Talk:Industry:Project Review/NIST SP 800-37r1 FPD Chapter 3

1 APPLICATION OF THE RISK MANAGEMENT FRAMEWORK 2 3.1 RMF STEP 1 - CATEGORIZE INFORMATION SYSTEM 2.1 TASK 1-1 SECURITY CATEGORIZATION 2.1.1 TASK 2.1.2 Primary Responsibility 2.1.3 Supporting Roles 2.1.4 System Development Life Cycle Phase 2.1.5 Supplemental Guidance 2.1.6 References 2.2 TASK 1-2 INFORMATION SYSTEM DESCRIPTION 2.2.1 TASK 2.2.2 Primary Responsibility 2.2.3 Supporting Roles 2.2.4 System Development Life Cycle Phase 2.2.5 Supplemental Guidance 2.2.6 References 2.3 TASK 1-3 INFORMATION SYSTEM REGISTRATION 2.3.1 TASK 2.3.2 Primary Responsibility 2.3.3 Supporting Roles 2.3.4 System Development Life Cycle Phase 2.3.5 Supplemental Guidance 2.3.6 References 2.4 Milestone Checkpoint #1 3 3.2 RMF STEP 2 - SELECT SECURITY CONTROLS 3.1 TASK 2-1 SECURITY CONTROL SELECTION 3.1.1 TASK 3.1.2 Primary Responsibility 3.1.3 Supporting Roles 3.1.4 System Development Life Cycle Phase 3.1.5 Supplemental Guidance 3.1.6 References 3.2 TASK 2-2 COMMON CONTROL IDENTIFICATION 3.2.1 TASK 3.2.2 Primary Responsibility 3.2.3 Supporting Roles 3.2.4 System Development Life Cycle Phase 3.2.5 Supplemental Guidance 3.2.6 References 3.3 TASK 2-3 MONITORING STRATEGY 3.3.1 TASK 3.3.2 Primary Responsibility 3.3.3 Supporting Roles 3.3.4 System Development Life Cycle Phase 3.3.5 Supplemental Guidance 3.3.6 References 3.4 TASK 2-4 SECURITY PLAN APPROVAL 3.4.1 TASK 3.4.2 Primary Responsibility 3.4.3 Supporting Roles 3.4.4 System Development Life Cycle Phase 3.4.5 Supplemental Guidance 3.4.6 References 3.5 Milestone Checkpoint #2 4 3.3 RMF STEP 3 - IMPLEMENT SECURITY CONTROLS 4.1 TASK 3-1 SECURITY CONTROL IMPLEMENTATION 4.1.1 TASK 4.1.2 Primary Responsibility 4.1.3 Supporting Roles 4.1.4 System Development Life Cycle Phase 4.1.5 Supplemental Guidance 4.1.6 References 4.2 TASK 3-2 SECURITY CONTROL DOCUMENTATION 4.2.1 TASK 4.2.2 Primary Responsibility 4.2.3 Supporting Roles 4.2.4 System Development Life Cycle Phase 4.2.5 Supplemental Guidance 4.2.6 References 4.3 Milestone Checkpoint #3 5 3.4 RMF STEP 4 - ASSESS SECURITY CONTROLS 5.1 TASK 4-1 ASSESSMENT PREPARATION 5.1.1 TASK 5.1.2 Primary Responsibility 5.1.3 Supporting Roles 5.1.4 System Development Life Cycle Phase 5.1.5 Supplemental Guidance 5.1.6 References 5.2 TASK 4-2 SECURITY CONTROL ASSESSMENT 5.2.1 TASK 5.2.2 Primary Responsibility 5.2.3 Supporting Roles 5.2.4 System Development Life Cycle Phase 5.2.5 Supplemental Guidance 5.2.6 References 5.3 TASK 4-3 SECURITY ASSESSMENT REPORT 5.3.1 TASK 5.3.2 Primary Responsibility 5.3.3 Supporting Roles 5.3.4 System Development Life Cycle Phase 5.3.5 Supplemental Guidance 5.3.6 References 5.4 Milestone Checkpoint #4 6 3.5 RMF STEP 5 - AUTHORIZE INFORMATION SYSTEM 6.1 TASK 5-1 REMEDIATION ACTIONS 6.1.1 TASK 6.1.2 Primary Responsibility 6.1.3 Supporting Roles 6.1.4 System Development Life Cycle Phase 6.1.5 Supplemental Guidance 6.1.6 References 6.2 TASK 5-2 PLAN OF ACTION AND MILESTONES 6.2.1 TASK 6.2.2 Primary Responsibility 6.2.3 Supporting Roles 6.2.4 System Development Life Cycle Phase 6.2.5 Supplemental Guidance 6.2.6 References 6.3 TASK 5-3 SECURITY AUTHORIZATION PACKAGE 6.3.1 TASK 6.3.2 Primary Responsibility 6.3.3 Supporting Roles 6.3.4 System Development Life Cycle Phase 6.3.5 Supplemental Guidance 6.3.6 References 6.4 TASK 5-4 RISK DETERMINATION 6.4.1 TASK 6.4.2 Primary Responsibility 6.4.3 Supporting Roles 6.4.4 System Development Life Cycle Phase 6.4.5 Supplemental Guidance 6.4.6 References 6.5 TASK 5-5 RISK ACCEPTANCE 6.5.1 TASK 6.5.2 Primary Responsibility 6.5.3 Supporting Roles 6.5.4 System Development Life Cycle Phase 6.5.5 Supplemental Guidance 6.5.6 References 6.6 Milestone Checkpoint #5 7 3.6 RMF STEP 6 - MONITOR SECURITY CONTROLS 7.1 TASK 6-1 INFORMATION SYSTEM AND ENVIRONMENT CHANGES 7.1.1 TASK 7.1.2 Primary Responsibility 7.1.3 Supporting Roles 7.1.4 System Development Life Cycle Phase 7.1.5 Supplemental Guidance 7.1.6 References 7.2 TASK 6-2 ONGOING SECURITY CONTROL ASSESSMENTS 7.2.1 TASK 7.2.2 Primary Responsibility 7.2.3 Supporting Roles 7.2.4 System Development Life Cycle Phase 7.2.5 Supplemental Guidance 7.2.6 References 7.3 TASK 6-3 ONGOING REMEDIATION ACTIONS 7.3.1 TASK 7.3.2 Primary Responsibility 7.3.3 Supporting Roles 7.3.4 System Development Life Cycle Phase 7.3.5 Supplemental Guidance 7.3.6 References 7.4 TASK 6-4 CRITICAL UPDATES 7.4.1 TASK 7.4.2 Primary Responsibility 7.4.3 Supporting Roles 7.4.4 System Development Life Cycle Phase 7.4.5 Supplemental Guidance 7.4.6 References 7.5 TASK 6-5 SECURITY STATUS REPORTING 7.5.1 TASK 7.5.2 Primary Responsibility 7.5.3 Supporting Roles 7.5.4 System Development Life Cycle Phase 7.5.5 Supplemental Guidance 7.5.6 References 7.6 TASK 6-6 ONGOING RISK DETERMINATION AND ACCEPTANCE 7.6.1 TASK 7.6.2 Primary Responsibility 7.6.3 Supporting Roles 7.6.4 System Development Life Cycle Phase 7.6.5 Supplemental Guidance 7.6.6 References 7.7 TASK 6-7 INFORMATION SYSTEM REMOVAL AND DECOMMISSIONING 7.7.1 TASK 7.7.2 Primary Responsibility 7.7.3 Supporting Roles 7.7.4 System Development Life Cycle Phase 7.7.5 Supplemental Guidance 7.7.6 References 7.8 Milestone Checkpoint #6 8 Footnotes

CHAPTER THREE

THE PROCESS

EXECUTING THE RISK MANAGEMENT FRAMEWORK TASKS

As an overall comment I find that the blocks of text making up these tasks are too dense and need to be broken up into shorter, more targetted segments. NIST SP 800-53r3 made excellent use of exploding out lists which had previously been embedded in paragraphs (e.g., (i) ..., (ii) ..., etc.). Reading security documents is often difficult for people who feel overwhelmed trying to link the different data elements into a comprehensive picture. Good writing practice and formatting can make reading dense guidance wording easier, much as good writing and formatting can make reading source code easier. Dan Philpott 04:10, 8 December 2009 (UTC)

APPLICATION OF THE RISK MANAGEMENT FRAMEWORK

In the line "Execution of the RMF tasks by common control providers, both internal and external to the organization, helps to ensure that the security capabilities provided by the common controls can be inherited by information system owners with a known degree of assurance." The issue here is the reference to a known degree of assurance. How is the degree of assurance known? Often organizations have no insight into the security operations of a common control provider or information system from which controls are inherited. To state that the degree of assurance is known may not be accurate. At best the degree of assurance can be estimated based on the level of trust one has in the controls provider, but trust is an inherently unmeasurable quality. Recommend restating "common controls can be inherited by information system owners with an appropriate level of trust."

3.1 RMF STEP 1 - CATEGORIZE INFORMATION SYSTEM

TASK 1-1 SECURITY CATEGORIZATION

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 1-2 INFORMATION SYSTEM DESCRIPTION

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 1-3 INFORMATION SYSTEM REGISTRATION

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

Milestone Checkpoint #1

3.2 RMF STEP 2 - SELECT SECURITY CONTROLS

TASK 2-1 SECURITY CONTROL SELECTION

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 2-2 COMMON CONTROL IDENTIFICATION

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 2-3 MONITORING STRATEGY

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 2-4 SECURITY PLAN APPROVAL

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

Milestone Checkpoint #2

3.3 RMF STEP 3 - IMPLEMENT SECURITY CONTROLS

TASK 3-1 SECURITY CONTROL IMPLEMENTATION

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 3-2 SECURITY CONTROL DOCUMENTATION

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

Milestone Checkpoint #3

3.4 RMF STEP 4 - ASSESS SECURITY CONTROLS

TASK 4-1 ASSESSMENT PREPARATION

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 4-2 SECURITY CONTROL ASSESSMENT

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 4-3 SECURITY ASSESSMENT REPORT

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

Milestone Checkpoint #4

3.5 RMF STEP 5 - AUTHORIZE INFORMATION SYSTEM

TASK 5-1 REMEDIATION ACTIONS

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 5-2 PLAN OF ACTION AND MILESTONES

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 5-3 SECURITY AUTHORIZATION PACKAGE

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 5-4 RISK DETERMINATION

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 5-5 RISK ACCEPTANCE

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

Milestone Checkpoint #5

3.6 RMF STEP 6 - MONITOR SECURITY CONTROLS

TASK 6-1 INFORMATION SYSTEM AND ENVIRONMENT CHANGES

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 6-2 ONGOING SECURITY CONTROL ASSESSMENTS

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 6-3 ONGOING REMEDIATION ACTIONS

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 6-4 CRITICAL UPDATES

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 6-5 SECURITY STATUS REPORTING

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 6-6 ONGOING RISK DETERMINATION AND ACCEPTANCE

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

TASK 6-7 INFORMATION SYSTEM REMOVAL AND DECOMMISSIONING

TASK

Primary Responsibility

Supporting Roles

System Development Life Cycle Phase

Supplemental Guidance

References

Milestone Checkpoint #6

Footnotes