3.11.1 has a weight of -3 points
(Risk Assessment Family) 1/3
Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
What Does This Control Mean?
This control mandates that you periodically evaluate risks, especially those related to:
- Operational Continuity: Assess how disruptions in the system might impact daily operations, strategic objectives, and organizational milestones.
- Organizational Image and Reputation: Examine potential damages or benefits to the organization’s public image and reputation based on the management (or mismanagement) of CUI.
- Asset Integrity: Evaluate the vulnerability of both tangible (like hardware) and intangible (like software or data) assets.
- Personnel Security: Analyze risks pertaining to personnel who have access to the CUI and the potential consequences of insider threats.
- External Threat Landscape: Continually update the awareness of evolving external threats, including cyber threats, that could compromise the CUI’s integrity or confidentiality.
- Regulatory and Compliance Implications: Ensure understanding of legal, regulatory, or contractual obligations related to CUI and the consequences of non-compliance.
Example of System Security Plan (SSP):
System Security Plan (SSP) – Risk Assessment and Management
1. Introduction:
This SSP details the steps and protocols our organization has put in place to periodically assess the risk to our operations, assets, and individuals. This stems from the operation of our system and the associated processing, storage, or transmission of CUI (Controlled Unclassified Information).
2. Periodic Risk Assessment:
- Frequency: Quarterly risk management meetings are held.
- Scope: All facets of organizational risk are evaluated, which includes operations, mission, functions, reputation, assets, and associated individuals.
- Procedure: The exact methodologies employed during these meetings are outlined in our ‘Standard Operating Procedure for Risk Management’. [Attachment: SOP RISK standard operating procedure document]
- Outcome: Risks are consistently reviewed, evaluated, and adjusted as needed, with the ultimate goal of proactively managing and minimizing threats throughout the organization.
3. Annual Review:
- Frequency: An annual review of the Cybersecurity & CUI Plan and this System Security Plan is conducted.
- Participants: Spearheaded by our COO, FSO, and department heads.
- Agenda: This review critically evaluates potential risks and our incident response strategies. Changes in mission, assets, people, or systems that could compromise the secure management of CUI are discussed in detail.
- Outcome: Necessary modifications are made to the Cybersecurity & CUI Plan and this SSP to maintain alignment with NIST SP 800-171 and other relevant government regulations.
4. System Boundaries:
- Definition: Our organization emphasizes the clear delineation of system boundaries to conduct efficient risk assessments.
- Scope: Risks associated with threats, vulnerabilities, likelihood, and impact to our operations, assets, and individuals are assessed. This encompasses risks from external parties such as service providers, contractors, and entities we outsource to.
- Levels of Assessment: Whether formal or informal, risk assessments are conducted at different tiers: organization-wide, mission/business process-focused, or system-centric. They can be initiated at any point in the system development life cycle.
- Guidance: Our protocols are in alignment with the [SP 800-30] guidelines for conducting risk assessments.
Example of Plan of Action and Milestones (POA&M):
Plan of Action and Milestones (POA&M)
Organization: [Organization Name]
System: [System Name/Identifier]
1. Introduction:
This POA&M provides a detailed roadmap for addressing vulnerabilities related to the operation of our system and the associated handling of Controlled Unclassified Information (CUI).
2. Risk Management and Periodic Assessment:
- Action Item: Quarterly Risk Management Meetings
- Description: Conduct meetings to assess and manage risks.
- Responsible Party: [Designated Person/Team]
- Estimated Completion Date: [End of Each Quarter]
- Status: Ongoing
- Action Item: Review and Update Risk Management SOP
- Description: Ensure the Standard Operating Procedure for Risk Management reflects current practices and challenges.
- Responsible Party: [Designated Person/Team]
- Estimated Completion Date: [Specific Date]
- Status: [Not Started/In Progress/Completed]
3. Annual Review of Cybersecurity & CUI Plans:
- Action Item: Annual Review of Cybersecurity & CUI Plan and System Security Plan
- Description: Ensure plans are in compliance with NIST SP 800-171 and other regulations.
- Responsible Party: COO, FSO, and Department Heads
- Estimated Completion Date: [Specific Date]
- Status: [Not Started/In Progress/Completed]
- Action Item: Incident Handling Action Test
- Description: Conduct a drill or test to evaluate the company’s incident handling actions.
- Responsible Party: [Designated Person/Team]
- Estimated Completion Date: [Specific Date]
- Status: [Not Started/In Progress/Completed]
4. System Boundaries:
- Action Item: Define and Document System Boundaries
- Description: Ensure system boundaries are clearly defined for effective risk assessment.
- Responsible Party: [Designated Person/Team]
- Estimated Completion Date: [Specific Date]
- Status: [Not Started/In Progress/Completed]
5. External Entity Risk Assessment:
- Action Item: External Entity Risk Evaluation
- Description: Assess and manage risks from external entities such as service providers and contractors.
- Responsible Party: [Designated Person/Team]
- Estimated Completion Date: [Specific Date]
- Status: [Not Started/In Progress/Completed]
6. Review and Alignment with SP 800-30 Guidelines:
- Action Item: Ensure SP 800-30 Compliance
- Description: Review and align risk assessment practices with the guidelines of SP 800-30.
- Responsible Party: [Designated Person/Team]
- Estimated Completion Date: [Specific Date]
- Status: [Not Started/In Progress/Completed]
Example of Risk Management Standard Operating Procedure (SOP):
Risk Management Standard Operating Procedure (SOP) for CUI Handling
1. Purpose: Establish procedures for the systematic assessment, monitoring, and management of risks related to CUI handling within the organization.
2. Scope: This SOP covers organizational interactions with CUI, including its processing, storage, and transmission.
3. Responsibilities:
- COO: Provide overall direction and oversight for risk management initiatives.
- FSO: Lead the implementation of security measures and risk mitigation strategies.
- Department Heads: Collaborate with teams to ensure department-level compliance and risk assessment.
- IT Department: Maintain and enhance the secure technical infrastructure.
4. Quarterly Risk Management Meetings:
- Objective: To evaluate current risks and formulate response strategies.
- Agenda Items:
- Review of action items from the previous meeting.
- Presentation of new risks, vulnerabilities, and concerns.
- Risk discussions, including Operational Continuity, Organizational Image, Asset Integrity, Personnel Security, External Threat Landscape, and Regulatory Compliance.
- Formulation of action items for the next quarter.
- Documentation of discussions and decisions.
5. Annual Cybersecurity & CUI Plan Review:
- Objective: Comprehensive review of the organization’s cybersecurity stance and CUI handling protocols.
- Activities:
- Compilation of departmental reports.
- Discussion and analysis of regulatory changes.
- Evaluation of changes and their impacts on CUI.
- Incident handling and response simulation.
- Implementation of changes based on findings.
6. System Boundaries:
- Objective: Maintain clarity and security at system interfaces.
- Activities:
- Periodic mapping of physical and logical boundaries.
- Documentation and review of system boundary descriptions.
7. External Entity Risk Assessment:
- Objective: Assess and manage risks associated with third-party interactions with CUI.
- Activities:
- Regular assessment of third-party entities handling CUI.
- Documentation and tracking of assessments.
8. SP 800-30 Guidelines Adherence:
- Objective: Ensure continuous alignment with NIST’s risk management guidelines.
- Activities:
- Regular review of SP 800-30 guidelines.
- Adjustments to organizational practices based on guideline updates.
9. Reporting & Documentation: Ensure that all risk management activities are well-documented. All documentation should be securely stored and readily accessible for review.
10. SOP Review and Updates:
- Objective: Ensure the SOP remains current and effective.
- Activities:
- Annual review of this SOP.
- Incorporate changes in organizational processes, regulatory updates, or system modifications.
11. Implementation of the Risk Management Framework (RMF):
- Objective: Systematic integration of the RMF into organizational practices.
- Activities:
- Regularly categorize the information system.
- Select, implement, and assess security controls.
- Seek authorization for the information system.
- Monitor the system and its security controls continuously.
Key points for NIST SP 800-30:
Here are some key points about NIST SP 800-30:
- Purpose and Scope: The document provides a detailed framework for conducting risk assessments, which are essential for understanding threats and vulnerabilities to organizational operations (i.e., missions, functions, image, or reputation), organizational assets, individuals, and the nation resulting from the operation and use of federal information systems.
- Three-Step Risk Assessment Process:
- Prepare for the Assessment: This includes identifying the purpose of the assessment, the scope, assumptions/constraints, and the sources of information to be used.
- Conduct the Assessment: This step focuses on identifying threats and vulnerabilities, determining likelihood and impact, and determining risk.
- Communicate and Share Assessment Results: This involves the distribution of risk-related information to organizational officials to help inform risk responses.
- Risk Factors: The guidelines lay out various risk factors that can influence the risk assessment, such as threat sources, vulnerabilities, impact levels, likelihood of occurrence, and the presence of threat events.
- Risk Determination: Risk is determined by considering the likelihood that a threat will exploit a vulnerability and the resulting impact on the organization.
- Risk Response: After risks have been assessed, organizations can decide on appropriate risk responses, including accepting the risk, avoiding the risk, mitigating the risk, sharing or transferring the risk, or a combination of the aforementioned.
- Roles and Responsibilities: NIST SP 800-30 also clarifies roles and responsibilities for different individuals within an organization, ensuring that all key stakeholders are involved in the risk assessment process.
- Continuous Monitoring: The document emphasizes the importance of continuous monitoring to ensure that risk assessments remain valid over time and reflect the current risk environment.
- Use in the Risk Management Framework (RMF): NIST SP 800-30 is one of several documents that support the NIST Risk Management Framework (RMF), a six-step process that provides a disciplined and structured methodology for integrating information security and risk management activities into the system development life cycle.
Here’s a breakdown of the RMF’s six steps:
- Categorize the Information System:
- Assign an impact level (low, moderate, high) to the system based on the potential impact on organizational operations should the system be compromised.
- Use NIST SP 800-60 as a guide for categorization.
- Select Security Controls:
- Choose appropriate security controls from NIST SP 800-53, which provides a catalog of security and privacy controls.
- Document the controls in a System Security Plan (SSP).
- Implement Security Controls:
- Deploy the selected controls in the information system.
- Describe how the controls are employed within the system and its environment of operation.
- Assess Security Controls:
- Evaluate the controls to ensure they are functioning correctly and producing the desired outcome.
- Use assessment procedures from NIST SP 800-53A.
- Document findings in a Security Assessment Report (SAR).
- Authorize the Information System:
- A senior official reviews the security package (which includes the SSP, SAR, and a Plan of Action and Milestones (POA&M) that lists any unmitigated vulnerabilities).
- Based on the risk to organizational operations, assets, or individuals, the official decides whether to authorize system operation (often referred to as an “Authority to Operate” or ATO) or deny its operation.
- Monitor Security Controls:
- Continuously monitor the system to ensure security controls remain effective over time.
- Report the security state of the system to senior organizational officials on an ongoing basis.
- Revise the system’s security controls and documentation as necessary.
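The Risk Determination and Risk Response points above describe risk as likelihood combined with impact; the following added example (written for this guide, not code from NIST or any SSP) shows how a quarterly review could score a small threat-event register that way and rank the entries that need a POA&M response. The two lookup tables are assumed approximations of the qualitative scales in SP 800-30 Appendix G and Appendix I, and the register entries are constructed.

```python
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]
# Assumed approximations of the qualitative tables in SP 800-30 Appendix G
# (overall likelihood) and Appendix I (risk level); check them against the
# revision your SOP cites before relying on the output.
OVERALL_LIKELIHOOD = {  # rows: likelihood of initiation; cols: likelihood of adverse impact
    "Very High": ["Low", "Moderate", "High", "Very High", "Very High"],
    "High":      ["Low", "Moderate", "Moderate", "High", "Very High"],
    "Moderate":  ["Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Moderate", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Low", "Low", "Low"],
}
RISK_LEVEL = {  # rows: overall likelihood; cols: impact
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}

@dataclass
class ThreatEvent:
    name: str
    initiation: str      # likelihood a threat source initiates the event
    adverse_impact: str  # likelihood the event causes harm once initiated
    impact: str          # severity of that harm to operations, assets or individuals

def overall_likelihood(initiation: str, adverse_impact: str) -> str:
    return OVERALL_LIKELIHOOD[initiation][LEVELS.index(adverse_impact)]

def risk_level(event: ThreatEvent) -> str:
    likelihood = overall_likelihood(event.initiation, event.adverse_impact)
    return RISK_LEVEL[likelihood][LEVELS.index(event.impact)]

def poam_candidates(events, threshold="Moderate"):
    """(name, risk) for events at or above threshold, highest risk first:
    the entries that need a documented response in the POA&M."""
    ranked = sorted(events, key=lambda e: LEVELS.index(risk_level(e)), reverse=True)
    return [(e.name, risk_level(e)) for e in ranked
            if LEVELS.index(risk_level(e)) >= LEVELS.index(threshold)]

# Constructed sample register for a quarterly review (not real findings).
SAMPLE_REGISTER = [
    ThreatEvent("Phishing of CUI-handling staff", "High", "Moderate", "High"),
    ThreatEvent("Contractor laptop with CUI lost", "Moderate", "High", "Very High"),
    ThreatEvent("Physical break-in at data center", "Very Low", "Very High", "Very High"),
    ThreatEvent("Backup tape misfiled on site", "Low", "Low", "Moderate"),
]
```

Entries below the threshold are candidates for documented risk acceptance rather than a POA&M item; the lookup tables are the place to encode whatever scale your SOP actually adopts.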
RELEVANT INFORMATION:
Clearly defined system boundaries are a prerequisite for effective risk assessments. Such risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations, organizational assets, and individuals based on the operation and use of organizational systems. Risk assessments also consider risk from external parties (e.g., service providers, contractors operating systems on behalf of the organization, individuals accessing organizational systems, outsourcing entities). Risk assessments, either formal or informal, can be conducted at the organization level, the mission or business process level, or the system level, and at any phase in the system development life cycle. [SP 800-30] provides guidance on conducting risk assessments.
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.