Commercial organizations may wish to utilize existing frameworks to implement IT Security best practices. NIST’s Risk Management Framework is among the options available. As a C-level official or security professional, you may choose to use this framework or require compliance in response to gaining federal business partnerships and contracts. Below is a little background, followed by the recipe for success in a commercial implementation of NIST’s Risk Management Framework.
NIST gained the role of providing cyber security guidelines and standards from the Federal Information Security Management Act of 2002 (FISMA). These guidelines and standards extend to all Federal organizations and contractors with theexception of National Security Systems. National Security Systems require additional security measures to ensure confidentiality of classified data. If you are looking for answers to classified data security, you are in the wrong cookbook.
If you are not looking for a narrative version of the process, a copy of FISMA can be located here:http://www.gpo.gov/fdsys/pkg/PLAW-107publ347/content-detail.html. Having worked under FISMA guidance for many years, I recommend avoiding the dry reading and stick with the narrative recipe here.
Preparation: 6 months Cook Time: Indefinite
- NIST Special Publication 800-37 Revision 1
- FIPS Publication 199
- NIST Special Publication 800-53 Revision 3
- NIST Special Publication 800-53A
- NIST Special Publication 800-60 Volume I
- NIST Special Publication 800-60 Volume II
- OMB Memorandum M-11-33
Using FIPS 199 and NIST SP 800-60 Volumes I and II, organizations conduct a Security Categorization. This activity allows for an appropriate level of security measures to be utilized based on the sensitivity of the data involved with the system. For those organizations attempting to work with federal customers, this step is a requirement. All others are highly recommended to conduct a security categorization, as it will assist in scoping which controls to select for implementation.
NIST SP 800-53 Revision 3 provides all the controls which may be implemented under NIST. Remember, NIST has been tasked with providing the guidelines and standards per FISMA. Implementing the NIST controls will aid in FISMA compliance. Using the results from Step 1, the appropriate controls can be determined for implementation from NIST SP 800-53 Revision 3.
Regardless of an organization’s FISMA implementation drivers, additional controls may always be added as needed. However, removing controls is throwing caution to the wind. The advised controls for your system are considered a minimum security baseline. Removing controls without a risk analysis could produce disastrous results. Once your controls are selected, the task of implementing those controls should take place.
After establishing your control baseline, it is now time to identify requirements for Continuous Monitoring. A Continuous Monitoring strategy allows an organization to review critical controls on a yearly basis. Your remaining controls are assessed on a rotational basis. This eases the amount of overhead for security implementations while still ensuring the security posture is reviewed regularly. Again, for those organizations working with federal customers, this is a requirement while all others should implement this as a best practice using NIST.
Using the NIST SP 800-53A, your selected controls should now be assessed and validated. Unlike many other frameworks, NIST does not require all controls to be implemented. What is required is documentation and acceptance of risk for those controls not implemented. Again however, the NIST guidance is a minimum control baseline and no control should be overlooked. Any deviance from what NIST recommends and what is actually implemented should be accepted by an Authorizing Official. Many times this person is a senior official with decision making and funding authority over the information system.
Authorization To Operate (ATO) needs to be obtained from the Authorizing Official. To do this, we need to complete some additional documentation prior to considering the process cooked and ready to serve.
1.) A Contingency Plan test needs to be conducted and documented. It has been my experience during spot checks of FISMA compliance, that documentation proving the implementation must be readily available.
2.) A Configuration Management plan needs to exist. If it does not, one needs to be created. For those simply using NIST as a framework, I recommend a Configuration Management Plan. These plans will assist any organization in ensuring a thorough vetting process exists for configuration changes which include security reviews. The overall impact to your security posture will be rewarded by accounting for authorized changes.
3.) Privacy Impact Assessments may need to be completed. If you are in the commercial industry, privacy data is likely already addressed under legal regulations. For government partners however, be prepared to partake in your partnering agency’s privacy requirements.
4.) A System Security Plan (SSP) needs to be constructed. This document typically aligns with the NIST SP 800-53 controls and includes identification of security personnel, locations of systems, a system description, and other items of interest regarding security and the information system.
It’s now time to serve up all the work done in the previous steps. You accomplish this by compiling a group of documents for presentation and acceptance by the Authorizing Official. Those items should be similar to the list shown below.
- System Categorization Record
- Contingency Plan test with a documented test
- Configuration Management Plan
- Privacy Impact Assessment
- System Security Plan
- Security Assessment Results
Once presented, your Authorizing Official can make a determination on whether the risk to operate the system is acceptable. Why is this important? The Authorizing Official is the person legally accountable for the system under FISMA. By providing these materials to the AO, you have provided the information this person needs to make a risk-based decision regarding the security posture of the information system.
As a commercial organization, these documents may be known by other titles. Do not get wrapped up in what they are called, but do understand when dealing with NIST these phrases will arise. Finally, realize NIST simply provides a Risk Management Framework. Unless you are directly working with the federal government, there isn’t much need to follow the NIST processes to the exact letter. Much like a real recipe, this is a process which can be customized and tailored to meet the needs of your organization. Simply document your customizations so the next time in the kitchen, you know how to do what you did before.
Additional information regarding NIST SP 800-53 Revision 3 and the FAR clause can be located here: