ConvoCourses

Cyber Security Compliance and IT Jobs

RMF Lesson Learned

October 30, 2014 by Bruce Brown

Speaking from my own experience, these are my biggest lessons learned from working on large RMF projects:

  • Know the risks of the system
  • Know the impact if the system goes down
  • Fit the RMF controls to the system
  • Keep all stakeholders in the loop

Know the risks of the system.  As you go into an RMF project you should get to know the system and/or network environment well enough to understand not only the functions of the system and its assets, but where the known and potential vulnerabilities are.  You will also need to research the most likely threats, both internal and external to the system.  Once you know the basic characteristics and functionality of the system, the vulnerabilities of its assets, and the threats most likely to exploit those vulnerabilities, you can determine the risk, qualitatively or quantitatively (NIST SP 800-30 is the guide for this).  The number you arrive at is not permanent: a new vulnerability, a new threat, or a change to the system changes it.

Lesson I learned:  Risk assessment is a continuous process.

What is the impact if the system goes down.  Once you have an idea of the risks to the assets, consider the impact to the organization and/or mission if the system's confidentiality, integrity or availability is compromised.  How long can the system lose connectivity?  What happens when availability is lost, and who is contacted?  Who is the POC if secrets are leaked?  What is the most important thing to protect on the system?  Is availability more important than confidentiality and integrity, or the other way around?  Focus on the value of the data to the customer and to the data owner.  That value, expressed as a low, moderate or high impact for each of confidentiality, integrity and availability, is what drives the security categorization of the system.

Lesson I learned:  Knowing the value of the data is the key to understanding the system itself and what needs to be protected.

 

Fit the RMF controls to the system.  Once you know the system's asset characteristics, vulnerabilities, most likely threats, and the impact if the system goes down, you will have a much better idea of which controls will actually be useful.  You will have a solid argument for WHY certain controls can be tailored out while others must be met, AND you will know the security posture and the security categorization of the system.  The categorization comes from the Information System Owner.  Security professionals can make recommendations, but we are not the decision makers; we don't own the system, so it is not our call.  YES, we are sometimes called upon to help make a decision or even develop a recommendation, but the final decision is in the hands of the System Owner.  The categorization (low, moderate or high for confidentiality, integrity and availability) tells you how important each of those properties is for the data, which makes it much easier to select the NIST SP 800-53 baseline and tailor it.  Tailoring is not the same as skipping: a control that is removed or replaced needs a documented reason (it is not applicable, a compensating control covers the risk, or the System Owner accepts the residual risk), because the assessor and the Authorizing Official will ask for it.  Once you know which controls are needed to mitigate the known vulnerabilities, you have armed yourself with facts to take to the others involved in the project.

Lesson I learned:  The goal is not to apply every security control, but to make the system secure.

Keep all stakeholders in the loop.  Who are the stakeholders?  They are the individuals and organizations with a vested interest in the success of the project as a whole.  The term stakeholders is not always used: sometimes it is called the RMF Team, and it used to be called the DIACAP Team.  Whatever you call it, this group includes but is not limited to: the System Owner, Information System Officer, Information System Security Manager, Information System Security Officer, technical staff, and user representative.

The Information System Owner is the person (or people) controlling the budget of the project.  They are usually too busy to attend every meeting, but without them there may be no political will to continue.  They are sometimes represented by the user representative, who is mostly concerned with maintaining the functionality of the system as security controls are applied.  The Information System Security Manager (ISSM) manages the work of the Information System Security Officer (ISSO) and makes recommendations to the system owner and/or the upper management that controls the budget.  Sometimes the ISSO and the ISSM are the same person.  The ISSO works directly with the technical staff to apply security controls or to produce and find the security artifacts that serve as evidence that the controls are in place.  The technical staff might consist of a system administrator, a system security engineer, a network/firewall engineer, or whoever is going to be applying the security controls on the system.

Lesson I learned:  The more the stakeholders know about what is going on, the better.

How do you tell the RMF stakeholders what they need to know?

Meetings, webcasts, one on one, emails, or some combination of all of them.  Be straightforward and realistic with all parties involved.  For example, if there is a need for an approved enterprise firewall that will cost no less than 10,000 USD, don't sugar-coat that fact by telling them they can get a cheap firewall from Best Buy.  Be honest about how much time the RMF process will take.  It is a lot of work, and a lot of the time depends on others getting you the right documentation, so factor that into the total time.  If you don't know, find out.  Do your homework so that you can tell the team the details of the project, what is driving the need for the RMF, and the impact if it is not completed.

Lastly (and this is important) make sure the team knows that you are on their side.  They need to know that you are part of the team and want to enable the functionality in a secure way.  For some reason, some security professionals don't care about customer service and want to bite the hand that feeds them.  You can give good service and good security.  In other words, you can be a security pro without being a DICK!

Filed Under: NIST Security Framework, risk management Tagged With: diarmfs, rmf, RMF Lesson Learned
