RISK MANAGEMENT FRAMEWORK (RMF) V2.0

Derek Duchein, CISSP, CRISC

Cybersecurity Professor, DAU
derek.duchein@dau.mil

CHRONOLOGY

SP 800-37 Rev. 1 published February 2010 (Updated 6/5/2014)

"Guide for Applying the Risk Management Framework to Federal Information Systems: a Security Life Cycle Approach"

DODI 8510.01 published March 2014 (updated 7/28/2017: DIACAP-to-RMF transition timing and Coast Guard applicability).

SP 800-37 Rev. 2 published December 2018

"Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy"


WHY RMF 2.0?


CYBERSECURITY POSTURE

"The cybersecurity of our weapons and networks needs increased attention. In support of that, the Department needs to evolve how we monitor our cybersecurity posture. The two-phase Cooperative Vulnerability and Penetration Assessment (CVPA) and Adversarial Assessment (AA) approach currently outlined in DOT&E test guidance is necessary to help inform the cybersecurity posture of DOD systems, but is not sufficient. This testing has greatly improved our understanding of cyber vulnerabilities, but in addition to dedicated assessments, DOD systems must be built to include technologies to continuously monitor cybersecurity, and automatically find and patch software vulnerabilities. Periodic assessments by Red Teams alone are not adequate, because the security of system software can change at any time due to operator errors, or adversary cyber-attacks." (p. i)

