In this lesson, we're going to talk about the seven-step process that's used in RMF. Now, we've mentioned these seven steps a couple of times, but that's because they're really important. In this lesson, we're going to dive a little bit deeper into each of those seven steps, and then in section three of the course, we're going to dive into each of those steps individually and really break them apart in depth. But for now, I really want to give you a good overview of what these steps are and how they're used inside of RMF.

Now, the first step in the seven-step process is what's called prepare. During the prepare phase, you're going to be doing all the essential activities to get your organization ready to manage your security and your privacy risks. As you go through the prepare phase, it's important for you to remember that you're doing this to get ready to execute RMF from an organizational and system-level perspective. This allows you to get clear guidance on the context that you're going to be using during RMF, as well as the priorities you're going to be using for managing your security, privacy, and supply chain risks.

Now, when we're conducting step one, also known as prepare, we're really focused on two big risk areas that you need to think about. The first is the cybersecurity of your organization, or the security risks that you're going to be facing. And the second is going to be the privacy risks that are going to be facing your organization. This is really important as well, because there are so many data breaches that are occurring against organizations in the real world these days. So it's important to think about both the cybersecurity aspect, and how you're going to keep bad actors from getting into your network, as well as the privacy concerns: if they do get into your network, what kind of things can they achieve, and what kind of data can they get their hands on? If you keep both of these areas in mind as you're preparing yourself, you're going to be able to think about all the bad things that could happen to your network and then figure out what type of controls you're going to want to select and implement to be able to mitigate those risks later on in the seven steps.

This brings us into our second step, and our second step is known as categorize. During the categorize step, you're going to go through each and every one of your assets. This includes your software, your hardware, your servers, your network. Anything you have in your organization that's considered an asset or has some kind of value to you needs to be categorized in step two of the risk management framework. During this step, we're going to be categorizing all of our systems, as well as all the information that's being processed, stored, or transmitted in that system, based on an analysis of how big the impact would be if those assets were deleted, corrupted, stolen, or simply not available when you need them.

Yes, you can categorize the system as an extremely important asset that needs to be protected at all costs, but this isn't always necessary, and it's not always the best practice to do this. For example, I have a small network printer sitting in my office. Now, I might say that this is a critically important asset because we only have one printer in our small office, and if that printer went away, we wouldn't be able to print things out. So I might say this is critically important and I have to protect it at all costs. Well, that might mean that I'm going to spend millions of dollars to be able to protect this single printer because I classified it as this really high and important thing. The problem with that, though, is that printer isn't worth more than about $500, so if it's going to cost more than $500 to protect it, I really shouldn't do it, because it doesn't make good business sense. And these are the kind of things that you have to think about when you're categorizing something. Yes, it may be important, but how much value does it hold to your organization? In my case, if somebody was able to attack that printer and make it so it doesn't even print anymore, that's fine. I'll just go to the store, buy a new one for $500, bring it back to the office, hook it up, and we'll be back up and running in less than an hour. So when it comes time to categorize that printer, even if it is critically important, it may not be a critically high important item in RMF, because the cost to protect that device may actually cost us more than simply replacing the device if it was destroyed or hacked by an intruder. These are the kind of things you need to think about when you're doing your categorization.

So remember, when it comes to categorizing your system, you need to be focused on the information that it's processing, storing, and transmitting, and then you're going to do your categorization based on your analysis of the impact of loss. Now, this is really important, because that loss is really what we're focused on. If I have a one terabyte solid state device that I spent $100 to procure, but it's holding data that contains millions of dollars of value because it contains proprietary source code for my company, or my customer's data, or things like that, well, the value isn't the $99 hard drive, but instead it's all the value associated with the information that's being stored on that hard drive. So we're going to have to categorize that hard drive based on the contents of the data that's going to be stored or processed on that device, and then based on that we can determine what type of controls we're going to select.

And this brings us into step three. When we get to step three, we are in the select phase. In step three, we're going to select the controls that we want to use to protect our different assets. Remember, step one, we prepared. Step two, we categorized. Now, here in step three, we're actually going to select controls to protect those assets that we just categorized back in step two. At this point, all we're doing is selecting the controls. We're not actually going to install them or implement them. We'll save that for later on. But here in step three, we are going to be selecting the controls, and we're going to be using reference controls that we can find inside of the NIST Special Publication 800-53 revision 5. This document is known as the security and privacy controls for information systems and organizations, and it's heavily used in both RMF, the Risk Management Framework, and CSF, the Cybersecurity Framework, and both of those are published and created by NIST.

Now, when it comes to this document, which we call the SP 800-53, it really is just a big catalog of all the different controls that you may choose to use when you're trying to protect some kind of an information system. When it comes to the 800-53, I want you to remember that this is not a checklist of all the things you need to do to a system. Instead, this is just a list of things you can choose from and decide what you want. This means it's more like a dictionary or an encyclopedia, where you can look up what you need and then select the particular articles that interest you, instead of a regular book where you would read it from page one all the way through to the end of the book. Instead, you're going to go through this catalog and pick out the things that are relevant to you, and you're going to select those controls based on the risk to your systems, the data you're trying to protect, and the level that you've categorized that data to. Again, the higher the categorization you make, the more controls and the more protections you're likely going to be using. So remember, when you're in this third step, which we call the selection phase, we are going to select an initial set of controls for our systems, and then we'll be able to tailor those controls as we need to in order to mitigate or reduce the risk down to an acceptable level based upon our risk assessment.

And we're going to keep doing this as we go through our seven-step process to make sure we get the system down to an acceptable level of risk, so that our authorizing official will be able to accept that system and allow us to install it and operate it on the corporate network.

Next, we move into step four, and step four is known as implement. During step four, we're actually going to implement the controls that we've selected back in step three. So let's say, for example, that we want to implement two-factor authentication for all of our websites. This would be a control that we selected from the SP 800-53, but now that we've selected that control, we have to figure out how we're going to implement it. This is because you can use a lot of different methods when you're implementing two-factor authentication, and according to the Special Publication 800-53, they really don't care which method you use. You could use a hardware token. You could use a software token. You could use text messaging to give you a one-time code every time you try to log into the system. All of these are acceptable things you can use, but again, depending on how you classified the system that's processing the data, you may have certain requirements that you're going to want to meet in order to make this more or less secure. For example, a lot of corporate environments will use a two-factor authentication system based on SMS or text messaging, but if you're working in the context of the US military and the Department of Defense, they don't allow you to take your smartphone with you into the offices where you're doing your work. So if I had to use a two-factor authentication based on a text message, it would not work for that environment. Instead, I would use something like a physical RSA key fob token that rotates the code every 30 to 60 seconds, and I can carry that into the building with me and use it anytime I'm trying to log into a system.

So again, remember, when it comes to step four, we're really focused on implementation: how we're going to take the controls we selected, and how we're going to document how those controls are going to be employed within the systems and in the environment of operations that we're going to be using. Another good example of this might be a control that says you have to use data-at-rest encryption for any data that's being put on an external hard drive or external solid state device. Well, again, there are lots of different ways you could do this. You could use full disk encryption using something like BitLocker on Windows, or FileVault if you're using a Mac system, or you could use individual file-level encryption as well. It really does depend on how you want to configure these controls, and that's really what we're focused on in implement: how we're going to take those controls we selected and then implement them in the real world.

This brings us to step five, which is assess. The assess step is where we've now implemented our controls and we need to assess whether those controls are doing what we want them to do. Now that I've implemented some kind of a control, like two-factor authentication or data-at-rest encryption, how are those controls actually working after you've implemented them? For example, you might say that you're going to use a third-party encryption tool. Well, if you use a third-party encryption tool and people are able to crack that tool and access your data, that control is not doing what you expected it to do, and that would be something you'd figure out during the assess process. Another great example of this is that there are a lot of controls you can do that are considered administrative controls. For example, you might make a policy that says nobody can bring their smartphone into your building to use in their offices. Well, if you do an assessment and somebody's able to walk in the front door with their smartphone on them and nobody catches it, that means that control is not effective. And so that's what we're talking about when we talk about assess in step five of the RMF process. We want to make sure those controls we selected and implemented are actually doing what we thought they were going to do. That's really what we're focused on: ensuring they're satisfying the controls that we're implementing as part of our security and privacy requirements.

This brings us to step number six, which is the authorize step. In the authorize step, you're going to go to your senior official, and they're going to make a risk-based decision to authorize the system to operate, or tell you that the risk is too high and they want you to go back and do additional categorization, selection, implementation, and assessment to get that risk level back down. Now, in every organization, whether you're working in a government organization like the military, or in a commercial sector organization like a bank or an insurance company, there is going to be somebody who's considered that senior official, who gets to make the decision of when you can hook up something to the corporate network. The reason for this is that anytime you attach something to your network, you're adding risk to that network, because every additional workstation, client, smartphone, router, or switch does bring some vulnerabilities with it. So when we're working on the authorize step, we're really focused on saying to that senior official, whoever that is, "You're going to be responsible for all the risks that are now going to be accepted by the organization when we go and connect this thing to the network. Are you willing to do that? Do you understand what the risk level is, and is it low enough that you feel comfortable accepting that?"

Now, every organization is going to be different in terms of how much risk they're willing to accept. For example, if you're working in a small startup in Silicon Valley, they usually have a very high risk tolerance, which means they'll take a lot more risk, because usually it's not a life and death situation. On the other hand, if you're building software that's going to be used by nuclear reactors, or by a fighter jet, or something like that, you need to make sure that the quality assurance is high and the risk is low. In those cases, it is a matter of life and death, because if you're working on a project for the software that's going to run an airline and that software doesn't work right, it can actually cause that plane to crash and kill everybody on board if the program is not doing what it's supposed to do and some kind of threat actor has been able to hack that system and take control of the plane remotely. That would really be a bad day. So the authorizing official for somebody who's running the airplanes for an airline would probably have a much lower risk tolerance than somebody at a Silicon Valley startup. And that's really what we're talking about when we talk about authorization as step six of the RMF process.

The final step we have is step seven, which is monitor. During the monitor step, we're going to be continuously monitoring all of our systems and all of our controls to make sure they're working and doing what they're supposed to do, and to make sure the risk level is the level we thought it was. For example, let's say that you had a system that was authorized and you've connected it to the network. That system was running something like Windows 2016 as its server. Over time, that's going to become more and more vulnerable, because, over time, more vulnerabilities are discovered and there are going to be more security patches that need to be installed to mitigate those vulnerabilities. Part of our monitoring process is to ensure that we are doing the proper work of downloading, installing, and validating those security patches on that given system. Now, that sounds like a no-brainer to most people, but there are some systems where you can't simply update them on the fly like you would in a corporate network. For example, let's say I had a server that was running an ICS/SCADA plant for a manufacturing organization. I can't always just install another security patch there, because that could break some of those complex SCADA systems that are being operated by that server. So in this case, we would have to monitor and see what that risk level is. And every time a new patch comes out, if we're not installing it, we're actually increasing the risk level on that system.

So over time, we're going to have to go back and iterate again and start categorizing, selecting, implementing, assessing, authorizing, and monitoring over and over again to make sure those systems are at the right level of risk, and a risk level that we're willing to accept. Again, this all goes back to how you're going to categorize things all the way back in step two, because that's going to determine what level you need to meet. If we have something like an airplane, that has a very high level associated with it, whereas if I have something like a network printer in my office, that would have a very low level associated with it. Based on that, we'll assign the appropriate resources, whether that's people, systems, or technologies, to make sure we can mitigate that risk level down to an acceptable level so that we can get the authorization to connect it in step six, and then move into monitoring those systems over time to ensure the risk level stays where we think it should.

So remember, during this seventh step, when we're doing monitoring of the systems and the controls, this is an ongoing process. We're going to be assessing the controls' effectiveness through regular testing and analysis, such as doing vulnerability analysis or a penetration test against our systems, as well as documenting changes to the systems and the environment of operation, such as the installation of other patches or new versions of the software, because that will also change your risk baseline. Also, we want to ensure we're conducting risk assessments and impact analysis of these systems, and we want to make sure we're reporting on the security and privacy posture of the system back up to our authorizing official on a regular basis, so they can keep track of the level of risk across the entire organization for your system and all the other systems that are connected to the corporate network.
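The categorize and select steps described above can be sketched as a small inventory helper. This is an added example, not code from the lesson or from NIST: it categorizes each asset by the impact of losing the information it processes, stores or transmits (rather than by the hardware's price), then sizes an initial control set from that categorization before tailoring. The high-water-mark rule (the overall level is the highest of the confidentiality, integrity and availability impacts), the `InformationType`/`Asset` classes, the `BASELINE_CONTROLS` numbers and the sample inventory are all assumptions constructed for illustration; the lesson states none of them.

```python
# Added example: RMF categorize/select helper (illustrative, not from the lesson).
from dataclasses import dataclass, field

# Impact levels in increasing order; the index doubles as a sort key.
LEVELS = ("low", "moderate", "high")


@dataclass
class InformationType:
    """One kind of information an asset handles, with per-objective impact
    levels and the business value at stake if it is lost (assumed fields)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str
    value_at_risk: float


@dataclass
class Asset:
    name: str
    replacement_cost: float                       # e.g. the $500 printer
    information: list = field(default_factory=list)


def high_water_mark(levels):
    """Highest of the given impact levels (assumed rule, not stated in the lesson)."""
    for lvl in levels:
        if lvl not in LEVELS:
            raise ValueError(f"unknown impact level: {lvl}")
    return max(levels, key=LEVELS.index)


def categorize(asset):
    """Categorize an asset by the information it holds, not its hardware price.
    An asset holding no categorized information is treated as low."""
    if not asset.information:
        return "low"
    per_type = [
        high_water_mark((i.confidentiality, i.integrity, i.availability))
        for i in asset.information
    ]
    return high_water_mark(per_type)


# Illustrative baseline sizes: a higher categorization starts from a larger
# initial control set, which is then tailored. Constructed numbers only.
BASELINE_CONTROLS = {"low": 150, "moderate": 300, "high": 400}


def select_baseline(level):
    """Size of the initial control set to tailor for the given level."""
    return BASELINE_CONTROLS[level]


def information_value(asset):
    return sum(i.value_at_risk for i in asset.information)


def protection_makes_sense(asset, proposed_spend):
    """The lesson's business-sense check: spending is justified by the greater
    of the replacement cost and the value of the information at stake."""
    return proposed_spend <= max(asset.replacement_cost, information_value(asset))


# Constructed sample inventory mirroring the lesson's two examples.
PRINTER = Asset("office printer", replacement_cost=500.0, information=[
    InformationType("print jobs", "low", "low", "low", value_at_risk=50.0),
])
SSD = Asset("1 TB SSD", replacement_cost=99.0, information=[
    InformationType("proprietary source code", "high", "high", "moderate",
                    value_at_risk=2_000_000.0),
    InformationType("customer data", "high", "moderate", "low",
                    value_at_risk=500_000.0),
])

if __name__ == "__main__":
    for asset in (PRINTER, SSD):
        level = categorize(asset)
        print(f"{asset.name}: {level}, start from {select_baseline(level)} controls")
    print("millions on the printer?", protection_makes_sense(PRINTER, 1_000_000.0))
    print("$50k on the SSD?", protection_makes_sense(SSD, 50_000.0))
```

The point of the design is that `categorize` never looks at `replacement_cost`: the $99 drive comes out as high because of the source code on it, while the printer comes out as low even though the office depends on it, and `protection_makes_sense` separately answers the lesson's question of whether a proposed spend is proportionate to what is actually at risk.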