Cyber National Security: NSS and Non-NSS


Through National Security Systems (NSS) and non-National Security Systems (non-NSS), the Federal government and corporations use the Risk Management Framework (RMF) as a solution for aligning cybersecurity across domestic, national and international cyber-related issues. Examining NSS and non-NSS from the perspective of the United States is significant because the country is a state actor with many cybersecurity capabilities. The U.S. uses cybersecurity to protect its assets domestically and abroad; cybersecurity is also a part of military strategy and operations, as well as the protection of critical infrastructure. The dichotomy between NSS and non-NSS means that the two strategies differ in their steps, tasks, controls, control enhancements, overlays and baselines.

Since the U.S. has many networks for telecommunications and internet, there is always the need for government and private cybersecurity professionals to discover methods by which to secure American networks and systems. The Department of Homeland Security (DHS) is responsible for implementing cybersecurity resources into domestic cases of cyberattack and cybercrime. The Department of Defense (DoD) uses US Cyber Command to handle international cybersecurity issues. However, there are distinct qualities exhibited by each agency as it regards NSS and non-NSS.

NSS and non-NSS have many commonalities and differences. The primary difference between them is that NSS is implemented by the government, whereas non-NSS has no connection with Federal networks and systems. RMF step one, categorize, occurs differently between the two solutions: for NSS, the category is determined by the head of the responsible government agency, or a member of the Committee on National Security Systems (CNSS) provides the categorization in step one. With non-NSS, the Secretary of Commerce or an individual chosen by executive staff determines the categorization by applying the measures in publications by the National Institute of Standards and Technology (NIST).

On the surface, it appears that implementing an RMF for NSS is more complex than for non-NSS. The former has to identify a specific person within the government to oversee its implementation and follow the CNSS’s guidelines regarding categorization. Non-NSS, on the other hand, can be handled by a broader spectrum of managers with a less complex way of determining the baseline.

CNSS conducts the research and development needed to provide cybersecurity solutions for NSS. The CNSS provides technical support, risk assessments and mitigation strategies. It provides a technical base for government systems and also collects intelligence from private corporations and open sources. The information collected can be introduced as recommendations for future policy updates. A member of the DoD serves as chairman of CNSS. The remaining members come from 21 U.S. departments and agencies, including the CIA, DIA, DoD, DOJ, FBI, NSA, National Security Council and U.S. military. The CNSS is a complex organization that has various subcommittees and is responsible for training government cybersecurity personnel.

Even though the introduction of CNSS makes implementing RMF for NSS more complex, this perception probably goes away quickly once cybersecurity personnel gain familiarity with the process. Having a political figure involved and a more complex categorization strategy are aspects that cybersecurity personnel become accustomed to when using a Federal RMF.

The publication NIST SP 800-53 is used to determine security control baselines for both NSS and non-NSS. However, the two differ in how they assign an impact level to the baseline. Non-NSS systems are categorized as “low”, “moderate” or “high” as outlined in FIPS 199. NSS uses a strategy defined by CNSSI rather than FIPS 199: each component of the CIA Triad is categorized separately as “low”, “moderate” or “high” according to the impact on the confidentiality, integrity and availability of data and technical resources. Therefore, NSS categorization has three metrics and non-NSS has only one. Both approaches use NIST SP 800-53 to decide which controls to implement after the categorization stage. It is important for cybersecurity professionals to be well-versed in the first step of the RMF process under both approaches. Some cybersecurity professionals may spend part of their career working in government and another part in the private sector, so it is essential for them to know how to carry out step one for either NSS or non-NSS in order to conduct the RMF effectively. After step one is complete, the remaining steps of the RMF are the same between the two approaches.

Also, knowing how to approach both NSS and non-NSS can help cybersecurity professionals who take a consulting role at an organization. They will be able to draw a distinction between the two and make recommendations on the types of tasks, controls and control enhancements that their clients should implement.

For NSS and all the other government departments, there is a mandate that urges all staff members to use CNSSI 1253, a policy entitled “Security Categorization and Control Selection for National Security Systems”. The instruction establishes a comprehensive set of security controls and enhancements, provides tailoring guidance, uses documentation formatted the way it is in NIST SP 800-53, and defines the categorization process for NSS. It also has implications for the types of controls that should be selected for implementation by NSS. It does not mandate specific controls, but the documentation guides the cybersecurity professional toward some security possibilities. With non-NSS, the categorization step does not provide implicit directions on the types of controls that should be used for the RMF.

Non-NSS relies on NIST publications, but NSS incorporates CNSSI 1253, which distinguishes it in four key areas: it retains impact levels (each of the three categorization objectives receives a level of “low”, “moderate” or “high”), adds factors (regarding how information is transmitted through the system), implements overlays (which add functionality to the security control baselines), and defines explicit controls (which attempt to reduce the cost and time of the RMF). CNSSI determined that NSS at baseline has the following control families: AC, AU, CA, CM, CP, IA, IR, MA, MP, PE, PL, PS, RA, SA, SC, SI and PM. Access Control (AC) at baseline is an effective cybersecurity strategy for NSS, as it has many practical controls that can be implemented that are technically sound and non-threatening to the CIA Triad. Cybersecurity personnel will implement AC controls that correspond to the three categorization levels found in step one, which may result in a string of several controls needing to be applied.
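The difference described above, one overall impact level for non-NSS versus three retained C/I/A levels for NSS, is easiest to see in code. The following is an added example, not part of the original essay: it derives both categorizations from a constructed set of information types using the high-water-mark rule, then shows how each result drives baseline control selection. The control thresholds and information types are constructed for illustration and are not copied from NIST SP 800-53B or CNSSI 1253.

```python
from dataclasses import dataclass

LEVELS = {"low": 1, "moderate": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")

@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str

def high_water(values):
    """Return the highest impact level name among the given values."""
    return NAMES[max(LEVELS[v] for v in values)]

def categorize_nss(info_types):
    """CNSSI 1253 style: one high-water mark per objective, all three kept."""
    return {obj: high_water(getattr(t, obj) for t in info_types)
            for obj in OBJECTIVES}

def categorize_non_nss(info_types):
    """FIPS 199/200 style: collapse the C/I/A triple to a single overall level."""
    return high_water(categorize_nss(info_types).values())

# Constructed sample catalog (not SP 800-53B): for each control, the lowest
# level of each objective at which it joins the baseline (None = never).
SAMPLE_CATALOG = {
    "AC-2":  {"confidentiality": "low", "integrity": "low", "availability": "low"},
    "AC-6":  {"confidentiality": "moderate", "integrity": "moderate", "availability": None},
    "CP-9":  {"confidentiality": None, "integrity": None, "availability": "moderate"},
    "SC-28": {"confidentiality": "moderate", "integrity": "moderate", "availability": None},
}

def select_nss(triple, catalog=SAMPLE_CATALOG):
    """A control is selected if any objective's level reaches its threshold."""
    return sorted(c for c, th in catalog.items()
                  if any(th[o] and LEVELS[triple[o]] >= LEVELS[th[o]] for o in OBJECTIVES))

def select_non_nss(level, catalog=SAMPLE_CATALOG):
    """The single overall level is compared against every objective threshold."""
    return select_nss({o: level for o in OBJECTIVES}, catalog)

SAMPLE_SYSTEM = [  # constructed information types for the demonstration
    InfoType("public web content", "low", "moderate", "low"),
    InfoType("personnel records", "moderate", "moderate", "low"),
]
```

With this sample, the non-NSS high-water mark of “moderate” pulls in the availability-driven control CP-9, while the NSS triple keeps availability at “low” and leaves it out.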

It is important for cybersecurity personnel to keep in mind that there is a step zero in the RMF, the prepare stage. It exists in both NSS and non-NSS and is implemented by both government and non-government organizations. Cybersecurity policies should state that staff engage in the prepare process every time an RMF is needed. The prepare step is a preliminary opportunity to pool together the resources needed for the RMF at the organization level, the mission and business process level, and the information system level. The prepare tasks have outcomes at both the organization level and the information system level. It is also important to remember that, before applying all of the controls, it may be convenient for the RMF to carry out the tasks first in order to provide resources, then add the controls on top of them, and then use control enhancements should cybersecurity personnel deem it necessary.

Prepare tasks at the organizational level are a significant part of step 0. Tasks P-1 to P-7 apply to the following: risk management roles, risk management strategy, risk assessment (organization), organizationally-tailored control baselines and cybersecurity framework profiles, common control identification, impact-level prioritization, and continuous monitoring strategy (organization). Each selected task generates a specific output that cybersecurity personnel use throughout the RMF process. Prepare tasks at the system level, Tasks P-8 to P-18, include the following inputs: mission or business focus, system stakeholders, asset identification, authorization boundary, information types, information life cycle, risk assessment (system), requirements definition, enterprise architecture, requirements allocation and system registration. These tasks also produce a positive outcome for the RMF and for the controls that will be added in subsequent steps.

After the prepare step is complete, a good RMF strategy is to implement the Access Control (AC) family inputs. AC is a control family of 25 controls created to provide technical resources to cybersecurity personnel through the RMF. Each control is assigned to a baseline of “low”, “moderate” or “high”. There are also priority codes that tell the cybersecurity professional the order in which to apply these controls. Controls AC-1 to AC-25 apply the following inputs, among many others: access control policies and procedures, account management, separation of duties, least privilege, system use notification, remote access and wireless access. The AC-6 control enhancements derive the following inputs: authorize access to security functions, non-privileged access for non-security functions, network access to privileged commands, auditing use of privileged functions, and prohibiting non-privileged users from executing privileged functions. The outputs of the control enhancements provide cybersecurity personnel with an extra layer of security and additional functionality.

The Risk Assessment (RA) control family, six controls at baseline, is often a complementary strategy to the AC family. RA controls have the following inputs: risk assessment policy and procedures, security categorization, risk assessment, risk assessment update, vulnerability scanning, and technical surveillance countermeasures survey. The RA-5 control (vulnerability scanning) is one of the most effective strategies for reducing risk in the RMF. Its control enhancements have further inputs: update tool capability, update by frequency/prior to new scan/when identified, discoverable information, and privileged access. Using the AC and RA controls together provides cybersecurity personnel with effective technical and management resources for conducting a sound RMF.

After the controls are implemented, cybersecurity personnel often go through a second round of tailoring using overlays, technical and non-technical components that can further tailor the baseline controls. There are many different types of overlays that can be selected; one of the most common is the overlay that responds to insider threats. Other overlays include the space platform, intelligence, classified information and privacy overlays. It is important to take a cybersecurity perspective that includes the possibility of insider threats while running an RMF for government or non-government agencies. Establishing overlays that can protect systems and networks from insider threats should be included in every enterprise’s RMF strategies and operations. Sometimes the greatest threat to the organization is a disgruntled employee who causes deliberate damage, or someone who has made a human error. Providing an overlay adds a physical or digital fourth wall of security during the operation of tasks, controls and control enhancements. Therefore, a successful implementation of the RMF promotes security in those four key areas, which at the end of the process work together to solve or reduce risk within information systems while promoting the CIA Triad. The overlay exists to provide supplemental guidance for the tailoring process, which makes the RMF more efficient and successful.

Security should be baked into an RMF solution rather than bolted on. Focusing on security should be the perspective of the individual or team responsible for implementing the RMF. They should know not to underestimate step 0, prepare, because this step readies them to make a proper categorization and establish a baseline. Step two, select, is one of the most important steps because it introduces the specific security controls that will be applied throughout the RMF. At this point, when an overlay is introduced it provides guidance for the baseline and the security controls that are selected. If implemented correctly, the overlay will make steps 3-6 run more efficiently and reduce the risk of insider threats and the other threats that the selected overlays address.

Both NSS and non-NSS are significant approaches to implementing the RMF for government or private use. While there are some differences at the beginning, the remaining parts of the two RMFs are identical in many ways. The ultimate goal is to select the right categorization and follow it by asserting the best security controls to support the baseline. Once cybersecurity personnel achieve this, it is important to remain focused on what will make the RMF more secure and run as efficiently as possible. When finally reaching the overlay stage, it is important to ensure that the additional controls are supplementary to the controls already asserted in step two. The successful implementation of all these procedures will produce an RMF that reduces or removes risks. It is also important to keep in mind that mistakes can be corrected. Even if personnel reach the final stage where they are applying overlays and discover that an overlay does not correspond with the controls asserted in step two, it is never too late to go back and reconfigure the controls to make the RMF more effective. When it comes to national security, these procedures will assist any cybersecurity personnel in providing security for their systems and networks. They may also have the direct responsibility of impacting government departments, critical infrastructure and American lives.
