DoD 8510, RMF for DoD IT: 6 steps to success

The DoD Risk Management Framework for IT, also known as DIARMF, replaces the Department of Defense Information Assurance Certification & Accreditation Process (DIACAP) and is taken from NIST SP 800-37 combined with CNSS guidance. The DoD is hoping to escape from the pure documentation exercise that C&A had become.

Basically, RMF for DoD IT concerns risk management:

Risk = Threat * Vulnerability * Asset


DIARMF (http://diarmfs.com) - Step 1. Categorize

During categorization of your system you will figure out how important the system is. You need to understand the impact if your system is destroyed, or its data is lost or otherwise unavailable, and what that impact is to the business unit.

DIARMF FIPS 199 & NIST 800-60

FIPS 199 is a short guide to help with system security categorization:

SC information type = ((confidentiality, HIGH), (integrity, LOW), (availability, LOW))

SC = security classification; impact = LOW, MEDIUM or HIGH

NIST 800-60 is the Guide for Mapping Types of Information and Information Systems to Security Categories.

DIARMF Step 2. Security Control Selection

The “Select” step is just selecting the appropriate security controls that fit the system you've categorized. The categorization determines which security controls are appropriate. The Information System Security Officer and others come together to decide which set of security controls needs to be implemented.

Documents that help in the “Select” step are FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, and NIST SP 800-53. FIPS 200 defines the initial set of baseline security controls in line with the security level at which your system has been categorized.
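To make the Categorize and Select steps concrete, here is an added example (my own code, not from the page or from any DoD tool) that parses FIPS 199 security category lines in the notation shown above, aggregates the information types a system handles, and applies the FIPS 200 high-water-mark rule to pick the baseline. FIPS 199 names the middle impact level MODERATE; the page's "medium" is accepted as an alias. The sample SC lines are constructed.

```python
import re

# FIPS 199 impact levels in increasing order. The page writes the middle
# level as "medium"; FIPS 199 calls it MODERATE, so both are accepted.
LEVELS = ["LOW", "MODERATE", "HIGH"]
ALIASES = {"MEDIUM": "MODERATE", "L": "LOW", "M": "MODERATE", "H": "HIGH"}
OBJECTIVES = ("confidentiality", "integrity", "availability")

_SC_RE = re.compile(r"SC\s+(?P<name>.+?)\s*=\s*[\(\{]\s*(?P<body>.*?)\s*[\)\}]\s*$", re.I)
_PAIR_RE = re.compile(r"\(\s*(\w+)\s*,\s*(\w+)\s*\)")

def normalize(level):
    """Map any accepted spelling of an impact level to LOW / MODERATE / HIGH."""
    level = level.strip().upper()
    level = ALIASES.get(level, level)
    if level not in LEVELS:
        raise ValueError(f"unknown impact level: {level!r}")
    return level

def parse_sc(line):
    """Parse one FIPS 199 line such as
    'SC payroll = {(confidentiality, HIGH), (integrity, LOW), (availability, LOW)}'
    and return (name, {objective: level}); a missing objective is an error."""
    m = _SC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a FIPS 199 SC line: {line!r}")
    pairs = {obj.lower(): normalize(lvl) for obj, lvl in _PAIR_RE.findall(m.group("body"))}
    missing = [o for o in OBJECTIVES if o not in pairs]
    if missing:
        raise ValueError(f"{m.group('name')}: missing objectives {missing}")
    return m.group("name"), pairs

def system_category(sc_lines):
    """Per security objective, the system's impact is the highest impact
    among all information types it processes (FIPS 199 section 3.2)."""
    cats = [parse_sc(line) for line in sc_lines]
    return {o: max((c[o] for _, c in cats), key=LEVELS.index) for o in OBJECTIVES}

def high_water_mark(system_sc):
    """FIPS 200: the overall system impact level is the highest of the three
    objectives; that level selects the LOW / MODERATE / HIGH SP 800-53 baseline."""
    return max(system_sc.values(), key=LEVELS.index)

if __name__ == "__main__":
    # Constructed sample: two information types handled by one system.
    sample = ["SC payroll = {(confidentiality, HIGH), (integrity, LOW), (availability, LOW)}",
              "SC schedule = ((confidentiality, low), (integrity, medium), (availability, LOW))"]
    sc = system_category(sample)
    print("system SC:", sc, "-> baseline:", high_water_mark(sc))
```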

DIARMF Step 3. Implementation

After you have selected the security controls you will have to begin implementing them. This is by far the hardest part of the process, as some security controls may actually break functionality and have to be scaled back or eliminated entirely.

Implementation is a mixture of patches, hotfixes, configuring network devices, turning on security features like authentication and, in some cases, installing a whole new system or using different software.

This process requires someone with technical ability. System security can be counterintuitive, and damaging if done improperly.

DIARMF - Step 4. Assess

Assessment is essential after implementation of the security controls, not only to see whether they were actually implemented but for assurance that they were done properly. Implementation is so difficult and demanding that it requires ANOTHER step to check it.

Assessing security controls is detailed in NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations.

DIARMF - Step 5. Authorize

Once security controls are implemented and assessed, someone needs to accept the risk of the system being damaged. That is where the “Authorization” step comes in. The individual accepting the risk should be an executive-level manager who has some ownership of the security of the system; this role is termed the Authorizing Official.


DIARMF - Step 6. Continuous Monitoring

The final step is an on-going one. The security implemented has to be maintained once it has been accepted by the Authorizing Official.

Continuous Monitoring is an on-going, daily process in place to accept or reject changes that affect the risk of the system. It is all about proactively looking for new vulnerabilities, threats and potential risks.