Book details
  • Genre: Computers
  • SubGenre: Internet / Online Safety & Privacy
  • Language: English
  • Pages: 74
  • eBook ISBN: 9781626757981

Authorizing Official Handbook

for Risk Management Framework (RMF)

by Keith Frederick

Overview
This book provides an overview of the Authorizing Official (AO) role in the Risk Management Framework (RMF) process, discusses the implications of performing AO duties, and emphasizes RMF as a continuous process. In addition, it provides guidance for analyzing the Security Authorization Package (SAP) and making the authorization decision. It provides a means to protect the information system (IS), the information it processes, and thus the Authorizing Official from civil prosecution (or, if appropriate, military prosecution) by providing evidence of the AO’s intentions to manage the system’s risk.

Why Certify and Accredit?

The Authorizing Official is professionally accountable and responsible for:
  • Securing the operations and system under their jurisdiction.
  • Supplying documentation that verifies a System Security Plan (SSP) and adequate security measures have been implemented.
  • Maintaining documentation that ongoing operational procedures are being monitored and updated to meet system and regulatory changes.

The Risk Management Framework (RMF) protects against system operations failures, fraud, and misuse of sensitive information, as well as personal prosecution. Following the RMF process, as outlined in this book, will help ensure that the system is operating at an acceptable level of risk, and that the AO has shown clear intention to comply with all applicable laws, standards, and policies for information technology (IT) security in an attempt to perform their designated duties. RMF, when properly accomplished, helps protect the AO from:
  • Civil and criminal prosecution (e.g., due to noncompliance with the Privacy Act of 1974, Computer Security Act of 1987, HIPAA Act of 1996, eGov Act of 2002, etc.),
  • If appropriate, court martial (dereliction of duty), and/or
  • Financial hardship (due to loss of job and private defense expenses).
Description
Authorizing Official’s Liability
It is imperative that the Authorizing Official (AO) understands the ramifications of signing the authorization document. It is the duty of the AO of the system to see that the appropriate security measures, documentation, and an RMF process have been implemented and maintained throughout the life cycle of the system in their charge. This means that the AO must ensure that the level of security employed and maintained on the system is adequate to protect the people, technology, and its information from unauthorized access, unauthorized changes, and unavailability. When the AO grants approval for the system to operate, he is accepting the ultimate responsibility for the operation of the system and officially declares that (1) the specified system adequately protects the system and the information on that system, and (2) he accepts the residual risks involved in operating that system. Further, the AO must be able to show sufficient documentation to support his authorization decision as well as to verify the ongoing implementation and operational maintenance of designated security controls, which also shows the AO’s intent to provide adequate protection.

“Breach of Duty, Standards of Due Care, Proximate Cause, Negligence Per Se, and Res Ipsa Loquitur (i.e. the thing speaks for itself) are but a few of the concepts affecting litigation. Litigation that you may find yourself facing should the security mechanisms validated by your authorization plan fail to prevent, for example, unauthorized access to, modification of, or dissemination of sensitive or classified information.” (Ref. NCSC-TG-032, Version 1, 6 March 1997)

The organization’s system operations failures due to insufficient implementation and verification of adequate security controls should be viewed as a breach of fiduciary duty or dereliction of duty. Additionally, an individual who fails to follow applicable computer security laws (e.g., the Computer Security Act of 1987, Privacy Act of 1974, Freedom of Information Act, FISMA, HIPAA, etc.) may be criminally liable and may face additional civil prosecution.
About the author
Keith Frederick, BS EE, MBA, CISSP, CAP, CRISC, has more than 35 years of information systems assessment experience, including over 25 years of information assurance, Certification and Accreditation (C&A), Risk Management Framework (RMF), and Federal Information Security Management Act (FISMA) work. Keith has a proven record of success as a Security Control Assessor (SCA) and an information system security engineer. Hands-on experience includes hundreds of systems’ security control assessments, information systems development, systems analysis and design, key management services, programming, program design, as well as preparation in resource planning, programming, and budgeting.
  • Authored “Independent Testing for Risk Management Framework (RMF), Assessment Test Plan (ATP)”, ISBN 9781626755963.
  • Developed and taught numerous Information Assurance classes, from RMF and Network Security to Practical Information Assurance and many others.
  • Invented, developed and implemented:
    ◦ The RMF Security Lifecycle tool Cyber Profile™ (CP™), which automates continuous monitoring throughout a system’s lifecycle and produces the Security Authorization Package (SAP) documents and reports. (5th Generation)
    ◦ The C&A tool Risk Management System™ (RMS™), which helps users with the C&A workflow and documentation. Made standard throughout the Department of Homeland Security. (4th Generation)
    ◦ The vulnerability management tool Enterprise Vulnerability Management™ (EVM™). Made standard throughout the Federal Government by the Office of Management and Budget (OMB). (3rd Generation)
    ◦ The C&A tool Security Analyst Workbench™ (SAW™), which helps users with the C&A workflow and documentation. (2nd Generation)
    ◦ The security database tool Total Enterprise Security Service™ (TESS™), which was sold to security professionals. (1st Generation)
  • Supports NIST’s security working group, providing reviews and comments on the development of NIST Special Publications (SP) (i.e., NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, and NIST SP 800-37 Rev 1, Guide for Security Authorization of Federal Information Systems, A Security Life Cycle Approach).
  • Member of the task group that reviewed and commented on the DoD Information Technology Security Certification and Accreditation Process (DITSCAP) and the DoD Information Assurance Certification and Accreditation Process (DIACAP).
  • Authored Air Force System Security Instruction (AFSSI) 5024, Volumes 1-4, “The Certification and Accreditation (C&A) Process”. This is the first official government document that standardized the RMF/C&A Process.
  • Authored and presented a paper, published nationally, on an approach for accomplishing certification and authorization (C&A) on information systems at the 16th National Computer Security Conference hosted by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA), and again at the Standard System Center Conference hosted by the Air Force Standard System Center.