In a previous blog post, “Why Does the Risk Management Framework Still Matter?”, we gave an overview of the NIST Risk Management Framework (RMF) and walked through its first steps. In this post we continue the discussion by looking at the steps that lead to continuous monitoring under the RMF.
Of the six steps in the RMF, only the last is focused on cyber operations; steps 1 through 5 establish a baseline of controls, policies and accreditation. To actually enhance cybersecurity we must monitor, and be able to demonstrate, the viability and health of the security standards we deploy. Are you, like many organizations, spending 90% of your time establishing a baseline of controls and only 10% enhancing your cyber posture and achieving cyber accountability? (NIST SP 800-37 Rev. 2 adds a preliminary Prepare step, but the six steps below remain the core of the process.)
- Step 1: Categorize the system and the information it processes (FIPS 199; NIST SP 800-60)
- Step 2: Select the security controls for the system (FIPS 200; NIST SP 800-53; CNSSI 1253 for national security systems, including DoD)
- Step 3: Implement the selected controls in the environment as the “system” (NIST SP 800-53)
- Step 4: Assess the implementation of the controls and policies (NIST SP 800-53A)
- Step 5: Authorize the system, the collection of controls and policies created for the environment (NIST SP 800-37)
- Step 6: Monitor the system continuously (NIST SP 800-137)
To simplify how you look at the Framework, we have grouped the six RMF steps into three steps we call the BAP Cyber Steps:
BAP Cyber Step 2: Validate Controls and Policies
This step brings together steps 4 and 5 of the RMF. There is no doubt that the most significant collection of cyber controls is the catalog in NIST SP 800-53. As we discussed in the last post, the NIST catalog is extensive and impressive, and a great starting point for implementing controls that fit the requirements of your environment. In Step 2 we focus on validating the implementation language written for each control before the control is implemented, which reduces the time cyber operations spends adjusting existing infrastructure and adding new technologies to satisfy control requirements. The validation criteria can be authored jointly by the cyber policy and cyber operations teams, producing a vetted system security plan (SSP) and a clear path to continuous monitoring and RMF accountability.
Validate the implementation of the controls before deploying any security product, and save time and money.
USE CASE – RMF and BAP
To begin, the RMF policy professional enters all controls into the BAP software suite, grouping the controls into policies. The cyber operations team refines the implementation language associated with each control and implements the control within the environment. Throughout the process, the RMF policy and cyber operations teams validate the implementation language used for the controls. Once the implementation language and the controls have been validated, steps 1 through 5 of the RMF are satisfied, and security operations is prepared for successful monitoring of the environment, step 6 of the RMF. The groundwork has to be completed for the RMF anyway, so why not complete it within BAP, knowing that continuous monitoring and accountability are core attributes of the BAP software?
Save time and cost: when building your controls, use the right tool.