NIST Risk Management Framework (RMF) Process: NISP Workflow (July 2017)

[Flowchart, recovered as text. Swimlanes: DSS CI/IO, GCA Stakeholders, ISSM/ISSO, ISSP, Team Lead (TL), Authorization Official (AO). Legend (key): internal process, start process, document, manual, storage, external process, external control, decision, process variable, stop, association, return.]

ISSM/ISSO lane

- Start.
- STEP 1: CATEGORIZE. Categorization and coordination; control discussion with GCA; coordinate with ISR/CISA (DSS CI/IO supplies the Threat Profile). Output: Initial SSP, RAR.
- STEP 2: SELECT. Select controls; submit the initial package or revise the package. Input: Initial SSP with identified controls, RAR. Output: SSP with tailored controls.
- STEP 3: IMPLEMENT. ISSM builds the system / updates the configuration. Output: Updated SSP with functional description of security control implementation, POA&M (if applicable). A "Return to Step 3" loop re-enters this step when the package is sent back.
- STEP 4: ASSESS. Test; ISSM certifies the system. Output: Final SSP, Certification Statement, RAR, POA&M, and SSP Supporting Artifacts.
- STEP 6: MONITOR (Monitoring Phase). The ISSM is responsible for ensuring the security posture is maintained, assesses the impact of changes to the system upon the environment, and reviews selected controls annually. Outputs: Updated POA&M, Updated SSP, Status Reports, Decommissioning Strategy (as necessary), and Continuous Monitoring Strategy. The step repeats.

ISSP / Team Lead (TL) lane

- ISSP/SCA assigned? NO: TL assigns an ISSP/SCA. YES: continue.
- STEP 2: SELECT. Validate categorization and controls selection (Initial SSP with identified controls, RAR). Concur? NO: ISSP returns the SSP with rationale to industry. YES: continue.
- STEP 4: ASSESS. Test; ISSM certifies the system. Schedule / conduct on-site visit. Existing active authorization? YES: use system return vice denial. ISSP updates the OBMS vulnerability table and Security Assessment Report; starts the Security Assessment Report and completes OBMS inputs. Authorization recommendation? NO / YES. Complete SAR and Authorization Letter; update OBMS, include artifacts, forward to AO.
- STEP 6: MONITOR. ISSP continually assesses system posture.

Authorization Official (AO) lane

- STEP 5: AUTHORIZE. AO approves the system or AO denies the system. Output: Final SSP, SSP Supporting Artifacts, POA&M (if applicable), SAR, and Authorization Letter (ATO Letter).
DSS Risk Management Framework (RMF) Process: Step 1 (Categorize)

Source: DAAPM Ver. 1.1. Author: A.E. Carbone/IOFSA. Revised: 2017/05/18.

[Flowchart, recovered as text. Swimlanes: ISSM, DSS IO/CI, GCA/Stakeholders, ISSP/SCA, AO.]

ISSM lane

- Start.
- Collect key documents (Contract, DD 254, RAR, SCG, etc.).
- Determine the system's authorization boundary.
- Current RAR on record? No: prepare the Risk Assessment Report (RAR). Yes: continue.
- Higher impact levels justified? Yes: obtain GCA/Stakeholder approval (SSP artifact). No: use the default.
- Determine the final categorization of the IS and the information therein (default = M-L-L).
- Update the SSP (description, authorization boundary, system type, etc.).
- Go to RMF Step 2.

DSS IO/CI lane

- Coordinate with the company's assigned DSS ISR/CISA.
- Provide program risk assessment / threat data information.

GCA/Stakeholders lane

- GCA/Stakeholder approval memo.

ISSP/SCA and AO lanes: no actions in this step.

DSS Risk Management Framework (RMF) Process: Step 2 (Select Security Controls)

[Flowchart, recovered as text. Swimlanes: ISSM, GCA/Stakeholders, ISSP/SCA, ISSP-TL / AO.]

ISSM lane

- From RMF Step 1.
- Identify baseline security controls for the IS categorization. References: DAAPM, DSS Overlay, NIST SP 800-53v4, CNSSI 1253 Overlay(s).
- Update the SSP with baseline security controls.
- Tailor security controls as needed (REF: RAR, SCG, Contract, etc.).
- Update the SSP with tailored security controls and justification.
- Tailored-out SecCtrls? Yes: tailored SecCtrl approval (DD 254, SOW, RAL) from GCA/Stakeholders. No: continue.
- Develop the CONMON strategy.
- Submit SSP, RAR, CONMON strategy, and artifacts into OBMS (UNCLAS docs only).
- Email ISSP of the DSS RMF Step 1/2 OBMS submission.
- To RMF Step 3.

ISSP/SCA lane

- Email ISSM of the DSS RMF Step 1/2 OBMS submission.
- Review the RMF package submission.
- Severe issues with the RMF package? Yes: proceed with DATO action (ISSP-TL / AO). No: continue.
- Concur with categorization and SecCtrl selection? Yes: complete the Categorization & Implementation Concurrence Form. No: complete the Categorization & Implementation Non-Concurrence Form.
- SecCtrl justification included? No: return the OBMS record back to the submitter (ISSM).
- Validate tailored-out SecCtrls justification (DD 254, SOW).
- Requires RAL? Yes: notify ISSM of the RAL requirement; coordinate tailored SecCtrls with ISSP-TL / AO. No: continue.
- Upload the Categorization & Implementation Concurrence Form into OBMS.
- To Step 4 Part (B).

ISSP-TL / AO lane

- Proceed with DATO action (on severe package issues).
- Coordinate tailored SecCtrls with ISSP.

DSS Risk Management Framework (RMF) Process: Step 3 (Implement Security Controls)

[Flowchart, recovered as text. Swimlanes: ISSM, ISSP/SCA, AO, GCA.]

ISSM lane

- From RMF Step 2.
- Implementation tools: DAAPM, STIG Viewer, Tailored SSP, NAO Group Policy Config Tool, SCAP Compliance Checker (SCC) Tool, Manual Configuration.
- Implement technical security controls on the system(s).
- Develop applicable non-technical documentation: various applicable policies, Continuity of Operations (COOP) Plan, Disaster Recovery Plan (DRP), Configuration Management (CM) Plan, Incident Response Plan (IRP), Security Awareness Training Plan, MOU/MOAs, and other applicable artifacts.
- Update the SSP with security control implementation status. Output: Updated SSP (UNCLAS docs only).
- Start the POA&M as applicable.
- To RMF Step 4.

ISSP/SCA, AO, and GCA lanes: no actions in this step.

DSS Risk Management Framework (RMF) Process: Step 4 (Assess Security Controls), Part (A)

[Flowchart, recovered as text. Swimlanes: ISSM, ISSP/SCA, AO.]

ISSM lane

- From RMF Step 3.
- Conduct the initial assessment to ensure security controls are operating as intended. Assessment tools: DAAPM, Updated SSP, Tailored SSP Parameters, NIST Security Controls, SCAP Compliance Checker (SCC), STIG Viewer Tool, POA&M.
- Update the SSP with actual security control state information.
- Develop/update the POA&M with residual vulnerabilities.
- Download validation tools and install them on the system for the SCA OSV (STIG Viewer, SCC, etc.).
- Submit the final RMF authorization package via OBMS (UNCLAS docs only). Package contents:
  - ISSM Appointment Letter (required)
  - Certification Statement (required)
  - SSP (required)
  - RAR (required)
  - POA&M (required)
  - COOP, DRP, etc.
  - CM Plan, CCB Charter
  - Contract info (DD 254, SOW, RFP)
  - MOU/MOA/ISA
  - IRP
  - Security Awareness & Training Plan
  - RAL(s)
  - All other relevant artifacts (policy)
- Email ISSP of the OBMS submission.
- To RMF Step 4B.

ISSP/SCA and AO lanes: no actions in this part.
