DIARMF Process


DIACAP vs DoD RMF for IT vs NIST RMF


There are differences between the old DIACAP (being phased out), DoD RMF for IT and the NIST RMF. What is “DIACAP”? It stands for Department of Defense Information Assurance Certification & Accreditation Process, and it is defined in the 2007 edition of DoDI 8510.01 together with the DoD 8500-series documents. The process was designed to make sure that DoD information systems had a defined set of IA controls implemented, validated and formally accredited before they were allowed to operate.

With information technology evolving constantly, this process has had to change to keep up. DIACAP is being replaced with the DoD Risk Management Framework for Information Technology (DoD RMF for IT). The new process has more granularity, is more detailed, assesses more frequently and covers many new technologies that DIACAP did not address. DoD RMF for IT is fundamentally based on NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems.


risk assessment methods


Risk assessment methods are covered in NIST SP 800-30, Risk Management Guide for Information Technology Systems, and NIST SP 800-115, Technical Guide to Information Security Testing and Assessment.

NIST SP 800-30 gives a high-level framework for risk assessment, laid out in its Risk Assessment Methodology flowchart: system characterization, threat identification, vulnerability identification, control analysis, likelihood determination, impact analysis, risk determination, control recommendations and results documentation.

More details on each step of the flowchart follow throughout this site. Risk assessment is an important aspect of risk management as a whole, so it comes up over and over.

NIST SP 800-115, Technical Guide to Information Security Testing and Assessment, describes the tasks for assessing security controls, so it is an important part of risk assessment. You have to know the characteristics of the system (step one of the NIST SP 800-30 method, system characterization) before you can do information security testing and assessment.

Information security testing in 800-115 uses three types of assessment methods to analyze the effectiveness of security controls (Step 4 of the risk assessment flowchart, control analysis) and to identify vulnerabilities (Step 3, vulnerability identification):

testing, examination, and interviewing

Testing = process of exercising one or more assessment objects under specific conditions to compare actual and expected behaviors.

Examination = process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence.

Interviewing = the process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or identify the location of evidence.

–NIST SP 800-115


risk management framework steps


The risk management framework steps are detailed in NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems.

The DoD has recently adopted the Risk Management Framework steps (referred to on this site as the DIARMF process). There are six steps: Categorize, Select, Implement, Assess, Authorize and Monitor (continuous monitoring).


risk management framework – Step 1. Categorize

The first risk management framework step is categorization. This step rates the importance of the information system, and it is done by the system owner using FIPS 199 and NIST SP 800-60.

Categorization is based on how much negative impact the organization would suffer if the information system lost its confidentiality, integrity or availability.


risk management framework – Step 2. Select

Using FIPS 200 and NIST SP 800-53, the organization responsible for the system's security selects the security controls required to limit the risk to the organization. The selection of controls is based on the categorization of the system. A System Security Plan is written as a guide to what will be installed and/or configured on the system.

More on DIARMF – Select

risk management framework – Step 3. Implement

Using the System Security Plan, the organization responsible for the categorized system can begin risk management framework step 3, implementation: the installation and configuration of security patches, hotfixes and security devices where necessary. Guidance for the actual implementation has to come from technical manuals, system administrators, system engineers and others technically competent to do the work.

More on DIARMF – Implement

risk management framework – Step 4. Assess

The organization has to make sure that the security controls are implemented properly. This is done in risk management step 4, assess. NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, is used to determine which controls have been fully implemented and are operating as intended to limit the risks to the organization.

More on DIARMF – Assess

risk management framework – Step 5. Authorize

Even after implementation and assessment of the security controls that limit the overall risk to the organization, some risk remains (residual risk). The organization must have someone with enough authority over the system to accept the residual risk. This person is known as the Authorizing Official.

In risk management framework step 5, the Authorizing Official (AO) makes a formal, written acceptance of the risk. The AO decides whether or not to accept the risk based on the authorization package, which consists of the System Security Plan, the Plan of Action and Milestones (POA&M), the security/risk assessment report and any other supporting documents.


More on DIARMF – Authorization

risk management framework – Step 6. Continuous Monitoring

After the organization accepts the risk, it must run a program that monitors ongoing changes to the system's security posture, taking a proactive approach to watching for advanced persistent threats, configuration changes and new vulnerabilities. Risk management framework step 6 handles all of this.

More on DIARMF – Continuous Monitoring


DIARMF Process


Defense Information Assurance Risk Management Framework (DIARMF Process)

DoDI 8510.01, Defense Information Assurance Risk Management Framework

Risk = ((Vulnerability * Threat) / Countermeasure) * Asset Value at Risk

IT Risk

Risk is the likelihood that a threat will exploit a weakness (vulnerability) of an asset, weighed against the harm that would result. The U.S. Department of Defense has moved to a more quantitative approach to analyzing and managing the risk to its resources, and has chosen risk management as the way to manage Information Assurance (information security). It is adopting the process developed by the National Institute of Standards and Technology (NIST) in NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems. The NIST Risk Management Framework was developed by the Joint Task Force Transformation Initiative Working Group, which consists of NIST itself, the DoD, the Office of the Director of National Intelligence and the Committee on National Security Systems.

Figure: InfoSec Institute diagram mapping the DIACAP activities to the DIARMF steps.

DoDI 8510.01, Defense Information Assurance Risk Management Framework, is a revamped DIACAP that is essentially NIST SP 800-37 plus the CNSS approach to information system categorization (CNSSI 1253). Documentation-wise, the DoD is pushing to have the process completed in the Enterprise Mission Assurance Support Service (eMASS), the DoD's recommended tool for information system Certification and Accreditation (C&A). In a perfect world, a DoD organization will be able to access eMASS easily and complete the DIARMF Process without problems. Regardless of the specific tools or products recommended, you should understand how to minimize risk to your assets using DIARMF; the tools and products then become interchangeable and superficial. Products and tools change and evolve daily, but the relationship in the equation above is here to stay: risk rises with the threat, the vulnerability and the value of the asset, and falls as countermeasures are applied.

Figure: the DIARMF process, 6 steps.

Like the NIST Risk Management Framework, the DIARMF Process consists of six steps:

DIARMF Process – Step 1. Categorize

The security categorization of your system determines the level of work that follows; it is like a domino effect. Essentially, you want to figure out how important your system is and what the impact would be if its data were stolen, its information manipulated or the system became unavailable. What is the impact to your organization, to the nation and/or to the end user?

Figure: the DIARMF categorization domino effect.

What you will learn:

  • Introduction to Categorization
  • What is FIPS 199 & NIST SP 800-60?

The first step is to categorize the information system and its information. How important are the system and its data? What kinds of protection do they need? How much confidentiality, integrity and availability do they need? The importance of the resource determines its level of protection.

Federal Information Processing Standard (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems, defines the categories of federal information and information systems. NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, then lets you arrive at a more in-depth categorization of the system and its information.

DIARMF Process – FIPS 199 & NIST 800-60

Essentially, FIPS 199 lets you be granular and specific about your system's security categorization: each of the three security objectives gets its own impact value. If, for example, you have a system that needs HIGH confidentiality but only LOW availability, such as a classified intranet web server, the Risk Management Framework lets you record the security categorization accordingly:

Classified Intranet Web Server

SC classified intranet web server = {(confidentiality, HIGH), (integrity, LOW), (availability, LOW)}

SC = security category; each impact value is LOW, MODERATE or HIGH. (NOT APPLICABLE is allowed only for the confidentiality of an individual information type, never for a system, and a classified system is a national security system, so in practice it is categorized under CNSSI 1253, which uses the same three-objective notation.)
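The categorization of a whole system follows from the information types on it by the FIPS 199 high-water mark rule (the "water mark" referred to below): for each objective the system takes the highest impact value found among its information types, never lower than LOW, and the overall impact level that selects the 800-53 baseline is the highest of the three. The following is an added example written for this page, not code from the original post or from NIST. The information types and their impact values are constructed to sit on the classified intranet web server above; notice how one type with HIGH integrity (the audit logs) pulls the whole system to HIGH integrity even though the page's own example showed LOW.

```python
"""FIPS 199 security categorization with the high-water mark rule.

Added example, not from the original page. The information types and
impact values below are constructed for a classified intranet web server;
the aggregation rules are those of FIPS 199 Section 3 and the overall
impact level rule of FIPS 200.
"""
import re

# Ordered so that a larger index means a higher potential impact.
IMPACT_ORDER = ["NOT APPLICABLE", "LOW", "MODERATE", "HIGH"]
OBJECTIVES = ("confidentiality", "integrity", "availability")

SC_PAIR = re.compile(
    r"\(\s*(confidentiality|integrity|availability)\s*,\s*([A-Za-z/ ]+?)\s*\)",
    re.IGNORECASE,
)


def parse_sc(text):
    """Parse FIPS 199 notation, e.g.
    'SC public notices = {(confidentiality, N/A), (integrity, MODERATE), (availability, LOW)}',
    into {objective: impact}, rejecting anything FIPS 199 does not allow."""
    sc = {}
    for objective, impact in SC_PAIR.findall(text):
        impact = impact.strip().upper()
        if impact == "N/A":
            impact = "NOT APPLICABLE"
        if impact not in IMPACT_ORDER:
            raise ValueError(f"unknown impact value {impact!r}")
        sc[objective.lower()] = impact
    missing = set(OBJECTIVES) - set(sc)
    if missing:
        raise ValueError(f"security category is missing {sorted(missing)}")
    # FIPS 199: NOT APPLICABLE is permitted only for the confidentiality of an information type.
    for objective in ("integrity", "availability"):
        if sc[objective] == "NOT APPLICABLE":
            raise ValueError(f"{objective} may not be NOT APPLICABLE")
    return sc


def high_water_mark(values):
    return max(values, key=IMPACT_ORDER.index)


def categorize_system(information_types):
    """System SC = per-objective high-water mark over every information type
    on the system, floored at LOW because a system (unlike an information
    type) can never have NOT APPLICABLE for any objective."""
    system_sc = {}
    for objective in OBJECTIVES:
        mark = high_water_mark(sc[objective] for sc in information_types)
        if IMPACT_ORDER.index(mark) < IMPACT_ORDER.index("LOW"):
            mark = "LOW"
        system_sc[objective] = mark
    return system_sc


def overall_impact_level(system_sc):
    """FIPS 200: the system's impact level, which selects the 800-53 baseline,
    is the highest impact value among the three objectives."""
    return high_water_mark(system_sc.values())


def format_sc(name, sc):
    pairs = ", ".join(f"({o}, {sc[o]})" for o in OBJECTIVES)
    return f"SC {name} = {{{pairs}}}"


# Constructed information types resident on the classified intranet web server.
SAMPLE_TYPES = [
    "SC classified reports = {(confidentiality, HIGH), (integrity, LOW), (availability, LOW)}",
    "SC public notices = {(confidentiality, N/A), (integrity, MODERATE), (availability, LOW)}",
    "SC server audit logs = {(confidentiality, LOW), (integrity, HIGH), (availability, LOW)}",
]


def categorize_sample():
    system_sc = categorize_system([parse_sc(t) for t in SAMPLE_TYPES])
    return system_sc, overall_impact_level(system_sc)


if __name__ == "__main__":
    for t in SAMPLE_TYPES:
        print(t)
    sc, level = categorize_sample()
    print(format_sc("classified intranet web server", sc))
    print("overall impact level (drives the 800-53 baseline):", level)
```

Running it yields SC = {(confidentiality, HIGH), (integrity, HIGH), (availability, LOW)} with an overall impact level of HIGH. The practical lesson is the one the domino-effect figure makes: adding a single information type to a system can raise its category and therefore the whole control baseline, which is why the inventory of information types in Step 1 deserves as much care as the impact values themselves.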

NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, was created to help US federal agencies categorize information and information systems. It consists of two volumes: Volume I describes the process of mapping types of information and information systems to security categories, and Volume II contains the appendices, including the catalog of information types with their provisional impact levels, references and a glossary. It is part of the family of essential documents on which DIARMF is based, which 800-60 itself cites as:

  • NIST SP 800-30, Risk Management Guide for Information Technology Systems
  • NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems;
  • NIST Draft SP 800-39, Managing Risk from Information Systems: An Organization Perspective;
  • NIST SP 800-53, Recommended Security Controls for Federal Information Systems;
  • NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems
  • NIST SP 800-59, Guideline for Identifying an Information System as a National Security System

Need to know More about DIARMF Categorization?

  • What is Categorization?
  • Who Categorizes the system?
  • Why does it need to be Categorized?
  • What is a “Water Mark”
  • Learn more in DIARMF Process Categorize

image from: http://blog.eircomforbusiness.com/profile/Andy (andy O’Kelly, eircomforbusiness.com)

DIARMF Process – Step 2. Select

What you will learn:

  • Why you need all stakeholders for Step 2
  • What are FIPS 200 & NIST SP 800-53?

Once you know the security categorization of your system, the next steps is the Select the security controls that will be applied to your system. The security categorization gives you a baseline of security controls that are needed.

Figure: DIARMF Select, balancing security against functionality. Image from blog.eircomforbusiness.com/profile/Andy (Andy O'Kelly, eircomforbusiness.com).

This takes a lot of strategizing among the Information System Security Officer, the system administrators and possibly the system owner. You need in-depth consultation with your technical peers and the system administrators who know what the system can and cannot tolerate. Security controls are necessary, but you don't want to restrict the functionality of the system: if the system does not work, security is irrelevant.

DIARMF – FIPS 200 & NIST SP 800-53

FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, is the bridge between FIPS 199 and the security controls documented in NIST SP 800-53. It sets forth the initial baseline of security controls for your system based on the system's impact level and the seventeen minimum security requirement areas. FIPS 200 is a very short document that explains how the impact level of your system follows from its security categorization (the highest impact value among the three objectives) and how the security controls are then selected. NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations, contains the controls prescribed for each impact level.

After selecting the initial set of baseline security controls from Appendix D of 800-53, the organization initiates the tailoring process to modify the controls and align them more closely with the specific conditions within the organization (i.e., conditions specific to the information system or its environment of operation). The tailoring process includes:

  • applying scoping guidance to the initial baseline security controls to obtain a preliminary set of applicable controls for the tailored baseline;
  • selecting (or specifying) compensating security controls, if needed, to adjust the preliminary set of controls to obtain an equivalent set deemed more feasible to implement; and
  • specifying organization-defined parameters in the security controls via explicit assignment and selection statements to complete the definition of the tailored baseline.

Scoping guidance provides organizations with specific terms and conditions on the applicability and implementation of individual security controls in the security control baselines. Applying it helps ensure that organizations implement only those controls essential to providing the appropriate level of protection for the information system, based on specific mission/business requirements and the particular environment of operation. The better you plan in Step 2, selecting security controls, the more prepared you will be for Step 3, implementation.

DIARMF Process – Step 3. Implement

What you will learn:

  • Overview of Step 3, Implementation
  • Where to go for technical help on implementation

After you have determined the security categorization of the system, selected the security controls and actually planned how you will implement them, the next step is to implement. This is the longest part of the DIARMF process, and the more complex your system is, the more help and time you will need. Implementation may involve installing patches, upgrading operating systems, configuring network devices, turning on and configuring security settings such as audit logging and screen locks, and even installing new systems. You will need someone with technical skills to implement certain security controls. For guidance on specific technical security controls, go to the vendor's documentation, online knowledge bases, technical manuals and, if necessary, the product's own support technicians. Other helpful places are:

  • NSA.gov/ia
  • iase.disa.gov

These are great sites packed with specific information on how to apply DoD-level security: the DISA STIGs at iase.disa.gov and the NSA security configuration guides at nsa.gov/ia. Not all implementation is technical. You may also need to create supporting documents such as the System Security Plan, user agreements and security policies, among many others. NIST SP 800-53 contains not only technical controls but also management and operational (administrative) controls and physical controls.

DIARMF Process – Step 4. Assess

What you will learn:

  • Overview of Step 4, Assess
  • What is NIST SP 800-53A

After implementation of the security controls, you need to make sure they are installed properly. Security assessments are usually done by an outside organization to keep the stakeholders honest. Assessments are done using NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations. This document lists every control of 800-53 together with HOW it should be assessed: the assessment objectives (determination statements), the objects to look at, and the examine, interview and test methods to apply, each ending in a finding of satisfied or other than satisfied.
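As an added example (not from the original page, from NIST or from DISA), here is what the 800-53A/800-115 "examine" method looks like when automated: a constructed sshd_config is the assessment object, each procedure states what a directive must be, and the result is a determination of satisfied or other than satisfied per statement. The control IDs, directives, expected values and the defaults assumed when a directive is absent are this example's assumptions standing in for an organization's tailored baseline, not a published mapping. The commented-out line and the repeated PermitRootLogin show two things an assessor has to know about the object itself: a comment is not a setting, and sshd honours the first value of a repeated keyword.

```python
"""Automated 'examine' assessment in the style of NIST SP 800-53A.

Added example, not from the original page. It examines a constructed
sshd_config (the assessment object) against assessment procedures and
records a determination of 'satisfied' or 'other than satisfied' for
each. The control IDs, directives, expected values and assumed defaults
are illustrative assumptions, not a DISA STIG or a NIST mapping.
"""

# Constructed assessment object. The commented-out PasswordAuthentication
# line is not a setting, so sshd falls back to its default; and the second
# PermitRootLogin line is ignored because sshd keeps the first value.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample, not from a real host)
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
ClientAliveInterval 0
PermitRootLogin no
"""


def equals(expected):
    return f"is '{expected}'", lambda v: v.lower() == expected.lower()


def at_most(limit):
    return f"is at most {limit}", lambda v: v.isdigit() and int(v) <= limit


def in_range(lo, hi):
    return f"is between {lo} and {hi}", lambda v: v.isdigit() and lo <= int(v) <= hi


# (control, directive, check, default used when the directive is absent).
# The defaults are assumed for this sample; confirm them against the deployed
# OpenSSH version before relying on them in a real assessment.
PROCEDURES = [
    ("AC-6",  "PermitRootLogin",        equals("no"),     "yes"),
    ("IA-5",  "PasswordAuthentication", equals("no"),     "yes"),
    ("IA-5",  "PubkeyAuthentication",   equals("yes"),    "yes"),
    ("AC-7",  "MaxAuthTries",           at_most(3),       "6"),
    ("AC-12", "ClientAliveInterval",    in_range(1, 600), "0"),
]


def parse_sshd_config(text):
    """Return the effective directives. sshd treats lines starting with '#'
    as comments, keywords are case-insensitive, and for a repeated keyword
    the FIRST value wins."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective


def assess(config_text, procedures=PROCEDURES):
    """Apply each procedure and return one finding per determination statement."""
    effective = parse_sshd_config(config_text)
    findings = []
    for control, directive, (description, check), default in procedures:
        present = directive.lower() in effective
        actual = effective[directive.lower()] if present else default
        findings.append({
            "control": control,
            "statement": f"{directive} {description}",
            "actual": actual,
            "present": present,
            "result": "satisfied" if check(actual) else "other than satisfied",
        })
    return findings


def summarize(findings):
    """Counts that go into the Security Assessment Report."""
    other = [f for f in findings if f["result"] != "satisfied"]
    return {"satisfied": len(findings) - len(other), "other_than_satisfied": len(other)}


if __name__ == "__main__":
    results = assess(SAMPLE_SSHD_CONFIG)
    for f in results:
        note = "" if f["present"] else " (directive absent, default assumed)"
        print(f"{f['control']:6} {f['result']:20} {f['statement']} -> actual {f['actual']!r}{note}")
    print(summarize(results))
```

Two of the five statements come back satisfied. The two "other than satisfied" results that matter most are the ones an eyeball review tends to miss: PermitRootLogin is effectively "yes" despite the later "no", and PasswordAuthentication is still enabled because the only line mentioning it is a comment. Findings like these go into the Security Assessment Report and, if not fixed before authorization, into the POA&M.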

DIARMF Process – Step 5. Authorize

What you will learn:

  • Who can authorize the system
  • What goes into the Authorization Package

Step 5 of DIARMF corresponds to DIACAP Activity 3, Make Certification Determination & Accreditation Decision. After each security control has been assessed, the system needs to be authorized. Authorization is a formal acceptance of the remaining risk by someone in charge. The person taking the risk should be an executive-level person who has ownership of the security of the system; this person is known as the Authorizing Official (AO). The authorization decision is based on the data gathered into the Authorization Package, which consists of the System Security Plan, the Security Assessment Report and the Plan of Action and Milestones (POA&M). After reviewing the Authorization Package, the AO issues a formal, written acceptance of the system known as an Authorization to Operate (ATO).

DIARMF Process – Step 6. Continuous Monitoring

What you will learn:

  • Why do you need continuous monitoring
  • What is continuous monitoring

If you are familiar with DIACAP, continuous monitoring is similar to Activity 4, Maintain Authorization to Operate and Conduct Reviews, but with automation in near real time rather than only manual periodic reviews of the system. The system's security posture must be maintained after it has been authorized: there should be no MAJOR security changes and no major additions to the system without approval. Remember that someone is directly responsible for the security of the system.

But systems change all the time. New vulnerabilities are discovered, new threats emerge and inevitably new risks take shape. That is why continuous monitoring is important. Continuous monitoring means having a process in place to accept or reject changes that affect the risk of the system. It also means proactively looking for new vulnerabilities, threats and potential risks. In some cases the system MUST change drastically, which may mean going back to Step 1 or 2 of the DIARMF process to work out how to maintain the system's confidentiality, integrity and/or availability. Likewise, if the system becomes more important and the impact of losing it grows, the security category of the system itself may need to change. Continuous monitoring is in place to adjust to change.

DIARMF focuses more on risk than its predecessor DIACAP, which was a process-driven, qualitative checklist method. In contrast, DIARMF is closer to the international standard ISO/IEC 27001:2005, Information Security Management Systems.
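To make the change-acceptance process above concrete (both here and in the Step 6 summary of the risk management framework steps post earlier on this page), here is an added example that is mine, not the page's, DIACAP's or the DoD's: a hashed baseline of security-relevant files taken at authorization is compared against the current state, and each deviation is either matched to a change the change board approved (recorded as the hash the file should have after the change) or flagged as unapproved for the Authorizing Official. The paths, file contents and approved-change list are constructed; a real monitor would read the files from disk on a schedule and feed the unapproved list into the POA&M.

```python
"""Continuous monitoring of security-relevant configuration.

Added example, not from the original page. A hashed baseline taken at
authorization is compared with the current state, and every deviation is
either matched to an approved change (whose resulting hash was recorded
when the change was approved) or flagged as unapproved for the change
control board and the Authorizing Official. File paths and contents are
constructed; a real monitor would read the files from disk.
"""
import hashlib


def fingerprint(content):
    """SHA-256 of the file content. A content hash rather than mtime/size,
    so an edit that preserves size and touches the timestamp back is still caught."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def snapshot(files):
    """Map each path to the fingerprint of its contents."""
    return {path: fingerprint(content) for path, content in files.items()}


def triage(baseline, current, approved):
    """Classify deviations from the baseline.

    baseline, current: {path: hash}; approved: {path: hash expected after the
    approved change}. Modified or added files whose hash matches an approved
    change are 'approved'; everything else, including removals, is 'unapproved'.
    """
    report = {"approved": [], "unapproved": [], "unchanged": []}
    for path in sorted(baseline.keys() | current.keys()):
        if path not in current:
            report["unapproved"].append((path, "removed"))
            continue
        if path in baseline and baseline[path] == current[path]:
            report["unchanged"].append((path, "unchanged"))
            continue
        kind = "added" if path not in baseline else "modified"
        bucket = "approved" if approved.get(path) == current[path] else "unapproved"
        report[bucket].append((path, kind))
    return report


def accept_approved(baseline, current, report):
    """Roll approved changes into a new baseline so they stop being reported.
    Unapproved deviations deliberately stay out until approved or reverted."""
    new_baseline = dict(baseline)
    for path, _ in report["approved"]:
        new_baseline[path] = current[path]
    return new_baseline


# Constructed state of the system when the ATO was granted.
AUTHORIZED_FILES = {
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": "root ALL=(ALL) ALL\n%wheel ALL=(ALL) ALL\n",
    "/etc/audit/rules.d/audit.rules": "-w /etc/passwd -p wa -k identity\n",
}
# Constructed state observed by the monitor later on.
OBSERVED_FILES = {
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\nMaxAuthTries 3\n",
    "/etc/sudoers": "root ALL=(ALL) ALL\n%wheel ALL=(ALL) NOPASSWD: ALL\n",
    "/etc/cron.d/backup": "0 2 * * * root /opt/backup.sh\n",
}
# The change board approved adding MaxAuthTries to sshd_config and recorded the
# resulting hash; nothing else was approved.
APPROVED_CHANGES = {
    "/etc/ssh/sshd_config": fingerprint(
        "PermitRootLogin no\nPasswordAuthentication no\nMaxAuthTries 3\n"
    ),
}


def monitor_sample():
    baseline = snapshot(AUTHORIZED_FILES)
    current = snapshot(OBSERVED_FILES)
    report = triage(baseline, current, APPROVED_CHANGES)
    return report, accept_approved(baseline, current, report)


if __name__ == "__main__":
    report, new_baseline = monitor_sample()
    for bucket in ("approved", "unapproved"):
        for path, kind in report[bucket]:
            print(f"{bucket:10} {kind:9} {path}")
```

On the constructed input the sshd_config edit is recognised as approved, while the sudoers change (passwordless sudo for wheel), the new cron job and the disappearance of the audit rules are all reported as unapproved. The design choice worth noting is that approval is tied to the exact resulting hash, not to the path: a ticket that approves "harden sshd_config" does not silently cover a later, different edit to the same file, and a removal is never approvable after the fact.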
