Practice RA.L3-3.11.4e Details
Source of Reference: The official CMMC Level 3 Assessment Guide from the Department of Defense Chief Information Officer (DoD CIO).
RA.L3-3.11.4E – SECURITY SOLUTION RATIONALE
SECURITY REQUIREMENT
Document or reference in the system security plan the security solution selected, the rationale for the security solution, and the risk determination.
ASSESSMENT OBJECTIVES [NIST SP 800-172A]
Determine if:
- [a] The system security plan documents or references the security solution selected;
- [b] The system security plan documents or references the rationale for the security solution; and
- [c] The system security plan documents or references the risk determination.
POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]
Examine
[SELECT FROM: system security plan; records of security plan reviews and updates; system design documentation; security planning policy; procedures addressing security plan development; procedures addressing security plan reviews and updates; enterprise architecture documentation; enterprise security architecture documentation; system interconnection security agreements and other information exchange agreements; other relevant documents or records].
Interview
[SELECT FROM: Organizational personnel responsible for information security; organizational personnel responsible for developing, implementing, or approving system interconnection and information exchange agreements; personnel managing the systems to which the Interconnection Security Agreement/Information Exchange Agreement applies; system developers; organizational personnel responsible for security planning and plan implementation; organizational personnel responsible for boundary protection; system developers; system/network administrators].
Test
[SELECT FROM: Organizational processes for security plan development, review, update, and approval].
DISCUSSION [NIST SP 800-172]
System security plans relate security requirements to a set of security controls and solutions. The plans describe how the controls and solutions meet the security requirements. For the enhanced security requirements selected when the APT is a concern, the security plan provides traceability between threat and risk assessments and the risk-based selection of a security solution, including discussion of relevant analyses of alternatives and rationale for key security-relevant architectural and design decisions. This level of detail is important as the threat changes, requiring reassessment of the risk and the basis for previous security decisions.
When incorporating external service providers into the system security plan, organizations state the type of service provided (e.g., software as a service, platform as a service), the point and type of connections (including ports and protocols), the nature and type of the information flows to and from the service provider, and the security controls implemented by the service provider. For safety critical systems, organizations document situations for which safety is the primary reason for not implementing a security solution (i.e., the solution is appropriate to address the threat but causes a safety concern).
[NIST SP 800-18] provides guidance on the development of system security plans.
FURTHER DISCUSSION
The System Security Plan (SSP) is a fundamental component of an organization’s security posture. When solutions for implementing a requirement have differing levels of capabilities associated with their implementation, it is essential that the plan specifically document the rationale for the selected solution and what was acquired for the implementation. This information allows the organization to monitor the environment for threat changes and identify which solutions may no longer be applicable. While not required, it may also be useful to document alternative solutions reviewed and differing levels of risk associated with each alternative, as that information may facilitate future analyses when the threat changes. In addition to the implementations required for Level 2 certification, which may not be risk based, at Level 3, the SSP must carefully document the link between the assessed threat and the risk-based selection of a security solution for the enhanced security requirements (i.e., all CMMC L3 requirements derived from NIST SP 800-172).
Example
You are responsible for information security in your organization. Following CMMC requirement RA.L3-3.11.1e – Threat Informed Risk Assessment, your team uses threat intelligence to complete a risk assessment and make a risk determination for all elements of your enterprise. Based on that view of risk, your team decides that requirement RA.L3-3.11.2e – Threat Hunting is a requirement that is very important in protecting your organization’s use of CUI, and you have determined the solution selected could potentially add risk. You want to detect an adversary as soon as possible when they breach the network before any CUI can be exfiltrated. However, there are multiple threat hunting solutions, and each solution has a different set of features that will provide different success rates in identifying IOCs.
As a result, some solutions increase the risk to the organization by being less capable in detecting and tracking an adversary in your networks. To reduce risk, you evaluate five threat hunting solutions and in each case determine the number of IOCs for which there is a monitoring mechanism. You pick the solution that is cost effective, easy to operate, and optimizes IOC detection for your enterprise; purchase, install, and train SOC personnel on its use; and document the risk-based analysis of alternatives in the SSP. In creating that documentation in the SSP, you follow the guidance found in NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems [a,b,c].
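As an added example that is not part of the CMMC guide, the analysis of alternatives above carried through in Python: candidates are ranked by the assessed IOC categories they leave unmonitored, then by ops burden and cost, and the result is emitted as an SSP record holding the solution selected, its rationale and the risk determination (objectives [a], [b], [c]). The product names, IOC categories and figures are constructed sample data.

```python
"""Risk-based analysis of alternatives for one security solution, recorded as an
SSP entry for objectives [a] solution selected, [b] rationale, [c] risk
determination. Added illustration, not from the CMMC guide; names and scores are constructed."""
from dataclasses import dataclass

# IOC categories the threat-informed risk assessment (RA.L3-3.11.1e) requires
# the threat-hunting capability to monitor (constructed).
REQUIRED_IOCS = frozenset({"c2-beacon", "lateral-movement", "credential-dump",
                           "dns-tunnel", "staged-exfil"})

@dataclass(frozen=True)
class Candidate:
    name: str             # hypothetical product name
    monitored: frozenset  # IOC categories it has a monitoring mechanism for
    annual_cost: int      # constructed figure
    ops_burden: int       # 1 (easy to operate) .. 5 (hard), analyst estimate

def uncovered(c: Candidate) -> list:
    """Required IOC categories this candidate cannot monitor: its added risk."""
    return sorted(REQUIRED_IOCS - c.monitored)

def rank(candidates: list) -> list:
    """Fewest uncovered IOCs first; ties broken by ops burden, then by cost."""
    return sorted(candidates,
                  key=lambda c: (len(uncovered(c)), c.ops_burden, c.annual_cost))

def ssp_entry(candidates: list, requirement: str = "RA.L3-3.11.2e") -> dict:
    """The SSP record that traces the risk assessment to the selected solution."""
    ordered = rank(candidates)
    chosen, gaps = ordered[0], uncovered(ordered[0])
    return {
        "requirement": requirement,
        "solution_selected": chosen.name,                               # [a]
        "rationale": (                                                  # [b]
            f"monitors {len(REQUIRED_IOCS) - len(gaps)} of {len(REQUIRED_IOCS)} "
            f"assessed IOC categories at ops burden {chosen.ops_burden} and "
            f"annual cost {chosen.annual_cost}; best of {len(ordered)} evaluated"),
        "risk_determination": {"uncovered_iocs": gaps,                  # [c]
                               "residual_risk": bool(gaps)},
        "alternatives_considered": [
            {"name": c.name, "uncovered_iocs": uncovered(c),
             "annual_cost": c.annual_cost} for c in ordered[1:]],
    }

# Constructed candidates: A and B see the same IOCs, but B is cheaper and simpler.
CANDIDATES = [
    Candidate("HuntKit-A", REQUIRED_IOCS - {"dns-tunnel"}, 90_000, 4),
    Candidate("HuntKit-B", REQUIRED_IOCS - {"dns-tunnel"}, 40_000, 2),
    Candidate("HuntKit-C", frozenset({"c2-beacon", "credential-dump"}), 15_000, 1),
]
```

Because the chosen candidate still leaves one assessed IOC category unmonitored, the record flags residual risk rather than silently accepting it, which is the detail a later threat change will need to revisit.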
Potential Assessment Considerations
- Has the organization completed a risk assessment and made a risk determination for enterprise components that need to be protected [c]?
- Can the organization identify what is being protected and explain why specific protection solutions were selected [a,b]?
- Have all the decisions been documented in the SSP [a,b,c]?
KEY REFERENCES
- NIST SP 800-172 3.11.4e