Block 1 Day 4
RMF Steps
Step 1 Prepare - carry out essential activities at the organization, mission and business process, and information system levels of the enterprise to help prepare the organization to manage its security and privacy risks using the Risk Management Framework.
18 tasks
Step 2 Categorize the System - During categorization, the impact of a loss of confidentiality, integrity, and availability is categorized into one of three designations (low, moderate, or high).
Register the system in the appropriate repository: UNCLASS in NIPR eMASS, SECRET in SIPR eMASS, TS/SCI in XACTA.
Step 3 Select Security Controls - There are three distinct types of designations related to the security controls. These designations include common controls, system-specific controls, and hybrid controls.
Common controls are security controls whose implementation results in a security capability that is inheritable by one or more organizational information systems.
System-specific controls are the primary responsibility of information system owners and their respective authorizing officials. Organizations assign a hybrid status to security controls when one part of the control is common and another part of the control is system-specific.
Step 4 Implement Security Controls - Implement the security controls specified in the security plan in accordance with DoD implementation guidance found on the KS.
Step 5 Assess Security Controls - Develop, review, and approve a plan to assess the security controls.
An assessment methodology is provided in the KS as a model for use or adaptation.
The risk assessment will be used by the SCA to determine the level of overall system cybersecurity risk and as a basis for a recommendation for risk acceptance or denial to the AO.
If no vulnerabilities are found through the process of executing the assessment procedures, the security control is recorded as compliant.
If vulnerabilities are found, the control is recorded as non-compliant (NC) in the POA&M.
The SCA must determine and document in the SAR an assessment of the overall system level of risk and identify the key drivers for the assessment.
Prepare the SAR, documenting the issues, findings, and recommendations from the security control assessment.
Conduct remediation actions on NC security controls based on the findings and recommendations of the SAR and reassess remediated control(s), as appropriate.
Step 6 Authorize System
Accreditation decisions
Authorization to Operate (ATO) - Authorization granted by an AO for a DoD IS to process, store, or transmit information. An ATO indicates a DoD IS has adequately implemented all assigned IA controls, requirements, and safeguards to the point where residual risk is acceptable to the AO.
ATOs may be issued for up to 3 years. CAT I weaknesses will be corrected before an ATO is granted.
CAT II weaknesses will be corrected or satisfactorily mitigated before an ATO can be granted. CAT III weaknesses will not prevent an ATO from being granted if the AO accepts the risk associated with the weaknesses.
Authorization to Operate with conditions - An accreditation decision that allows the system to operate under conditions and time frames outlined by the AO.
Interim Authorization to Test (IATT) - The IATT accreditation decision is a special case for authorizing testing in an operational information environment or with live data for a specified time period.
IATTs should be granted only when an operational environment or live data is required to complete specific test objectives. An IATT may not be used to avoid ATO or IATO validation activity and certification determination requirements for authorizing a system to operate.
Denial of Authorization to Operate (DATO) - An AO decision that a DoD IS cannot operate because of an inadequate IA design, failure to adequately implement assigned IA controls, or other lack of adequate security. If risk is determined to be unacceptable when compared to the mission assurance requirement, then the AO, in collaboration with all program stakeholders, will issue the authorization decision in the form of a DATO.
If the system is already operational, the responsible AO will issue a DATO and operation of the system will cease immediately. Network connections will be immediately terminated for any system that is issued a DATO.
Severity Categories - Assigned to system security weaknesses or shortcomings identified during certification analysis to indicate the risk level associated with the weakness and the urgency with which the corrective action must be completed. The categories are CAT I, CAT II, and CAT III, with CAT I indicating the greatest risk and urgency.
CAT I weaknesses shall be corrected before an ATO is granted.
Allows primary security protections or perimeters to be bypassed.
Allows unauthorized access to security or administrator level resources or privileges.
Allows unauthorized disclosure of, or access to, classified data or materials.
Allows unauthorized access to classified facilities.
System can operate with CAT I ONLY IF it is critical to military operations.
Classified systems POA&Ms with a CAT I must be submitted on SIPRNET.
CAT II weaknesses shall be corrected or satisfactorily mitigated before an ATO can be granted.
Allows access to information that could lead to a CAT I vulnerability.
Allows unauthorized access to user or application level system resources.
May result in the disruption of system or network resources that degrades the ability to perform the mission.
Can be mitigated to a point where any residual risk is acceptable.
Must be corrected or mitigated before an ATO can be granted.
CAT III weaknesses do not prevent an ATO.
Weaknesses will not prevent an ATO from being granted if the AO accepts the risk associated with the weaknesses.
Weakness that if corrected will improve the system’s IA posture but does not prevent an ATO.
Connection Approval Decisions
AFNIC, now HQ CCC, performs an IA review, validates the implementation of the IA controls, and provides comments. The AF-AO will then issue a decision for an ATC. By awarding an ATC, the AF-AO ensures the IS is certified as well as accredited (it has an approved accreditation decision prior to the ATC decision) and is in compliance with the assigned IA controls to perform mission-related activities. Connection approval decisions are limited to an Authorization to Connect (ATC) and a Denial of Authorization to Connect (DATC).
Authorization to Connect (ATC) - An Authorization to Connect (ATC) is granted to allow a system to connect to the AFIN or DODIN.
Denial of Authorization to Connect (DATC) - A Denial of Authorization to Connect (DATC) is an AF-AO determination that an IS cannot connect to the AF-GIG because of an inadequate IA design, failure to adequately implement assigned IA Controls, or other lack of adequate security.
If the IS is already connected, the connection of the IS must be terminated. All denial decisions must be signed by the AF-AO, not delegated to AFCA as for certain approval decisions.
Step 7 Monitor Security Controls - Continuously monitor the system or information environment for security-relevant events and configuration changes that negatively affect security posture.
Periodically assess the quality of security control implementation against performance indicators.
Report any significant change in the security posture of the system, and recommended mitigations, immediately to the SCA and AO.
Recommend to the SCA or AO a reassessment of any or all security controls at any time.
Implement a system decommissioning strategy, when needed, which executes required actions when an IS or PIT system is removed from service. When a system is removed from operation, a number of RMF-related actions are required. Before decommissioning, any control inheritance relationships should be reviewed and assessed for impact.
Consent to Monitoring for Official IT Resources
Overview
Electronic System Security Assessment (ESSA) - provides commanders with an assessment as to the type and amount of information traversing Department of Defense (DOD) electronic communication systems that is at risk to adversary collection and exploitation.
The AF monitors, collects, and analyzes information from DOD electronic communications systems to determine if any critical or classified information transmitted via unsecured and unprotected systems could adversely affect US (and allied/coalition) operations.
CDA Missions: The CDA WS currently conducts three separate missions: Active Indicator Monitoring (AIM) in support of cyberspace network defense, ESSA in support of OPSEC mission sets, and Cyberspace Operations Risk Assessment (CORA) in support of cybersecurity.
AIM - Protect the Air Force, DOD and government networks. AIM missions identify and report disclosed information that could be used to gain unauthorized access to, or compromise, Air Force networks and devices. AIM tools include, but are not limited to, e-mail and IbC.
ESSA - Protect information pertaining to Air Force, DOD and government operations, capabilities, and resources. ESSA missions identify and report disclosed information that could be used to compromise missions, gain access to sensitive capabilities, and deny knowledge of critical resources. ESSA utilizes the following tools: telephony, e-mail, IbC, radio frequency (RF), and web risk assessment (WRA).
CORA - Mitigate the effects of lost Air Force, DOD and government operations, capabilities, and resources. CORA missions analyze potential and confirmed compromised data from adversary exfiltration or friendly transmission outside of U.S. Government control, with the objective of determining the associated impact to Air Force operations and technology resulting from the data loss.
Notice and Consent - legal requirement before monitoring can be conducted.
Telephones
The DD Form 2056, Telephone Monitoring Notification Decal, must be affixed on the front of all official telephones, including Voice over Internet Protocol (VoIP) phones.
For telephones with secure voice capability that can be used in the unsecure mode, such as Secure Terminal Equipment (STE), etc., remove the words “DO NOT DISCUSS CLASSIFIED INFORMATION” from the form.
Facsimile Machines and Multi-Function Devices
The DD Form 2056 must be affixed on all facsimile machines and multi-function print devices. Locally generated notice and consent stickers are permitted as long as the wording matches the DD Form 2056 exactly.
Use the AF Form 3535, Facsimile Electro Mail Transmittal.
Information Systems
Put users of unclassified AF information systems (e.g., any electronic device connecting to the AFIN, stand-alone electronic devices, and portable electronic devices) on notice that their use constitutes consent to monitoring.
The notice and consent log-on banner, Attachment 2, must be installed on all computers. The banner is automatically displayed upon boot-up and/or initial log-on for the computer system regardless of the access methodology (physical, network, remote access, dial-in, etc.).
Place the banner on the computers in such a way that the user must press a key to get beyond it, thereby demonstrating acceptance of its provisions.
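As an added example (not part of the course notes or any Air Force publication), the following PowerShell sets and then verifies the pre-logon notice and consent banner on a Windows host. It uses the LegalNoticeCaption and LegalNoticeText registry values, which Winlogon displays before the credential prompt for local, network and remote desktop logons and which the user must acknowledge before continuing. The banner text below is a placeholder: the approved wording is the Attachment 2 text, which is not reproduced here. The function names Set-ConsentBanner and Test-ConsentBanner are my own.

```powershell
# Added example: configure and verify the Windows pre-logon consent banner.
# Requires an elevated session. Banner text is a PLACEHOLDER (assumption):
# substitute the exact Attachment 2 wording before use.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Placeholders for the approved caption and body text.
$ExpectedCaption = 'US DEPARTMENT OF DEFENSE WARNING STATEMENT'
$ExpectedText    = '<< insert the exact Attachment 2 notice and consent banner text here >>'

function Set-ConsentBanner {
    param(
        [Parameter(Mandatory)] [string]$Caption,
        [Parameter(Mandatory)] [string]$Text
    )
    # Winlogon reads these two values and shows a dialog that must be
    # dismissed with OK before the credential prompt appears, regardless
    # of whether the logon is at the console or over RDP.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name 'LegalNoticeCaption' -Value $Caption -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'LegalNoticeText'    -Value $Text    -Type String
}

function Test-ConsentBanner {
    param(
        [Parameter(Mandatory)] [string]$Caption,
        [Parameter(Mandatory)] [string]$Text
    )
    # Returns $true only when both values exist and match the approved
    # wording exactly (case-sensitive), which is what an assessor checks
    # when recording the control as compliant or non-compliant.
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($null -eq $props) {
        Write-Warning "Policy key $PolicyKey not found; banner is not configured"
        return $false
    }
    $captionOk = ($props.LegalNoticeCaption -ceq $Caption)
    $textOk    = ($props.LegalNoticeText    -ceq $Text)
    if (-not $captionOk) { Write-Warning 'LegalNoticeCaption is missing or differs from the approved wording' }
    if (-not $textOk)    { Write-Warning 'LegalNoticeText is missing or differs from the approved wording' }
    return ($captionOk -and $textOk)
}

# Usage:
# Set-ConsentBanner  -Caption $ExpectedCaption -Text $ExpectedText
# Test-ConsentBanner -Caption $ExpectedCaption -Text $ExpectedText   # True when compliant
```

Test-ConsentBanner compares case-sensitively because the requirement is that the banner wording match exactly; a locally reworded banner should be reported as a finding rather than silently accepted. In a domain environment the same two values are normally delivered by Group Policy (Interactive logon: Message title/text for users attempting to log on), and the check is still valid against the resulting registry state.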
Private or Intranet Web Home pages
Prominently display the exact notice and consent banner on the first page of all private and intranet web home pages (to include SharePoint sites); the banner is not required on subsequent pages. Notice and consent requirements do not apply to public web pages.
Applications
The DOD Banner/User Agreement policy memorandum only applies to DOD information systems, not applications.
Portable Electronic Devices (PED)
Examples: text pagers, cell phones, smartphones, tablets, satellite phones, and hand-held radios/land mobile radios (LMR).
All PED users must sign an AF Form 4433, US Air Force Unclassified Wireless Mobile Device User Agreement. LMR users are exempt from this requirement if the LMR has a DD Form 2056 attached to it.
The signed form will be retained by the organizational Cybersecurity office or designated representative for a minimum of six months after the device has been returned to the issuing office.
Other Information Technology
Any telecommunication devices not otherwise referenced must have a signed AF Form 4433 or AF Form 4394 on file.
The signed forms will be retained by the Organizational Cybersecurity office or the designated representative for a minimum of six months after the device has been returned to the issuing office.
Optional Notice and Consent Awareness Methods
Optional methods to provide users with legally sufficient notice that their use of electronic communications and information systems constitutes consent to monitoring for authorized purposes are outlined as follows:
Correspondence from the base or facility commander, addressing notice and consent provisions, to all assigned organizations for dissemination to unit personnel.
Addressing notice and consent provisions to newcomers during in-processing, periodic OPSEC awareness briefings, and commander’s calls.
Using base bulletins, base newspapers, E-mails, web pages, and similar publications on a periodic basis.
Incorporating notice and consent provisions in operating procedures, instructions, information system security rules of behavior or acceptable use guidance, etc., that are periodically reviewed by users.
Any other actions deemed appropriate by the base or facility commander or the commander’s