Splunk for Risk Management Framework
The term Risk Management Framework (RMF) can mean many things to many people. As the paper ‘Beyond Compliance —Addressing the Political, Cultural and Technical Dimensions of Applying the Risk Management Framework’ from MITRE Corporation points out it could mean a replacement of DIACAP within the DoD, it could mean a replacement to the C&A process or it could be an evolution from compliance to a more risk based approach.
In 2014, the Department of Defense (DoD) introduced the Risk Management Framework (RMF) to help federal agencies better manage the many risks associated with operating an information system. It is clear that a compliance-only oriented approach is not enough for a robust security posture, especially in the face of today’s threats. The core premise behind RMF is that systems carry an inherent risk based on many factors including criticality, sensitivity and the evolving threat landscape and preaches an approach where it is a continuous process than a one-time execution for accreditation.
The Risk Management Framework (RMF) is a paradigm shift for agencies from the traditional Certification and Accreditation (C&A). And change is not always seamless, and there are always challenges. The MITRE paper I referenced above goes into some analysis of other challenges and I would highly recommend it to people who want to take the time to understand a more holistic picture. Chief among them seems to be on how to get started and what exactly needs to be done. It can be a daunting proposition when there is a paradigm shift that affects every system within the organization.
The NIST SP800-37 publication offers guidance on RMF over a discrete set of 6 steps
- Categorize – your systems based on impact assessment which is detailed in the FIPS Publication 199
- Select – baseline controls that apply to the system tailoring guidance based on risk assessment
- Implement – apply the controls and document their deployment
- Assess – determine the control’s effectiveness and the extent to which they have been implemented correctly
- Authorize – determine risk and if acceptable, approve operation
- Monitor – continuously observe, track changes and reassess effectiveness
To help agencies that need to implement RMF get up and going, Splunk offers a cost effective, flexible and integrated solution that focuses on Stages (4) and (6). The Assess stage helps you ensure that you have implemented the controls correctly and it will be effective in ensuring your risk tolerance. If this stage is not instrumented properly then you would not be able to get through Stage 5 – Authorize. At the same time, when you have an organization with multiple systems assessments can get challenging.
Compared to prior compliance initiatives, RMF calls for continuous monitoring (Stage 6). The purpose of Monitor is to keep a tab on the effectiveness of the controls in managing risk as originally defined for that system under changing conditions. This step is best done in real-time and with automated monitoring tools.
Some of the specific ways Splunk helps you embrace RMF include:
- Continuous monitoring of security controls and their effectiveness
- Audit trail collection and reporting
- Help determine acceptability of security controls in terms of risk
- Enable assessment of implementation and effectiveness of controls
- Collect, retain, search, alert and report on logs from all assets and activities
With Splunk, federal agencies have better access to their data and can interpret it to ensure agency transparency. Additionally, audits are made much simpler with quick generation of reports and dashboards that offer an instant, real-time view into implementations and their effectiveness.
Learn more about how Splunk can help federal agencies ease the adoption of RMF. Of course, you can always give us a call!
Federal Security Strategist