1
00:00:00,000 --> 00:00:01,170
Now we're going to move on

2
00:00:01,170 --> 00:00:04,380
to step number seven, which is called monitor.

3
00:00:04,380 --> 00:00:08,490
And it's the last step in the risk management framework.

4
00:00:08,490 --> 00:00:11,550
The purpose of the monitor step is to maintain awareness

5
00:00:11,550 --> 00:00:15,210
about the security and privacy posture of your system.

6
00:00:15,210 --> 00:00:17,550
You'll use a strategy of continuous monitoring

7
00:00:17,550 --> 00:00:19,290
during this step.

8
00:00:19,290 --> 00:00:21,540
Your organization's system and environment

9
00:00:21,540 --> 00:00:23,700
will inevitably change in some way,

10
00:00:23,700 --> 00:00:27,630
whether it's changes in software, staff, your facility,

11
00:00:27,630 --> 00:00:31,650
or the way adversaries are trying to exploit your system.

12
00:00:31,650 --> 00:00:35,160
So I want you to be on the lookout for unauthorized changes,

13
00:00:35,160 --> 00:00:38,463
and if you find them, be sure to get to the bottom of it.

14
00:00:39,360 --> 00:00:41,550
When you complete Task M-1,

15
00:00:41,550 --> 00:00:44,220
you'll have updated security and privacy plans,

16
00:00:44,220 --> 00:00:46,470
updated plans of action and milestones,

17
00:00:46,470 --> 00:00:48,240
which is called the POAM,

18
00:00:48,240 --> 00:00:50,670
and you'll have updated security

19
00:00:50,670 --> 00:00:53,310
and privacy assessment reports.

20
00:00:53,310 --> 00:00:57,330
In Task M-2 you'll assess the controls in the system,

21
00:00:57,330 --> 00:01:01,080
very similar to the way you did during the assess step.

22
00:01:01,080 --> 00:01:03,960
After your initial system or control authorization,

23
00:01:03,960 --> 00:01:07,440
you'll have to assess all controls on an ongoing basis.

24
00:01:07,440 --> 00:01:09,270
Assessing control effectiveness

25
00:01:09,270 --> 00:01:11,880
is part of continuous monitoring.

26
00:01:11,880 --> 00:01:13,950
Control assessment should continue

27
00:01:13,950 --> 00:01:17,130
as information you generate from continuous monitoring

28
00:01:17,130 --> 00:01:21,900
is correlated, analyzed and reported to senior officials.

29
00:01:21,900 --> 00:01:24,660
If you have to satisfy the annual FISMA

30
00:01:24,660 --> 00:01:26,730
security assessment requirement,

31
00:01:26,730 --> 00:01:29,340
you can use the assessment results

32
00:01:29,340 --> 00:01:31,740
from your continuous monitoring.

33
00:01:31,740 --> 00:01:33,660
During continuous monitoring

34
00:01:33,660 --> 00:01:36,180
you'll probably run into more risks.

35
00:01:36,180 --> 00:01:39,600
Task M-3 will end with mitigation actions

36
00:01:39,600 --> 00:01:41,850
or risk acceptance decisions,

37
00:01:41,850 --> 00:01:45,960
which you'll document in your security and privacy reports.

38
00:01:45,960 --> 00:01:48,930
Assessments done during continuous monitoring

39
00:01:48,930 --> 00:01:51,120
should be provided to the system owner

40
00:01:51,120 --> 00:01:53,280
and common control provider.

41
00:01:53,280 --> 00:01:54,780
The authorizing official will determine

42
00:01:54,780 --> 00:01:58,440
the best risk response to the new assessment findings,

43
00:01:58,440 --> 00:02:02,280
or they may approve whatever the system owner proposes

44
00:02:02,280 --> 00:02:03,750
as a solution.

45
00:02:03,750 --> 00:02:05,940
Then the system owner will implement

46
00:02:05,940 --> 00:02:08,790
the appropriate risk response.

47
00:02:08,790 --> 00:02:11,100
When you complete Task M-4,

48
00:02:11,100 --> 00:02:15,540
you'll have an updated security and privacy report

49
00:02:15,540 --> 00:02:19,410
detailing the findings from Task M-3.

50
00:02:19,410 --> 00:02:22,260
Now, to achieve near real-time risk management,

51
00:02:22,260 --> 00:02:23,850
your organization will have to update

52
00:02:23,850 --> 00:02:27,600
security and privacy plans, assessment reports,

53
00:02:27,600 --> 00:02:31,800
and plans of action and milestones on an ongoing basis.

54
00:02:31,800 --> 00:02:33,570
The frequency of these updates

55
00:02:33,570 --> 00:02:36,030
is at the discretion of the system owner,

56
00:02:36,030 --> 00:02:39,333
common control provider, and authorizing official.

57
00:02:40,680 --> 00:02:42,180
Make sure to track changes

58
00:02:42,180 --> 00:02:43,740
in your security and privacy plans

59
00:02:43,740 --> 00:02:46,203
throughout your continuous monitoring.

60
00:02:47,160 --> 00:02:49,140
In Task M-5 you'll report

61
00:02:49,140 --> 00:02:51,660
the system security and privacy posture

62
00:02:51,660 --> 00:02:53,850
to your authorizing official.

63
00:02:53,850 --> 00:02:55,950
All of the documents that were updated

64
00:02:55,950 --> 00:02:59,670
in the authorization package back in Task M-4

65
00:02:59,670 --> 00:03:02,220
will be reported to the authorizing official

66
00:03:02,220 --> 00:03:04,140
on an ongoing basis.

67
00:03:04,140 --> 00:03:07,710
This reporting can be event driven, time driven,

68
00:03:07,710 --> 00:03:09,870
or a combination of both.

69
00:03:09,870 --> 00:03:12,840
This means that you can either report when something happens

70
00:03:12,840 --> 00:03:15,300
or if a certain amount of time has passed.

71
00:03:15,300 --> 00:03:17,910
How your report is written and formatted

72
00:03:17,910 --> 00:03:20,100
is up to you and your organization,

73
00:03:20,100 --> 00:03:23,280
with the ultimate goal being to effectively communicate

74
00:03:23,280 --> 00:03:25,680
your security and privacy posture

75
00:03:25,680 --> 00:03:28,080
to your authorizing official.

76
00:03:28,080 --> 00:03:30,180
At a minimum, you should summarize changes

77
00:03:30,180 --> 00:03:34,320
to security and privacy plans, assessment reports,

78
00:03:34,320 --> 00:03:37,983
and plans of action and milestones since the last report.

79
00:03:38,820 --> 00:03:40,830
The goal of Task M-6

80
00:03:40,830 --> 00:03:44,220
is to have an ongoing authorization process,

81
00:03:44,220 --> 00:03:46,620
along with assessing and reporting.

82
00:03:46,620 --> 00:03:49,860
Your authorizing official will also have to authorize

83
00:03:49,860 --> 00:03:51,720
all the ongoing changes

84
00:03:51,720 --> 00:03:55,440
and your security and privacy posture.

85
00:03:55,440 --> 00:03:59,850
Task M-7 is the last task in the monitoring step.

86
00:03:59,850 --> 00:04:01,800
When you complete Task M-7

87
00:04:01,800 --> 00:04:04,620
you'll have a system disposal strategy.

88
00:04:04,620 --> 00:04:07,590
Several risk management actions are required

89
00:04:07,590 --> 00:04:10,440
when putting a system out of commission.

90
00:04:10,440 --> 00:04:14,370
Controls addressing system disposal have to be implemented,

91
00:04:14,370 --> 00:04:17,460
such as media sanitization,

92
00:04:17,460 --> 00:04:20,130
configuration management and control,

93
00:04:20,130 --> 00:04:24,150
component authenticity, and record retention.

94
00:04:24,150 --> 00:04:26,700
Organizational tracking and management systems,

95
00:04:26,700 --> 00:04:29,910
like inventory systems, will need to be updated to show

96
00:04:29,910 --> 00:04:32,490
that the system is being disposed of.

97
00:04:32,490 --> 00:04:35,280
Users and application owners hosted on the system

98
00:04:35,280 --> 00:04:37,500
have to be notified in a timely manner,

99
00:04:37,500 --> 00:04:40,863
and security and privacy reports must be updated.

100
00:04:41,970 --> 00:04:44,250
I want you to ensure that your disposal

101
00:04:44,250 --> 00:04:47,220
complies with federal laws, regulations,

102
00:04:47,220 --> 00:04:49,893
directives, policies, and standards.