Risk Assessment - Holistic Review (site/environment/information systems)


Overview

Finding ID: V-32541
Version: PH-02.02.01
Rule ID: SV-42878r3_rule
IA Controls:
Severity: Medium

Description
Failure to conduct a risk analysis could result in not implementing an effective countermeasure to a vulnerability or wasting resources on ineffective measures leading to a possible loss of classified, equipment, facilities, or personnel.

REFERENCES:

DoD 5200.22-M (NISPOM), February 2006, Incorporating Change 2, May 18, 2016 Chap 1, Section 2, para 1-207a.(1) & b.; Chap 8 Sec 1, para 8-100.a., d. & e., 8-101., 8-102., 8-201., 8-202., 8-301., and 8-304.b.

NIST Special Publication 800-53 (SP 800-53) Controls: PE-18(1), PL-1, PL-2, PS-1, RA-1, RA-3

DoD 5200.8-R Physical Security Program Definitions: 1.13, 1.14., 1.15., 1.22.; Chap 1, C1.2.3. C1.2.4. and Chap 2, C2.1.3.3.

DoD Manual 5200.08 Volume 3, Physical Security Program: Access to DoD Installations, 2 January 2019

DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information Encl 2, para 10.; Encl 3, para 4.: Appendix to Encl 3, para 2.a. and Encl 7 para 4.c.

CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), 9 February 2011 Encl A, para 12; Encl B, para 2.d(3), 2.g., and 3.h.; Encl C, para 3.a., 6.b.(6) and 33.

DoD Instruction 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), March 13, 2014

DoD Instruction 8500.01, “Cybersecurity,” March 13, 2014 Encl 2, paragraph 2.k., 9.q., 15.e. and Encl 3, paragraph 2. (*2.f.) & 9.b.(5)

NIST SP 800-30, Guide for Conducting Risk Assessments

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems

STIG: Traditional Security Checklist
Date: 2020-08-26

Details

Check Text ( C-40983r9_chk )
1. Check that there is a “Holistic” Risk Assessment (RA) for the site that includes consideration of environmental hazards, weather hazards, criminal and terrorist hazards, insider threat hazards and any other threats that could possibly impact the Confidentiality/Integrity/Availability (CIA) of the Information Technology (IT) facility and/or Information System (IS) equipment.

2. Check to ensure the RA is revalidated/updated at least annually.

3. Check to ensure the current site commander/director signed the risk assessment in conjunction with or in coordination with the Authorizing Officials (AOs) for resident system(s), signifying acceptance of any residual risk.

NOTE 1: While an AO signed ATO does in fact signify acceptance of risk for specific systems, this alone does not meet the requirement for a formal risk assessment, which is a very specific and separate individual document.

NOTE 2: Conducting a risk analysis is not just a simple paperwork drill - or at least it should not be. Often organizations take a risk analysis template and simply insert their organization's information, local environmental information, etc. - but do not do a good job of actually assessing threats and the countermeasures in place (or that can be applied) to come up with an acceptable level of residual risk. A good risk assessment is a team effort (security, IA, COOP, engineers, safety, management...) and should be headed by someone with at least some training in conducting risk assessments.

NOTE 3: Training is offered by the Defense Security Service (DSS) Academy in Linthicum, MD among others.

NOTE 4: The NIST SP 800-30, Guide for Conducting Risk Assessments provides a widely used format and instructions for conducting a RA. Reviewers should recommend sites use this publication as the basis for conducting their RA.

NOTE 5: Time permitting, the reviewer should make recommendations for improving the risk analysis process at a site, since this is a critical element in any effective security management program.

NOTE 6: When there is a government/DoD contract with an industry partner, the government sponsor is inherently and ultimately responsible for risk-based decisions. The contractor only performs mission-related tasks IAW contract specifications (e.g., statement of work (SOW)), which should ideally include guidance for risk assessment and acceptance.

Hence, while the industry partner can prepare and coordinate the risk assessment, it is the government/DoD customer who has the ultimate responsibility for accepting and coordinating risk based on their mission requirements. Therefore, the head of the contract sponsoring organization must approve/sign the risk assessment/acceptance of residual risk.

The Authorizing Official (AO) for industry locations is the Defense Security Service (DSS) Cognizant Security Office (CSO). Each CSO appoints an AO for system related risk evaluation.

NOTE 7: A thorough organizational risk assessment and acceptance of residual risk should be properly coordinated with all stakeholders to ensure there are no conflicts or issues. This must include the Authorizing Official (AO), and should also include where appropriate the DISN Connection Approval Office (CAO), the Program Management Office (PMO), local law enforcement, fire/safety, Counter Intelligence (CI) Support, Federal Emergency Management Agency (FEMA) along with state and local emergency management counterparts as applicable. The government Contracting Officer and/or Contracting Officer's Representative (COR) should inherently be included for coordination with all contractor-related risk assessments.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where procedural documents (SOPs) should be in place. Not applicable to a field/mobile environment.

Fix Text (F-36459r6_fix)
1. Ensure there is a “Holistic” Risk Assessment (RA) for the site that includes consideration of environmental hazards, weather hazards, criminal and terrorist hazards, insider threat hazards and any other threats that could possibly impact the Confidentiality/Integrity/Availability (CIA) of the Information Technology (IT) facility and/or Information System (IS) equipment.

2. Ensure the RA is revalidated/updated at least annually.

3. Ensure the current site commander/director signed the risk assessment in conjunction with or in coordination with the AOs for resident system(s), signifying acceptance of any residual risk.

NOTE 1: While an AO signed ATO does in fact signify acceptance of risk for specific systems, this alone does not meet the requirement for a formal risk assessment, which is a very specific and separate individual document.

NOTE 2: Conducting a risk analysis is not just a simple paperwork drill - or at least it should not be. Often organizations take a risk analysis template and simply insert their organization's information, local environmental information, etc. - but do not do a good job of actually assessing threats and the countermeasures in place (or that can be applied) to come up with an acceptable level of residual risk. A good risk assessment is a team effort (security, IA, COOP, engineers, safety, management...) and should be headed by someone with at least some training in conducting risk assessments.

NOTE 3: Training is offered by the Defense Security Service (DSS) Academy in Linthicum, MD among others.

NOTE 4: The NIST SP 800-30, Guide for Conducting Risk Assessments provides a widely used format and instructions for conducting a RA. Reviewers should recommend sites use this publication as the basis for conducting their RA.

NOTE 5: When there is a government/DoD contract with an industry partner, the government sponsor is inherently and ultimately responsible for risk-based decisions. The contractor only performs mission-related tasks IAW contract specifications (e.g., statement of work (SOW)), which should ideally include guidance for risk assessment and acceptance.

Hence, while the industry partner can prepare and coordinate the risk assessment, it is the government/DoD customer who has the ultimate responsibility for accepting and coordinating risk based on their mission requirements. Therefore, the head of the contract sponsoring organization must approve/sign the risk assessment/acceptance of residual risk.

The Authorizing Official (AO) for industry locations is the Defense Security Service (DSS) Cognizant Security Office (CSO). Each CSO appoints an AO for system related risk evaluation.

NOTE 6: A thorough organizational risk assessment and acceptance of residual risk should be properly coordinated with all stakeholders to ensure there are no conflicts or issues. This must include the Authorizing Official (AO), and should also include where appropriate the DISN Connection Approval Office (CAO), the Program Management Office (PMO), local law enforcement, fire/safety, Counter Intelligence (CI) Support, Federal Emergency Management Agency (FEMA) along with state and local emergency management counterparts as applicable. The government Contracting Officer and/or Contracting Officer's Representative (COR) should inherently be included for coordination with all contractor-related risk assessments.