The first step in the six step risk management framework (RMF) process is categorizing your system. The first step in categorizing your system is establishing the system boundary. The boundaries of your system and how you categorize it will drive your risk management strategy. Your risk management strategy in turn defines your ongoing risk posture assessment, continuous monitoring program, the critical elements of successful use of RMF. Choose your boundary carefully.
Flexibility To Optimize Your Boundaries
Program managers, solutions architects, security engineers, risk management executives and authorizing officials have a great deal of flexibility in defining what constitutes an information system. This is a opportunity to optimize system boundaries to maximize the effectiveness of risk-based cybersecurity. Selecting reasonable system boundaries avoids systems that are overly complex and difficult to defend or having too many systems that require their own system security plans, plans of action and milestones (POAMs), continuous monitoring plans, reporting and dashboards, and risk assessments. Selecting system boundaries requires careful analysis of the complexity of the physical system, the data it stores and moves around, the end-points that allow humans and other systems to interact with it, and the people and organizations that use, maintain, and protect it.
The process of establishing boundaries for information systems and the associated security implications is an agency-level activity that should include discussion and careful negotiation among all key participants—taking into account the mission/business requirements of the agency, the technical considerations with respect to information security, and the programmatic costs to the agency. Stakeholders need to agree and know the system boundaries at the beginning of the RMF process so that everyone shares the same understanding of where a system begins and ends and who is responsible for what..
The system boundary is the security perimeter of what you are protecting. The system boundary defines what you will be present in your security plan, the controls you select and the controls you inherit, the monitoring technology you acquire, the scope of what your independent assessors will test and assess, and what you will be continuously monitoring to determine your risk posture. The system boundary defines what you will be protecting from threats and emerging vulnerabilities. Choose your boundary carefully.
The System Boundary in Two Parts
There are two important and integrated parts of a system boundary — the system boundary and the authorization boundary. Here is a look at both.
The System Boundary
At the simplest level, the system boundary covers all the components of an information system. Defining the boundary is the process of uniquely assigning information resources to an information system.
Identify all of the technical assets that the system is comprised of:
- Hardware and firmware devices included within the information system;
- System and applications software resident on the information system;
- Hardware, software, and system interfaces (internal and external);
- Subsystems (static and dynamic) associated with the information system;
- Information flows and paths (including inputs and outputs) within the information system;
- Cross domain devices/requirements;
- Network connection rules for communicating with external information systems;
- Interconnected information systems and identifiers for those systems;
- Encryption techniques used for information processing, transmission, and storage; and,
- Cryptographic key management information (public key infrastructures, certificate authorities, etc.).
Once the digital assets are defined you need to broaden the definition to include other information and related resources — personnel, contractors, equipment, funds to manage and maintain the system. Include the assets you use to backup your system and store its data archive. Define who will use your system, what supporting equipment do you need to operate your system and where will the funds come from to pay for the system.
The Authorization Boundary
Next define the boundary of the information system that the Authorizing Authority will approve during the Authority to Operate (ATO) process. The authorization boundary is the boundary where the authorizing official (AO) has management control.
Management control involves budgetary, programmatic, or operational authority and associated responsibility. Information resources identified as within the information system boundary should be under the same management control. For new information systems, management control can be interpreted as having budgetary/programmatic authority and responsibility for the development and deployment of the information systems. For existing systems information systems management control means having budgetary/operational authority for the day-to-day operations and maintenance of the information system.
Make sure that what you are defining within your system boundary is what you will be asking your Authorizing Official (AO) will be approving and what the AO has authority to approve. Look back at your technical definition and make sure you have all of the components and data and that all of the potential participants in the process are identified. The stakeholders and the roles they perform with respect to your system is part of the system boundary. Having this information as part of the boundary definition will help you identify who has management control over the information system. It will also help identify any special conditions that may need to be incorporated in the system decision package that will impact the on-going authority to operate (ATO). Determining the authorization boundary early in the process will ensure the participation of the right stakeholders throughout the system development life cycle.
Together the technical system information and the authorization boundary information form the system boundary for your system. Having a well defined system boundary when building a risk management-based cybersecurity strategy is an important first step.
Want to learn more about RMF and cFocus Software’s Authority to Operate as a Service? Contact us.