Talk:Industry:Project Review/NIST SP 800-37r1 FPD Chapter 1

CHAPTER ONE

INTRODUCTION

Lines which reads: "Information systems can include a range of diverse computing platforms from high-end supercomputers to personal digital assistants and cellular telephones. Information systems can also include very specialized systems and devices (e.g., telecommunications systems, industrial/process control systems, testing and calibration devices, weapons systems, command and control systems, and environmental control systems)." The phrasing here doesn't clearly indicate that these are not systems in and of themselves. Given widespread confusion regarding how to determine boundaries every effort should be made to prevent any confusion on this matter. Recommend sentences begin with a phrase like, "Information systems can include as constituent elements ..." Dan Philpott 04:26, 16 December 2009 (UTC)


 * Is it really necessary to spell this out for readers of the document? Shouldn't we expect them to be able to ascertain what we meant from what we said? Dan Philpott 04:26, 16 December 2009 (UTC)


 * No, assuming that a reader starting at the beginning isn't going to have their understandings colored by a misinterpretation here depends on an expectation that is unlikely to be met. Dan Philpott 04:26, 16 December 2009 (UTC)

1.1 BACKGROUND
Bullet point which reads: "Promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes;". The continuous monitoring described later in this document does not rise to the level of a robust continuous monitoring process which can support real-time risk management. Additional technical detail in support of continuous monitoring for real-time risk management needs to be included to support this concept later in this document. Dan Philpott 04:26, 16 December 2009 (UTC)

Line which reads: "... changes the traditional focus from the stove-pipe, organization-centric, static-based approaches to C&A ..." C&A was previously very system-centric and lacked the organization-centric functions of the new Risk Management Hierarchy. The adjective fest here seems a little out of place. It might be more accurate to describe C&A as a static, procedural activity which provided inadequate guidance to support ongoing risk based decisions. Recommend dropping dramatic flourishes and have a simple statement that RMF moves the process of FISMA compliance away from a procedural, documentation of C&A focus to a process focused on risk management that leads to FISMA compliance. Dan Philpott 04:26, 16 December 2009 (UTC)

1.2 PURPOSE AND APPLICABILITY
Bullet point which reads: "To ensure that managing risk from the operation and use of federal information systems is consistent with the organization's mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function);" The concept of mission/business objectives is not well defined in the RMF or SP's 800-30, 800-37 or 800-39. Recommend that as this mission/business objective concept is central to understanding the risk posed from a failure in the security objectives for a system a clear process for establishing the mission/business objectives for an organization in the context of information systems security should be described as part of the risk strategy established by senior leadership. Dan Philpott 04:26, 16 December 2009 (UTC)

Bullet point which reads: "To support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results; and". The focus on security authorization decision deemphasizes awareness of and acceptance of risk. Speaking to the authorization decision emphasizes the process. Speaking to awareness of and acceptance of risk in consideration of whether to grant a security authorization emphasizes the management of risk. Recommend that as RMF is trying to place the emphasis on risk management and away from the empty process of making a decision this should be reworded to emphasize awareness of and acceptance of risk and relate the authorization decision only as a consequent of this awareness and acceptance. Dan Philpott 04:26, 16 December 2009 (UTC)