
Running head: Final Project 1

Final Project

Justin R. Cook

University of San Diego, CSOL-530



Cybercrime is growing rapidly; damages from it were estimated to cost the world around $6 trillion annually by 2021 (Morgan, 2020). To limit risk, our organization must take a proactive approach to securing our information systems and data. NIST outlines a seven-step Risk Management Framework (RMF) that the US federal government uses to build security and privacy capabilities into its systems throughout the system development life cycle (NIST SP 800-37, 2018). Although the framework was written for the federal government, its steps can be tailored to an organizational environment of any size. The seven steps are: prepare the organization and the system, categorize the system, select security controls, implement the controls, assess the controls' effectiveness, authorize the system, and continuously monitor it. The steps are followed both before and after a system is authorized for use, so that the system remains secure when changes occur to the organization's environment, personnel, or hardware and software.

The first step of the RMF is prepare, where an organization carries out the activities needed to manage its security and privacy risks using the framework (NIST SP 800-37, 2018). For our organization, the most important part of this step is identifying and assigning the individuals to the roles required in the later steps. For example, an authorizing official must be named; this is the individual who will authorize systems for use in step 6 of the RMF. Business leaders must determine the organization's risk tolerance and create a risk management strategy. Although zero risk would be ideal, budget and resource limits will require key decisions about how much risk we can accept at any given time. Lastly, an organization-level risk assessment should take place during this step to establish a baseline of where the organization currently stands. After this step is complete, organizational leaders should be on board with using the RMF to manage risk, and every production system should be assessed with it.

The categorize step assesses the system and the information it processes, stores, and transmits based on an analysis of the impact of loss (NIST SP 800-37, 2018). Security categorization is vital because it is the basis for selecting the initial baseline of security controls for the information system (NIST SP 800-60, 2008). Federal Information Processing Standards (FIPS) are the standards and guidelines the United States federal government uses when securing its computer systems. Specifically, FIPS Publication 199 lays out the standard for categorizing information and information systems, and the private sector is encouraged to use it as well (FIPS, 2004). Part of the initial categorization is establishing provisional impact levels, which are the impact levels assigned to the confidentiality, integrity, and availability (CIA) security objectives of each information type (NIST SP 800-60, 2008). Every system stores, processes, or transmits multiple information types, and each one is categorized separately. The CIA triad is defined below:

1. Confidentiality – only authorized users and processes should be able to access or modify data

2. Integrity – data should be maintained in a correct state, and nobody should be able to improperly modify it, either accidentally or maliciously

3. Availability – authorized users should be able to access data whenever they need to (Fruhlinger, 2020).

Once each information type has been categorized, the overall security category of the information system is expressed, for each security objective, as the highest impact value assigned to that objective across all of its information types (the "high water mark"). The three impact levels are low, moderate, and high; the overall impact level of the system, which decides the control baseline in the next step, is the highest of the three objective values.
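The high-water-mark rule above is easy to get wrong by hand once a system carries several information types, so here it is carried through in code. This is an added example, not code from the paper or from NIST: the information types, their provisional impact levels, and the system name are constructed for illustration. The rule itself is the one FIPS 199 states, including its two edge cases: "not applicable" may be assigned only to the confidentiality of public information, and the system-level category never contains "not applicable" because the system itself always needs at least low protection.

```python
"""FIPS 199 security categorization by the high-water-mark rule.

Added example (not from the paper or NIST). SAMPLE_TYPES, the impact levels
assigned to them, and the system name are constructed assumptions.
"""
from dataclasses import dataclass

# Ordering used for the comparison. "N/A" (not applicable) ranks below LOW.
LEVELS = ("N/A", "LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")


def _rank(level: str) -> int:
    if level not in LEVELS:
        raise ValueError(f"unknown impact level {level!r}; expected one of {LEVELS}")
    return LEVELS.index(level)


@dataclass(frozen=True)
class InformationType:
    """One information type with its provisional impact levels (SP 800-60 style)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for objective in OBJECTIVES:
            _rank(getattr(self, objective))  # raises on an unknown level
        # FIPS 199 allows "not applicable" for an information type only on the
        # confidentiality objective (information that is meant to be public).
        if "N/A" in (self.integrity, self.availability):
            raise ValueError(f"{self.name}: N/A is only valid for confidentiality")


def categorize_system(info_types):
    """Return {objective: impact level}: the per-objective high-water mark."""
    if not info_types:
        raise ValueError("a system with no information types cannot be categorized")
    category = {}
    for objective in OBJECTIVES:
        highest = max((getattr(t, objective) for t in info_types), key=_rank)
        # FIPS 199 low-water mark: a system category never contains N/A,
        # because the system-level functions always need at least LOW protection.
        category[objective] = "LOW" if highest == "N/A" else highest
    return category


def overall_impact(category):
    """FIPS 200 rule: the system impact level is the highest objective value.

    This is the level (low, moderate, high) that selects the control baseline.
    """
    return max(category.values(), key=_rank)


def format_sc(system_name, category):
    """Render the category in FIPS 199 notation."""
    body = ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES)
    return f"SC {system_name} = {{{body}}}"


# Constructed sample: a customer portal that also serves public marketing pages.
SAMPLE_TYPES = [
    InformationType("customer PII", "MODERATE", "MODERATE", "LOW"),
    InformationType("public web content", "N/A", "LOW", "LOW"),
    InformationType("payment transactions", "MODERATE", "HIGH", "MODERATE"),
]

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_TYPES)
    print(format_sc("customer portal", sc))
    print("overall impact level:", overall_impact(sc))
```

For the constructed sample the portal comes out as moderate for confidentiality and availability but high for integrity, so the system as a whole is high-impact and gets the high baseline; a single information type with a high requirement on one objective is enough to raise the whole system, which is exactly why the categorization should be done per information type rather than by gut feel for the system.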


After an information system has been categorized, the next step in the RMF is to select, tailor, and document the security controls required to protect it. Security controls are the safeguards or countermeasures that protect the confidentiality, integrity, and availability of the system and its information (NIST SP 800-53, 2017). NIST SP 800-53 defines twenty families of security controls, amounting to hundreds of controls, from which a baseline is drawn for each categorization level. An example is PE-3, Physical Access Control, which enforces physical access authorizations at the facility where the information system resides (NIST SP 800-53, 2017). It is impractical, from both a budget and an implementation standpoint, to implement every control exactly as written in the baseline. Tailoring therefore starts from the baseline that matches the system's impact level and adapts it to our operating environment: controls that do not apply are scoped out with a documented justification, organization-defined parameters are given concrete values, and compensating controls are added where a baseline control cannot be implemented as written. The selected and tailored controls must then be documented, and an implementation plan created that describes the intended application of each control in the context of the system (NIST SP 800-37, 2018). The plan must be approved by the authorizing official before moving to the next step.

Once the plan is approved, the next step in the RMF is to implement the controls laid out in it and to document the specific details of each implementation (NIST SP 800-37, 2018). In the previous step PE-3 was given as an example; the implement step is where that control is put into action. For PE-3, one implementation is door access-control software that unlocks building entrances only when a valid key fob with the required access level is presented, and that logs every attempt. NIST recommends following best practices when implementing controls and ensuring that the implementations adhere to federal and organizational policies (NIST SP 800-37, 2018). Implementation does not always go according to plan, so it is important to update the security and privacy plans with any details or changes that arose while the implementation took place (NIST SP 800-37, 2018).

Following implementation, our organization has to assess the controls to determine whether they are operating as intended and meeting the desired security needs (NIST SP 800-53, 2014). NIST provides assessment procedures for each control, but the assessments can be tailored to the organization's needs. For PE-3, the assessment would attempt to enter the building without a key fob and with a key fob that does not carry the required access level, and confirm that each attempt is denied and logged. The results are documented in a security assessment report, which is reviewed to assess risk, determine appropriate response actions, and update the plan of action and milestones (NIST SP 800-53, 2014). For example, if the report showed that access to the building was incorrectly granted, a remediation action would be warranted. Remediation actions address deficiencies in the implemented controls based on the assessment results (NIST SP 800-37, 2018). Deficiencies that cannot be fixed immediately are recorded in the plan of action and milestones (POA&M), which is included in the authorization package used in the next step.
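The implement and assess steps above use the same PE-3 key-fob example, so the added example below covers both: a door controller that makes the access decision and logs it, and the assessment procedure that drives the controller through the denial cases (no fob, an unknown fob, a revoked or expired fob, a fob below the required level) as well as the one case that should succeed. This is illustration code, not the paper's own and not any badge-system vendor's API; the fob registry, access levels, door name, timestamps and audit-log format are constructed assumptions.

```python
"""PE-3 (Physical Access Control) as a key-fob door controller, plus the
assessment cases the assess step runs against it.

Added example (not from the paper, NIST, or a badge-system vendor). The
registry, access levels, door name, timestamps and log format are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example and its results are reproducible offline.
NOW = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Fob:
    fob_id: str
    holder: str
    access_level: int        # assumed: 1 = lobby, 2 = office floors, 3 = data centre
    expires: datetime
    revoked: bool = False


@dataclass
class DoorController:
    door: str
    required_level: int
    registry: dict                       # fob_id -> Fob
    audit_log: list = field(default_factory=list)

    def decide(self, fob_id, now=NOW):
        """Return (allowed, reason); every attempt is logged, denied or not."""
        fob = self.registry.get(fob_id) if fob_id else None
        if fob is None:
            allowed, reason = False, "unknown-or-missing-fob"
        elif fob.revoked:
            allowed, reason = False, "revoked"
        elif now >= fob.expires:
            allowed, reason = False, "expired"
        elif fob.access_level < self.required_level:
            allowed, reason = False, "insufficient-level"
        else:
            allowed, reason = True, "granted"
        self.audit_log.append(
            {"door": self.door, "fob": fob_id, "time": now.isoformat(), "result": reason}
        )
        return allowed, reason


def sample_registry(now=NOW):
    """Constructed fobs covering each case the assessment needs."""
    fobs = [
        Fob("FOB-0001", "visitor", 1, now + timedelta(days=1)),
        Fob("FOB-0002", "dc-engineer", 3, now + timedelta(days=365)),
        Fob("FOB-0003", "ex-employee", 3, now + timedelta(days=365), revoked=True),
        Fob("FOB-0004", "contractor", 3, now - timedelta(days=1)),
    ]
    return {f.fob_id: f for f in fobs}


def build_controller(required_level=3):
    """Data-centre door; level 3 is what the physical access authorization requires."""
    return DoorController("data-centre-east", required_level, sample_registry())


# (label, fob presented, access expected) for the PE-3 assessment procedure.
ASSESSMENT_CASES = [
    ("no fob presented", None, False),
    ("unregistered fob", "FOB-9999", False),
    ("revoked fob", "FOB-0003", False),
    ("expired fob", "FOB-0004", False),
    ("fob below required level", "FOB-0001", False),
    ("fob with required level", "FOB-0002", True),
]


def assess_pe3(controller, now=NOW):
    """Run the cases; return findings for the assessment report (empty = satisfied)."""
    findings = []
    for label, fob_id, expected in ASSESSMENT_CASES:
        allowed, reason = controller.decide(fob_id, now)
        if allowed != expected:
            want = "allow" if expected else "deny"
            findings.append(f"{label}: expected {want}, got {reason}")
    # The control also requires that every attempt, allowed or not, is logged.
    if len(controller.audit_log) < len(ASSESSMENT_CASES):
        findings.append("audit log is missing access attempts")
    return findings


if __name__ == "__main__":
    print("correct configuration:", assess_pe3(build_controller()) or "no findings")
    # A misconfigured door that only demands lobby-level access: the assessment
    # catches it, and the finding is what would go into the POA&M.
    print("misconfigured door:", assess_pe3(build_controller(required_level=1)))
```

The second run in the usage block is the interesting one: the door is wired correctly in every respect except that it was configured to require lobby-level access, and only the negative test case ("fob below required level") surfaces that. An assessment that only badges in an authorized engineer would have passed the control.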

The next step of the RMF is authorize, where a senior management official determines whether the security and privacy risk of operating the information system is acceptable and makes the final decision to authorize it for production use (NIST SP 800-37, 2018). Authorization is one of the most important steps of the RMF because the decision rests on all of the information gathered and developed in the previous steps. The authorization tasks include:

• developing an authorization package for review by the authorizing official

• a risk determination made by the authorizing official

• developing risk responses to the determined risks

• approving or denying the authorization and reporting the decision and the risks to officials in the organization (NIST SP 800-37, 2018).

Any risks documented in the authorization package are analyzed against the risk management strategy drafted in step one of the RMF. As mentioned earlier, risk tolerance varies between organizations, and the authorizing official takes this into account when making the final decision. The decision can be expressed as an authorization to operate (ATO), an interim authorization to test (IATT), or a denial of authorization to operate (DATO) (NIST SP 800-37, 2018). It is made by the authorizing official and dictates whether the determined risks are acceptable for the information system to operate in production.

The final step of the RMF is monitor, which maintains ongoing awareness of the security and privacy posture of the system and accounts for changes in the operating environment (NIST SP 800-37, 2018). Even though a system has received an ATO, if a change is made to the system or to its environment, the security posture must be verified again. NIST defines seven tasks in the monitor step:

• System and environment changes – monitor the system and its environment following the continuous monitoring strategy

• Ongoing assessments – continuously assess the effectiveness of the security controls

• Ongoing risk response – analyze and respond to the results of the ongoing assessments

• Authorization package updates – update the risk management documents as needed

• Security and privacy reporting – report the security and privacy posture to organizational leaders on an ongoing basis

• Ongoing authorization – the authorizing official reviews the results of the previous tasks and conducts ongoing authorizations

• System disposal – develop and implement a disposal strategy as required (NIST SP 800-37, 2018).

Our organization must follow a change management process that requires any change to the production environment to be assessed for its impact on the security posture of each system. Changes that do affect a system's security posture send that system back through the relevant RMF steps. This procedure ensures that the implemented security controls continue to do their job.

The seven steps of NIST's Risk Management Framework aim to build security and privacy capabilities into systems throughout the system development life cycle (NIST SP 800-37, 2018). Our organization first prepares to use the RMF by assigning roles and responsibilities and developing an organizational risk management strategy. Production systems are then categorized by the impact that a loss of confidentiality, integrity, or availability would have. To secure the systems, security controls are selected, tailored, and implemented following NIST's guidance. The implemented controls are then assessed to determine whether they function as intended in the implementation plan. The assessment results are documented in an authorization package that is given to the authorizing official, who analyzes it against the organization's risk management strategy to decide whether the system can operate in production. To account for inevitable changes to the operating environment, a continuous monitoring process is put in place to validate the effectiveness of the security controls. By using NIST's seven-step RMF, our organization will be doing its due diligence to ensure that our production systems remain secure as new threats emerge in cyberspace.


References

FIPS PUB 199. (2004, February). Standards for Security Categorization of Federal Information and Information Systems. Retrieved from https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf

Fruhlinger, J. (2020, February 10). The CIA triad: Definition, components and examples. Retrieved from https://www.csoonline.com/article/3519908/the-cia-triad-definition-components-and-examples.html

Morgan, S. (2020, March 29). Top 5 Cybersecurity Facts, Figures, Predictions, And Statistics For 2020 To 2021. Retrieved from https://cybersecurityventures.com/top-5-cybersecurity-facts-figures-predictions-and-statistics-for-2019-to-2021

National Institute of Standards and Technology (NIST). (2018, December). Special Publication 800-37 Revision 2: Risk Management Framework for Information Systems and Organizations. Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf

National Institute of Standards and Technology (NIST). (2008, August). Special Publication 800-60 Volume 1 Revision 1: Guide for Mapping Types of Information and Information Systems to Security Categories. Retrieved from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf

National Institute of Standards and Technology (NIST). (2017, August). Special Publication 800-53 Revision 5: Security and Privacy Controls for Information Systems and Organizations. Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf