September 19, 2018 at 2:06 pm #169264
Anyone out there dealing with the DoD implementation of the NIST 800-37 RMF? I have been knee deep in it now since it got rolled out and wanted to share some of the insights I have had as I worked with systems to get them authorized under the RMF.
1. Start early – Implementing will take longer than you think. Regardless of whether you already have documentation from the DIACAP days or you have to generate it from scratch, expect it to take a while to get done. The RMF looks at just about all IT-related policies and procedures.
2. Proper categorization – This one I cannot stress enough. Improper categorization can cause no end to grief as you either struggle to implement controls based on the baseline or tailor controls to meet the security requirements for your system. I had a system that the owner insisted be categorized as High for Integrity. This not only added many controls, it added controls that could not be met without significant cost increase to the program due to the nature of the hardware it was working with.
3. Tailor – Tailoring is your friend and gives you the opportunity to really address the uniqueness of your system. The old mindset was to just call a control Not Applicable (NA) if it wasn’t needed. With tailoring, that is no longer needed. You can “remove” controls so long as you properly document the rationale for removing the control. This is also a chance to add controls to address concerns because of the nature of your system. Again, just document the rationale for adding the control. Regardless of what you add or remove, the approval authority needs to sign off on the control set.
4. Assessment – Have everyone available for the assessment that you need. That means having sysadmins and network admins available as well as the system owner. The assessment team is going to want to talk to them and in some cases observe how they do their job.
5. Authorization – It has been my experience that the same folks that assessed and made decisions under DIACAP are still making decisions under the RMF. That means that while you may not think a particular finding or findings are the end of the world, the assessment team and the authorizing official may. Be prepared for that check the box mindset. Take the time between the assessment and the authorization to start knocking items off your POA&M so that when the AO comes back and says you need to do x to get the authorization, you are ahead of the game.
No matter what, don’t stress the RMF. It is, first and foremost, a framework for assessing and managing risk to your system. It serves to help you identify your risks and make the appropriate decisions on how to address those risks whether by transfer, mitigation, or acceptance.
September 20, 2018 at 10:59 pm #169306 MTGreen (Participant)
I appreciate the insights, as I have studied the issues but have not worked on authorizing a system. Criteria for system categorization are covered in FIPS PUB 199, and for a system to be categorized as High your owner would have to show:
“The potential impact is HIGH if—
− The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
AMPLIFICATION: A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.”
I can understand how DoD might have owners who can loosely interpret “major damage to organizational assets” but get some lawyers involved and these terms can get nailed down a little tighter.
I totally agree with your comments on tailoring, narrowing controls, and having proper input for a risk assessment. Observing operations is important, and tangible artifacts demonstrating the expected output of control processes are good if you are talking about an operational system, because they express operations over time.
Thanks for the post, and I have been glad to read your other input as well.
September 21, 2018 at 11:08 am #169313
Yeah, categorizing is an adventure. Start in FIPS 199, but then go to CNSSI 1253, which points you over to NIST SP 800-60 Vol I & II, which then points you back to CNSSI. All the while you do your best to figure out what data the system really is handling and where and how the system will be used, just to figure out if you need to go up or down in the objective. It was fun times, and I wish I had pointed out to the customer that with the legacy equipment we are dealing with, going High on any category would be unattainable. But the customer is always right.
September 21, 2018 at 3:28 pm #169315 MTGreen (Participant)
I appreciate the follow-up. NIST SP 800-60 does make an effort to provide more information, but as you say it points on to other references, and is far from definitive. It does seem that the maintenance of indefinite terms is designed to support the concept that the customer is always right, or the flexibility of system owners. It will be interesting to see how that changes over time.
September 21, 2018 at 6:57 pm #169316
There is one data type that you can always fall back on in the 800-60 series: the general data type. This is a customer defined data type and allows the customer to address any unique conditions or data that their system may handle. And it does go back to the customer is always right.