Final Project
Emmylou Bice
Introduction
Company XYZ is a defense contractor with locations all over the world that provides
engineering solutions for the government in an effort to strengthen and protect national security.
Because it operates across many sites, the company is procuring enterprise cell phones to
issue to employees as a key asset for remote work. As a defense contractor,
Company XYZ stores, processes, and transmits sensitive information pertaining to both national
security and the company. Defense contractors are targeted by many different threat actors,
including cyber terrorists, insiders, and government-sponsored actors. If the company provides
these cell phones to employees, it must ensure the system is secured to an acceptable
risk level to limit the probability of compromise. This paper discusses the process for assessing and
monitoring the cyber security risk of Company XYZ’s cell phone system throughout the system
lifecycle.
To manage the cyber security risk of its systems, including cell phone systems, Company
XYZ uses the Risk Management Framework (RMF). RMF is a set of criteria for organizations to
follow to architect, secure, and monitor government-related information systems (Petters, 2021).
With the RMF process, organizations build their systems based on mission or
business need and risk tolerance, apply secure implementations of controls, and
obtain an authorization to operate (ATO). The framework consists of six main cyclical steps:
categorize, select, implement, assess, authorize, and monitor. These six steps are preceded by a
preparation step. Figure 1 depicts the RMF process or cycle.
The following sections describe each of the six main steps and their applicability to the
System Preparation
The preparation step comes before the six main RMF steps. Its purpose is to carry out the
essential activities, at all three levels of the organization-wide risk management approach, that
prepare the organization to manage its security and privacy risks (Joint Task Force, 2018). In this step, the organization
identifies the business need for the information system, the authorization boundary that limits the
scope of the effort, and the information system types. Lastly, the organization registers the
system in an RMF workflow tool such as XACTA 360 or Enterprise Mission Assurance Support
Company XYZ identifies the cell phone system as a business need to support remote
employees at various sites. These employees support multiple defense acquisition programs and
store, process, and transmit company and program-related information. The authorization
boundary includes two cell phone information system types, an Android (Samsung) device and an
iPhone. The company registers this system in XACTA to begin the next step in the process,
system categorization.
System Categorization
The first step of the RMF process is system categorization. System categorization is the
process of determining the potential impact on organizational operations and assets, individuals, other
related organizations, and the nation with respect to the compromise of the confidentiality,
integrity, and availability of the organization’s systems and data (Joint Task Force, 2018).
This step is key to determining the right impact level for the system undergoing the risk management
framework. In this step, the organization identifies the data types of the information system and
determines the impact values for each, which in turn determine the overall security categorization of the system.
RMF categorizes systems against three security objectives: confidentiality,
integrity, and availability. Confidentiality refers to protecting information or data from view by
unauthorized individuals, integrity refers to guarding against improper modification or destruction,
and availability refers to ensuring the data is accessible to authorized individuals when needed.
The impact values (low, moderate, high) express the degree of damage to be expected from a
compromise of each objective: limited, serious, or severe to catastrophic adverse effects (Barker, et al., 2008).
Analyzing Company XYZ’s cell phone, three main data types are stored, processed, and
transmitted, including research and development (R&D) information and employee training and
employment information (Bice, 2021). Table 1 identifies the information types and the impact
values for confidentiality, integrity, and availability for each.

(First information type: the name and impact ratings of this row did not survive extraction; only the following fragments remain.)
Confidentiality – The information is sensitive in nature; compromise could cause severe or catastrophic adverse effects on the company and nation.
Integrity – Compromise may result in serious adverse effects.
Availability – The user could switch to other options to view the data.

Research and Development Information
Confidentiality: High – The impact of compromised R&D information with respect to confidentiality would result in unauthorized individuals obtaining company knowledge to do harm to the interests of the government of the United States (Barker, et al., 2008). The DoD may lose an advantage over adversarial nations, since they may derive insights on countermeasures development, which could result in severe or catastrophic adverse effects on the company and nation (Barker, et al., 2008).
Integrity: Moderate – The impact of compromised R&D information with respect to integrity would be “disruptive to the progress of research activities” (Barker, et al., 2008). An individual who accidentally miscalculates or makes a typo in research documentation can create delays in the development of new technologies. There are serious effects on the company because more time is needed to fix the error before the research is complete, and project development may be delayed.
Availability: Low – The impact of compromised R&D information with respect to availability would result in an insignificant delay. This is the equivalent of limited adverse effects. The user could switch to other options to view the data.

Training and Employment Information
Confidentiality: Moderate – If training and employment information were compromised with respect to confidentiality, there would be a serious adverse effect on operations or individuals. The information may contain PII of an individual, which is considered sensitive information and which, if compromised, could put individuals and the company’s reputation in danger.
Integrity: Moderate – The impact of unauthorized modification of training or employment information would have serious adverse effects on organizational operations or individuals. An example is modifying an employment start date at the company, which could delay onboarding of new employees, which in turn could be critical in staffing a program for deployment.
Availability: Low – The impact of compromised training and employment information with respect to availability would result in an insignificant delay. This is the equivalent of limited adverse effects. The user could switch to other options to view the data.

Table 1: Company XYZ Cell Phone Impact Levels (Bice, 2021)
Overall, the categorization of Company XYZ’s cell phone is high, moderate, low for
confidentiality, integrity, and availability, with the overall impact value as high (Bice, 2021),
because under FIPS 199 the overall system category is the highest (high-water mark) of the three
objectives. CNSSI 1253 retains the three individual values, which is why the control selection
below refers to the H-M-L categorization. Following this determination, Company XYZ proceeds
to the next step in the RMF process.
Control Selection
The second step of the RMF process is control selection. Once the organization
determines the security categorization and corresponding impact level, baseline controls are
selected, tailored, and documented appropriately for the system, commensurate with the
organizational risk (Joint Task Force, 2018). Using NIST SP 800-53 R5 and CNSSI 1253
in combination with the security categorization and impact level, organizations determine the
baseline security controls and then tailor them to their information system.
With respect to Company XYZ’s cell phone, Table 2 identifies NIST SP 800-53 R5 controls
that the CNSSI 1253 baseline makes applicable for the H-M-L (high confidentiality) categorization. For
the purposes of this paper, only a subset of the applicable controls for the cell phone is listed.
Control – Short Control Description (see NIST SP 800-53 r5 for detailed descriptions)

AC-7(2) Unsuccessful Logon Attempts | Purge/Wipe Mobile Device – The information system purges/wipes information after an organization-defined number of consecutive, unsuccessful device logon attempts.
AC-11 Session Lock – The information system initiates a session lock after an organization-defined time period of inactivity.
AC-18 Wireless Access – The organization establishes and authorizes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access.
AC-19 Access Control for Mobile Devices – The organization establishes and authorizes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices.
CM-3 Configuration Change Control – The organization determines, reviews, documents, implements, retains, and audits the types of changes to the information system that are configuration-controlled.
CM-11 User-Installed Software – The organization establishes, enforces, and monitors an organization-defined policy governing the installation of software by users.
RA-5 Vulnerability Scanning – The organization scans for vulnerabilities in the information system and hosted applications at an organization-defined frequency and remediates legitimate vulnerabilities within organization-defined response times in accordance with an organizational assessment of risk.
SC-8 Transmission Confidentiality and Integrity – The information system protects the confidentiality and integrity of transmitted information.
SC-28 Protection of Information at Rest – The information system protects the confidentiality and integrity of information at rest.
SI-2 Flaw Remediation – The organization identifies, reports, and corrects information system flaws and tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation.
SI-4 Information System Monitoring – The organization deploys monitoring devices and monitors the information system to detect attacks and unauthorized access.
SI-7 Software, Firmware, and Information Integrity – The organization employs integrity verification tools to detect unauthorized changes to software, firmware, and information of the system.

Table 2: Company XYZ Cell Phone Control Selection
(Bice, 2021; Joint Task Force, 2020; Plunkett, 2014)
These controls are appropriate and important for the security of a mobile system because,
when implemented appropriately, only authorized individuals would be able to access the device,
and Company XYZ would be able to effectively manage and control the security configuration of the
device to limit the probability of device compromise. After the controls are selected, the next step
is control implementation.
Control Implementation
The third step of the RMF process is security control implementation. Once the
organization identifies the total controls applicable to the system, the organization implements
the controls and documents the baseline configuration (Joint Task Force, 2018). Activities in this
step include engineering specific implementation methods for the applicable controls and
documenting the implementations. Table 3 identifies the control implementations for the
cell phone system.

AC-7(2) Unsuccessful Logon Attempts | Purge/Wipe Mobile Device – IT should configure the devices to wipe after a fixed number of failed unlock attempts to reduce the possibility of disclosing information to unauthorized individuals. For iOS devices, the number of attempts before the wipe is a fixed value of ten failed attempts (Klein, 2016). For Android mobile devices, an application such as Locker must be installed; IT can then set the value to 10 attempts (Rosenblatt, 2016). In an enterprise deployment the threshold should be pushed by the MDM rather than left to the user or to a third-party app: Apple’s Passcode configuration payload carries a maxFailedAttempts key, and Android Enterprise exposes the same setting through DevicePolicyManager (setMaximumFailedPasswordsForWipe), so the consumer-oriented steps in the cited sources apply to unmanaged phones only.
AC-11 Session Lock – IT should configure the devices to lock after 15 minutes of inactivity for both iPhones and Androids (STIG Viewer, 2018, 2020).
AC-18 Wireless Access – IT should configure the devices to connect to the enterprise network automatically using Wi-Fi Protected Access 3 (WPA3). To ensure only authorized users are on the network, IT should configure the devices to authenticate against Active Directory (CISA, 2019); in practice this means WPA3-Enterprise with 802.1X, preferably EAP-TLS using device certificates issued through the MDM, rather than a shared pre-shared key.
AC-19 Access Control for Mobile Devices – Company XYZ should develop an Acceptable Use Policy that users sign to acknowledge cell phone usage restrictions and connection requirements.
CM-3 Configuration Change Control – IT should develop an enterprise configuration baseline for the cell phone prior to disseminating the phones. IT should restrict users from installing new applications and establish a service desk with a configuration change control policy that users can use to request additional applications or modifications.
CM-11 User-Installed Software – Same as CM-3.
RA-5 Vulnerability Scanning – IT should conduct vulnerability scanning every 30 days using vulnerability scanning software such as Tenable’s Nessus. Nessus’s “Mobile” tab can be used to enter credentials for the Apple and Microsoft management services so that the scanner can gather device information (Asadoorian, 2012). These checks query the MDM or ActiveSync server for device inventory rather than scanning the handset directly, so devices that are not enrolled are not covered.
SC-8 Transmission Confidentiality and Integrity – IT should configure the firewall to prevent other devices on the network from discovering the phones and filter both inbound and outbound traffic to only authorized traffic using authorized ports, protocols, and services (STIG Viewer, 2013). Those filtering rules are boundary protection (SC-7); SC-8 itself is met by encrypting traffic in transit, for example an MDM-enforced always-on VPN and TLS for all enterprise applications.
SC-28 Protection of Information at Rest – IT should enforce data-at-rest encryption on the mobile devices, which is configurable for both iOS and Android. On current iOS and Android releases file-based encryption is on by default but its keys depend on the device passcode, so enforcing the passcode policy above is what makes this control effective.
SI-2 Flaw Remediation – IT should install a Mobile Device Management (MDM) solution, which would allow IT to monitor, manage, and secure the mobile devices (Manage Engine, n.d.). IT admins would be able to add and remove applications, configure the devices, and monitor them from the MDM server at a remote location (Manage Engine, n.d.).
SI-4 Information System Monitoring – Same as SI-2.
SI-7 Software, Firmware, and Information Integrity – Same as SI-2.

Table 3: Company XYZ Cell Phone Control Implementation (Bice, 2021)
After the organization applies all the applicable control implementations to the system, the
controls are assessed.
Control Assessment
The fourth step of the RMF process is security control assessment. Once the controls
have been implemented, a security control assessor (SCA) assesses the controls to determine if
they are “implemented correctly, operating as intended, and producing the desired outcome” to
meet the required level indicated by organization and system (Joint Task Force, 2018). The
outcomes of this step include the security assessment report (SAR), findings documented in the
Plan of Action and Milestones (POA&M), and remediation actions. The POA&M
captures and tracks the remediation status of all non-compliant controls identified during the
security assessment (Bice, 2021). For Company XYZ’s cell phone system, Table 4 identifies
the assessment findings, the principal one being the absence of the MDM solution originally
identified in the control implementations. The MDM would allow IT admins to monitor and
manage the security configurations on mobile devices, including monitoring for non-compliant
devices and configuring remote wipe (Mixon, 2020). For DoD components, the DoD Mobility
Unclassified Capability (DMUC) is the enterprise MDM solution, which provides an application
store, public-key infrastructure support, content management, and app vetting services (DISA,
2018, n.d.). After the assessment and findings are documented in both the SAR and POA&M, the
system goes to the next step in the RMF process.
System Authorization
The fifth step of the RMF process is system authorization. After the SCA conducts an
assessment, the results are passed to the authorizing official (AO). The AO reviews the assessment
results and the overall authorization package to determine if the security risk to organizational
operations, individuals, assets, other organizations, or the nation is acceptable (Tipton, 2019). A
system whose risk is acceptable receives an ATO and can be deployed in the field. A system with
unacceptable risk can instead receive a Denial of ATO (DATO), a conditional ATO, or an Interim
Authorization to Test (IATT). With a DATO, the system is not allowed to deploy. With a conditional
ATO, the system can be deployed for a fixed amount of time, typically six months to a year, while
the organization fixes POA&M items. With an IATT, the organization has temporary authorization
to test within a specific time period (NIST, n.d.). In all three cases, the organization must fix or
mitigate POA&M findings prior to obtaining a full ATO.
For Company XYZ, the AO originally granted the cell phone system a DATO because the
lack of an MDM solution left the overall risk high. After remediating these critical POA&M items,
the AO would grant an ATO. Once granted an ATO, the system moves into continuous monitoring.
Continuous Monitoring
The last step of the RMF process is continuous monitoring. Once a system obtains an
ATO, the organization maintains ongoing situational awareness of the security posture of the
system and organization in support of risk management decisions (Joint Task Force, 2018).
Organizations conduct security impact analysis (SIA) for ongoing changes in the environment,
perform ongoing assessments to verify control implementations, update the authorization
package, and develop a system disposal strategy to plan for future decommissioning. This paper
focuses on the continuous monitoring process
For Company XYZ’s cell phone system, IT admins had to upgrade the operating system (OS)
due to security vulnerabilities in the old version. The process to address this situation includes
conducting an SIA, testing within a test environment, and then deploying to the field. Table 5
details the SIA for this OS change.
Once the SIA is conducted, Company XYZ identifies and follows a security checklist,
otherwise known as a hardening checklist, to ensure the OS change does not degrade the overall
security posture of the system (NIST, 2011). This checklist is detailed in Table 6.
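The configuration baseline from Table 3 and the periodic re-verification of implemented controls described in this section can be expressed as a check that runs against the MDM inventory rather than as a manual checklist. The following Python is an added example written for this page; it is not part of the paper, of XACTA, or of any MDM product. The wipe threshold (10 attempts) and inactivity lock (15 minutes) come from Table 3; the minimum OS versions, the approved-application list, the inventory field layout, and the three device records are constructed assumptions. The Apple passcode payload type and keys are Apple’s documented ones, but the payload identifiers are hypothetical. The block renders the AC-7(2)/AC-11 settings as an iOS configuration profile and then flags each non-compliant device with the control it fails, in the form the findings would be entered into a POA&M.

```python
"""Compliance-as-code for the Company XYZ mobile baseline (added example).

Baseline values for AC-7(2) and AC-11 come from Table 3 of the paper. The
minimum OS versions, the approved-app list, the inventory export format and
every device record below are constructed assumptions, not real data.
"""
import plistlib
import uuid
from dataclasses import dataclass

BASELINE = {
    "max_failed_attempts": 10,          # AC-7(2): purge/wipe after 10 failed unlocks
    "max_inactivity_min": 15,           # AC-11: session lock after 15 min idle
    "min_os": {"ios": (16, 0), "android": (13, 0)},  # SI-2: assumed version floor
    "approved_apps": {"com.example.mail", "com.example.vpn"},  # CM-11: assumed list
}


def ios_passcode_profile(baseline):
    """Render the AC-7(2)/AC-11 settings as an Apple configuration profile.

    PayloadType and key names are Apple's documented Passcode payload; the
    identifiers and display names are hypothetical. The MDM pushes this to
    supervised devices so the user cannot weaken it.
    """
    passcode = {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.xyz.passcode",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "XYZ passcode policy",
        "forcePIN": True,
        "allowSimple": False,
        "minLength": 6,
        "maxFailedAttempts": baseline["max_failed_attempts"],
        "maxInactivity": baseline["max_inactivity_min"],  # minutes
        "maxGracePeriod": 0,  # passcode required immediately after lock
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.xyz.baseline",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Company XYZ mobile baseline",
        "PayloadContent": [passcode],
    }
    return plistlib.dumps(profile).decode()


@dataclass
class Device:
    """One row of a hypothetical MDM inventory export.

    max_failed_attempts == 0 means wipe-on-failure is disabled on the device.
    """
    name: str
    platform: str
    os_version: str
    max_failed_attempts: int
    max_inactivity_min: int
    encrypted: bool
    installed_apps: frozenset
    mdm_enrolled: bool


def parse_version(text):
    """'16.4' -> (16, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def assess(dev, baseline):
    """Evaluate one device; return [(control, detail), ...] for the POA&M."""
    findings = []
    if not dev.mdm_enrolled:
        findings.append(("SI-4", "not enrolled in MDM; SI-2 and SI-7 also unmet"))
    if dev.max_failed_attempts == 0 or dev.max_failed_attempts > baseline["max_failed_attempts"]:
        findings.append(("AC-7(2)", f"wipe threshold {dev.max_failed_attempts} (0 = disabled)"))
    if dev.max_inactivity_min > baseline["max_inactivity_min"]:
        findings.append(("AC-11", f"lock after {dev.max_inactivity_min} min"))
    if not dev.encrypted:
        findings.append(("SC-28", "data-at-rest encryption not enforced"))
    if parse_version(dev.os_version) < baseline["min_os"][dev.platform]:
        findings.append(("SI-2", f"{dev.platform} {dev.os_version} below minimum"))
    unapproved = sorted(dev.installed_apps - baseline["approved_apps"])
    if unapproved:
        findings.append(("CM-11", "unapproved apps: " + ", ".join(unapproved)))
    return findings


def audit(inventory, baseline):
    """Map device name -> findings; an empty list means the device is compliant."""
    return {dev.name: assess(dev, baseline) for dev in inventory}


# Constructed sample export for illustration only.
INVENTORY = [
    Device("IPHONE-001", "ios", "16.4", 10, 15, True,
           frozenset({"com.example.mail", "com.example.vpn"}), True),
    Device("SAMSUNG-002", "android", "12.0", 0, 30, True,
           frozenset({"com.example.mail", "com.games.unapproved"}), True),
    Device("SAMSUNG-003", "android", "13.0", 10, 15, False,
           frozenset({"com.example.vpn"}), False),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, BASELINE).items():
        print(name, "COMPLIANT" if not findings else findings)
```

Running the check on a schedule (for example, the 30-day cadence the paper uses for RA-5) turns the "periodic verification of previously implemented controls" into evidence the AO can review, and each finding already carries the control ID needed for the POA&M entry. Treating a wipe threshold of zero as a failure, rather than only values above the baseline, is the edge case worth keeping: a disabled setting is the weakest possible value, not a compliant one.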
Additionally, with these changes, Company XYZ should verify the security status of
previously implemented controls on a periodic basis, where applicable. These controls and their
Company XYZ will continue to monitor the security posture of the cell phone system
throughout the system lifecycle. After three years, however, the system will be required to
undergo a full RMF reassessment, where the AO will determine if Company XYZ is maintaining
Conclusion
As Company XYZ develops information systems to support business and mission needs,
security should be a top priority, especially with many threat actors targeting defense contractors.
Company XYZ is developing a cell phone system for dissemination to employees. To ensure
these systems are secure and to reduce risk as far as practical, Company XYZ should follow
the Risk Management Framework. RMF allows the company to accurately, thoroughly, and
effectively implement secure solutions for the applicable security controls. This paper has discussed
the full RMF cycle with respect to the Company XYZ cell phone system.
References
Asadoorian, P. (2012, July 19). Detecting Mobile Device Vulnerabilities Using Nessus. From
https://www.tenable.com/blog/detecting-mobile-device-vulnerabilities-using-nessus
Barker, W., Fahlsing, J., Kissel, R., Lee, A., Stine, K. (2008, August). NIST SP 800-60 Volume II:
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v2r1.pdf
CISA (2019, November 20). Security Tip (ST18-003): Securing Enterprise Wireless Networks.
From https://us-cert.cisa.gov/ncas/tips/ST18-247
DISA (2018, August 1). DISA expands mobility offering to organizations not using DOD
mobility-Enterprise-Email
https://disa.mil/-/media/Files/DISA/Fact-Sheets/180918-Fact_Sheet-DMUC.ashx
FedRAMP (2018, April 4). FedRAMP Continuous Monitoring Strategy Guide. From
https://www.fedramp.gov/assets/resources/documents/CSP_Continuous_Monitoring_Strategy_Guide.pdf
Joint Task Force. (2018, December). NIST SP 800-37 R2: Risk Management Framework for
Information Systems and Organizations: A System Life Cycle Approach for Security and
Joint Task Force. (2020, September). NIST SP 800-53 Rev 5: Security and Privacy Controls for
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
Joint Task Force Transformation Initiative (JTFTI). (2012, September). NIST SP 800-30r1:
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
Klein, M. (2016, July 28). How to Erase Your iOS Device After Too Many Failed Passcode
too-many-failed-passcode-attempts/
https://www.manageengine.com/mobile-device-management/what-is-mdm.html
https://searchmobilecomputing.techtarget.com/definition/mobile-device-management
NIST. (2011, September). NIST Special Publication 800-137 Information Security Continuous
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf
https://csrc.nist.gov/glossary/term/interim_authorization_to_test
Petters, J. (2021, January 29). Risk Management Framework (RMF): An Overview. From
https://www.varonis.com/blog/risk-management-framework/
Plunkett, D. (2014, March 27). CNSSI No. 1253: Security Categorization and Control Selection
https://www.dcsa.mil/portals/91/documents/ctp/nao/CNSSI_No1253.pdf
Rosenblatt, S. (2016, March 11). How to FBI-proof your Android. From
https://the-parallax.com/2016/03/11/how-to-fbi-proof-your-android/
STIG Viewer. (2013, January 24). Mobile Device Manager Security Requirements Guide. From
https://www.stigviewer.com/stig/mobile_device_manager_security_requirements_guide/2013-01-24/
STIG Viewer. (2018, November 28). Apple iOS must be configured to lock the display after 15
11-28/finding/V-81759
STIG Viewer. (2020, February 24). Samsung Android must be configured to lock the display
https://www.stigviewer.com/stig/samsung_os_9_with_knox_3.x_cobo_use_case_kpeae_deployment/2020-02-24/finding/V-92879
Tipton, S. (2019, December 10). How to Apply the Risk Management Framework (RMF). From
https://www.tripwire.com/state-of-security/featured/applying-risk-management-
framework/