NIST SP 800-37 Rev 1 and SDLC

Course: 8 hours 25 minutes; Difficulty: Advanced; CEU/CPE: 9
Video Transcription
>> As we continue talking about frameworks for risk management, it seems quite appropriate we would talk about the risk management framework. The risk management framework comes to us from NIST and it's in Special Publication 800-37. There's a Revision 1 and Revision 2; it cracks me up, the difference between Revision 1 and Revision 2, and you'll see in just a minute why.

Now, as we've talked about risk management, what we've talked about is starting with the context, framing, understanding the environment which we're in, goals, business objectives, really starting with understanding our environment and then understanding the system or the asset we're working with. Same thing here in 800-37. The RMF is generally geared towards the development, let me back up and say the secure development, of a system.

It should make sense that Step 1 is to categorize the information system. That means think about the environment that the system is going to operate within, think about the data it's going to store, what's the value of that data, and based on the value of the data, what will be the security category of the system? Now this is not testable, but I know I'm going to have some government and military folks that do follow NIST standards, so I'm just going to mention that for categorizing the system we have FIPS 199 and FIPS 200 to help us figure out what security category for the system based on the confidentiality, integrity, and availability of the system. I'm going to once again emphasize you don't need to know FIPS 199 and 200, but that's just fun trivia for parties, so just something you know if you're going to be working with RMF.

Now, Step 2: based on the value of the assets, what it comes down to, based on the security category of the system, which is driven by its value, we then select security controls. Again, not testable, but that's where NIST 800-53 A would come in, where we tried to figure out how to secure a system appropriately based on its category. But we select our security controls. As a matter of fact, you can really focus on the purpose of categorization of a system is to determine what security controls are appropriate, just like classification of the system. The purpose of classifying a system is so that we know how to protect it. Step 2, we select the appropriate security controls.

Now, Step 3, we implement the security controls, so we build them into the system. Now, Step 4 means we assess, and this is where vulnerability assessments and penetration tests come in, and if the system meets the assessment process, if it meets the technical evaluation, then we have a certified system, and certification is always about a technical evaluation of the security elements of a product. If everything goes great, it's certified. If everything doesn't go great, then we get something called a POAM, which is a plan of action and milestones, and that basically is a plan for how we get that system back on track so that we can meet the security assessments, so that we can get certified.

Now once the system gets certified, then senior leadership authorizes, ideally authorizes, the system, and it's that point in time where they assume all risks associated with the product. They say, we're going to move this product into implementation, we're ready to go, we will take full responsibility for the product from this point forward. Then of course we monitor and control, so that's just simply meaning we continue to monitor; we may have patches or updates that need to go out, and those patches may need to go back through some or all of this process again, but we continue to monitor and ensure that the system is behaving as it should, the security controls are meeting their objectives, and that we're able to move on.

Now, as I promised you, NIST 800-37 has a second revision, and if you think about all the committees that met, the money that was spent, the brainpower that was brought together in meeting rooms to enhance the risk management framework, and what do we get? Revision 2 puts a square for preparation in the middle. Now, I'm not disputing in any way the importance of preparation throughout all these projects, of course, or all these steps, and that's why I referenced a couple of the documents that we have to go to so that we can make these decisions. We have to research, we have to truly understand the value of what we're protecting, understand the security options, but it does amuse me that they had to create an entirely new publication to say, don't forget to prepare.

Now, the last thing I want to show you is we talked about that the risk management framework was designed for system development, where you can take the RMF and match it up to the system development life cycle. The system development life cycle is the circular diagram in the middle where we initiate, design, implement, operate and maintain, and then dispose. You can see that's the steps that we go through with systems, but what we're going to do is combine it with the risk management life cycle so that we can have secure system design.

At the beginning, with initiation, where we begin our project, usually we get a project charter so that we can begin this and manage this development as a project; right there we have to categorize our system, and that becomes part of our original risk assessment, our feasibility study, before we even decide to undertake this product. Feasibility study, business case, project charter are all being developed at initiation before we say, yes, we're going to move forward, here's the project charter, we're going to move on. Right there in design we've got to select the security controls, and of course, in implementation, where we're designing the actual product itself, we're going to build in the security controls, and you notice, assess and authorize also happen during implementation. Implementation does not mean we're rolling out the product; implementation means we're taking our plans that we came up with in design and we're building the system. The very final stages of implementation is where we certify and authorize. Step 4 leads us into certification and authorization, Step 5, and then we continue to monitor throughout operations and maintenance.

Now one piece that the RMF really didn't talk about was secure disposal of a product. But if you think about databases, for instance, a lot of data and a lot of sensitive data can be stored in our databases. How do we dispose of that data securely? Do we migrate it to a new database? How do we transfer that information? How do we remove the contents of the older database? How do we make sure that once the product's end of life has come, we securely dispose of the product and any data with it.