[00:00:00] Now let's take a look at all the resources that are provided in Special Publication 800-37 for each step in the risk management framework. Each of the seven steps in RMF has a purpose statement, a defined set of outcomes, and a set of tasks that are carried out to achieve those outcomes. For example, the first outcome in the Prepare step for your organization comes from doing Task P-1, and it says, "Individuals are identified and assigned key roles for executing the risk management framework."

[00:00:38] By the way, RMF outcomes for Task P-1 map to two specific outcomes in the NIST Cybersecurity Framework. The first is ID.AM-6, which says, "Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders are established." And the second Cybersecurity Framework outcome that maps to Task P-1 is ID.GV-2, which says, "Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners."
[00:01:18] We'll take a much closer look at the relationship between RMF and the Cybersecurity Framework in a future lesson. But for now, just know that there is a complementary and useful relationship between these two frameworks.

[00:01:32] Okay, let's go back to RMF. To prepare your organization for the RMF work you'll need to do, you'll need to complete seven tasks, numbered P-1 through P-7. And you can see what I'm talking about by looking at Table 1 on page 28 of Special Publication 800-37. Now throughout the RMF publication, each task contains a lot of helpful resources.

[00:01:58] Looking at the top of page 29, you'll see the five types of resources provided for you to complete Task P-1. First, there's a set of potential inputs needed to complete the task. And then, you'll see a description of the outputs you'll have from completing the task. In addition, you'll find two lists of the primary and secondary roles that have responsibility for this task.
[00:02:26] For example, Task P-1 shows that the head of agency is a role with primary responsibility. Then there's a discussion section, and that provides you with detailed information to help you plan out how you're going to complete the task. And finally, there's a list of references, which often link to other NIST documents that can provide you with more details about different aspects of the task.

[00:02:54] As you read through the Task P-1 description on page 29, you'll see the many resources provided to help you complete this task. A lot of the resources are found in later pages of Special Publication 800-37. Some of the resources are contained in other NIST publications, and some can only come from your organization. Now, don't be afraid to draw on other resources if you need to. What you'll find in RMF is just a starting point.