Authorizing Official Handbook: for Risk Management Framework (RMF)
Ebook, 140 pages, 1 hour


About this ebook

This book provides an overview of the Authorizing Official (AO) role in the Risk Management Framework (RMF) process, discusses the implications of performing AO duties, and emphasizes RMF as a continuous process. In addition, it provides guidance for analyzing the Security Authorization Package (SAP) and making the authorization decision. It provides a means to protect the information system (IS), the information it processes, and thus the Authorizing Official from civil prosecution (or, if appropriate, military prosecution) by providing evidence of the AO’s intention to manage the system’s risk.


WHY CERTIFY AND ACCREDIT?
The Authorizing Official is professionally accountable and responsible for:
• Securing the operations and systems under their jurisdiction.
• Supplying documentation that verifies a System Security Plan (SSP) exists and that adequate security measures have been implemented.
• Maintaining documentation showing that ongoing operational procedures are being monitored and updated to meet system and regulatory changes.
The Risk Management Framework (RMF) protects against system operations failures, fraud, and misuse of sensitive information, as well as personal prosecution of the AO. Following the RMF process, as outlined in this book, will help ensure that the system is operating at an acceptable level of risk, and that the AO has shown a clear intention to comply with all applicable laws, standards, and policies for information technology (IT) security in performing their designated duties. RMF, when properly accomplished, helps protect the AO from:
• Civil and criminal prosecution (e.g., due to noncompliance with the Privacy Act of 1974, the Computer Security Act of 1987, the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the E-Government Act of 2002, etc.),
• Court-martial (dereliction of duty), if applicable, and/or
• Financial hardship (due to loss of job and private defense expenses).
Language: English
Publisher: BookBaby
Release date: May 1, 2013
ISBN: 9781626757981

    Book preview

    Authorizing Official Handbook - Keith Frederick

    Copyright © 2013 Keith Frederick

    All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the prior written permission of the copyright holder.

    ISBN: 9781626757981

    Trademarks

    Cyber Profile™ (CP™) is a registered trademark of Computer Network Assurance Corporation.

    Risk Management System™ (RMS™) is a registered trademark of SecureInfo Corporation.

    Security Analyst Workbench™ (SAW™) is a registered trademark of SecureInfo Corporation.

    Enterprise Vulnerability Management™ (EVM™) is a registered trademark of SecureInfo Corporation.

    Total Enterprise Security Service™ (TESS™) is a registered trademark of SecureInfo Corporation.

    Keith Frederick is the Founder of both Computer Network Assurance Corporation and SecureInfo Corporation and the inventor of all products listed above.

    Warning and Disclaimer

    The information provided is on an as is basis. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The author and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book.

    Acknowledgment

    A special thanks goes to Jacalyn Bowen for her outstanding editing.

    To stay as close to and not misquote any of the Laws, Policies, Directives, Regulations, Memoranda, Standards, and Guidelines, the pertinent writings were copied into this book where appropriate. The Laws, Policies, Directives, Regulations, Memoranda, Standards, and Guidelines that were copied are listed in Appendix H: References.

    About the Author

    Keith Frederick, BS EE, MBA, CISSP, CAP, CRISC, has more than 35 years of information systems assessment experience, including over 25 years in information assurance, Certification and Accreditation (C&A), the Risk Management Framework (RMF), and the Federal Information Security Management Act (FISMA). Keith has a proven record of success as a Security Control Assessor (SCA) and an information system security engineer. His hands-on experience includes hundreds of systems’ security control assessments, information systems development, systems analysis and design, key management services, programming, program design, as well as preparation in resource planning, programming, and budgeting.

    Authored "Independent Testing for Risk Management Framework (RMF), Assessment Test Plan (ATP)" ISBN: 9781626755963.

    Developed and taught numerous Information Assurance classes from RMF, Network Security, to Practical Information Assurance and many others.

    Invented, developed and implemented:

    The RMF Security Lifecycle tool Cyber Profile ™ (CP™) that automates the continuous monitoring throughout a system’s lifecycle and accomplishes the Security Authorization Package (SAP) documents and reports. (5th Generation)

    The C&A tool Risk Management System™ (RMS™), which helps users with the C&A workflow and documentation. Made standard throughout the Department of Homeland Security. (4th Generation)

    The vulnerability management tool Enterprise Vulnerability Management™ (EVM™). Made standard throughout the Federal Government by the Office of Management and Budget (OMB). (3rd Generation)

    The C&A tool Security Analyst Workbench™ (SAW™), which helps users with the C&A workflow and documentation. (2nd Generation)

    The security database tool Total Enterprise Security Service™ (TESS™), which was sold to security professionals. (1st Generation)

    Supports NIST’s security working group by providing reviews and comments on the development of NIST Special Publications (SP) (e.g., NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, and NIST SP 800-37 Rev 1, Guide for Security Authorization of Federal Information Systems: A Security Life Cycle Approach).

    Member of the task group that reviewed and commented on the DoD Information Technology Security Certification and Accreditation Process (DITSCAP) and the DoD Information Assurance Certification and Accreditation Process (DIACAP).

    Authored Air Force System Security Instruction (AFSSI) 5024, Volumes 1-4, The Certification and Accreditation (C&A) Process. This is the first official government document that standardized the RMF/C&A Process.

    Authored and presented a nationally published paper on an approach for accomplishing certification and accreditation (C&A) of information systems at the 16th National Computer Security Conference, hosted by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA), and again at the Standard Systems Center Conference, hosted by the Air Force Standard Systems Center.

    TABLE OF CONTENTS

    CHAPTER 1: INTRODUCTION

    Purpose

    Why Certify and Accredit?

    Relevant Laws That Must Be Adhered To

    Authorizing Official’s Liability

    Security Authorization Package

    Roles and Responsibilities

    Authorizing Official (AO)

    Authorizing Official (AO) Designated Representative

    Common Control Provider

    System Owner (SO)

    Senior Information Security Officer [or Chief Information Security Officer (CISO)]

    Information Systems Security Officer (ISSO)

    Security Control Assessor (SCA)

    CHAPTER 2: Risk Management Framework (RMF) Process

    Phase I: Implementation

    Step 1 – Categorize Information System

    Step 2 – Select Security Controls

    Step 3 – Implement Security Controls

    Phase II: Assessment

    Step 4 – Assess Security Controls

    Phase III: Authorization

    Step 5 – Authorize Information System

    Phase IV: Continuous Monitoring

    Step 6 – Monitor Security Controls

    Appendix

    Appendix A: AO Authorization Letter

    Appendix B: AO Denial Authorization Letter

    Appendix C: Acronyms, Abbreviations, and Definitions

    Appendix D: Security Authorization Package (SAP)

    Appendix E: Chart of NIST SP 800-37 Rev 1

    Appendix F: Cyber Profile™ Feature Sheet

    Appendix G: Security Laws, Executive Orders, and Directives

    Appendix H: References

    CHAPTER 1: INTRODUCTION

    An authorization of the system is a requirement of the Federal Information Security Management Act of 2002 (FISMA) as