What's up, friends? Nice to see you for a renegade pop-up broadcast. My name is Gerald Dozier, and over the next, I don't know, say 30 minutes, I am going to be digging into the NIST Risk Management Framework. It's a GRC function, it's used by federal IT systems, and it is a comprehensive approach to actually implementing a structured information security program. I will also say that I am not a huge fan of it. To me it's a dinosaur; the NIST Cybersecurity Framework is, to me, an evolved, more mature version. But the NIST RMF, the Risk Management Framework, is still used in the US government and stuff like that, so it is very valuable to understand, and we're going to be going through all of that. I will have chat up, so if you have any questions, this is definitely a broadcast designed for the people, by the people. Hey Jenny Housley, hey Emilio Garcia.

So let's just jump right into it, shall we? You can see I've got chat over there on the side if you guys want to say what's up. Although, is that the wrong chat? Hold on one second. I don't know why the chat's not working; let me know if you guys don't see it. Why is this chat over here not pulling in chat? I see you Steve G, Mel Cobbs; answer all the non-NIST questions. Okay, hold on, I want the chat window to be accurate, so let me do this. Can you guys see this? Hello? Oh, there it is. All right, give me a second; this is what happens when you do things on the fly. Okay, cool.

All right, so really quick, just to give everybody some citations and stuff like that: this was provided by a guy named Aaron Lang. This is his website; I'm going to drop the link in chat. This is what we're looking at, so you can bring it up yourself. Music by StreamBeats, NIST RMF diagram by Aaron Lang. Okay guys, so check that out. So let's dig into it. What is NIST RMF?

First, if we just look at this, this is the high-level graphic over here. Let me move my camera off stage. Can you still hear me? Let me know if you can still hear me, guys, with one of my cameras off, because it's easier with the camera off. Okay, thanks Tom Bishop.

All right guys, so here's the deal. This is the NIST RMF, and it's basically a six-step process that allows you to put proper controls in place on a federal IT system. Now you can implement this voluntarily; it doesn't have to be a federal IT system, you can do it yourself. But a lot of times you'll see it mostly implemented at the government level. Now we are going to be talking about the RMF at the information system level. There are three levels: the kind of high-level strategic level, then the business level, and then the information system level. When most people think RMF, they think of the information system level, and when you're doing auditing stuff, that's where that's done. So I'm going to talk through this really quickly, and then you'll see how it maps into here. You see this hex thing in the middle? Those are the six stages that correspond to these six steps.

So first let me tell you what the six steps are, and then we'll drill into each of them. You do go chronologically, although you'll see how it says "repeat as necessary" on step six; it's funny that it says "as necessary." Step one is categorizing your information system: what is actually in this system? What data is in it? Is it national security? What is the deal with the system? And by the way, you can do this in like 20 minutes; step one is a very quick step. (BSec is saying that's so harsh: "you have a face for radio anyway, LOL." That's funny, Beast.) All right, so there is a document, I think it's NIST SP 800-60, rev 1 and rev 2, or volume one and volume two, that will basically have a list of all sorts of types of data to help guide you on selecting what level of categorization you should do.

Here is a hard truth, guys. There are three categories: low, moderate, and high. So when you're doing "categorize the system," this step one, you're basically saying is it low, moderate, or high. I would say 80% of all systems are moderate, and here's the reason why. National security systems, obviously classified systems, those are all high, obviously. But most systems are moderate, and here's why: the level of control that needs to be implemented for high systems is very, very robust, and once system owners figure out that, oh my God, it's going to cost how much and take how long to get to high, they'll be like, we're not really high. Everybody wants their system and their data to be super secure, and it's super valuable and unbelievably important, and then you're like, all right, well then it's high, here are all the things for high, and they're like, oh, actually it's not that important, let's go for moderate. Now for low systems there's a very, very clear delineation of when data is not moderate. So if you can get your categorization down to low, you can, but it's usually very subjective between moderate and high, so people can subjectively push down to moderate. It's a little bit more objective between low and moderate. I've done a couple of low systems; oftentimes the system owners for low systems are like, oh my God, why do I have to implement any of these controls, this system is just a stupid coffee machine or something like that. But that aside, that's the one thing you should know: you get to categorize your own system, most of the time it's moderate, and there's an entire workflow around doing that, which we'll get into in a second.

Step two is selecting your controls. Guys, again, there are a million different ways to do this. The basic way is that if you've done step one and you're low, moderate, or high, then the low, moderate, and high controls are already selected for you. So you can start off with that: you just filter on moderate and there are your controls. Now I will tell you there's something called tailoring, which I'll get into in a minute, that'll allow you to either add more controls or remove controls. But if this is your first time on the Gravitron, your first rodeo or whatever, the safe, easy way to do it is to just pick the controls that map to the moderate or low or whatever baseline you've selected. So you do step one, and then in step two you just pick the ones that are defaulted. It's very simple. Again, you can do step one and step two and have it documented in one day. Very, very easy.

Step three is where it's going to start getting a little bit harder. Step three is implementing the controls. This is actually configuring systems, putting processes in place, and documenting policies. Step three is a massive amount of work. This is where you spend the bulk of your time; we'll get into it in a minute.

Step four is assessing the controls. This is basically auditing your controls: in step three you put all the controls in place, and in step four you verify whether or not they're actually being done. Now I will say that step four is typically done by an independent auditor, because you don't want the people who are making the widgets to audit the widgets; a lot of times they will favorably audit it, or they'll just be like, oh no, it's fine. It's like when I ask BSec, hey, do the backups work, and he's like, yeah, of course the backups work. Well, he's saying that because he's confident in boasting, but he didn't actually check the backups and doesn't realize that he's overwriting the backups every hour or something like that, so the backups are not actually being done. So the assessment is done independently. You would do assessment internally as well; I'm just telling you that step four is really talking more about an independent audit and assessment. And that takes time too: depending on the size of the system, guys, step four could take months, because you need to do planning. When are we going to be on site? Who's going to be the auditors? Are they qualified to audit? Who do they need to talk to? What's the meeting schedule? Do we need to test the system? Does the system need to be brought down in order to do the testing? All these things. So an audit is not something you just flippantly do on a Wednesday, like, oh, it's kind of slow, maybe I'll do a renegade pop-up stream on RMF and then just audit the information system afterwards. No, it doesn't work that way. So step four is a lot of work.

Step five is authorizing the system. What this is supposed to be is that somebody with authority, somebody like the CEO or the CIO, looks at the outputs from step four, the assessment, and says, okay, a couple of these controls are not in place, but I'm willing to accept that risk; we're going to put the ones that are not in place on a POA&M, a plan of action and milestones, and we'll get them remediated, but the system is authorized to go online. This should be fairly quick, because all they have to do is read a thing and approve it or disapprove it. Now what I will tell you is that's the way it's supposed to be. How I have seen it implemented in all of my career is you send all of the information to the CIO or to the system owner, whoever, and then there's a one-pager of like, I, Gerald Dozier, authorize this system to go online on whatever network. Most of the time those authorizing authorities don't read all the material. You have a phone call with them, it's like five minutes, and you're like, oh, there are a couple of things, nothing really egregious, you might want to look at this, and they're like, that's fine, back to my golf game. So, with all due respect, that's how I've seen it implemented. The system gets authorized typically for three years. This is the way it used to be; I haven't been in federal IT in about seven years, but it was a three-year authorization, and then you have to re-independently audit and assess. Normally you would assess a third of the controls every year so you don't just have one big audit every three years.

And then step six is monitoring the controls. You're supposed to have some type of recurring audit, or whatever you want to call it, to see what's up.

All right, so we're going to dig into this. What's up Professor Black Ops, good to see you. Hey Kimberly, good to see you. Reggie Davis. A lot of squad love in here; it's good to see everybody. So this is RMF at sixty thousand feet. I'm eating a bagel too. This is what RMF is supposed to be. Now let's go under the hood and take a little look. This is the graphic provided by Aaron Lang again; I'll drop it in chat if you want to follow along. Yeah, the IRS is three years, self-assessment and CAP work every year, exactly. It used to be every three years for a FISMA audit, but it's just become overwhelming, so you'll typically do a third of the controls, plus any critical controls you've identified, etc.

All right, so let's dig into this thing a little bit. You recognize this part right here: these are the six steps in the RMF. These map one to one. So obviously you want to start with categorize system.

Now give me some grace, guys, for the fact that it's a little pixelated, but you can see here "system categorization," and they dig in a little bit. I love it. Your inputs are your systems, and then you document system characteristics, you actually do the categorization, and then you review the system categorization. There's a level of bureaucracy and, you know, comprehensive oversight implemented here, but you can see he's listed it as tasks C-1, C-2, C-3, and he uses NIST SP 800-60 as the document right here. You identify the information in the system, you select provisional impact levels, you review those levels, and then you finalize. Selecting, reviewing, and finalizing can all be done by the same people.

Let me show you this. There are two volumes for NIST SP 800-60: there's volume one, which is the guide for mapping the categories, and there's volume two, which is the appendices for mapping. This is really dry content, guys, but let me show you really quickly, because it makes a lot of sense when you see it. I just randomly selected one here: central fiscal operations information type. Central fiscal operations include fiscal operations at the Department of Treasury that perform work on behalf of the government, so tax-related functions, and you can see here the security category, which they map to confidentiality, integrity, and availability, the CIA triad. We know about the CIA triad, right? That's how they do it here. You can't really see it, but the security category for Department of Treasury information is moderate confidentiality, low integrity, low availability. So you've identified the information type here, and now you're selecting your provisional levels; that's what these are. These are provisional; this gives you a good start, and then it explains, it defines why your levels are that, and then they give you special factors: if any of this is in place, then it's actually high.

Now guys, you can rinse and repeat. You basically just use this as a lookup. No one's going to read NIST SP 800-60; you would literally just find the type of data that maps to you. Health, workforce management, education... Professor Black Ops is in here; he said something about IRS, let's see if IRS is in here. Internal Revenue, yeah, there we go: taxation management. "Information activities include the implementation of the Internal Revenue Code." For that type of data: moderate, low, low. So hopefully you guys get the idea. You can use the 800-60 to basically look up whatever federal information system you're working on, look at the type of data they have, and then you get those provisional values.

Now one thing that NIST RMF says you're supposed to do is choose the high-water mark. So if confidentiality is high but integrity and availability are both low, you still have to have a high baseline. You can't just say, well, two out of three are low so we'll go with low controls. No, you have to choose the high-water mark, which kind of sucks, but that's the way it works.

Now, with tailoring: going back here, we've selected our provisional impact levels and we're going to review them. So let's just pick a random one. We're looking at water resource management (Justin Gold, all right, we're doing this one), so we're going to go low, low, and low. Actually that's a terrible one; I need one that has something that's not low, low, low. Give me a second. Okay, check this one out: taxation management information system, confidentiality moderate, integrity low, availability low. You would have to choose moderate for the security control levels in NIST SP 800-53.

However, there's something called tailoring where, if there is a control in the 800-53 (this is more advanced stuff, but just follow me for a second), if you choose that moderate control selection in NIST SP 800-53, they'll actually tell you if a control is specific to a certain security objective, so it's just for integrity or it's just for availability. If that's the case, then you can tailor out that control, even if it's a moderate control, because you're tailoring to say that, oh, the control (and I'll find an example in a second) doesn't apply because the availability needs are low and this control has nothing to do with confidentiality. I'm going to take a minute to take a bite of my bagel here and read chat. I'm so hungry. "I despise moderate-high too," okay.

Let me see if I can find a quick control in this SP 800-53. I'm trying to think of a control, maybe a media protection control. Let me look really quickly. So this is the 800-53, which is like a dictionary. Oh my God, it's such a heavy document. Let me just jump down to some controls. It's been a minute; I don't think it's in the actual control. It used to be in the control itself, and now I think there's a chart somewhere. Dude, they even have a control right here for tailoring, and they actually have guidance on tailoring in the 800-53B, which is a different document. I'm just looking at a control right now. It used to say in the actual control what it mapped to, but now I think it's a chart, which kind of sucks. Give me a second; I want to see if I can find it really quickly. Those are all the control families. I'm just explaining how these controls work; we're not going to get into all these controls, I'll pull a couple up later. Access control summary table, okay, here we go. All right, well, it's too bad NIST has changed it since I last did it, but it used to have a breakout of whether or not this control was for confidentiality, integrity, and/or availability. So if you could find a control that didn't apply to confidentiality that was moderate, then you could cut it out if you were going to do tailoring anyway. It's a way to save on a couple of controls.

Getting back to the RMF: basically you review all your controls, or rather you review all your data and impact levels, and you say, yep, we are a moderate system. So step one, we're a moderate system, step one completed. Again, like I said, this should only take you a day or two, because you know what the data is, you know what's in the system.

All right, step one's done. Step two, select the controls; I accidentally just started doing that. So we say it's a moderate baseline, we go to NIST SP 800-53 and we say moderate. Whoops, it probably says moderate a million times in here. Yep, so here, RA-2; this control you basically get for free by implementing RMF. There's definitely a table that shows you... where is it? Also I want to point out that they talk about FIPS 199 and FIPS 200 in the categorization step, but it's all the same thing; it's basically saying what level of security control you want to implement for this system. It's kind of annoying. Now, they definitely have a spreadsheet. Here we go, I can open the spreadsheet. I downloaded this straight from NIST right now. You can see here... oh, this doesn't have it either. This is frustrating. This is the entire control spreadsheet, but we want to be able to filter on what controls apply to moderate baselines; you shouldn't have to do that manually. Oh, I guess they've split it out to 800-53B now, okay.
That's news; that's relatively new since I switched. But here's the 800-53B. Here you can see it now. (This music's killing me.) On 800-53B you can see, for AC-1 policy and procedures, AC-2 account management, these are controls in the NIST SP 800-53, and then you would say, okay, security control baseline low, security control baseline moderate. So all you have to do is say it's a moderate control. You just click here; you can see it's not just all X's: "deployed organization-wide," "not allocated to the baselines." All right, so we're going to choose X, and there we go: these are the controls for a moderate baseline. So you would literally just copy and paste this into a spreadsheet, and now that becomes your selected controls. That becomes step two, select controls. That's all it is, guys. You decided in step one, using 800-60 as I just showed you, what your categorization is, and then in step two you literally filter on that spreadsheet. That's the basic way; obviously you can do tailoring to get a little bit finer control, but that's how it works.

Okay, let's keep rolling on the graphic. Let me get my face out of the way. Now step two, to get into detail on this (and guys, I put a link in chat to this document if you want to see a cleaner view of it for yourself): step two is selecting controls. As I said, it's just as simple as that spreadsheet, but let's actually go through it. So step one of selecting controls is selecting controls. You can use the baseline approach, which is what he's done here, the control matrix. He goes into additional detail here on the types of controls: preventive, detective, deterrent; manual and automatic, which basically means you can automate things; physical, technical, administrative, which are the three kinds or categories of controls. Physical means doors, guards, guns, fire extinguishers. Technical means EDR, antivirus, permissions, Active Directory controls, etc. Administrative is a sign that says "do not enter," or when you log into a computer and you get that splash page that says you're accessing a federal system. Those are administrative controls; they don't actually stop anyone from doing anything, but they educate and provide awareness. And then you see the authority documents over here; these are just buckets of control frameworks. You could use ISO for controls, PCI for controls, 800-53 for controls, which is what we're using. You're not required to use 800-53, but if you're going to implement the NIST Risk Management Framework there is a high, high, high probability that you will be using 800-53, because there's no reason not to. If you were going to implement RMF but use ISO 27000, you'd have to figure out what controls made sense for whatever you categorized your system as in step one, but you would select those controls.

So now we've done our little control selection; then we would tailor the controls. I mentioned control tailoring already. I'll give you an excellent control tailoring example. Say you're required to have locks on all doors. I have been to the South Pole, to the National Science Foundation's Antarctic research facility at the South Pole, and they have federal research systems there that I got to audit; that's why I was there. We were looking at the controls and it's like, got to have locks on all the doors. Well, there are certain doors that cannot have locks on them, because it's a life-threatening issue: if the door is locked and there's a storm or someone gets stuck outside, they could die. So either you could say it's an accepted risk, or you tailor the control out because it doesn't really apply in this situation. That's more of an accepted risk, but you could tailor the control out.

Let's say... what's a good control to tailor out? I'm trying to think. Let me look at the spreadsheet one more time; I'll give you a good one. I know we've tailored controls out in the past; there are a couple of obvious ones. Media access, physical survey... yeah, I don't have one off the top of my head; it's been a minute.

Question from chat: BSec asks what's the difference between 800-53 and 800-53B. I think of 800-53 as the dictionary; it's got every control conceivable. Any control that you'd want to implement anywhere in your organization, if you got a problem, yo, they'll solve it; that's what the 800-53 is. 800-53B is the control baseline, so 800-53B is the extraction and identification of the controls, specifically from the dictionary, that can be used to meet the required minimum standards for controls to be implemented to be FISMA compliant. Hopefully that answers your question, BSec.

Okay, so back here: we've tailored our controls, which basically means... let's say there were 200 controls that we had to implement. Actually, let's count them. We've selected a moderate baseline; controls and control enhancements all in are 287.
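To make steps one and two concrete, here is an added example (my own code, not from the stream or from Aaron Lang's diagram) that models the workflow just described: look up provisional C/I/A impact levels per information type, aggregate them, take the high-water mark to get the baseline, filter a catalog on that baseline the way the 800-53B spreadsheet is filtered, and then tailor out controls that only serve an objective rated below the baseline. The information-type rows are constructed to match the values read out above; the catalog rows, their baseline allocations and especially the per-objective tags are assumptions for illustration (the speaker notes NIST no longer prints that mapping inside each control), not a copy of 800-53B.

```python
"""Toy model of RMF step 1 (categorize) and step 2 (select + tailor controls).
Added example; lookup rows and catalog allocations are constructed/assumed."""
from dataclasses import dataclass

LEVELS = {"L": 0, "M": 1, "H": 2}          # ordering used for the high-water mark
OBJECTIVES = ("C", "I", "A")               # confidentiality, integrity, availability

# Constructed lookup modeled on SP 800-60 information types (values as read out above).
INFO_TYPES = {
    "Taxation Management":       {"C": "M", "I": "L", "A": "L"},
    "Central Fiscal Operations": {"C": "M", "I": "L", "A": "L"},
    "Water Resource Management": {"C": "L", "I": "L", "A": "L"},
}


def categorize(info_types, adjustments=None):
    """Return (per-objective impact, overall level).

    Each objective takes the maximum across all information types in the
    system; 'adjustments' models the review step where special factors
    raise a provisional value; the overall level is the high-water mark."""
    impacts = {o: "L" for o in OBJECTIVES}
    for name in info_types:
        for o, level in INFO_TYPES[name].items():
            if LEVELS[level] > LEVELS[impacts[o]]:
                impacts[o] = level
    if adjustments:
        impacts.update(adjustments)
    overall = max(impacts.values(), key=LEVELS.__getitem__)
    return impacts, overall


@dataclass(frozen=True)
class Control:
    cid: str                 # e.g. "AC-2(1)"; a "(" marks a control enhancement
    title: str
    baselines: frozenset     # baselines the row is allocated to (assumed values)
    objectives: frozenset = frozenset()  # hypothetical objective tag; empty = all


# Constructed sample of an 800-53B-style allocation table (allocations assumed).
CATALOG = [
    Control("AC-1", "Policy and Procedures", frozenset("LMH")),
    Control("AC-2", "Account Management", frozenset("LMH")),
    Control("AC-2(1)", "Automated System Account Management", frozenset("MH")),
    Control("AC-2(6)", "Dynamic Privilege Management", frozenset()),   # not allocated
    Control("AC-2(11)", "Usage Conditions", frozenset("H")),
    Control("RA-2", "Security Categorization", frozenset("LMH")),
    Control("MP-2", "Media Access", frozenset("LMH"), frozenset("C")),   # tag assumed
    Control("CP-9", "System Backup", frozenset("LMH"), frozenset("A")),  # tag assumed
    Control("AU-6(1)", "Automated Process Integration", frozenset("MH")),
]


def select_baseline(catalog, level):
    """Step 2, basic way: keep every row with an X in the chosen baseline column."""
    return [c for c in catalog if level in c.baselines]


def tailor(selected, impacts, level):
    """Tailor out a control only if every objective it serves is rated below
    the baseline; untagged controls always stay. Returns (kept, removed)."""
    kept, removed = [], []
    for c in selected:
        if c.objectives and all(LEVELS[impacts[o]] < LEVELS[level] for o in c.objectives):
            removed.append(c)
        else:
            kept.append(c)
    return kept, removed


def summarize(controls):
    """Count base controls versus enhancements in a selection."""
    enh = sum(1 for c in controls if "(" in c.cid)
    return {"controls": len(controls) - enh, "enhancements": enh}


if __name__ == "__main__":
    impacts, level = categorize(["Taxation Management", "Water Resource Management"])
    print("impacts:", impacts, "baseline:", level)
    selected = select_baseline(CATALOG, level)
    kept, removed = tailor(selected, impacts, level)
    print("selected:", [c.cid for c in selected])
    print("tailored out:", [c.cid for c in removed], summarize(kept))
```

Run as a script it prints the moderate baseline for a system holding taxation and water-resource data, then shows CP-9 tailored out (it only serves availability, rated low) while MP-2 stays (confidentiality is at the baseline level). The tailoring decision and the assumed tags are exactly what an assessor will ask you to justify in the SSP, so keep the removed list and the reason with the selection rather than silently dropping rows.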
There are 287 controls and control enhancements that we need to implement for a moderate baseline. I will tell you, when you tailor controls, you maybe get to knock out five or ten; I've never seen tailoring do anything more than that. So now let's say you're at 260 controls. It's an awful lot of controls. (Jenny Housley gets my reference, thanks Jenny. Yeah, inheritance is a thing.)

So we're going to allocate controls to the system and assets; that basically just means we're putting the controls in place where they make sense. And then we're going to document how to implement them. This is when you would do a security and privacy plan, the plan on how you're going to implement these controls, and then review those plans and get them approved. Approving the plan is like, okay, we're going to implement this SIEM and we're going to put these controls in place. Again, this is where reality and practice diverge. Step one and step two, picking all these controls, you can do fairly quickly; if you really wanted to be super thorough it could take a couple of weeks. But no one is really documenting a plan on how they're going to implement their controls and then going to do it. What normally happens is the system's already online, or the people who want the system are like push, push, push, and you're building the plane while it's taking off. So you're doing this while the plane's taking off, which means you're basically going to be implementing the controls and doing all this stuff in parallel with doing the SSP.

I will tell you, though, that the SSP, or system security plan, which you can get more information on in NIST SP 800-18 (yeah, 800-18 is the guide for developing security plans), you absolutely need an SSP. If you're going to work on or support a federal system, the system security plan is the first thing that an auditor is going to ask for. Literally, before they even show up, they're going to say, send me your system security plan, because the system security plan essentially is a complete documentation of how the controls and security are implemented for your system and all the logic behind why you made control decisions and selections. The SSP, as it's commonly referred to, is typically like 300 pages long. It's massive, because you have every control documented, and then there are network topology diagrams and stuff like that in there.

Okay, I'm going to take a minute here, read chat, and take a bite of my bagel. This is like a lunch and learn. "Is this covered in the GRC class?" Oh cool, at least I'm consistent; I'm just going to deeper dive here. Aaliyah Zimmerman, talking about the move to the Cybersecurity Framework didn't really catch on, zero trust. I would say that the NIST CSF... I really believe the new CSF is far and away better than the RMF, but RMF is what they've got. We're actually going to get to a section... I actually interviewed with the team that designed this, and I have some problems with it, and I told them my problems, and I honestly think that's why I didn't get the job, but I don't really care; it's fine. Link for the diagram? Sure, it's from this post from Aaron Lang; there you go. No problem, Abdullah. I have coffee for breakfast, yep.

All right guys, so continuing on. You've got your SSP, you guys are feeling good, we're all high-fiving, getting tacos and stuff. Step three, implement controls. It's funny, because look at the diagram of all the steps: implement controls is the smallest one. It has the least amount of action going on, and it is the most complicated and busiest of the steps in the RMF. It is far and away the most work, so it's kind of funny that it's the smallest one. But let's take a look.

So it says here "approved security plan," so maybe someone reviewed your SSP. Unlikely, because the people who would review it don't know how to read it, and I mean that with all the love and respect in my heart. You're going to ask someone who doesn't really understand infosec to read a 300-page document. I've asked many times in my career, because I have to, because that's what you've got to do: you've got to get the SSP approved. They don't read it, they don't care. You're there because you understand how to read it and implement it. That's the reality.

All right, so let's look at this: implement controls, document changes. Guys, this is it; this is the grunt work. So just looking at the controls, this is the NIST SP 800-53 security baseline mapped for moderate controls. This is what you do: you'd literally say AC-1, okay, AC-1 is in 800-53, and then you have to go find it. AC-1, policy and procedures: you need to develop, document, and disseminate this stuff. Are there any control enhancements? No control enhancements. So just so you guys know, all of the dash-one controls, in every control family (I think there are 18 or so), the dash-one control is a policy and procedure document, and it's basically saying the same stuff: you write a policy around access control. AT-1, this is awareness and training; what do you do there? You write a policy and procedure for awareness and training. They all read the same, but basically you need to write a policy document. Easy enough.

Then AC-2, account management (I'm just going to do two of these for demonstration purposes, then move on). AC-2, account management: you've got to implement a control that defines and documents the types of accounts that are allowed, assigns account managers, requires some criteria for role membership. Now this is an interesting one. AC-2 is a big control. It's basically around how do people get user accounts, what happens when they change roles, what happens to user accounts when they leave the company or leave the role (terminating accounts), what's the approval process, how do you validate that the person actually needs that access, what's the notification process when someone gets terminated around access, how long do they have the access for. That's what AC-2 is all about.

Now I want to bring up a really interesting thing for you. (Oh my God, Black Ops, your SSP was 700 pages, bro? I'm tired just reading that. Wow.) So here's the thing I want everyone to know. You do this rinse and repeat, and this, by the way, is why it's so much freaking work: you need to interface with the business, you need to define new processes, you need to get forms in place and workflows in place and technology. You have to buy technology; if you don't have a SIEM you've got to buy a SIEM or get an MDR. And then you've got to configure all the endpoints to push logs to this SIEM. You've got to define the thresholds on when you're going to notify, what's a false positive, what does the alert structure look like, what are the notification windows, what's the threshold for when you call the CIO and make them aware of something. What do you do with EDR? Do you put it on IoT devices? Obviously not, but how are you controlling that? This is where all the work is. Now one thing that a lot of people get flummoxed on... yeah, I know, BSec. Typically you would ask the business for their process, but they're going to be like, bruh, I don't have a process, I've worked here forever, I know how it works. Okay, well, can you document it? And then they just give you the palm, like, nah.

Anyway, one thing that I want to call out really quickly that's really important: see this "Assignment: organization-defined attributes (as required)," "Assignment: organization-defined personnel," "Assignment: organization-defined policy and procedure," "Assignment: organization-defined personnel." These assignment, organization-defined values are all throughout the controls. You have to do the exercise to define those standards for your business, for your organization. For example, a simple one: "notify account managers and [who else] within [how long] when accounts are no longer needed." Well, what kind of accounts are we talking about? Are we talking about general user accounts, like BSec quits, and the account manager needs to notify HR and the CIO within 24 hours when an account is no longer needed or when a user is terminated? Maybe that's fine, but maybe for BSec's role the CIO needs to be made aware, while for Jerry's role, legal needs to be made aware. This is where you define all these things, because these are the standards, and NIST isn't being prescriptive to the point where they're defining your controls for you. A lot of people get mixed up on that. If you want to see a hack, meaning someone who doesn't know how to do their job very well, you'll see these placeholders in people's SSPs, because they literally just wholesale copy and paste the 800-53, and it's like, oh my God, what happened here? They'll wholesale copy and paste the 800-53 and they won't know what they're doing or what they're talking about. That's a hallmark sign of someone who doesn't know. But again, you've got to go through the work and effort to define what those controls are. Now technically you would have done that in step two, when you define your SSP, but again, I told you, you're usually building the plane on the fly, so it's very, very seldom that someone's going to invest a year of time to define all
these things and then Implement all these things because a lot of times like a year ago or whatever when you made these decisions like it made sense but now it doesn't make sense times change people change process changes sensitivity the mission changes attack back uh threat actors get you know faster smarter stronger they're like Captain Marvel right so um you'll again you'll see the SSP the SSP is a living document right it always getting it's always getting updated okay so you implement um the controls and then they'll it says here document changes this is pretty important as I mentioned you can see update SSP the SSP and the Privacy plan if you're a privacy person is a living document um hold on I'll I'll answer that in a second Leo so the SSP is a living document so when you make control changes when you don't Implement something the right way when you accept risk like whatever it is it needs to be updated in the SSP again because as I told you the first document anyone auditor or new hire or whoever comes in the first document they're going to want to see is the SSP because it's supposed to be an accurate documentation of the current control structures in place protecting the system okay so that's what's going on there I mean it's simple to say but it is a a ton of work okay okay now hold on I'm gonna take another bite of my bagel here and then read some chat Leah says only the Velociraptor can keep up with container development how quickly can anyone update all the dash one policies so I mean there's usually a dedicated people who update the SSP the dash one policy shouldn't change that long uh that often you really shouldn't be writing policies so detailed and so granular that it it's out of date you know the second it it's published um procedures typically get you know kind of outdated I mean it's very seldom to see like you know like well-written accurate processes uh but it you know it is what it is I'm gonna take a bite of this Bagel really quick give 
me one second [Music] foreign [Music] seriously ain't nobody got time for that you said it ma'am B Tech knows what's up getting stuff documented is tricky man okay not only I.T what is that is that a bagel is that a bagel Emoji that's awesome all right facts on up sucks to be me on GRC yep just looking back at Chad if I could just do video chat with Jerry um infosec kid took an audit class and they audited an organization underwater that's pretty cool I work remote it help desk unfortunately I have to answer them okay the nist RMF helps you build your SSP so w asks does the RMF help you build the SSP kind of not really um the SSP go to nist 818 which is this one right here this will help you write an SSP but really really really really really really basic what what all you have to do is choose your controls copy and paste them into a document this is why it takes like hundreds and hundreds of pages put the network diagram at the top put a description of the system at the top and then explain for every control what you're doing to implement the control specific to your organization we Implement greylog for Sim we use sysmon for pushing logs like whatever it is document how it's being done that's all it is uh have a good one Leah thanks for hanging out all right so let me continue on here let me know if this is um useful or valuable guys um let me know or hit the like button I mean this is a renegade pop-up but there's 70 of us in here so we're party we're partying all right guys moving on next step is the assessment sus controls this is where my audit people are at get your audit on guys when I tell people listen when I say hey like you know a great great great entry-level job or breaking into cyber security job is audit this is why what I'm about to explain audit is sick because it's usually outsourced by the government to Professional Services companies professional service companies charge like you know what they pay you X and then they charge 2x right like to 
make this math simple a professional services company is not going to lose money on putting your butt in a seat they're only going to make money so they are highly motivated to do that okay this is where a control assessment goes now looking at it again here's a link to the uh graphic for those of you wanting to follow along [Music] thanks Aaron Carson thanks Mervin good to see party on Wayne yeah thanks Jim Lund thanks Tom Bishop okay guys so going into this now they say nist 853 a let's do that once you do this a few times it's like you don't even need to go there but the 53a is a companion document to explaining how to do the audit and you can use this uh all you want I'm going to give you the TR Dr tldr version here in a minute but this was published in January of 22 uh so this is great this is like relatively recent and relatively new uh when I used to read this back in like you know 2017 in in uh or 2018 2019 and Below um it was useful but not super useful but this will tell you like this is a great document if you want to learn foundational information security auditing okay going back to the diagram yeah exactly Black Ops yeah I was part of that well I wasn't on the IRS team but um I worked at Booz Allen and I was there when they had the um the IRS contract we had a whole team out of Charleston doing that stuff in fact we might know some some of the same people but he's 100 right there's no way that Booz Allen's paying you 250 an hour if you're a junior analyst they're definitely making money on you and again that's why it think about the perverse incentive Booz Allen can hire someone with no experience and give them less salary based on that con constraint oh you don't have any salary I mean you don't have any experience here's forty five thousand dollars here's sixty thousand dollars whatever and they're still getting 250 an hour they could hire the another person to do it and say hey I'm a hundred thousand dollars an hour they're still only going to be 
able to charge 250 an hour so there's a perverse incentive for the Professional Services Company to have the cheapest employee possible fill that work if you follow what I'm saying okay so looking at the audit here pre-assessment assessment post assessment if you've taken my GRC Master analyst class or Master GRC analyst class whatever I called it this should look familiar pre-assessment actual work post assessment if you're going to do an audit if you're going to do an audit guys you absolutely have to do it in this order or else you're going to be a hot mess on fire right hold on where's my dumpster fire emotes there we go this is what you'll look like if you don't do this this way pre-assessment is getting the logistics in order having a plan communicating that plan being ready to rock and roll assessment is showing up on site and doing it post assessment is reported on your findings documentation analysis Etc okay thanks be sec thanks Bishop yeah okay so first step prepare security and control assessments guys all you need to do is ask for the SSP right you get your controls thanks be SEC you get your controls right and you say okay here are all the controls here are all the controls we're going to test all of them now you could just go straight down the list one one after another but that's like a really stupid way to do it the right way to do it is you start bucketing it okay so like what controls what controls our documentation request those in advance that's all part of the pre-assessment okay like well hold on let me follow this actual workflow you've already identified all the controls that you need to assess then you come up with your plan okay we're gonna go on site it's going to be these dates we need to talk to these people we're going to request this evidence we're going to test these controls we're gonna deliver the report on these dates right it's a full project okay you can see here um the assessment plan it says approved security and privacy 
plans it should say approved assessment plan right you got your assessment plan you're executing on and then you actually do your assessment now at at this point your pre-assessment you're all done and you like go on site you should have meetings already scheduled you should know what you're going to be asking in those meetings and you should be thorough now here's a pro tip when you are scheduling these meetings and stuff you need to look at the actual controls in scope and you need to say okay what controls are hold on one second hold on one second give me one second stay tuned BRB [Music] [Music] [Music] thank you Okay so what you need where am I so what you need to do um what you need to do is categorize like okay like bsec is a network engineer what are the controls are network engineering related the system and communication controls are definitely in that space the networking controls right so like identify the controls that would be appropriate for bsec and then the controls appropriate for HR controls for legal controls for sys admins domain admins whatever and then say okay hey I want to talk about access control with assist admins schedule a meeting for that I want to talk about Network control schedule a meeting for that like get it all sorted out have a liaison on site right because if you're showing up as an independent auditor you're going to have like you're you know you're gonna be walking around like a fool unless you have a liaison an escort a person who's helping facilitate on site for you okay that's Pro tip one pro tip two and this is easily the most important tip I can give you and um I might I I have done this multiple times it's so valuable listen seriously if you take one I might even clip this if you if you get one thing out of this this is the most important thing when you are going to do an audit about 853 controls you have to go through the controls beforehand read what the control is trying to accomplish and then put it in your own 
words okay I have seen people do this and it is so cringe it's so cringe that it's like it's tough for me to even be part of okay so check this out I'll give you an example just random control that one's actually too obvious hold on let me find a better one that's like trying to illustrate my point all right here we go so this one right here information exchange ca3 we'll say it's in scope I have literally seen people who do not do the step I just told you and sit down in an audit that they have scheduled foreign the following it's painful uh yes do you have proven manage the exchange of information between the system and other systems using uh interconnection security agreements or information exchange security agreements um and do you document as part of each exchange agreement the interface characteristics requirements controls for each system and the impact of that information communicated like I've literally seen Auditors do that and you know what happens the person on the other side of the table the the B SEC on the other side of the table the Zach Hill on the other side of the table goes what the are you talking about what what does that mean I don't understand what you're asking me and then the auditor goes oh I'm asking you um do you approve and manage the exchange of information between the system and other systems using interconnection security agreements information exchange security like they don't know what they're actually talking about they're literally just puking out what it says in the control and even that one's not terribly um terribly complex but like um you know ac2 is a good one too it's just this is so important that it Bears repeating right like if you ask somebody in a meeting um well these are all too obvious guys I'm telling you there's a bunch that are not obvious right where you like you're asking someone a question and they're just like what the hell like okay access enforcement this basically means do you like this control basically 
means does technology is there technology in place under their authorization processes in place to make sure that only people with appropriate authorization are allowed to access data that they're allowed to that's what this question is asking or this control but I've seen people say like uh do you enforce approved authorizations for logical access to information and system resources in accordance with applicable Access Control policies yeah I can read it too you jack wagon but like no one knows what the hell that means so to put to reiterate my fine point when you are doing your assessment planning you better be ready to convey in a very clear way what controls you're trying to act uh associate or under or assess excuse me also I want to point out that it's worth noting like this control right here you wouldn't ask this question then this question then this question then this question what you would actually do is you'd sit like a good auditor would say Hey listen explain to me like when someone gets hired how do they get access like what's the process what's the workflow for Access then you have to listen and as you know they're explaining their workflows and processes you start kind of ticking off like oh yeah they do um document the different uh types and there is someone who's responsible for the accounts and they do um create accounts in accordance with their Pro their policies and they do monitor right like okay okay so that's that's the creation Now now walk me through if someone gets terminated like fired right if someone gets involuntary terminated what happens if someone retires what happens if someone switches jobs what happens like that's the right way to audit and ask questions reading the 53 verbatim to an I.T person you're going to lose massive amount of credibility you're going to look like a joke and you're not gonna actually get the data that you need in order to actually complete the assessment Pro tip 101 okay okay so anyways the blue is where 
you're actually doing the assessment now the final post assessment um you go on site you do all your assessments you do re speak English to them and then you come back to your your your desk you go through all of your controls this is the grind work you go through all the controls you assess whether or not the control is in place whether it's not in place whether it's partially in place even though that's a fail partial is better than nothing right um You might have to ask for additional information like oh hey during the interview you said bsec said that you guys use an author um uh like a new form that a manager fills out to get access that wasn't submitted during the pre-assessment for document review so can you send that over or even more valuable can you send over the last five people who got hired and that form filled out now you're actually testing that the workflow is in place not just the blank document right the last five people who got hired should have gone through that process if that's the process plus send me um the last person who got fired or terminated show me the form or the workflow or show me that their account was disabled on the day that they were fired right since it's or the day after right because your your standards said 24 hours right this is how you do audit and assessment okay um oh cool be SEC yeah so anyways this is the assessment part all right so we just did step four nice nice work everybody all right moving on step five authorization now guys our output of of the assessment is a report that says here's all your controls uh I've audited them independently I validated that you know most of them are in place the ones that are not in place are here now you normally the auditor the independent auditor wouldn't do this the security team would do this and um and and you would say okay for the ones that are not in place we're either going to accept the risk and document that we're going to have a plan in place to fix it like we don't 
have budget to fix it right now we don't have the staff to man the controls to fix it right or to to monitor it right whatever it is you have a plan in place and you start executing to it now we're about to get into where I got into a bit of a disagreement with nist and why I probably didn't get the job this step right here is authorized systems we'll walk through it and then I'll tell you what's up this the the daa or the system authorizer um they get these uh security plans summaries here's the plan of action and Milestones here's the assessment results like basically here's all the controls here's the state of all the controls here's the plan for getting everything fixed right you put an authorization package together which is basically just like a one-pager executive letter that says I accept it right here is the risk assessment which should be done okay so I don't agree with this but anyway so a risk assessment is done basically for the controls that are not in place what is the risk what is the impact and likelihood of not having that is it is is it as simple as having like a little bit of sand in your in your in your swimsuit or is it like stepping into a fire right those are two different bad situations right so what's the actual risk of the gaps in our control if some of it's unacceptable right like we're we're okay having sand in our shorts but we're not okay um being covered in Honey and rolling around in a fire ant hill so let's treat that risk right so do some risk treatment all right we cover ourselves in in uh you know Dove soap so uh honey doesn't stick to us and we go to the beach instead of going through a fire ant Park okay like again I'm just using silly metaphors to make the point the point is you mitigate risks down until the authorizing official feels comfortable with what it is and letting the system go online again in my experience I have never seen an authorizing official say oh no no this was way too risky but let's push back for a second 
no they're the business they're gonna rubber stamp it like as quickly as you can stick that one page under their hand they're going to stamp it and you're off and running okay they don't care and I mean that with all the love and respect in my heart you get the system authorization this blue guy and then you you basically report out to Congress right on a um annual basis right so you save that letter it's signed and anytime someone asks you you just fire it off and that's the end of it now here's what I want to tell you this risk assessment is kind of tucked away um this is where I got into the argument with this I said there really should be a step 4.5 or a uh this should be a seven step process this step right here should be a risk assessment you should do a full risk assessment on the gaps that were identified during the audit so for all the not in place controls and all the controls that were uh partially in place what is the actual risk and have someone based on threat modeling based on Intel actually do a real risk assessment and that should be provided as an input into the um executive making the decision so right here these documents over here one of these documents should say risk assessment that would actually be valuable I know if I was the authorizing official there's no way in hell I would sign anything unless it um I knew what the risks were all right all right so we've got our our AO or our our um what do they call it ATO our authority to operate in the federal government the ATO is all that matters it's the it's the great cash homie that's what an ATO is Straight Cash homie the final step we're operational everybody's high-fiving everybody's like uh celebrating our wins now we just monitor the controls which has varying levels of a degree of effort but you can see here you monitor the systems you do risk assessments periodically like once it once a year you do an Enterprise risk assessment you treat the risks you know you have your poem which is 
your plan of action Milestones you're implementing you're basically just operational and maintaining good security controls you don't just get the ATL scream YOLO and uh or you know or yell um cash rules everything around me and you know just piss off all the uh security controls like you you actually maintain the controls right you update documentation like the SSP as things change and uh you should be meeting with management or the information security manager on like a monthly basis or so um on what's going on you will have to reauthorize the system it used to be every three years I don't know if that's still the case um I think they moved to more of a lightweight annual instead of a heavyweight triannual but whatever and then finally system disposal when you do Legacy or Sunset a system it should be done properly this is also never done correctly most people just throw the system out the door or they just stop using it but it stays in production the data's still there uh that's a hot mess on fire a lot of people don't want to spend time and money on system disposal because they're done with it right it's like consumerism it's it's the system might as well be plastic wrapping on a kid's toy on Christmas it's like I don't need it anymore I don't care um but there is a formal process for system disposal which should be done uh when the system's done now you'll see here that they have repeat as necessary it is worth noting that sometimes sometimes a system can change what it's doing right so like like the system is originally designed for the IRS like we talked about but then they found out it's actually really valuable so then like the Department of Treasury starts using it or Department of Justice hooks into it or like whatever like the FBI hooks into it because they're going to start using it to like cross crosswalk uh the way they caught Al Capone like oh we have these criminals but we're going to try to catch them on tax evasion right weird crap happens so the 
type of data in the system can change and because of that you do have to iterate over this um at least every you know three years like hey is this still the same system are the controls still the same are we implementing the controls the same rinse repeat rinse repeat again um the tldr here is that it's not that hard to process and it makes sense step three is easily the most time consuming and busy step four is where audit happens and it's very important steps one two and five are usually done pretty quickly and then step six is just like ongoing work like that's that's like the job step six all right opening this up let me do this really quickly bring Chad up in here hi chat all right so thank you for coming to my TED Talk give me one second all right guys so this has been a pop-up nist risk management framework talk um I I'm Gerald Dozier I hope you've enjoyed it I've been wanting to do this talk for a little while I just didn't have time so I just threw it up here and said what's up all right let me see will Reed says they do a mix of ATO durations fold atos typically three years and ATL conditions may have shorter then there's the ongoing authorization yeah exactly yeah so there's all sorts of different ways to do it and and you know the funny thing is too that like there's interim ATO so you can get like a temporary authority to operate again this is what I'm talking about like they want the system operational now and information security especially this level of of uh granularity and complexity is seen as an impediment this is why I like this cyber security framework a lot more than this risk management framework and in the 853 because the 53 is too clunky and clumsy and awkward and slow and the cyber security framework is actually mapped to a an ongoing Security operation program that you can like quickly Implement and adapt on the Fly but that's my thing let's see thanks for another great stream my pleasure Pamela Jenny Housley hope you get to feeling 
better oh I didn't realize Kimberly was sick there you go Kimberly little little uh Randy for you I know you're a a Randy fan um zalia thank you very much I'm glad you enjoyed it uh thank you it was refreshing uh unknown on LinkedIn my pleasure Abdullah thanks Carrie no problem I hope you guys got value out of it there's also the ATU what is that Authority two ATU Authority let's let's figure this out authority to use oh that's a fedramp thing I didn't even get into fedramp fedramp is basically like um fisma compliance for cloud systems uh each agency that issues an ATO or ATU for cloud offering must review the Cloud's CSP of course this red ramp oh wait you guys aren't even looking at what I'm looking at does fedramp um accept ATU hold on what's an ATU man subscribe to ATU is very similar that they are both mechanisms for documented accepting readers at user intended to be used for shared systems no I mean I guess it's basically just saying that like yeah you like I've done all this work but you can you can piggyback on it no problem oh good Ashley Roundtree get up into the audit space come on in here I heart Nest yeah all right guys I'm gonna Boogie out of here be good thanks everybody for your time I hope you enjoyed the stream a bit of a renegade pop-up but you know it's sometimes it's how I roll uh if you're interested join the daily cyber threat briefing tomorrow morning at 8am it'll be a good time high fives all around thanks everybody be good and we'll see you in the next one [Music]
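As an added example (mine, not code from the stream, from Aaron Lange's diagram or from NIST), here is how the AC-2 termination test described in the talk could be checked mechanically: constructed HR separation records and constructed identity-system log lines are compared against an assumed 24-hour organization-defined window, then rolled up into the in place / partially in place / not in place result the talk describes. The log line format and every name in it are hypothetical.

```python
"""
Added example (not from the stream): for each terminated user, was the
account disabled within the organization-defined window? The 24-hour
window is the figure used in the talk, not a NIST default; every record
below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The "[Assignment: organization-defined time period]" slot in AC-2,
# filled in here with the 24 hours the talk uses as its example standard.
DISABLE_WINDOW = timedelta(hours=24)

# Constructed HR separation records: username -> termination timestamp (UTC)
HR_TERMINATIONS = {
    "jdoe":   datetime(2024, 3, 1, 17, 0, tzinfo=timezone.utc),
    "asmith": datetime(2024, 3, 4, 9, 30, tzinfo=timezone.utc),
    "bwong":  datetime(2024, 3, 6, 12, 0, tzinfo=timezone.utc),
    "clee":   datetime(2024, 3, 8, 8, 0, tzinfo=timezone.utc),
}

# Constructed identity-system audit log lines (hypothetical format:
# "<ISO timestamp> <action> user=<name> by=<admin>")
IDENTITY_LOG = """\
2024-03-01T18:15:00Z ACCOUNT_DISABLED user=jdoe by=it-admin
2024-03-02T10:00:00Z PASSWORD_RESET user=mmiller by=helpdesk
2024-03-05T14:45:00Z ACCOUNT_DISABLED user=asmith by=it-admin
2024-03-06T12:30:00Z ACCOUNT_DISABLED user=bwong by=it-admin
"""


@dataclass
class Finding:
    user: str
    status: str        # "pass", "late", or "not_disabled"
    hours_late: float  # hours beyond the window (0.0 unless status is "late")


def parse_disable_events(log_text: str) -> dict[str, datetime]:
    """Return the earliest ACCOUNT_DISABLED timestamp seen per user."""
    events: dict[str, datetime] = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "ACCOUNT_DISABLED":
            continue
        user = next(p.split("=", 1)[1] for p in parts[2:] if p.startswith("user="))
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
        if user not in events or ts < events[user]:
            events[user] = ts
    return events


def assess_terminations(terminations, log_text, window=DISABLE_WINDOW) -> list[Finding]:
    """Compare each HR termination against the identity log, like the
    'show me the account was disabled within 24 hours' evidence request."""
    disabled = parse_disable_events(log_text)
    findings = []
    for user, term_ts in sorted(terminations.items()):
        ts = disabled.get(user)
        if ts is None:
            # Terminated in HR but never disabled: the worst case for AC-2
            findings.append(Finding(user, "not_disabled", 0.0))
            continue
        overage = ts - term_ts - window
        if overage > timedelta(0):
            findings.append(Finding(user, "late", overage.total_seconds() / 3600))
        else:
            findings.append(Finding(user, "pass", 0.0))
    return findings


def control_status(findings) -> str:
    """Roll the sample up the way the talk describes the post-assessment."""
    passed = sum(f.status == "pass" for f in findings)
    if passed == len(findings):
        return "in place"
    return "partially in place" if passed else "not in place"


if __name__ == "__main__":
    results = assess_terminations(HR_TERMINATIONS, IDENTITY_LOG)
    for f in results:
        print(f"{f.user:8} {f.status:13} +{f.hours_late:.2f}h")
    print("AC-2 termination check:", control_status(results))
```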