Part 3 of this tutorial overview of cybersecurity focuses on the U.S. Department of Defense (DoD) and its closer alignment with cybersecurity initiatives and standards in other parts of the Government. These alignments include the Risk Management Framework for DoD IT systems (RMF for DoD IT) as successor to DIACAP, and the adoption of NIST SP 800-53 as the basis for all National Security Systems (NSS, which include those for DoD) security controls upon which tailoring according to CNSSI 1253 is applied.
Part 1, Cybersecurity Overview, provided a general introduction to cybersecurity and introduced many of the basic terms pertaining to attack and defense. Part 2, Cybersecurity and the U.S. Government, discussed the latter’s prominent role in the field and introduced many of the commonly encountered Government cybersecurity organizations, references and standards.
Following the cross-Governmental cooperation of the Joint Task Force Transformation Initiative Working Group (JTF) to develop a unified cybersecurity framework, and in alignment with that goal, the DoD Chief Information Officer (CIO) announced changes to DoD cybersecurity (formerly, information assurance or IA) policies and practices in March 2014. Highlighting some of these changes:
- DoD-wide adoption of the term “cybersecurity” instead of “information assurance (IA)”.
- Key policy document DoD Directive (DoDD) 8500.01E was reissued as DoD Instruction (DoDI) 8500.01.
- DoDI 8500.01 incorporates by reference, among others, NIST SP 800-37, 800-53 and 800-53A (discussed in Part 2), CNSSI 1253 (discussed below), and the reissued DoDI 8510.01 (discussed below).
- DoDI 8500.2 (often as 8500.02), an IA implementation and controls guidance document, has been cancelled and incorporated into the reissued DoDI 8500.01.
- DoDI 8510.01 has been reissued to present the new Risk Management Framework (RMF) for DoD Information Technology (IT), RMF for DoD IT, which manages the life-cycle cybersecurity risk to DoD IT.
- The RMF for DoD IT (also in context called “RMF”) replaces DIACAP, the DoD Information Assurance Certification and Accreditation Process.
- Incorporated by reference in DoDI 8500.01 and DoDI 8510.01, CNSSI 1253 (Committee on National Security Systems Instruction 1253, “Security Categorization and Control Selection for National Security Systems,” March 15, 2012/March 27, 2014**) provides guidance on information system categorization, controls to be implemented from SP 800-53, and tailoring and potential expansion of controls for the DoD/NSS environment. (**Although the March 15, 2012 revision of CNSSI 1253 was referenced, it has been superseded by the March 27, 2014 revision.)
- Adoption of classification of systems and security levels per FISMA with Impact Values (LOW, MODERATE, HIGH) and Security Objectives (Confidentiality, Integrity and Availability (C, I and A)). These replace Mission Assurance Category (MAC) Levels I, II and III and corresponding confidentiality levels (Classified, Sensitive and Public).
- Unlike FIPS 200, which applies the High Water Mark (HWM) to assign a single value (LOW, MODERATE or HIGH) to the Information System for selecting the security control baseline (discussed in Part 2), CNSSI 1253 assigns and retains discrete security control baseline values for C, I and A, which provides more granular control of security baselines.
Key References in DoD Cybersecurity: DoDI 8500.01, DoDI 8510.01, NIST SP 800-53 and CNSSI 1253
There are many references named in DoD cybersecurity, but DoDI 8500.01, DoDI 8510.01, NIST SP 800-53 (discussed in depth in Part 2) and CNSSI 1253 are foundational and merit discussion.
Like most DoD Instructions, DoDI 8500.01 is issued as a memo with a number of attachments. The single-word subject of DoDI 8500.01 is “Cybersecurity”. DoDI 8500.01 is a reissue and renaming of DoD Directive (DoDD) 8500.01E. In a sense, DoDI 8500.01 is a policy statement in that it defines/incorporates a number of standards by reference (list of References in Enclosure 1), delineates a broad range of functions and responsibilities (Enclosure 2) starting with the DoD CIO, and outlines a range of responsibilities (Enclosure 3). “Enclosures” are akin to attachments or appendices.
Some of the policies outlined in DoDI 8500.01 are significant. For example, References include:
- NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (Reference (ch))
- NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations (Reference (cj))
- NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations (Reference (ck))
- CNSSI 1253 (Committee on National Security Systems Instruction 1253), Security Categorization and Control Selection for National Security Systems (Reference (ci))
- DoDI 8510.01, Subject: Risk Management Framework (RMF) for DoD Information Technology (IT) (Reference (q))
The reference to NIST SP 800-53 is noteworthy because that standard in turn references FISMA and FIPS 199. Significantly, DoDI 8500.2 (often as 8500.02), an IA implementation and controls guidance document, has been cancelled and incorporated into the reissued DoDI 8500.01, meaning that some well-known DoD naming conventions also have been supplanted. For example, classifications by Mission Assurance Category (MAC) Levels I, II and III and corresponding confidentiality levels (Classified, Sensitive and Public) have been supplanted by Impact Values (LOW, MODERATE, HIGH) and Security Objectives (Confidentiality, Integrity and Availability (C, I and A)). These are discussed in Part 2. Additionally, the DoD Information Assurance Certification and Accreditation Process, DIACAP, has been replaced by the Risk Management Framework for DoD IT systems (RMF for DoD IT, or “RMF” in context).
DoDI 8500.01 also established the DoD-wide adoption of the term “cybersecurity” instead of “information assurance (IA)”.
As noted, the subject of DoDI 8510.01 (March 12, 2014) is Risk Management Framework (RMF) for DoD Information Technology (IT). It is a reissuance and renaming of DoDI 8510.01, DoD Information Assurance Certification and Accreditation Process (DIACAP), dated November 28, 2007. Therefore, Certification and Accreditation (C&A) is now obtained within the RMF for DoD IT.
DoDI 8510.01 has eight Enclosures: 1) References, 2) Responsibilities, 3) RMF Procedures, 4) RMF Governance, 5) Cybersecurity Reciprocity, 6) Risk Management of IS and PIT Systems (Information System and Platform IT), 7) KS (Knowledge Service), and 8) RMF Transition (vis-à-vis system status with DIACAP).
Of note in Enclosure 1, References, is the inclusion of:
- NIST SP 800-37 (Reference (c)), FISMA (Reference (d), discussed in Part 2), CNSSI 1253 (Reference (e)), and NIST SP 800-53 (Reference (f)) in establishing the RMF for DoD IT, and
- NIST SP 800-53A (Reference (g)), DoDI 8500.01 (Reference (h)), NIST SP 800-39 (Reference (i)), NIST SP 800-30, Guide for Conducting Risk Assessments (Reference (j)), and DoDD 8000.01, Management of the DoD Enterprise, February 10, 2009 (Reference (k)) in managing the lifecycle cybersecurity risk to DoD IT.
Enclosure 3, RMF Procedures, discusses the use of SRGs (Security Requirements Guides) and STIGs (Security Technical Implementation Guides). SRGs provide general security compliance guidelines and serve as source guidance documents for STIGs. There are two levels of SRG, core (more conceptual) and technology. STIGs document applicable DoD policies and security requirements for specific technical products, as well as best practices and configuration guidelines. They are a DoD form of a Secure Host Baseline (SHB), a pre-configured and security-hardened machine-ready image that contains an organization’s common OS and application software. STIGs contain technical guidance to “lock down” information systems/software against malicious attacks. If a specific STIG is not available, then the approach is to work according to the guidelines of the applicable SRG.
Enclosure 6, Risk Management of IS and PIT Systems, is the core explanation about implementing RMF for DoD IT systems. It “describes the DoD process for identifying, implementing, assessing, and managing cybersecurity capabilities and services, expressed as security controls, and authorizing the operation of IS and PIT systems” and “is designed to be a companion guide” to NIST SP 800-53 “providing specific guidance for implementation within DoD”. While recognizing multiple authorization approaches, Enclosure 6 defines the authorization process for a single Authorizing Official (AO, formerly known as the DAA, Designated Approval Authority).
Enclosure 6 provides a detailed outline of the RMF steps for IS and PIT systems, which are well captured and summarized in Figure 1 based on the figure in Enclosure 6.
Figure 1. RMF for DoD IT: Risk Management Framework for DoD Information Systems (IS) and Platform IT (PIT).
NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations (Rev. 4, April 2013 and updated January 2014)
As noted above, NIST SP 800-53 is now the basis for security controls for all NSS (which include DoD IT systems). It provides a comprehensive set of security controls, three security control baselines (Low, Moderate, and High impact), and guidance for tailoring the appropriate baseline to specific needs according to the organization’s missions, environments of operation, and technologies used. It is presented in depth in Part 2.
The Committee on National Security Systems (CNSS), a member of the JTF, sets cybersecurity policies, directives, instructions, operational procedures, guidance and advisories for U.S. Government NSS (which include DoD IT systems). The CNSS developed CNSS Instruction No. 1253 (CNSSI 1253) to provide guidance for all NSS on Steps 1 and 2 of the RMF (Figure 1 above), Categorize and Select, relative to the NIST publications on these steps (i.e., NIST SP 800-37, -53 and -60; and FIPS 199, see Part 2).
Overlays address additional factors (beyond impact) or diverge from the assumptions used to create the security control baselines. CNSSI 1253 also provides NSS-specific information on developing and applying overlays for the national security community and parameter values for NIST SP 800-53 security controls that are applicable to all NSS.
CNSSI 1253 also provides guidance on the areas where categorization and selection differ for NSS. Most notably, areas of difference from NIST publications that are outlined in CNSSI 1253 include:
- While the CNSS adopts the impact value (Low, Moderate, High) and security objective (Confidentiality, Integrity, and Availability (C, I and A)) approach of FIPS 199, it does not adopt FIPS 200’s high water mark (HWM) concept in categorizing information systems. As outlined in CNSSI 1253, preserving the three discrete components, rather than using the HWM, provides granularity in allocating security controls to baselines and reduces the need for subsequent tailoring. (This is discussed further below and will be more apparent in Figure 2.)
- The definitions for MODERATE and HIGH impact are refined from those provided in FIPS 199**.
- The associations of Confidentiality, Integrity, and/or Availability to security controls are explicitly defined within CNSSI 1253.
Guidance on Information System Security Categorization, RMF Step 1
Steps in categorizing the security of the IS (Step 1 in the RMF, Figure 1 above) include:
- Determining the impact values for all information types interacting with the IS and for the IS itself. Key references are FIPS 199 and NIST SP 800-60 (Guide for Mapping Types of Information and Information Systems to Security Categories, Volumes I and II). Section 3.2.2 of CNSSI 1253 is instructive for tailoring guidance.
- Identifying overlays that apply to the IS and its operating environment to account for additional factors (beyond impact) that influence the selection of security controls. As CNSS overlays are developed, they are published as attachments to Appendix F of CNSSI 1253.
All of the above is to be documented in the security plan.
Guidance on Information System Security Control Selection, RMF Step 2
Once the security categorization of the IS is complete, the general steps to security control selection are selecting the initial security control set and then tailoring its elements.
Selecting the Initial Security Control Set
Key steps in selecting the initial security control set:
- Select the baseline security controls identified from Table D-1 in (CNSSI 1253) Appendix D corresponding to the security category of the system (i.e., the impact values determined for each security objective (C, I and A)).
- Apply any overlay(s) identified as applicable during security categorization, RMF Step 1.
In Table D-1, the NIST SP 800-53 Baselines are expressed as “X” and the Additional SP 800-53 Controls Needed for NSS are expressed as a “+” sign. Therefore, in Table D-1, the NSS Baseline per control element (row) is indicated by the X and the + sign (Figure 2; note, for example, rows AC-2(4) and (5) and the need for additional controls). Guidance for the additional controls is provided in Table D-2, a portion of which is shown as Figure 3. Figure 2 also shows that each security objective maintains its own Low, Moderate or High impact value, as opposed to the HWM concept of FIPS 200.
Note that overlays are baseline-independent, meaning that they can be applied to any NSS baseline (e.g., High-Moderate-Moderate or Low-Low-Low), potentially resulting in an overlap of security controls between those of the baseline and the overlay.
Figure 2. Portion of Table D-1 of CNSSI 1253 Appendix D showing Initial Security Control Set requirements as NSS Baseline (X) and additional controls (+) required for NSS. Note independence of L, M and H impact values within C, I and A security objectives as opposed to a HWM concept. (Table D-1 of CNSSI 1253 is comprehensive, essentially building on NIST SP 800-53 Tables D-2 through D-19.)
Figure 3. Portion of Table D-2 of CNSSI 1253 Appendix D showing guidance on additional control requirements (“+” signs in certain rows in Table D-1) and which controls might be implemented as a common control.
Document the above in the security plan.
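The two procedures above (Step 1, categorizing the IS from its information types, and Step 2, selecting the initial control set from Table D-1 and applying overlays) can be worked through end to end. The following Python example is added to this tutorial and is not code from CNSSI 1253, NIST or DoD; the information types, the Table D-1 cell markers and the overlay are constructed for illustration and are not the real values in Appendix D, and the function names (categorize, high_water_mark, select_initial_controls, apply_overlay, controls_added_by_hwm) are this example’s own. It also generalizes the text slightly by computing the FIPS 200 HWM selection alongside the CNSSI 1253 discrete C/I/A selection, so the difference in the resulting control set is visible.

```python
# Worked example added to this tutorial; not code from CNSSI 1253, NIST or DoD.
# All information types, Table D-1 cells and the overlay below are constructed
# for illustration and are NOT the real values from the standards.

IMPACT_ORDER = {"LOW": 0, "MODERATE": 1, "HIGH": 2}
OBJECTIVES = ("C", "I", "A")  # confidentiality, integrity, availability


def categorize(info_types):
    """RMF Step 1: the impact value of each security objective is the highest
    value assigned to that objective across all information types the system
    handles (FIPS 199 / NIST SP 800-60 method). The result is kept as a
    discrete C/I/A triple, as CNSSI 1253 requires."""
    sc = {o: "LOW" for o in OBJECTIVES}
    for values in info_types.values():
        for o in OBJECTIVES:
            if IMPACT_ORDER[values[o]] > IMPACT_ORDER[sc[o]]:
                sc[o] = values[o]
    return sc


def high_water_mark(sc):
    """FIPS 200 approach: collapse the triple to its single highest value."""
    return max(sc.values(), key=IMPACT_ORDER.__getitem__)


# Constructed mini Table D-1 (assumption: NOT the real CNSSI 1253 content).
# Each objective has a three-character cell string for LOW/MODERATE/HIGH:
#   'X' = control already in the SP 800-53 baseline at that impact value
#   '+' = additional control required for NSS (consult Table D-2)
#   '.' = not required at that impact value
TABLE_D1 = {
    "AC-2":    {"C": "XXX", "I": "XXX", "A": "..."},
    "AC-2(4)": {"C": ".+X", "I": ".+X", "A": "..."},
    "AC-2(5)": {"C": "..X", "I": "...", "A": "..."},
    "SC-8":    {"C": ".XX", "I": ".XX", "A": "..."},
    "CP-9":    {"C": "...", "I": "...", "A": ".XX"},
}


def select_initial_controls(sc, table):
    """RMF Step 2, first part: walk Table D-1 and pick every control whose
    cell for (objective, impact value of that objective) carries 'X' or '+'.
    A control reached only through '+' cells is reported as '+' so the
    analyst knows to consult Table D-2 (presentation choice of this example)."""
    selected = {}
    for control, row in table.items():
        markers = {row[o][IMPACT_ORDER[sc[o]]] for o in OBJECTIVES}
        if "X" in markers:
            selected[control] = "X"
        elif "+" in markers:
            selected[control] = "+"
    return selected


def apply_overlay(selected, overlay):
    """RMF Step 2, second part: overlays are baseline-independent, so the
    union is taken; the overlap with the baseline is returned as well."""
    baseline = set(selected)
    return baseline | overlay, baseline & overlay


def controls_added_by_hwm(sc, table):
    """Controls a FIPS 200 single-value HWM selection would pull in that the
    CNSSI 1253 discrete triple does not (the tailoring CNSSI 1253 avoids)."""
    hwm = {o: high_water_mark(sc) for o in OBJECTIVES}
    return set(select_initial_controls(hwm, table)) - set(select_initial_controls(sc, table))


# Constructed information types for one hypothetical IS.
INFO_TYPES = {
    "personnel records":  {"C": "MODERATE", "I": "MODERATE", "A": "LOW"},
    "public web content": {"C": "LOW",      "I": "MODERATE", "A": "LOW"},
    "logistics status":   {"C": "LOW",      "I": "LOW",      "A": "HIGH"},
}

# Constructed overlay (assumption; no real CNSS overlay is represented).
EXAMPLE_OVERLAY = {"AC-2(5)", "SC-8"}

if __name__ == "__main__":
    sc = categorize(INFO_TYPES)
    print("Security category (C, I, A):", sc)
    print("FIPS 200 high water mark:  ", high_water_mark(sc))
    selected = select_initial_controls(sc, TABLE_D1)
    print("NSS baseline from Table D-1:", selected)
    combined, overlap = apply_overlay(selected, EXAMPLE_OVERLAY)
    print("After overlay:", sorted(combined), "overlap:", sorted(overlap))
    print("Extra controls a HWM selection would add:", controls_added_by_hwm(sc, TABLE_D1))
```

With the constructed inputs the IS categorizes as C MODERATE, I MODERATE, A HIGH. The discrete triple selects AC-2, SC-8 and CP-9 as X and flags AC-2(4) with a + (Table D-2 guidance applies), while a HWM of HIGH would additionally pull in AC-2(5); the overlay then adds AC-2(5) and overlaps the baseline on SC-8, which is the overlap situation noted above.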
Tailoring the Initial Security Control Set
Tailoring modifies and aligns the initial control set to more closely account for conditions affecting the specific system (i.e., conditions related to organizational missions/business functions, information systems, or environments of operation).
- Tailor the initial security control set using Table D-2 (as above); NIST SP 800-53, Section 3.2.8; and CNSSI 1253 Appendix E, Security Control Parameter Values. Appendix E defines the actual values for NSS, as illustrated in Figure 4 below, showing a portion of Table E-1.
Figure 4. Example of control parameters defined for NSS in CNSSI 1253 Appendix E, Table E-1.
- Determine whether or not additional assurance-related controls are needed to increase the level of trustworthiness in the information system. If so, tailor the set of controls accordingly. (See NIST SP 800-53, Appendix E, Assurance and Trustworthiness, Measures of Confidence for Information Systems.)
Document the above in the security plan.
FedRAMP and Security Controls for DoD Cloud Services
As discussed in Part 2, FedRAMP is a Government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The FedRAMP security controls use NIST SP 800-53 Rev. 3 (Rev. 4 going forward) controls for LOW and MODERATE impact systems as the basis and then add further controls and enhancements to address the unique elements of cloud computing. Cloud Service Providers (CSPs) implement the FedRAMP security requirements and ultimately secure a Provisional Authority to Operate (P-ATO) from the FedRAMP Joint Authorization Board (JAB) or a narrower, specific agency-based ATO.
For the cloud security model for the DoD, the Defense Information Systems Agency (DISA) has classified information systems according to six impact levels. Levels 1-5 handle increasingly controlled unclassified information. (Level 1 is for unclassified, public information, level 2 is for unclassified information with limited access, and impact levels 3-5 deal with controlled unclassified information, CUI, of increasing confidentiality.) Level 6 is for classified information. Security controls for all six levels do rely upon FedRAMP as their basis, but each level adds further controls and enhancements. Impact level 1 uses FedRAMP Low impact as its basis, while FedRAMP Moderate is the basis for impact levels 2-6.
This process is in line with that described above for selecting the Initial Security Control Set for NSS. In this case the baseline is FedRAMP (which uses NIST SP 800-53 as its baseline) to which additional controls, and any overlays, are applied.
Summary of Part 3
Part 3 of our three-part cybersecurity tutorial (Part 1, Part 2) has focused on cybersecurity and the U.S. Department of Defense (and all NSS). We have seen the impact of the JTF in changes to DoD cybersecurity policy. Importantly, we note the acceptance of NIST standards as the baseline of NSS security policy and controls, upon which additional controls and policies are placed for the special requirements of NSS. If you want to watch the video version of Part 3, look for it at the bottom of the cybersecurity landing page.
The author of this three-part tutorial, Darrell Tanno, often engages in proposal support work and other marketing activities on a contract basis. If you want to contact me about an assignment for your company, please either drop me a gmail at darrell.tanno or call me at 202-640-3932.
**Specifically, for DoD/NSS interpret the FIPS 199 amplification for the moderate and high potential impact values, as if the phrase “exceeding mission expectations.” were appended to the end of the sentence in FIPS 199, Section 3. For example, under the HIGH potential impact: “AMPLIFICATION: A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a severe degradation…. or (iv) result in severe or catastrophic harm to individuals exceeding mission expectations”.