Advanced Cybersecurity Risk Management Report

Description

Please follow the attached Steps and complete the attached Risk Management Report using the steps. Please also complete any of the Templates within the steps to be included in addition to the Risk Management Report. For example, step 7. Also, please include references in APA 7 format for the report at the end of Section 6. This is a capstone project and will require excellent attention to detail as well as an in-depth knowledge of Cybersecurity and Risk Management Reports. Please let me know if you do not feel comfortable doing the steps and report in its entirety. Thank you.

Advanced Cybersecurity Risk Management Report
CYB-670
Student Name:
Instructor Name:
Section 1: RMF Preparation
1.1 Roles and Responsibilities
Authorizing Official:
Name:
Title:
Work Phone:
Responsibilities:
Chief Information Officer:
Name:
Title:
Work Phone:
Responsibilities:
System Owner:
Name:
Title:
Work Phone:
Responsibilities:
Information Systems Security Officer:
Name:
Title:
Work Phone:
Responsibilities:
System Administrator:
Name:
Title:
Work Phone:
Responsibilities:
Information Owner:
Name:
Title:
Work Phone:
Responsibilities:
System User:
Name:
Title:
Work Phone:
Responsibilities:
Control Assessor:
Name:
Title:
Work Phone:
Responsibilities:
Security Architect:
Name:
Title:
Work Phone:
Responsibilities:
1.2 Possible Risks for a Cloud-based Application
List and describe risks associated with a cloud-based application. Be sure to include references for your
sources of information.
1.3 System Categorization
The categorization has already been determined by another team as:
SC information system = {(confidentiality, LOW), (integrity, MODERATE), (availability, LOW)}
This results in a high water mark of MODERATE.
Section 2: Selecting Security Controls
List the security controls that have been selected based on the System categorization using FIPS-200
guidance and the NIST SP-800-53 baseline security controls.
Table 1. Selected Security Controls
ID    Control or Control Enhancement Name

Provide appropriate organization-assigned parameters for these specific controls.
Table 2. Security Control ID and organizational-controlled parameters to complete
Security Control ID    Organization-controlled Parameters

AT-1
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]
c. Review and update the current awareness and training:
1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].

AU-4
Control: Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements].
(1) AUDIT LOG STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE
Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging.

CA-3
a. Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreements; [Assignment: organization-defined type of agreement]];
c. Review and update the agreements [Assignment: organization-defined frequency].

CP-4
a. Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests]

IR-4
Control Enhancements:
(1) INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES
Support the incident handling process using [Assignment: organization-defined automated mechanisms].
(5) INCIDENT HANDLING | AUTOMATIC DISABLING OF SYSTEM
Implement a configurable capability to automatically disable the system if [Assignment: organization-defined security violations] are detected.
(11) INCIDENT HANDLING | INTEGRATED INCIDENT RESPONSE TEAM
Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in [Assignment: organization-defined time period]

PE-2
(2) PHYSICAL ACCESS AUTHORIZATIONS | TWO FORMS OF IDENTIFICATION
Require two forms of identification from the following forms of identification for visitor access to the facility where the system resides: [Assignment: organization-defined list of acceptable forms of identification].
(3) PHYSICAL ACCESS AUTHORIZATIONS | RESTRICT UNESCORTED ACCESS
Restrict unescorted access to the facility where the system resides to personnel with [Selection (one or more): security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; [Assignment: organization-defined physical access authorizations]].

PM-23
Control: Establish a Data Governance Body consisting of [Assignment: organization-defined roles] with [Assignment: organization-defined responsibilities]

Section 3: Implement and Assess Security Controls
Using the templates provided in this attachment, complete the policies and documents for each of the
following:
- Configuration Management Policy (CM-1)
- Maintenance Policy (MA-1)
- Acceptable Use Policy (PS-6)
- Contingency Planning Policy (CP-1)
- Identification and Authentication Policy (IA-1)
- Security Awareness Training Policy (PM-13)
In your submission submit the completed templates as an upload for your instructor to review.
Describe the process associated with implementing and documenting security controls. Estimate the
timeline and number of people you might need to complete all 238 controls.
Section 4: Assess Security Controls
A representative table of your results is shown below.
Security Control    Examine    Interview    Test
AC-1
AC-2
AC-3
AC-4
AC-5
AC-6
Section 5: Continuous Monitoring
Table X. Automation Tools and alignment with Security Controls
Functionality    Tool name and description    Main features    Security Control
Vulnerability Scanning
Malware detection
Security Information and Event Management (SIEM)
Incident Management
Certificate Management (e.g. SSL)
Patch Management
Section 6: References
Step 1: Risk Management Threats
Have an understanding of the fundamentals of RMF. This lists 7 different organization-level
preparation steps including P1 – risk management roles, P2 – risk management strategy, P3 –
risk assessment – organization, P4 – organization-tailored control baselines and cybersecurity
framework profiles, P5 – common control identification, P6 – impact-level prioritization and
P7 – continuous monitoring strategy.
Step 2: Start your Advanced Risk Management Report
Now that you have conducted some initial reading and activities supporting Advanced Risk
Management, use the Advanced Risk Management Report template to complete section 1 –
roles and responsibilities.
Use the following organization chart for the fictitious organization Advanced Cyber Risk
Management Agency. Be sure to add a description of each role.
You can also summarize the possible risks for the system as part of a risk assessment process.
Since the system will be deployed in the cloud, you can begin to gather risks specific to the
cloud. Risks can also come in the form of human error such as misconfigurations or be as
egregious as data breaches. Research and prepare a list of possible risks for a cloud-based
application. Be sure to describe the risk and include references for your sources of information.
Use section 1.2 of the Advanced Risk Management Report template to record your results.
Step 3: Categorize the System
The second step of the RMF process involves categorizing the system. This includes
categorizing not only the system, but the information processed, stored, and transmitted. An
impact analysis is conducted in this step to determine the potential adverse impact to the
security objectives including confidentiality, integrity, and availability.
Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of
Federal Information and Information Systems is the foundation document for this step.
Table 1 aligns security objectives with potential impact. The overall security categorization is
determined by the highest values (i.e., high water mark) from among those security categories
that have been determined for each type of information resident on the information system.
For example, the following general formula is used to categorize an Information system.
SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)},
where the acceptable values for potential impact are LOW, MODERATE, or HIGH.
If analysis was performed on an information system resulting in a low confidentiality impact,
moderate integrity impact, and low availability impact, the resulting security categorization
would be moderate as this is the high water mark.
Table 1. Potential Impact for each Security Objective
Security Objective / Potential Impact (Low, Moderate, High)

Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for
protecting personal privacy and proprietary information.
Low: The unauthorized disclosure of information could be expected to have a limited adverse
effect on organizational operations, organizational assets, or individuals.
Moderate: The unauthorized disclosure of information could be expected to have a serious
adverse effect on organizational operations, organizational assets, or individuals.
High: The unauthorized disclosure of information could be expected to have a severe or
catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Integrity
Guarding against improper information modification or destruction, and includes ensuring
information non-repudiation and authenticity.
Low: The unauthorized modification or destruction of information could be expected to have a
limited adverse effect on organizational operations, organizational assets, or individuals.
Moderate: The unauthorized modification or destruction of information could be expected to
have a serious adverse effect on organizational operations, organizational assets, or individuals.
High: The unauthorized modification or destruction of information could be expected to have a
severe or catastrophic adverse effect on organizational operations, organizational assets, or
individuals.

Availability
Ensuring timely and reliable access to and use of information.
Low: The disruption of access to or use of information or an information system could be
expected to have a limited adverse effect on organizational operations, organizational assets,
or individuals.
Moderate: The disruption of access to or use of information or an information system could be
expected to have a serious adverse effect on organizational operations, organizational assets,
or individuals.
High: The disruption of access to or use of information or an information system could be
expected to have a severe or catastrophic adverse effect on organizational operations,
organizational assets, or individuals.

NIST SP-800-60v1 provides an overview of the steps associated with categorizing a system
(see figure 3).
Figure 3 – Categorizing a system (NIST)
Identifying the types and impact levels is often an iterative process involving subject matter
experts, multiple teams, and individuals who will be using the system or have some interest in
the system. The information types will vary based on the industry, or organization. Example
Mission-based information types are shown in NIST SP-800-60v1 and include:
- Defense and National Security
- Homeland Security
- Intelligence Operations
- Disaster Management
- International Affairs & Commerce
- Natural Resources
- Energy
- Environment Management
- Economic Development
- Community & Social Services
- General Sciences & Innovation
- and more
The process for categorization will vary from organization to organization. However, it is not
uncommon for a spreadsheet to be available that provides all of the relevant information types
along with a drop down to select if the impact is low, moderate or high for each information
type.
To determine the high water mark, the highest level is selected across each category and row.
For example, if the highest impact levels were as follows:
SC information system = {(confidentiality, LOW), (integrity, MODERATE), (availability, LOW)}
The high water mark for this system would be MODERATE. Note that the impact level for each
category is determined from the highest impact across all information types. It is not unusual to
have dozens of information types contributing to the security classification of the system.
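The high-water-mark calculation described above, written out as an added example (not part of the course material). The information type names and sheet layout are constructed for illustration; the control counts per baseline are the ones quoted later on this page.

```python
"""FIPS 199 high-water-mark categorization over a sheet of information types."""
from enum import IntEnum


class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")

# Control counts per baseline as quoted in this course material.
BASELINE_CONTROL_COUNT = {Impact.LOW: 149, Impact.MODERATE: 287, Impact.HIGH: 370}

# Constructed sample rows (hypothetical information types), standing in for
# the spreadsheet with one drop-down per security objective.
SAMPLE_SHEET = [
    {"info_type": "Public outreach content", "confidentiality": "low",
     "integrity": "Moderate", "availability": "LOW"},
    {"info_type": "Help desk tickets", "confidentiality": "LOW",
     "integrity": "LOW", "availability": "LOW"},
    {"info_type": "Program performance reports", "confidentiality": "LOW",
     "integrity": "MODERATE", "availability": "LOW"},
]


def parse_impact(raw, info_type, objective):
    """Turn a drop-down value into an Impact, rejecting blanks and typos."""
    key = (raw or "").strip().upper()
    if key not in Impact.__members__:
        raise ValueError(
            f"{info_type!r}: {objective} impact {raw!r} is not LOW, MODERATE or HIGH")
    return Impact[key]


def categorize(rows):
    """Return ({objective: Impact}, {objective: [info types at that level]})."""
    if not rows:
        raise ValueError("no information types to categorize")
    levels, drivers = {}, {}
    for objective in OBJECTIVES:
        parsed = [(parse_impact(row.get(objective), row["info_type"], objective),
                   row["info_type"]) for row in rows]
        top = max(level for level, _ in parsed)
        levels[objective] = top
        # Record which information types set the level, for reviewer sign-off.
        drivers[objective] = [name for level, name in parsed if level == top]
    return levels, drivers


def high_water_mark(levels):
    """Overall system categorization: the highest of the three objectives."""
    return max(levels[objective] for objective in OBJECTIVES)


def format_sc(levels):
    """Render the categorization in the notation used on this page."""
    inner = ", ".join(f"({o}, {levels[o].name})" for o in OBJECTIVES)
    return f"SC information system = {{{inner}}}"


if __name__ == "__main__":
    levels, drivers = categorize(SAMPLE_SHEET)
    hwm = high_water_mark(levels)
    print(format_sc(levels))
    print("High water mark:", hwm.name)
    print("Baseline control count:", BASELINE_CONTROL_COUNT[hwm])
    for objective in OBJECTIVES:
        print(f"{objective} driven by: {', '.join(drivers[objective])}")
```

A value outside LOW, MODERATE or HIGH (for example "Medium") raises an error naming the offending row instead of being silently ranked.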
For this project, the system categorization has already been provided by another team as
SC information system = {(confidentiality, LOW), (integrity, MODERATE), (availability, LOW)}
with the high water mark as MODERATE. You will use this information in the
subsequent steps to select the security controls.
Step 4: Select Security Controls
The third step in the RMF process is to select the set of NIST SP 800-53 controls to protect
the system based on risk assessment and categorization. Systems labeled as high-impact level
require more security controls than those labeled as moderate- or low-impact level.
This step also includes documenting the security controls selected. This not only includes
listing the controls in the system security plan (SSP) but also defining organization-defined
parameters such as frequency of collection of data, and updating policies and procedures as
well as selecting security controls that will be part of the continuous monitoring plan.
The document defining the details of all available security controls is the NIST SP-800-53
rev5.
An overview of the structure, type and organization is found in the fundamentals chapter of
NIST SP-800-53 rev5. This foundational chapter is critical in knowing how to select and
implement security controls. The grouping into families as shown in table 2 supports a logical
grouping of security controls by functionality and type.
Table 2. Families of Security Controls
ID    Family
AC    Access Control
AT    Awareness Training
AU    Audit and Accountability
CA    Assessment, Authorization, and Monitoring
CM    Configuration Management
CP    Contingency Planning
IA    Identification and Authentication
IR    Incident Response
MA    Maintenance
MP    Media Protection
PE    Physical and Environment Protection
PL    Planning
PM    Program Management
PS    Personnel Security
PT    PII Processing and Transparency
RA    Risk Assessment
SA    System and Services Acquisition
SC    System and Communications Protection
SI    System and Information Integrity
SR    Supply Chain Risk Management
Each family of security controls has dozens of controls and control enhancements along with
related controls. The concept of organization-defined parameters is important to understand.
These parameters need to be defined as part of this step and often require coordination with
other teams and members to validate the recommended values. The references for each
control help to align applicable laws, standards and policies.
The processing of Personally Identifiable Information (PII) may complicate some systems
where coordination is needed between privacy advocates, system administrators and security
analysts. Log and audit analysis requirements provide an example of this issue. What
information is logged needs to be sufficient to identify individuals but information that is used
to identify individuals is often considered PII. Therefore, auditing of logs needs to be strictly
controlled or perhaps even masked in certain cases.
Chapter 3 of NIST SP-800-53 Rev 5 is hundreds of pages in length as it lists and describes all
security and privacy controls and control enhancements. You should briefly review these
pages to understand the format, the organization, and the relationships among controls
within each family.
FIPS 200 provides guidance on the minimum security requirements for Federal Information
and Information Systems. Specific guidance for the selection of controls associated with each
impact level is provided:
- Low-impact – Employ appropriately tailored security controls from the low baseline of
  security controls defined in NIST Special Publication 800-53
- Moderate-impact – Employ appropriately tailored security controls from the moderate
  baseline of security controls defined in NIST Special Publication 800-53
- High-impact – Employ appropriately tailored security controls from the high baseline
  of security controls defined in NIST Special Publication 800-53 and must ensure that
  the minimum assurance requirements associated with the high baseline are satisfied.
Security baselines help us identify the specific security controls that need to be selected for
a given impact level. Since this system has been categorized as moderate, we can use
the baseline controls for the Security-Control-Baseline-Moderate to reduce the total number
of controls that need to be selected.
Source: NIST sp800-53 control-baselines.xlsx
Filtering the baseline controls spreadsheet reveals there are 149, 287, and 370 required controls
for the low, moderate and high baselines, respectively. The security control selection for a
low-impact is a subset of the moderate-impact security controls.
The number of security controls can quickly grow as additional applications, operating
systems and databases are added to the system. This includes the use of Security Technical
Implementation Guides (STIGs).
Step 5: Select the Moderate-impact Security Controls
For this step, you will select the moderate-impact security controls from the baseline
controls and add each control ID and name to section two of the reporting template.
You should also provide reasonable parameter “guesses” for the following security controls
that require organization-related parameters. You should conduct some research to make
reasonable approximations for these parameters, always keeping in mind security best
practices. The specific security controls that you should provide parameter values are shown
below in Table 4. Look for the key word: “Assignment” and fill in the appropriate parameter
value. Be sure to read the descriptions of the controls to help determine reasonable parameter
values.
Table 4. Security Control ID and organizational-controlled parameters to complete
Security Control ID    Organization-controlled Parameters

AT-1
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]
c. Review and update the current awareness and training:
1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].

AU-4
Control: Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements].
(1) AUDIT LOG STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE
Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging.

CA-3
a. Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreements; [Assignment: organization-defined type of agreement]];
c. Review and update the agreements [Assignment: organization-defined frequency].

CP-4
a. Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests]

IR-4
Control Enhancements:
(1) INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES
Support the incident handling process using [Assignment: organization-defined automated mechanisms].
(5) INCIDENT HANDLING | AUTOMATIC DISABLING OF SYSTEM
Implement a configurable capability to automatically disable the system if [Assignment: organization-defined security violations] are detected.
(11) INCIDENT HANDLING | INTEGRATED INCIDENT RESPONSE TEAM
Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in [Assignment: organization-defined time period]

PE-2
(2) PHYSICAL ACCESS AUTHORIZATIONS | TWO FORMS OF IDENTIFICATION
Require two forms of identification from the following forms of identification for visitor access to the facility where the system resides: [Assignment: organization-defined list of acceptable forms of identification].
(3) PHYSICAL ACCESS AUTHORIZATIONS | RESTRICT UNESCORTED ACCESS
Restrict unescorted access to the facility where the system resides to personnel with [Selection (one or more): security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; [Assignment: organization-defined physical access authorizations]].

PM-23
Control: Establish a Data Governance Body consisting of [Assignment: organization-defined roles] with [Assignment: organization-defined responsibilities]

Step 6: Implement Security Controls
In step 4 of the RMF process, the security controls are implemented and documented to
include updating security and privacy plans associated with the system and the organization.
Selecting and determining the organization-defined parameters are a precursor to this step.
For our specific use case, we would need to implement approximately 287 baseline security
controls as listed in the SP-800-53B control baselines. Clearly, we can’t implement all of
these controls in our available timeline. It is not unusual for this step to take several months to
complete. However, we can pick a few security controls and attempt to implement and
document the results.
Templates can be found at a number of sites including SANS and CIS. For your convenience,
several templates have been uploaded from the cissecurity site that can be used for
implementation. These can be found in this assignment itself. To use the templates, you will
need to modify the placeholder values typically found in red.
Here are some tips to help you replace those values:
- Entity – is typically the organization or system.
- Personnel or roles – are organization specific roles. You previously defined these. You
  just need to assign specific roles as appropriate.
- Needs, numbers, conditions and other details will typically be document specific. You
  may need to conduct some research on what might be the most appropriate value to
  enter. However, often the solution is simple. For example, for the following statement
  found in the Access Control Policy template, “Displays system use information [entity
  defined conditions], before granting further access.”, a possible replacement for
  “entity defined conditions” could be “upon initial login and”. This would yield the
  following policy statement: “Displays system use information upon initial login and
  before granting further access.”
Additional documentation related to specific policies and procedures that may be useful to
review includes NIST SP 800-34: Contingency Planning Guide for Federal Information
Systems, NIST SP 800-61: Computer Security Incident Handling Guide and NIST SP 800-128:
Guide for Security-Focused Configuration Management of Information Systems. Each of
these documents is rather lengthy, so they aren’t meant to be read in one sitting but are
useful for extracting just-in-time information to help support your security control
implementation related to contingency planning, incident handling and configuration
management.
Step 7: Implement Controls Assignment Submission
Instructions
Using the templates provided in this attachment, complete the policies and documents
for each of the following:
- Configuration Management Policy (CM-1)
- Maintenance Policy (MA-1)
- Acceptable Use Policy (PS-6)
- Contingency Planning Policy (CP-1)
- Identification and Authentication Policy (IA-1)
- Security Awareness Training Policy (PM-13)
Once complete, submit the completed templates as an upload for your instructor to review.
In section 3 describe the process associated with implementing and documenting security
controls. Estimate the timeline and number of people you might need to complete all 238
controls.
Submit the reporting template for grading and feedback from your instructor. Use
the Advanced Risk Management Report Template. Be sure to apply any feedback you
received from your professor related to section 2 in this submission as well. For this step, you
should have completed section 3, uploaded your policies, and updated previous sections as
appropriate.
Step 8: Assess Security Controls
In the Assess step of the RMF process, you determine if the controls are in place, operating as
intended, and producing the desired results. Implementation can be challenging, with different
interpretations of the specific details required to properly implement a control. This step
ensures the security controls are implemented correctly.
Assessment is always conducted by a third party outside or different from the group that
implemented the security controls. This provides an unbiased assessment. Documentation of
testing along with automation are key to the success of this step. Assessment involves going
through the details of each control to make sure it is fully implemented and implemented
correctly. For example, the end result of AC-1 is to create and document an access control
policy. To verify this, an external party will ask to see that policy and any supporting
guidelines for its development and confirm that it exists and meets those requirements. To
confirm AC-2 compliance, logs have to be provided showing that when a user account has
expired on a system, it has been disabled within the specified timeline. To validate
hundreds of security controls, a third party could take 1-4 months or more depending upon the
complexity of the system.
Step 9: Prepare an Assessment Methodology Document for AC Security
Controls
Instructions
For this exercise, you will use Assessment methods consisting of examination, interviewing
and testing procedures.
Security control assessment procedures specific to some of the AC controls have been
extracted for you to complete your assignment. You should list recommended assessment
methods and objects for the following security controls to complete this exercise.
- AC-1
- AC-2
- AC-3
- AC-4
- AC-5
- AC-6
Note, you will find recommended assessment methods and objects in the “Potential
Assessment Methods and Objects” section in the NIST 800-53Ar5 document.
You should complete a table with the specific details and selections you made for each
method as applicable. If your method includes a select from option (e.g., [SELECT FROM:
Organizational personnel with account management responsibilities; system/network
administrators; organizational personnel with information security
and privacy responsibilities].) you should select the role, document or other process so the
tester will know exactly what to do. You may need to assume that certain documents are
available for examination.
A representative table of your results is shown below.
Security Control    Examine    Interview    Test
AC-1
AC-2
AC-3
AC-4
AC-5
AC-6
Submit the reporting template for grading and feedback from your instructor. Use
the Advanced Risk Management Report Template. Be sure to apply any feedback you
received from your professor related to section 3 in this submission as well. For this step, you
should have completed section 4 and updated previous sections as appropriate.
Step 10: Authorize
In the authorize step, a senior official makes a risk-based decision to authorize the system (to
operate) based on the documents he/she has received to date. The documentation required is
substantial as it is required to determine if sufficient security controls are in place to approve
the system for operation for its intended use.
One of many documents required for this package is the system security plan (SSP).
An example template from FedRAMP for approval for a cloud-based application or system
shows the depth and breadth associated with just one document of a comprehensive package.
This example SSP template shows the level of detail and exactness expected in an ATO
package.
Once the authorizing official (AO) approves, the system is officially eligible to go live.
A sample ATO approval from FedRAMP shows the typical correspondence associated with
the approval.
However, the work is still not complete. A continuous monitoring plan must be implemented
and if you want your system to stay operational, you must begin preparing for the next ATO
as they only last a couple of years before expiration.
Step 11: Continuous Monitoring your System
This last step is one of the most important. Assuming you have done an excellent job of
selecting, implementing and assessing your security controls and you have a memo from your
AO authorizing your system to operate, you still have to update the policies, plans and
procedures and conduct regular vulnerability scans and other activities to keep up with an
ever-evolving threat landscape.
In this step you will maintain an ongoing situational awareness about the security and privacy
posture of the system and organization to support risk management decisions. Figure 4
illustrates the overall process in continuous monitoring that includes defining, establishing,
implementing, analyzing/reporting, responding and reviewing/updating a continuous
monitoring plan.
Figure 4. Source: Information Security Continuous Monitoring for Federal information
Systems and Organizations
Automation is critical in supporting a comprehensive continuous monitoring
plan. Technologies for automation of continuous monitoring include vulnerability
management, patch management, event management, incident management, malware
detection, asset management, configuration management, network management, license
management, information management, software assurance, certificate management,
password management and more.
Many security controls require some form of continuous monitoring. Consider the following
examples:
- RA-5a – Scan operating systems, web applications and databases monthly. All scan
  reports must be sent to the Reviewer monthly.
- SI-2C – Install security-relevant software and firmware updates within 30 days of the
  release of the updates.
- IA-5g – Change/refresh authenticators/passwords at least every 60 days.
- AC-22d – Review content on the publicly accessible system and look for non-public
  information.
- AU-6 – Review and analyze information system audit records for indications of
  inappropriate or unusual activity.
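How the time-based examples above (RA-5a, SI-2C, IA-5g) can be checked automatically, as an added example that is not part of the course material. The record layouts and the asset, update and account names are constructed, and "monthly" is assumed to mean at most 31 days between scans.

```python
"""Deadline checks for the RA-5a, SI-2C and IA-5g examples listed above."""
from datetime import date, timedelta

# Frequencies quoted in the list above. "Monthly" is treated as 31 days (assumption).
SCAN_MAX_AGE = timedelta(days=31)       # RA-5a: scan monthly
PATCH_WINDOW = timedelta(days=30)       # SI-2C: install within 30 days of release
ROTATION_MAX_AGE = timedelta(days=60)   # IA-5g: refresh at least every 60 days

# Constructed sample records; asset, update and account names are hypothetical.
SCANS = [
    {"asset": "web-app", "last_scan": date(2024, 5, 20)},
    {"asset": "db-01", "last_scan": date(2024, 3, 28)},
    {"asset": "os-image", "last_scan": None},  # never scanned
]
PATCHES = [
    {"asset": "web-app", "update": "UPD-A",
     "released": date(2024, 4, 1), "installed": date(2024, 4, 20)},
    {"asset": "db-01", "update": "UPD-B",
     "released": date(2024, 4, 10), "installed": date(2024, 5, 25)},
    {"asset": "os-image", "update": "UPD-C",
     "released": date(2024, 5, 15), "installed": None},
    {"asset": "web-app", "update": "UPD-D",
     "released": date(2024, 4, 15), "installed": None},
]
AUTHENTICATORS = [
    {"account": "admin", "last_changed": date(2024, 5, 1)},
    {"account": "svc-backup", "last_changed": date(2024, 3, 1)},
]


def check_scans(scans, as_of):
    """RA-5a: flag assets with no scan on record or a scan older than the limit."""
    findings = []
    for s in scans:
        if s["last_scan"] is None:
            findings.append(("RA-5a", s["asset"], "no scan on record"))
        elif as_of - s["last_scan"] > SCAN_MAX_AGE:
            age = (as_of - s["last_scan"]).days
            findings.append(("RA-5a", s["asset"], f"last scan {age} days ago"))
    return findings


def check_patches(patches, as_of):
    """SI-2C: flag updates that are overdue now or were installed after the window."""
    findings = []
    for p in patches:
        deadline = p["released"] + PATCH_WINDOW
        subject = f'{p["asset"]}/{p["update"]}'
        if p["installed"] is None:
            # A pending update is only a finding once its window has closed.
            if as_of > deadline:
                overdue = (as_of - deadline).days
                findings.append(("SI-2C", subject, f"not installed, {overdue} days overdue"))
        elif p["installed"] > deadline:
            late = (p["installed"] - deadline).days
            findings.append(("SI-2C", subject, f"installed {late} days late"))
    return findings


def check_authenticators(authenticators, as_of):
    """IA-5g: flag authenticators not changed within the rotation period."""
    findings = []
    for a in authenticators:
        age = as_of - a["last_changed"]
        if age > ROTATION_MAX_AGE:
            findings.append(("IA-5g", a["account"], f"last changed {age.days} days ago"))
    return findings


def assess(as_of):
    """Run all three checks over the sample records for a given review date."""
    return (check_scans(SCANS, as_of)
            + check_patches(PATCHES, as_of)
            + check_authenticators(AUTHENTICATORS, as_of))


if __name__ == "__main__":
    for control, subject, detail in assess(date(2024, 6, 1)):
        print(f"{control:6} {subject:18} {detail}")
```

The late-installed update is reported even though it is now in place, since an assessor reviewing the period would still count it against the 30-day requirement.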
Cybersecurity tools help in automating the continuous monitoring process. Consider this list
of tools to determine alignment with specific RMF tasks such as vulnerability scanning, virus
scanning, threat intelligence, security information and event management (SIEM) and other
functionality.
In the final step of this project, you will make recommendations for specific tools to help in
automating the continuous monitoring of your system.
Step 12: Finalize your Advanced Risk Assessment Report Template
For your final exercise, you need to review available literature from vendors and other
reviewers to select several tools to automate the continuous monitoring of your system. You
need to name and describe each tool's functionality, identify its key features and align it with
specific controls you previously selected. Table 5 shows a possible representation of your
results. Be sure to include the references you used to compile your results. You can select
more than one tool for each functionality. However, select no more than 10 tools total. You
should use the Functionalities as listed and complete the remaining columns.
Table 5. Automation Tools and alignment with Security Controls
Functionality    Tool name and description    Main features    Security Control
Vulnerability Scanning
Malware detection
Security Information and Event Management (SIEM)
Incident Management
Certificate Management (e.g. SSL)
Patch Management
Submit the reporting template for grading and feedback from your instructor by using the
Final Project Submission link following Step 16. For this step, you should have completed
section 5 and updated any previous sections as appropriate.