The Risk Management Framework (RMF) published by the National Institute of Standards and Technology (NIST) was our main focus in CSOL 530. The RMF is a widely used and accepted risk management process, required of federal agencies and adopted by many government-affiliated organizations, because it gives a repeatable set of steps for assessing and mitigating risk. Its seven steps are:

1. Prepare. Identify the key risk management roles and the common controls the organization provides. The risk management strategy is established and sets the level of risk the organization is willing to accept.

2. Categorize. Determine the impact (low, moderate, or high) of a loss of confidentiality, integrity, and availability (CIA). NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, and FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, are the guidelines used to categorize the system; the system's category for each objective is the highest impact level (the high-water mark) among the information types it handles. Miscategorizing a system results in over-protecting it (wasted effort and cost) or under-protecting it (unaddressed risk).

3. Select. A security and privacy control baseline matching the system's categorization is selected and then tailored to the system. NIST SP 800-53 rev 5, Security and Privacy Controls for Information Systems and Organizations, is the control catalog; its controls are organized into twenty control families (eighteen in rev 4), and the low, moderate, and high baselines drawn from it are defined in NIST SP 800-53B.

4. Implement. Implement the selected controls and document, typically in the system security plan, how each control is implemented. For example, the Access Control (AC) family contains base controls such as Account Management (AC-2) and Separation of Duties (AC-5). Both fall under Access Control, but each specifies more precisely what must be controlled.

5. Assess. The security control assessor (SCA) plans and executes the assessment to determine whether the controls are implemented correctly and operating as intended, and documents the findings in a security assessment report (SAR).

6. Authorize. A plan of action and milestones (POA&M) details the remediation plan for the controls the SAR found deficient. The authorization package (system security plan, SAR, and POA&M) is assembled and submitted to the authorizing official for an authority to operate (ATO).

7. Monitor. Continuously monitor the system and its controls and update the POA&M as new vulnerabilities and weaknesses are discovered.
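The Categorize step in working form, as an added example that is not part of the original page or of any NIST publication. It applies the FIPS 199 high-water mark across a system's information types and derives the overall impact level that drives baseline selection in the Select step. The information types and provisional impact levels for the payroll system are constructed assumptions for this example, not values looked up in SP 800-60.

```python
# Added example (not from the original page): FIPS 199 security
# categorization of a system using the high-water mark, which feeds
# the Categorize step and the choice of SP 800-53 baseline in Select.
from dataclasses import dataclass

# Impact levels defined by FIPS 199, ordered so max() picks the worst.
IMPACT_RANK = {"LOW": 1, "MODERATE": 2, "HIGH": 3}


@dataclass(frozen=True)
class InformationType:
    """One information type the system handles, with its provisional
    impact level for each security objective (C, I, A)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def high_water_mark(levels):
    """Highest impact level among the given levels (FIPS 199 aggregation)."""
    levels = list(levels)
    for lvl in levels:
        if lvl not in IMPACT_RANK:
            raise ValueError(f"unknown impact level {lvl!r}; expected LOW, MODERATE or HIGH")
    return max(levels, key=IMPACT_RANK.__getitem__)


def categorize(info_types):
    """Security category of a system: for each objective, the high-water mark
    across every information type the system stores, processes or transmits."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    return {
        "confidentiality": high_water_mark(t.confidentiality for t in info_types),
        "integrity": high_water_mark(t.integrity for t in info_types),
        "availability": high_water_mark(t.availability for t in info_types),
    }


def overall_impact(category):
    """Overall impact level (FIPS 200): high-water mark across the three
    objectives. This is what selects the low, moderate or high baseline."""
    return high_water_mark(category.values())


def sc_string(system_name, category):
    """Render the category in the notation FIPS 199 uses."""
    inner = ", ".join(f"({obj}, {lvl})" for obj, lvl in category.items())
    return f"SC {system_name} = {{{inner}}}"


# Constructed sample for a payroll system. Names and provisional levels are
# illustrative assumptions for this example, not values taken from SP 800-60.
PAYROLL_TYPES = [
    InformationType("public pay-scale tables", "LOW", "LOW", "LOW"),
    InformationType("employee direct-deposit details", "MODERATE", "MODERATE", "LOW"),
    InformationType("pay-run schedule", "LOW", "MODERATE", "MODERATE"),
]


if __name__ == "__main__":
    full = categorize(PAYROLL_TYPES)
    print(sc_string("payroll system", full), "->", overall_impact(full), "baseline")
    # Leaving the direct-deposit data out of the inventory drops confidentiality
    # to LOW: the system would be under-protected for exactly the data an
    # attacker wants, even though the overall baseline stays MODERATE.
    partial = categorize([t for t in PAYROLL_TYPES if "direct-deposit" not in t.name])
    print(sc_string("payroll system (incomplete inventory)", partial),
          "->", overall_impact(partial), "baseline")
```

The second run illustrates the miscategorization caveat: an incomplete information inventory does not always change the overall baseline, but it silently lowers the per-objective category that tailoring and control enhancements key off, which is how a system ends up under-protected.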
Reflection
Learning the Risk Management Framework (RMF) throughout CSOL 530 was challenging but beneficial because you learn how to adjust and overcome challenges. Going through all the steps was a valuable learning lesson because I had to do in-depth research on each identified asset. The asset I identified to implement RMF on was a payroll system. Although a payroll system may not be as critical as the power grid or national security, it provides the fundamentals to understand each step. Once I learned how to use RMF, I was fortunate to earn a position that uses RMF. I would implement it on multiple systems and assets at work and ensure I complete all the steps. I would review each asset and utilize the NIST publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, and FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, as guidelines to categorize the system. When selecting the control baseline, I would utilize the NIST publication 800-53 rev 5, Security and Privacy Controls for Information Systems and Organizations, including eighteen different security controls. Once I have thoroughly selected each security control and explained the reasoning, I will submit it to my Information System Security Manager (ISSM). The information I learned in this course has benefited my line of work directly because I use it to improve the organization's level of security.