Re: Explaining Step 1 of the NIST SP 800-37 Risk Management Framework
Having worked RMF for many years, both as a system owner and in a role as a security control assessor/auditor before I retired, I definitely agree with what you have laid out as a both logical and ideal way to approach the process and getting senior leader by in, especially from the authorizing official (AO) or their representative, is critical. I also agree with your view point on the high water mark concept, in fact for National Security Systems in the AO, they do not use the High Watermark Approach, as noted in the Committee on National Security Systems (CNSS) Instruction No. 1253, Security Categorization and Control Selection for National Security Systems, it states right up front that CNSS "does not adopt the high water mark (HWM) concept from FIPS 200, Minimum Security Requirements for Federal Information and Information Systems,for categorizing information systems." Refer to https://www.dss.mil/Portals/69/documents/io/rmf/CNSSI_No1253.pdf
I especially liked your approach of not using the definitions of impact levels until after you obtained the actual potential results statements from the stakeholders so as to avoid the "gut feel" driving requirements based on a gut feel. Unfortunately, what I have seen over decades in the business, is that "gut feel," artificially compressed schedules, and politics drives too many costly decisions instead of truly careful analysis.
Unfortunately, what I have seen over decades in the business, is that "gut feel," artificially compressed schedules, and politics drives too many costly decisions instead of truly careful analysis.
Thank you for the supporting language. Yes, you are right in citing the mutually enforcing causes for quick, from-the-hip, and usually too-high system impact categorizations. Our team had the duty of re-examining the categories of a large number of existing systems, previously set at Impact High (single high watermark value), with the goal of getting as many as possible legitimately categorized as Moderate, or, even better Low, in preparation to a major move of systems into a cloud environment. The cost of providing protections for High systems in the new cloud was going to be prohibitive. Thus, both the system owners and the AO had incentive based on budget impact to carry out the new process. And, yes, quite a few of the previously High systems had been set that way due to the politics of system owners wanting to be important.
Truthfully, the money folks would just as soon have done a magic wand wave and moved all of them to Moderate or Low without such a refined process, but the AO agreed that we needed a legitimate and defensible process and record for changing each system. Further, some of them did retain their High category after the review.
p.s. Thank you for your service, Colonel, particularly in the combat arms and in the National Guard. My career was entirely in the Air Guard, with most of it on active duty, but no combat time for me. I'm also a Capitol grad; given your adjunct status, please contact me directly if you'd like to talk about adding another degree to your quiver for your teaching status.