RMF Step 3: Implement Flashcards
Control implementation
Include a functional description of the control implementation (planned inputs, expected behavior, expected outputs)
Input and Output of RMF Step 3: Implement
INPUT
- SSP, with final selection of controls
- Implementation Guidance
- Configuration Guidance
OUTPUT
- Security controls implemented within system
- All supporting documents
Guidance documents
800-53 Recommended controls
800-53A Guide for assessing controls
800-70 Configuration checklists
Other guidance - NIST SP 800-34
CP (Contingency Planning)
Other guidance - NIST SP 800-61
IR (Incident Response)
Other guidance - NIST SP 800-63
IA (Identification and Authentication)
Other guidance - NIST SP 800-16/800-50
AT (Awareness and Training)
Other guidance - NIST SP 800-40
SI-2 Patch management
Other guidance - NIST SP 800-41
AC-4 & SC-7 Firewall management
Common control and example
A control that provides a capability for multiple systems
e.g., an organization's firewall
System-specific controls and example
Controls that provide a capability for a particular system only
e.g., a host-based IDS
Hybrid controls and example
Controls that have both system-specific and common characteristics
e.g., MS AD Group Policies
Functional descriptions include
- planned inputs
- expected behavior
- expected outputs
Level of effort spent in documenting a system should be commensurate with the system's
- purpose
- scope
- impact
Three types of controls and examples
1) Technical controls - hardware, software, firmware
2) Operational and management controls - personnel or processes