In this lesson, we're going to talk about Step Four in the Real World. Step four is the implement step. Now, the purpose of the implement step is to implement the controls in the security and privacy plans for the system and organization. As we work through the implement step, we're focused on two main outcomes. First, the controls specified in the security and privacy plans have been implemented, and second, security and privacy plans have been updated to reflect controls as implemented. So, let's take a look at what this looks like in the real world.

Now, previously we've talked about step two being the categorize step and step three being the selection step. In step two, we were going through and categorizing all of our information and information systems based on their confidentiality, integrity, and availability requirements, as well as some other key factors.
Then we moved into step three, where we focused on the selection of the different controls to be able to meet the levels that we set up inside of our categorization step, based on our low, medium, or high categorization for each of the different factors we were looking at. Now, here in step four, we are going to be focused on implementing all those different controls that we selected back in step three.

Now, one of the important things to think about when it comes to RMF is that usually it's not going to be one person doing all seven steps of this process. Instead, RMF tends to be used by large organizations, and each step, or maybe a couple of steps, will be done by different people. So, you may have somebody who does the categorization and a different person doing the selection, or you may have somebody who does the categorization and the selection, but those people are policy people who work on RMF on a daily basis and not the system administrators who are actually going to have to do the implementation of those controls in the physical system.
When we talk about step four, we are really talking about this implementation step where we're actually putting all these different controls into place. If we're talking about a technical control, that means we're doing some kind of configuration in that system. It may be installing software, configuring a piece of hardware, or setting up different things inside of your registry if you're dealing with a Windows system. On the other hand, if you're dealing with an administrative or management control, you may be creating some sort of a policy, and in those cases it may be the person who categorized the information and then did the selection of those controls, because we're dealing with some sort of administrative policy, and a policy person who works RMF will be well suited to creating that new policy in order to achieve the outcomes that we're trying to achieve. So, keep this in mind when it comes to implementation.
Oftentimes, this is going to be done by more than one person across multiple disciplines, depending on what type of controls you're trying to put in place.

Another big thing to think about when it comes to the implementation step is that oftentimes the controls that were selected back in step three, the selection step, tend to be more generic in nature, and they won't tell you exactly how to implement them. This is why it's important to have specialists that do the implementation. For example, let's say that I wanted to create a full disk encryption requirement as one of my controls. Now, the control might say, "All servers must utilize full disk encryption." That's a pretty generic control statement, but to do the implementation of it, now my system administrators need to figure out what is going to be the best solution for that particular control. So, if I'm running Windows Server 2019, I might go ahead and select using BitLocker as my full disk encryption system. On the other hand, if I'm using a Mac OS system, I might use FileVault 2.
If I'm using a Linux system, I may use something else entirely. And that's really the idea here of implementing the control: it can be implemented in numerous different technical ways, and it's really up to the implementer to make sure they're meeting the intended outcome that you're trying to achieve with that particular control.

Now, as we look at implementation, we are going to be implementing all of the different controls we've selected for our system. If this is a large system, we may have hundreds or even thousands of controls. I've seen some systems that have over 3,000 controls for a brand new server that's going through the RMF process. So, this can be a very lengthy part of your RMF process, and if your system administrators and implementers aren't working through their list quickly, you can actually take several months just trying to build up all of your controls and getting them implemented. Now, as I said, most of the time the implementer is going to be a system administrator.
So, if you're a system administrator, this is really where your part of RMF is going to take place. On the other hand, if you're more of an RMF policy person, you're really going to be focused on getting this RMF package through the process and working with those system administrators to make sure they're implementing all the controls you selected. So, remember, when it comes to doing implementation, we are looking at each individual security control, and then we're going to figure out what the best solution is to meet that requirement. The control itself will not say what vendor you have to use. It will not say what tool or technology or process you have to use. Instead, they're going to say in generic terms the outcome you're trying to achieve. For example, I want to implement data in transit security because I want to make sure data going to or from my web server is being encrypted before it's being sent over the internet. Now, how would I do that?
I could use SSL version two or version three, although I wouldn't recommend it because those are old and antiquated, or I could use something more modern like TLS 1.2 or 1.3, or I could use a VPN, and that would also give me an encryption tunnel between my client and the web server I'm connecting to. As you can see, there are lots of different ways to implement that control from a technical perspective, but the way we're going to choose to do it is going to be left up to the implementer, which is one of our system administrators.

Now, sometimes you will have controls that will say things that are very specific, and they might give you a time associated with it, or a data transfer requirement, or something like that. For example, one of the more specific controls I've seen usually has to do with lock screens. Generally, the lock screen should be enabled anytime you walk away from the computer for more than two minutes.
Sometimes your controls will say exactly how long that has to be, whether that's 30 seconds, 60 seconds, two minutes, five minutes, or 15 minutes. And again, this does depend on your organization. But going back to step three, the person who selected the controls, when they select this timeout, will usually indicate what that timeout value needs to be, and that would be something that can be implemented very quickly on a Windows, Linux, or Mac system by a system administrator.

Now, there are lots of other types of things that are going to be prescriptive in nature when it comes from the highest levels of your organization. And in those cases, you're going to have to follow those rules and implement the controls as they dictate. For example, I used to work in the military, which was part of the Department of Defense. The Department of Defense has these different controls set up in what are called STIGs, which is a Security Technical Implementation Guide.
Now, a STIG, or Security Technical Implementation Guide, is created by the National Security Agency and the Defense Information Security Agency, known as DISA. These two organizations work together to create a list of controls that should be implemented on any given system. For example, if you're going to be using a Windows Server 2019 as part of your system that's going through the RMF process, you're going to go and first download the Security Technical Implementation Guide, known as the STIGs, for that particular server. As of right now, when I'm recording this, if you type in Windows Server 2019 STIG, you'll be able to find this document very easily online, and it comes as an Excel file, a JSON file, or an XML file. Inside of this, it has over 300 controls that you're going to be able to use to be able to protect your system, and it tells you this at different levels from high, medium, and low, which are considered CAT I, CAT II, or CAT III vulnerabilities if you don't have these things implemented in your system.
Some of these controls inside of the STIG are going to include things like installing security patches, while others will require you to make changes inside of your registry or to set up different configurations. For example, one of the STIGs known as V-93539 is considered a high vulnerability in terms of severity, and it's called "Windows Server 2019 must restrict anonymous access to named pipes and shares" as its title inside of the STIG. Now, what does that mean? It means that allowing anonymous access to named pipes or shares provides the potential for unauthorized system access, and therefore, that access needs to be restricted to people with a valid username and password to protect your system and lower the risk. Now, my goal here is not to make you an expert on STIGs, but just to make sure I'm introducing you to this concept, because if you're doing the implementation, STIGs are going to be a big part of your day as the system administrator.
Now, in addition to having the STIG, it's going to tell you what the vulnerability is, what the solution is, and how you can implement it. So, it really does give you a lot of great instructions for how you can implement all these different controls on your various systems based on the different types of hardware or software that you may be using.

Now, the next thing we need to consider when it comes to implementing step four in the real world, which is our implementation of the controls, is that we need to make sure we're having our project management skills up to date so we're ready to tackle all of this information. If you're the person who's responsible for getting this RMF package through the process, one of the hardest steps you're going to go through is step four, because we have to follow up with different system administrators for each of the different systems that are part of our package.
For example, many RMF packages aren't for a single system or a single application, but it may be an entire collection of systems, whether those are servers, or workstations, or a combination of both. And so, if you have multiple different systems, you're also going to have multiple different STIGs and controls that are going to be applied across those systems, and those different systems have different implementers, which we call system administrators. So, it's going to be your job to work with all those different system administrators across all those different systems to get the changes made that you need in order to minimize the risk of your system and get it through the RMF process. For this reason, your project management skills are going to be critically important here, and you're going to be spending a lot of time tracking down all the different controls that were selected back in step three that are now going to have to be implemented in step four by these different people across your team.
When you're building out your plans, and this includes your implementation plans, you need to make sure you're giving dates for each of those things. In the DoD or military context, we usually call this a POA&M, a plan of action and milestones, or P-O-A-&-M. Now, a POA&M is going to be essentially a plan for all the things we're going to do to get these controls done. Let's say you looked at your entire package for RMF and you combined all the different systems and all the different STIGs and all the different controls, and you now have about 3,000 changes that need to be tracked and implemented across all these different servers, and clients, and workstations. How are you going to get all that done? Well, you're going to list them all out, probably in a spreadsheet or some kind of project management tracking software, that says control number one, system number one, here's the thing we need to do, here's the person responsible, and here's when it's going to be done.
Control number two, system number one, and you're going to list all those things out for all 3,000 controls, all 20 or 30 systems you have, and all 15 or 20 implementers that you have, and you're going to be following up with those people to ensure all that work is being done.

Now, in most organizations, you can't just make changes to servers and systems. Instead, you're going to have to go through the change management process, and that's also going to happen here in step four. And usually, your system administrators will help you with that process because it is going to be specific to your organization. Now, when you're doing your implementation, it's always important to talk to the people who are actually doing the work. Now, in our case, that's going to be our system administrators who are responsible for implementing all these changes.
So, if you're working essentially as the project manager and trying to get this RMF package through from step one to step seven, when you're here in step four you're going to be working with a lot of different people across the organization. Always work with those people, be friendly, and ask them the question, "What is your estimate for the timeline, and what are the big blockers that are preventing you from getting this done?" Once you identify what those blockers are, you're going to need to work with them to make sure you can eliminate those blockers and allow them to get their work done. If somebody tells you it's going to take them three months to implement a control, and sometimes it can take three, six, or nine months to implement a control, then you might want to work with them and say, "How can we get this from six months down to three months? How can we get this from three months down to two months? What are the things that are holding you up? Is it money? Is it time?
Is it that their boss has different priorities than you do?" Because this system administrator has a lot of work to do beyond just doing the implementation for the controls in your RMF package. So, it's important that you work with them and you don't get angry or frustrated with them when things start slowing down. Remember, if they tell you it's going to take six months, then you should say, "Okay, I'm going to check up with them again in three months and make sure it's still getting done." Anything you can do to start compressing that timeline and getting this thing through the process faster is going to be a good thing. But adding more people isn't necessarily going to make things go faster. There's an old saying, "Nine women can't make a baby in one month." That's because some things just take time. Making a baby takes about nine months, and so if somebody says, "It's going to take me nine months to make this baby," you can't tell them, "Well, I need it done in three months." There's no way to get it done quicker.
But when it comes to controls, sometimes you can make things go faster by adding money, adding resources, or eliminating other priorities from their pile. For example, I was working on one RMF package and there was only one person who had access to a particular server that we needed to add controls to. Now, we only had five controls that needed to be added to that server, but the person told me they had a backlog of work and that they couldn't get to my stuff for at least six months. So, I approached them and asked them what kind of things I could do to help speed this up. And essentially they told me, "Look, I'm just one person. I only have 40 hours a week to work, and therefore I can't get it done 'cause right now my backlog is about five months' worth of work." So, I went to their boss and I said, "Hey, is there anything we can do to reprioritize some of this work so that we can get these controls implemented faster?"
Because we were at the point where everything else in my RMF package was going to be done at about four months, and this person was telling me it was going to take six months. So, after some negotiation and working with their boss, we were able to reprioritize some of their work and get our stuff done at the four month mark instead of waiting to the six month mark. In this case, it was just a matter of reprioritization and not a matter of needing additional resources or additional time or additional money, but all those are things that you may need to bring into that situation in order to resolve some of those blockers and get your controls implemented.

Now, the final thing we want to talk about is when you're implementing these different controls, it's important to consider the real world circumstances surrounding that control. For example, you might have a system that is labeled as high, and therefore requires multifactor authentication for people to log in. Now, there's lots of different ways to implement multifactor authentication.
412 412 00:14:21,360 --> 00:14:22,470 One of the cheapest ways 413 413 00:14:22,470 --> 00:14:24,540 is to implement two-factor authentication 414 414 00:14:24,540 --> 00:14:26,580 through the use of a text message. 415 415 00:14:26,580 --> 00:14:29,190 Now, this might work great for a lot of organizations, 416 416 00:14:29,190 --> 00:14:30,240 but I can tell you 417 417 00:14:30,240 --> 00:14:32,910 if you work in a top secret or secret facility, 418 418 00:14:32,910 --> 00:14:35,850 this is a horrible system for you to try to use. 419 419 00:14:35,850 --> 00:14:37,890 The reason is when you have a secret 420 420 00:14:37,890 --> 00:14:39,030 or top secret environment, 421 421 00:14:39,030 --> 00:14:41,850 you're not allowed to bring a mobile phone into your office. 422 422 00:14:41,850 --> 00:14:44,070 So, I had one system that was fielded 423 423 00:14:44,070 --> 00:14:45,300 by the Department of Defense, 424 424 00:14:45,300 --> 00:14:48,480 and I was working in a top secret environment at the time. 425 425 00:14:48,480 --> 00:14:50,700 Anytime I wanted to log into that website, 426 426 00:14:50,700 --> 00:14:52,860 I had to have a two-factor authentication code 427 427 00:14:52,860 --> 00:14:54,240 sent to my cell phone. 428 428 00:14:54,240 --> 00:14:57,270 Well, that meant I would go and log in on my work computer, 429 429 00:14:57,270 --> 00:14:59,520 run upstairs, go to the phone locker, 430 430 00:14:59,520 --> 00:15:01,530 get my phone out, walk to the parking lot, 431 431 00:15:01,530 --> 00:15:03,930 turn on my phone, get the six-digit code, 432 432 00:15:03,930 --> 00:15:05,460 write it down on a piece of paper, 433 433 00:15:05,460 --> 00:15:07,800 put my phone away, run back to my office, 434 434 00:15:07,800 --> 00:15:09,570 and try to enter that six-digit code 435 435 00:15:09,570 --> 00:15:12,450 all within five minutes before the timeout occurred. 436 436 00:15:12,450 --> 00:15:14,910 Now, is this a great working environment for most people?
437 437 00:15:14,910 --> 00:15:17,070 No, this is a horrible way of doing it. 438 438 00:15:17,070 --> 00:15:19,320 So, instead, we shouldn't use text messages 439 439 00:15:19,320 --> 00:15:21,540 if we're going to be operating in a secure environment. 440 440 00:15:21,540 --> 00:15:24,300 Instead, we should use an RSA key fob 441 441 00:15:24,300 --> 00:15:26,220 or we're going to have to use some other form 442 442 00:15:26,220 --> 00:15:29,130 of two-factor authentication like a smart card and PIN 443 443 00:15:29,130 --> 00:15:30,750 instead of using a text message 444 444 00:15:30,750 --> 00:15:32,520 going to my personal cell phone. 445 445 00:15:32,520 --> 00:15:33,900 Again, this is just a case 446 446 00:15:33,900 --> 00:15:36,450 where people didn't consider the real-world circumstances 447 447 00:15:36,450 --> 00:15:37,830 of a lot of the end users 448 448 00:15:37,830 --> 00:15:40,050 who were in the military using the system. 449 449 00:15:40,050 --> 00:15:41,940 Instead, they were thinking about the 70% 450 450 00:15:41,940 --> 00:15:43,530 of the military folks who work 451 451 00:15:43,530 --> 00:15:45,180 in an unclassified environment, 452 452 00:15:45,180 --> 00:15:47,640 but the 30% that were operating in a secret 453 453 00:15:47,640 --> 00:15:50,160 or top secret environment could not use the system 454 454 00:15:50,160 --> 00:15:52,950 in an effective way because of this five-minute timeout, 455 455 00:15:52,950 --> 00:15:54,870 and sometimes it would take you more than five minutes 456 456 00:15:54,870 --> 00:15:56,070 just to get from your office 457 457 00:15:56,070 --> 00:15:57,450 to where your cell phone was stored, 458 458 00:15:57,450 --> 00:15:59,010 out by the front doors of the building, 459 459 00:15:59,010 --> 00:16:00,510 or over in the parking lot.
460 460 00:16:00,510 --> 00:16:02,160 So, these are the things we have to think about 461 461 00:16:02,160 --> 00:16:03,660 when we start thinking about the implementation 462 462 00:16:03,660 --> 00:16:06,720 of these controls and whether they will work in the real world. 463 463 00:16:06,720 --> 00:16:08,460 So, this goes back to step one 464 464 00:16:08,460 --> 00:16:09,660 in your preparation stage 465 465 00:16:09,660 --> 00:16:11,580 and understanding what type of environment 466 466 00:16:11,580 --> 00:16:13,320 your system is going to be used in. 467 467 00:16:13,320 --> 00:16:15,420 Based on that, you'll then categorize the system 468 468 00:16:15,420 --> 00:16:18,030 and select appropriate controls to meet the requirements 469 469 00:16:18,030 --> 00:16:20,790 that you have based on the categorization of the system. 470 470 00:16:20,790 --> 00:16:21,990 If you're trying to implement something 471 471 00:16:21,990 --> 00:16:23,790 using multifactor authentication, 472 472 00:16:23,790 --> 00:16:25,380 there are lots of ways of doing that, 473 473 00:16:25,380 --> 00:16:26,670 but you have to pick the one 474 474 00:16:26,670 --> 00:16:28,890 that is right for your operating environment. 475 475 00:16:28,890 --> 00:16:30,900 For example, if I'm working with the Navy 476 476 00:16:30,900 --> 00:16:33,150 and building a system that's going to be used by a submarine, 477 477 00:16:33,150 --> 00:16:35,250 I can't expect them to get cell phone coverage 478 478 00:16:35,250 --> 00:16:37,470 because a submarine is underwater. 479 479 00:16:37,470 --> 00:16:40,410 Instead, that submarine would have to use a different way 480 480 00:16:40,410 --> 00:16:41,940 of doing two-factor authentication, 481 481 00:16:41,940 --> 00:16:44,340 such as using a smart card and a PIN. 482 482 00:16:44,340 --> 00:16:45:390 In addition to that, 483 483 00:16:45,390 --> 00:16:48,060 I might have people who are working in a top secret SCIF.
484 484 00:16:48,060 --> 00:16:49,590 Again, in this environment, 485 485 00:16:49,590 --> 00:16:51,360 they're not going to have access to a cell phone 486 486 00:16:51,360 --> 00:16:53,820 or an authenticator app on their cell phone. 487 487 00:16:53,820 --> 00:16:55,770 So, neither of those options would work for us, 488 488 00:16:55,770 --> 00:16:58,650 sending a text message or using an authenticator app. 489 489 00:16:58,650 --> 00:17:00,150 And so instead, we're going to have to rely 490 490 00:17:00,150 --> 00:17:01,920 on something that can meet the control 491 491 00:17:01,920 --> 00:17:03,660 of multifactor authentication 492 492 00:17:03,660 --> 00:17:05,370 while still meeting the environment 493 493 00:17:05,370 --> 00:17:07,080 of being in a classified space, 494 494 00:17:07,080 --> 00:17:09,630 an underwater space, or something like that. 495 495 00:17:09,630 --> 00:17:10,650 Keep these things in mind 496 496 00:17:10,650 --> 00:17:12,300 as you work through your implementations 497 497 00:17:12,300 --> 00:17:13,680 because there are going to be many times 498 498 00:17:13,680 --> 00:17:15,960 where you're not able to meet the control as written 499 499 00:17:15,960 --> 00:17:18,570 because of the environment that you're operating within. 500 500 00:17:18,570 --> 00:17:19,403 Based on that, 501 501 00:17:19,403 --> 00:17:21,210 you're going to have to tailor those controls, 502 502 00:17:21,210 --> 00:17:23,250 and this should be done as a negotiation 503 503 00:17:23,250 --> 00:17:24,630 between your system administrators, 504 504 00:17:24,630 --> 00:17:26,070 who are implementing those controls, 505 505 00:17:26,070 --> 00:17:28,050 and the person who wrote the control.
506 506 00:17:28,050 --> 00:17:30,150 If the control was written very specifically 507 507 00:17:30,150 --> 00:17:33,330 and it says specifically that you must use text messaging 508 508 00:17:33,330 --> 00:17:35,520 as your form of multifactor authentication 509 509 00:17:35,520 --> 00:17:36,960 then you're going to have to go back to that person 510 510 00:17:36,960 --> 00:17:38,310 who selected that control 511 511 00:17:38,310 --> 00:17:40,200 and explain to them why you cannot meet 512 512 00:17:40,200 --> 00:17:41,430 that technical control 513 513 00:17:41,430 --> 00:17:43,320 and come up with an exception to that control 514 514 00:17:43,320 --> 00:17:44,370 that you'll be able to meet 515 515 00:17:44,370 --> 00:17:46,120 based on the operating environment.