Welcome back to cyber is it's of course. I'm your instructor, Brad Roads 20 to pause here for just a second. So we're still in the implementation slash assessment phase of the system development life cycle. So we're gonna talk specifically about three processes that you should know to that air dead and one that you really ought toe
have some good familiarity with
as an ISI and for the S IP exam.
So we're gonna talk about debts Cap on dia cap. We're gonna talk about the risk management framework. We're gonna talk about risk levels in this video.
So did scab and die a camp. So, back in the day, I'm gonna date myself a little bit. I used to be certified to accredit technologies for the for the Department of Defense For these two things. Ditz cap the original D O d. Information technology security certification and accreditation process. Ditz cap. Say that eight times fast.
And then, of course, the D o D
information assurance, certification and accreditation process. So this cap was first came out in the nineties, was eventually replaced by Dia Cap, and then it was eventually replaced. Dia cap was eventually replaced by the risk management framework, which we're going to touch on.
both did scab on Diet Copper dead.
They're gone right now. Will you, as an ISI, potentially run across systems that were certified and accredited, So see an aid right before the risk management framework came out. And that's Onley documentation. You will have. Yes,
absolutely. 100% correct. That is what you're going to find. Okay. Now the D o. D. And the U. S. Government are working very, very fast and hand in glove with the National Institute for Standards and Technologies to actually move to the risk management framework. And let's
talk about that real quick. So that's what's shown here
on the left hand side. And so you see these steps for the RMF? Categorized the system, select controls, implement, assess authorized monitor and prepares in the middle. You need to memorize this dialogue for the soup exam. I'm just telling you, you need to know that, right? We're going to talk about many of these
special publications from this in our next module,
so don't worry about that. Don't freak out like, Oh, my gosh. You know that we're gonna talk about that super important. But you need to memorize these steps because these are very important. And so there's some really key differences between the risk management framework, the RMF and this gap and die account.
It's on the left hand side. Here is arm F on the right hand side of the key differences is what it used to be.
So we go from static, uh, every few years, annual checks patching and you know, on Leah D o d standard for dis Captain Dia cap to on the left hand side with RMF where we have a dynamic process because we know things change. We do. It's continuous, right? We're not just
that's where poems come in, right? We're not just
doing controls for the sake of doing controls and the checking of every once in a while. No, no. This is a continuous cyclical process that we've talked about everything in this up to this point.
Will you calm on here? Continuous monitoring. We don't just do annual reviews of our systems anymore. We look at it all the time and those air
looking at the technical controls, the non technical controls, preventative and detective, all that stuff right. We do real time updates to our systems, right? We know
that in today's world of super complex systems, patching is not going to necessarily solve all the world's problems and then its nest. And so the National Institutes of Standard Technology is the purveyor, if you will, of the risk management framework. And, oh, by the way, it doesn't just apply to the u. S. D o. D. It applies to all federal
government organizations and organizations that receive,
in many cases, funding or support from the U. S. Federal government. They've got to be rmf certified.
So remember when we talked about these risk level? So you've seen this chart before? Uh, in our previous is of domain discussions, there are three levels in an organization. You have the organization of the enterprise. You have mission business process, and you have information systems. Right?
Um, the farther down you go, the more detailed and granular perspective you're gonna have on risk when you're talking about that level three system level.
That's where the rubber meets the road. That's the hands on keyboard folks, right? They are going to have the best view of risk from from that perspective. When you get up to the enterprise of the organization level one, they have that Broadview, right? And keep in mind that as we look at risk management across the levels, right again, more grand, they're going down, right?
And communication reporting going up gets less right. So keep that in mind. Remember this chart? You'll see it
So in this video, we looked at this cap and die cap. Remember, Dis captain Dye cap are dead
right now. You will probably run across systems that still have that documentation.
It has been replaced by the risk management framework er rmf. And it's not just for the Department of Defense anymore. It applies to all U. S. Federal government systems and those that received funds from the federal government. They have to follow in this guidelines in the standards. And then again, we talked about those risk levels were at that system level.
That's where we got the best view, the most granular view of risk.
When we get up the organization level. That's what we're looking at. That visionary, that strategic perspective.
We'll see you next time