Cybersecurity and Risk Management Framework
The official definition of cybersecurity is, “Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.” – DoDI 8500.01
- Prevent damage, protect, restore
- Cyber Items
- Computers, electronic communications and services, wire communications, electronic communication info
- To Ensure
- Confidentiality, integrity, availability (non-repudiation and authentication)
DoDI 5000.90 requires that program protection planning include cybersecurity. It also identifies two cybersecurity activities, Assess and Authorize, that are applicable within the Defense Acquisition System. DoDI 8500.01, Cybersecurity, defines cybersecurity and describes types of DoD information technology (IT). The DoD IT descriptions are used to determine the scope and applicability of the two cybersecurity activities identified by DoDI 5000.82. A Cybersecurity Strategy is required for all acquisitions of systems containing IT and is included as an appendix to the Program Protection Plan (PPP). The cybersecurity risk management framework for DoD systems, referred to as “the RMF,” is required for all acquisitions containing IT.
DoDI 8510.01, Risk Management Framework (RMF) for DoD Systems, details policies and procedures for implementing the RMF.
Foundational Pillars of Cybersecurity
Cybersecurity has five foundational pillars. The key triad is known as “CIA” – Confidentiality, Integrity, and Availability.
Information is not disclosed to system entities (users, processes, devices) unless they have been authorized to access the information.
The property whereby an entity has not been modified in an unauthorized manner.
Being accessible and usable upon demand by an authorized entity.
Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the information.
Verifying the identity or other attributes claimed by or assumed of an entity (user, process, or device), or to verify the source and integrity of data.
According to DoDI 8510.01, the RMF consists of seven steps for assessing and authorizing DoD information systems and Platform Information Technology (PIT) systems. Each step feeds into the program’s cybersecurity risk assessment that should occur throughout the acquisition lifecycle process. It should be noted that there is an organizational-level RMF step, Prepare, that precedes execution of the RMF at the system-level that sets organization-wide, organizationally-tailored risk management roles, risk management strategy, risk assessment, control baselines, cybersecurity framework (CSF) profiles, common controls, impact level prioritization, and continuous monitoring strategy.
Step 1: Prepare
to execute the RMF from the system-level perspective by leveraging the organizational-level Prepare step to set the context and priorities for privacy and security risk management at the mission and business process and system level of the organization. At the system-level, this step includes:
- Identifying the mission and business functions and processes that the system is intended to support
- Identifying the stakeholders that have an interest in the system
- Identifying and prioritizing the stakeholders’ assets
- Determining the system’s authorization boundary
- Identifying the types of information processed, stored, and transmitted by the system as well as the stages of their information life cycle
- Conducting or updating the system-level Mission-Based Cyber Risk Assessment
- Defining and prioritizing the system security and privacy requirements
- Placing the system within the enterprise architecture
- Allocating system security and privacy requirements to the system and to the environment that the system operates in
- Registering the system for the purposes of management, accountability, coordination, and oversight
Step 2: Categorize
the system in accordance with CNSSI No. 1253
based on the information analyzed, stored, and relayed by the system and an analysis of the impact of potential loss of confidentiality, integrity, and availability to organizational operations and assets, individuals, other organizations, and the Nation with respect to the loss of confidentiality, integrity, and availability of organizational systems. This step includes:
- Documenting the system’s characteristics
- Conducting the system security categorization and documenting its results in the security, privacy, and supply chain risk management plans in a manner that is consistent with the enterprise architecture and the organization’s risk management strategy
Step 3: Select
an initial set of system security and privacy controls
and tailor the controls as necessary to reduce risk to the system to an acceptable level based on a risk assessment. This step includes:
- Selecting, baselining, tailoring, and allocating controls as required to protect the system commensurate with risk
- Controls are allocated to the specific system elements, i.e., machine, physical, or human elements
- Documenting the controls in the system’s security and privacy plans or equivalent documents, which are reviewed and approved by the Authorizing Official (AO)
- Developing a continuous monitoring strategy for the system that reflects the organizational risk management strategy
Step 4: Implement
the controls and describe how the controls are employed within the system and its operating environment. This step includes implementing and changing the controls in the system’s security and privacy plans as required, using applicable systems security and privacy engineering methodologies, and updating those plans as required to reflect the implementation
Step 5: Assess
the controls to determine whether they are being correctly implemented, operating as intended, and producing the desired outcomes in meeting the requirements for security and privacy. This step includes:
- Selecting an security control assessor (SCA) or assessment team with an appropriate level of independence to conduct control assessments
- Developing Security Assessment Plans (SAPs) and providing those plans to the SCA or assessment team in support of the conduct of test events, security, privacy, and supply chain risk assessments
- SAPs should be coordinated with developers and the developmental and operational testers and aligned with, and documented in, the T&E strategy
- SAPs are reviewed by the SCA and approved by the AO
- Conducting control assessments in accordance with the security and privacy assessment plans using automation, previous assessment results, and planned developer, engineering, developmental, and operational test events to the maximum extent possible
- Documenting assessment results, findings, and recommendations in system assessment reports (SARs)
- Taking remediation actions to address deficiencies in the controls implemented in the system and environment of operation and updating the related security and privacy plans for those actions
- Developing a plan of action and milestones (POA&M) detailing remediation plans for unacceptable risks identified in security and privacy assessment reports
Step 6: Authorize
the system based on a determination of whether the risk to organizational operations and assets, individuals, agencies, commands, and the Nation is acceptable, and cyberspace operational commanders’ requirements are met. Final risk determination and authorization decision definitions, e.g., interim authorization to test (IATT), authorization to operate (ATO), ATO with conditions, and denial ATO, and examples are on the RMF Knowledge Service (KS)
. This step includes:
- Developing an authorization package, i.e., SAPs, SARs, POA&Ms, and the authorization decision document (RMF KS provides additional detail)
- A risk determination by the AO that reflects the risk management strategy
- Risk responses for determined risks
- An authorization decision for the system or the common controls is either approved or denied
- Reporting of authorization decisions, significant vulnerabilities, and risk to organizational officials
Step 7: Monitor
the system and associated controls on an ongoing basis in accordance with the continuous monitoring strategy, including monitoring the effectiveness of controls and ongoing testing, documenting system and operating environment changes, conducting control and risk assessments and impact analyses, and reporting on system security, privacy and supply chain risk management posture to the AO and other senior leaders and executives. This step also includes:
- Updating risk management documents based on continuous monitoring activities
- Developing and implementing a system disposal strategy as needed
Cybersecurity RMF Conclusion
As noted above, there are specific documents that are required to support RMF decisions that are in addition to those required by program protection, e.g., Program Protection Plan, Cybersecurity Strategy, etc. However, the analysis supporting the RMF must be aligned to the analysis done by the system security engineer (SSE) and all the SSE specialists, e.g., software and hardware assurance, supply chain risk management, anti-tamper, defense exportability features, physical security, personnel security, etc., for technology and program protection.
Per DoDI 5000.02, cybersecurity applies to all six acquisition pathways of the Adaptive Acquisition Framework (AAF). According to DoDI 5000.90, cybersecurity activities should be initiated as early as possible and fully integrated into the DoD acquisition process, including requirements management, systems engineering, and test and evaluation.
As the integrating process for managing all security risks to a program, technology and program protection and cybersecurity must be aligned. The system security engineer leading program protection efforts must ensure that the security controls that are selected and implemented to fulfill the RMF requirements have a strong engineering basis and are implemented as part of the program's overall technology and program protection program.
For more information about cybersecurity for DoD systems, please consult the DAU Cybersecurity and Acquisition Lifecycle Integration Tool (CALIT).
DoD Main Governing Instructions for Cybersecurity
- WSS 001, Cybersecurity and Acquisition Integration"
- WSS 003, Information System Security Manager (ISSM)
- WSS 004, Strengths, Weaknesses, Opportunities, and Risks
- WSS 005, Program Protection
- WSS 007, Cyber Table Top"
- WSS 008, Controlled Defense Information
- WSS 010, Cyber Training Range
Navigate to the DAU Tools Catalog, then under Topic Area select Cybersecurity then Apply Filters for latest tools.