The next step in the NIST RMF (Step 5) concludes with an authorization decision102 for the information system to operate (or continue to operate, for legacy systems).
This section will present the tasks outlined in Table 5.9, with primary emphasis being placed on planning corrective actions and the authorization process.
Corrective Action Planning
The POA&Ms103 receive input from the SAR, and are one of the three key documents presented in the authorization package to the authorizing official. The POA&Ms include a set of tasks focused on correcting weaknesses or deficiencies discovered during the security controls assessment,104 or security testing (e.g., periodic vulnerability scanning, penetration testing, etc.). In addition, POA&Ms document corrective actions for security weaknesses and deficiencies found during other types of reviews done by, for, or on behalf of the federal agency, including GAO audits, financial system audits, and critical infrastructure vulnerability assessments [18].
101 From Cloud Security Alliance (CSA), CloudAudit Working Group [Internet]. Washington: Cloud Security Alliance [cited 2011 Dec 19]. Available from: https://cloudsecurityalliance.org/wp-content/uploads/2011/12/GRC-Stack-CSA-Congress-2011-part-1.pptx. Automated emerging specifications such as CloudAudit can be used to provide “a structure for organizing assertions and supporting documentation for specific controls across different compliance frameworks in a way that simplifies discovery by humans and tools.”
102 From Joint Task Force Transformation Initiative Interagency Working Group. NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Maryland: National Institute of Standards and Technology; 2010. “The security authorization decision indicates to the information system owner whether the system is: (i) authorized to operate; or (ii) not authorized to operate.”
103 From Daniels, M. Office of Management and Budget (OMB) Memorandum 02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones. Washington: Executive Office of the President, Office of Management and Budget; 2001. “A plan of action and milestones (POA&M) is a tool that identifies tasks that need to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the task, and scheduled completion dates for the milestones.”
104 From Joint Task Force Transformation Initiative Interagency Working Group. NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Maryland: National Institute of Standards and Technology; 2010. “All security weaknesses and deficiencies identified during the security control assessment are documented in the security assessment report to maintain an effective audit trail.”
149 NIST RMF Process
Developing a Risk Mitigation Strategy
A strategy for risk mitigation105 planning is important when prioritizing corrective actions as part of an organization-wide risk management function. The prioritization106 should take input from other activities within the NIST RMF, such as security categorization. In addition, other inputs can also influence the risk mitigation strategy, such as the security controls (i.e., where the security weaknesses or deficiencies exist), impacts of the weaknesses and deficiencies on the overall security state of the information system, and the risk mitigation approach used by the organization to address weaknesses and deficiencies [3].
105 From Joint Task Force Transformation Initiative Interagency Working Group. NIST Special Publication (SP) 800-39, Managing Information Security Risk: Organization, Mission, and Information System View. Maryland: National Institute of Standards and Technology; 2011. “Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process.”
106 From Joint Task Force Transformation Initiative Interagency Working Group. NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Maryland: National Institute of Standards and Technology; 2010. “A risk assessment guides the prioritization process for items included in the plan of action and milestones.”
Table 5.9 NIST RMF Step 5 Activities [3]
Task 5-1, Plan of action and milestones
  Activities:
  • Prepare the plan of action and milestones based on the findings and recommendations of the security assessment report excluding any remediation action taken
  References:
  • OMB M-02-01
  • NIST SP 800-30
  • NIST SP 800-53A
Task 5-2, Security authorization package
  Activities:
  • Assemble the security authorization package
  • Submit the package to the authorizing official for adjudication
Task 5-3, Risk determination
  Activities:
  • Determine the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation
  References:
  • NIST SP 800-30
  • NIST SP 800-39
Task 5-4, Risk acceptance
  Activities:
  • Determine if the risk to organizational operation, organizational assets, individuals, other organizations, or the Nation is acceptable
  References:
  • NIST SP 800-53A
150 CHAPTER 5 Applying the NIST Risk Management Framework
Documenting POA&Ms
The authorizing official uses POA&Ms as an oversight management tool for tracking corrective actions for a specific information system. In addition, the organization can also use consolidated POA&Ms from across all of its information systems to identify common weaknesses and deficiencies and to allocate resources effectively for organization-wide security improvements. Therefore, POA&Ms should provide enough details107 to enable the organization to identify, assess, prioritize, and monitor the correction of weaknesses and deficiencies in both federal and contractor systems.108 POA&M details109 should include:
• Brief description of the weakness.110
• Identity of the organization held responsible for resolving the weakness.
• Estimated funding resources required to resolve the weakness.
• Scheduled completion date for resolving the weakness.
• Key milestones111 with completion dates.
• Milestone changes.
• The source of the weakness.
• Status.112
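As an added example (not code from the book, NIST or OMB), the following Python checks POA&M entries against the data elements above and the "Completed" rule, builds the consolidated cross-system view of common weaknesses, and orders open items by the system's impact level. The field names, the impact ranking and the sample entries are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
# Added example, not from the book, NIST or OMB. Field names, the impact ranking
# and the sample entries are constructed to mirror the POA&M data elements above.
REQUIRED = ("description", "responsible_org", "estimated_funding",
            "scheduled_completion", "milestones", "source", "status")
IMPACT_RANK = {"high": 0, "moderate": 1, "low": 2}  # from security categorization

@dataclass
class PoamEntry:
    system: str
    weakness_id: str
    description: str            # brief, non-sensitive description of the weakness
    responsible_org: str
    estimated_funding: int
    scheduled_completion: date
    milestones: list            # (milestone text, due date) pairs
    source: str                 # e.g. "SAR AC-2", "IG audit", "vulnerability scan"
    status: str                 # "Ongoing" or "Completed"
    impact: str                 # FIPS 199 impact level of the hosting system
    completed_on: Optional[date] = None
    tested: bool = False        # corrective action verified after implementation

def validate_entry(e: PoamEntry, today: date) -> list:
    """Return the reasons an entry would not pass oversight review (empty = OK)."""
    problems = []
    for name in REQUIRED:
        if getattr(e, name) in (None, "", []):
            problems.append(f"missing data element: {name}")
    if e.status not in ("Ongoing", "Completed"):
        problems.append(f"status must be Ongoing or Completed, got {e.status!r}")
    if e.status == "Completed":
        # "Completed" only when fully resolved and the corrective action was tested
        if not e.tested:
            problems.append("Completed without tested corrective action")
        if e.completed_on is None:
            problems.append("Completed without a completion date")
    elif e.scheduled_completion < today:
        problems.append("Ongoing and past scheduled completion date")
    for text, due in e.milestones:
        if due > e.scheduled_completion:
            problems.append(f"milestone '{text}' due after scheduled completion")
    return problems

def common_weaknesses(entries: list, min_systems: int = 2) -> dict:
    """Consolidated view: open weakness sources shared by >= min_systems systems."""
    by_source = {}
    for e in entries:
        if e.status == "Ongoing":
            by_source.setdefault(e.source, set()).add(e.system)
    return {s: sorted(v) for s, v in by_source.items() if len(v) >= min_systems}

def prioritize(entries: list) -> list:
    """Order open items: higher system impact first, then earliest scheduled date."""
    return sorted((e for e in entries if e.status == "Ongoing"),
                  key=lambda e: (IMPACT_RANK[e.impact], e.scheduled_completion))

TODAY = date(2012, 3, 1)  # constructed review date
SAMPLE = [  # constructed entries for two systems
    PoamEntry("HR-Portal", "W-1", "Quarterly account review not performed", "HR IT", 5000,
              date(2012, 6, 30), [("Automate review report", date(2012, 5, 15))],
              "SAR AC-2", "Ongoing", "moderate"),
    PoamEntry("Payroll", "W-2", "Quarterly account review not performed", "Finance IT", 8000,
              date(2012, 1, 31), [("Assign reviewers", date(2011, 12, 15))],
              "SAR AC-2", "Ongoing", "high"),
    PoamEntry("Payroll", "W-3", "Unsupported TLS library on web tier", "Finance IT", 0,
              date(2011, 11, 30), [], "vulnerability scan", "Completed", "high", tested=True),
]
```

Running the checks over SAMPLE flags W-2 as overdue and W-3 as marked Completed without a completion date or milestones, while the consolidated view shows "SAR AC-2" as a weakness common to both systems.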
107 From Daniels, M. Office of Management and Budget (OMB) Memorandum 02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones. Washington: Executive Office of the President, Office of Management and Budget; 2001. OMB has developed POA&M guidance which provides specific instructions and examples for the POA&Ms.
108 From Bolten, J. Office of Management and Budget (OMB) Memorandum 04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act. Washington: Executive Office of the President, Office of Management and Budget; 2004. The agency is responsible for ensuring the contractor corrects weaknesses discovered through self-assessments and independent assessments. Any weaknesses are to be reflected in the agency’s POA&M.
109 From Bolten, J. Office of Management and Budget (OMB) Memorandum 04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act. Washington: Executive Office of the President, Office of Management and Budget; 2004. The exact format prescribed in the POA&M examples in M-04-25 is no longer required, but all of the associated data elements must be included in the POA&Ms.
110 From Daniels, M. Office of Management and Budget (OMB) Memorandum 02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones. Washington: Executive Office of the President, Office of Management and Budget; 2001. “Description of the weaknesses. Sensitive descriptions of specific weaknesses are not necessary, but sufficient data must be provided to permit oversight and tracking. Where it is necessary to provide more sensitive data, the POA&M should note the fact of its special sensitivity.”
111 From Daniels, M. Office of Management and Budget (OMB) Memorandum 02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones. Washington: Executive Office of the President, Office of Management and Budget; 2001. A milestone will identify specific requirements to correct an identified weakness.
112 From Daniels, M. Office of Management and Budget (OMB) Memorandum 02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones. Washington: Executive Office of the President, Office of Management and Budget; 2001. Ongoing or completed. “Completed” should be used only when a weakness has been fully resolved and the corrective action has been tested. Include the date of completion.
Security Authorization Approaches
The security authorization process is based on three different approaches.113 The first, and most commonly used, is the traditional approach, which involves only one authorizing official. In this approach, a single authorizing official has both the responsibility and accountability for accepting security risks.
Next is the joint authorization114 approach, which includes a shared interest, usually between multiple authorizing officials because the information system ties directly into the strategic mission or business processes. In this approach, the authorizing officials are collectively responsible and accountable for accepting the security risks.
The final approach is used when the mission or business processes are supported by more than one federal agency. This approach is known as the leveraged authorization approach and can be used to authorize an information system, commonly a shared service,115 that can be used by more than one agency based on the original authorization package without requiring reauthorization by the leveraging organization.
Due to the complexity in implementing the leveraged authorization approach, it is the one used least often of the three, but offers the most cost savings.116 The leveraging organization, usually through an assigned authorizing official, leverages the original authorization117 by accepting the risks, and assesses only those additional
113 From Joint Task Force Transformation Initiative Interagency Working Group. NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Maryland: National Institute of Standards and Technology; 2010. Organizations can choose from three different approaches when planning for and conducting security authorizations to include: (i) an authorization with a single authorizing official; (ii) an authorization with multiple authorizing officials; or (iii) leveraging an existing authorization.
114 From Joint Task Force Transformation Initiative Interagency Working Group. NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Maryland: National Institute of Standards and Technology; 2010. Collaborating on the security categorization, selection of security controls, plan for assessing the controls to determine effectiveness, plan of action and milestones, and continuous monitoring strategy, is necessary for a successful joint authorization.
115 From Office of Management and Budget (OMB). Federal Information Technology Shared Services Strategy. Washington: Executive Office of the President, Office of Management and Budget; 2012. “A function that is provided for consumption by multiple organizations within or between Federal Agencies.”
116 From Joint Task Force Transformation Initiative Interagency Working Group. NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Maryland: National Institute of Standards and Technology; 2010. “The leveraged authorization approach provides opportunities for significant cost savings and avoids a potentially costly and time-consuming authorization process by the leveraging organization.”
117 From Joint Task Force Transformation Initiative Interagency Working Group. NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Maryland: National Institute of Standards and Technology; 2010. “When reviewing the authorization package, the leveraging organization considers risk factors such as the time elapsed since the authorization results were produced, the environment of operation (if different from the environment of operation reflected in the authorization package), the criticality/sensitivity of the information to be processed, stored, or transmitted, as well as the overall risk tolerance of the leveraging organization.”
requirements beyond the original security control baseline established by the original.118 For example, if the leveraging organization determines there is insufficient information in the authorization package or inadequate security measures in place for establishing an acceptable level of risk, the leveraging organization may negotiate for additional security measures119 and/or security-related information [3].
Another option that may be used by an organization when multiple instances of the same information system (or subsystem) are deployed in a number of different operational environments is the application of a type authorization [3]. In a type authorization a single authorizing package is used to reflect a common view for all of the instances deployed across all locations where the information system is hosted (also known as site-specific controls120).
Security Authorization Process
The security authorization process is the most involved step in the NIST RMF (Step 5) because it requires the direct or indirect input from each of the previous steps in the NIST RMF (categorization, security control selection, security control implementation, and security control assessment) to make the authorization decision. This process begins with the assembly of the authorization package, where the key and supporting documents needed to make the authorization decision are prepared. After the security authorization package has been assembled, the determination of risk involves an analysis of information gathered from across the organization to provide the authorizing official with enough credible information to support a risk-based decision.
The authorization package includes both key and supporting documents.121 Figure 5.13 illustrates the three key minimum documents that are required by the
118 From Joint Task Force Transformation Initiative Interagency Working Group. NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Maryland: National Institute of Standards and Technology; 2010. “The term owning organization refers to the federal agency or subordinate organization that owns the authorization package.”
119 From Joint Task Force Transformation Initiative Interagency Working Group. NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Maryland: National Institute of Standards and Technology; 2010. “Additional security measures may include, for example, increasing the number of security controls, conducting additional assessments, implementing compensating controls, or establishing constraints on the use of the information system or services provided by the system.”
120 From Joint Task Force Transformation Initiative Interagency Working Group. NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Maryland: National Institute of Standards and Technology; 2010. “Site-specific controls are typically implemented by an organization as common controls.”
121 From Joint Task Force Transformation Initiative Interagency Working Group. NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Maryland: National Institute of Standards and Technology; 2010. “The authorizing official determines what additional supporting documentation or references may be required to be included in the authorization package.”
authorizing official: security plan, SAR, and POA&Ms. These three documents are considered the most accurate representation of the security state of the information system and are based on information derived from activities performed throughout the execution of the NIST RMF.
For security controls inherited in whole or in part by another organization (common control provider) or an external service provider, security risk–related information122 may be shared with the authorizing official to supplement the authorization package and assist in making an authorization decision. For all of the key documents included in the authorization package, the owner of the information system or provider of common controls generally has the responsibility of packaging and submitting the security authorization package.
Risk determination is a critical activity in the authorization process that involves reviewing the documents in the security authorization package. During this activity, the authorizing official will likely place significant importance on the security assessment report [22], but will also use information gathered through other risk management activities to understand the organization’s overall risk exposure123 from operating the information system. In addition, the authorizing official will likely rely upon additional input from the other parts of the organization such as the
122 From Joint Task Force Transformation Initiative Interagency Working Group. NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Maryland: National Institute of Standards and Technology; 2010. “Risk-related information includes the criticality of organizational missions and/or business functions supported by the information system and the risk management strategy for the organization.”
123 From Joint Task Force Transformation Initiative Interagency Working Group. NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Maryland: National Institute of Standards and Technology; 2010. “Risk exposure is the degree to which an organization is threatened by the potential adverse effects on organizational operations and assets, individuals, other organizations, or the Nation.”
FIGURE 5.13 Security Authorization Package [3]
organization’s risk executive124 and other organizational assessments of risk to assist in making the final determination, in addition to the documents in the security authorization package. “The information system-related security risk information derived from the execution of the NIST RMF is available to the risk executive (function) for use in formulating and updating the organization-wide risk management strategy” [3].
The risk determination concludes in a final determination of an authorization decision as defined in Table 5.10. The authorization decision is achieved through a balance of the security considerations identified through the execution of the NIST RMF, with mission and operational needs for the information system [3]. The security considerations are based on the contents of the authorization package, input from the risk executive, and any other supporting information as determined by the authorizing official.
After the final authorization decision has been made, the decision is communicated to the system owner or common controls provider. The authorization decision document includes not only the authorization decision, but may also include any applicable terms and conditions125 and a termination date. As an alternative, instead of establishing a termination date (time-driven reauthorizations126), the organization could also require the implementation of a continuous monitoring program (event-driven reauthorization127) that provides the capability to continuously make risk
124 From Joint Task Force Transformation Initiative Interagency Working Group. NIST Special Publication (SP) 800-39, Managing Information Security Risk: Organization, Mission, and Information System View. Maryland: National Institute of Standards and Technology; 2011. “An individual or group within an organization that helps to ensure that: (i) security risk-related considerations for individual information systems, to include the authorization decisions for those systems, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its missions and business functions and (ii) managing risk from individual information systems is consistent across the organization, reflects organizational risk tolerance, and is considered along with other organizational risks affecting mission/business success.”
125 From Joint Task Force Transformation Initiative Interagency Working Group. NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Maryland: National Institute of Standards and Technology; 2010. “The terms and conditions for the authorization provide a description of any limitations or restrictions placed on the operation of the information system or the implementation of common controls that must be followed by the system owner or common control provider.”
126 From Joint Task Force Transformation Initiative Interagency Working Group. NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Maryland: National Institute of Standards and Technology; 2010. “Time-driven reauthorizations occur when the authorization termination date is reached.”
127 From Joint Task Force Transformation Initiative Interagency Working Group. NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Maryland: National Institute of Standards and Technology; 2010. “Event-driven reauthorizations can occur when there is a significant change to an information system or its environment of operation.”
determinations and acceptance. For example, “if the maximum authorization period