Cyber is a dynamic risk, not a static one. So we need to improve our risk management tools and methods on a regular basis. And that's why the Risk Management Framework has been updated several times since it was first released in May 2004. Revision one of RMF was published six years later in February 2010, and had minor updates made to it in June of 2014. Right now, RMF is at version 2, which was released in December 2018.

NIST has made many changes to RMF over the years. Right now, I want to highlight some of the most important changes in version 2. A major goal of version 2 is to make RMF easier to complete while giving better results at a reduced cost. One way it does this is by adding the new Prepare step in order to better strategically integrate RMF into both your organization-level and system-level activities. The idea here is that the more you use RMF, the better you're going to get.

Version 2 also better incorporates the missions and business functions of the organization that's attempting to get their system an approval to operate, which we often say as ATO.

Version 2 also tries to improve the communications about RMF amongst senior leaders, managers and operational personnel.

Other major updates to version 2 include the integration of privacy risk management processes, an alignment with the system development lifecycle security engineering processes, the incorporation of supply chain risk management processes, and an alignment with the NIST Cybersecurity Framework. This is noteworthy because the Cybersecurity Framework makes a natural extension to RMF because they're actually complementary to each other. One way they're complementary is that the Cybersecurity Framework is organized around the five phases of the incident lifecycle, which are identify, protect, detect, respond and recover. Now, this is very different than RMF, which is organized around the systems development lifecycle. And this means that the Cybersecurity Framework could bring a lot more to the table when an RMF user reaches step seven, which requires you to monitor your system while it's supporting your mission.

A final thought on RMF version 2 is the increased emphasis on the use of automation. NIST encourages RMF users to maximize the use of automation wherever possible to increase the speed, effectiveness and efficiency of completing the seven steps for each system. NIST says that automation of RMF is particularly useful in the preparation of authorization packages, to speed decision making, and in the assessment and continuous monitoring of controls. Later in the course, we'll explore automation in much greater detail.