Tenacity Solutions Incorporated
David Comings, Ph.D.
Risk Management Framework Applied to Cross-Domain Solutions
Introductions & Objectives (Agenda): Instructor – Who Am I?; Background; Objectives (Agenda); RMF Overview & Application to Cross-Domain Solutions; Presentation Scope.
David Comings, Ph.D.
Risk Management Framework
Applied to Cross-Domain Solutions -
Risk Management Framework – 6 Steps
Step 1 – Categorize: CNSSI 1253 (1199)
Categorization & Initial Tailoring Guidance, as well as NSS Community agreed-upon “defined variables”.
Step 2 – Select: NIST SP 800-53 / CNSSI 1253
Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
Step 3 – Implement
Implement security controls within the enterprise architecture using sound systems engineering practices; apply security configuration settings.
Step 4 – Assess: NIST SP 800-53A / NIST 800-37
Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for the information system).
Step 5 – Authorize: NIST 800-39 / NIST 800-37 / NIST 800-30
Determine risk to organizational operations, assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
Step 6 – Monitor: NIST 800-37 / NIST 800-30
Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
Background & History
“National Security systems and assets, whether physical or virtual, are extremely vital to the United States, such that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters.”
– USA Patriot Act (P.L. 107-56)
Define a common set of impact levels and adopt and apply them across the Intelligence Community (IC) and the Department of Defense (DoD). Organizations will no longer use different levels with different names based on different criteria.
Adopt reciprocity as the norm, enabling organizations to accept the approvals of others without retesting or reviewing.
Define, document, and adopt common security controls, using NIST SP 800-53 as a baseline
Adopt a common lexicon, using CNSSI 4009 as a baseline, thereby providing DoD and the IC a common language and common understanding.
Institute a Senior Risk Executive function, which bases decisions on an “enterprise” view of risk considering all factors, including Mission, IT, Budget, and Security.
Incorporate Information Assurance (IA) into Enterprise Architectures and deliver IA as common enterprise services across the IC and DoD.
Enable a common process that incorporates security within the lifecycle processes and eliminates security-specific processes. The common processes will be adaptable to various development environments.
Cross-Domain Controls and NSA System Requirements
Supply Chain/ Acquisition Controls