NIST Framework – Applying Step 1 to 6
Following the categorization example we did in class, categorize your system. (You should come up with your system and system details as requested in Step 0).
Below are the requirements and instructions:
- Use the template provided in class
- Use NIST guiding documents to categorize
- Your system categorization should include a minimum of 3 but no more than 5 Information Types referenced in the NIST SP 800-60 Volume II Revision 1.
- Modify 3 or more of the NIST-recommended Impact Levels and provide a justification for each.
- Save your final document as a PDF.
- Replace the word "template" in the document file name with your system abbreviation and firstinitial_lastname.
- Upload the PDF version of your document to Canvas.
- Refer to the class syllabus for additional requirements and instructions.
Following the Step 2 class lecture, select the applicable NIST 800-53 security controls based on the overall categorization level you selected for your Step 1 activity.
Below are the requirements.
- Use the template provided in class
- Use NIST guiding documents to select controls
- Select the controls that are at your system's categorization level (based on Step 1)
- Because NIST 800-53 controls are meant to be a baseline:
- For LOW & MODERATE systems – You should add a minimum of 2 but no more than 3 higher-level controls that can be ADDED to your selected controls as they apply to your system. Provide a justification for why the controls should be added.
- For HIGH systems – You should REMOVE 2 controls. Provide a justification for why the controls should be removed.
Use a separate Excel sheet for the next steps:
- Select a minimum of 10 controls and a maximum of 20 from a minimum of 5 families (you can select from all the families if you wish).
- Select 3 common controls (you cannot use any -1 controls such as AC-1, IA-1, etc.)
- Select 3 inherited controls
- Select 3 hybrid controls
- Select 1 system-specific control (keep in mind you will implement and audit the system-specific control, so you should select a technical control)
Step 3 Activity:
Select one technical control at the categorization level of your Step 1 activity. Implement the control and provide a control implementation statement detailing how the control was implemented (not a step-by-step guide, but referencing the technology and process used). Use the Step 3 template provided. Please choose your control carefully, because you will provide implementation evidence as part of the next step.
Step 4 Activity:
Using NIST 800-53A as a guide, assess your Step 3 security control implementation.
Activities:
- Please provide the control implementation screenshot.
- Record your screen to show the effectiveness of your security control.
- Mark one of the operational controls you selected in Step 2 as a finding. Document the finding in a POA&M.
- Your screen recording and screenshot should show your name and the time and date stamp on your computer. (If you are using a Mac, you can enable all 3 in your menu bar; if you are using a Windows machine, use the date and time in the taskbar and type your name in Notepad for the screenshot. The Notepad window should be clearly visible in a readable font. For the video, the name should be typed as part of the video.)
- Your screen recording video should not be more than 5 minutes.
- The screenshot should align with the implementation statement in Step 3.
- Your assessment should show the effectiveness (NOT IMPLEMENTATION PROCESS) of your security control. Example: if you configure a password complexity to include special characters, then your video should show that using a password without special characters will fail.
- The picture and video should be cross-platform, meaning if you use an Apple device, it should be viewable in Windows and vice versa. (I advise using the generic formats .jpg and .mp4.)
- For ease of upload to Canvas, the video does not need to be high-resolution; 480p is absolutely fine, but it should be readable. For the picture, if your device is set to smaller fonts, please zoom in so it is readable.
Deliverables to submit (upload to Canvas):
- Control Implementation Screenshot
- Control Effectiveness Video
Use the FedRAMP ISCP Template attached to complete Sections 2, 3, 4, 5, and Appendix D as they relate to your system. Feel free to come up with the Business Impact and Disaster Recovery requirements, and try to justify them. Refer to the ISACA book for a refresher on requirements like RPO, RTO, WRT, MTD, etc. This link provides high-level explanations:
Step 5 Activity:
This is the final step that makes or breaks the entire system. It determines whether the system will go into production or not. It is imperative that you follow these instructions carefully. Because of the importance of this part, and because it is considered the most significant risk related to NIST RMF processes, I will take 5 points off if any of the requirements are missing. The 5 points do not include points I will take off for activity errors.
- Submit an ATO package (refer to Step 5 slide for ATO package requirements) – Basically, every deliverable you created during the NIST RMF steps. You should include the screenshot from step 4, but do not include the video evidence.
- Your ATO package must include an ATO memo and also an SSP
- Encrypt your ATO package. Do not encrypt every single file; instead, put all the files in a folder and encrypt the folder.
- Use a minimum 128-bit encryption key; this means whichever encryption algorithm you use should support keys of at least 128 bits. I highly recommend AES, considering you are encrypting at rest. Tools like Encrypto, VeraCrypt, and WinZip support AES. Whichever tool you decide to use, be sure it is cross-platform, meaning it works on both Windows and OSX. I use OSX Catalina.
- Upload your encrypted ATO package to Canvas, but DO NOT upload the encryption key.
- Save your encryption key in .txt format. Please be careful not to add a space to your encryption key; it creates an unnecessary struggle.
- Email me the encryption key using Marymount's default Gmail (not Canvas, and not your personal email). The subject should follow this format: "firstname.lastname-SystemNameATOPackageKey". An example is: "Ibrahim.WaziriJr-IT727SystemATOPackageKey". The body should only mention the name of the tool you used to encrypt and the .txt file attached. Remove any name signature from the body. (Again, be careful with the tool you use. Ensure it is supported on both Windows and Mac. Also, do not use a paid encryption tool unless you plan to pay for my license. I use VeraCrypt and Encrypto.)
- If I am confident in your ATO package, I will authorize your system and sign your package, thereby issuing you an ATO approval. I will send it back using the same email channel. If I run into ANY issue with your package, or your ATO artifacts do not make sense, I will FAIL you by denying your ATO approval. (Believe it or not, the main reason systems fail to achieve ATO is not technical implementation or difficulty in following NIST processes. It is agencies, contractors, and security personnel not following requirements, policies, and regulations.) The same applies if I am unable to decrypt your package, or you missed any deliverable within the package.
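As an added example (not part of the assignment and not one of the tools named above), the folder-level encryption and the decrypt-before-upload check in POSIX shell using the openssl CLI, which ships with macOS and is available on Windows through Git Bash; AES-256 satisfies the 128-bit minimum, the key file is written without a trailing space or newline, and the folder names and contents are constructed placeholders.

```shell
#!/bin/sh
# Added example: archive an ATO folder, encrypt it at rest with AES-256,
# and prove it decrypts before uploading. Assumes sh, tar and openssl.
set -eu

# Generate a 256-bit random key as 64 hex characters and write it to a
# .txt file with no trailing newline or space (a stray character would
# change the passphrase the recipient types or loads).
make_key() {
  openssl rand -hex 32 | tr -d '\n' > "$1"
}

# Encrypt the whole folder as a single archive rather than file by file.
# -pbkdf2 derives the AES key from the key file; -salt randomizes it.
encrypt_folder() {
  folder="$1"; key_file="$2"; out="$3"
  tar -cf - "$folder" | openssl enc -aes-256-cbc -pbkdf2 -salt \
    -pass "file:$key_file" -out "$out"
}

# Decrypt check: recover the archive with the same key file and unpack
# it into a scratch directory, failing loudly if the key does not work.
decrypt_check() {
  enc="$1"; key_file="$2"; dest="$3"
  mkdir -p "$dest"
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$key_file" -in "$enc" \
    | tar -xf - -C "$dest"
}

# Constructed demo package (placeholder files, not real deliverables).
# Prints the scratch directory so a caller can inspect the results.
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/ATO_Package"
  printf 'placeholder SSP\n' > "$work/ATO_Package/SSP.txt"
  printf 'placeholder ATO memo\n' > "$work/ATO_Package/ATO_Memo.txt"
  make_key "$work/key.txt"
  ( cd "$work" && encrypt_folder ATO_Package key.txt ATO_Package.enc )
  decrypt_check "$work/ATO_Package.enc" "$work/key.txt" "$work/restored"
  cmp "$work/ATO_Package/SSP.txt" "$work/restored/ATO_Package/SSP.txt"
  echo "$work"
}
```

Upload only ATO_Package.enc; key.txt is what goes in the email attachment.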