
Learn Government Risk Management

Unlike some other parts of IT, risk management has a relatively shallow learning curve, so it is a good fit if you love IT but have little technical background. It also pays very well.

RMF for DoD IT, sometimes informally called DIARMF, is the successor to DIACAP. It is derived from NIST SP 800-37 (the Risk Management Framework) combined with CNSS guidance (CNSSI 1253 for categorization and control selection). With it the Department of Defense is trying to move away from the pure paperwork exercise that Certification and Accreditation (C&A) had become.

At its core, RMF is focused on risk management:

Risk = Threat * Vulnerability * Asset

The Risk Management Framework for DoD IT is a six-step process: Categorize, Select, Implement, Assess, Authorize, and Monitor.


DIARMF - Step 1. Categorize

During categorization you determine how important your system is. You must know what the impact would be if the system were destroyed, or if its information were disclosed, corrupted, lost or otherwise unavailable, and what that impact means for the business unit or mission the system supports.

DIARMF FIPS 199 & NIST 800-60

FIPS 199 is a short standard that defines how a security category is expressed. For an information type it looks like this:

SC information type = {(confidentiality, HIGH), (integrity, LOW), (availability, LOW)}

SC stands for security category. Each of the three security objectives (confidentiality, integrity, availability) is assigned a potential impact of LOW, MODERATE or HIGH. FIPS 199 allows a value of "not applicable" (NA) only for the confidentiality of an information type (for example, public information), never for an information system. When a system processes several information types, the system's impact for each objective is the highest value ("high water mark") across those types, and the overall system category is the highest of the three objectives.

NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, provides the catalog of information types and their provisional impact levels that you start from.
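The following is an added example, not code from the original page or from any NIST or DoD publication. It implements the FIPS 199 rules described above in Python: each information type carries a per-objective impact, the system's per-objective impact is the high water mark across its information types, NA is accepted only for the confidentiality of an information type and is floored to LOW at the system level, and the overall category is the highest of the three objectives. The information types, their names and their impact values are constructed for illustration; in practice they would be taken from NIST SP 800-60 Vol. II and adjusted by the system owner.

```python
# Added example (not from the original page): FIPS 199 security categorization
# of an information system from the information types it processes.
# The per-objective impact of the system is the "high water mark" of the
# impact levels of its information types; the overall level is the highest
# of the three objectives. Information types and levels below are constructed.

from dataclasses import dataclass

# FIPS 199 impact values. NA ("not applicable") is permitted only for the
# confidentiality of an information type (e.g. public information), never for
# an information system, whose minimum per-objective impact is LOW.
LEVELS = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
NAMES = {v: k for k, v in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact per security objective.

    In practice these come from NIST SP 800-60 Vol. II and are adjusted by
    the system owner; the values used in SAMPLE_TYPES are made up."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def level(self, objective: str) -> str:
        return getattr(self, objective)

    def sc(self) -> str:
        """Render in FIPS 199 notation: SC type = {(c, L), (i, L), (a, L)}."""
        return "SC %s = {%s}" % (self.name, ", ".join(
            "(%s, %s)" % (obj, self.level(obj)) for obj in OBJECTIVES))


def validate(info_type: InfoType) -> list:
    """Return a list of FIPS 199 rule violations (empty if the type is valid)."""
    problems = []
    for obj in OBJECTIVES:
        level = info_type.level(obj)
        if level not in LEVELS:
            problems.append("%s: unknown impact level %r" % (obj, level))
        elif level == "NA" and obj != "confidentiality":
            problems.append("%s: NA is only allowed for confidentiality" % obj)
    return problems


def categorize_system(info_types) -> tuple:
    """High-water-mark categorization of a system from its information types.

    Returns ({objective: level}, overall_level). Raises ValueError if any
    information type violates the FIPS 199 rules checked by validate()."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    for t in info_types:
        problems = validate(t)
        if problems:
            raise ValueError("%s: %s" % (t.name, "; ".join(problems)))

    system = {}
    for obj in OBJECTIVES:
        high = max(LEVELS[t.level(obj)] for t in info_types)
        # System-level floor: NA does not carry over to the system; FIPS 199
        # requires at least LOW for every objective of an information system.
        system[obj] = NAMES[max(high, LEVELS["LOW"])]
    # The overall category (used to pick the FIPS 200 / SP 800-53 baseline)
    # is the highest impact among the three objectives.
    overall = NAMES[max(LEVELS[v] for v in system.values())]
    return system, overall


def system_sc(name: str, info_types) -> str:
    """FIPS 199 notation for the whole system."""
    per_obj, _ = categorize_system(info_types)
    return "SC %s = {%s}" % (name, ", ".join(
        "(%s, %s)" % (obj, per_obj[obj]) for obj in OBJECTIVES))


# Constructed sample: three information types processed by one system.
SAMPLE_TYPES = [
    InfoType("public_web_content", "NA", "LOW", "LOW"),
    InfoType("personnel_records", "MODERATE", "MODERATE", "LOW"),
    InfoType("mission_plans", "HIGH", "LOW", "LOW"),   # the page's example values
]

if __name__ == "__main__":
    for t in SAMPLE_TYPES:
        print(t.sc())
    print(system_sc("example_system", SAMPLE_TYPES))
    # -> SC example_system = {(confidentiality, HIGH), (integrity, MODERATE), (availability, LOW)}
```

Note that the single HIGH confidentiality rating of one information type drives the whole system to an overall HIGH category, even though its integrity and availability are only MODERATE and LOW. That is exactly why the Categorize step deserves care: over-rating one information type pulls in the HIGH baseline for the Select step and the cost that comes with it.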

DIARMF - Step 2. Select

The "Select" step is choosing the security controls appropriate for the system you have just categorized: the categorization determines which baseline of controls applies. The Information System Security Officer, working with the system owner and others, decides which set of security controls ought to be implemented, tailoring the baseline to the system.

Documents that help in the "Select" step are FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, and NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. FIPS 200 sets the minimum security requirements for each impact level, and NIST SP 800-53 provides the LOW, MODERATE and HIGH control baselines that correspond to the level your system was categorized at.

DIARMF - Step 3. Implement

After you have selected the security controls you have to implement them. This is by far the hardest part of the process, because some security controls can break functionality and have to be dialed back, compensated for with another control, or eliminated entirely (with the residual risk documented).

Implementation is a mixture of patches and hotfixes, configuring network devices, turning on security features such as authentication, and in some cases installing another system or using different software.

This step requires someone with real technical ability. System hardening can be counterintuitive, and it is damaging if done improperly.

DIARMF - Step 4. Assess

Assessment is essential after the security controls have been implemented, not just to find out whether they were actually implemented but to gain assurance that they were implemented correctly and are producing the intended result. Implementation is difficult and critical enough that it takes a separate step to check it.

Assessing security controls is detailed in NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations.

DIARMF - Step 5. Authorize

Once the security controls are implemented and assessed, someone has to formally accept the remaining risk of operating the system. That is where the "Authorize" step comes in. The individual accepting the risk should be a senior official with ownership of the system and its mission; this role is referred to as the Authorizing Official.

DIARMF - Step 6. Continuous Monitoring

The last step is an ongoing one. The security posture that was accepted by the Authorizing Official has to be maintained after authorization.

Continuous monitoring is the day-to-day process for evaluating changes that affect the risk of the system and accepting or denying them. It is about proactively looking for new vulnerabilities, threats and potential risks rather than waiting for the next reauthorization.

for more visit: http://diarmfs.com