DoDI 8510.01, March 12, 2014
ENCLOSURE 6

Component (referred to in this instruction as the owning organization) based on a need to use
the same information resources (e.g., IS or services provided by the system). The DoD
Component AO reviews the owning organization's security authorization package as the basis
for determining risk to the leveraging organization before accepting the authorization. It is DoD
policy that the reciprocal acceptance of existing DoD and other federal agency and department
system authorizations (i.e., leveraged authorizations), and the artifacts contributing to the
authorization decisions, must be employed to the maximum extent. See Enclosure 5 of this
instruction and the KS for additional procedural guidance regarding reciprocity.
d. Security Plan. DoD IS and PIT systems must have a security plan that provides an
overview of the security requirements for the system and describes the security controls in place
or planned for meeting those requirements. The security plan should include implementation
status, responsible entities, resources, and estimated completion dates. Security plans may also
include, but are not limited to, a compiled list of system characteristics or qualities required for
system registration, key security-related documents such as a risk assessment, privacy impact
assessment, system interconnection agreements, contingency plan, security configurations,
configuration management plan, and incident response plan.
2. RMF STEPS. The RMF consists of the steps depicted in Figure 3. This process parallels the
system life cycle, with the RMF activities being initiated at program or system inception (e.g.,
documented during capabilities identification or at the implementation of a major system
modification). However, failure to initiate the RMF at system or program inception is not a
justification for ignoring or not complying with the RMF. IS and PIT systems without ATOs
must initiate the RMF in accordance with Enclosure 8 of this instruction and Tables 3 and 4, as
appropriate, regardless of the system life-cycle stage (e.g., acquisition, operation). Chapter 3 of
Reference (c) details the steps of the RMF, and paragraphs 2a through 2f provide amplifying
DoD implementation guidance for those steps.
Figure 3. RMF for IS and PIT Systems
a. Step 1 - Categorize System
(1) Categorize the system in accordance with Reference (e) and document the results in
the security plan. Categorization of IS and PIT systems is a coordinated effort between the
PM/SM, ISO, IO, mission owner(s), ISSM, AO, or their designated representatives. In the
categorization process, the IO identifies the potential impact (low, moderate, or high) resulting
from loss of confidentiality, integrity, and availability if a security breach occurs. For
acquisition programs, this categorization will be documented as a required capability in the
initial capabilities document, the capability development document, the capabilities production
document, and the cybersecurity strategy within the program protection plan (PPP). Specific
guidance on determining the security category for information types and ISs is included in the
KS.
(2) Describe the system (including system boundary) and document the description in
the security plan.
(3) Register the system with the DoD Component Cybersecurity Program. See DoD
Component implementing policy for detailed procedures for system registration.
(4) Assign qualified personnel to RMF roles. The members of the RMF Team are
required to meet the suitability and fitness requirements established in DoD 5200.2-R (Reference
(y)). RMF Team members must also meet appropriate qualification standards in accordance with
Reference (p). RMF team member assignments must be documented in the security plan.
(5) To avoid potential conflicts of interest or undue influence in RMF roles, certain
designations or relationships will not be allowed. The AO or SCA cannot be or report to the
PM/SM or program executive officer. The UR cannot be or report to the PM/SM.
b. Step 2 - Select Security Controls
(1) Common Control Identification. This task is the responsibility of the DoD CIO,
DoD Component CIOs, and other organizations and entities that provide solutions for
common controls. Common controls are selected as "common" and provided via the KS
based on risk assessments conducted by these entities at the Tier 1 and Tier 2 levels. By
identifying the security controls that are provided by the organization as common solutions
for IS and PIT systems, and documenting the assessment and authorization of the controls in a
security plan (or equivalent document), individual systems within those organizations can
leverage these common controls through inheritance. See the KS for identification of
common controls for DoD and additional information on how they are documented within the
security authorization package.
(2) Security Control Baseline and Overlay Selection. Identify the security control
baseline for the system, as provided in Reference (e), and document in the security plan. The
baselines identified in Reference (e) address the overall threat environment for DoD IS and
PIT systems. In this step, the applicable security controls baseline and relevant overlays for a
system are assigned. See Reference (e) and the KS for detailed procedures. In brief, the
process consists of:
(a) Selecting the applicable initial security control baseline from Reference (e) based
on the IS categorization. These security control baselines identify the specific security controls
from Reference (f) that are applicable to the system categorization.