You've heard us call Special Publication 800-37 a framework, right? It's the Risk Management Framework, RMF. So why isn't it called the Risk Management Checklist? After all, aren't organizations expected to complete all the steps and tasks in the RMF, apart from the ones that are clearly labeled as optional? Well, yes. However, organizations have significant flexibility in how each of the RMF steps and tasks is carried out, as long as organizations are meeting all applicable requirements and effectively managing security and privacy risk. That's why 800-37 is a risk management framework and not a risk management checklist.

The intent is to allow organizations to implement the RMF in the most efficient, effective and cost-effective manner to support mission and business needs in a way that promotes effective security and privacy. Ultimately, however you tailor RMF, you've got to accomplish your mission, whatever that is. Flexible implementation may include completing tasks in a non-sequential order, emphasizing certain tasks over other tasks, or combining certain tasks wherever appropriate. You can also use the Cybersecurity Framework to enhance RMF task execution, particularly step seven, which is called monitoring.

The flexibility of implementation can also be applied to control selection, control tailoring to meet organizational security and privacy needs, or conducting control assessments. For example, the selection, tailoring, implementation, and assessment of controls can be done incrementally as a system is being developed rather than all at one time before it goes into production.

But this flexibility can also present a great challenge to people who are inexperienced or have been taught a very rigid interpretation of RMF, or people who just simply have not been trained as to how to do the tailoring. And some people are just simply more comfortable following a checklist. After all, checklists are great tools, especially when safety is concerned. Also, there's a risk with the flexibility of implementation, as people try to tailor RMF for their situation, that they might make some big mistakes. Maybe they leave out things that they really shouldn't leave out. Now, this kind of error could actually increase the risk to the system rather than decrease it, which is what we really want. Be sure to send big tailoring decisions to the authorizing official to help make sure it's the best choice for the system.

Now, even though I've just spent time during this lesson telling you that RMF is flexible, there are some real challenges to using it in the real world because it lacks enough flexibility in the right places. For example, RMF can be difficult to use with legacy systems, and that's because RMF inherently assumes that the system is new or that it's still being actively enhanced. But many of the systems in the federal government are legacy and are only being changed when absolutely necessary, and that means it's very difficult or even impossible to make engineering and design changes to support the RMF requirements. For example, there are systems in the Department of Defense that were designed and deployed in the 1960s and 1970s that can only accept a six-character password. And so when you take something that can only store a six-character password, and you try to say, well, you have to put a 14-character password on that account, how much development expense is reasonable to change the system so that it can handle the increased character length of a password?

Another RMF assumption that's actually quite rigid is that the system is not currently breached. Many of our current cybersecurity concerns really need to focus on an assumed-breach scenario, but of course, in practice an advanced persistent threat might have silently gained access to a system that's already operating, and unfortunately, RMF is silent on this problem. But the Cybersecurity Framework isn't silent on that issue because it assumes breach. So here's another justification to use the Cybersecurity Framework with RMF.