
DIARMF Process

Defense Information Assurance Risk Management Framework (DIARMF Process)

DoDI 8510.01, Defense Information Assurance Risk Management Framework

Risk = ((Vulnerability * Threat) / Countermeasure) * Asset Value at Risk

IT Risk

Risk is the likelihood that a threat will exploit a weakness (vulnerability) in an asset. The U.S. Department of Defense has moved to a more quantitative approach to analyzing and managing the risk to its resources, and has chosen risk management as the basis for managing Information Assurance (information security). It is adopting the process developed by the National Institute of Standards and Technology (NIST) and presented in NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems. The NIST Risk Management Framework was developed by the Joint Task Force Transformation Initiative Working Group, which consists of NIST itself, the DoD and the Office of the Director of National Intelligence.

DoDI 8510.01, Defense Information Assurance Risk Management Framework, is a revamped DIACAP that is essentially NIST SP 800-37 plus CNSS information system categorization.

Documentation-wise, the DoD is pushing to have the process completed using the Enterprise Mission Assurance Support Service (eMASS), the DoD's recommended tool for information system Certification and Accreditation (C&A). In a perfect world, a DoD organization will be able to access eMASS easily and complete the DIARMF Process with no problems. Regardless of the specific tools or products recommended, you should understand how to minimize risk to your assets using DIARMF; the tools and products then become interchangeable and superficial. Products and tools change and evolve daily, but the equation, in its simplest form Risk = Threat * Vulnerability * Asset, is here to stay.

Like the NIST Risk Management Framework, the DIARMF Process consists of a 6-step process:

DIARMF Process – Step 1. Categorize

The security categorization of your system determines the level of work; it has a domino effect on everything that follows. Essentially, you want to figure out how important your system is and what the impact would be if its data were stolen, its information manipulated, or the system became unavailable. What is the impact to your organization, to the nation and/or to the end user?

What you will learn:
Introduction to Categorization
What is FIPS 199 & NIST SP 800-60?

The first step is to categorize the information system and its information. How important are the information system and its data? What kinds of protection do they need? How much confidentiality, integrity and availability do they need? The importance of the resource determines its level of protection. Federal Information Processing Standard Publication (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, breaks down the different categories of federal information systems. Additionally, NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, allows you to come up with a more in-depth categorization of the system and its information.

DIARMF Process – FIPS 199 & NIST 800-60

Essentially, FIPS 199 allows you to be granular and specific about your system's security categorization. If, for example, you have a system that needs HIGH confidentiality but only LOW availability, like a classified intranet web server, the Risk Management Framework lets you express the security categorization accordingly:

Classified Intranet Web Server
SC information type = {(confidentiality, HIGH), (integrity, LOW), (availability, LOW)}

where SC = security category and each potential impact value is LOW, MODERATE or HIGH.

NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, was created to help US Federal government agencies categorize information and information systems. 800-60 consists of 2 volumes.
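The FIPS 199 notation above covers a single information type. A real system usually carries several, and FIPS 199 aggregates them with the high water mark: each of confidentiality, integrity and availability takes the highest value found in any information type, a system never drops below LOW, and FIPS 200 then takes the highest of the three as the system impact level that picks the SP 800-53 baseline. The following is an added example, not code from the page, from DoD or from NIST; the SecurityCategory class, the function names and the two information types (the page's classified web content plus a constructed public press-release feed on the same host) are illustrative assumptions.

```python
"""Added example: FIPS 199 security categorization with the high water mark.

Not code from the page or from DoD/NIST. The information types and their
impact values below are constructed for illustration.
"""
from dataclasses import dataclass

# FIPS 199 potential impact values, ordered low to high. NA ("not applicable")
# is permitted only for the confidentiality of public information, and only
# for information types, never for a system.
LEVELS = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
NAMES = {v: k for k, v in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class SecurityCategory:
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for obj in OBJECTIVES:
            val = getattr(self, obj)
            if val not in LEVELS:
                raise ValueError(f"{obj}: unknown impact value {val!r}")
            if val == "NA" and obj != "confidentiality":
                raise ValueError(f"NA is only permitted for confidentiality, not {obj}")

    def notation(self, label):
        """Render the FIPS 199 SC notation used on the page."""
        return ("SC %s = {(confidentiality, %s), (integrity, %s), (availability, %s)}"
                % (label, self.confidentiality, self.integrity, self.availability))


def is_valid_category(confidentiality, integrity, availability):
    """True if the three values form a legal FIPS 199 information-type category."""
    try:
        SecurityCategory(confidentiality, integrity, availability)
        return True
    except ValueError:
        return False


def system_category(info_types):
    """Aggregate information-type categories into the system's category.

    FIPS 199: each objective takes the highest value over all information
    types (the high water mark), and a system's minimum for any objective is LOW,
    so an NA confidentiality on public information rises to LOW at system level.
    """
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    marks = {}
    for obj in OBJECTIVES:
        highest = max(LEVELS[getattr(sc, obj)] for sc in info_types)
        marks[obj] = NAMES[max(highest, LEVELS["LOW"])]
    return SecurityCategory(**marks)


def overall_impact(sc):
    """FIPS 200: the system impact level is the high water mark across the three
    objectives; it selects the LOW, MODERATE or HIGH SP 800-53 baseline."""
    return NAMES[max(LEVELS[getattr(sc, obj)] for obj in OBJECTIVES)]


# Constructed inputs: the page's classified intranet web content plus a
# hypothetical public press-release feed hosted on the same system.
CLASSIFIED_WEB = SecurityCategory("HIGH", "LOW", "LOW")
PRESS_RELEASES = SecurityCategory("NA", "MODERATE", "LOW")

if __name__ == "__main__":
    print(CLASSIFIED_WEB.notation("classified web content"))
    print(PRESS_RELEASES.notation("press releases"))
    web_server = system_category([CLASSIFIED_WEB, PRESS_RELEASES])
    print(web_server.notation("intranet web server"))
    print("FIPS 200 baseline:", overall_impact(web_server))
```

Note what the aggregation does to the page's example: adding the press-release feed raises the server's integrity to MODERATE, but the overall impact level stays HIGH because confidentiality already drove it there, so the baseline does not change. The practical lesson is that one HIGH information type on a host makes the whole host a HIGH system, which is the usual argument for keeping such data off shared servers.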
The first volume describes the process of mapping types of information and information systems to security categories; the second volume contains references, a glossary and other supporting material. It is part of the family of essential documents on which DIARMF is based. Those documents include:
NIST SP 800-30, Risk Management Guide for Information Technology Systems
NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
NIST Draft SP 800-39, Managing Risk from Information Systems: An Organizational Perspective
NIST SP 800-53, Recommended Security Controls for Federal Information Systems
NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems
NIST SP 800-59, Guideline for Identifying an Information System as a National Security System

Need to know more about DIARMF Categorization?
What is Categorization?
Who categorizes the system?
Why does it need to be categorized?
What is a "high water mark"?
Learn more in DIARMF Process Categorize.

DIARMF Process – Step 2. Select

What you will learn:
Why you need all stakeholders for Step 2
What are FIPS 200 & NIST SP 800-53?

Once you know the security categorization of your system, the next step is to select the security controls that will be applied to it. The security categorization gives you a baseline of security controls. Selecting them takes a lot of strategizing among the Information System Security Officer, system administrators and possibly the system owner. You need in-depth consultation with your technical peers and the system administrators who know what the system can and cannot tolerate. Security controls are necessary, but you don't want to restrict the functionality of the system: if the system does not work, security is irrelevant.

DIARMF – FIPS 200 & NIST SP 800-53

FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, is the bridge between FIPS 199 and the security controls documented in NIST SP 800-53. It sets forth the initial set of baseline security controls for your system based on the system impact level and the minimum security requirements. The system impact level is the highest (high water mark) of the three impact values in the security categorization, so the classified intranet web server above is a HIGH-impact system. FIPS 200 is a very short document that explains the impact level your system has based on its security categorization and how the security controls will be selected. NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations, contains all the controls prescribed for the security categorization of your system. After selecting the initial set of baseline security controls from Appendix D, the organization initiates the tailoring process to appropriately modify and more closely align the