
1 Defense Security Service's Risk Management Framework (RMF) Authorization & Assessment Process
Josh Thompson, Classified Information Systems – Western Region, Northrop Grumman

2 What is the Risk Management Framework (RMF)?
RMF is a unified information security framework for the entire federal government that replaces the legacy Certification and Accreditation (C&A) processes applied to information systems. RMF is a key component of an organization's information security program and is used in the overall management of organizational risk.

3 Why RMF

4 DSS A&A Process Flow

5 Primary Activities by Step
Step 1 – Categorize
- Risk Assessment Report
- SSP
  - System Identification
  - Key Roles & Responsibilities
  - System Environment
  - General Description
  - Purpose
  - Interconnections
  - Applicable Appendixes
- Must include at least a conceptual system/network diagram
Step 1 notes:
- Similar to completing the ISFO SSP Template
- High-level overview to "register" the new system with DSS
- Gives your ISSP a heads-up that a new system is being initiated

6 Primary Activities by Step
Step 2 – Selection
- Updated Risk Assessment Plan (if required)
- SSP
  - Updated Step 1 information (if required)
  - Control Selection
  - Overlays
  - Tailoring
  - Include Continuous Monitoring Strategy
Step 2 notes:
- Initially a very short step
- This step is used to tailor, which will be more beneficial in the future; we need to better understand the controls and expectations before we can justify tailoring
- Continuous monitoring strategy is already (tentatively) defined

7 Primary Activities by Step
Step 3 – Implementation
- Updated Risk Assessment Plan (if required)
- SSP
  - Updated Step 1 & 2 information (if required)
  - Finalize System Description & Diagrams; must include HW/SW lists
  - Control Implementation Approach: each implemented control must be described/documented
  - Systems Controls implemented on all systems
Step 3 notes:
- This is where the real work begins
- Rather than completing the IS Profile template, the contractor must now explain how we are meeting each control
- Recommend relying heavily on the NIST-to-NISPOM Security Control Mapping document for guidance
- Requires participation from ISSM/ISSO, FSO, System Administrators, Program Management, and other stakeholders

8 NIST to NISPOM Mapping

9 Primary Activities by Step
Step 4 – Assess
- ISSM develops the Security Assessment Plan, primarily based on the DSS Technical Assessment Guides
- ISSM performs the initial assessment and develops a POA&M
- ISSM provides the initial assessment and POA&M to the SCA
- SCA performs on-site validation
Step 4 notes:
- SCAP is a big part of this step
- Tip: run SCAP on your systems prior to submitting your Step 3 documentation to DSS; retain those results for DSS to review upon arrival
- Create a POA&M on your system prior to DSS's arrival identifying all open findings
- Your POA&M may be classified based on your system's SCG
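The tip above (scan with SCAP, keep the results, and list every open finding in a POA&M before the SCA arrives) is easy to mechanize. The following is an added example, not part of the original presentation or any DSS tooling: it parses an XCCDF 1.2 TestResult (the result format SCAP scanners such as oscap emit), keeps only rules whose result is still open (fail, error, unknown), and orders them by severity so they can seed the POA&M. The embedded XML, the rule ids and the target hostname are constructed for illustration.

```python
"""First-cut POA&M from SCAP (XCCDF 1.2) scan results.

Added example: parses an XCCDF TestResult, keeps only the rules that are
still open (fail/error/unknown), and orders them by severity so the list
can seed the POA&M before the SCA's on-site validation.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
OPEN_RESULTS = {"fail", "error", "unknown"}   # anything else is not an open finding
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}

# Constructed sample (not real scan output): a trimmed XCCDF 1.2 TestResult
# with hypothetical rule ids. Real scanners emit the same shape with many
# more rule-results and extra metadata.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
            id="xccdf_example_testresult_baseline" start-time="2016-05-01T09:00:00"
            end-time="2016-05-01T09:07:12" version="1.0">
  <target>cis-workstation-07</target>
  <rule-result idref="xccdf_example_rule_audit_login_events" severity="high">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_disable_unused_services" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_password_min_length" severity="medium">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_wireless_disabled" severity="medium">
    <result>notapplicable</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_banner_text" severity="low">
    <result>error</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_screen_lock" severity="low">
    <result>pass</result>
  </rule-result>
</TestResult>
"""


def _q(tag):
    """Qualify a tag name with the XCCDF 1.2 namespace."""
    return f"{{{XCCDF_NS}}}{tag}"


def open_findings(xml_text):
    """Return open findings from XCCDF results, highest severity first.

    Each finding is a dict with rule_id, result, severity and target.
    Element.iter() includes the element itself, so this works whether the
    TestResult is the document root or nested inside a Benchmark.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for test_result in root.iter(_q("TestResult")):
        target_el = test_result.find(_q("target"))
        target = target_el.text.strip() if target_el is not None and target_el.text else "unknown"
        for rr in test_result.iter(_q("rule-result")):
            res_el = rr.find(_q("result"))
            result = res_el.text.strip() if res_el is not None and res_el.text else "unknown"
            if result not in OPEN_RESULTS:
                continue   # pass, notapplicable, notselected, fixed, informational
            findings.append({
                "rule_id": rr.get("idref", "unknown"),
                "result": result,
                "severity": rr.get("severity", "unknown").lower(),
                "target": target,
            })
    # Highest severity first; rule id as a stable tie-breaker
    findings.sort(key=lambda f: (SEVERITY_ORDER.get(f["severity"], 4), f["rule_id"]))
    return findings


def severity_counts(findings):
    """Count open findings per severity, e.g. {'high': 1, 'medium': 1, 'low': 1}."""
    return dict(Counter(f["severity"] for f in findings))


def poam_rows(findings):
    """Render findings as numbered POA&M rows: id | rule | severity | result | target."""
    return [
        f"POAM-{n:03d} | {f['rule_id']} | {f['severity']} | {f['result']} | {f['target']}"
        for n, f in enumerate(findings, start=1)
    ]


if __name__ == "__main__":
    found = open_findings(SAMPLE_RESULTS)
    print("\n".join(poam_rows(found)))
    print(severity_counts(found))
```

Rules that came back "error" or "unknown" are kept as open on purpose: a check that could not run is not evidence of compliance, and the SCA will treat it the same way. The generated rows carry the hostname and rule ids of the scanned system, so they inherit whatever classification the system's SCG assigns to the POA&M.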

10 Primary Activities by Step
Step 5 – Authorize
- AO issues the ATO
Step 6 – Monitor
- ISSM performs continuous monitoring based on the Continuous Monitoring Strategy
Step 5 notes:
- Same as it's always been
Step 6 notes:
- Think weekly audits, AV updates, patching, and self-inspections; we've always done these things
- Don't get hung up on "ConMon". Look at the requirement and think about how you've been doing this all along
- Biggest change: you can't forget about the system just because you have an ATO

11 ?

