- RMF
- The NIST Risk Management Framework — a 7-step process for managing system security and privacy risk (SP 800-37 Rev. 2).
- GRC
- Governance, Risk, and Compliance — directing the organization, managing its risk, and meeting its obligations.
- The 7 RMF steps
- Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor (mnemonic: PCSIAAM).
- Governance
- Setting direction and accountability through policy, oversight, and defined roles.
- Compliance
- Meeting legal, regulatory, and contractual obligations.
- Risk management
- Identifying, assessing, and treating risk to the organization's mission.
- Confidentiality
- Preserving authorized restrictions on access and disclosure of information.
- Integrity
- Guarding against improper modification or destruction; includes authenticity and non-repudiation.
- Availability
- Ensuring timely and reliable access to and use of information.
- Non-repudiation
- Assurance that a party cannot deny having taken an action; provided by signatures and logging.
- Policy hierarchy
- Policy → standard → procedure → guideline (only guidelines are optional).
- Policy
- A high-level management statement of intent and direction; mandatory.
- Standard
- A mandatory, specific requirement that supports a policy (e.g., 'use AES-256').
- Procedure
- Detailed step-by-step instructions for carrying out a task; mandatory.
- Guideline
- A recommended, discretionary best practice; not mandatory.
- Qualitative risk analysis
- Subjective ranking of risk as high, medium, or low; fast but not dollar-based.
- Quantitative risk analysis
- Objective, dollar-based risk analysis using SLE, ARO, and ALE.
- SLE
- Single Loss Expectancy = Asset Value × Exposure Factor (loss from one event).
- EF (Exposure Factor)
- The percentage of an asset's value lost if a specific risk event occurs.
- ARO
- Annualized Rate of Occurrence — the expected number of events per year.
- ALE
- Annualized Loss Expectancy = SLE × ARO (the expected yearly cost of a risk).
- Cost-justified control
- A control whose annual cost is less than the reduction in ALE it provides.
- Risk
- The likelihood a threat exploits a vulnerability, and the resulting impact on an asset.
- Threat
- Any potential event or actor that could harm an asset by exploiting a vulnerability.
- Vulnerability
- A weakness in a system, process, or control that a threat can exploit.
- Risk appetite
- The broad amount and type of risk an organization will accept to pursue value (strategic).
- Risk tolerance
- The level of risk variation an organization will accept in practice (operational).
- NIST CSF
- The NIST Cybersecurity Framework — a voluntary framework to manage and reduce cyber risk.
- ISO/IEC 27001
- The standard for an Information Security Management System (ISMS).
- ISO 31000
- The standard for enterprise/organizational risk management.
- COBIT
- A framework for IT governance aligned to business objectives.
- FedRAMP
- Standardized security authorization for cloud services used by U.S. federal agencies.
- PCI-DSS
- The Payment Card Industry Data Security Standard for protecting cardholder data.
- CMMC
- Cybersecurity Maturity Model Certification for the U.S. defense industrial base.
- FISMA
- The Federal Information Security Modernization Act — drives federal security requirements.
- HIPAA
- U.S. law protecting the privacy and security of health information.
- GDPR
- The EU General Data Protection Regulation governing personal-data processing.
- SDLC
- System Development Life Cycle — requirements, design, development, testing, operations, disposal.
- Information lifecycle
- How data is created, used, stored, retained, and disposed of by type.
- CGRC (formerly CAP)
- ISC2's Certified in Governance, Risk and Compliance — the renamed Certified Authorization Professional.
- Privacy (CGRC focus)
- Protecting personal information; woven throughout every domain of the 2024 outline.
- Authorization boundary
- Everything in a system for authorization: people, processes, hardware, software, data, and connections.
- System scope
- The documented name, purpose, functionality, and boundary of the system to be authorized.
- Information type
- A category of information (e.g., financial, medical) with its own impact level for each of C, I, and A.
- FIPS 199
- The standard for categorizing a system's potential impact (Low/Moderate/High) on C, I, and A.
- Categorize step
- RMF step 2: determine the system's impact level using FIPS 199.
- High-water mark
- The overall system category equals the HIGHEST impact across C, I, and A — never the average.
- Low impact
- A compromise would have a limited adverse effect on operations, assets, or individuals.
- Moderate impact
- A compromise would have a serious adverse effect.
- High impact
- A compromise would have a severe or catastrophic adverse effect.
- SP 800-60
- NIST guide that maps information types to provisional impact levels.
- DPIA
- Data Protection Impact Assessment — evaluates privacy risk of processing personal data.
- Security objective
- Confidentiality, integrity, or availability — each rated separately during categorization.
- CNSSI 1253
- The categorization standard used for National Security Systems.
- Boundary too broad
- Inflates cost and complexity and over-scopes the authorization.
- Boundary too narrow
- Leaves real risk unaddressed and outside the authorization.
- Impact analysis
- Assessing the potential harm to C, I, and A to set the system's category.
- Why scope matters
- Categorization drives which baseline applies, how much assurance is required, and what risk the AO accepts.
- Select step
- RMF step 3: choose and tailor the control set based on the system's categorization.
- Control selection flow
- FIPS 199 → FIPS 200 → pick the 800-53B baseline → tailor it.
- FIPS 200
- The standard for the minimum security requirements that correspond to an impact level.
- Control baseline
- A predefined Low/Moderate/High starting control set in SP 800-53B — a starting point, not a fixed minimum.
- SP 800-53B
- The NIST publication that defines the Low, Moderate, and High control baselines.
- SP 800-53 Rev. 5
- The catalog of security and privacy controls, organized into 20 control families.
- Control family
- A group of related controls (e.g., AC Access Control, AU Audit, SC System & Communications).
- Tailoring
- Adjusting a baseline: scoping, parameterizing, supplementing, overlays, and compensating controls.
- Scoping
- Removing controls from a baseline that genuinely do not apply to the system.
- Overlay
- A fully specified set of control adjustments tailored to a community, technology, or mission.
- Common control
- A control provided once at the organization level and inherited by many systems.
- Compensating control
- An alternative safeguard providing equivalent protection when the baseline control isn't feasible.
- Hybrid control
- A control implemented partly as a common control and partly as system-specific.
- Control inheritance
- When a system receives protection from controls developed and assessed by another entity.
- Privacy control
- A safeguard to ensure compliance with privacy requirements and manage privacy risk.
- Low baseline (~150)
- The control baseline for a low-impact system (about 150 controls).
- Moderate baseline (~300)
- The control baseline for a moderate-impact system (about 300 controls).
- High baseline (~390)
- The control baseline for a high-impact system (about 390 controls).
- 20 control families
- SP 800-53 Rev. 5 organizes its controls into 20 families (AC, AU, SC, IA, and so on).
- Baseline is a starting point
- The baseline is tailored, not adopted unchanged — it is not a mandatory minimum set.
- Implement step
- RMF step 4: deploy the selected controls and document HOW each is implemented.
- SSP
- System Security Plan — the master document describing the system and how every control is implemented.
- SSP owner
- The System Owner develops and maintains the System Security Plan.
- Implementation strategy
- The plan for resourcing, funding, timeline, and measuring control effectiveness.
- Management control
- A control implemented through policy, planning, and risk management (e.g., a risk assessment).
- Operational control
- A control executed by people and procedures (e.g., training, incident response).
- Technical control
- A control enforced by technology (e.g., encryption, access control, audit logging).
- Preventive control
- A control that stops an incident before it happens (e.g., access control, encryption).
- Detective control
- A control that identifies an incident in progress or after it occurs (e.g., logging, IDS).
- Corrective control
- A control that restores a system after an incident (e.g., backups, patching).
- Deterrent control
- A control that discourages a threat actor (e.g., warning banners, visible cameras).
- Documenting implementation
- Recording purpose, scope, and how each control is implemented in policies, procedures, and the SSP.
- Alternate control
- A substitute deployed when the prescribed control cannot be implemented as written.
- Implementation & compliance
- Controls must be implemented consistent with the organization's compliance obligations.
- Review/training frequency
- How often implemented controls, documentation, and training are reviewed and refreshed.
- SP 800-18
- NIST guide for developing System Security Plans (the SSP).
- Heaviest domain
- Implementation of Controls is the largest CGRC domain at 17% of the exam.
- Encryption (technical control)
- A technical control protecting confidentiality of data at rest and in transit.
- Security awareness training
- An operational control reducing human-error risk across the organization.
- Common control reuse
- Common controls are implemented once at the organization level and inherited; systems do not reimplement them.
- Assess step
- RMF step 5: determine whether controls are implemented correctly and working as intended.
- SCA
- Security Control Assessor — independently assesses and tests controls and writes the SAR.
- SCA independence
- The assessor must be independent of the System Owner to keep the assessment objective.
- SAP
- Security Assessment Plan — defines the scope, roles, evidence, and procedures for the assessment.
- Assessment methods
- Examine, Interview, Test (EIT) — defined in SP 800-53A.
- Examine
- Reviewing documents, policies, and configurations to assess a control.
- Interview
- Questioning the people who operate a control to assess it.
- Test
- Exercising a control to see how it behaves (e.g., a vulnerability scan or penetration test).
- SP 800-53A
- NIST guide for assessing security and privacy controls (the assessment procedures).
- SAR
- Security Assessment Report — the assessor's findings and recommendations.
- Satisfied (SAR)
- A SAR status meaning the control is implemented correctly and works as intended.
- Other-than-satisfied
- A SAR status meaning the control has a weakness or gap; it flows into the POA&M.
- Not applicable (SAR)
- A SAR status meaning the control does not apply to the system; document the justification.
- POA&M
- Plan of Action and Milestones — tracks unresolved weaknesses, owner, resources, and target dates.
- POA&M owner
- The System Owner owns and maintains the POA&M.
- Risk response
- How a risk is treated: avoid, accept, mitigate (reduce), or transfer/share.
- Risk avoidance
- Eliminating a risk by ceasing the activity that creates it.
- Risk mitigation
- Reducing risk to an acceptable level by implementing controls.
- Risk transfer/share
- Shifting the financial impact of a risk to a third party (e.g., insurance).
- Risk acceptance
- A documented, management-approved decision to tolerate a risk and its residual impact.
- Residual risk
- The risk that remains after controls are applied; the AO formally accepts it.
- Transfer ≠ accountability
- Transferring a risk's financial impact never transfers your accountability or liability.
- Penetration test
- An authorized, simulated attack that exploits weaknesses to show real impact.
- Vulnerability scan
- An automated check that finds known weaknesses without exploiting them.
- Final assessment report
- Documents final compliance per control: compliant, non-compliant, or not applicable.
- Authorize step
- RMF step 6: a senior official makes a risk-based decision to authorize the system.
- Authorization package
- The SSP, SAR, and POA&M submitted to the Authorizing Official for the decision.
- AO
- Authorizing Official — the senior official who accepts residual risk and signs the ATO.
- Only the AO authorizes
- The Authorizing Official is the only role that can authorize a system to operate.
- AODR
- AO Designated Representative — coordinates the process but cannot make or sign the decision.
- System Owner
- Responsible for the system; develops the SSP, owns the POA&M, submits the authorization package.
- ISSO
- Information System Security Officer — handles the day-to-day operational security of a system.
- ISSM
- Information System Security Manager — manages ISSOs, aggregates risk, advises the AO.
- ISSE
- Information System Security Engineer — builds security into the system's design.
- Common Control Provider
- Supplies the inherited common controls used across many systems.
- Information Owner
- Sets requirements for how its information is handled; involved in categorization.
- Risk Executive
- Provides an organization-wide risk perspective to keep system decisions consistent.
- SCA assesses, AO accepts
- The separation rule: the assessor evaluates controls; the AO accepts the risk.
- ATO
- Authorization to Operate — the AO's formal decision to operate and accept residual risk.
- ATO with conditions
- Authorization to operate provided specific weaknesses are remediated on a schedule.
- DATO
- Denial of Authorization to Operate — the risk is unacceptable; the system may not operate.
- IATT
- Interim Authority to Test — permits testing in an operational setting, NOT production operation.
- IATT ≠ ATO
- An IATT authorizes testing only; only an ATO authorizes production operation.
- Risk-based decision
- Authorization is a judgment about residual risk, never a purely technical pass/fail.
- Risk acceptance criteria
- The thresholds the AO uses to decide whether residual risk is acceptable.
- Stakeholder concurrence
- Agreement from relevant parties on the risk treatment before the compliance decision.
- Reciprocity
- Mutual agreement to accept another organization's assessments and security posture.
- 3PAO
- Third-Party Assessment Organization — independent assessor used in programs like FedRAMP.
- Monitor step
- RMF step 7: continuously monitor control effectiveness and risk after authorization.
- Continuous monitoring (ISCM)
- Ongoing awareness of security, vulnerabilities, and threats to keep risk decisions current.
- SP 800-137
- NIST guide for Information Security Continuous Monitoring (ISCM).
- Ongoing authorization
- Keeping authorization current through continuous monitoring, not periodic reauthorization.
- ISCM strategy
- Defines what to monitor, how often, and the metrics that trigger action.
- Change management
- The controlled process to evaluate, approve, implement, and track system changes.
- Security impact analysis
- Evaluating how a proposed change affects the security state before approval.
- CCB
- Change Control Board — approves, defers, or rejects proposed changes to a system.
- Rollback plan
- A documented way to reverse a change if it fails or harms security.
- Significant change
- A change large enough to trigger reassessment and possibly reauthorization.
- Decommissioning
- Securely retiring a system at end of life, including media sanitization and documentation.
- Media sanitization
- Removing data from media (clear, purge, or destroy) so it cannot be recovered.
- Ongoing assessment
- Re-checking control effectiveness over time as part of continuous monitoring.
- Monitor ≠ done
- Authorization is a lifecycle; continuous monitoring feeds ongoing authorization decisions.
- Configuration management
- Controlling and documenting the configuration of an authorized system (SP 800-128).
- Incident response (Monitor)
- Detecting, responding to, and learning from incidents during operations.
- Contingency planning
- Plans to keep or restore operations after a disruption (continuity and recovery).
- Evidence collection
- Gathering ongoing documentation and test results to demonstrate continued compliance.
- Revise monitoring strategy
- Updating the ISCM strategy as laws, regulations, or suppliers change.
- Baseline configuration
- An approved, documented set of system settings used as a reference for changes.