Full Program »
T6. Integrating Cybersecurity into the System Lifecycle Using the Risk Management Framework (RMF)
Tuesday, 8 December 2015
08:30 - 12:00
Salon 8
[This is a full day session.]
The Risk Management Framework developed by NIST and documented in NIST SP 800-37 Revision 1 has become the standard across the entire US Government – both National Security Systems (NSS) and non-NSS -- for determination of security requirements, assessment of security requirements, and authorization for operation. This tutorial provides a detailed introduction to the Risk Management Framework, explores how to integrate it into the acquisition lifecycle, and stresses the importance of doing so early as part of the process of system security engineering. This tutorial examines the set of security controls defined for Federal systems in NIST SP 800-53 Revision 4, as well as the process for selecting, tailoring, and supplementing those controls. It also discusses how this process is adapted for use in National Security Systems through CNSS Instruction No. 1253 and goes through the tasks involved in the Risk Management Framework. The tutorial provides an overview of the applicable NIST documents (NIST SP 800-53 Revision 4, NIST SP 800-37 Revision 1, NIST SP 800-30, NIST SP 800-39), and the corresponding application to National Security Systems (CNSSI No 1253, DODI 8500.01, DODI 8510.10, and ICD 503).
Prerequisites. None.
Outline:
- Background: A Paradigm Shift
- Where We Were
- The Realizations Hits
- Realization One: Its Part of the Mission
- Realization Two: There’s Only So Much Money
- Realization Three: Techniques Invariant Among Applications
- Joint Taskforce Transformation Initiative
- The Unified Framework
- The Risk Management Framework
- Understanding Risk in the Enterprise
- Using the RMF to Engineer Security
- The Cybersecurity Control Catalog
- Control Selection, Supplementation, and Tailoring
- Reviewing The Control Catalog
- RMF and System Security Engineering
- RMF Steps 1-3: Categorize, Select, Implement
- Using the RMF to Ensure and Maintain Effective Cybersecurity
- RMF Steps 4-6: Assess, Authorize, Maintain
- Transitioning to the RMF
- Conclusion
About the Instructor:
Mr. Daniel Faigin has been involved with computer security since 1985, when he was one of the architects on the BLACKER program at System Development Corporation (SDC). Since joining Aerospace in 1988, he has been closely involved with both the commercial product evaluation programs of the NCSC/CCEVS (i.e., TCSEC, Common Criteria), as well as acquisition, assessment, and authorization efforts on a number of space programs. He is the author of a number of reports providing information assurance guidance, including in-depth analysis of both the 8500.02 controls and the 800-53 controls, exploring how these controls are applied to space systems. The current version of his analysis of NIST SP 800-53 controls is captured in the soon to be published Aerospace report “Exploding 800-53 Revision 4”, and serves as the basis for the Aerospace CSI:53 (Categorize, Select, and Implement for NIST SP 800-53 and CNSSI 1253) tool. He is a contributor to the development of the space platform and launch vehicle overlays, and is one of the authors of the cybersecurity section of the Mission Assurance Guide.
Mr. Faigin has an M.S. and B.S. degrees from UCLA, and is a CISSP. He has been the education chair of the Annual Computer Security Applications Conference since 1990, was general chair of the conference between 2001-2004, and is doing his second stint as Local Arrangements Chair (2008-Anaheim, 2015-2016-Los Angeles). He is the current secretary of ACSA, the sponsoring organization of the ACSAC conference. In his spare time, he is President of his synagogue’s mens club, maintains the California Highway pages, and produces a blog that includes weekly reviews of live theatre in Southern California.