National Industrial Security Program (NISP) Risk Management Framework (RMF): Cybersecurity Overview

Slide Note
Embed
Share

The presentation delves into the NISP RMF, a risk-based cybersecurity approach focusing on Authorization to Operate decisions, residual risk, and compliance with security controls. It highlights the roles of Authorizing Officials, Government Contracting Agents, and security teams in ensuring a secure defense industrial base. Various components such as NISP Connection Process Guide, eMASS, and CCRI are discussed within the context of cyber risk and compliance in defense information systems.

fredrick
fredrick Follow

Uploaded on Jul 15, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. UNCLASSIFIED UNCLASSIFIED NATIONAL INDUSTRIAL SECURITY PROGRAM (NISP) PROTECTIONAND DEFENSEOF INFORMATION SYSTEMSINTHE DEFENSE INDUSTRIAL BASE Presented by: Alexander Hubert, CISSP, Eastern Region Authorizing Official (AO) UNCLASSIFIED

  2. UNCLASSIFIED UNCLASSIFIED Agenda Abstract Meet Us! DCSA NAO Office DCSA RAO and Staff Cybersecurity Tool Set NISP RMF Implementation Regional RMF Workload Cyber Risk Cyber Compliance Contrast Cyber Risk and Cyber Compliance Conclusion References Questions and Discussion DEFENSE COUNTERINTELLIGENCE AND SECURITY AGENCY 2 UNCLASSIFIED

  3. UNCLASSIFIED UNCLASSIFIED Abstract Risk Management Framework (RMF) is a risk-based approach to cybersecurity. Authorization to Operate decisions are based on residual risk and Authorizing Official (AO) risk appetite. Operational need is considered with push note from Government Contracting Agent (GCA). 32 CFR Part 117 is law; compliance is mandatory. Part 117.18 directs compliance with Information System Security. DoDM 5220.32 Volume 1 is informational to industry and implements policy, assigns responsibilities, establishes requirements, and provides procedures, consistent with Executive Order (E.O.) 12829, (Manual 5220.32 Volume 1), and E.O. 10865, for the protection of classified information that is disclosed to, or developed by contractors, licensees, and grantees (referred to in this manual as contractors) of the U.S. Government (USG). RMF security controls are implemented in accordance with RMF implementation guidance as outlined in NIST SP 800-53r4 Non-compliance with an RMF security control will drive a Plans of Action and Milestone (POAM) document and determination of residual risk If the non-compliant control references a compliance item in 32 CFR Part 117, then that finding becomes an administrative finding or vulnerability Team work makes the dream work! DCSA ISSPs work together with Contractor ISSMs to ensure a complete and accurate site picture and enable a risk-based Authorization to Operate decision. Also responsible for security oversight during security reviews and onsite assessments DEFENSE COUNTERINTELLIGENCE AND SECURITY AGENCY 3 UNCLASSIFIED

  4. UNCLASSIFIED UNCLASSIFIED The DCSA Cybersecurity Team NAO Office National Industrial Security Program (NISP) Authorization Office (NAO) Responsible for execution of NISP Risk Management Framework (RMF) DCSA Assessment & Authorization Process Manual (DAAPM) NISP Connection Process Guide (in draft) Internal Security Operating Manuals Internal Instruction Quality Assurance & Consistency Field support, policy interpretation and guidance Interconnection Agreements, Memorandum of Understanding (MOU/MOA) Army SAP oversight NISP Enterprise Mission Assurance Support Service (eMASS) NISP Assessment & Authorization Metrics DCSA Command Cyber Readiness Program (CCRI) Government & Industry stakeholder engagements DEFENSE COUNTERINTELLIGENCE AND SECURITY AGENCY 4 UNCLASSIFIED

  5. UNCLASSIFIED UNCLASSIFIED The DCSA Cybersecurity Team RAO & Staff Regional Authorizing Officials (AO) - direct report to Regional Directors; appointed officials responsible for authorization of NISP classified systems Supervisory Team Leads (TL) direct report to Regional AO; manage respective ISSP workload; Quality Assurance on ATO packages Cyber Team Leads (5) Lead Command Cyber Readiness Inspections (CCRIs) Cybersecurity SME Information System Security Professionals (ISSP) RMF Security Control Assessors (SCAs) Security Reviews Onsite Assessments Administrative Inquiries (AI) i.e. classified data spills Command Cyber Readiness Inspection (CCRI) Certified Technical Reviewers (Network, Operating System, End Point Security, Insider Threat, Vulnerability Scanning) Electronic Communication Plan (ECP); FOCI Mitigation Stakeholder Engagement (local working groups, training, guidance) DEFENSE COUNTERINTELLIGENCE AND SECURITY AGENCY 5 UNCLASSIFIED

  6. UNCLASSIFIED UNCLASSIFIED Cybersecurity Tool Set DEFENSE COUNTERINTELLIGENCE AND SECURITY AGENCY 6 UNCLASSIFIED

  7. UNCLASSIFIED UNCLASSIFIED NISP RMF Implementation Change Change Analysis Prepare Continuous Monitoring System Decision Authorize Categorize Select Assess GCA (i.e. dd254) Implement Industry Action DCSA Action DEFENSE COUNTERINTELLIGENCE AND SECURITY AGENCY 7 7 UNCLASSIFIED

  8. UNCLASSIFIED UNCLASSIFIED Workload Metrics DEFENSE COUNTERINTELLIGENCE AND SECURITY AGENCY 8 UNCLASSIFIED

  9. UNCLASSIFIED UNCLASSIFIED Let s Change Gears - Cyber Risk DCSA adopts the NISP Enterprise Mission Assurance Support Service (eMASS) as evidence and authorization decision repository for RMF Assess and Authorize process NISP eMASS - https://nisp.emass.apps.mil/Public/SiteAgreement Authorizations: Authorization to Operate (ATO); Authorization to Operate with Conditions (ATO-C); Denial of Authorization to Operate (DATO) DCSA adopts NIST RMF as a common set of guidelines for the Assessment and Authorization (A&A) of Information Systems (ISs) RMF is a risk-based approach to cybersecurity DAAPM guides cleared industry in RMF and NISP eMASS to obtain and maintain an authorization Authorization decision is based on residual risk and Authorizing Official (AO) risk appetite High Residual Risk and High Impact Plans of Actions and Milestones (POAMs) impacts ATO decision AO reserves the right to prohibit granting a full ATO if an RMF package has at least one non-compliant control with a control residual risk level of high or very high DEFENSE COUNTERINTELLIGENCE AND SECURITY AGENCY 9 UNCLASSIFIED

  10. UNCLASSIFIED UNCLASSIFIED Cyber Compliance 32 CFR Part 117 NISPOM Protection of classified information that is disclosed to, or developed by contractors of the U.S. Government (USG) Prescribes industrial security procedures and practices, under Executive Order 12829 or successor orders, to safeguard USG classified information that is developed by or disclosed to contractors of the USG Prescribes requirements, restrictions, and other safeguards to prevent unauthorized disclosure of classified information and protect special classes of classified information Prescribes that contractors will implement the provisions of this rule no later than 6 months from the effective date of this rule DoDM 5220.32 Vol 1 (Informational Only) Those non-DoD executive branch departments and agencies (referred to collectively as the non-DoD Components ) identified in Part 117 of Title 32, Code of Federal Regulations (CFR), also known and referred to in this volume as the National Industrial Security Program Operating Manual (NISPOM). These non-DoD Components have entered into agreements with the Secretary of Defense (SecDef), pursuant to E.O. 12829, under which DoD acts as the CSA, to provide security oversight services to ensure the protection of classified information disclosed to or generated by contractors. DEFENSE COUNTERINTELLIGENCE AND SECURITY AGENCY 10 UNCLASSIFIED

  11. UNCLASSIFIED UNCLASSIFIED Contrast Cyber Risk and Cyber Compliance 32 CFR Part 117 32 CFR Part 117 Mapped to RMF Security Mapped to RMF Security Control Family Control Family Part 117.12 Security Training and Briefings AT Security Awareness and Training Part 117.18 - General Insider Threat and Cognizant Security Agency (CSA)-Issued Guidance Part 117.18 - Information System Security Program AC Access Control; AT Security Awareness and Training; AU Audit and Accountability; CA Security Assessment and Authorization; CM Configuration Management; CP Configuration Planning; IA Identification and Authentication; IR Incident Response; MA Maintenance; MP Media Protection; PE Physical and Environmental Protection; PL Planning; PM Program Management; PS Personnel Security; RA Risk Assessment; SA System and Service Acquisition; SC System and Communications Protection; SI System and Information Integrity Part 117.18 Contractor Responsibilities Certification, Information System Security Manager (ISSM) and Officer (ISSO), IS User Part 117.18 Information System Security Life-Cycle Initial Development, Continuous Awareness, Risk Management Decisions, Reciprocity Part 117.18 Risk Management Framework Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor DEFENSE COUNTERINTELLIGENCE AND SECURITY AGENCY 11 UNCLASSIFIED

  12. UNCLASSIFIED UNCLASSIFIED Conclusion DAAPM v2.2 (and future versions) rule the roost in regards to guidance on how to achieve an ATO in NISP DIB DCSA ISSPs are industry s first line of defense in achieving success. Communicate with these professionals to succeed in achieving an ATO and minimizing vulnerabilities (compliance) RMF is a risk-based approach to cybersecurity; ATO decisions are risk-based Compliance with 32 CFR Part 117 is mandatory and select RMF security controls walk- back to compliance items in 32 CFR Part 117 DoDM 5220.32 Volume 1 is provided for situational awareness; know what the GCA expects of cleared industry! Team with your assigned ISSP for access to authoritative guidance and systems, and communicate, communicate, and communicate to smooth the ATO and compliance process DEFENSE COUNTERINTELLIGENCE AND SECURITY AGENCY 12 UNCLASSIFIED

  13. UNCLASSIFIED UNCLASSIFIED References National Institute of Technology and Standards (NIST) Special Publication (SP) 800-37r2 - Risk Management Framework (RMF) for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy NIST SP 800-53r4 - Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (and) r5 - Assessing Security and Privacy Controls in Information Systems and Organizations NIST SP 800-series: https://csrc.nist.gov/publications/sp 32 CFR Part 117, NISPOM - https://www.dcsa.mil/mc/isd/NISPOM-Rule/ DoDM 5220.32, Vol 1 - NISPOM: Industrial Security Procedures for Government Activities https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/522032v1.PDF?ver=1BFNVqOK XaqdXcO618H-yg%3D%3D DCSA Assessment and Authorization Process Manual v2.2 **Available to cleared contractors processing classified information under the cognizance of DCSA** CNSSI 1253 Security Categorization and Control Selection for National Security Systems - https://www.cnss.gov/CNSS/issuances/Instructions.cfm CNSSD 504 Directive on Protecting National Security Systems from Insider Threat - https://www.cnss.gov/CNSS/issuances/Directives.cfm DEFENSE COUNTERINTELLIGENCE AND SECURITY AGENCY 13 UNCLASSIFIED

  14. UNCLASSIFIED UNCLASSIFIED QUESTIONS? DEFENSE COUNTERINTELLIGENCE AND SECURITY AGENCY 14 UNCLASSIFIED

Related


Understanding Continuous Monitoring in Risk Management Framework (RMF)

Understanding Continuous Monitoring in Risk Management Framework (RMF)

persephone
Comprehensive Airport Cybersecurity Quick Guide and Assessment Tool

Comprehensive Airport Cybersecurity Quick Guide and Assessment Tool

emmitt
National Access Elsewhere Security Oversight Center (NAESOC) Overview

National Access Elsewhere Security Oversight Center (NAESOC) Overview

umair
Understanding Risk Mitigation Functions in Vehicle Control Systems

Understanding Risk Mitigation Functions in Vehicle Control Systems

deva
Ensuring Business Security: Cybersecurity Webinar Insights

Ensuring Business Security: Cybersecurity Webinar Insights

amelia
Cybersecurity Career Path Overview

Cybersecurity Career Path Overview

rusty
Enhancing California's Election Cybersecurity Readiness

Enhancing California's Election Cybersecurity Readiness

mallory
C2M2 Version 2.1 Cybersecurity Model Overview

C2M2 Version 2.1 Cybersecurity Model Overview

giana
Cybersecurity and Supply Chain Risk Management Best Practices

Cybersecurity and Supply Chain Risk Management Best Practices

crew
Understanding Risk Management in Environmental Geography and Disaster Management

Understanding Risk Management in Environmental Geography and Disaster Management

duke
Comprehensive Overview of Security Risk Analysis and Management

Comprehensive Overview of Security Risk Analysis and Management

toula
Which and How of Cybersecurity Frameworks

Which and How of Cybersecurity Frameworks

castor
Project Risk Management Fundamentals: A Comprehensive Overview

Project Risk Management Fundamentals: A Comprehensive Overview

franky
Cybersecurity Risks for Remote CISTAR Facilities Study

Cybersecurity Risks for Remote CISTAR Facilities Study

regulus
Cybersecurity and Supply Chain Risk Management: Best Practices for Procurement

Cybersecurity and Supply Chain Risk Management: Best Practices for Procurement

yousef
Overview of VA Research Support Division Program

Overview of VA Research Support Division Program

ariyah
Cybersecurity Risk Management in K-12 Education: Challenges and Strategies

Cybersecurity Risk Management in K-12 Education: Challenges and Strategies

betsy
Comprehensive Overview of Information Security Risk Assessment

Comprehensive Overview of Information Security Risk Assessment

hereward
Challenges in Cybersecurity Implementation: A Philippine Perspective

Challenges in Cybersecurity Implementation: A Philippine Perspective

shona
Lower Your Patients' Risk of Type 2 Diabetes with CDC's National DPP Lifestyle Change Program

Lower Your Patients' Risk of Type 2 Diabetes with CDC's National DPP Lifestyle Change Program

timur
Comprehensive Overview of Market Risk Management Framework in Financial Institutions

Comprehensive Overview of Market Risk Management Framework in Financial Institutions

anahi
Cybersecurity Entrepreneurship Workshop Highlights

Cybersecurity Entrepreneurship Workshop Highlights

flint
Cybersecurity Challenges: Attacks on Web Applications and Cost of Security Breaches

Cybersecurity Challenges: Attacks on Web Applications and Cost of Security Breaches

hari
Understanding LXI Network Security in Industrial Environments

Understanding LXI Network Security in Industrial Environments

renae

More Related Content

Risk Management Strategies in Organizational Security
Risk Management Strategies in Organizational Security
AEP Enterprise Security Program Overview - June 2021 Update
AEP Enterprise Security Program Overview - June 2021 Update
Adversarial Machine Learning in Cybersecurity: Challenges and Defenses
Adversarial Machine Learning in Cybersecurity: Challenges and Defenses
Cybersecurity Expert Shiva V. Parasram - Profile and Advice
Cybersecurity Expert Shiva V. Parasram - Profile and Advice
Exploring Adversarial Machine Learning in Cybersecurity
Exploring Adversarial Machine Learning in Cybersecurity
Citizen Security and Justice Programme: Case Management for Violence Prevention
Citizen Security and Justice Programme: Case Management for Violence Prevention
Enhancing Cybersecurity in University Research: Insights from SouthEast SECURE Program
Enhancing Cybersecurity in University Research: Insights from SouthEast SECURE Program
Understanding Digital Transformation in the Age of Cybersecurity Insight
Understanding Digital Transformation in the Age of Cybersecurity Insight
Principles of Risk Management in Therapeutic Innovation
Principles of Risk Management in Therapeutic Innovation
Cybersecurity Tabletop Exercise Overview
Cybersecurity Tabletop Exercise Overview
Comprehensive Overview of E-Commerce Application Development and Computer Security
Comprehensive Overview of E-Commerce Application Development and Computer Security
Understanding the Roles of a Security Partner
Understanding the Roles of a Security Partner
National Industrial Security Program Policy Updates April 2021
National Industrial Security Program Policy Updates April 2021
CYBERSECURITY AWARENESS MONTH 2023
CYBERSECURITY AWARENESS MONTH 2023
Instrument human capital cybersecurity mkb bedrijven
Instrument human capital cybersecurity mkb bedrijven
Cybersecurity Industry Call for Innovation (CyberCall)
Cybersecurity Industry Call for Innovation (CyberCall)
REWIRE Cybersecurity Skills Alliance
REWIRE Cybersecurity Skills Alliance
Empowering NNSA Cyber Professionals Through Enterprise Tools and Data Analytics
Empowering NNSA Cyber Professionals Through Enterprise Tools and Data Analytics
Empowering Women in Cyber: CyberFirst Girls Competition
Empowering Women in Cyber: CyberFirst Girls Competition
Cybersecurity and Personal Finance: A Tale of Appily Ever After
Cybersecurity and Personal Finance: A Tale of Appily Ever After
New Risk Management and Internal Audit Framework for Local Councils in NSW
New Risk Management and Internal Audit Framework for Local Councils in NSW
Understanding the Role of Security Champions in Organizations
Understanding the Role of Security Champions in Organizations
Comprehensive Guide to Data Security, Business Continuity, Risk Management, and Disaster Recovery
Comprehensive Guide to Data Security, Business Continuity, Risk Management, and Disaster Recovery
Introduction to Flood Risk Assessment with HEC-FDA Overview
Introduction to Flood Risk Assessment with HEC-FDA Overview