Key activities in managing enterprise-level risk resulting from the operation of an information system:

  • Categorize the information system
  • Select a set of minimum (baseline) security controls
  • Refine the security control set based on a risk assessment
  • Document the security controls in the system security plan
  • Implement the security controls in the information system
  • Assess the security controls
  • Determine agency-level risk and risk acceptability
  • Authorize information system operation
  • Monitor the security controls on a continuous basis

DODI 8500.01 Cybersecurity

Provides the foundation for establishing a DOD Cybersecurity program for defense of networks, systems and information technology to include definitions of terms, security controls guidance, and enterprise governance.

DODI 8510.10 DoD Risk Management Framework

Establishes a policy governing DoD cybersecurity, assigns responsibilities, and details execution of the RMF process.

FedRAMP

The Federal Risk and Authorization Management Program is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework.

FIPS Publication 199 Security Categorization

Standards to be used by all federal agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels.

FIPS Publication 200 Minimum Security Controls

Specifies minimum security requirements for information and information systems supporting the executive agencies of the federal government and a risk-based process for selecting the security controls necessary to satisfy the minimum security requirements.

NIST SP 800-18 Guide for Developing Security Plans for Federal Information Systems

The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system.

NIST SP 800-39 Managing Information Security Risk

Documents a program for understanding and assessing information security risk within an organization.

NIST SP 800-37 Risk Management Framework

Provides guiding principles for implementing RMF on federal information systems to ensure consistency, full integration, and more secure configuration of security controls on a system.

NIST SP 800-30 Risk Assessment

Documents a strategy for conducting risk assessments on information systems and organizations as a part of an overall risk management process.

NIST SP 800-53 Cybersecurity Controls and Enhancements

Establishes guidelines for assigning security controls for the purposes of achieving secure operations of information systems.

NIST SP 800-53A Cybersecurity Control Assessment Procedures

Initial point for defining assessment procedures for applicable security controls for a given system.

NIST SP 800-115 Technical Guide to Information Security Testing and Assessment

Provides guidelines for organizations on planning and conducting technical information security testing and assessments, analyzing findings, and developing mitigation strategies.

NIST SP 800-137 Information Security Continuous Monitoring

Assists organizations in the implementation of a continuous monitoring strategy.

NIST SP 800-60 Mapping Types of Information to Security Categories

Supports organizations in the process of aligning information and information systems with the appropriate security category in a consistent manner.

NIST SP 800-160 Systems Security Engineering

Provides a comprehensive guideline of the principles and concepts of security engineering for federal information systems.

OMB-130 Management of Federal Information Resources

This Circular establishes policy for the management of Federal information resources. OMB includes procedural and analytic guidelines for implementing specific aspects of these policies as appendices.

CNSSP 22 Policy on Information Assurance Risk Management Policy for NSS

Serves as the requirement for establishing an organizational Information Assurance policy for National Security Systems.

CNSSI 1253 Security Categorization and Control Selection for National Security Systems

Provides a foundation for selecting and applying security controls from NIST SP 800-53 for implementation on a National Security System.

CNSSI 1253A Implementation and Assessment Procedures

Establishes a guideline for assessing compliance with applicable security controls on a National Security System.

CNSS 4009 National Information Assurance Glossary

Documents a detailed glossary of Information Assurance related terms to minimize differences in terminology to ensure consistency and standardization.

“The objective of RMF is to achieve visibility into prospective business/mission partners’ information security programs BEFORE critical/sensitive communications begin … establishing levels of security due diligence.” (National Institute of Standards and Technology, 2014)

© 2017 Secure Managed Instruction Systems, LLC | 3350 Riverwood Pkwy, Ste 1900 | Atlanta, Georgia 30339 | Email: semais@semais.net