Risk Management Framework: A Lab-Based Approach to Securing Information Systems
By James Broad
About this ebook
The RMF allows an organization to develop an organization-wide risk framework that reduces the resources required to authorize a system's operation. Use of the RMF helps organizations maintain compliance not only with FISMA and OMB requirements; it can also be tailored to meet other compliance requirements such as the Payment Card Industry Data Security Standard (PCI DSS) or Sarbanes-Oxley (SOX). With the publication of NIST SP 800-37 Revision 1 in 2010 and the move of the Intelligence Community and Department of Defense to modified versions of this process, clear implementation guidance is needed to help individuals implement the process correctly. No other publication covers this topic in the detail provided in this book or provides hands-on exercises that reinforce the topics. Examples in the book follow a fictitious organization through the RMF, allowing the reader to follow the development of proper compliance measures. Templates provided in the book allow readers to quickly implement the RMF in their organization. The need for this book continues to expand as government and non-governmental organizations build their security programs around the RMF. The companion website provides access to all of the documents, templates and examples needed not only to understand the RMF but also to implement this process in the reader's own organization.
- A comprehensive case study from initiation to decommission and disposal
- Detailed explanations of the complete RMF process and its linkage to the SDLC
- Hands on exercises to reinforce topics
- Complete linkage of the RMF to all applicable laws, regulations and publications as never seen before
Reviews for Risk Management Framework
2 ratings, 1 review
- Rating: 1 out of 5 stars. Do not purchase this book. The promised labs and additional materials do not appear on the companion website.
Book preview
Risk Management Framework - James Broad
Risk Management Framework
A Lab-Based Approach to Securing Information Systems
James Broad
Aaron (AJ) Mitchneck, Technical Editor
Table of Contents
Cover image
Title page
Copyright page
Dedication
Acknowledgments
About the Author
Technical Editor
Companion Website
Chapter 1: Introduction
Book Overview and Key Learning Points
Book Audience
The Risk Management Framework (RMF)
Why This Book Is Different
A Note about National Security Systems
Book Organization
Part 1
Introduction
Chapter 2: Laws, Regulations, and Guidance
Abstract
Chapter Overview and Key Learning Points
The Case for Legal and Regulatory Requirements
Legal and Regulatory Organizations
Laws, Policies, and Regulations
National Institute of Standards and Technology (NIST) Publications
Chapter 3: Integrated Organization-Wide Risk Management
Abstract
Chapter Overview and Key Learning Points
Risk Management
Risk Management and the RMF
Components of Risk Management
Multi-tiered Risk Management
Risk Executive (Function)
Chapter 4: The Joint Task Force Transformation Initiative
Abstract
Chapter Overview and Key Learning Points
Before the Joint Task Force Transformation Initiative
The Joint Task Force Transformation Initiative
Chapter 5: System Development Life Cycle (SDLC)
Abstract
System Development Life Cycle (SDLC)
Traditional Systems Development Life Cycle (SDLC)
Traditional SDLC Considerations
Agile System Development
Chapter 6: Transitioning from the C&A Process to RMF
Abstract
Chapter Overview and Key Learning Points
C&A to RMF
The Certification and Accreditation (C&A) Process
Introducing the RMF (A High-Level View)
Transition
Chapter 7: Key Positions and Roles
Abstract
Chapter Overview and Key Learning Points
Key Roles to Implement the RMF
Part 2
Introduction
Chapter 8: Lab Organization
Abstract
Chapter Overview and Key Learning Points
The Department of Social Media (DSM)
Organizational Structure
Risk Executive (Function)
Chapter 9: RMF Phase 1: Categorize the Information System
Abstract
Chapter Overview and Key Learning Points
Phase 1, Task 1: Security Categorization
Phase 1, Task 2: Information Systems Description
Common Control Providers
Phase 1, Task 3: Information System Registration
Chapter 9 Lab Exercises: Information System Categorization
Chapter 10: RMF Phase 2: Selecting Security Controls
Abstract
Chapter Overview and Key Learning Points
Selecting Security Controls
Chapter 10 Lab Exercises: Selecting Security Controls
Chapter 11: RMF Phase 3: Implementing Security Controls
Abstract
Chapter Overview and Key Learning Points
Phase 3, Task 1: Security Control Implementation
Phase 3, Task 2: Security Control Documentation
Chapter 11 Lab Exercises: Implementing Security Controls
Chapter 12: RMF Phase 4: Assess Security Controls
Abstract
Chapter Overview and Key Learning Points
Assessing Security Controls
Chapter 12 Lab Exercises: Assessing Security Controls
Chapter 13: RMF Phase 5: Authorizing the Information System
Abstract
Chapter Overview and Key Learning Points
Phase 5, Task 1: Developing the Plan of Action and Milestones (POA&M)
Phase 5, Task 2: Assembly of the Authorization Package
Phase 5, Task 3: Determining Risk
Phase 5, Task 4: Accepting Risk
Chapter 13 Lab Exercises: Authorizing the Information System
Chapter 14: RMF Phase 6: Monitoring Security Controls
Abstract
Chapter Overview and Key Learning Points
Phase 6, Task 1: Monitoring Information System and Environment Changes
Phase 6, Task 2: Ongoing Security Control Assessment
Phase 6, Task 3: Ongoing Remediation Actions
Phase 6, Task 4: Updating the Security Documentation
Phase 6, Task 5: Security Status Reporting
Phase 6, Task 6: Ongoing Risk Determination and Acceptance
Phase 6, Task 7: System Removal and Decommissioning
Chapter 14 Lab Exercises: Monitoring Security Controls
Chapter 15: The Expansion of the RMF
Abstract
Chapter Overview and Key Learning Points
The Transition to the RMF
Future Updates to the RMF Process
Using the RMF with Other Control Sets and Requirements
Conclusion
Appendix A: Answers to Exercises in Chapters 9 through 14
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Chapter 13
Chapter 14
Appendix B: Control Families and Classes
Appendix C: Security Control Assessment Requirements
NIST SP 800-53A Assessment Methods
Security Control Baseline Categorization
CNSSI 1253 Baseline Categorization
New Controls Planned in Revision 4
FedRAMP Controls
SP 800-53 Security Controls to HIPAA Security Rule
PCI DSS Standards
Appendix D: Assessment Method Definitions, Applicable Objects, and Attributes
Glossary
Common Acronyms in this Book
References
Index
Copyright
Acquiring Editor: Chris Katsaropoulos
Development Editor: Heather Scherer
Project Manager: Malathi Samayan
Designer: Matthew Limbert
Syngress is an imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA
Copyright © 2013 Elsevier, Inc. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions
This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.
Library of Congress Cataloging-in-Publication Data
Broad, James.
Risk management framework : a lab-based approach to securing information systems / James Broad.
pages cm
Includes bibliographical references and index.
ISBN 978-1-59749-995-8 (alkaline paper) 1. Computer security–Government policy–United States. 2. Information technology–Security measures–United States. 3. Electronic government information–Security measures–United States. 4. Risk management–Government policy–United States. 5. Information technology–United States–Management. I. Title.
QA76.9.A25B72 2013
005.8–dc23
2013016641
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.
ISBN: 978-1-59749-995-8
Printed in the United States of America
13 14 15 12 11 10 9 8 7 6 5 4 3 2 1
For information on all Syngress publications, visit our website at www.syngress.com
Dedication
This book is dedicated to my family.
To my wife, Dee, and my children, Mike and Temara, thank you for your endless support while I spent too many sunny days in front of a computer.
To my sisters, Mary, Teresa, and Lisa, thank you for helping me become the person I am today.
To my father, thank you for showing me anything is possible.
Loaded logging trucks always have the right of way.
— Ed Broad
Acknowledgments
I would like to thank many people who contributed to the writing and publishing of this book.
To Heather and all of the staff at Syngress, thank you for your patience as this first-time author shifted the delivery dates of his book all over the calendar. Your help and guidance have been truly monumental. I have learned so much from all of you throughout this process.
To Dr. Ron Ross and the staff of the National Institute of Standards and Technology (NIST), the Joint Transformation Task Force, and the Committee on National Security Systems (CNSS), thank you for providing such extensive documentation on this subject. Your publications provided the foundation for this book, and in many instances I have quoted from them. Your devotion to information security and information assurance is remarkable.
To Steven Rodrigo, thank you for all the knowledge you have shared with me. Short conversations over coffee and in the hallways have enlightened and informed me more than you will ever know. Your insights on the topics in this book are remarkable. Keep up the good fight.
To those in my past who set me on the path I am on today, thank you all. Of special note are Charles Parker, an Army executive officer who took a young combat arms NCO off the line and put him in front of a computer, and Derrol Trippet, Deputy Director for Information Management, who set me on a full-time information assurance/security career. Thank you both for giving me a chance.
Thank you to the CAT team. You know who you are, and I could not think of a better group to work with.
About the Author
James Broad (CISSP, C|EH, CPTS, Security +, MBA) is the President and owner of Cyber-Recon, LLC, where he and his team of consultants specialize in Information Security, Information Assurance, Certification and Accreditation and offer other security consultancy services to corporate and government clients. As a security professional with over 20 years of real-world IT experience, James is an expert in many areas of IT security, specializing in security engineering, penetration testing, vulnerability analysis and research. He has provided security services in the nation’s most critical sectors including defense, law enforcement, intelligence, finance and healthcare.
Technical Editor
Aaron (AJ) Mitchneck (Security+, C|EH, MCT, MCP, CSM) works as a Structured Query Language database administrator (SQL DBA) and information technology (IT) security engineer. He is currently contracted in Sierra Vista, Arizona, helping to develop and maintain security policies and standards and ensuring compliance throughout the organization.
As an IT and security professional for more than fifteen years, AJ has experience in security engineering and penetration testing, as well as standards and compliance for the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and the Risk Management Framework (RMF).
Companion Website
This book has companion material including all of the referenced materials, extended exercises for each chapter, templates and examples of the RMF documents, as well as updates to the book. Please visit www.cyber-recon.com to register and download the files.
Chapter 1
Introduction
Table of Contents
Book Overview and Key Learning Points
Book Audience
The Risk Management Framework (RMF)
Why This Book Is Different
A Note about National Security Systems
Book Organization
Information in this Chapter:
• Book overview and key learning points
• Book audience
• Introduction to the risk management framework (RMF)
• How this book is organized
Book Overview and Key Learning Points
This book’s goal is to provide a basic understanding of the Risk Management Framework (RMF) as it pertains to the systems development life cycle (SDLC) of federal IT systems and to provide guidance on how to use this understanding during the development, assessment, and continuous monitoring of those systems. The book discusses the RMF process in terms of its six phases, which allows the reader to develop a full understanding of how each phase influences and leads to the next. This framework provides a structured process that allows organizations to comply with a number of laws, regulations, and policies, including the Federal Information Security Management Act (FISMA).
The information provided in this book is culled from many diverse government documents, including laws, standards, regulations, and other forms of guidance, that together make up the IT security governance structure for federal IT systems. The book is designed to be used as a resource for experienced security and assurance professionals as well as to provide awareness and training for those security professionals who are new to the federal information security environment.
The risk management framework represents an evolution in the process of developing secure systems, validating them, and ultimately authorizing those systems to operate in a production environment. The RMF consolidates what used to be multiple security frameworks for multiple IT systems into a single security framework. Once fully implemented in an organization, the RMF enables faster and less expensive information system authorizations through a repeatable process that stresses early identification, engineering, inheritance, and implementation of required security controls. By authorizing a system under the RMF, senior officials of an organization accept the risks that operating that system introduces to the organization as a whole. This change, from accepting risks as they impact a single system to accepting risks introduced to the overall organization, is driven by FISMA and has been guided by the National Institute of Standards and Technology (NIST) as part of the Joint Task Force Transformation Initiative. The mission of this task force was to create a unified framework for conducting risk evaluations and authorizations of systems using a single process, thus reducing the number of processes used to validate the security and compliance of systems and framing the risk of approving a system in the context of risk to the overall organization. The success of this group's work is evident in the transition of the government away from several different processes, standards, guidance documents, and frameworks to the single RMF and its associated support documentation.
With only slight enhancement and tailoring, the RMF has become the single standard for all federal information systems, including those of the Department of Defense (DoD) and the intelligence community (IC), groups that in the past had separate and distinct processes for validating the security and compliance of a system and for accepting the risks of operating it.
Book Audience
Correctly implementing the RMF within the federal government requires input and deliverables from people in a number of different professions across a wide range of specialties. This book is designed to provide information to technical, administrative, and management professionals, providing a unique approach to the RMF as it pertains to each of these different types of readers.
Management professionals can use this information to track system development within the RMF, ensuring that systems are developed in compliance with regulatory requirements and security concerns. In every federal organization, members of senior management are now responsible for ensuring the security and compliance of information systems.
Administrative professionals, including mission and business professionals associated with tier 2 of the organizational risk management program, can use their understanding of the RMF to develop more structured and overarching policies and programs. These can then be applied to individual systems as common controls, removing the need for individual system developers to provide controls by providing them at a higher level in the organization. This is less costly than developing and managing multiple versions of these programs and policies.
Technical professionals are required to develop and manage information systems that meet both federal compliance and security requirements. Understanding the RMF will help these individuals build, manage, and dispose of information systems in line with this guidance. By understanding the framework and the controls required for specific systems, technology professionals can ensure that security is built into systems early on in the SDLC rather than added to them as an afterthought. This creates a more secure system and reduces the cost of securing the system and maintaining regulatory compliance.
The Risk Management Framework (RMF)
The risk management framework, or RMF, was developed by NIST and is defined in NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. This publication details the six-phase process that allows federal IT systems to be designed, developed, maintained, and decommissioned in a secure, compliant, and cost-effective manner. The framework provides cost savings by promoting reuse and reciprocity of information system approvals and inheritance of organizationally authorized and approved common controls. The requirement for continuous monitoring is a significant improvement over the older four-phase certification and accreditation (C&A) process, which in practice evaluated a system at a single point in time. The more structured and robust RMF process increases compliance and security by requiring near-real-time monitoring of the IT system over its entire lifetime. Figure 1-1 illustrates the phases of the old C&A process and the phases of the new RMF process.
Figure 1-1
Why This Book Is Different
Some books describe how the RMF is structured and provide general examples of documents, processes, and procedures required at each phase. This book not only covers these basics but also walks the reader through each phase of the RMF using the example of the development of an information system in a fictitious national organization. This gives exceptional insight into how the RMF can best be used to secure systems, ensure compliance, and increase efficiency. Following the development of an organizational system through the book provides the reader with a clear understanding of how each phase links to the next, the needed inputs and outputs, as well as required references. Key points from each phase are reinforced and highlighted. Diagrams, figures, and charts are simplified to provide a solid understanding of the material presented.
A Note about National Security Systems
While the RMF is used as a standard framework for approving an information system's operational status, some phases differ for systems that have been identified as national security systems (NSS). These systems are normally operated by members of the IC or DoD. NIST SP 800-59, Guideline for Identifying an Information System as a National Security System, outlines the process used to make that determination and should be consulted to decide whether or not a system is an NSS. Throughout the six phases of the RMF as explained in this book, it is assumed that the systems being processed through the RMF are not NSS. The differences in authorizing NSS are covered in greater detail later in the book.
Book Organization
This book is divided into two parts, each of which focuses on different components that support the understanding and use of the Risk Management Framework. Part I covers the basics of compliance, including the laws and regulations that mandate the use of security controls, procedures, and processes for federal IT systems using the RMF, as well as the processes and procedures that led to the development of the RMF. Also covered are the history of certification and accreditation, its evolution into the RMF, and the integration of the RMF into the SDLC for federal IT systems. Readers familiar with these information security topics may want to begin with Part II and use Part I as a reference.
Chapter 2, Laws, Regulations, and Guidance, provides a high-level overview of the laws and regulations that have been enacted to ensure that federal systems maintain the proper security profile and compliance status for protecting federal government-related information and information systems. It covers FISMA and FISMA2, the Paperwork Reduction Act of 1995, the Clinger-Cohen Act, and the requirements set forth by the Office of Management and Budget (OMB). This chapter also introduces the role of NIST in relation to these laws and requirements. The chapter closes by presenting the systems that must comply with these laws and regulations as well as those systems that may be exempt from fully complying with these requirements or may have different requirements to follow.
One of the major benefits of the RMF is ensuring that risk is addressed at the organizational level. Only by understanding high-level organizational risk can new systems be evaluated to ensure that they do not introduce unnecessary risk to the organization as a whole. The risk executive (function), a position that is fully explained in Chapter 7, Key Positions and Roles, is highlighted in Chapter 3, Integrated Organization-Wide Risk Management, as is the basic process for evaluating the information, physical, and personnel security risks introduced by a new system implementation. Organizational risk assessments are key tools used by authorizing officials (AOs) in reaching the authorization decision for new information systems.
The Joint Task Force Transformation Initiative (JTF TI) is introduced in Chapter 4. This task force is responsible for expanding the RMF into new areas of the federal government, which will reduce unneeded duplication of effort and define a single framework standard. This chapter explains how JTF TI expanded the RMF into the IC and is expanding into the DoD.
Understanding the systems development life cycle is crucial to understanding how the RMF is aligned with and supports the SDLC. Chapter 5, The Systems Development Life Cycle (SDLC), explains the five phases of the SDLC as defined by NIST (initiation, development/acquisition, implementation/assessment, operation and maintenance, and disposal) and how they are consistent with the RMF. The chapter concludes by explaining how this process is used by system developers to ensure that system development is conducted according to the project plan and is consistent with user requirements.
Chapter 6, Transitioning from the C&A Process to RMF, covers the outdated four-phase certification and accreditation life cycle. The C&A process, replaced by the RMF, focused on evaluating the security and compliance of information systems at a single point in time.
Chapter 7, Key Positions and Roles, defines the key positions required to successfully implement the RMF. Each position is clearly defined and responsibilities are delineated and explained. The positions run the gamut from senior executive staff to hands-on technical experts and administrators who ensure that the systems are developed correctly and securely.
Part II delves deeper into the phases of the RMF itself, with each of the six phases covered in detail in its own chapter. Part II also introduces the Department of Social Media (DSM), the fictional organization that is used for the exercises in this book. Part II concludes with a summary of the way ahead for the RMF, including proposed changes that expand the use of the RMF throughout the DoD and the IC.
Chapter 8, Lab Organization, introduces the fictitious Department of Social Media (DSM). This organization is used to demonstrate the effective implementation of each phase of the RMF. The chapter explains the mission of the DSM and the organizational chart that defines the leadership and program management teams. The organizational chart is intentionally limited to those positions that normally participate in or provide input for one or more phases of the RMF. This chapter also introduces the system that is being developed, its sponsor, its mission, and the information that will be processed.
Chapter 9, Phase 1: System Categorization, discusses the first phase of the RMF, with a focus on categorizing the information system by investigating the information types that the system is being developed to support. This includes