1
00:00:00,180 --> 00:00:01,020
In this lesson,

2
00:00:01,020 --> 00:00:03,570
I'm going to give you the big picture perspective

3
00:00:03,570 --> 00:00:05,820
on the risk management framework.

4
00:00:05,820 --> 00:00:08,310
If you're a big picture person like I am,

5
00:00:08,310 --> 00:00:10,650
then I think you're going to appreciate this.

6
00:00:10,650 --> 00:00:12,270
Every time you use RMF,

7
00:00:12,270 --> 00:00:15,210
what you're trying to do is get to a point

8
00:00:15,210 --> 00:00:17,880
where an authorizing official can decide

9
00:00:17,880 --> 00:00:21,270
to say either yes or no to this question.

10
00:00:21,270 --> 00:00:25,830
Are we able to accept the residual risk of this system

11
00:00:25,830 --> 00:00:27,810
when we connect it to the network

12
00:00:27,810 --> 00:00:31,050
and use it to support our mission?

13
00:00:31,050 --> 00:00:32,700
So I want you to remember

14
00:00:32,700 --> 00:00:37,700
that RMF is not about achieving a 100% secure system.

15
00:00:38,820 --> 00:00:42,570
It's also not about eliminating all risks.

16
00:00:42,570 --> 00:00:43,620
Why?

17
00:00:43,620 --> 00:00:46,020
Because there's just no practical way

18
00:00:46,020 --> 00:00:50,610
to protect every digital asset 100% of the time

19
00:00:50,610 --> 00:00:53,910
and still get real work done.

20
00:00:53,910 --> 00:00:57,060
So you just want to get the overall risk

21
00:00:57,060 --> 00:01:00,240
to the sensitive data and the critical system

22
00:01:00,240 --> 00:01:02,490
down to a reasonable level,

23
00:01:02,490 --> 00:01:05,940
where the residual risk is willing to be accepted

24
00:01:05,940 --> 00:01:07,890
based on the benefits

25
00:01:07,890 --> 00:01:10,590
you're going to get from using that system

26
00:01:10,590 --> 00:01:12,510
to support your mission.
27
00:01:12,510 --> 00:01:15,570
By the way, the term residual risk means

28
00:01:15,570 --> 00:01:18,690
the risk that's left over in the system

29
00:01:18,690 --> 00:01:21,810
after you've implemented the controls.

30
00:01:21,810 --> 00:01:23,400
Now, I'm telling you all this,

31
00:01:23,400 --> 00:01:27,090
because RMF is a very systematized approach

32
00:01:27,090 --> 00:01:29,190
and when you're down in the weeds,

33
00:01:29,190 --> 00:01:33,900
it can be easy to lose track of this big idea.

34
00:01:33,900 --> 00:01:34,830
So again,

35
00:01:34,830 --> 00:01:36,720
the big idea behind RMF

36
00:01:36,720 --> 00:01:38,580
is to come up with the right amount of security

37
00:01:38,580 --> 00:01:39,690
for your system

38
00:01:39,690 --> 00:01:42,420
at the right time and at the right cost

39
00:01:42,420 --> 00:01:47,420
with an acceptable amount of residual or leftover risk.

40
00:01:47,580 --> 00:01:51,810
This is your North Star as you work through RMF

41
00:01:51,810 --> 00:01:55,650
towards the approval to operate or the ATO

42
00:01:55,650 --> 00:01:57,480
that you are aiming to get

43
00:01:57,480 --> 00:02:00,450
from your authorizing official.

44
00:02:00,450 --> 00:02:01,320
Now that means

45
00:02:01,320 --> 00:02:05,820
we need you to do some very good system security engineering

46
00:02:05,820 --> 00:02:08,580
and RMF can help you do that.

47
00:02:08,580 --> 00:02:12,450
It's important to realize that while you need to follow RMF,

48
00:02:12,450 --> 00:02:15,660
I don't want you to put following the steps

49
00:02:15,660 --> 00:02:17,310
at a higher priority

50
00:02:17,310 --> 00:02:21,330
than delivering very good system security engineering.
51
00:02:21,330 --> 00:02:23,850
By the way, the title of the publication

52
00:02:23,850 --> 00:02:26,250
we're going to be learning about in this course

53
00:02:26,250 --> 00:02:28,170
is Risk Management Framework

54
00:02:28,170 --> 00:02:31,680
for Information Systems and Organizations,

55
00:02:31,680 --> 00:02:35,970
A System Lifecycle Approach for Security and Privacy.

56
00:02:35,970 --> 00:02:38,250
Its numeric designation

57
00:02:38,250 --> 00:02:42,210
is NIST Special Publication 800-37,

58
00:02:42,210 --> 00:02:46,770
and we are going to focus on Revision 2 in this course.

59
00:02:46,770 --> 00:02:50,160
There are seven steps in the RMF process.

60
00:02:50,160 --> 00:02:54,000
Let me quickly tell you what they are right now.

61
00:02:54,000 --> 00:02:55,950
The first step is you have to prepare

62
00:02:55,950 --> 00:02:58,350
your organization and your system

63
00:02:58,350 --> 00:03:01,260
to manage security and privacy risk.

64
00:03:01,260 --> 00:03:04,650
The second step is you have to categorize your system

65
00:03:04,650 --> 00:03:07,860
and the information that it processes, stores,

66
00:03:07,860 --> 00:03:09,330
and transmits.

67
00:03:09,330 --> 00:03:11,430
The third step is you've got to get

68
00:03:11,430 --> 00:03:15,510
into NIST Special Publication 800-53,

69
00:03:15,510 --> 00:03:18,480
which is a catalog of controls,

70
00:03:18,480 --> 00:03:19,890
and you have to select the ones

71
00:03:19,890 --> 00:03:22,050
that are going to help you reduce risk.

72
00:03:22,050 --> 00:03:25,110
Step number four is you implement the controls

73
00:03:25,110 --> 00:03:27,690
and you document how they're deployed.
74
00:03:27,690 --> 00:03:30,330
Step number five is you assess

75
00:03:30,330 --> 00:03:33,210
to determine if the controls are in place,

76
00:03:33,210 --> 00:03:35,670
that they're operating as they're supposed to,

77
00:03:35,670 --> 00:03:40,350
and that you are getting the correct results from them.

78
00:03:40,350 --> 00:03:44,670
Step number six is your senior official then is asked

79
00:03:44,670 --> 00:03:46,980
to make a risk-based decision

80
00:03:46,980 --> 00:03:51,630
to authorize the system to become a production system.

81
00:03:51,630 --> 00:03:54,990
And then, the seventh step is to continuously monitor

82
00:03:54,990 --> 00:03:58,020
the implementation of your controls and to make sure

83
00:03:58,020 --> 00:04:01,890
that the risks to your system stay reasonable.

84
00:04:01,890 --> 00:04:03,090
In the next lesson,

85
00:04:03,090 --> 00:04:05,040
we're going to give you a little more detail

86
00:04:05,040 --> 00:04:07,560
on the seven steps I just covered.

87
00:04:07,560 --> 00:04:09,000
And later in the course,

88
00:04:09,000 --> 00:04:11,640
we're going to take each step completely apart

89
00:04:11,640 --> 00:04:14,460
and explain what you have to do

90
00:04:14,460 --> 00:04:17,854
and how to do it in the real world.