Sctm Rmf

Joint SAP implementation Guide

Supplemental guidance to JSIG

Guide for assessing security controls

Security Categorization and Control Selection for National Security Systems

Risk Management Framework

RMF Assessment and Authorization

Authorization

Controls

Baseline Baseline +Accessibility Overlay Baseline + CDS Overlay

Impact Levels

Security Controls Traceability Matrix

Security Assessment Report (SAR)

Authorizing Official (AO)

Delegated Authorizing Official (DAO)

Information Systems Security Manager (ISSM)

Information System Security Officer (ISSO)

Information System Owner (ISO)

Information Assurance Standard Operating Procedures (IA SOP)

External Information System

Approval to Operate

Authorization to Operate (ATO) with a Plan of Actions and Milestone (POA&M)

Element Head (SAPCO) Authorizing Official (AO) Delegated Authorizing Official (DAO)

Security Control Assessor (SCA) Information Owner/Steward (IO)

Information System Owner (ISO) Information Systems Security Officer/Manager

• Bears ultimate responsibility for mission accomplishment and execution of business functions and all decisions made on his/her behalf • Responsible for adequately mitigating risks to the organization, individuals, and the Nation • Designates an Authorizing Official to make authorization decisions on behalf of Element Head (DoDM 5205.07 v1)

• Shall have a broad and strategic understanding of the SAP Community, his/her organization, and its place/role in the overall SAP Community • Accountable to the Element Head for system authorization and associated risk management decision • Authority to formally assume responsibility for operating an information system at an acceptable level of risk

• Acts on behalf of the authorizing official • Carries out and coordinates the required activities associated with security authorization (DoDM 5205.07, JSIG) • Cannot authorize "HIGH" Impact Level systems

• Designated by the Authorizing Official • Responsible for performing the comprehensive evaluation of the security features of an information system • Responsible for determining the degree to which it meets its security requirements (NIST SP 800-37)

• Has statutory or operational authority for specified information and responsibility for establishing controls for its generation, classification, collection, processing, dissemination, and disposal • Typically, in the case of Stewards of classified information, this role is also the appointed Original Classification Authority (OCA) for that particular information

• Responsible for overall procurement, development, integration, modification, or operation and maintenance of an IS • Responsible for the development and maintenance of the security plan and ensures that the system is deployed and operated in accordance with the agreed-upon security controls • Appoints the program ISSM/ISSO and ISSE • ISSM/ISSO and ISSE may be the same person

• Responsible for the day-to-day security posture and continuous monitoring for a system • Responsible for the overall information assurance of a program, organization, system, or enclave

Develop a Risk Assessment Report (RAR) specific to the Information System: • Identify and prioritize risks that inform risk response decisions • Identify asset(s) • Identity threats • Identify vulnerabilities & predisposing conditions • Determine the likelihoods • Identify Impacts • Determine risks & uncertainties • Communicate the results

6

RMF Step 1: Categorization of the System RMF Step 2: Selecting Security Controls RMF Step 3: Implementing Security Controls RMF Step 4: Assessing Security Controls RMF Step 5: Authorizing Systems RMF Step 6: Monitor Security Controls

18

AC - Access Control AT - Awareness and Training AU - Audit and Accountability CA - Security Assessment and Authorization CM - Configuration Management CP - Contingency Planning IA - Identification and Authentication IR - Incident Response MA - Maintenance MP - Media Protection PE - Physical and Environmental Protection PL - Planning PM - Program Management PS - Person Security RA - Risk Assessment SA - System and Services Acquisition SC - System and Communications Protection SI - System and Information Integrity

ISSO/ISSM

Security Control Assessor (SCA)

AO/DAO

ISSO/ISSM

Process to ensure ongoing awareness of information security, vulnerabilities, and threats to facilitate risk-based decision making.

Examine Interview Test

Authorization to Operate Interim Authority to Test Denial of ATO

SSP (includes the RAR, SCTM, & CONMON Plan) SAR POA&M

Three Impact Ratings Low Moderate High

Confidentiality (C) Integrity (I) Availability (A)

• Common • Baseline • Overlays • Tailor controls • Supplement

A security control that is inherited by one or more organizational information system

Management, operational, and technical controls implemented by an organization in lieu of recommended controls in the baseline list of controls

Provides the strategy to routinely evaluate selected IA controls/metrics. Reference NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations

A specification of security controls, control enhancements, supplemental guidance, and other supporting information employed during the tailoring process, that is intended to complement (and further refine) security control baselines.

Defines plans of action and milestones related to correcting weaknesses or deficiencies, as well as reducing or eliminating known vulnerabilities and identifies completion dates.

Defines the organizationally established level of acceptable risk associated with the operation of an IT system at a specific level; identifies risks; and provides an assessed residual-risk-level for the system

Contains security control assessment results and recommended corrective actions for security-control weaknesses and deficiencies

Provides an overview of security requirements, description of agreed-upon controls and other supporting security-related information