RMF Step 2: Selecting Security Controls
- Kie Yavorsky
- Jul 12, 2024
- 10 min read
In Step 2, the RMF team selects the final security control set for a DoD system based on the system categorization established in Step 1. The security control baselines that correspond to each categorization are defined in CNSSI 1253, "Security Categorization and Control Selection for National Security Systems," with further discussion and detail in DoDI 8510.01, "Risk Management Framework (RMF) for DoD Information Technology (IT)."
The following RMF Team Members participate in selecting security controls:
- Authorizing Official (AO)
- Information Systems Security Manager (ISSM) or Information System Security Officer (ISSO), if assigned
- Information System Owner (ISO)
- Program Manager
- Additional personnel as designated by Component leadership
The process for selecting security controls begins by aggregating the controls specified in table D-1 in Appendix D of CNSSI 1253 based on the security categorization of the system (i.e., the values determined for each security objective [confidentiality, integrity, and availability]). The security control explorer page also contains the same security controls as those in CNSSI 1253.
Security control overlays provide additional security controls, remove security controls, or provide more guidance on security controls, which can be combined with the security control baseline values in CNSSI No. 1253 and NIST SP 800-53 to create a combined set of security controls tailored to a specific system. Selecting and applying security control overlays is accomplished using the unique guidance in the standardized, approved, and CNSS-published overlays.
The KS page provides more information on overlays.
The RMF team might have to tailor or modify a control set in response to an increase in risk from threat or vulnerability changes, or in response to variations in risk tolerance. After tailoring, the resulting set of security controls is known as the tailored control set.
Tailoring must be consistent with the environmental and operational aspects of the system, and the RMF team should work with mission owners and user representatives to align their tailoring choices with operational considerations. For example, security controls may only be added or removed based on risk-based determinations by the RMF team.
RMF team members should document the tailoring decisions, including the reasons for those decisions, in the security plan for the system.
The ISO or PM/SM must account for every selected control. If an organization does not implement a selected control from an overlay or baseline, then the ISO or PM/SM must document the rationale for not implementing the controls in the security plan and POA&M.
The tailoring process may include any of the following: applying scoping guidance to the initial set of security controls; selecting or specifying compensating controls deemed more feasible to implement; or specifying organization-defined parameters in the security controls via explicit assignment and selection statements.
If necessary, add controls or control enhancements to the tailored set to satisfy local conditions, such as the operating environment, organization-specific security requirements, specific threat information, cost-benefit analyses, or special circumstances. Risk assessments conducted in accordance with NIST SP 800-30, "Guidelines for Conducting Risk Assessments," drive the decision to supplement the tailored baseline security control set with additional controls or enhancements.
There may be residual risks not adequately addressed by the tailored control set; these may be addressed by supplementing the security controls (see NIST SP 800-30). In addition, in many cases, specific threats to or vulnerabilities in an NSS, or the requirements of public laws, Executive Orders, directives, policies, standards, or regulations, will warrant additional security controls or control enhancements (see NIST SP 800-30).
Whether the tailored control set suits a particular environment depends heavily on the risk assessment results.
An organization should select compensating controls from the NIST SP 800-53 Security Controls Catalog to reduce risk to an established tolerance level.
Inherited Common or Hybrid Security Controls:
Security controls inherited from one or more sources are identified on the inherited common controls page as Inherited Common controls, or as Hybrid controls if the control is only partially inheritable.
Document the Final Security Control Set:
The RMF team must document the security controls set and the supporting rationale for the selection and use restrictions in the security plan. In addition, the security plan must identify all common controls inherited from external providers and establish minimum assurance requirements for those controls.
Overlay Application and Selection
Overlays provide supporting information, control enhancements, and additional tailoring guidance beyond the security control baseline specifications. Overlays may be more or less stringent than the security control baselines and can be applied to numerous information systems. The standardized control specifications that communities of interest publish as overlays address the requirements and circumstances of their unique systems and scenarios. Overlays may reduce the need for ad hoc tailoring of security controls, but they do not eliminate it. A single system might also require multiple overlays.
A standard baseline may include or exclude security controls based on overlays. The security plan must document subtracted security controls, but they must not be recorded in the POA&M; the security plan records security controls subtracted via an overlay as N/A. Integrating controls from the baseline and from overlays produces a combined control set. When the RMF team tailors a system, conflicting guidance may result from applying multiple overlays and removing security controls. For security controls added during tailoring, the RMF team must include an explanation in the comment column of the security plan.
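The merge described above, as an added example that is not part of the original article and not code from CNSS, NIST or the DoD: it combines a baseline with several overlays and a set of risk-based tailoring decisions, records subtracted controls as N/A for the security plan rather than the POA&M, refuses tailoring entries that lack a rationale, and flags the conflict case where one overlay adds a control that another removes instead of letting overlay order silently decide. The control identifiers are real NIST SP 800-53 IDs, but the baseline membership, the overlay definitions and the tailoring decisions are constructed for illustration and do not reproduce CNSSI 1253 Table D-1 or any published CNSS overlay.

```python
"""Combine a security control baseline, overlays and tailoring decisions.

Added example; the data below is constructed and is not a real CNSSI 1253
baseline or a CNSS-published overlay.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Overlay:
    name: str
    adds: set[str] = field(default_factory=set)
    removes: set[str] = field(default_factory=set)
    guidance: dict[str, str] = field(default_factory=dict)  # control -> extra guidance


@dataclass
class Tailoring:
    """Risk-based tailoring decisions; each entry maps a control to its rationale."""
    adds: dict[str, str] = field(default_factory=dict)
    removes: dict[str, str] = field(default_factory=dict)


def select_controls(baseline: set[str], overlays: list[Overlay], tailoring: Tailoring):
    """Return (selected_controls, plan_rows, conflicts).

    plan_rows are security-plan records (control, status, source, comment).
    conflicts lists controls that one overlay adds and another removes; they are
    left out of the selected set and marked CONFLICT for the RMF team to resolve.
    """
    added_by = {c: o.name for o in overlays for c in o.adds}
    removed_by = {c: o.name for o in overlays for c in o.removes}
    conflicts = sorted(c for c in added_by if c in removed_by)

    selected = set(baseline)
    rows = {c: (c, "selected", "baseline", "") for c in baseline}

    for c in conflicts:
        selected.discard(c)
        rows[c] = (c, "CONFLICT", f"overlay:{added_by[c]} adds, overlay:{removed_by[c]} removes",
                   "resolve before documenting the final control set")

    for o in overlays:
        for c in o.adds - set(conflicts):
            # Already-selected controls keep their source; overlay guidance is attached.
            source = rows[c][2] if c in selected else f"overlay:{o.name}"
            selected.add(c)
            rows[c] = (c, "selected", source, o.guidance.get(c, rows.get(c, ("", "", "", ""))[3]))
        for c in o.removes - set(conflicts):
            # Subtracted controls are documented as N/A in the plan, never in the POA&M.
            selected.discard(c)
            rows[c] = (c, "N/A", f"overlay:{o.name}", o.guidance.get(c, ""))

    for c, why in tailoring.adds.items():
        if not why.strip():
            raise ValueError(f"tailoring add of {c} has no documented rationale")
        selected.add(c)
        rows[c] = (c, "selected", "tailoring", why)
    for c, why in tailoring.removes.items():
        if not why.strip():
            raise ValueError(f"tailoring removal of {c} has no documented rationale")
        selected.discard(c)
        rows[c] = (c, "N/A", "tailoring", why)

    return selected, sorted(rows.values()), conflicts


# Constructed sample data (hypothetical baseline and overlays, not CNSS-published ones).
BASELINE = {"AC-2", "AC-3", "AU-2", "IA-2", "SC-7"}
OVERLAYS = [
    Overlay("space-platform-hypothetical", adds={"SC-8"}, removes={"PE-3"},
            guidance={"PE-3": "no physical access to the platform once deployed (constructed)"}),
    Overlay("classified-hypothetical", adds={"PE-3", "AC-2"},
            guidance={"AC-2": "account management for cleared personnel only (constructed)"}),
]
TAILORING = Tailoring(
    adds={"SI-4": "threat information for this enclave requires monitoring (constructed)"},
    removes={"AU-2": "compensating audit capability inherited from the hosting enclave (constructed)"},
)


def run_example():
    """Run the merge on the constructed data and return its results."""
    return select_controls(BASELINE, OVERLAYS, TAILORING)


if __name__ == "__main__":
    selected, rows, conflicts = run_example()
    print("selected:", sorted(selected))
    print("conflicts to resolve:", conflicts)
    for row in rows:
        print(" | ".join(row))
```

The conflict on PE-3 is the case the paragraph warns about: the space overlay removes it while the classified overlay adds it, so the code withholds it from the final set and records a CONFLICT row rather than picking a winner. The security-plan rows double as the documentation the article requires: every N/A entry carries the overlay or tailoring rationale that justified the subtraction.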
NSS Specific Overlays Established Under CNSSI 1253
The CNSS creates, reviews, approves, and releases overlays. The CNSS website is the CNSS' official source for NSS overlays. It is where downloadable copies of the approved and published overlays can be found. The list of available overlays includes the following:
- Cross Domain Solutions
- Space Platform
- Intelligence (FOUO)
- Classified Information
- Privacy
A good approach to Information Security Continuous Monitoring (ISCM)
Risk management, part of the system development life cycle process described in RMF, is integrated with security. That process includes ongoing monitoring of an organization's security architecture and security program. It is critical to monitor an organization's security architecture and security program to ensure that its operations remain within a reasonable level of risk, even after changes occur. When resources are limited and time is of the essence, timely, relevant, and accurate information is crucial. It is critical to remember that all security controls, including operational and management controls, must be regularly evaluated for effectiveness, even if monitoring these controls cannot be automated or is difficult.
ISCM aims to maintain awareness of enterprise security risks and their potential mitigation strategies in order to support risk mitigation decisions, such as prioritizing the security responses that drive down vulnerabilities in Department of Defense information systems, networks, and data.
An up-to-date view of information security risks across an organization is complicated and multifaceted. ISCM provides commanders and other leaders with security status or risk scores for a single system, a collection of systems, a core business process, or the entire organization. Using sensor data originating at Tier 3 (systems, networks, and missions) and from affiliated organizations across the DoD Information Network, ISCM provides cross-Tier cybersecurity risk awareness that supports mission success and system configuration. This knowledge informs the selection of courses of action and keeps systems configured correctly and continually, so that mission assurance can be achieved.
It's not enough to monitor constantly.
Continuous monitoring is a key part of the risk management process, but it alone does not provide a comprehensive enterprise-wide risk management approach. Circular A-130 and the risk management concepts in FISMA require that the explicit approval and acceptance of risk be made by an AO on an ongoing basis. Both technical and non-technical security control assessments are considered when making risk-based decisions. As such, continuous monitoring does not replace the security authorization requirement for DoD information systems and PIT systems. Rather, continuous monitoring is integrated into a comprehensive, risk-management-based information security strategy that is part of the enterprise architecture and the software development life cycle. In conjunction with a risk-based approach, a security lifecycle-based approach can also include a continuous monitoring program. The risk-based decisions made by AOs are influenced by the continuous monitoring program's existence, as it is a consideration in the security authorization decisions. In addition, FISMA requires continuous monitoring to be performed at least once per year to assess the security controls.
System-Level Continuous Monitoring
An RMF-approved system-level strategy must include a plan for annually assessing a subset of security controls and the degree of independence required of the assessor (e.g., ISSM or SCA). The strategy should also address the system's security categorization, its threats, and the rigor of assessment. The SCA should be a key participant in its development.
The system-level strategy must fully meet the information security continuous monitoring requirements and recommendations in NIST SP 800-137 and SP 800-137A. As a result, a more robust continuous monitoring capability at the system level is required, and it must comply with all published DoD enterprise or DoD Component continuous monitoring strategies to ensure that all planned, required, and deployed security controls remain effective over time in light of inevitable changes.
The system-level continuous monitoring strategy involves the AO and other proper officials reviewing, on an ongoing basis, the security status of the system (including the effectiveness of security controls employed within and inherited by the system) to determine whether the risk to organizational operations, asset protection, individuals, and other organizations is still acceptable. The ISSM, in cooperation with other appropriate personnel (e.g., information system security engineers, system administrators, and cybersecurity service providers), is responsible for continuously monitoring DoD Component information systems and PIT systems for security-relevant events and configuration changes that negatively impact security posture.
The AO (or designee) reviews and approves the security plan and system-level continuous monitoring strategy proposed by the ISO or PM/SM. The AO agrees to the system categorization, and the security controls proposed to satisfy the system's security requirements by approving the security plan. The level of effort required to complete the remaining steps in RMF and the security specification for the system, subsystems, and components being acquired will be based on the approval of the security plan. Milestone B of RMF should be approved before the design and development request for proposals is issued. If the security plan is deemed unacceptable, it should be returned to the ISO or PM/SM for appropriate action. The approval of the security plan must be recorded in the security plan.
A deficient security plan will not adequately guide the system developer in building the system, the system administrator in starting the system, the assessment team in testing the system's compliance with the controls, or the system's capacity to resist or record intrusions.
The AO-approved system-level continuous monitoring strategy determines how to continuously monitor all the selected security controls. The strategy must include the following specifications and a rationale for setting those parameters:
- Criticality of the security control to maintaining the system's cybersecurity posture
- Frequency of monitoring each security control (or control element)
- Method of monitoring (manual, automated, or semi-automated)
- Reporting channels and mechanisms (to whom and how quickly, based on criticality)
- Tracking and resolution (promptly, to meet criticality concerns)
Maintaining a high frequency of monitoring of critical security controls is usually impossible through manual or semi-automated methods. Therefore, critical security controls must usually be automated or semi-automated to achieve a high frequency of monitoring.
The Plan of Action and Milestones (POA&M) is used to track non-compliant or ineffective security controls, but updating the POA&M and sending such updates to authorities can be a laborious process. In addition, the POA&M is usually not dynamic enough to track the fast actions associated with identifying, analyzing, and fixing the more significant security controls in real time. Therefore, real-time risk management requires more responsive reporting and tracking methods.
The demand for continuous monitoring tools and processes will grow over the forthcoming years as the Pentagon outlines a strategy for its enterprise continuous monitoring program. At present, however, it may only be possible to monitor some of the selected security controls, or to monitor them less often than desired. Even with a minimal continuous monitoring program, the subset of security controls most critical to sustaining the cybersecurity posture at a reasonable level of risk must be identified and monitored. This is why all continuous monitoring programs (regardless of how basic or developed) receive approval from the AO in conjunction with the security plan. As continuous monitoring capabilities become more proficient, the Pentagon may be granted continuous authorization.
Authorization Approaches
NIST SP 800-37 describes three methods for securing and authorizing systems. Organizations must be mindful of system interconnections and business partnerships when selecting a method.
Authorization with a Single AO
A senior leadership official is held responsible and accountable for the system and must also accept security risks that may impact organizational operations, assets, individuals, and other organizations.
Authorization with Multiple AOs
In this approach, multiple officials from the same or different organizations have an interest in authorizing a system. As a result, multiple AOs are jointly responsible and accountable for the system and for the security risk it may pose to the organization's operations and assets, individuals, other organizations, and the nation.
Leveraging of an Existing Authorization
In this final approach, the DoD Component AO accepts some or all of the information in an existing security authorization package generated by another federal agency or another DoD Component (the "owning organization") in order to use the same information resources (such as a system, or services provided by the system). The DoD Component AO reviews the owning organization's security authorization package to determine the risk to the leveraging DoD organization before accepting the authorization. DoD policy requires the reciprocal acceptance of existing DoD and other US Government agency and department system authorizations, and the leveraging DoD organization must reuse the artifacts that contributed to the original authorization decision as much as possible.