1
00:00:00,090 --> 00:00:00,923
Welcome to this course
2
00:00:00,923 --> 00:00:04,980
on the NIST Risk Management Framework, known as the RMF.
3
00:00:04,980 --> 00:00:06,630
In this course, you're going to learn all
4
00:00:06,630 --> 00:00:08,610
about the NIST Risk Management Framework
5
00:00:08,610 --> 00:00:11,490
and how it's used to help integrate security, privacy
6
00:00:11,490 --> 00:00:14,070
and cyber supply chain risk management activities
7
00:00:14,070 --> 00:00:16,470
into the system development life cycle.
8
00:00:16,470 --> 00:00:18,690
The Risk Management Framework was created by the
9
00:00:18,690 --> 00:00:21,060
National Institute of Standards and Technology
10
00:00:21,060 --> 00:00:22,050
known as NIST
11
00:00:22,050 --> 00:00:24,180
to help provide a risk-based approach to
12
00:00:24,180 --> 00:00:27,030
control selection and help manage organizational risk
13
00:00:27,030 --> 00:00:29,760
for large organizations across the globe.
14
00:00:29,760 --> 00:00:32,100
RMF, unlike some other frameworks,
15
00:00:32,100 --> 00:00:34,140
was designed to be applied to both newer systems
16
00:00:34,140 --> 00:00:35,070
being fielded,
17
00:00:35,070 --> 00:00:36,870
as well as older legacy systems
18
00:00:36,870 --> 00:00:40,320
that still remain in use today across our organizations.
19
00:00:40,320 --> 00:00:42,240
The Risk Management Framework can be applied
20
00:00:42,240 --> 00:00:44,580
to any type of system or technology as well
21
00:00:44,580 --> 00:00:47,430
whether it's an end user's workstation, a web server,
22
00:00:47,430 --> 00:00:50,430
a database cluster, a cloud-based server environment,
23
00:00:50,430 --> 00:00:53,160
a supervisory control and data acquisition system,
24
00:00:53,160 --> 00:00:54,570
an internet of things device,
25
00:00:54,570 --> 00:00:58,380
or really any other type of computing device or system.
26
00:00:58,380 --> 00:01:02,100
RMF is also designed to be flexible and scalable
27
00:01:02,100 --> 00:01:06,360
so you can use it with organizations both large and small.
28
00:01:06,360 --> 00:01:10,230
Personally, I've used RMF in some small organizations
29
00:01:10,230 --> 00:01:12,510
with only a few dozen employees
30
00:01:12,510 --> 00:01:14,940
as well as inside of others
31
00:01:14,940 --> 00:01:17,880
that had tens of thousands of employees
32
00:01:17,880 --> 00:01:21,150
and it can be scaled upward and downward as needed
33
00:01:21,150 --> 00:01:24,570
to provide the proper governance and risk management,
34
00:01:24,570 --> 00:01:26,220
regardless of your organization's
35
00:01:26,220 --> 00:01:30,150
size, scope, industry or sector.
36
00:01:30,150 --> 00:01:32,490
Now, to help you get the most out of the framework
37
00:01:32,490 --> 00:01:35,280
we're going to move through not just the theory
38
00:01:35,280 --> 00:01:37,650
of how each of the seven steps
39
00:01:37,650 --> 00:01:41,070
in the Risk Management Framework might be used
40
00:01:41,070 --> 00:01:43,110
according to a textbook definition,
41
00:01:43,110 --> 00:01:46,560
but we'll also dive into how each step is applied
42
00:01:46,560 --> 00:01:48,060
in the real world
43
00:01:48,060 --> 00:01:50,790
to make sure that you walk away from this course
44
00:01:50,790 --> 00:01:52,500
with a good understanding of how
45
00:01:52,500 --> 00:01:55,680
you can implement the Risk Management Framework inside
46
00:01:55,680 --> 00:01:57,663
of your own organization.
47
00:01:58,530 --> 00:01:59,730
First, we're going to begin
48
00:01:59,730 --> 00:02:01,800
by introducing the Risk Management Framework
49
00:02:01,800 --> 00:02:03,690
by providing an overview of RMF
50
00:02:03,690 --> 00:02:05,940
and briefly looking at each of its seven steps
51
00:02:05,940 --> 00:02:07,620
so that you can get a high level overview
52
00:02:07,620 --> 00:02:10,980
of what RMF is and how it's going to be used.
53
00:02:10,980 --> 00:02:13,260
Then we're going to move into some important details
54
00:02:13,260 --> 00:02:15,570
concerning information security and privacy,
55
00:02:15,570 --> 00:02:18,480
and how those are integrated together into RMF.
56
00:02:18,480 --> 00:02:20,940
Also, we'll talk about authorization boundaries
57
00:02:20,940 --> 00:02:23,730
for a given system and how they're going to be created.
58
00:02:23,730 --> 00:02:25,770
We're also going to be discussing how supply chain
59
00:02:25,770 --> 00:02:27,630
risk management is implemented inside
60
00:02:27,630 --> 00:02:29,300
of the Risk Management Framework
61
00:02:29,300 --> 00:02:31,680
so you can better understand that process as well.
62
00:02:31,680 --> 00:02:33,120
Then we're going to be taking a look
63
00:02:33,120 --> 00:02:34,920
at how flexible RMF can be
64
00:02:34,920 --> 00:02:35,753
and we're going to discuss
65
00:02:35,753 --> 00:02:37,380
the different requirements and controls
66
00:02:37,380 --> 00:02:39,600
and the difference between these two concepts
67
00:02:39,600 --> 00:02:42,540
because most people get these two vital areas confused
68
00:02:42,540 --> 00:02:44,010
when they're trying to select and implement
69
00:02:44,010 --> 00:02:47,070
various controls for their IT systems.
70
00:02:47,070 --> 00:02:50,190
Next, we're going to look at each of the seven steps
71
00:02:50,190 --> 00:02:53,160
of the Risk Management Framework in more depth
72
00:02:53,160 --> 00:02:56,070
including how to prepare your organization
73
00:02:56,070 --> 00:03:00,000
and your system for the RMF process,
74
00:03:00,000 --> 00:03:01,680
how to categorize your system,
75
00:03:01,680 --> 00:03:03,450
how to select your controls,
76
00:03:03,450 --> 00:03:06,120
how to implement those selected controls,
77
00:03:06,120 --> 00:03:08,880
how to assess those same controls,
78
00:03:08,880 --> 00:03:11,970
how to gain authorization to operate your system
79
00:03:11,970 --> 00:03:14,970
and how to monitor the system over time
80
00:03:14,970 --> 00:03:18,720
to ensure it's operating as expected.
81
00:03:18,720 --> 00:03:20,160
As we dive into each step,
82
00:03:20,160 --> 00:03:23,070
we'll cover not just the theory or details
83
00:03:23,070 --> 00:03:26,020
from the Risk Management Framework documentation
84
00:03:27,110 --> 00:03:30,750
but we'll also share our decades of experience with you
85
00:03:30,750 --> 00:03:33,060
by pointing out the common pitfalls,
86
00:03:33,060 --> 00:03:36,900
landmines and errors that people commonly make
87
00:03:36,900 --> 00:03:40,530
when implementing RMF in the real world.
88
00:03:40,530 --> 00:03:43,200
After that, we'll cover some other topics
89
00:03:43,200 --> 00:03:46,570
that are important to understand when implementing RMF
90
00:03:47,664 --> 00:03:49,560
including how you can automate RMF
91
00:03:49,560 --> 00:03:54,330
an introduction to eMASS, which is an acronym, and it stands
92
00:03:54,330 --> 00:03:58,420
for the Enterprise Mission Assurance Support Service
93
00:03:59,960 --> 00:04:03,060
which is software that's used to collect data for RMF
94
00:04:03,060 --> 00:04:05,820
and helps you navigate the entire process
95
00:04:05,820 --> 00:04:07,260
and we're going to tell you
96
00:04:07,260 --> 00:04:10,530
how you can combine the Risk Management Framework
97
00:04:10,530 --> 00:04:13,380
with the NIST Cybersecurity Framework,
98
00:04:13,380 --> 00:04:15,363
which we'll call CSF,
99
00:04:16,534 --> 00:04:18,540
to gain additional efficiencies.
100
00:04:18,540 --> 00:04:21,480
We'll also teach you how you can use both of them
101
00:04:21,480 --> 00:04:24,903
to increase the overall security of your systems.
102
00:04:25,890 --> 00:04:27,510
So whether you're taking this course
103
00:04:27,510 --> 00:04:30,090
to simply learn about the NIST Risk Management Framework
104
00:04:30,090 --> 00:04:31,410
or you're taking this course
105
00:04:31,410 --> 00:04:33,030
to learn how to implement the framework
106
00:04:33,030 --> 00:04:34,770
inside of your organization,
107
00:04:34,770 --> 00:04:36,660
this course has been designed specifically
108
00:04:36,660 --> 00:04:39,330
to teach you the entire NIST Risk Management Framework
109
00:04:39,330 --> 00:04:41,610
and how to apply it in the real world.
110
00:04:41,610 --> 00:04:43,530
Before we dive into the course materials
111
00:04:43,530 --> 00:04:45,360
let me provide you with a quick introduction
112
00:04:45,360 --> 00:04:47,400
to the NIST Risk Management Framework.
113
00:04:47,400 --> 00:04:49,980
After all, if your boss enrolled you in this course
114
00:04:49,980 --> 00:04:50,970
you may not even know what
115
00:04:50,970 --> 00:04:52,980
the NIST Risk Management Framework is
116
00:04:52,980 --> 00:04:55,020
and what it's going to be used for.
117
00:04:55,020 --> 00:04:58,230
The NIST Risk Management Framework helps organizations
118
00:04:58,230 --> 00:05:00,870
implement a tried-and-true process
119
00:05:00,870 --> 00:05:05,130
for the preparation, categorization, selection,
120
00:05:05,130 --> 00:05:10,080
implementation, assessment, authorization, and monitoring
121
00:05:10,080 --> 00:05:14,610
of a given system and its associated security controls.
122
00:05:14,610 --> 00:05:18,963
But I guess that begs the question, what is a framework?
123
00:05:20,125 --> 00:05:20,958
Well, a framework
124
00:05:20,958 --> 00:05:23,280
in the cybersecurity discipline
125
00:05:23,280 --> 00:05:26,160
is a collection of best practices or guidelines
126
00:05:26,160 --> 00:05:28,140
that an organization should follow
127
00:05:28,140 --> 00:05:31,620
to manage its cybersecurity risk posture.
128
00:05:31,620 --> 00:05:34,050
Most cybersecurity frameworks have the goal
129
00:05:34,050 --> 00:05:38,010
of reducing the organization's exposure to cyber attacks
130
00:05:38,010 --> 00:05:40,500
by identifying the areas that are most
131
00:05:40,500 --> 00:05:43,713
at risk of being exploited by a threat actor.
132
00:05:44,640 --> 00:05:46,380
The NIST Risk Management Framework is just
133
00:05:46,380 --> 00:05:48,450
one cybersecurity framework available,
134
00:05:48,450 --> 00:05:52,050
but it is by far one of the most popular and widely used.
135
00:05:52,050 --> 00:05:53,850
Other competing frameworks include the
136
00:05:53,850 --> 00:05:56,700
NIST Cybersecurity Framework, known as CSF,
137
00:05:56,700 --> 00:05:58,400
the Center for Internet Security's
138
00:05:59,344 --> 00:06:00,177
Critical Security Controls
139
00:06:00,177 --> 00:06:01,010
known as CIS
140
00:06:01,010 --> 00:06:03,240
and the International Standards Organization's frameworks
141
00:06:03,240 --> 00:06:07,973
included inside the ISO/IEC 27001 and 27002.
142
00:06:09,210 --> 00:06:10,360
For this course, though
143
00:06:11,662 --> 00:06:12,495
we're going to be focused almost exclusively
144
00:06:12,495 --> 00:06:13,426
on the NIST Risk Management Framework
145
00:06:13,426 --> 00:06:16,950
in some of our discussions and planned implementations
146
00:06:16,950 --> 00:06:19,320
but we're also going to spend a little bit of time
147
00:06:19,320 --> 00:06:22,020
covering how you can integrate the Risk Management Framework
148
00:06:22,020 --> 00:06:24,720
with the NIST Cybersecurity Framework as well,
149
00:06:24,720 --> 00:06:27,120
because they do work very well together.
150
00:06:27,120 --> 00:06:28,290
Now, hopefully you're excited
151
00:06:28,290 --> 00:06:29,160
to begin learning all
152
00:06:29,160 --> 00:06:31,080
about the NIST Risk Management Framework,
153
00:06:31,080 --> 00:06:33,630
but before we do we need to take a small detour
154
00:06:33,630 --> 00:06:36,330
in this course to introduce you to your two instructors
155
00:06:36,330 --> 00:06:37,920
and give you four important tips
156
00:06:37,920 --> 00:06:40,500
to help you learn best during our time together.
157
00:06:40,500 --> 00:06:42,210
My name is Jason Dion
158
00:06:42,210 --> 00:06:44,970
and I am the lead instructor at Dion Training Solutions.
159
00:06:44,970 --> 00:06:47,130
I've been working in the IT and cybersecurity field
160
00:06:47,130 --> 00:06:50,700
for over two decades for organizations both large and small.
161
00:06:50,700 --> 00:06:51,900
In all these organizations,
162
00:06:51,900 --> 00:06:53,430
though, we were focused on trying to
163
00:06:53,430 --> 00:06:56,580
identify, mitigate and manage cybersecurity risks
164
00:06:56,580 --> 00:06:58,440
to keep threat actors at bay.
165
00:06:58,440 --> 00:07:00,300
When I talk about small organizations
166
00:07:00,300 --> 00:07:02,430
I'm talking about organizations like my own company
167
00:07:02,430 --> 00:07:04,320
which has about 20 people
168
00:07:04,320 --> 00:07:06,990
but I also have worked for large organizations too
169
00:07:06,990 --> 00:07:08,520
and one of my last positions was
170
00:07:08,520 --> 00:07:10,980
for an organization that spans six continents,
171
00:07:10,980 --> 00:07:13,800
dozens of countries and millions of end users.
172
00:07:13,800 --> 00:07:16,020
My name is Kip Boyle and I'm the founder
173
00:07:16,020 --> 00:07:17,730
of Cyber Risk Opportunities,
174
00:07:17,730 --> 00:07:21,360
where I serve as a chief information security officer
175
00:07:21,360 --> 00:07:24,810
for many organizations across the United States
176
00:07:24,810 --> 00:07:27,060
including a professional sports team,
177
00:07:27,060 --> 00:07:30,600
some fast growing financial technology companies,
178
00:07:30,600 --> 00:07:32,040
and a lot more.
179
00:07:32,040 --> 00:07:33,960
Before that, I was a full-time CISO
180
00:07:33,960 --> 00:07:35,820
for an insurance company,
181
00:07:35,820 --> 00:07:38,310
and before that I helped design mitigations
182
00:07:38,310 --> 00:07:41,430
for several Global 100 organizations
183
00:07:41,430 --> 00:07:44,370
when I worked at Stanford Research.
184
00:07:44,370 --> 00:07:46,650
My career in cybersecurity all started
185
00:07:46,650 --> 00:07:48,960
when I was on active duty in the US Air Force,
186
00:07:48,960 --> 00:07:51,060
where I led data protection programs
187
00:07:51,060 --> 00:07:53,340
for several major weapons systems
188
00:07:53,340 --> 00:07:55,890
like the F-22 Stealth Fighter.
189
00:07:55,890 --> 00:07:58,680
So as you can see, we aren't just instructors
190
00:07:58,680 --> 00:08:01,890
we're practitioners in the cybersecurity industry
191
00:08:01,890 --> 00:08:04,530
with lots of experience to share with you.
192
00:08:04,530 --> 00:08:08,970
So I want you to rest assured you're in good hands with us.
193
00:08:08,970 --> 00:08:11,670
Now for our four tips to success in this course.
194
00:08:11,670 --> 00:08:13,740
First, for every video in this course
195
00:08:13,740 --> 00:08:16,230
you have the ability to turn on closed captions.
196
00:08:16,230 --> 00:08:18,840
Each video is captioned by a real human for accuracy
197
00:08:18,840 --> 00:08:19,800
and this will allow you to read
198
00:08:19,800 --> 00:08:21,900
along with the course if you need to.
199
00:08:21,900 --> 00:08:23,400
Many of my students who speak English
200
00:08:23,400 --> 00:08:24,570
as their second language
201
00:08:24,570 --> 00:08:26,250
really love having those captions playing
202
00:08:26,250 --> 00:08:28,950
along the bottom of the videos to aid in their learning.
203
00:08:28,950 --> 00:08:30,750
If you want to enable the closed captions,
204
00:08:30,750 --> 00:08:32,190
simply click on the CC button
205
00:08:32,190 --> 00:08:34,230
in the bottom of your video player.
206
00:08:34,230 --> 00:08:37,050
The second tip is about playback speed.
207
00:08:37,050 --> 00:08:40,290
Some of our students say Jason speaks too fast
208
00:08:40,290 --> 00:08:43,470
and others have said, I speak way too slowly.
209
00:08:43,470 --> 00:08:46,770
Either way, you can control the speed of instruction
210
00:08:46,770 --> 00:08:48,990
by clicking on the 1X button
211
00:08:48,990 --> 00:08:51,060
in the bottom of the video player.
212
00:08:51,060 --> 00:08:53,370
Now, if you want me to teach faster
213
00:08:53,370 --> 00:08:57,780
go ahead and choose 1.25X or even 1.5X
214
00:08:57,780 --> 00:09:00,450
and if you'd like Jason to teach slower, then
215
00:09:00,450 --> 00:09:04,753
just click on the 0.75X or 0.5X.
216
00:09:05,880 --> 00:09:08,703
Faster or slower, the choice is yours.
217
00:09:09,690 --> 00:09:11,340
The third tip is that this course comes
218
00:09:11,340 --> 00:09:13,650
with a downloadable study guide as a PDF
219
00:09:13,650 --> 00:09:15,090
in lesson two of the course,
220
00:09:15,090 --> 00:09:16,320
as well as a complete copy
221
00:09:16,320 --> 00:09:18,030
of the NIST Risk Management Framework
222
00:09:18,030 --> 00:09:20,250
as a PDF in lesson two.
223
00:09:20,250 --> 00:09:22,140
I recommend that you download our study guide
224
00:09:22,140 --> 00:09:22,973
and print it out
225
00:09:22,973 --> 00:09:24,870
because it makes a great offline resource
226
00:09:24,870 --> 00:09:27,540
as you begin working with the NIST Risk Management Framework
227
00:09:27,540 --> 00:09:29,943
on a daily basis inside your organization.
228
00:09:31,733 --> 00:09:32,566
The fourth tip is
229
00:09:32,566 --> 00:09:35,460
that this course is just the beginning of your adventure
230
00:09:35,460 --> 00:09:38,910
into the world of cybersecurity and risk management.
231
00:09:38,910 --> 00:09:40,140
If you'd like to learn more
232
00:09:40,140 --> 00:09:43,860
you can always visit yourcyberpath.com
233
00:09:43,860 --> 00:09:46,731
where we share our experience
234
00:09:46,731 --> 00:09:50,670
through our free podcast and our paid membership programs.
235
00:09:50,670 --> 00:09:52,440
If you have any questions for us,
236
00:09:52,440 --> 00:09:55,013
you can always send us a video message at
237
00:09:55,013 --> 00:09:58,950
yourcyberpath.com/ask
238
00:09:58,950 --> 00:10:02,733
or you can post it in the Q and A of this course.
239
00:10:04,879 --> 00:10:07,140
Now, with all the introductions behind us,
240
00:10:07,140 --> 00:10:08,880
let's get started with learning
241
00:10:08,880 --> 00:10:12,363
all about the NIST Risk Management Framework.