When it comes to implementing security controls throughout an organization, there are a lot of cases where the work may be doubled, tripled, quadrupled or more by having to “reinvent the wheel” multiple times. It’s a common problem, but fortunately, it also has a common solution: common controls.
What does all of this mean? Let’s dig in.
BLUF - Bottom Line Up Front
The Risk Management Framework (RMF) by NIST is a seven-step process for organizations to manage cybersecurity, meeting FISMA standards. It includes steps like preparing, categorizing, selecting, implementing, assessing, authorizing, and monitoring security controls. Controls fall into three types: system-specific, common, and hybrid. Common controls, essential but challenging, require significant attention and designated ownership. Federal agencies and contractors must manage these controls, while others may choose to do so for improved security standards.
What Is the RMF?
First, let’s talk about the RMF. What is it?
The RMF is the Risk Management Framework, a framework initially developed by the National Institute of Standards and Technology (NIST) as a standard security procedure for government agencies. Because NIST is good at collecting broad industry feedback, and because so many industries work with the government on contracts, the RMF has since been broadly adopted across many industries for managing cybersecurity.
The NIST RMF is a seven-step process designed to allow any company, agency, or entity to meet the requirements of FISMA security standards. This can allow companies to proceed along the path to certification to work with government agencies as contractors, or it can simply be used as a way to define and maintain consistent and comprehensive organizational security.
The RMF is a seven-step process. Those steps are:
- Prepare: the process of preparing an organization to implement security controls.
- Categorize: the process of defining each system and process throughout a company and what level of security controls they need to be implemented to be secure.
- Select: the process of assigning appropriate security controls to each categorized business system.
- Implement: the process of putting the selected security controls into practice.
- Assess: the process of a third-party auditor analyzing and determining whether or not the security controls are in place and effective.
- Authorize: the process of a company official, the “Authorizing Official” (AO), formally allowing the company to use the system for government purposes.
- Monitor: the ongoing process of watching security, responding to issues, and keeping everything up to date.
All of this centers around security controls.
What are Security Controls?
Security controls are individual controls that fall into one of 20 control families. They can also be considered one of three types, though each control can be assigned a different type depending on the organization implementing it.
The three types of control are:
- System-Specific Controls. These are controls that are unique to a single system within an organization and are not in use anywhere else in the organization.
- Common Controls. These are controls that are implemented in several different systems throughout an organization and are subject to the same overarching processes no matter which system is using them. For example, if a company develops one single comprehensive Incident Response Control, which is then used in five different systems, each of those five systems will use it the same way, treating it as an inherited control.
- Hybrid Controls. These are controls that start as common controls but have elements of them customized for a specific system. Incident reporting as a hybrid control might mean that each system has a common incident report form to fill out, but specific systems have additional incident report duties to perform that are specific to their system.
The tricky part of common controls is that each individual control can be system-specific, common, inherited, or hybrid, depending on the system and the organization. What might be a common control for one organization might be a system-specific control for another. In other words, the categorization of a control is organization-dependent and not global.
Security controls, as mentioned, fall into 20 overarching umbrellas. These are defined by NIST SP 800-53. They are:
- AC – Access Control
- AT – Awareness and Training
- AU – Audit and Accountability
- CA – Assessment, Authorization, and Monitoring
- CM – Configuration Management
- CP – Contingency Planning
- IA – Identification and Authentication
- IR – Incident Response
- MA – Maintenance
- MP – Media Protection
- PE – Physical and Environmental Protection
- PL – Planning
- PM – Program Management
- PS – Personnel Security
- PT – Personally Identifiable Information Processing and Transparency
- RA – Risk Assessment
- SA – System and Services Acquisition
- SC – System and Communications Protection
- SI – System and Information Integrity
- SR – Supply Chain Risk Management
Each of these families of controls has a list of specific controls within it. By clicking through to NIST SP 800-53, you can browse them yourself. For a shorter example, here are the specific controls within PS – Personnel Security:
- PS-01 Policy and Procedures
- PS-02 Position Risk Designation
- PS-03 Personnel Screening
- PS-04 Personnel Termination
- PS-05 Personnel Transfer
- PS-06 Access Agreements
- PS-07 External Personnel Security
- PS-08 Personnel Sanctions
- PS-09 Position Descriptions
Some control families have more or fewer controls within them. Further, NIST is continually developing their framework and may periodically add, consolidate, remove, or redefine specific controls. Being aware of changes made to the standards over time is a key part of maintaining compliance.
How Do Common Controls Work?
Two steps of the RMF are critical to the use of common controls: Categorize and Select.
The categorization process involves identifying each element of your organization according to what kind of information it may be handling and what kind of access it governs. Your front-desk receptionists will be subject to different kinds of controls than your IT developers, who will be subject to different kinds of controls than your physical security staff.
Once your organization is broken down and categorized in this manner, the Select step begins. In this step, the entire set of controls across all 20 families is assigned as appropriate to each element of your organization.
Some controls will be system-specific. For example, your server administrators will generally need to follow certain procedures that no one else in your organization will typically need to because no one else will ever want or need to have access to specific secure servers within your organization.
Conversely, many controls will be replicated throughout your organization. Examples might include:
- Physical door access and badging systems. Each department in your organization will have its own set of badges and levels of access, with some able to get further into your facility than others, but they will all be subject to the same access control system and thus fall under common control.
- USB access to computer systems. Since plugging in unknown USB devices is a common threat vector, everyone – from your receptionists to your developers – will generally have limited ability to use USB devices and will thus fall under the same common control.
- Cybersecurity training. As part of awareness and training, everyone in your organization will get at least some amount of the same training, such as phishing awareness training. Some parts of your organization may get more specific training pertaining to their areas, which makes this a hybrid control.
By defining these as common controls, you can then maintain them centrally. For example, if an issue arises with your physical access badging system – like the system itself has a bug that makes it vulnerable to attack – it’s only one common control that needs to be fixed and adjusted, not multiple iterations of the same control across your organization.
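As an added illustration of the inventory this section describes (constructed example code, not Ignyte's platform or anything from NIST), the snippet below models how one organization types each SP 800-53 control per system, which systems inherit a common control from a named provider, and whether every inherited control has a designated owner. The system names, provider names and owner map are hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum

class ControlType(Enum):
    SYSTEM_SPECIFIC = "system-specific"
    COMMON = "common"
    HYBRID = "hybrid"

@dataclass
class Assignment:
    """How one system satisfies one SP 800-53 control (one row of a control inventory)."""
    control_id: str                 # e.g. "PS-03"
    ctype: ControlType
    provider: str | None = None     # common-control provider the system inherits from
    local_additions: tuple = ()     # hybrid: system-specific duties layered on top

# Constructed owner map: each common control needs a designated owner (AT-02@HR is missing one).
COMMON_OWNERS = {"PE-03@FacilitySecurity": "Head of Physical Security",
                 "IR-06@SOC": "Head of IT Security", "AT-02@HR": None}

# Constructed inventory: three hypothetical systems and how each satisfies a few controls.
INVENTORY = {
    "hr-portal": [Assignment("PE-03", ControlType.COMMON, "FacilitySecurity"),
                  Assignment("IR-06", ControlType.HYBRID, "SOC", ("notify-privacy-officer",)),
                  Assignment("AT-02", ControlType.COMMON, "HR")],
    "build-server": [Assignment("PE-03", ControlType.COMMON, "FacilitySecurity"),
                     Assignment("IR-06", ControlType.COMMON, "SOC"),
                     Assignment("AT-02", ControlType.HYBRID, "HR", ("secure-coding",)),
                     Assignment("CM-06", ControlType.SYSTEM_SPECIFIC)],
    "visitor-kiosk": [Assignment("PE-03", ControlType.HYBRID, "FacilitySecurity", ("escort-required",)),
                      Assignment("AT-02", ControlType.COMMON, "HR")],
}

def impacted_systems(control_id: str, provider: str) -> list[str]:
    """Systems inheriting this common control (fully or as a hybrid): all need re-checking when the provider's implementation has a defect."""
    return sorted(name for name, rows in INVENTORY.items()
                  if any(r.control_id == control_id and r.provider == provider for r in rows))

def unowned_common_controls() -> list[str]:
    """Inherited controls with no designated owner: a gap to close before assessment."""
    inherited = {f"{r.control_id}@{r.provider}" for rows in INVENTORY.values()
                 for r in rows if r.provider}
    return sorted(k for k in inherited if COMMON_OWNERS.get(k) is None)

def families_by_type(system: str) -> dict[str, set[str]]:
    # Control families a system covers, grouped by how each control is typed for that system.
    out: dict[str, set[str]] = {t.value: set() for t in ControlType}
    for r in INVENTORY[system]:
        out[r.ctype.value].add(r.control_id.split("-")[0])
    return out
```

Calling `impacted_systems("PE-03", "FacilitySecurity")` lists every system that must be re-verified if the badging system has a bug, which is exactly the single point of fix the paragraph above describes.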
Why Are Common Controls a Challenge?
Common Controls are one of the most challenging aspects of implementing the overall RMF. This is because they touch virtually every aspect of your organization and each system, but determining which controls are common, hybrid, or system-specific can take a surprising amount of analysis.
There’s also the fact that more than one control can be targeted toward the same security risk. There may be different sets of permissions for applications that grant access to the same services and different levels of physical access that access the same areas with different levels of nuance. All of this means that analyzing your suite of common controls requires significant attention to be paid towards the function and effectiveness of each control as it relates to your unique security situation.
A key part of understanding common controls is understanding who owns each common control. Every control will have a designated individual responsible for that control, who makes decisions related to it and is responsible for maintaining it, reporting incidents about it, and monitoring standards about it. Sometimes, a lot of responsibility falls on the shoulders of one individual, such as your head of IT security.
Other times, smaller-scale controls are the responsibility of individuals who aren’t in charge of much else.
The owner of each common control is responsible for documenting the control; ensuring that it is developed and implemented appropriately and can be verified by independent assessors; ensuring that supporting documents are provided and maintained; creating a plan of action and milestones document if necessary and keeping it available; and ensuring that the appropriate kind of monitoring is in place for the control.
Is Managing Common Controls Required?
After reading through the very daunting task of going through the entire Risk Management Framework and compliance process, you may wonder: is any of this actually required or mandatory?
The answer is yes for certain agencies. In broad terms:
- Any federal government agency.
- Any Department of Defense agency.
- Any contractor working for the federal government.
Other agencies, even those who have decided to adopt the RMF as a broad framework, are not actually required to go through every single security control definition and implementation process.
That is, following the RMF is a good way to make sure your organization meets at least a certain level of modern cybersecurity and physical security standards, but unless you plan to be working with the federal government on a contract and handling CUI (Controlled Unclassified Information) or have FISMA as a contract clause, you don’t need to follow every detail.
If you are seeking the ability to work with the government, you’ll need to go through the RMF process and be certified by a 3PAO (Third-Party Assessment Organization) to validate your implementation of all of the controls defined and assigned to your processes. This is a very lengthy and complex process, which is why many organizations, even if they think the RMF is a good idea, fall short of the mark until such time as they decide to pursue government contracts.
Assistance with RMF Compliance
The seven steps of the Risk Management Framework are all complex, and any mistakes along the way can be devastating to your organization’s timeline and hopes of winning government contracts. Fortunately, we can help.
Ignyte Platform was developed as a way to centralize documentation and monitoring for your organization’s controls, both system-specific and common.
- In step one, we help you prepare for the organization and implementation of security controls by providing a framework you can use to input and track the information you need for every aspect of compliance.
- In step two, we help you by providing a centralized location for the categorization of each element of your organization.
- In step three, those same centralized locations are the perfect place to define each security control that applies to each segment of your organization, and we make it easy to identify which ones are system-specific, which ones are common controls, and which ones have enough variance that they can be defined as hybrid controls.
- In step four, implementation, our platform helps you track the process from identification through the milestones of implementation to the successful implementation of each control, with an easy-to-read dashboard that shows overall milestones and the specific processes necessary to obtain compliance.
- We can help with step five, the assessment step, too. While the platform itself isn’t capable of auditing, it can help quite a bit when generating the documentation for your designated 3PAO to review; further, we’ve obtained 3PAO designation and can help with FedRAMP certification as well.
- While step six, the authorization, isn’t ours to deliver, we can then help with step seven and the ongoing monitoring you’ll need to have in place for the future as well.
If you’re interested in seeing how all of this works specifically and how it can work for you, just book a demo or reach out to talk to us directly. We’re always happy to help!
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him on LinkedIn here.