diarmf - continuous monitoring
Risk Management For DoD IT

Chinese phone comes preloaded with spyware (Seattle Times, 6/17/14)

Star N9500

From the Seattle Times (6/17/14):

A cheap brand of Chinese-made smartphones carried by major online retailers comes preinstalled with espionage software, a German security firm said Tuesday.

G Data Software said it found malicious code hidden deep in the proprietary software of the Star N9500 when it ordered the handset from a website late last month. The find is the latest in a series of incidents where smartphones have appeared preloaded with malicious software.

G Data spokesman Thorsten Urbanski said his firm bought the phone after getting complaints about it from several customers. He said his team spent more than a week trying to trace the handset’s maker without success. “The manufacturer is not mentioned,” he said. “Not in the phone, not in the documentation, nothing else.” The Associated Press found the phone for sale on several major retail websites, offered by an array of companies listed in Shenzhen, in southern China. It could not immediately find a reference to the phone’s manufacturer.

One of the things G Data discovered was the Android.Trojan.Uupay.D trojan masquerading as the “Google Play Store” app. This may be the Chinese government's attempt to spy on its own people, which is what most governments seem to be trying to do lately, each for its own interests. The practical lesson is the supply-chain one: firmware you did not build and cannot attribute to a manufacturer cannot be trusted, and a hidden app with a familiar name will not be caught by looking at the app list.

Hopefully, individuals will get smarter about protecting their own privacy and stay informed about cyber security.


risk management framework steps


The risk management framework steps are detailed in NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems.

The DoD has recently adopted the Risk Management Framework steps (called the DIARMF process). There are six steps: Categorize, Select, Implement, Assess, Authorize and Continuous Monitoring.


risk management framework – Step 1. Categorize

The first risk management framework step is categorization. This step consists of classifying the importance of the information system. It is done by the system owner using FIPS 199 and NIST SP 800-60.

Categorization is based on how much negative impact the organization would suffer if the information system lost its confidentiality, integrity or availability. Each of the three is rated low, moderate or high, and the overall category is the highest of the three.


risk management framework – Step 2. Select

With FIPS 200 and NIST SP 800-53, the organization responsible for the system's security selects the security controls required to limit the risk to the organization. The selection of the controls is based on the categorization of the system (the baseline grows with the impact level) and is then tailored to the system. A system security plan (SSP) is created as the guide to what will be installed and/or configured on the system.

risk management framework – Step 3. Implement

Using the System Security Plan, the organization responsible for the categorized system can begin risk management framework step 3. This step is implementation: installation and configuration of security patches, hotfixes, hardening settings and security devices where necessary. Guidance for the actual implementation has to come from technical manuals (such as the DISA STIGs), system administrators, system engineers and others technically competent enough to do the work.

risk management framework – Step 4. Assess

The organization has to make sure that the security controls are implemented properly. This is done in risk management framework step 4, assess. NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, is used to determine which controls have been fully implemented to limit the risks to the organization. The output is the security assessment report, and every control found not fully implemented becomes an entry in the plan of action and milestones (POA&M).

risk management framework – Step 5. Authorize

Even after implementation and assessment of the security controls that limit the overall risk to the organization, there is some remaining (residual) risk. The organization must have someone with enough authority over the system to accept the residual risk. This person is known as the Authorizing Official (AO).

In risk management framework step 5, the Authorizing Official makes a formal, written acceptance of the risk. The AO decides whether or not to accept the risk based on the authorization package. The authorization package consists of the system security plan, the plan of action and milestones (POA&M), the security/risk assessment report and any other supporting documents.

risk management framework – Step 6. Continuous Monitoring

After the organization accepts the risk, it must run a program that monitors ongoing changes to the system's security posture. It takes a proactive approach to watching for advanced persistent threats, configuration changes and new vulnerabilities. Risk management framework step 6 handles all of this.

DIARMF – Continuous Monitoring

What is DIARMF continuous monitoring?

Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. It is described in NIST SP 800-137. Continuous monitoring is the last, and very important, ongoing sixth step in the DIARMF security life cycle.

The DoD's current method of continuous monitoring (2014) is the Continuous Monitoring and Risk Scoring (CMRS) system. It is a web-based, visual way of watching DoD enterprise security controls that cover software inventory, antivirus configuration, Security Technical Implementation Guide (STIG) compliance, and IAVM vulnerability and patch compliance. CMRS displays risk dashboards built from data published by HBSS and ACAS (more info at DISA).

HBSS (Host Based Security System) is a DoD-implemented suite of applications:

  • (McAfee) ePolicy Orchestrator (ePO) – version 4.5.6, but 4.6.6 is preferred
  • Asset Configuration Compliance Module (ACCM) – version 2 (a newer release is preferred)
  • McAfee Data Loss Prevention / Device Control Module (DCM) – version 9.1, but 9.2 Patch 1 is preferred
  • McAfee Host Intrusion Prevention System (HIPS) – version 7.x, but 8.0 Patch 2 is preferred
  • McAfee Management Agent (MA) – version 4.5, but 4.6 is preferred
  • McAfee Policy Auditor Agent (PA) – version 5.3, but 6.0.1 is preferred
  • Antivirus (AV) – McAfee VirusScan Enterprise, or Symantec (Symantec Endpoint Protection 12, Symantec Antivirus 10.1/10.2, Norton Antivirus)
  • Operational Attribute Module (OAM) – version 2.0.1 (a newer release is preferred)
  • Asset Publishing Service (APS) – version 2.0.1, but 2.0.3 is preferred – configured to publish to CMRS

ACAS (Assured Compliance Assessment Solution) is not part of HBSS; it is the DoD's enterprise vulnerability scanner, built on Tenable Nessus, and its scan results are the second feed into CMRS.

These systems are implemented in accordance with United States Strategic Command (USSTRATCOM) Communications Tasking Orders (CTO) 05-19 and 07-12 (Deployment of Host Based Security System (HBSS)). The products and tools needed for continuous monitoring change constantly, but what matters is the concept. Within a month of publishing this, the products listed will be different and new CTOs will be released, but the need for continuous monitoring will remain. KNOW the CONCEPT.

If you know DIACAP, this step is similar to Phase 5, Maintain Authorization to Operate, except there is a huge focus on automation in real time. Automation is done with tools like security information and event management systems (SIEM) and security dashboards.

If the other steps of DIARMF are planning, building and checking the engine, then continuous monitoring is keeping it running. Continuous monitoring is part of the day-to-day tasks of security professionals.

Continuous monitoring has everything to do with the visibility of your network:

Configuration Management – track and manage changes with a configuration management process and an asset inventory. The organization monitors the security baseline by managing its inventory and allowing only approved changes to the network; anything that differs from the approved baseline is either an unauthorized change or a gap in the inventory, and both are findings.

Vulnerability monitoring – awareness of vulnerabilities in the inventoried software, and response through a patch management program.

Network monitoring – incident handling and response for advanced persistent threats, and active research of ongoing threats.
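The configuration-management and vulnerability-monitoring items above come down to two mechanical checks that every host agent or scanner performs: compare what is actually on the host against the approved baseline, and compare installed versions against a vulnerability feed. The Python below is an added example written for this page, not code from CMRS, HBSS or ACAS. The approved baseline, the host's current files and software list, and the vulnerability feed (including the IAVM-EXAMPLE advisory id) are all constructed for illustration.

```python
"""Baseline drift and vulnerable-version checks over a constructed host inventory.
This is what the configuration-management and vulnerability-monitoring parts of
continuous monitoring reduce to once the dashboards are stripped away."""
import hashlib
import re


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# --- Constructed data: none of this comes from a real system or feed -----------
# Approved baseline, i.e. what the configuration control board signed off on.
APPROVED_FILES = {
    "/etc/ssh/sshd_config": sha256_hex(b"Protocol 2\nPermitRootLogin no\n"),
    "/etc/sudoers": sha256_hex(b"root ALL=(ALL) ALL\n"),
}
APPROVED_SOFTWARE = {"openssh": "6.6p1", "bash": "4.3", "openssl": "1.0.1h"}

# What an agent reports from the host right now.
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"Protocol 2\nPermitRootLogin yes\n",  # changed without approval
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/etc/cron.d/updater": b"* * * * * root /tmp/.u\n",           # not in the baseline at all
}
CURRENT_SOFTWARE = {"openssh": "6.6p1", "bash": "4.3", "openssl": "1.0.1g", "nc": "1.10"}

# Vulnerability feed: package -> (first fixed version, advisory id).
# The advisory id is a placeholder, not a real IAVM or CVE identifier.
VULN_FEED = {"openssl": ("1.0.1h", "IAVM-EXAMPLE-0001")}


def version_key(version):
    """Split '1.0.1g' into a tuple so versions compare numerically, not as
    strings (otherwise '10' would sort before '9')."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    # Tag numbers with 0 and letters with 1 so mixed tuples never raise TypeError.
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def file_drift(approved, current):
    """Compare current file contents against the approved hashes."""
    current_hashes = {path: sha256_hex(data) for path, data in current.items()}
    return {
        "modified": sorted(p for p in approved
                           if p in current_hashes and current_hashes[p] != approved[p]),
        "added": sorted(p for p in current_hashes if p not in approved),
        "removed": sorted(p for p in approved if p not in current_hashes),
    }


def software_drift(approved, current):
    """Packages installed, removed or re-versioned outside the approved baseline."""
    return {
        "added": sorted(n for n in current if n not in approved),
        "removed": sorted(n for n in approved if n not in current),
        "changed": sorted((n, approved[n], current[n]) for n in approved
                          if n in current and current[n] != approved[n]),
    }


def vulnerable_packages(installed, feed):
    """Installed packages whose version is below the first fixed version."""
    hits = []
    for name, (fixed, advisory) in feed.items():
        if name in installed and version_key(installed[name]) < version_key(fixed):
            hits.append((name, installed[name], fixed, advisory))
    return sorted(hits)


if __name__ == "__main__":
    print("file drift:", file_drift(APPROVED_FILES, CURRENT_FILES))
    print("software drift:", software_drift(APPROVED_SOFTWARE, CURRENT_SOFTWARE))
    print("vulnerable:", vulnerable_packages(CURRENT_SOFTWARE, VULN_FEED))
```

In a deployment this runs per host on a schedule, and the three result sets are what get published to the dashboard. Every "added" or "modified" entry that cannot be matched to an approved change request is a configuration finding; every "vulnerable" entry is a patch-compliance finding with a due date from the advisory. Note that the software check depends on the inventory being complete, which is why the inventory itself is the first thing to monitor.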

Key Component of DIARMF Continuous Monitoring

Security Content Automation Protocol (SCAP)

According to the Fiscal Year 2012 Report to Congress on the Implementation of the Federal Information Security Management Act of 2002 (March 2013), “A key component to this work is the NIST Security Content Automation Protocol (SCAP) and related programs, which are developed through close collaboration between government and industry partners”.

SCAP is a common set of specifications that vulnerability management, scanning and patching tools use to exchange vulnerability and technical-control information with each other quickly and without manual translation. SCAP 1.2 bundles a checklist language (XCCDF), a machine-checkable test language (OVAL) and the shared naming and scoring schemes for platforms, configuration items, vulnerabilities and severity (CPE, CCE, CVE and CVSS), so a STIG written as an XCCDF benchmark can be evaluated by any SCAP-validated scanner and the results compared across tools. This protocol is used internationally, federally and commercially.
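What SCAP-formatted output actually looks like, and how a dashboard turns it into a score, is easier to see on a concrete file. The Python below is an added example for this page, not code from NIST, CMRS or any scanner: it parses a constructed XCCDF 1.2 TestResult (the rule ids, target and results are made up for illustration) and applies a flat version of the XCCDF default scoring model together with the STIG CAT I/II/III severity mapping.

```python
"""Read an XCCDF 1.2 TestResult, the result format SCAP scanners emit, and turn
it into the numbers a continuous-monitoring dashboard would show."""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Constructed sample: six rule-results shaped like real scanner output, but not
# taken from any real scan or benchmark.
SAMPLE_RESULT = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_example_testresult_host1" start-time="2014-06-17T08:00:00">
  <target>host1.example.test</target>
  <rule-result idref="xccdf_example_rule_sshd_permitrootlogin" severity="high" weight="10">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_password_minlen" severity="medium" weight="5">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_login_banner" severity="low" weight="5">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_telnet_removed" severity="high" weight="10">
    <result>fixed</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_ipv6_disabled" severity="medium" weight="5">
    <result>notapplicable</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_audit_rules" severity="high" weight="10">
    <result>notchecked</result>
  </rule-result>
</TestResult>"""

# Results that count toward the score in the XCCDF default scoring model;
# notapplicable, notchecked, notselected and informational are excluded.
SCORED = {"pass", "fail", "error", "unknown", "fixed"}
PASSING = {"pass", "fixed"}
# STIG convention: high / medium / low severity = CAT I / II / III.
CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}


def parse_rule_results(xml_text):
    """Return one dict per rule-result: idref, severity, weight, result."""
    root = ET.fromstring(xml_text)
    rules = []
    for rr in root.findall("x:rule-result", NS):
        result_el = rr.find("x:result", NS)
        text = result_el.text.strip() if result_el is not None and result_el.text else "unknown"
        rules.append({
            "idref": rr.get("idref"),
            "severity": rr.get("severity", "unknown"),
            "weight": float(rr.get("weight", "1.0")),  # XCCDF default weight is 1.0
            "result": text,
        })
    return rules


def default_score(rules):
    """Weighted percentage of scored rules that pass. Flat version of the XCCDF
    default model (group nesting is ignored). Returns 0.0 if nothing was scored."""
    scored = [r for r in rules if r["result"] in SCORED]
    total = sum(r["weight"] for r in scored)
    if total == 0:
        return 0.0
    passed = sum(r["weight"] for r in scored if r["result"] in PASSING)
    return 100.0 * passed / total


def findings_by_category(rules):
    """Count open findings (result fail or error) per STIG category."""
    counts = Counter()
    for r in rules:
        if r["result"] in {"fail", "error"}:
            counts[CAT.get(r["severity"], "uncategorized")] += 1
    return counts


def unverified_rules(rules):
    """Rules the scanner never actually evaluated. A dashboard shows these as
    'no finding' unless they are reported separately."""
    return [r["idref"] for r in rules if r["result"] in {"notchecked", "unknown"}]


if __name__ == "__main__":
    rules = parse_rule_results(SAMPLE_RESULT)
    print(f"score: {default_score(rules):.1f}")
    print("open findings:", dict(findings_by_category(rules)))
    print("not evaluated:", unverified_rules(rules))
```

Two details matter on a real scan. Rules with result notapplicable or notchecked are excluded from the score, so a benchmark where most rules were never evaluated can still score well; always report the unchecked list next to the score. And the XCCDF default model scores nested Groups recursively, so to reproduce a scanner's reported score exactly the Benchmark's group tree has to be walked rather than the flat rule list used here.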

Continuous Monitoring as a Service (CMaaS)

The Department of Homeland Security is coordinating a continuous monitoring service for civilian agencies. Its Continuous Diagnostics and Mitigation (CDM) program provides continuous monitoring sensors, diagnosis, mitigation tools, and Continuous Monitoring as a Service (CMaaS).

With dashboards and automated reports, the data is visualized in near real time to allow information security professionals to respond quickly to the highest-priority incidents.

Continuous Monitoring Products

Federal law encourages the use of tools like security information and event managers (SIEM) that bring all the security information into one place: a security dashboard with graphs and visual imagery that makes it possible to detect patterns across large amounts of data in real time. See the new FISMA and NIST SP 800-137 for more information.

Tools like SIEMs, IPSs, IDSs and APT detection systems are what the industry uses. DoD units create partnerships with security companies like HP, McAfee, Symantec, Tenable, Rapid7 (Metasploit), Mandiant and others to create continuous monitoring solutions for their organizations.

HP Enterprise Security Products

HP Enterprise Security addresses the following categories when looking at continuous monitoring:

  • Manage Assets
  • Manage Accounts
  • Manage Events
  • Security Lifecycle Management

The HP products covering these items include, but are not limited to:

  • ArcSight Enterprise Security Manager
  • ArcSight Logger
  • HP TippingPoint

McAfee has a suite of products to address continuous monitoring:

  • McAfee Vulnerability Manager
  • McAfee Enterprise Security Manager
  • McAfee Enterprise Log Manager
  • McAfee Global Threat Intelligence
  • McAfee ePO

Symantec products in this space include:

  • Symantec Control Compliance Suite
  • Virtualization Security Manager

Continuous monitoring controls

Realistically, all implemented and assessed controls matter to continuous monitoring, since it is the process of actively checking all security controls. But some security control families are notable when it comes to continuous monitoring implementation. These include “Security Assessment and Authorization” (CA), “Configuration Management” (CM), “Risk Assessment” (RA) and “Incident Response” (IR).

CA-7 specifically mentions continuous monitoring:


Control: The organization establishes a continuous monitoring strategy and implements a continuous monitoring program that includes:

a. A configuration management process for the information system and its constituent components;

b. A determination of the security impact of changes to the information system and environment of operation;

An organization-wide approach to continuous monitoring of information and information system security supports risk-related decision making at the organization level (Tier 1), the mission/business processes level (Tier 2), and the information systems level (Tier 3).

Why is DIARMF Information Security Continuous Monitoring (ISCM) important?

For federal systems, continuous monitoring is not just important, it is the law. Every DIARMF system must have continuous monitoring.

Continuous monitoring is part of federal law, and it is one of the three top-priority areas identified for improvement within federal cybersecurity (Trusted Internet Connections, Continuous Monitoring and HSPD-12).

But what is continuous monitoring good for from a purely security perspective?

ISCM means having enhanced monitoring capabilities that give information owners near real-time security awareness. That means they know the status of ongoing system changes, they know many of the system's vulnerabilities, and they know the status of the security controls that have been implemented.

DIARMF looks at risk management from the perspective of the entire organization: Tier 1 (the organization, i.e. upper management), Tier 2 (mission and business processes, i.e. administration) and Tier 3 (information systems, where the automation lives).

Tier 1, Upper management – endorses and/or delegates the creation of policies and strategies that mandate continuous monitoring from the top down. Upper management should be involved in decisions regarding major configuration management review boards and high-level/high-risk security incidents.

Tier 2, Administration – works on the mission and business processes of continuous monitoring. Administrators do correlation, analysis and reporting.

Tier 3, Automation – information systems collect and consolidate the data feeds needed for incident handling, correlation and analysis.

DIARMF – Re-Authorizations & Updates to documentation

Over the course of configuration changes, security upgrades of operating systems and detection of security incidents, it is necessary to keep the authorization current (ongoing authorization).

Continuous monitoring done correctly and actively will discover new threats, new weaknesses and changes to the system infrastructure, because these things constantly change and so the security posture changes with them. Adjusting the system may require re-authorization.

Updates to Data & Documentation

With or without re-authorization, the changes to the system detected by continuous monitoring require an update to the system's security control documentation, vulnerability documentation and risk documentation. This means the System Security Plan, together with the Risk Assessment Report, Security Assessment Report and POA&M, should be updated to match the system as it now is.