Cybersecurity Compliance in Defense
Considering the DoD Risk Management Framework (RMF)
Dennis W. G. Hackney, B.A., M.B.A., Ph.D., CISSP, CMMC-RP

In this module we will cover:
• The foundational defense cybersecurity compliance processes, beginning with the RMF
• Organization-wide risk management principles
• Key roles in the DoD RMF process
• Important activities to be performed in RMF

The RMF is a risk-based compliance process
• NIST provides non-DoD-specific guidance using SP 800-37R2
• The NIST SP 800-37R2 will provide a process overview
• DoDI 8510.01 will provide DoD-specific considerations
• Next, we’ll quickly review the RMF process steps

NIST SP 800-37R2 RMF Process
NIST RMF is a 7-step process

Prepare according to SP 800-37R2
“Prepare to execute the RMF from an organization- and a system-level perspective by establishing a context and priorities for managing security and privacy risk.”

Categorize according to SP 800-37R2
“Categorize the system and the information processed, stored, and transmitted by the system based on an analysis of the impact of loss.”

Select according to SP 800-37R2
“Select an initial set of controls for the system and tailor the controls as needed to reduce risk to an acceptable level based on an assessment of risk.”

Implement according to SP 800-37R2
“Implement the controls and describe how the controls are employed within the system and its environment of operation.”

Assess according to SP 800-37R2
“Assess the controls to determine if the controls are implemented correctly, operating as intended, and producing the desired outcomes with respect to satisfying the security and privacy requirements.”

Authorize according to SP 800-37R2
“Authorize the system or common controls based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the Nation is acceptable.”

Monitor according to SP 800-37R2
“Monitor the system and the associated controls on an ongoing basis to include assessing control effectiveness, documenting changes to the system and environment of operation, conducting risk assessments and impact analyses, and reporting the security and privacy posture of the system.”

NIST RMF, Remember…
• We’ve just completed an overview of each of the RMF steps.
• Remember, NIST works with DoD and other Federal agencies to produce standards that can be applied consistently throughout the government.
• While both the NIST SP 800-37R2 and DoDI 8510.01 define the RMF, NIST is more generic guidance while DoDI is specific to the Military.
• In the upcoming slides, we’ll explain concepts using NIST and then specific DoD requirements following those NIST concepts.

NIST RMF Organization (1/3)
Security and privacy risk management is organization-wide, as displayed in this image from NIST SP 800-37R2.

NIST RMF Organization (2/3)
• Organization – All systems inherit a common set of controls from this level.
• Mission/Business Process – Only systems in this process inherit from the organization and from this set of controls.
• Information System – Each system inherits controls from the organization, its mission, and then a tailored set depending on the individual requirements of the system.
NIST RMF Organization (3/3)
• Preparing for the RMF requires many inputs, to name a few:
  • Representation from Level 1 and Level 2
  • An understanding of the information types in Level 3
  • The overall technology strategy and modernization initiatives for information systems
  • Assigning roles and responsibilities and identifying stakeholders
  • Establishing risk management strategy and risk tolerance
  • … following the RMF process!

DoD RMF Governance (DoDI 8510.01)
Risk management activities are synchronized and integrated across the IT lifecycle and logical and organizational entities.

DoD RMF Refresher (DoDI 8510.01)
DoD RMF is a 6-step process

Step 1: CATEGORIZE System (1/2)
• Requires the use of Committee on National Security Systems Instruction (CNSSI) 1253 to “Categorize” the Information System (IS) or Platform IT (PIT) system
• Define the system and boundary in a Security Plan
• Register the system according to the DoD component (i.e., set up in eMASS)
• Assign the qualified RMF Roles (PM/SM, ISO, IO, Mission Owners, ISSM, SCA, AO)
Notes: CNSSI_No1253.pdf (dcsa.mil) is not required reading for this course. It provides a preset list of NIST 800-53 controls based on system designations, i.e., CIA ratings.

Step 1: CATEGORIZE System (2/2)
• RMF Roles Defined
  • PM/SM. Program Manager/System Manager
  • ISO. Information System Owner
  • IO. Information Owner
  • Mission Owners
  • ISSM. Information System Security Manager
  • SCA. Security Control Assessor
  • AO. Authorizing Official from the DoD Component

Step 2: SELECT Security Controls
• Common Control Identification (CCI)
  o Risk-based and provided by Tier 1 and Tier 2 levels
• Select security controls and tailor
  o Based on the IS or PIT system categorization
  o Considers criteria such as Tactical, PIT, Personally Identifiable Information, Cross-domains, and Classified information
• Develop system-level continuous monitoring strategy (CMS)
• Review and approve security plan and CMS
  o ISO or PM/SM submits
  o AO approves if the proposed security requirements are met or rejects if not

Step 3: IMPLEMENT Security Controls
• Implement security controls using technical guidance
  o Security Technical Implementation Guide (STIG)
  o Security Requirements Guide (SRG)
• Security solutions consistent with DoD Component Cybersecurity Architectures
  o DoD Component is the “owning organization”
• Common controls can be inherited by hosting or connected systems

Step 4: ASSESS Security Controls
• Develop and approve Security Assessment Plan (SAP)
  • Ensure interoperability and supportability
  • Ensure reuse and maximize efficiency and effectiveness
• SCA assesses security controls
  • Record compliance status
  • Assign severity to vulnerabilities (non-compliant controls)
  • Establish risk level
• SCA prepares the Security Assessment Report (SAR)
• Conduct initial remediation actions

Step 5: AUTHORIZE System
• Prepare the Plan of Action and Milestones (POA&M)
  • Developed by the ISO or PM/SM
  • Maintained throughout the system lifecycle
  • Tracked by the AO
  • Must be executed and milestones met to maintain authorization
• Submit Security Authorization Package to AO
  • Includes the security plan, SAR, and POA&M
• AO conducts final risk determination
• AO makes authorization decision
  • Responses can be Authorization to Operate (ATO), Interim Authorization To Test (IATT), or Denial of ATO (DATO)
  • Can be 3 years if risk is not “Very High” or “High”; otherwise an Authorization Termination Date (ATD) of less than 3 years is set

Step 6: MONITOR Security Controls
• Determine impact of changes to the system and environment
  • ISSM monitors, assesses changes, and reports risk-level changes to the AO
• Assess selected controls annually
  • Annual review of a required subset of controls to ensure continued compliance
• Conduct needed remediation (based on monitoring)
• Update security plan, SAR, and POA&M
• Report security status to AO
  • AO reviews reported status
• Implement system decommissioning strategy

Summary
• NIST provides non-DoD-specific guidance, SP 800-37R2
• DoDI 8510.01 will provide DoD-specific considerations
• The DoD RMF is made up of 6 steps (7 for NIST)
• Security and privacy risk management is organization-wide
• Risk management includes 3 levels (Tiers) ranging from strategic to tactical (system-specific) elements
• Know the DoD RMF Steps

Cybersecurity Compliance in Defense
Considering the Cybersecurity Maturity Model
Dennis W. G. Hackney, B.A., M.B.A., Ph.D., CISSP, CMMC-RP

In this module we will cover:
• The Cybersecurity Maturity Model Certification Model
• CMMC Accreditation Body and Ecosystem
• Federal Contract Information and Controlled Unclassified Information
• The CMMC Assessment Process
Note: This course has not been endorsed by the CMMC AB and is not affiliated with the CMMC AB at this time. The instructor of this course is a CMMC Registered Practitioner, and authorized to consult on the CMMC. The information offered in this section is publicly available and can be found on the Web. If your organization is seeking CMMC training, refer to the CMMC Marketplace for more information about CMMC and a listing of Licensed Training Providers.
CMMC Program has Multiple Dimensions
• An Accreditation Body (CMMC AB) certifies CMMC Third Party Assessment Organizations (C3PAOs)
• CMMC is a cost-effective approach for smaller companies, and scalable to larger companies
• Built on FAR 52.204-21 & DFARS 252.204-7012 as well as NIST SP 800-171 and SP 800-172
• Maturity-based process including 3 Levels (CMMC V2)
• Will be gradually introduced in DoD contract solicitations over the next few years

CMMC Model
Image reference: https://www.acq.osd.mil/cmmc/about-us.html

CMMC Accreditation Body and Ecosystem
• Organizations Seeking Certification (OSC)
• Certified Professionals, Assessors (CP & CA)
• CMMC 3rd Party Assessment Organizations (C3PAO)
• Registered Practitioner (RP)
• Registered Practitioner Organization (RPO)
• Master Instructors (MP)
• Licensed Training Providers (LTP)
• Licensed Partner Publishers (LPP)
Image reference: https://cmmcab.org/

Federal Contract Information (FAR 52.204-21)
• Information,
• not intended for public release,
• provided by or generated for the Government
• under a contract
• to develop or deliver a product or service to the Government

Controlled Unclassified Information (Executive Order 13556)
• CUI Executive Agent (EA) is the National Archives and Records Administration (NARA)
CUI is “information the Government creates or possesses, or that an entity creates or possesses for or on the behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information”

CMMC Assessments
• Four types of assessments
  • Level 1 = Annual self-assessment (FCI)
  • Level 2 type 1 = Annual self-assessment for select (CUI) programs
  • Level 2 type 2 = Triennial C3PAO for national security information
  • Level 3 = Triennial government-led assessments
Note: At this time the CMMC rules are under development and these assessment guidelines are subject to change

CMMC Requirements Summarized
• Access Control (AC)
  • L1=4, L2=18
• Awareness & Training (AT)
  • L2=4
• Audit & Accountability (AU)
  • L2=9
• Configuration Management (CM)
  • L2=9
• Identification & Authentication (IA)
  • L1=2, L2=9
• Incident Response (IR)
  • L2=3
• Maintenance (MA)
  • L2=6
• Media Protection (MP)
  • L1=1, L2=8
• Personnel Security (PS)
  • L2=2
• Physical Protection (PE)
  • L1=4, L2=2
• Risk Assessment (RA)
  • L2=3
• Security Assessment (CA)
  • L2=4
• System and Communications Protection (SC)
  • L1=2, L2=14
• System and Information Integrity (SI)
  • L1=4, L2=3
https://www.acq.osd.mil/cmmc/docs/ModelOverview_V2.0_FINAL2_20211202_508.pdf

CMMC Assessments
This is the instructor’s depiction of the CMMC assessment process. There isn’t a published depiction at this time. All levels follow the same general process, while the numbers of requirements and the assessors will be different.
• Define Scope (FCI/CUI/critical national security)
• Implement Security Requirements (L1, L2, L3)
• Document: Report of Compliance (L1), System Security Plan (L2&L3), POA&M (L1, L2, L3)
• Request/Perform Assessment (Self-attestation, C3PAO, or Government Official)
• Register Results in Supplier Performance Risk System (SPRS)
• Reassessment (Annual, Triennial, Level Increases)

Summary
• The CMMC is a maturity-based assessment model
• CMMC AB and Ecosystem are made up of multiple different organizations to support commercial companies contracting to the DoD
• L1 is aligned to FCI while L2 is aligned to CUI; Level 3 is under development
• The assessment process utilizes a cost-effective approach, including self-assessment, C3PAO, or Government assessors, depending on contract requirements

Cybersecurity Compliance in Defense
Contrasting and Comparing DoD RMF and the CMMC in Regulation and Practice
Dennis W. G. Hackney, B.A., M.B.A., Ph.D., CISSP, CMMC-RP

In this module we will cover:
• Simplified view of DoD RMF versus CMMC V2
• Divergence in Requirements
• Regulations and Other Influences
• Risk Assessment Considerations (Lessons Learned V. Industry Maturity)
• Cybersecurity Compliance in Practice

RMF versus CMMC V2: Process versus Practice
DoD RMF is a 6-Step Government Assessment and Authorization Process
CMMC V2 is a 3-Level Maturity 3rd Party Certification Process

RMF versus CMMC: Target Audience Expectations
• Both processes fall back on the NIST SP 800-53 controls
• NIST controls are designed to be applied to Federal Information Systems
• SP 800-53R5 comprises 20 control families and 1189 controls with enhancements!
• Let’s take a look at the totals on the next slide.
For more information: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

RMF versus CMMC: The Numbers Say It All

Family                                                      800-53.5   800-171.2
ACCESS CONTROL                                                   147          22
AWARENESS AND TRAINING                                            17           3
AUDIT AND ACCOUNTABILITY                                          69           9
ASSESSMENT, AUTHORIZATION, AND MONITORING                         32           4
CONFIGURATION MANAGEMENT                                          66           9
CONTINGENCY PLANNING                                              56           0
IDENTIFICATION AND AUTHENTICATION                                 70          11
INCIDENT RESPONSE                                                 42           3
MAINTENANCE                                                       30           6
MEDIA PROTECTION                                                  30           9
PHYSICAL AND ENVIRONMENTAL PROTECTION                             59           6
PLANNING                                                          17           0
PROGRAM MANAGEMENT                                                37           0
PERSONNEL SECURITY                                                18           2
PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY   21           0
RISK ASSESSMENT                                                   26           3
SYSTEM AND SERVICES ACQUISITION                                  145           0
SYSTEM AND COMMUNICATIONS PROTECTION                             162          16
SYSTEM AND INFORMATION INTEGRITY                                 118           7
SUPPLY CHAIN RISK MANAGEMENT                                      27           0
Total                                                           1189         110

Divergence in Requirements: Quick Summary with History
• DoD 5200.28 (The Orange Book) included a “Commercial Product Evaluation Process” in 1985
  • Applied to DoD information systems, “Trusted Computer Systems”
  • Evaluations for COTS typically focused on DoD info., not non-DoD info.
• However, DoD systems were being designed and built by non-DoD companies.
  • Companies that attempted the requirements were not able to meet them due to expense and lack of expertise
  • The DoD could not enforce the requirements on non-DoD systems; there was no regulation
• While the DoD cybersecurity process matured, there was still the question, “how do we apply this to non-DoD information systems?”

Divergence in Requirements: Enter “CUI”
• Executive Order 13556 established CUI on November 4, 2010.
• Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST SP 800-171, was published in April 2015
• Part 2002 of 32 Code of Federal Regulations prescribed Government-wide implementation standards on September 14, 2016.
• DoD Instruction 5200.48, “Controlled Unclassified Information,” established DoD CUI policy on March 6, 2020.

Risk Assessment Considerations (1/2)
• In theory, cybersecurity risk assessments are used to determine control implementation strategy.
  • …the higher the risk, the more stringent the control implementation!
• Both RMF and CMMC require risk assessments to be completed.
  • …but control selection is pretty much already done!
• From week 1 we recall that the RMF references CNSSI 1253 while CMMC V2 relies on FCI and CUI controls (i.e., SP 800-171)!
• If assessing the risk is so important, why don’t companies get to do it?

Risk Assessment Considerations (2/2)
• … why don’t companies get to do the risk assessment?
• Answer: Delegation of authority has caused subjectivity, confusion, and poorer security.
• Therefore, the Federal Government defines the information and the impacts, consequences, and severities if breaches of confidentiality, integrity, or availability occur!
• There are still some risk assessment considerations, i.e., whether an AO accepts a risk.
  • We’ll discuss that more in a later module.

Cybersecurity Compliance in Practice
• DoD RMF is a “6-Step” process and CMMC V2 is a “3-Level” maturity model
• Steps are important in the DoD because there are 1000’s of controls, many different DoD components, DoD information at stake (including classified), and the Government controls the certification process
• Whereas in the CMMC, the contract specifies the Maturity Level (ML) to attain and the CMMC AB controls the certification process
• In practice, for both processes we focus on assessing the implementation of controls to measure success.
  • That’s compliance!
Summary
• Both the RMF and the CMMC reference NIST SP 800-53 controls
• RMF has over 1000 possible controls while the CMMC V2 is under 200
• DoD RMF process has matured for over 45 years!
• CUI was defined in 2010 and the first CMMC-like process began in 2015 (SP 800-171 first release)
• In both RMF and CMMC the information risk assessments have already been done.
• CMMC AB manages the certification process, while in the RMF the Government manages the process.