Hello. Welcome back to the DoD Risk Management Framework series. In this section, we're going to take a look at some of the cybersecurity policies, regulations and the overall framework itself.
The goals are to be able to describe the evolution and interaction of security laws, policies and regulations in information security; to list the DoD cybersecurity policy drivers; to access the correct documents for cybersecurity guidance; and to describe the assessment and authorization transformation goals.
For those of you studying for the ISC² CAP exam, this section will identify the relationship between the Risk Management Framework and the system development life cycle. However, remember, you need to study the contents of the essential documents listed in the tables of this chapter.
So every great story has a beginning. How did these policies come to be? Well, they started very independently. The Department of Defense had their set of guidance, and the federal agencies had their sets of guidance: for the Department of Defense back in the 1970s, and for both the Defense Department and the federal agencies by the time the 1980s rolled around. It started with the 5200 series; some of you more seasoned veterans will remember the Rainbow Series, a series of books, all color-coded, to tell us exactly how to do specific items.
On the federal side, we dealt with the OMB Circular A-130. As time progressed, the DoD's cybersecurity initiative became more complex and needed more direction. At approximately this same time, right there in 1997, maybe 1996 or so, we have the introduction of the Clinger-Cohen Act. Remember, anything that ends with "Act" means that it's a law, which means that it came out of Congress. Fast forward to 2002 and Congress introduces FISMA, the Federal Information Security Management Act. On the other side, we have the DoD, and they finally introduced a standard control set within the accreditation process.
In 2004 we see the introduction of NIST 800-37 and 800-53 and the accompanying FIPS 200. Now on the DoD side we have DoDI 8510. This was the original introduction of DIACAP, a better process than DITSCAP, but still not quite perfect. However, looking at the two documents side by side, the 800-53 series and the 8500.2, which was the control set document for DIACAP, there are striking similarities.
We'll get into a little more of that later.
So remember I told you that FISMA is a law, and all federal systems now, including the Department of Defense, must report back to OMB at the end of each calendar year, no later than December 31st.
So who is OMB? What do they do? Well, some of the main functions of OMB include maintaining the government budget, federal financial management and data collection. Now, when it comes to NIST, the Computer Security Division has several documents that you must be familiar with, starting with, of course, the FISMA Implementation Project.
Then the standards for categorizing, that is FIPS 199. The standards for minimum security requirements, FIPS 200. Guidance for selecting security controls, which would be Special Publication 800-53. And guidance for assessing those controls would be 800-53A, kind of tricky, right? Guidance for security authorization, the original 800-37. And how to set up your continuous monitoring, 800-137. So what are the policy drivers that got us to this point?
Well, one of the most important drivers is integration with the other federal agencies.
Networks have grown up and out; they're no longer self-contained little boxes. At some point in time, every system is going to connect to another within the federal government.
Also, increased network growth and globalization, increased threat sophistication, and increased speed and connectivity. All of these are critical drivers as to why the entire federal system had to get on one standard set of guidance. Now,
you'll notice here that I crossed out "compliance." Why? The Risk Management Framework is not about compliance. It's not a series of checklists. It's designed to be what is best for the system. It's not like DIACAP. We're going to get into this in a little more detail, but you'll notice that I will keep crossing out the word "compliance," and just in your mind, insert the words "security posture."
Understand, what we're looking for is efficiency for real security enforcement, not just a documentation drill. So what is the benefit to the individual stakeholders? Well, for the CIO, for instance, it standardizes the IA language across the entire federal government. Finally, we're all talking the same language.
Whereas for the warfighters, they can get more rapid development of the solutions that they need to go fight the fight. For business system owners, you find more consistent and assured protection of individual privacy and data supporting the DoD business systems themselves. And for system developers, increased coordination and integration of security into the systems development and acquisition process. At the end of the day, it's all about efficiency. Everything you see here is efficiency driven. Now I know, it does take a long time, and we're going to walk through the timeline on how to build an RMF package from start to finish.
But you only have to do it once. Once that system has been properly categorized, once the controls are selected and the overlays are worked, you're done. All you have to do at that point is maintain.
So some of our transformation goals as we move into the framework are to define a common set of trust levels and to adopt and apply them, using CNSSI 1253, across all intelligence community, DoD and other federal agencies: reciprocity. No need to continuously reauthorize systems just because they're moving from the Air Force to the Marine Corps to the Army and maybe to the Department of Energy. Next is to define, document and adopt common security controls.
This is done using NIST Special Publication 800-53 as the baseline. Adopt a common lexicon: get us all talking the same language so we can approach the mountain of cybersecurity issues all speaking the same language. And institute a senior risk executive function.
Now it's important to understand that this is a function. It takes the whole family. It takes intelligence. It takes your classic 6 element, whether it's the G-6 or the N-6 or the S-6; it's going to take the 2 and the 3 and the 4 and the 8. The whole family. Everyone that has a security function must be an integral stakeholder in the Risk Management Framework. And next, to enable a common process: consistency. The easiest, strongest systems are ones that are predictable. With a predictable baseline, you have a predictable outcome.
Being able to manage the system throughout its entire life cycle is paramount. So the Director of National Intelligence's approach to policy and standards was to establish ICD 503, and they will continue to develop the intelligence community standards as appropriate for those required systems. However, they will be leveraging the existing NIST Special Publications to bring the intelligence community more in line with FISMA, and it aligns the Inspector General audits, which are based on the NIST standards, for consistency and alignment with the rest of the federal government to support overall reciprocity.
Remember, the optimum goal here is to ensure that all key policies for the intelligence community are either in an official CNSS publication or in a NIST Special Publication.
So as we continue to move on and now talk about the implementation goals, here is the desired outcome. First, moving away from what we called MACs, or mission assurance category levels. We don't address the systems as MAC I or MAC II or MAC III anymore. We also will not be referring to them with classification levels like classified, sensitive or public. We move to addressing them with impact levels such as low, moderate and high, and the security objectives of confidentiality, integrity and availability.
This ensures the DoD is synchronized with the rest of the federal systems using NIST standards.
Next, reciprocity inside DoDI 8510.01. Next, the DoD will use the NIST 800-53 security control catalog with DoD-specific assignment values, implementation guidance and evaluation processes. Remember, the goal here is to ensure that the DoD security catalog, categorization and control processes are in sync with NIST standards.
Next, continue to incorporate new structure and other new Risk Management Framework terms into CNSSI 4009 and continue its use as the official glossary of terms throughout the 8500 series.
Next on the list is to continue the DoD enterprise governance structure and strengthen the interfaces to the intelligence community enterprise governance. This is implemented through DoDI 8500.01 and 8510.01.
Next, to continue the co-evolution of security control categorization and selection, with the Risk Management Framework as a component of the GIG integration, the architecture alignment framework for GIG IA, and the other supporting elements of the GIG Technical Framework and the GIG IA portfolio.
And lastly, to incorporate transformation concepts into DoD policies that adopt new concepts via enterprise governance and propagate them via the Knowledge Service as well, and to continue to influence the GIG IA portfolio for configuration management, automated monitoring and other enablers.
Next, let's take a look at how the Risk Management Framework integrates with the system development life cycle. You'll see that there is a specific step to do at every piece of the classic system development life cycle. So let's walk through the steps one by one: first, initiation; second, development and acquisition; third, implementation; fourth, operation and maintenance; and fifth, disposal.
Now let's take a look at which step of the Risk Management Framework fits with which step of the system development life cycle. Initiation: Step 1. Development and acquisition: Step 1, Step 2, Step 3, Step 4 and Step 6. Implementation. Operation and maintenance: Step 6. And disposal.
There is an action for security to take in every step of the system development life cycle. This is where we get the bumper sticker "baked in, not bolted on." So how has the process changed? Well, let's take a look.
So from DIACAP, the old 8510, to the Risk Management Framework, the new 8510, really, that's just a change in language. There's a lot of similarity here. We used to address systems as MAC and confidentiality level, and now simply impact level and security objectives. We used to have some rigid information system definitions. Those definitions have been expanded to align better with CNSSI 4009. The DoD had their own defined set of security controls. Now we have a universal set of security controls across all federal systems.
We used to have the C&A process, or certification and accreditation. Now we have the process of assess and authorize. So, paying close attention to the proper guidance documents: where we had 8510.01, the DIACAP instruction, and CNSSI 1253, that has been condensed to 8510 itself, which points you to the 800-53 series and CNSSI 1253.
For the intelligence community, we used principally DCID 6/3 as well as DoD Instruction 8500.2 for the controls and the protection levels implemented within the CNSSI 1253 documents. That has now been condensed to ICD 503 and the revised CNSSI 1253.
For all other government agencies, where we were using the common controls, the ISO standards, NIST 800-37, CNSSI 1253, NIST and the NIAP, that has been greatly reduced to simply the NIST Special Publications 800-37, 800-30, 800-39, 800-53, 800-53A and 800-137.
Here's a complete list of what would be considered critical guidance. You have the FIPS series, 199 and 200, the Special Publication series, the CNSS and the OMB circular. Now, the only thing really to watch out for is that for DoD systems, instead of using FIPS 200, we simply use CNSSI 1253 for the baseline controls.
All other federal systems will continue to use FIPS 199 and FIPS 200. As part of this transition, the DoD has taken the opportunity to continue to align its information management and IT policies, including its cybersecurity policies, into the 8000 series under the sole responsibility of the DoD Chief Information Officer.
Here you see the base 8000 capstone; the 8100, where you will find the new 8140 that replaced the 8570; the 8200 for mission-aligned functional processes; the 8300 for information infrastructure design; the 8400 for information technology; and the 8500 for cybersecurity. Now the only really tricky one is that the DoD has published under the 8100 series the cybersecurity policy that was part of the 8500 series. When I went and took a look at why they would do that, well, it's more general. It applies to everyone, whereas the 8500 series was very specific to IA or cybersecurity people. This will help better align for proper education, training and awareness across the environments.
In our next chapter, we're going to take a look at some of the RMF roles and responsibilities.