With the second revision of the NIST SP 800-37 Risk Management Framework, the new security and privacy controls in NIST SP 800-53 Revision 5, and the new assessment procedures in NIST SP 800-53A Revision 5, it was time to update the Archer Public Sector solution to incorporate the changes from all of these NIST special publications. While revamping the Public Sector solution to align with those changes, we took the opportunity to incorporate some best practices, address existing gaps in the solution, and make it easier to use.
Of the three use cases in the Public Sector solution, the changes in the NIST RMF affected the Assessment & Authorization use case the most. Public Sector Release 6.11 is a complete overhaul of the Assessment & Authorization use case, with modifications to the user interface, advanced workflow and control evaluation, and new applications to support E-Authentication, Control Implementation and Cloud Services. The Plan of Action & Milestone use case was also updated to include a Findings application. There were no changes to the Continuous Monitoring use case. More details follow:
The NIST SP 800-53 Revision 5 security and privacy controls will be available in the Control Catalog application alongside the NIST SP 800-53 Revision 4 control set. Assessment procedures from NIST SP 800-53A Revision 5 will be available in the Assessment Objectives Library. NIST Rev 5 controls are not available for the FedRAMP, CNSS and ICS methodologies, as those programs had not released their Rev 5 control sets by the time the use case was being updated; as soon as those control sets are published, we will add them to the solution in a release.
Assessment & Authorization Use Case Modifications:
One of the key changes to the RMF was the addition of a Prepare step to achieve an efficient and effective security and privacy risk management process. This is added as Step 0 in the Assessment & Authorization application, enabling system owners to document the essential activities to be performed at the beginning of the risk management process, i.e. identifying stakeholders, defining the boundary, determining information types, documenting requirements and registering the system. The remaining RMF tasks, Categorize, Select, Implement, Assess, Authorize and Monitor, have been broken down into Step 1 through Step 7 in the application to provide a clean, structured approach to executing the risk management process. The user interface was redesigned to simplify the application and make it more intuitive for end users.
Along with the interface changes, the application's advanced workflow was also modified. Movement between the different steps of the framework has been made more flexible. Unlike the previous version, the system now allows users to move forward and backward in the workflow at any point in the lifecycle without restrictions, although movement between steps remains sequential.
The Assessment & Authorization use case will house the following new applications to enable better management and utilization of the information stored in the system:
Digital Identities: This application was introduced in Public Sector Release 6.11 to support the NIST SP 800-63 Revision 3 guidelines for digital identity. The E-Authentication section of the previous version of the use case is replaced by the Digital Identities application to incorporate the new guidelines.
Control Implementation: This application was introduced to enable control implementation to be recorded for individual parts of a system. This is one of the best practices for providing more granularity and better accountability for control implementation.
Cloud Services: This application was introduced in the Enterprise Infrastructure solution area to document the cloud service providers and offerings leveraged by information systems.
Release 6.11 also provides the option to use the Policies, Authoritative Sources and Risk Project applications within the Public Sector solution. Organizations will need licenses for the corresponding use cases to leverage these applications in the Public Sector solution. Organizations with existing licenses will see cross-references to these applications in Step 0 of the Assessment & Authorization use case. This was done so that organizations can carry out in Archer some of the activities they had been doing offline.
Improved Control Evaluation:
Control implementation and assessment can now be performed at the sub-system level within the Assessment & Authorization use case for controls maintained at the information system level. Assessors no longer need to open each control individually to provide implementation and assessment details, which was a time-consuming activity in the previous version. Assessment results roll up from sub-systems to the authorization package to provide the overall assessment status of the controls. The inheritance functionality was modified to flag organization-wide controls and allow them to be inherited by other authorization packages within the organization.
Findings & Findings Folder Applications:
The Plan of Action & Milestone application allows a plan of action to be managed centrally and its costs and milestones tracked. Before such plans are created to remediate issues, however, organizations need to log observations and triage them to identify the issues, which was not possible in the previous version of the solution. This is now addressed by the addition of a Findings application to the POA&M use case: observations can be logged in the Findings application, which acts as a placeholder during the triage process, and tracked until the POA&Ms are finalized and created. Similar findings can also be grouped together in the Findings Folder application.
Along with the updates to use cases and applications, the mail merge templates for NIST and FedRAMP have been updated to align with the changes in the Risk Management Framework. New charts and reports, such as Sankey diagrams and metric cards, have been introduced to enhance control monitoring capabilities.
We look forward to hearing your feedback about these updates and any additional capabilities you would like us to consider for future updates in the Public Sector solution.