NIST SP 800-37

NIST SP 800-37 (RMF)

Gerald Auger Definitive Guide to RMF (2021)

Definitive Guide to RMF (Actionable plan for FISMA Compliance) - YouTube

  1. Video Overview
    1. Duration - 15:40
      1. First two minutes are purely introduction - skip to 2:39
    2. Focus is on NIST SP 800-37
  2. The RMF is a 6-step 7-step continuous cycle to understand and provide a uniform approach to securing information systems
    1. These are the steps:
      1. Prepare (not discussed in Gerald's video)
      2. Categorize
      3. Select
      4. Implement
      5. Assess (Audit)
      6. Authorize
      7. Monitor
  3. RMF Step Guide
    1. Prepare:[2] Setup the organization for success
      1. Identify systems and stakeholders in the business and assign role for executing the RMF
      2. Conduct risk assessments and get a baseline of current risk and security practices
      3. Max note: Without any practical experience myself, I feel like Gerald combined the Prepare and Categorize tasks, and I think that omission would likely make subsequent steps more difficult.
    2. Categorize: Identifying potential impact
      1. FIPS 199 and FIPS 200 are used to identify potential impact of a system
        1. Describes the importance of a system and steps required to secure it
      2. Impact ratings are chosen between High, Moderate, and Low
        1. 80-90% of systems are Moderate impact systems
        2. High ratings are reserved for national security or classified systems
        3. Low ratings are also rare, non-business critical
      3. NIST SP 800-60 provides guidelines on the impact you should assign to certain systems
        1. More on this here: NIST RMF System Categorization Step Hands On (Using SP 800-60 Vol II) - YouTube
    3. Select: Select controls to implement from 800-53R5
      1. Basically a big dictionary with hundreds of controls
      2. We're just baselining, so able to pick and choose as needed
    4. Implement: Implement the controls, the lions-share of the work
      1. Make a "System Security Plan"
        1. This is the book/plan for the documentation of your system
          1. Network diagram, who owns the system, what kind of data is stored, etc.
          2. All the controls to secure the systems and how they are implemented
            1. May be more or less complicated, depending on the size of the organization
        2. Gerald specifically mentions the NIST SP 800-15, but it was withdrawn in September of the year he published his video
      2. If you have any challenges implementing controls, NIST has implementation guides for most systems
        1. Offer tons of instructions and things you can do
    5. Assess: Bring in an independent auditor to inspect your controls
      1. For FISMA or anything else, you will need an external auditor
        1. If this is purely internal, can do it yourself, but it's better to have someone else verify
    6. Authorize: Authorize the system
      1. Basically just a memo from the person responsible authorizing the system to operate
        1. Usually just a page or so with their signature
      2. What's missing in this (as of 2021) is a risk assessment
        1. Use NIST 800-30 to asses risk
          1. Residual risk for controls not implemented, etc.
      3. This grants an Authorization to Operate for 1-3 years, depending on the requirements
    7. Monitor: Monitor the controls
      1. Systems are monitored and brought re-audited at regular intervals
      2. Often the audits are often scheduled to be tested in a kind of sequence to prevent infrequent massive effort

Resources

Official

Supplemental

Articles
Videos

  1. NIST Risk Management Framework | CSRC ↩︎

  2. Not discussed in Gerald's video, but detailed here for reference ↩︎