1
00:00:00,120 --> 00:00:02,880
Now let's move on to step number three,

2
00:00:02,880 --> 00:00:05,070
where we'll select the controls

3
00:00:05,070 --> 00:00:08,370
that will protect your system and the information

4
00:00:08,370 --> 00:00:09,870
that's contained within it.

5
00:00:09,870 --> 00:00:11,370
And just a quick reminder,

6
00:00:11,370 --> 00:00:15,750
controls are the things your organization implements

7
00:00:15,750 --> 00:00:18,810
to meet your cybersecurity, supply chain,

8
00:00:18,810 --> 00:00:21,120
and privacy requirements.

9
00:00:21,120 --> 00:00:25,890
Controls can be technical, administrative, or even physical.

10
00:00:25,890 --> 00:00:29,100
In addition, controls can be sorted into preventative,

11
00:00:29,100 --> 00:00:32,100
detective, or corrective categories.

12
00:00:32,100 --> 00:00:34,290
Let's get into the six tasks

13
00:00:34,290 --> 00:00:37,080
that are inside of step number three.

14
00:00:37,080 --> 00:00:39,360
At the end of Task S-1,

15
00:00:39,360 --> 00:00:41,580
you'll have selected the controls you need

16
00:00:41,580 --> 00:00:44,160
for your system and environment.

17
00:00:44,160 --> 00:00:48,810
RMF says you can select controls in one of two ways.

18
00:00:48,810 --> 00:00:53,580
The first approach is called baseline control selection,

19
00:00:53,580 --> 00:00:56,670
while the second approach is called

20
00:00:56,670 --> 00:01:01,050
an organization-generated control selection.

21
00:01:01,050 --> 00:01:04,620
Now, the first approach, a baseline control selection,

22
00:01:04,620 --> 00:01:08,190
is when you choose a pre-written set of controls

23
00:01:08,190 --> 00:01:10,620
that was made to help your organization

24
00:01:10,620 --> 00:01:13,950
with their security and privacy needs.
25
00:01:13,950 --> 00:01:18,270
In contrast, an organization-generated selection approach

26
00:01:18,270 --> 00:01:21,000
is more of a do-it-yourself way to go,

27
00:01:21,000 --> 00:01:25,170
and you don't start with a predefined set of controls.

28
00:01:25,170 --> 00:01:27,420
If you do it yourself, you'll create

29
00:01:27,420 --> 00:01:32,190
and use your own selection process to choose controls.

30
00:01:32,190 --> 00:01:34,020
This approach may be necessary

31
00:01:34,020 --> 00:01:36,780
if your system is very specialized,

32
00:01:36,780 --> 00:01:39,660
such as a weapon system or a medical device,

33
00:01:39,660 --> 00:01:41,490
or you may need to take this approach

34
00:01:41,490 --> 00:01:43,980
if your system has a limited purpose,

35
00:01:43,980 --> 00:01:46,110
such as a smart meter.

36
00:01:46,110 --> 00:01:50,610
The do-it-yourself approach is more of a bottom-up method,

37
00:01:50,610 --> 00:01:53,070
but it could be more cost-effective

38
00:01:53,070 --> 00:01:56,250
than the baseline control selection approach,

39
00:01:56,250 --> 00:01:58,650
depending on your situation.

40
00:01:58,650 --> 00:02:01,500
Let's look now at Task S-2.

41
00:02:01,500 --> 00:02:03,330
When you finish it, you'll have a collection

42
00:02:03,330 --> 00:02:07,140
of tailored controls that are selected for your system

43
00:02:07,140 --> 00:02:09,660
and the environment that it operates in.

44
00:02:09,660 --> 00:02:11,610
You can use your risk assessments

45
00:02:11,610 --> 00:02:16,200
to guide this tailoring part of the process,

46
00:02:16,200 --> 00:02:18,270
and then you can modify it further

47
00:02:18,270 --> 00:02:21,903
based on your organization's budget and other requirements.
48
00:02:22,740 --> 00:02:25,590
Once you have your list of tailored controls,

49
00:02:25,590 --> 00:02:29,640
you'll use it to complete Task S-3,

50
00:02:29,640 --> 00:02:31,890
which is called control allocation.

51
00:02:31,890 --> 00:02:34,800
In this task, the controls will be designated

52
00:02:34,800 --> 00:02:39,800
as either system-specific, hybrid, or common controls.

53
00:02:40,260 --> 00:02:42,330
Let me explain each one.

54
00:02:42,330 --> 00:02:46,590
Common controls satisfy security and privacy requirements

55
00:02:46,590 --> 00:02:50,160
at the organization level and are inherited

56
00:02:50,160 --> 00:02:53,370
by one or more systems, maybe yours.

57
00:02:53,370 --> 00:02:56,310
Hybrid controls are partially inherited

58
00:02:56,310 --> 00:02:58,110
by one or more systems,

59
00:02:58,110 --> 00:03:01,590
which means your system may or may not inherit controls

60
00:03:01,590 --> 00:03:03,720
that other systems inherit.

61
00:03:03,720 --> 00:03:06,600
And finally, system-specific controls

62
00:03:06,600 --> 00:03:11,190
provide a protective function for a single system.

63
00:03:11,190 --> 00:03:13,560
Now, after you've designated the controls,

64
00:03:13,560 --> 00:03:15,870
then what you do next is you allocate them

65
00:03:15,870 --> 00:03:19,140
to their respective parts of the system.

66
00:03:19,140 --> 00:03:21,210
When you finish Task S-4,

67
00:03:21,210 --> 00:03:24,000
you'll have good documentation of the controls

68
00:03:24,000 --> 00:03:25,770
that you plan to implement.

69
00:03:25,770 --> 00:03:28,380
The documentation of your controls should be included

70
00:03:28,380 --> 00:03:30,630
in your security and privacy plans.
71
00:03:30,630 --> 00:03:33,240
You should also decide if you want your security

72
00:03:33,240 --> 00:03:36,090
and privacy plans to be separate

73
00:03:36,090 --> 00:03:40,140
or to put them together into a single document.

74
00:03:40,140 --> 00:03:44,160
In Task S-5, you'll develop and implement a plan

75
00:03:44,160 --> 00:03:47,550
for how you'll continue to monitor the effectiveness

76
00:03:47,550 --> 00:03:49,890
of the controls that you put into place.

77
00:03:49,890 --> 00:03:52,560
And this plan will define things

78
00:03:52,560 --> 00:03:56,880
like how changes to your system will be monitored

79
00:03:56,880 --> 00:04:00,630
and how risk assessments are to be conducted in the future.

80
00:04:00,630 --> 00:04:03,900
You'll also define reporting requirements.

81
00:04:03,900 --> 00:04:07,830
Continuously monitoring your controls at a system level

82
00:04:07,830 --> 00:04:11,880
is an important aspect of managing the ongoing risk

83
00:04:11,880 --> 00:04:13,110
to your system.

84
00:04:13,110 --> 00:04:15,030
You'll also need to decide how often

85
00:04:15,030 --> 00:04:18,420
to review your controls based on your protection needs

86
00:04:18,420 --> 00:04:22,080
as well as the criticality of each control.

87
00:04:22,080 --> 00:04:24,060
So I want you to ask yourself,

88
00:04:24,060 --> 00:04:28,230
how dire will the situation be if one of your controls

89
00:04:28,230 --> 00:04:32,340
for a specific part of your system should fail?

90
00:04:32,340 --> 00:04:35,880
Now, answering this question should help guide your decision

91
00:04:35,880 --> 00:04:38,430
about assessment frequency.
92
00:04:38,430 --> 00:04:40,830
By the end of Task S-6,

93
00:04:40,830 --> 00:04:42,810
you'll have a complete list of controls

94
00:04:42,810 --> 00:04:45,540
inside your security and privacy plans

95
00:04:45,540 --> 00:04:47,760
that have been reviewed and approved

96
00:04:47,760 --> 00:04:50,280
by your authorizing official,

97
00:04:50,280 --> 00:04:53,498
which is a major RMF milestone.