Continuous Monitoring Plan

RMF Phase 2

James Broad , in Risk Management Framework, 2013

Task 3, Phase 2: Developing a Monitoring Strategy

The organization must develop a continuous monitoring plan for each control that details the volatility and vulnerability of the control, which in turn determines how frequently, and with how much effort, each control's implementation and effectiveness will be reviewed. This task ensures that the system developers have planned for the changes a system will undergo over the life of the information system. To be effective, the organization should establish an organizational continuous monitoring program that monitors security controls on an ongoing basis so that they remain effective across the enterprise. The system developers should build on this organizational program by developing a continuous monitoring strategy for the controls the system is entirely responsible for and, in the case of hybrid controls, for the portion of the control that the system is responsible for maintaining. Common control providers should likewise use the organizational plan as the base for their control set's continuous monitoring strategy. In this way, the overarching organizational continuous monitoring program is supplemented and reinforced by the common control provider's and information system owner's plans, while the common control provider and information system owner gain structure and guidance from the organization's plan.

Many people are confused about continuous monitoring and incorrectly believe that the continuous monitoring strategy and plan should cover only technical controls. Not only is this incorrect, it can also leave systems and programs unprotected from the full range of threats and reduce the RMF's ability to shorten reauthorization timelines. To be effective, the organization's continuous monitoring strategy and the CCP's or information system's continuous monitoring program should monitor all of the controls listed in the system's SCTM, and the organization should monitor all of the controls required across the enterprise in every class of control: technical, operational, and managerial. NIST has published Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, SP 800-137, which describes how to develop a continuous monitoring program for a system or organization.

The system owner and common control provider, with help from the risk executive (function), authorizing official, chief information officer, senior information security officer, information owner, and information systems security officer, develop a plan to monitor the security controls employed within or inherited by the information system. The common control provider is responsible for continuously monitoring the controls that have been approved to be offered for inheritance, and the information owner is responsible for continuously monitoring the controls that are not inherited, or that are inherited and reinforced (hybrid controls). To be most effective, this plan should be developed early in the system's development life cycle, normally in the design phase or the COTS procurement process. System development decisions should be based on the overall cost of developing and maintaining the system over time. For these decisions to be sound, organizational decision-makers and budget officials must know not only the cost of developing the system but also the cost of operating and maintaining (O&M) the system over time, including developing and monitoring security controls. The O&M estimate must include the cost of security control monitoring in order to give a full picture of the system's overall cost to the organization. In some cases, the cost of correctly implementing a continuous monitoring program alone can make a system too costly to justify continued development.

The continuous monitoring program can give system managers and organizational leadership a view of the state of evolving vulnerabilities and threats, as well as changes in the system's mission or technology as they relate to the system's implementation of the required security controls. The information provided by the continuous monitoring program allows leadership, including the authorizing official, to remain aware of the risk posture of the information system as it impacts the risk status for the organization. Updates can be done with output from the continuous monitoring program and input from the risk executive (function).

According to NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems, an effective continuous monitoring program includes: "(i) configuration management and control processes; (ii) security impact analyses on proposed or actual changes to the information system and its environment of operation; (iii) assessment of selected security controls employed within and inherited by the information system (including controls in dynamic subsystems); and (iv) security status reporting to appropriate organizational officials."

The program should define how each control in the SCTM will be monitored and how often. This frequency should be based on the security control's volatility, that is, the length of time the control can be assumed to remain in place and working as planned between reviews. A security impact analysis can help the organization determine the monitoring strategy and the interval between reviews of a control. Additionally, organizational historical documentation, including records of past security breaches or security incidents, can help determine how frequently each control will be monitored.

Many times, organizational leadership, including the agency or organizational leader, the chief information officer, the authorizing official, or the chief information security officer will identify controls that require a higher level of monitoring, such as depth of monitoring and frequency, based on organizational mission or threat.

The continuous monitoring plan also evaluates system changes implemented on the system to ensure that they do not constitute a security-relevant change that will require the information system to undergo a reauthorization, nullifying the current ATO. While this is normally monitored through the system or organization's configuration or change management plan, the continuous monitoring program is an excellent check and balance to the organization's configuration/change management program.

Once the continuous monitoring plan's development is complete, the authorizing official or a designated representative reviews the plan for completeness, noting any deficiencies. If the plan is acceptable, the AO can approve it. If, however, there are significant deficiencies, the AO can return the plan to the information system owner or common control provider for corrections. The authorizing official also ensures that the plan does not place unnecessary or unrealistic burdens on the organization by requiring reauthorization of the information system each time a subsystem is added or removed in a way that has not compromised the accepted security posture of the overall system. Based on this authorization, the level and frequency of continuous monitoring for each control is defined, allowing the system developers and engineers to begin incorporating the monitoring plan into the system development and O&M plans.
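As an added illustration of the planning rules described above (this is example code written for this page, not code from the book), the following Python model represents one row of a continuous monitoring plan per SCTM control, derives each control's review interval from its volatility, lets leadership tighten (but never loosen) that interval, shortens it further for controls with documented past incidents, and reports which controls are due for review on a given date. The volatility-to-interval table, the halving rule for past incidents, the seven-day floor, and the sample control entries are all constructed assumptions; an organization sets its own values in its approved plan.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed default review intervals by control volatility (days). These values
# are assumptions for the example; each organization sets its own in its plan.
VOLATILITY_INTERVAL_DAYS: Dict[str, int] = {
    "high": 30,     # control state changes often (patch levels, account lists)
    "medium": 90,
    "low": 365,     # stable controls such as policy documents
}
MIN_INTERVAL_DAYS = 7  # assumed floor so incident-driven shortening stays practical


@dataclass
class ControlMonitoringEntry:
    """One row of the continuous monitoring plan: a control from the SCTM."""
    control_id: str                      # e.g. "AC-2" (hypothetical sample IDs)
    control_class: str                   # "technical", "operational" or "managerial"
    volatility: str                      # "high", "medium" or "low"
    last_reviewed: date
    leadership_interval_days: Optional[int] = None  # tighter interval set by AO/CIO/CISO
    incidents: List[str] = field(default_factory=list)  # past incidents involving this control

    def review_interval_days(self) -> int:
        """Interval between reviews, from volatility, leadership direction and history."""
        interval = VOLATILITY_INTERVAL_DAYS[self.volatility]
        # Leadership may demand more frequent monitoring for mission or threat
        # reasons; the override is only allowed to shorten the interval.
        if self.leadership_interval_days is not None:
            interval = min(interval, self.leadership_interval_days)
        # Assumed rule: each documented past incident halves the interval, down to the floor.
        for _ in self.incidents:
            interval = max(MIN_INTERVAL_DAYS, interval // 2)
        return interval

    def next_review(self) -> date:
        return self.last_reviewed + timedelta(days=self.review_interval_days())


def controls_due(plan: List[ControlMonitoringEntry], as_of: date) -> List[str]:
    """IDs of controls whose next review falls on or before as_of, most overdue first."""
    due = [(e.next_review(), e.control_id) for e in plan if e.next_review() <= as_of]
    return [control_id for _, control_id in sorted(due)]


def class_coverage(plan: List[ControlMonitoringEntry]) -> Dict[str, bool]:
    """Flag whether the plan covers each class of control, not just the technical ones."""
    present = {e.control_class for e in plan}
    return {c: c in present for c in ("technical", "operational", "managerial")}


# Constructed sample plan (control IDs follow the NIST SP 800-53 naming style).
SAMPLE_PLAN = [
    ControlMonitoringEntry("AC-2", "technical", "high", date(2024, 1, 1)),
    ControlMonitoringEntry("CM-6", "technical", "medium", date(2023, 12, 1), leadership_interval_days=45),
    ControlMonitoringEntry("AT-2", "operational", "low", date(2023, 6, 1)),
    ControlMonitoringEntry("PL-2", "managerial", "low", date(2023, 3, 1), incidents=["2023-02 policy lapse"]),
]
AS_OF = date(2024, 1, 20)  # constructed "today" for the sample run

if __name__ == "__main__":
    for entry in SAMPLE_PLAN:
        print(f"{entry.control_id}: every {entry.review_interval_days()} days, next {entry.next_review()}")
    print("due:", controls_due(SAMPLE_PLAN, AS_OF))      # ['PL-2', 'CM-6']
    print("class coverage:", class_coverage(SAMPLE_PLAN))
```

The `class_coverage` check is there because of the common mistake noted earlier: a plan that lists only technical controls will show `operational` or `managerial` as `False`, which is the signal to go back to the SCTM before the AO reviews the plan.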

Organizational leadership may determine that the required continuous monitoring plan is too costly for the organization. If so, the leadership, including the AO, needs to determine whether the organization's risk posture allows the system to operate without continuous monitoring of the controls in question. If the risk posture does not allow this, the information system may need to be re-engineered or its development canceled.

Once the system's continuous monitoring plan has been developed, finalized, and approved, this information is added to the security documentation, either in the SSP itself or as an attachment.

Full chapter: https://www.sciencedirect.com/science/article/pii/B9781597499958000107

Strategies for continuous monitoring

Matthew Metheny , in Federal Cloud Computing (Second Edition), 2017

CM Program

Although more tactically focused, the organization's CM program facilitates the implementation of the CM strategy. The scope of the program should be designed to ensure that sufficient security-related information is produced to support risk-based decisions. This is accomplished by defining metrics and frequencies of monitoring and assessment that produce the needed information. The development of a Continuous Monitoring Plan facilitates the implementation of the CM program. The Continuous Monitoring Plan also addresses the integration of CM activities and metrics in support of the CM strategy by identifying the security controls that must be monitored to ensure their effectiveness over time.

As previously mentioned, metrics provide a guide for collecting security-related information. The types of metrics defined for the organization reflect the security objectives of the organization, its mission/business processes, and/or its information systems. Metrics can be defined at any organizational tier. Therefore, where the frequency of monitoring is not consistent across the organizational tiers, the organization needs to ensure that each tier's frequency is linked to the security-related information requirements it is meant to serve.

Full chapter: https://www.sciencedirect.com/science/article/pii/B9780128097106000123

RMF Phase 6

James Broad , in Risk Management Framework, 2013

Phase 6, Task 4: Updating the Security Documentation

The information regarding the control weakness is entered into the system's plan of action and milestones (POA&M), ensuring that the details of the control's deficiency, methods of correction, required milestones, completion date, and resources are noted. Again, it is important that the updated information does not remove findings documented earlier in the POA&M, so that the audit trail remains intact. The system owner also ensures that the system security plan is updated to reflect the current security posture of the system and details the manner in which the required security controls are implemented. The updated SSP, SAR, and POA&M are presented to the authorizing official or the official's designated representative for review. The AO, with the assistance of the risk executive (function), determines the impact of the deficiency on the organization and whether the deficiency creates a situation that invalidates the information system's ATO.

In addition to scheduled assessments conducted by independent assessors, the system owner can conduct self-assessments at any time, based on the system's continuous monitoring plan, to evaluate the status of a security control or set of controls. Under approval from the configuration control board, the system may be modified in minor or significant ways. The results of these self-assessments and modifications require that the system's documentation, including the security plan, be updated as these changes occur. It is important to note that the system's self-assessments cannot be used to update the POA&M or SAR. For these documents to be updated, the organization's independent assessors must reassess the deficient controls and validate that they are working as designed and providing the required level of protection.

The frequency of updates to the risk-related information for the information system is determined by the authorizing official and the information system owner. When determining this frequency, care must be taken to ensure that the organization remains compliant with laws and regulations such as FISMA, which requires that certain controls be assessed annually. Updates to the risk picture should take full advantage of automated tools, which can increase the efficiency of control assessments. Additionally, system- and organization-wide programs and policies should be leveraged to ensure that the organization's control allocation has been done in the most effective manner possible. This, in turn, ensures that common, system, and hybrid controls are in place, effective, and working as designed, while being maintained in the most efficient manner. The use of common controls reduces the duplication of effort in implementing, managing, and assessing a control that is centrally provided by the organization.

Throughout this task, it is important to accurately track in a change control log when updates to the SSP, SAR, and POA&M are made. The initial information in the SAR and POA&M should not be deleted but simply updated to reflect the current status of the system. In the POA&M, corrected deficiencies should remain; however, the correction should be noted, the finding that was documented as corrected closed out, and information on the independent assessor who validated the correction recorded. These steps ensure transparency, maintain accountability, and can be used to track growing threats and trends as they develop.
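The documentation rules in the last three paragraphs (findings are never deleted, self-assessments cannot update the POA&M, a finding is closed only after an independent assessor validates the correction, and every update goes into a change control log) are easy to state and easy to violate in a spreadsheet. As an added example, not taken from the book, the following Python code models a single POA&M finding with an append-only history and an `apply_update` function that enforces those rules, then walks a constructed finding from SAR entry to closure. The weakness and control identifiers, the actor names, and the rule that a closed finding stays unchanged (a recurrence gets a new finding) are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Who is recording the update. A self-assessment can never update the POA&M,
# and only an independent assessor can close a finding.
SYSTEM_OWNER = "system_owner"
SELF_ASSESSMENT = "self_assessment"
INDEPENDENT_ASSESSOR = "independent_assessor"


@dataclass(frozen=True)
class StatusChange:
    on: date
    status: str                         # "open", "in_progress" or "closed"
    note: str
    recorded_by: str
    validated_by: Optional[str] = None  # independent assessor who validated a closure


@dataclass
class POAMItem:
    """A POA&M finding. History is append-only; earlier entries are never removed."""
    weakness_id: str
    control_id: str
    description: str
    correction_method: str
    milestones: List[str]
    scheduled_completion: date
    resources: str
    history: List[StatusChange] = field(default_factory=list)

    @property
    def status(self) -> str:
        return self.history[-1].status if self.history else "open"


def apply_update(item: POAMItem, change: StatusChange, source: str,
                 change_log: List[str]) -> Tuple[bool, str]:
    """Append a status change if the audit-trail rules allow it.

    Returns (accepted, reason). A rejected update leaves the item and log untouched.
    """
    if source == SELF_ASSESSMENT:
        return False, "self-assessment results cannot update the POA&M"
    if item.status == "closed":
        # Assumed rule: a closed finding is retained as-is; a recurrence is a new finding.
        return False, "closed findings are retained unchanged"
    if change.status == "closed" and (source != INDEPENDENT_ASSESSOR or not change.validated_by):
        return False, "closing requires independent assessor validation"
    item.history.append(change)
    change_log.append(
        f"{change.on.isoformat()} POA&M {item.weakness_id} ({item.control_id}) "
        f"-> {change.status} by {change.recorded_by}"
        + (f", validated by {change.validated_by}" if change.validated_by else "")
    )
    return True, "recorded"


def run_sample() -> Tuple[POAMItem, List[str], List[bool]]:
    """Constructed walk-through of one finding from SAR entry to closure."""
    change_log: List[str] = []
    item = POAMItem(
        weakness_id="W-001", control_id="CM-6",   # hypothetical identifiers
        description="Baseline configuration not enforced on web tier",
        correction_method="Apply approved baseline and enable drift reporting",
        milestones=["Update baseline", "Deploy", "Verify drift reporting"],
        scheduled_completion=date(2023, 12, 15),
        resources="2 staff-weeks",
    )
    # The initial entry comes from the independent assessor's SAR finding.
    apply_update(item, StatusChange(date(2023, 9, 1), "open", "Finding from SAR", "assessor-A"),
                 INDEPENDENT_ASSESSOR, change_log)
    attempts = [
        (StatusChange(date(2023, 10, 1), "in_progress", "Baseline updated", "sys-owner"), SYSTEM_OWNER),
        (StatusChange(date(2023, 11, 1), "closed", "Self-assessed as fixed", "sys-owner"), SELF_ASSESSMENT),
        (StatusChange(date(2023, 11, 15), "closed", "Owner considers fixed", "sys-owner"), SYSTEM_OWNER),
        (StatusChange(date(2023, 12, 1), "closed", "Reassessed; control working as designed",
                      "assessor-B", validated_by="assessor-B"), INDEPENDENT_ASSESSOR),
        (StatusChange(date(2024, 1, 5), "in_progress", "Late edit attempt", "sys-owner"), SYSTEM_OWNER),
    ]
    accepted = [apply_update(item, change, source, change_log)[0] for change, source in attempts]
    return item, change_log, accepted


if __name__ == "__main__":
    finding, log, accepted = run_sample()
    print("accepted:", accepted, "final status:", finding.status)  # [True, False, False, True, False] closed
    print("\n".join(log))
```

Only the owner's progress note and the independent assessor's validated closure are recorded; the self-assessment and the owner's own attempt to close the finding are refused, and the closed finding keeps its full three-entry history and the matching change control log entries.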

Full chapter: https://www.sciencedirect.com/science/article/pii/B9781597499958000144

FedRAMP primer

Matthew Metheny , in Federal Cloud Computing (Second Edition), 2017

FedRAMP Policy Memo

The FedRAMP "Policy Memo" established the governing federal policy for the secure adoption and government-wide use of cloud services. The memorandum describes the framework for implementing the FedRAMP components, which includes:

A standard set of security requirements for provisional authorization and ongoing monitoring;

A conformity assessment program for third-party assessment;

An assembly of security experts from across government to review authorization documents to support the risk-based decisions by the Joint Authorization Board (JAB);

Standardized contract language that integrates FedRAMP requirements into the federal government acquisition process; and

An authoritative central repository for storing authorization documents.

As illustrated in Fig. 8.1, the FedRAMP "Policy Memo" is represented at the top of the FedRAMP document hierarchy, providing the highest level of governance. The governance processes defined in the FedRAMP Security Assessment Framework (SAF), previously the FedRAMP Concept of Operations (CONOPS), are supported by the foundational elements, which include: (i) security assessment templates and guidelines; (ii) the Third Party Assessment Organization (3PAO) program description and application; and (iii) the three parallel ongoing monitoring mechanisms (automated/manual data feeds, annual attestation, and event/incident handling). The foundational elements provide the FedRAMP PMO with the key functions needed to meet the operating capability for the program.

Figure 8.1. Document hierarchy [4].

The scope of coverage for the FedRAMP "Policy Memo" is inclusive of almost all cloud services, regardless of the service and deployment models or whether the cloud service is commercial or noncommercial. In addition, the memorandum applies government-wide, with the exception of the following conditions, in which the requirements under FISMA still apply:

A private cloud deployment model;

On-premises (i.e., within a Federal facility); and

Cloud services are not provided to any external entity.

Full chapter: https://www.sciencedirect.com/science/article/pii/B9780128097106000081

Applying the NIST risk management framework

Matthew Metheny , in Federal Cloud Computing (Second Edition), 2017

Security Controls Assessment

The security controls implemented and documented in the previous steps are essential components for conducting an effective assessment. The security controls assessment step in the NIST RMF (Step 4) involves the preparation, execution, and reporting of the effectiveness of the security controls in the information system. This section summarizes the assessment-related tasks in Table 5.8. The assessment tasks depend on close collaboration and cooperation between the security assessor and the organization to ensure that an appropriate level of depth and coverage is applied when evaluating the effectiveness of the security controls against the organization's identified assurance requirements.

Table 5.8. NIST RMF Step 4 Activities [3]

Task | Name | Activities | References
-----|------|------------|-----------
4-1 | Assessment preparation | Develop, review, and approve a plan to assess the security controls | NIST SP 800-53A
4-2 | Security control assessment | Assess the security controls in accordance with the assessment procedures defined in the security assessment plan | NIST SP 800-53A; NIST SP 800-115
4-3 | Security assessment report | Prepare the security assessment report documenting the issues, findings, and recommendations from the security control assessment | NIST SP 800-53A
4-4 | Remediation actions | Conduct the initial remediation actions on security controls based on the findings and recommendations of the security assessment report; reassess remediated control(s), as appropriate | NIST SP 800-30; NIST SP 800-53A

Assessment Preparation

Prior to beginning the assessment activities, expectations should be appropriately set through the development of a security assessment plan (SAP). Preparatory activities should be planned together, by the organization undergoing the assessment and the provider conducting the assessment, to limit any unexpected issues and to gain a clear understanding of the level of effort required. Fig. 5.12 provides an example list of preparatory activities that guide the completion of the assessment plan. In addition, the organization should also provide the security assessor with the following types of information:

Figure 5.12. Security controls assessment process [16].

Organizational chart (or description of organizational personnel responsible for security policies and procedures);

Policies and procedures that relate to the information system;

Organizational chart (or description of organizational personnel responsible for security control implementation); and

Artifacts, where available, that provide an understanding of security controls such as the security plan, risk assessment, continuous monitoring plan, plan of action and milestones (POA&Ms), accreditation decision letter (if already under an existing accreditation), privacy impact assessment (PIA), contingency plan, configuration management plan, security configuration checklists, and/or interconnection system agreements (ISAs, MOU (Memorandum of Understanding), contracts, etc.).

Security Assessment Plan

Planning activities are critical for the success of the security assessment. The SAP, developed by the security assessor, should be reviewed and approved by the organization based on an agreement of what is in scope for the assessment. Similar to Step 2, where the organization selects, tailors, and supplements security controls to be implemented, the security assessor should perform similar activities by selecting, tailoring, and supplementing assessment procedures that address the organization's specific assurance requirements.

Tip

Select, Tailor, Customize, Optimize

As a guide, and to improve the effectiveness in executing assessments, an assessor should seek to find ways to save time and money when conducting assessments through the following steps [16]:

Select assessment methods and objects that match the assurance requirements.

Select the appropriate depth and coverage attributes.

Identify common controls to reduce redundancy and duplication of effort.

Customize security-specific assessment procedures to closely match the operating environment (utilizing supplemental guidance in the NIST Security Controls Catalog to establish the intent of the security control).

Identify assessment results that are applicable for reuse (previous assessments) or that can be obtained more efficiently by sequencing the current assessment.

Adjust assessment procedures to accommodate external service providers based on contracts or service-level agreements.

Develop assessment procedures for custom security controls.

Identify areas where assessment procedures can be combined and consolidated to maximize cost savings without compromising quality.

Assessing Security Controls

Conducting security assessments, which will be discussed in more detail in later chapters, is described briefly in this section. The security assessment execution is primarily organized and executed by the security assessor, with the organization's support. Therefore, the key focus will be on making the assurance case.

When conducting the security assessment, the security assessor needs to obtain evidence that supports an objective determination of security control effectiveness, based on the criteria (i.e., expected input, behavior, and outcome) identified in the assessment procedures. Since the key focus is on making the assurance case, the evidence should come directly from the information system or operating environment, or from a third-party evaluation of the product or technology such as a Common Criteria evaluation. In addition, automated tools and techniques can be used to improve the quality of the security assessment by increasing the sample size and coverage.

Reporting Assessment Results

Reporting on the security control assessment results, including any issues, weaknesses and deficiencies, and recommendations, is performed through the security assessment report (SAR). The SAR works together with the security plan (including the risk assessment) and POA&Ms to provide an overall picture of the security state and risk posture of the information system. The specific reporting format for security assessment results is organizationally dependent, but it should provide enough detail to enable the authorizing official to make a credible, risk-based decision. In addition to findings, the SAR also includes key recommendations for addressing the findings. Evidence produced during the security assessment should be retained by the organization for reuse in future security assessment-related activities, through either manual or automated consumption.

Full chapter: https://www.sciencedirect.com/science/article/pii/B9780128097106000056