DIARMF Process

Defense Information Assurance Risk Management Framework (DIARMF Process) DoDI 8510.01, Defense Information Assurance Risk Management Framework Risk = ((Vulnerability * Threat) / Countermeasure) * Asset Value at Risk IT Risk Risk is the likelihood that a threat will compromise the weakness of an asset. The U.S. Department of Defense has moved to a more quantitative approach to analyzing and managing the risk to its resources. The DoD has chosen risk management to managing Information Assurance (Information Security). They are adopting the process developed by the National Institute of Standards and Technology (NIST) which presented the framework in NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems. NIST Risk Management Framework was developed by the Joint Task Force Transformation Initiative Working Group which consists of the NIST itself, the DOD and Office of the Director of National Intelligence.

DoDI 8510.01, Defense Information Assurance Risk Management Framework is a revamped DIACAP that is basically NIST SP 800-37 + CNSS information system categorization. Documentation wise, the DoD is pushing to have the process be completed  using Enterprise Mission Assurance Support Service (eMASS) which is the Department of Defense’s (DoD) recommended tool for information system Certification and Accreditation (C&A). In a perfect world, a DoD organization will be able to easily access eMASSS and complete the DIARMF Process with no problems. Regardless of the specific tools and or products recommended, you should understand how to minimize risk to your assets using DIARMF then the tools and products become interchangeable and superficial. Products and tools change and evolve daily but the equation: Risk = Threat * Vulnerability * Asset is here to stay.

Like the NIST RISK Management Framework, the DIARMF Process will consist of a 6 step process:

DIARMF Process – Step 1. Categorize

The security categorization of your system will determine the level of work. Its like a domino effect. Essentially, you want to figure out how important is your system and what is the impact if its data is stolen, information manipulated or becomes unavailable. What is the impact to your organization, to the nation and/or end user.

What you will learn:

• Introduction to Categorization
• What is FIPS 199 & NIST SP 800-60?

The first step is to categorize the information systems information. How important is the information system and its data? What kinds of protection does it need? How much confidentiality, integrity and availability does it need? The importance of the resource will determine its level of protection. The Federal Information Processing Standard Publication (also known as FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, breaks down the different categories of federal information systems. Additionally, the NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories allows you to come up with a more indepth categorization of the system and information. DIARMF Process – FIPS 199 & NIST 800-60 Essentially FIPS 199 allows you to be more granular and specific to your systems security categorization. If, for example, you have a system that needs HIGH confidentiality, but low availability like a classified intranet web server, Risk Management framework allows you to customize the security categorization accordingly:

Classified Intranet Web Server

SC information type = {(confidentiality, HIGH), (integrity, LOW), (availability, LOW)}

sc = security classification, impact = low, medium or HIGH

800-60 “Guide for Mapping Types of Information and Information Systems to Security Categories” was created to help US Federal government agencies to categorize information and information systems. 800-60 consists of 2 Volumes. The first volume identifies the process of Mapping types of information and information systems to security categories and the second volume contains references, glossary and other documents. Its part of the family of essential documents on which DIARMF is based. Those documents include:

• NIST SP 800-30, Risk Management Guide for Information Technology Systems
•  NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems;
• NIST Draft SP 800-39, Managing Risk from Information Systems: An Organization Perspective;
• NIST SP 800-53, Recommended Security Controls for Federal Information Systems;
• NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems
• NIST SP 800-59, Guideline for Identifying an Information System as a National Security System

Need to know More about DIARMF Categorization?

• What is Categorization?
• Who Categorizes the system?
• Why does it need to be Categorized?
• What is a “Water Mark”
• Learn more in DIARMF Process Categorize

image from: http://blog.eircomforbusiness.com/profile/Andy (andy O’Kelly, eircomforbusiness.com)

DIARMF Process – Step 2. Select

What you will learn:

• Why you need all stakeholders for Step 2
• What are FIPS 200 & NIST SP 800-53?

Once you know the security categorization of your system, the next steps is the Select the security controls that will be applied to your system. The security categorization gives you a baseline of security controls that are needed.

This takes a lot of strategizing among Information System Security Officer, System Administrators, and possibly the system owner. You need in depth consolation with your technical peers and system administrators who know what the system can and cannot tolerate. Security controls are necessary but you don’t want to restrict the functionality of the system. If the system does not work security is irrelevant. DIARMF – FIPS 200 & NIST SP 800-200 FIPS 200, Minimum Security Requirements for Federal Information and Information Systems is a bridge between the FIPS 199 and the security controls documented in NIST SP 800-53. It sets forth the initial set of baseline security controls for your system based on the system impact level and minimum security requirements. FIPS 200 is a very short document that explains the levels of impact that your system has based on your systems security categorization and how the security controls will be selected. NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations, contains all the controls prescribe to the security categorization of your system. After selecting the initial set of baseline security controls from Appendix D, the organization initiates the tailoring process to appropriately modify and more closely align the controls with the specific conditions within the organization (i.e., conditions specific to the information system or its environment of operation). The tailoring process includes: Applying scoping guidance to the initial baseline security controls to obtain a preliminary set of applicable controls for the tailored baseline; Selecting (or specifying) compensating security controls, if needed, to adjust the preliminary set of controls to obtain an equivalent set deemed to be more feasible to implement; and Specifying organization-defined parameters in the security controls via explicit assignment and selection statements to complete the definition of the tailored baseline. Scoping guidance provides organizations with specific terms and conditions on the applicability and implementation of individual security controls in the security control baselines.  Application of scoping guidance helps to ensure that organizations implement only those controls that are essential to providing the appropriate level of protection for the information system based on specific mission/business requirements and particular environments of operation. The better you plan in Step 2, Selecting security controls, the more prepared you will be for Step 3, Implementation.

DIARMF Process – Step 3. Implement

What you will learn:

• Overview of Step 3, Implementation
• Where to go for technical help on implementation

After you have determined the security categorization of the system, have selected the security controls and have actually planned how you will implement the security controls, the next step is the Implement! This is the the longest part of the DIARMF process. And the more complex your system is the more help and time you will need to do it. Implementation may involve installing patches, upgrading operating systems, configuring network devices, turning on and configuring security settings like audit logs, screen locks and even installing new systems. You will need someone with technical skills to implement certain security controls. Where you will have to go for guidance on certain technical security controls are actual vendor documentation, online knowledge databases, technical manuals, and even actual support technicians on specific products if necessary. Other places that are helpful are:

• NSA.gov/ia
• iase.disa.gov

These are great sites packed with lots of specific information on how to apply DOD level security. Not all implementation is technical. You may also need to create supporting documents such as System Security Plans, User Agreements, and security policies and many other documents. NIST SP 800-53 has not only technical controls, but also administrative controls and physical controls.

DIARMF Process – Step 4. Assess

What you will learn:

• Overview of Step 4, Assess
• What is NIST SP 800-53A

After implementation of security controls, you need to make sure the controls are installed properly. Security Assessments are usually done by outside organization to keep the stakeholders honest. Assessments are done usings NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations. This document contains all the security controls of 800-53 as well as HOW they should be assessed.

DIARMF Process – Step 5. Authorize

What you will learn:

• Who can authorize the system
• What is NIST SP 800-53A

Step 5 of the DIARMF is similar to Phase 4 of DIACAP, Make Certification Determination & Authorization Decision. After each security control is assessed, the system needs to be authorized. Authorization is a formal acceptance of remaining risk from someone in charge. The person taking the risk should be an executive level person who has some ownership of the security of the system. The person authorizing is known as a Authorizing Official. The Authorization Decision is based on data gathered and put into the Authorization Package. The Authorization Package consists of a System Security Plan, a Security Assessment Report, and a Plan of Action and Milestone. After reviewing the Authorization Package the Authorization Officer makes are formal, written acceptance of the system know as an Authorization to Operate.

DIARMF Process – Step 6. Continuous Monitoring

What you will learn:

• Why do you need continuous monitoring
• What is continuous monitoring

If you are familiar with DIACAP, then continuous monitoring is similar to Phase 5, Maintain Authorization to Operate, but with automation in near real-time, not just manual periodic reviews of the system. The systems security posture must be maintained after it has been authorized. There should not be any MAJOR security changes without approval, there should not be any major additions to the system without approval. Remember someone is directly responsible for the security of the system. But system change all the time. New vulnerabilities are discovered, new threats emerge and inevitably new risks take shape. That is why continuous monitoring is important. Continuous monintoring means having a process in place to accept or reject changes that affect the risk of the system. It also mean proactively looking for new vulnerabilities, threats and potential risks. In some cases, the system MUST change drastically, which may mean going back to Step 1 or 2 of the DIARMF process to figure out how to maintain the system’s confidentiality, integrity and/or availability. Also, if the system becomes more important and the impact to the system is more dramatic, there may be a need for changing the actual security category of the system. Continuous monitoring is in place to adjust to change. DIARMF focuses more on risk than its predecessor DIACAP which was based on the more process driven qualitative method. In contrast, DIARMF is closer to the international standard, ISO/IEC 27001:2005, Information Security Management System.