Authorizing Official Handbook: for Risk Management Framework (RMF)
About this ebook
WHY CERTIFY AND ACCREDIT?
The Authorization Official is professionally accountable and responsible for:
• Securing the operations and system under their jurisdiction.
• Supplying documentation that verifies a System Security Plan (SSP) and adequate security measures have been implemented.
• Maintaining documentation that ongoing operational procedures are being monitored and updated to meet system and regulatory changes.
The Risk Management Framework (RMF) protects against system operations failures, fraud, and misuse of sensitive information, and it also protects the AO from personal prosecution. Following the RMF process, as outlined in this book, will help ensure that the system is operating at an acceptable level of risk and that the AO has shown a clear intention to comply with all applicable laws, standards, and policies for information technology (IT) security while performing their designated duties. RMF, when properly accomplished, helps protect the AO from:
• Civil and criminal prosecution (i.e., due to noncompliance with the Privacy Act of 1974, the Computer Security Act of 1987, the HIPAA Act of 1996, the eGov Act of 2002, etc.),
• Court martial for dereliction of duty, where applicable, and/or
• Financial hardship (due to loss of job and private defense expenses).
Authorizing Official Handbook - Keith Frederick
Copyright © 2013 Keith Frederick
All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the prior written permission of the copyright holder.
ISBN: 9781626757981
Trademarks
Cyber Profile™ (CP™) is a registered trademark of Computer Network Assurance Corporation.
Risk Management System™ (RMS™) is a registered trademark of SecureInfo Corporation.
Security Analyst Workbench™ (SAW™) is a registered trademark of SecureInfo Corporation.
Enterprise Vulnerability Management™ (EVM™) is a registered trademark of SecureInfo Corporation.
Total Enterprise Security Service™ (TESS™) is a registered trademark of SecureInfo Corporation.
Keith Frederick is the Founder of both Computer Network Assurance Corporation and SecureInfo Corporation and the inventor of all products listed above.
Warning and Disclaimer
The information provided is on an as-is basis. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The author and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book.
Acknowledgment
A special thanks goes to Jacalyn Bowen for her outstanding editing.
To stay as close to and not misquote any of the Laws, Policies, Directives, Regulations, Memoranda, Standards, and Guidelines, the pertinent writings were copied into this book where appropriate. The Laws, Policies, Directives, Regulations, Memoranda, Standards, and Guidelines that were copied are listed in Appendix H: References.
About the Author
Keith Frederick, BS EE, MBA, CISSP, CAP, CRISC, has completed more than 35 years of information systems assessment experience, including over 25 years of information assurance, Certification and Accreditation (C&A), Risk Management Framework (RMF), and Federal Information Security Management Act (FISMA) work. Keith has a proven record of success as a Security Control Assessor (SCA) and an information system security engineer. Hands-on experience includes hundreds of systems’ security control assessments, information systems development, systems analysis and design, key management services, programming, program design, as well as preparation in resource planning, programming, and budgeting.
Authored "Independent Testing for Risk Management Framework (RMF), Assessment Test Plan (ATP)" ISBN: 9781626755963.
Developed and taught numerous Information Assurance classes from RMF, Network Security, to Practical Information Assurance and many others.
Invented, developed and implemented:
• The RMF Security Lifecycle tool Cyber Profile™ (CP™), which automates continuous monitoring throughout a system’s lifecycle and produces the Security Authorization Package (SAP) documents and reports. (5th Generation)
• The C&A tool Risk Management System™ (RMS™), which helps users with the C&A workflow and documentation. Made standard throughout the Department of Homeland Security. (4th Generation)
• The vulnerability management tool Enterprise Vulnerability Management™ (EVM™). Made standard throughout the Federal Government by the Office of Management and Budget (OMB). (3rd Generation)
• The C&A tool Security Analyst Workbench™ (SAW™), which helps users with the C&A workflow and documentation. (2nd Generation)
• The security databases tool Total Enterprise Security Service™ (TESS™), which was sold to security professionals. (1st Generation)
Supports NIST’s security working group providing reviews and comments on the development of NIST Special Publications (SP) (i.e., NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems and NIST SP 800-37 Rev 1, Guide for Security Authorization of Federal Information Systems, A Security Life Cycle Approach).
Member of the task group that reviewed and commented on the DoD Information Technology Security Certification and Accreditation Process (DITSCAP) and the DoD Information Assurance Certification and Accreditation Process (DIACAP).
Authored Air Force System Security Instruction (AFSSI) 5024, Volumes 1-4, The Certification and Accreditation (C&A) Process. This is the first official government document that standardized the RMF/C&A Process.
Authored and presented a paper published nationally on an approach for accomplishing certification and authorization (C&A) on information systems at the 16th National Computer Security Conference hosted by National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) and again at the Standard System Center Conference hosted by Air Force Standard System Center.
TABLE OF CONTENTS
CHAPTER 1: INTRODUCTION
Purpose
Why Certify and Accredit?
Relevant Laws That Must Be Adhered To
Authorizing Official’s Liability
Security Authorization Package
Roles and Responsibilities
Authorizing Official (AO)
Authorizing Official (AO) Designated Representative
Common Control Provider
System Owner (SO)
Senior Information Security Officer [or Chief Information Security Officer (CISO)]
Information Systems Security Officer (ISSO)
Security Control Assessor (SCA)
CHAPTER 2: Risk Management Framework (RMF) Process
Phase I: Implementation
Step 1 – Categorize Information System
Step 2 – Select Security Controls
Step 3 – Implement Security Controls
Phase II: Assessment
Step 4 – Assess Security Controls
Phase III: Authorization
Step 5 – Authorize Information System
Phase IV: Continuous Monitoring
Step 6 – Monitor Security Controls
Appendix
Appendix A: AO Authorization Letter
Appendix B: AO Denial Authorization Letter
Appendix C: Acronyms, Abbreviations, and Definitions
Appendix D: Security Authorization Package (SAP)
Appendix E: Chart of NIST SP 800-37 Rev 1
Appendix F: Cyber Profile™ Feature Sheet
Appendix G: Security Laws, Executive Orders, and Directives
Appendix H: References
CHAPTER 1: INTRODUCTION
An authorization of the system is a requirement of the Federal Information Security Management Act of 2002 (FISMA) as