Monday, June 17, 2019

Week 03 - Demystify First Two Steps of the RMF

TL;DR - Determining the baseline controls to be implemented for the system is half the battle, G.I. Joe.


An explanation of the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) was published on June 10, 2019. This is a follow-up to that post, explaining the processes behind the first two steps of the RMF and how an organization would use them. In epic fashion, the United States (U.S.) federal government, through NIST, did not create a single document for these steps (Categorize and Select Controls) that is simple to understand, but created an exorbitant number of documents to secure information systems. These documents are interconnected, and no single one of them can be explained in isolation for a holistic understanding. The following documents are referenced:



FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, requires that federal government agencies categorize information and information systems. NIST Special Publication (SP) 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, Volumes I & II, is the guideline for establishing the categorization and provides the various information types, their descriptions, and the suggested (provisional) impact level for confidentiality, integrity, and availability of each.

In order to categorize a system, the Mission-Based Information Types and Delivery Mechanisms (NIST SP 800-60, Table 4), Services Delivery Support Functions and Information Types (NIST SP 800-60, Table 5), and Government Resource Management Functions and Information Types (NIST SP 800-60, Table 6) are used to determine which information types exist in, or are supported by, the system. These tables are included for reference:




In addition, the following are considerations when categorizing:
  • Business and mission areas 
  • Indicating whether the information is time-critical in the rationales for assigning availability impact levels 
  • Rationales for assigning information to the General Information Type 
  • Results of reviewing the identified security categorizations for the aggregate of information types 
  • Effects of various factors and circumstances (e.g., data aggregation, critical system functionality, privacy, trade secrets, critical infrastructure, extenuating circumstances) on the system category 

The results of the analysis are documented as in the example table shown below. For each information type, an example explanation is provided to justify the selection of that type. These information types are listed in Step 1 of the table. Step 2 of the table identifies the provisional confidentiality, integrity, and availability categorization of each information type, while Step 3 identifies any adjustments to it. Finally, Step 4 identifies the overall categorization of the system using the “high water mark” across the collection of information types selected from NIST SP 800-60 as noted above.


At this point, the system under review has been categorized. FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, then requires that the minimum security requirements (a.k.a. “Security Controls”) be applied to the system based on that categorization; the controls themselves are located in NIST SP 800-53, Security and Privacy Controls for Systems and Organizations.
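As an added example (not from the original post and not NIST's own tooling), the following Python carries the Step 2 through Step 4 logic described above, plus the FIPS 200 mapping from system category to baseline. The information types, impact levels, and adjustment rationale are constructed for illustration; in practice the provisional levels come from NIST SP 800-60 Volume II.

```python
"""Worked example of RMF Step 1 (FIPS 199 / SP 800-60 categorization) and the
baseline selected in Step 2 (FIPS 200). Information types and impact levels
below are constructed for illustration; real values come from SP 800-60 Vol II."""
from dataclasses import dataclass, field
from typing import Dict, List

OBJECTIVES = ("confidentiality", "integrity", "availability")

# FIPS 199 impact levels, ranked so that max() implements the "high water mark".
# "N/A" is only valid for the confidentiality of public information (FIPS 199).
RANK = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
LEVEL = {rank: level for level, rank in RANK.items()}


@dataclass
class InfoType:
    """One SP 800-60 information type (table Step 1) with its provisional
    impact levels (Step 2) and any justified adjustments (Step 3)."""
    name: str
    provisional: Dict[str, str]
    adjustments: Dict[str, str] = field(default_factory=dict)
    rationale: str = ""

    def levels(self, apply_adjustments: bool = True) -> Dict[str, str]:
        levels = dict(self.provisional)
        if apply_adjustments:
            levels.update(self.adjustments)
        for objective in OBJECTIVES:
            if levels[objective] not in RANK:
                raise ValueError(f"{self.name}: bad level {levels[objective]!r}")
            if levels[objective] == "N/A" and objective != "confidentiality":
                raise ValueError(f"{self.name}: N/A is only allowed for confidentiality")
        return levels


def categorize(info_types: List[InfoType], apply_adjustments: bool = True) -> Dict[str, str]:
    """Step 4: system category = per-objective high water mark over all types.
    FIPS 199 permits N/A only for an information type, not for a system, whose
    objectives must be LOW, MODERATE or HIGH; so a system holding only public
    information still gets confidentiality = LOW."""
    category = {}
    for objective in OBJECTIVES:
        highest = max(RANK[t.levels(apply_adjustments)[objective]] for t in info_types)
        category[objective] = LEVEL[max(highest, RANK["LOW"])]
    return category


def baseline(category: Dict[str, str]) -> str:
    """FIPS 200: the overall system impact level (and so the SP 800-53 baseline,
    LOW / MODERATE / HIGH) is the highest of the three objectives."""
    return LEVEL[max(RANK[level] for level in category.values())]


def fips199_notation(system_name: str, category: Dict[str, str]) -> str:
    """Render the category in the FIPS 199 'SC system = {(objective, impact), ...}' form."""
    pairs = ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES)
    return f"SC {system_name} = {{{pairs}}}"


# Constructed example: three hypothetical information types for a payroll system.
EXAMPLE_TYPES = [
    InfoType("Internal budget reporting (hypothetical)",
             {"confidentiality": "LOW", "integrity": "LOW", "availability": "LOW"}),
    InfoType("Employee personal identity data (hypothetical)",
             {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
             adjustments={"availability": "MODERATE"},
             rationale="payroll must run by a fixed date, so the information is time-critical"),
    InfoType("Published benefits brochures (hypothetical)",
             {"confidentiality": "N/A", "integrity": "LOW", "availability": "LOW"}),
]

if __name__ == "__main__":
    for t in EXAMPLE_TYPES:
        print(f"{t.name}: provisional={t.levels(False)} final={t.levels()}")
        if t.rationale:
            print(f"  adjustment rationale: {t.rationale}")
    category = categorize(EXAMPLE_TYPES)
    print(fips199_notation("payroll system", category))
    print("Availability without the Step 3 adjustment:",
          categorize(EXAMPLE_TYPES, apply_adjustments=False)["availability"])
    print("FIPS 200 baseline to select from SP 800-53:", baseline(category))
```

Running it shows why Step 3 matters: with only the provisional values the system's availability would be LOW, but the documented time-criticality rationale raises it to MODERATE, which in turn makes the MODERATE baseline the one to select from SP 800-53.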

Example of controls to be applied based on its categorization:


Security controls are physical, technical, and/or administrative safeguards or countermeasures to avoid, counteract, or minimize loss or unavailability due to threats that cause risk. Administrative controls are actions taken by people as directed by policy and procedures. Technical controls are carried out or managed by automated systems. These controls are further categorized as preventive, detective, corrective, and compensatory (SANS). It is important to note that NIST SP 800-53 states what the controls are, but allows the organization to define the parameters within each control and how to implement it.

These four documents are the basic building blocks for protecting systems owned by the U.S. federal government. Other connected documents include the System Security Plan (documenting how the controls are implemented) and the risk assessment documents (detailing and explaining the risk to the confidentiality, integrity, and availability of the system and/or data based on how the controls are implemented). Even though controls can be required, it doesn’t mean that they are effective. How the controls are implemented and managed is more important in meeting their intent. Furthermore, each system is different, and a method and/or tool that works for one system may not be the right solution for another. The federal government is moving away from compliance-based assessment of controls toward assessing the effectiveness of the controls and capabilities deployed. This model has been dubbed The Cybersecurity Framework.
