest information and developments in the RMF. The KS and eMASS were designed to work together to provide the DoD cybersecurity community with both implementation guidance, and an automated tool to successfully execute the DoD RMF process.  The function of the RMF KS is to provide 24/7 access to the latest RMF policy, implementation guidance, and assessment procedures necessary to manually implement the RMF, and provides additional capabilities and collaboration features to assist the DoD cybersecurity community in both implementing and managing the RMF process.  The function of eMASS is to provide the DoD user community with a tool that automates the RMF process workflow activities defined on the KS, and enable enterprise functions, such as enterprise visibility, reporting, and inheritance. What is eMASS? 
Enterprise Mission Assurance Support Service, or eMASS, is a government owned web based application, which provides visibility and automation for Cyber Security Management processes. eMASS enables cybersecurity managers and senior decision makers at all enterprise levels to comprehend the scope and state of cybersecurity activities within the enterprise, which can assist in identifying cybersecurity requirements, developing policy, and making decisions concerning acquisition and cybersecurity resources and programming. Key Questions to Ask and Anticipated Answers: A few RMF FAQs – There are many more: 1 Why did the DoD move from a unique DoD certification and accreditation process to the risk management framework (RMF)? The DoD joined the Joint Task Force (JTF) Transformation Initiative Interagency Working Group along with National Institute for Standards and Technology (NIST) and Committee on National Security Systems (CNSS). The efforts of the working group have resulted in a common Federal cybersecurity terminology so we are all speaking the same language. NIST SP “Guide for Applying the Risk Management Framework to Federal Information Systems” was developed under this concept and is used by a majority of federal agencies. DoD leveraged this policy and slightly modified requirements to meet DoD needs. 2 Why was the term cybersecurity adopted in lieu of information assurance (IA)? The term "cybersecurity" was first used and defined at the federal level in National Security Presidential Directive-54/Homeland Security Presidential Directive-23, "Cybersecurity Policy," January 8, 2008 and came into widespread use across the federal government during the next several years. 
Considering this widespread use and the fact that the definition of cybersecurity in the Presidential directive is similar to and captures all of the elements of DoD's definition of information assurance it was decided to adopt that term and definition to remain consistent with the terminology used at the federal level. eMass FAQs (from RMF website) FAQs 2.01 Where can I find out more about eMASS? Click on the Automated Tools Section, located under the Implementation Guidance menu.  This section describes what eMASS is and also provides detailed information on how to request an instance of eMASS, hardware/software considerations, and Points of Contact (POCs) for additional information. 2.02 Is eMASS currently available for use? Yes, specific guidance on acquiring eMASS can be found on the DIACAP Knowledge Service under the Automated Tools section. 2.03 How do I request an eMASS account? If a user’s organization has an eMASS Instance, then access will be granted by the organization’s eMASS System Administrator.   In some cases, the System Administrator will require a completed DD2875.  The user will need to go to their instance’s eMASS URL and select to register for a new account following the provided instructions. If a user’s organization is not using eMASS, please refer to the question above. 2.04 Who to contact to acquire eMASS or to request a demonstration? All requests for eMASS must be communicated to the eMASS PM: Yolonda Baldwin, PEO-MA 2.05 Is eMASS mandated by DoD CIO? No. While eMASS is not mandated for use, DoD CIO specifically developed eMASS while initially developing the DIACAP, and has been working hand in hand with DISA to facilitate eMASS’ update to support the RMF for DoD IT. 2.06 Is eMASS Accredited/Authorized? Yes, eMASS has been accredited with an ATO. 2.07 Will eMASS be maintained to a single, joint, GIG-focused standard to prevent four distinct Service flavors? Yes.  DoD will maintain configuration control of eMASS. 
2.08 Is eMASS a web-based application? Yes. 2.09 What internet browsers are compatible with eMASS? To enable eMASS to be viewed in a compatible browser, a user must have IE 7+ or Firefox 3.0+. 2.10 What specific functionality does eMASS bring to the assessment and authorization process? eMASS provides capabilities to dynamically manage the workflow and automation for cybersecurity management processes throughout a system’s lifecycle.  It also provides the capability to share visibility of an organization’s systems and users across multiple geographies, providing a virtual team environment.  eMASS offers near real-time security control processing, status, and reporting while standardizing the cybersecurity process through the use of standard assessment procedures and documentation templates.  From end to end, eMASS functionality directly maps to the DIACAP and RMF activities and produces all necessary deliverables. 2.11 Is Training available for eMASS? Yes, on-site technical training is available.  For more information on on-site training, please contact the eMASS PM at DISA: Terms \ Definitions \ Acronyms: Cybersecurity

41 RMF Steps Lesson Plan Status Cybersecurity Concepts
Cybersecurity in the DoD The Risk Management Framework (RMF) for DoD Information Technology (IT) RMF Steps Exercise SLIDE INFORMATION*************************************************************************************************************************** *Slide Type: Content *ELO ID (Use a Comma to separate ELOs if more than one is addressed): , , , ********************************************************************************************************************************************************** Supporting ELOs ID: ELO Identify the basic concepts, threats, and best practices associated with cybersecurity in the DoD. ELO Identify the policies and principles that support cybersecurity for DoD Information Technology (IT) ELO Identify the major principles and components of the Risk Management Framework (RMF) for DoD Information Technology (IT) ELO Identify the six steps of the Risk Management Framework (RMF) for DoD Information Technology (IT) Policy / Directive / Standard / DTM ID: DoDI , Key Points: Overview Slide only Key Questions to Ask and Anticipated Answers: Overview slide only Terms \ Definitions \ Acronyms: Cybersecurity

42 RMF—6 Step Process SLIDE INFORMATION*************************************************************************************************************************** *Slide Type(Content or Exercise): Content *ELO ID (Use a Comma to separate ELOs if more than one is addressed): ********************************************************************************************************************************************************** Supporting ELOs ID: ELO Identify the six steps of the Risk Management Framework (RMF) for DoD Information Technology (IT) Policy / Directive / Standard / DTM ID: DoDI Key Points: See below Informational/introductory only. Steps will be expanded on in the next 3 slides. Key Questions to Ask and Anticipated Answers: Terms \ Definitions \ Acronyms: This process parallels the system life cycle, with the RMF activities being initiated at program or system inception Cybersecurity

43 RMF—Steps 1 and 2
Step 1—Categorize System
Categorize the system in accordance with CNSSI 1253 and document the results in the security plan.
Describe the system (including system boundary) and document the description in the security plan.
Register the system with the DoD Component Cybersecurity Program.
Assign qualified personnel to RMF roles.
Step 2—Select Security Controls
Common Control Identification - Common controls are selected as “common” and provided via the Knowledge Service based on risk assessments conducted by these entities at the Tier 1 and Tier 2 levels.
Security Control Baseline and Overlay Selection - Identify the security control baseline for the system.
Monitoring Strategy—Develop and document a system-level strategy for the continuous monitoring of the effectiveness of security controls.
SLIDE INFORMATION*************************************************************************************************************************** *Slide Type(Content or Exercise): Content *ELO ID (Use a Comma to separate ELOs if more than one is addressed): ********************************************************************************************************************************************************** Supporting ELOs ID: ELO Identify the six steps of the Risk Management Framework (RMF) for DoD Information Technology (IT) Policy / Directive / Standard / DTM ID: DoDI Key Points: See below FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems, is a mandatory federal standard developed by NIST in response to FISMA. 
To comply with the federal standard, organizations first determine the security category of their information system in accordance with FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, derive the information system impact level from the security category in accordance with FIPS 200, and then apply the appropriately tailored set of baseline security controls in NIST Special Publication , Security and Privacy Controls for Federal Information Systems and Organizations. Key Questions to Ask and Anticipated Answers: Terms \ Definitions \ Acronyms: Excerpt from DoDI a. Step 1 - Categorize System  (1) Categorize the system in accordance with Reference (g) and document the results in the security plan. Categorization of IS and PIT systems is a coordinated effort between the PM/SM, ISO, IO, mission owner(s), ISSM, AO, or their designated representatives. In the categorization process, the IO identifies the potential impact (low, moderate, or high) resulting from loss of confidentiality, integrity, and availability if a security breach occurs. For acquisition programs, this categorization will be documented as a required capability in the initial capabilities document, the capabilities design document, the capabilities production document, and the cybersecurity strategy within the program protection plan (PPP). Specific guidance on determining the security category for information types and ISs is included in the KS. (2) Describe the system (including system boundary) and document the description in the security plan. (3) Register the system with the DoD Component Cybersecurity Program. See DoD Component implementing policy for detailed procedures for system registration. (4) Assign qualified personnel to RMF roles. The members of the RMF Team are required to meet the suitability and fitness requirements established in DoD R (Reference (y)). 
RMF Team members must also meet appropriate qualification standards in accordance with Reference (p). RMF team member assignments must be documented in the security plan. (5) To avoid potential conflicts of interest or undue influence in RMF roles, certain designations or relationships will not be allowed. The AO or SCA cannot be or report to the PM/SM or program executive officer. The UR cannot be or report to the PM/SM. b. Step 2 - Select Security Controls  (1) Common Control Identification. This task is the responsibility of the DoD CIO, DoD Component CIOs, and other organizations and entities that provide solutions for common controls. Common controls are selected as “common” and provided via the KS based on risk assessments conducted by these entities at the Tier 1 and Tier 2 levels. By identifying the security controls that are provided by the organization as common solutions for IS and PIT systems, and documenting the assessment and authorization of the controls in a security plan (or equivalent document), individual systems within those organizations can leverage these common controls through inheritance. See the KS for identification of common controls for DoD and additional information on how they are documented within the security authorization package. (2) Security Control Baseline and Overlay Selection. Identify the security control baseline for the system, as provided in Reference (g), and document in the security plan. The baselines identified in Reference (g) address the overall threat environment for DoD IS and PIT systems. In this step, the applicable security controls baseline and relevant overlays for a system are assigned. See Reference (g) and the KS for detailed procedures. In brief, the process consists of: (a) Selecting the applicable initial security control baseline from Reference (g) based on the IS categorization. 
These security control baselines identify the specific security controls from Reference (h) that are applicable to the system categorization.
  (b) Identifying overlays that apply to the IS or PIT system due to information contained within the system or environment of operation. Overlays may add or subtract security controls, or provide additional guidance regarding security controls, resulting in a set of security controls applicable to that system that is a combination of the baseline and overlay. The combination of baselines and overlays addresses the unique security protection needs associated with specific types of information or operational requirements. Overlays reduce the need for ad hoc or case-by-case tailoring by allowing COIs to develop standardized overlays that address their specific needs and scenarios. Access to the overlays, and guidance regarding how to determine which overlays may apply, are included in the KS. The KS is the authoritative source for detailed security control descriptions, implementation guidance and assessment procedures. Examples of overlays include:
    1. Tactical environments.
    2. PIT systems (including special categories of PIT systems, such as Industrial Control Systems or tactical PIT systems).
    3. Personally identifiable information (PII) and Health Insurance Portability and Accountability Act (Reference (z)) requirements.
    4. Cross-domain requirements.
    5. Classified information.
  (c) If necessary, tailor (modify) a control set in response to increased risk from changes in threats or vulnerabilities, or variations in risk tolerance. The resultant set of security controls derived from tailoring is referred to as the tailored control set. Tailoring decisions must be aligned with operational considerations and the environment of the IS or PIT system and should be coordinated with mission owner(s) and URs. Security controls should be added or removed only as a function of specified, risk-based determinations. Tailoring decisions, including the specific rationale (e.g., mapping to risk tolerance) for those decisions, are documented in the security plan for the system. Every selected control must be accounted for either by the organization or the ISO or PM/SM. If a selected control is not implemented, then the rationale for not implementing the control must be documented in the security plan and POA&M. The tailoring process may include:
    1. Applying scoping guidance to the initial set of security controls;
    2. Selecting or specifying compensating controls to adjust the initial set of security controls to obtain an equivalent set deemed to be more feasible to implement; or
    3. Specifying organization-defined parameters in the security controls via explicit assignment and selection statements to complete the definition of the tailored set of security controls.
  (d) Supplementing the tailored baseline security control set, if necessary, with additional controls or control enhancements that consider local conditions including environment of operation, organization-specific security requirements, specific threat information, cost-benefit analyses, or special circumstances, and are based on risk assessments consistent with NIST SP (Reference (k)).
  (e) The resulting set of security controls is documented, along with the supporting rationale for selection decisions and any system use restrictions, in the security plan. The security plan must identify all common controls inherited from external providers, and establish minimum assurance requirements for those controls.
(3) Monitoring Strategy. Develop and document a system-level strategy for the continuous monitoring of the effectiveness of security controls employed within or inherited by the system, and monitoring of any proposed or actual changes to the system and its environment of operation. The strategy must include the plan for annual assessments of a subset of implemented security controls, and the level of independence required of the assessor (e.g., ISSM or SCA). The breadth, depth, and rigor of these annual assessments should be reflective of the security categorization of the system and threats to the system. The SCA should be integral to the development of this strategy. The system-level continuous monitoring strategy must conform to all applicable published DoD enterprise-level or DoD Component-level continuous monitoring strategies.
(4) Security Plan and System-Level Continuous Monitoring Strategy Review and Approval. The DoD Components will develop and implement processes whereby the AO (or designee) reviews and approves the security plan and system-level continuous monitoring strategy submitted by the ISO or PM/SM. By approving the security plan, the AO agrees to the system categorization, the set of security controls proposed to meet the security requirements for the system, and the adequacy of the system-level continuous monitoring strategy. The approval of the security plan also establishes the level of effort required to successfully complete the remainder of the steps in the RMF and provides the basis of the security specification for the acquisition of the system, subsystems, or components. For acquisition programs, approval should be accomplished before Milestone B and the issuance of the design and development request for proposals. If the security plan is deemed unacceptable, the AO or designated representative sends the plan back to the ISO or PM/SM for appropriate action. The AO approval of the security plan must be documented in the security plan.

44 RMF—Steps 3 and 4

Step 3—Implement Security Controls
Implement/document security controls specified in the security plan
Security controls that are available for inheritance by IS and PIT systems will be identified and have associated compliance status provided by hosting or connected systems

Step 4—Assess Security Controls
Develop, review, and approve a plan to assess security controls.
Assess the security controls in accordance with the security assessment plan and DoD assessment procedures
Prepare Security Assessment Report and document the issues, findings, & recommendations from security control assessment
Conduct remediation actions on non-compliant security controls based on the findings and recommendations of the SAR

SLIDE INFORMATION
Slide Type (Content or Exercise): Content
ELO ID (Use a Comma to separate ELOs if more than one is addressed):
Supporting ELOs ID: ELO Identify the six steps of the Risk Management Framework (RMF) for DoD Information Technology (IT)
Policy / Directive / Standard / DTM ID: DoDI
Key Points: See below
Key Questions to Ask and Anticipated Answers:
Terms \ Definitions \ Acronyms:

Excerpt from DoDI
c. Step 3 - Implement Security Controls
(1) Implement the security controls specified in the security plan in accordance with DoD implementation guidance found on the KS.
  (a) Products used within an IS or PIT system boundary will be configured in accordance with applicable STIGs or SRGs where STIGs are not available.
  (b) Security controls are implemented consistent with DoD and DoD Component IA architectures and standards, employing system and software engineering methodologies, security engineering principles, and secure coding techniques. DoD recommended security control implementation guidance is available on the KS.
  (c) The ISO or PM/SM must ensure early and ongoing involvement by IS security engineers qualified in accordance with DoD M (Reference (aa)). Mission owner(s) must translate security controls into system specifications, ensure the successful integration of those specifications into the system design, and ensure security engineering trades do not impact the ability of the system to meet the fundamental mission requirements. This includes ensuring that technical and performance requirements derived from the assigned security controls are included in requests for proposals and subsequent contract documents for design, development, production, and maintenance.
  (d) The proposed system security design must be addressed in preliminary and critical design reviews. System security design should address security controls that may be satisfied through inheritance of common controls. In addition, mandatory configuration settings are established and implemented on IT products in accordance with federal and DoD policies.
  (e) PMs for programs acquiring IS or PIT systems in accordance with Reference (s) must integrate the security engineering of cybersecurity requirements and cybersecurity testing considerations into the program’s overall systems engineering process, and document and update this approach in the program’s systems engineering plan and PPP throughout the system development lifecycle.
(2) Document the security control implementation in accordance with DoD implementation guidance found on the KS, in the security plan, providing a description of the control implementation (including planned inputs, expected behavior, and expected outputs) if not in accordance with the KS guidance. See the KS for specific control documentation requirements, including required artifacts, templates, and best practices.
(3) Security controls that are available for inheritance (e.g., common controls) by IS and PIT systems will be identified and have associated compliance status provided by hosting or connected systems.

d. Step 4 - Assess Security Controls
(1) Develop, review, and approve a plan to assess the security controls. An assessment methodology consistent with Reference (k) is provided in the KS as a model for use or adaptation. DoD Components will use this model, or justify the use of another risk assessment methodology within the Component, to include addressing understanding of the impact on reciprocity across the federal, Intelligence, and DoD communities. The risk assessment will be used by the SCA to determine the level of overall system cybersecurity risk and as a basis for a recommendation for risk acceptance or denial to the AO. The SCA develops the security assessment plan, and the AO or AODR reviews and approves the plan. PMs of programs acquiring IS and PIT systems, in concert with the SCA and the program’s T&E working-level integrated product team, must:
  (a) Ensure security control assessment activities are coordinated with the following: interoperability and supportability certification efforts; DT&E events; OT&E events.
  (b) Ensure the coordination of activities is documented in the security assessment plan and the program T&E documentation, to maximize effectiveness, reuse, and efficiency. Where appropriate, integrated testing should include the evaluation of survivability, assessment of controls, and certification testing, as well as developmental and OT&E.
(2) Assess the security controls in accordance with the security assessment plan and DoD assessment procedures. Assessment procedures are used to verify that a security control has been properly implemented. SRG and STIG compliance results will be documented and used as part of the overall security control assessment. The KS is the authoritative source for security control assessment procedures. Actual results are recorded in the SAR and POA&M as part of the security authorization package, along with any artifacts produced during the assessment (e.g., output from automated test tools or screen shots that depict aspects of system configuration). For inherited security controls, assessment test results and supporting documentation are maintained by the providing system and are made available to SCAs of receiving systems on request. For common controls inherited from the enterprise, instructions for documenting compliance are provided on the KS. SCAs will maximize the reuse of existing assessment (i.e., a leveraged authorization) and T&E documentation in their assessment of the system.
  (a) Record Security Control Compliance Status. If no vulnerabilities are found through the process of executing the assessment procedures, the security control is recorded as compliant. If vulnerabilities are found, the control is recorded as NC in the POA&M, with sufficient explanation. Security controls that are not technically or procedurally relevant to the system, as determined by the AO, will be recorded as not applicable (NA) in the POA&M, with sufficient justification. The status and results of all security control assessments in the control set (see paragraph 2b(2) of this enclosure) will be recorded in the SAR. DoD implementation guidance and assessment procedures are available on the KS. Assessment procedures that are used that are not in accordance with the KS will be documented fully in the SAR.
  (b) Assign Vulnerability Severity Value for Security Controls. Vulnerability severity values are assigned to all NC controls by the SCA as part of the security control analysis to indicate the severity associated with the identified vulnerability. Vulnerability severity values are identified in Reference (k). Vulnerability severity values for security controls are informed by assessment at the CCI level. If a control has a STIG or SRG associated through CCIs, the vulnerabilities identified by STIG or SRG assessments will be used to inform the overall vulnerability severity value for the security control.
  (c) Determine Risk Level for Security Controls. The SCA determines and documents in the SAR a risk level for every NC security control in the system baseline. NC controls are subjected to a risk assessment process that considers multiple factors in producing the risk level. As described in Reference (k), these factors include, but are not limited to:
    1. The SCA’s determination that a credible or validated threat source and potential event exists that is capable of, and likely to, exploit vulnerabilities in the implementation of the control.
    2. Vulnerability severity level and pre-disposing conditions. This includes the SCA’s estimate of the adequacy of existing mitigations or compensating controls to address the vulnerability and mitigations provided by the hosting enclave, CNDSP, or other protective measures.
    3. The cybersecurity attribute (i.e., confidentiality, integrity, or availability) and associated categorization impact level (high, moderate, low) related to the control.
    4. The SCA’s estimate of impact of a successful threat event.
  (d) Assess and Characterize Aggregate Level of Risk to the System. The SCA must determine and document in the SAR an assessment of overall system level of risk (see levels of risk in Reference (k)), and identify the key drivers for the assessment. The SCA’s risk assessment considers threats, vulnerabilities, and potential impacts as well as existing and planned risk mitigation. The risk assessment must address all NC controls, and clearly communicate the SCA’s conclusion on system cybersecurity risk, and any recommendations for special instructions to accompany the authorization decision.
(3) Prepare the SAR, documenting the issues, findings, and recommendations from the security control assessment. The SAR documents the SCA’s findings of compliance with assigned security controls based on actual assessment results. It addresses security controls in a NC status, including existing and planned mitigations. A SAR is always required before an authorization decision. If a compelling mission or business need requires the rapid introduction of a new IS or PIT system, assessment activity and a SAR are still required.
(4) Conduct remediation actions on NC security controls based on the findings and recommendations of the SAR and reassess remediated control(s), as appropriate.

45 RMF—Steps 5 and 6

Step 5—Authorize System
Prepare the Plan of Actions and Milestones (POA&M) based on the vulnerabilities identified during the security control assessment
Assemble the security authorization package and submit the package to the AO for adjudication.
Determine the risk to organizational operations, organizational assets, individuals, other organizations, or the Nation
Determine if the risk to organizational operations, organizational assets, individuals, other organizations, or the Nation is acceptable

Step 6—Monitor Security Controls
Determine the security impact of proposed or actual changes to the IS or PIT system and its environment of operation
Assess a subset of the security controls employed within and inherited by the IS or PIT system
Conduct remediation actions
Implement a system decommissioning strategy, when needed.

SLIDE INFORMATION
Slide Type (Content or Exercise): Content
ELO ID (Use a Comma to separate ELOs if more than one is addressed):
Supporting ELOs ID: ELO Identify the six steps of the Risk Management Framework (RMF) for DoD Information Technology (IT)
Policy / Directive / Standard / DTM ID: DoDI
Key Points: See below
Key Questions to Ask and Anticipated Answers:
Terms \ Definitions \ Acronyms:

Excerpt from DoDI
e. Step 5 - Authorize System
(1) Prepare the POA&M based on the vulnerabilities identified during the security control assessment. A full discussion and templates for preparing a POA&M is provided in the KS.
  (a) A POA&M that the ISO or PM/SM develops:
    1. Identifies tasks that need to be accomplished to remediate or mitigate vulnerabilities.
    2. Specifies resources required to accomplish the elements of the plan.
    3. Includes milestones for completing tasks and their scheduled completion dates.
  (b) POA&Ms are maintained throughout the system life cycle. Once posted to the POA&M, vulnerabilities will be updated after correction or mitigation actions are completed, but not removed.
  (c) Inherited vulnerabilities must be addressed on the POA&Ms. POA&Ms must be active throughout a system’s life cycle as vulnerabilities remain or are remediated.
  (d) The AOs, or AODRs, must monitor and track overall execution of POA&Ms under their responsibility.
  (e) The ISO or PM/SM must implement the corrective actions identified in the POA&M. With the support and assistance of the ISSM, they must also provide visibility and status to the AO and the SISO.
  (f) The DoD Component SISOs must monitor and track the overall execution of system-level POA&Ms across the entire Component until identified security vulnerabilities have been remediated and the RMF documentation is appropriately adjusted.
(2) Assemble the security authorization package and submit the package to the AO for adjudication. The ISSM assembles the security authorization package, consisting of the updated security plan, the SAR, and the POA&M. The security authorization package must also contain, or provide links to, the appropriate documentation for any security controls that are being satisfied through inheritance (e.g., security authorization packages, contract documents, MOAs, and SLAs). The security authorization package is submitted to the AO (via the AODR if appropriate) for review and final acceptance.
(3) Determine the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation. The AO considers the current security state of the system (as reflected by the risk assessment and recommendations provided in the SAR), and weighs this against the operational need for the system. The AO must also consider any applicable risk-related guidance from the DoD SISO, PAOs, DoD ISRMC, DSAWG, DoD Component SISO, or mission owner(s). Weighing these factors, the AO renders a final determination of risk to DoD operations and assets, individuals, other organizations, and the Nation from the operation and use of the system. The KS provides additional guidance and tools for conducting system authorization risk assessments.
(4) Determine if the risk to organizational operations, organizational assets, individuals, other organizations, or the Nation is acceptable. The product of this risk determination is the authorization decision. An authorization decision applies to a specifically identified IS or PIT system and balances mission need against risk to the mission, the information being processed, the broader information environment, and other missions reliant on the shared information environment. A DoD authorization decision is expressed as an ATO, an IATT, or a DATO. An IS or PIT system is considered unauthorized if an authorization decision has not been made.
  (a) If overall risk is determined to be acceptable, and there are no NC controls with a level of risk of “Very High” or “High,” then the authorization decision should be issued in the form of an ATO. An ATO authorization decision must specify an ATD that is within 3 years of the authorization date unless the IS or PIT system has a system-level continuous monitoring program compliant with DoD continuous monitoring policy as issued.
  (b) If NC controls with a level of risk of “Very High” or “High” exist that cannot be corrected or mitigated immediately, but overall system risk is determined to be acceptable due to mission criticality, then the authorization decision will be issued in the form of an ATO with conditions and only with permission of the responsible DoD Component CIO. If the system still requires operation with a level of risk of “Very High” or “High” after 1 year, the DoD Component CIO must again grant permission for continued operation of the system. This authority cannot be delegated below the DoD Component CIO. The DoD Component CIO must concur in writing or through DoD public key infrastructure (PKI)-certified digital signature that the security risk of continued system operation is acceptable due to mission criticality. The DoD Component CIO provides a copy of the concurrence and authorization decision document with supporting rationale to the DoD ISRMC Secretariat and the DoD SISO. This authorization decision closely manages risk while allowing system operation. The ATOs with conditions should specify an AO review period that is within 6 months of the authorization date. The POA&M supporting this ATO documents identified vulnerabilities and specifies corrective actions to be completed before the review.
  (c) If the risk determination is being made to permit testing of the system in an operational information environment or with live data, and the risk is acceptable, then the authorization decision should be issued in the form of an IATT.
    1. IATTs should be granted only when an operational environment or live data is required to complete specific test objectives (e.g., replicating certain operating conditions in the test environment is impractical), and should expire at the completion of testing (normally for a period of less than 90 days). Operation of a system under an IATT in an operational environment is for testing purposes only (i.e., the system will not be used for operational purposes during the IATT period). The application of an IATT in support of DT&E needs to be planned, resourced, and documented within the program T&E plan in accordance with Reference (s).
    2. For full and independent operational testing, an ATO (rather than an IATT) may be required if operational testing and evaluation is being conducted in the operational environment or on deployed capabilities. In this case, the ATO should be reviewed following operational testing and evaluation for modification as necessary in consideration of the operational test results.
    3. All applicable security controls should be tested and satisfied before testing in an operational environment or with live data except for those that can only be tested in an operational environment. In consultation with the ISO or PM/SM, the AO will determine which security controls can only be tested in an operational environment.
  (d) If risk is determined to be unacceptable, the authorization decision should be issued in the form of a DATO. If the system is already operational, the AO will issue a DATO and stop operation of the system immediately. Network connections will be immediately terminated for any system issued a DATO. A DATO may also be issued coincidental to implementing a decommissioning strategy for a system.
  (e) Documentation supporting an authorization decision will be provided in electronic form if requested by AOs of interconnecting IS and PIT systems.

f. Step 6 - Monitor Security Controls
(1) Determine the security impact of proposed or actual changes to the IS or PIT system and its environment of operation. Included in the security controls assigned to all IS and PIT systems are security controls related to configuration and deficiency management, performance monitoring, and periodic independent evaluations (e.g., penetration testing).
  (a) The ISSM, in coordination with other appropriate personnel (e.g., IS security engineer, system administrators, CNDSP):
    1. Continuously monitors the system or information environment for security-relevant events and configuration changes that negatively affect security posture.
    2. Periodically assesses the quality of security controls implementation against performance indicators, such as: security incidents; feedback from external inspection agencies (e.g., OIG DoD, Government Accountability Office (GAO)); exercises; and operational evaluations, including Director, OT&E IA, assessments.
    3. Must report any significant change in the security posture of the system, and recommended mitigations, immediately to the SCA and AO.
    4. May recommend to the SCA or AO a reassessment of any or all security controls at any time.
(2) Assess a subset of the security controls employed within and inherited by the IS or PIT system in accordance with the AO-approved system-level continuous monitoring strategy.
  (a) The assessor must provide a written and signed (or if digital, DoD PKI-certified digitally signed) report in the SAR format to the AO that indicates the results of an annual assessment of selected security controls. Reference (c) provides additional guidance on conducting annual assessments.
  (b) The results of the annual assessment must be documented in an SAR, which will recommend either no change to the authorization status or downgrade to a DATO. The POA&M will also be updated as appropriate.
  (c) The AO must review the SAR in light of mission and information environment indicators and determine a course of action that will be provided to the responsible CIO or SISO for reporting requirements described in FISMA. An AO may downgrade or revoke an authorization decision at any time if risk conditions or concerns so warrant.
(3) Conduct remediation actions based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in the POA&M. Systems with a current ATO that are found to be operating in an unacceptable cybersecurity posture through Director, OT&E IA, assessments, GAO audits, OIG DoD audits, or other reviews or events (such as an annual security review or compliance assessment) must have the newly identified vulnerabilities and associated level of risk added to an existing or newly created POA&M.
(4) The PM/SM ensures the security plan and POA&M are updated based on the results of the system-level continuous monitoring process. The ISSM may recommend changes or improvement to the implementation of assigned security controls, the assignment of additional security controls, or changes or improvements to the design of the system itself to the SCA and AO at any time.
(5) Report the security status of the system (including the effectiveness of security controls employed within and inherited by the system) to the AO and other appropriate organizational officials on an ongoing basis in accordance with the monitoring strategy.
(6) The AO reviews the reported security status of the system (including the effectiveness of security controls employed within and inherited by the system) on an ongoing basis in accordance with the monitoring strategy to determine whether the risk to organizational operations, organizational assets, individuals, other organizations, or the nation remains acceptable.
  (a) In accordance with Appendix III to OMB Circular A-130 (Reference (ab)), systems must be reassessed and reauthorized once every 3 years. The results of an annual review or a major change in the cybersecurity posture at any time may also indicate the need for reassessment and reauthorization of the system.
  (b) Systems that have been evaluated as having a sufficiently robust system-level continuous monitoring program (as defined by emerging DoD continuous monitoring policy) may operate under a continuous reauthorization. Continuous monitoring does not replace the security authorization requirement; rather, it is an enabler of ongoing authorization decisions.
(7) Implement a system decommissioning strategy, when needed, which executes required actions when an IS or PIT system is removed from service. When a system is removed from operation, a number of RMF-related actions are required. Before decommissioning, any control inheritance relationships should be reviewed and assessed for impact. Once the system has been decommissioned, the security plan should be updated to reflect the system’s decommissioned status, and the system should be removed from all tracking systems. Other artifacts and supporting documentation should be disposed of according to its sensitivity or classification. Data or objects in cybersecurity infrastructures that support the DoD Information Enterprise, such as key management, identity management, vulnerability management, and privilege management, should be reviewed for impact.
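The Step 4 excerpt (record each control as compliant, NC with explanation and an SCA risk level, or NA with justification; POA&M rows are updated but never removed) and the Step 5 excerpt (ATO, ATO with conditions, IATT, DATO) together describe a decision procedure that a program office tracking tool has to encode. The following is an added illustration written for this lesson; it is not DoD, DAU or DoDI code. The record fields, the month-arithmetic helper, the control IDs, rationales and dates are all constructed assumptions, and the 90-day IATT expiry is used as the "normally less than 90 days" figure from the excerpt.

```python
"""Illustrative model of the Step 4 record-keeping and Step 5 authorization rules
quoted above from DoDI 8510.01. Added example, not DoD, DAU or DoDI code; the
control IDs, dates and rationales are constructed."""
from __future__ import annotations
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Status(Enum):
    COMPLIANT = "compliant"   # no vulnerabilities found by the assessment procedures
    NC = "non-compliant"      # vulnerabilities found; goes in the POA&M with an explanation
    NA = "not applicable"     # AO-determined; goes in the POA&M with a justification


# Risk levels of Reference (k); "High" and "Very High" drive the ATO rules in Step 5.
RISK_LEVELS = ("Very Low", "Low", "Moderate", "High", "Very High")
ELEVATED = ("High", "Very High")


@dataclass
class ControlRecord:
    """One SAR/POA&M row: status, SCA rationale, and the SCA risk level for NC controls."""
    control_id: str
    status: Status
    rationale: str = ""               # explanation for NC, justification for NA
    risk_level: Optional[str] = None  # SCA-assigned; required for every NC control
    remediated: bool = False          # POA&M rows are updated after correction, never removed

    def problems(self) -> list[str]:
        """Documentation gaps that make the row unusable as input to an authorization decision."""
        out = []
        if self.status is Status.NC:
            if not self.rationale:
                out.append(f"{self.control_id}: NC control lacks an explanation")
            if self.risk_level not in RISK_LEVELS:
                out.append(f"{self.control_id}: NC control lacks an SCA risk level")
        elif self.status is Status.NA and not self.rationale:
            out.append(f"{self.control_id}: NA control lacks a justification")
        return out


@dataclass
class Decision:
    kind: str                 # "ATO", "ATO with conditions", "IATT", "DATO" or "unauthorized"
    deadline: Optional[date]  # ATD, AO review date, or IATT expiry (None where none applies)
    note: str


def add_months(d: date, months: int) -> date:
    """Calendar month arithmetic so '3 years' and '6 months' land on the same day of month."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def open_elevated_findings(records: list[ControlRecord]) -> list[ControlRecord]:
    """NC controls at High/Very High risk that have not been remediated."""
    return [r for r in records
            if r.status is Status.NC and not r.remediated and r.risk_level in ELEVATED]


def authorize(records: list[ControlRecord], authorized_on: date, overall_risk_acceptable: bool,
              operational_test: bool = False, component_cio_concurs: bool = False,
              continuous_monitoring: bool = False) -> Decision:
    """Apply the Step 5 decision rules to an assembled SAR/POA&M record set."""
    gaps = [p for r in records for p in r.problems()]
    if gaps:  # an incomplete package goes back to the ISO or PM/SM; no decision is rendered
        raise ValueError("SAR/POA&M incomplete: " + "; ".join(gaps))
    if not overall_risk_acceptable:
        return Decision("DATO", None, "stop operation; terminate network connections")
    if operational_test:  # testing in an operational environment or with live data only
        return Decision("IATT", authorized_on + timedelta(days=90),
                        "test use only; expires at completion of testing, normally under 90 days")
    elevated = open_elevated_findings(records)
    if not elevated:
        atd = None if continuous_monitoring else add_months(authorized_on, 36)
        return Decision("ATO", atd, "ATD within 3 years unless under compliant continuous monitoring")
    if component_cio_concurs:  # ATO with conditions: CIO permission, AO review within 6 months
        return Decision("ATO with conditions", add_months(authorized_on, 6),
                        f"{len(elevated)} High/Very High finding(s) open; CIO must re-concur after 1 year")
    return Decision("unauthorized", None,
                    "open High/Very High findings need DoD Component CIO permission for an ATO")


def remediate(record: ControlRecord) -> ControlRecord:
    """POA&M update once corrective action is done and the control reassessed: the row stays."""
    record.remediated = True
    return record


def sample_records() -> list[ControlRecord]:
    """Constructed SAR rows for illustration; not from any real assessment."""
    return [
        ControlRecord("AC-2", Status.COMPLIANT),
        ControlRecord("PE-3", Status.NA, rationale="closed tactical platform; facility controls out of scope"),
        ControlRecord("SI-2", Status.NC, rationale="patch baseline behind applicable STIG", risk_level="High"),
        ControlRecord("AU-6", Status.NC, rationale="audit log review not performed weekly", risk_level="Moderate"),
    ]


if __name__ == "__main__":
    rows = sample_records()
    print(authorize(rows, date(2024, 1, 15), True))                              # unauthorized
    print(authorize(rows, date(2024, 1, 15), True, component_cio_concurs=True))  # ATO with conditions
    remediate(rows[2])
    print(authorize(rows, date(2024, 1, 15), True))                              # ATO, ATD 2027-01-15
```

The design point worth noticing is that `authorize` refuses to render any decision while a NC row lacks its explanation or risk level, or a NA row lacks its justification, mirroring the excerpt's rule that the AO sends an unacceptable package back rather than deciding on it; and that `remediate` never deletes a row, so the POA&M keeps its history while `open_elevated_findings` stops counting the fixed control.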

46 Summary
Identify the basic concepts, threats, and best practices associated with cybersecurity in the DoD.
Identify the policies and principles that support cybersecurity for DoD Information Technology (IT)
Identify the major principles and components of the Risk Management Framework (RMF) for DoD Information Technology (IT)
Identify the six steps of the Risk Management Framework (RMF) for DoD Information Technology (IT)

SLIDE INFORMATION
Slide Type (Content or Exercise): Content
ELO ID (Use a Comma to separate ELOs if more than one is addressed): , , ,
Supporting ELOs ID:
ELO Identify the basic concepts, threats, and best practices associated with cybersecurity in the DoD.
ELO Identify the policies and principles that support cybersecurity for DoD Information Technology (IT)
ELO Identify the major principles and components of the Risk Management Framework (RMF) for DoD Information Technology (IT)
ELO Identify the six steps of the Risk Management Framework (RMF) for DoD Information Technology (IT)
Policy / Directive / Standard / DTM ID: DoDI ,
Key Points:
Key Questions to ask and anticipated answers:
Terms, definitions, and acronyms (only for acronyms on a graphic):

47 Exercise
Lesson Plan Status
Cybersecurity Concepts
Cybersecurity in the DoD
The Risk Management Framework (RMF) for DoD Information Technology (IT)
RMF Steps
Exercise

SLIDE INFORMATION
Slide Type: Content
ELO ID (Use a Comma to separate ELOs if more than one is addressed): , , ,
Supporting ELOs ID:
ELO Identify the basic concepts, threats, and best practices associated with cybersecurity in the DoD.
ELO Identify the policies and principles that support cybersecurity for DoD Information Technology (IT)
ELO Identify the major principles and components of the Risk Management Framework (RMF) for DoD Information Technology (IT)
ELO Identify the six steps of the Risk Management Framework (RMF) for DoD Information Technology (IT)
Policy / Directive / Standard / DTM ID: DoDI ,
Key Points: Overview slide only
Key Questions to Ask and Anticipated Answers: Overview slide only
Terms \ Definitions \ Acronyms:

48 Exercise
Read the highlighted portions of the 2 articles:
‘Information Assurance and Acquisition’ starting on page 10 of the IATAC Newsletter
Cybersecurity The Road Ahead for Defense Acquisition

Address the following for your team’s assigned section.
Summarize and explain the topic/recommendation
How critical to Cybersecurity and overall DoD IT success do you believe this topic is?
Identify how well the topic area is emphasized in DODI and
Identify how well the recommendations in the articles address the Cyber challenges you are experiencing in your organizations.
Identify additional recommendations in your focus area

Team Focus areas:
Team 1: Greater involvement of Cybersecurity professionals throughout the acquisition life cycle
Team 2: Enhanced leadership commitment and understanding of Cybersecurity and the Cybersecurity process
Team 3: Further integration of Cybersecurity into the systems engineering and contracting process
Team 4: Moving beyond Cybersecurity awareness for IT users to prevention and detection
Team 5: Increased focus on software assurance

SLIDE INFORMATION
Slide Type (Content or Exercise): Exercise
ELO ID (Use a Comma to separate ELOs if more than one is addressed): , , ,
Supporting ELOs ID:
ELO Identify the basic concepts, threats, and best practices associated with cybersecurity in the DoD.
ELO Identify the policies and principles that support cybersecurity for DoD Information Technology (IT)
ELO Identify the major principles and components of the Risk Management Framework (RMF) for DoD Information Technology (IT)
ELO Identify the six steps of the Risk Management Framework (RMF) for DoD Information Technology (IT)
Policy / Directive / Standard / DTM ID: DoDI ,
Key Points:
Key Questions to Ask and Anticipated Answers:
Terms \ Definitions \ Acronyms:

Lesson Point of Contact: Name: Tim Denman; Phone:
Length of Presentation: Presentation: 2.5 hours; Class Exercise: 1.0 hours
TLO: Given a notional software-intensive system, apply cybersecurity policies, concepts, and methods to improve the security of system acquisition processes and software products and the protection of system information.

Cybersecurity Enabling Learning Objectives (ELOs)
ELO #1 – Define and explain Cybersecurity, related terminology, and associated roles and responsibilities
ELO #2 – Explain the basic concepts and best practices associated with Cybersecurity
ELO #3 – Understand Cybersecurity guidance and policies and the underlying framework
ELO #4 – Identify and explain the major components of the Risk Management Framework (RMF) for DoD Information Technology

