FISMA, NIST and the Risk Management Framework - Part 1

Video Activity

In this lesson, Subject Matter Expert (SME) Kelly Handerhan discusses why a risk management system is important and what documents are used to establish it. She explains the relationships of the Federal Information Security Management Act (FISMA), the National Institute of Standards and Technology (NIST), and the Risk Management Framework (RMF). Th...

Join over 3 million cybersecurity professionals advancing their career
Sign up with

Already have an account? Sign In »

1 hour 27 minutes
Video Description

In this lesson, Subject Matter Expert (SME) Kelly Handerhan discusses why a risk management system is important and what documents are used to establish it. She explains the relationships of the Federal Information Security Management Act (FISMA), the National Institute of Standards and Technology (NIST), and the Risk Management Framework (RMF). Then Handerhan presents some of the reasons that a risk-based approach to information security is so important. The RMF answers the need to look to the current laws and threat landscape and determine what is needed to manage risk as effectively as possible. Risk management is the same thing as information security and information security is the same thing as risk management. RMF looks at information security in the context of a risk management system. Handerhan discusses the E-Government Act of 2002, which established FISMA, and explains that the E-Government Act was a direct result of the 9-11 terrorist attacks. The Act highlighted the fact that information security is as relevant as anything to our national security, and we must protect our secrets in a manner that is directly related to today's threats. Under the Act, NIST was charged with coming up with standards and guidelines to protect the nation by creating standards that apply to all federal agencies. This resulted in the RMF. NIST's goal is to set standards that are easy to work with and that provide consistency and a platform-independent approach to systems. Handerhan explains that, although NIST is non-regulatory, their guidelines may be mandated through several means. Handerhan presents a thorough discussion of significant NIST documents that pertain to the RMF: - the Federal Information Processing Standards (FIPS) that discuss guidelines for categorizing systems and that provide the minimum necessary security requirements - NIST Special Publications (SPs) THE DISCUSSION OF THE RELATIONSHIP BETWEEN FISMA, NIST, AND RMF and RMF IMPORTANT DOCUMENTS CONTINUES IN LESSON 2.

Video Transcription
All right, So let's go ahead and take a look at the material that you were gonna cover today as you'll notice I've broken this down into two sections. The first section. We're going to talk about some of the reasons that a risk based approach to information security is so important and what will look to its will to some of the legislative drivers
and some of the documentation that gives us the directives
on how to approach the risk management framework and in part to we're going to get into the framework itself. And as you can see, there are six pieces off the risk management framework. Six steps, if you will, Categorizing the information systems, selecting our controls, implementing the controls,
assessing those controls,
getting the system authorized, monitoring the security controls. And then we're going to wrap things up by tying it all together. And, of course, talking about how we would look at this from a practical standpoint, out about specifically implementing the risk management framework into the system development life cycle.
All right, so part one, let's go ahead and get started, and let's talk about why or in F
usually, as is the case for most organizations. Most agent sees, we look to the current laws. We d'oh look at the current threat landscape, and we determine what do we need to do in order to meet and manage risks as effectively and efficiently as possible. And one of the things you'll hear me talk about today is
risks in information security
but quite honestly, risks risk management is exactly the same thing is information, security and information securities. The same thing is risk management, right? When you think about it and we do information security, what are we trying to do? We figure out what we're protecting, what it's worth. We figure out what the threats and vulnerabilities are
the cost of mitigating strategies, and we make a good business decision on
how to mitigate those risks. So it makes perfect sense that when we talk about information security, we would look at that in the context of a risk based approach, which is exactly what the framework is. All right, so on this particular chapter will start by addressing the E Government Act of 2002
which gave us fisma, the Federal Information Security Management Act,
and then we'll look at some significant documents from missed. They have the Phipps federal information processing standards, and then they also have several special publications. Now these air by no means all the NIST documents and elements that would, uh,
guide us with information security. But these are the ones that are most relevant to the risk management framework.
So when we look at the E government act, this came out in 2002 and was a direct result of the terrorist attacks of 9 11
And at that point in time, you know if if you can remember, and I think most of us can if you go back to that period of time, it was a really obviously very tragic event. But it was also really eye opener
for Americans to realize that, yes, we are indeed vulnerable, and we're vulnerable in ways that we never even dreamt.
And so that led us very quickly as a nation to start looking at all the ways that we are vulnerable and then to start thinking about how do we shore up some of those vulnerabilities?
Well, The E Government Act, which became law in 2000 to George W. Bush, signed it. It was officially made law in 2000 to the end of the end of the year.
Essentially says our information security is as relevant as anything to our national security. And if we don't start protecting our secrets
in a manner that is, um
directly related to the threats that exist today, not those that existed yesterday, then we're gonna become very vulnerable and we're going to see compromise after compromise after compromise. So essentially, this was pretty much saying, We better get serious about how we protect our national secrets
because the threat environment has changed very much so and that's very true.
And in many ways we're still playing ketchup. And I think sometimes we don't always were not always as proactive as we could be in there. Many reasons this isn't a criticism really per se, but their many reasons were not as proactive. We're playing catch up in some cases
and we are dealing with the current threats. You know, if we're just focusing on the threats of today,
we're already behind because the Attackers are already looking to the next latest greatest attack.
So what the E government act essentially said is we've got to get serious about information security
Now. Title three of the E Government Act gave us what's called fisma. The Federal Information Security Management Act again of 2002 part of the e government asked Act essentially put the responsibility on mist
essentially saying, Missed. It is your job to come up with standards and guidelines for sufficiently protecting our information. Basically, one of the big responsibilities or several of the responsibilities of mist were listed here. So ultimately, one of the things that they were tasked with
is creating standards for all federal agencies.
Now, off course, when we talk about standards for all federal agencies, Maur essential more critical, more sensitive agencies would have additional controls, additional regulations and standards. But n'est also is responsible for just a generic. For every federal agency, certain standards must be addressed and adhere to,
uh, essentially that applied to all federal agencies. They had to categorise their information.
That's a big first step of the risk management framework. And when we talk about categorizing information, essentially what we're doing is we're looking at it. We're figuring out its value, tow us. We'll talk about all the different ways that we decide values,
Um, making sure that all of this is categorized for any information that's collected, whether it's from agencies, whether it's from contractors. Uh, however, that information is gathered collected. If it's pertinent to a federal systems, the standards have to adhere.
Uh, the guidelines are going to recommend certain types of information systems be included in each category.
So essentially, we're going to categorize based on value and threat level in those ideas. And then ultimately, what we're going to figure out is baseline security controls for each of those categories. So if you think about it, what we're kind of getting down to is
we're gonna figure out how to categorize our system again. This is part of fisma.
We're gonna use, uh, various published standards to determine that categorization, and then we're gonna figure out minimum security controls for each of those categories. Fisma defines three security objectives for our information and for our information systems. So this is a very important piece
when it comes to categorizing a system.
We've got to think about three elements. We've got to think about the confidentiality of the information or the information system itself,
and of course, confidentiality means we're concerned about preventing unauthorized disclosure of information. We want to protect our secrets. We wanna have privacy, secrecy, privacy, confidentiality. All of those go together. Okay? The next element would be a integrity.
We want to make sure that our files are central pieces of information
don't get modified in a way that's not consistent with security policy. So essentially, we want to make sure unauthorized users don't modify our information. We also want to make sure our authorized users don't make unauthorized modifications. And we want to ensure
internal and external consistency those air, three important rules of integrity.
So when you talk about internal and external consistency, it could be as basic as when you're thinking about a database. Maybe that takes stock. And if my database says I should have three widgets on the shelf, that I better be able to go to the shelf on count three widget. So
internal and external consistency means that the database is essentially accurate with what's going on in the real world. So those air integrity goals
and then, of course, the final element is availability with availability. Our goal is to ensure timely access to resource is as appropriate. So these air the three elements that have been specified,
and Mr is gonna address thes and help us apply that to categories in just a few minutes.
Now, who is NIST? Because we keep referring back to them. Let's just go ahead and get this out of the way. So, of course, NIST is the National Institute for Standards and Technologies. They were originally known as the National Bureau of Standards back in the day, so to speak,
but have been renamed n'est somewhat recently.
Ah, in the last 20 years,
Mist is non regulatory, so the standards and technologies, as documented by risk n'est are not necessarily mandatory. However, they can be mandated
by the Office of Management Budget war by federal directives or in other means. So by default, the standards aren't mandatory. However, often whether it's through fisma or through an executive directive, some other means they can be mandated.
All right, now, what is mists job? How did they even get involved in this in the first place? Well, their mission statement and all of this could be found that n'est ce website ms dot gov fascinating reading, of course, their mission statement. So they want to promote US
innovation and industrial competitiveness
by advancing measurement science standards and technologies in ways that enhance economic security and improve our quality of life.
Very lofty goal. The heart and soul and the rial essence of this is standards are easier to work with. We like standards. So by promoting standards we promote interoperability. We promote mechanisms that can work well within each other.
We get away from the proprietary devices as much as possible. The proprietary configurations,
uh, we leave little up to chance, or at least that's the idea behind these standards. So ultimately, when we talk about n'est CE input into information, security with the goal here is to have a consists, consistent,
platform, independent approach to securing the information technology and systems that we have available to us. So very, very important. And that's why The's directives reference missed and tasked n'est with these responsibilities
several different types of mist publications, their three main ones that you would hear
First of all, Phipps, which we'll talk about in just a few minutes. Actually, we'll talk about it now. Federal information processing standards. This comes from the secretary of Commerce
and Phipps again. Just what it says specifically with processing federal information processing standards. The two Phipps documents that will look at are gonna be Phipps 1 99 and 200. Those air very, very essential to risk management. And then n'est also publishes special publications.
They'll be referenced by S P in caps.
And ultimately, their job is to advise government agencies on how to implement the technology
again, not mandatory, but can be mandated. And then we also have n'est into a inter agency. Reports will not be looking at any n'est. I are documents today, but certainly there are many that are out there. Ah, here is another location again, where you can get a breakdown on these different elements.
Let's go ahead and take a look at the standards and the guidelines that we're gonna look at
in relation to the risk management framework. Now, what I want to make clear is sometimes you know, when you have somebody going over 50 standards this special publications, it can be a little dull, and it can feel like alphabet soup and a lot of numbers to memorize.
So what, I'm gonna try to do a streamline and just focus on the ones that we specifically need.
I'm not gonna read out the publications to you, but again, the NIST documents can be found that ms dot gov if you want to go a little bit deeper. But what I want to do in this first part is I want to give you an understanding of the documents that are gonna be big and significant inputs into the risk management framework. So you can see
I've only included a few here.
There are a couple of others that will surface a little bit later down the line, but these would be the ones that I would primarily focus on. So when it comes to Phipps, I just mentioned earlier fits 1 99 and Phipps 200. These go hand in hand because 1 99 is gonna tell us or give us some guidelines
on categorizing systems.
Phipps 200 is gonna tell us minimum security requirements again. Two very important steps that are gonna be part of the risk management framework.
Then we're gonna have the special publications n'est 800-30
risk assessments. Huge, huge, huge. So very important. And I would strongly strongly recommend that if you are gonna work within the risk management framework, I would certainly recommend very strongly that you have a background in risk management or that you've done some additional study.
Ah, one of the things that I can recommend for you is cyber. Eri has a C risk
lesson or series of lessons that I think would be very, very helpful to anybody that doesn't have a strong risk management approach. So that's a recommendation for you, but missed 800 Special publication 800-30 deals specifically with addressing risk in the context of information security.
How do we assess that risk? What would are the risks?
Let's talk about threats and vulnerabilities. Let's talk about probability and impact and how we approach it. So that's 800-30 now 800-37 itself is how we apply the risk management framework. And again, that's gonna be the second part of our discussion. So we're not gonna get to in depth there
but ultimately again
figuring out how we take this risk based approach and apply it to the systems that were developing the software that we're developing systems or software already in place. How do we make this? How do we stay current with the threats and vulnerabilities that are out there today?
All right. Ah, And again, Same thing. 800. Dash 39. Managing information security risk. Very important idea in risk management is you cannot eliminate risks.
Now, there are some risks you can eliminate. For instance, um, I'm concerned about crime in a specific portion region of the world. And I'm worried about opening up a new location in that region,
so I decide the risks are too great. I just won't open a location in that region. Well, I've eliminated that risk, but I certainly cannot eliminate all risks. Associate it with our information. Right? So what we look to do is we look to manage risks
instead of eliminating. And when we talk about managing, you know what exactly does that mean? How do we manage a risk? What does it even mean?
And we're gonna talk a little bit about the idea off, making sure that the amount of risk that were left over with, you know, we're gonna put mitigating strategies in place, but you will always have a little risk left over
so making sure that that's within our level of tolerance. And again, we don't do a huge in depth discussion on risk management in this particular class. Go back and look at the sea risk.
All right. Now, another huge, huge, huge document that has a big impact on what we're doing and helping meet the requirements of specified in Cisma is Mr 800-53 then also 53 a. Those air, both closely related A does not overwrite
Ah, 53 or 53 A. Does not overwrite 53.
It is simply an enhancement document to that. And this is where we talk about the security controls and assessment procedure so very helpful and again numerous others for guidance on how we're going to implement these operational and technical controls.
Up Next
Risk Management Framework

The National Institute of Standards and Technology (NIST) established the Risk Management Framework (RMF) as a set of operational and procedural standards or guidelines that a US government agency must follow to ensure the compliance of its data systems.

Instructed By