The purpose of the prepare step is to make sure your organization is ready to manage its cyber supply chain and privacy risks using the Risk Management Framework. There are two collections of tasks within the prepare step: organizational-level tasks and system-level tasks. Altogether, this step has 18 tasks, which is much more than any other single step in RMF. If you want to see a summary of all the tasks from each of the seven RMF steps, check out Appendix E in Special Publication 800-37, which starts on page 126. In this lesson, we're going to look at tasks that prepare your organization for RMF. In the next lesson, we'll look at the tasks that prepare your system for RMF.

We said that RMF is a framework and that organizations have discretion over which tasks and how rigorous they're going to be when assembling an RMF approval package. But to be clear, you have to do all seven steps, and you have to carefully consider how to do each task within each step, and you have to put a reasonable amount of effort into each of those tasks based on whether your system or data is categorized as high, medium, or low.

There are seven tasks in the prepare step at the organizational level. Let's go through each one right now so you can know what needs to be done.

When you finish Task P-1, individual people will be identified and assigned key roles for moving an ATO request through the Risk Management Framework. This list of people and their roles is the specific outcome of this task. The standard roles and responsibilities of key participants in RMF are described in Appendix D. It's important that you make sure there are no conflicts of interest when assigning the same individual to multiple roles. For example, authorizing officials cannot occupy the role of system owner.

Now, when you finish Task P-2, you'll have a risk management strategy for your organization that includes a determination and expression of organizational risk tolerance. Now, risk tolerance is the degree of risk or uncertainty that is acceptable to your organization, and it's supposed to help people make risk decisions based on the needs of the mission, rather than on their own personal sense of how much risk is okay. Your risk management strategy should also include a brief description of your acceptable risk assessment methodologies and your risk response strategies. You also need to include a process for consistently evaluating security and privacy risks organization-wide, and you need to talk about approaches for monitoring risk over time.

Now, the result of Task P-3 will be an organization-wide risk assessment if you don't already have one, or you may be able to update an existing risk assessment. The breadth of your organizational risk assessment is very wide. You'll need to pull together all system-level risk assessment results. You'll need insights on risk from continuous monitoring, and you'll need any strategic risk considerations that are relevant to your organization, like your current missions and operating locations. And don't forget to include risks from information exchanges and network connections that you have with other internally and externally owned systems, and from the use of external providers.

Now, Task P-4 is the first explicitly optional task that you'll encounter in RMF. The opportunity here is to formally incorporate the NIST Cybersecurity Framework into your organization, and you'll do this by tailoring, or what's also known as profiling, the CSF to fit your organization's unique needs. Now, this can help you later on when you select controls for the specific ATO that you're working on, because your CSF profile will guide you to specific areas that are already prioritized and specified for your system. Hopefully, this task has already been accomplished, since it doesn't need to be unique to each ATO that you're working on.

In a similar way, the result of Task P-5 is a published list of the common controls that are available for use by your organizational systems. There's no need to recreate this list for each ATO that you're working on, so I hope you'll simply be able to look up the list that your organization already has. Now, a simple example of a common control might be a centralized endpoint detection and response solution, probably from a commercial off-the-shelf source. If your organization already has an EDR package, then your system may be able to use it, which will eliminate the need for you to search for an EDR to purchase just for your system.

Task P-6 is another optional one and is done only after organizational systems have been categorized in Task C-2, which is in the Categorize step. Talk with your senior accountable official for risk management to find out if you should do this step for your ATO request. If you do this task, then you'll need to become familiar with the FIPS 199 and FIPS 200 standards, both of which are published by NIST. By the way, FIPS, F-I-P-S, means Federal Information Processing Standards, and each standard focuses on one specific topic.

The final task in this step one collection is P-7. The output is a developed and implemented organization-wide strategy for monitoring control effectiveness. Hopefully, this task has already been accomplished, since it probably won't need to be unique to each ATO you're working on.

In the next video, we'll cover the 11 tasks you need to complete in order to prepare your system for RMF, and after that one, we'll have a video that explores the practical aspects of doing all 18 tasks in the prepare step.