ISC(2) CAP: RMF Roles & Responsibilities
Security Control Assessor
- Conduct SSP Assessments - Conduct Control Assessments - Provide Assessment of Deficiencies (findings) - Recommend Corrective Action - Prepare Security Assessment Report (SAR) - Independence of these people lead to: (i) Unbiased Assessment Processes (ii) Objective Information for Risk Determination
Authorizing Official Designated Representative
- Assists the Authorizing Official (AO) - Can NOT grant an ATO
Information Owner/Steward
- Authority for Specified Information - May or May not be the same as System Owner - Provide Input to Information System Owners - Rules of Behavior - Single System May Contain Information from Multiple Information Owners/Stewards
Senior Information Security Officer (aka CISO)
- Carries out the CIO FISMA Responsibilities - Primary Liaison for CIO to Organization's Senior Officials - Possesses Professional Qualifications - Heads Office that Conducts FISMA Reporting
Chief Information Officer (CIO)
- Designating SISO (aka CISO) - Information Security Policies - Ensuring Adequately Trained Personnel - Assisting Senior Officials with their Security Responsibilities - Appropriate Allocation of Resources - FISMA Reporting
Common Control Provider
- Documenting Common Controls - Validating Required Control Assessments - Documenting Assessment Findings in SAR - Producing POAMs
Information System Security Officer (ISSO)
- Ensures Appropriate Security Posture - Principal Advisor - Day-to-Day Security Operations - incluidng: (i) Environmental; (ii) Physical; (iii) Personnel; (iv) Incident Handling; (v) Training and Awareness - Policies and Procedures - Active System Monitoring
Risk Executive (Function)
- Ensures Risk-related Considerations are Organization-wide - Consistent Across Organization - Coordinates with Senior Leadership to: (i) Provide Comprehensive Approach; (ii) Develop a Risk Management Strategy; (iii) Facilitate Sharing of Risk Information; (iv) Provides Oversight; and (v) Provide Forum to Consider All Risk Sources
Information System Owner
- Focal point for Information System (IS) - Responsible for IS throughout the SDLC - Addressing the operational interests of user community - Ensuring Compliance with Information Security Requirements - SSP development and maintenance - Deciding who has access to the system - Works with Assessor to Remediate Deficiencies (findings) - aka "Program Manger"
Authorizing Official (AO)
- Formally Assumes Responsibility for system - Budgetary Oversight - Accountable for Security Risks - Senior Management Position - Approve Security Plans (SSP) and Plan of Actions and Milestones (POAMs) - Information System May Involve Multiple of these people - Authorizing Official Designated Representative - The only person that can grant an ATO
Head of Agency (Chief Executive Officer)
- Highest-level Senior Official - Overall Responsibility: Information & Information Systems - Security Integrated with Strategic and operational Processes - Sufficiently Trained Personnel - Establishes Appropriate Accountability - Provides Active Support - Oversight of Monitoring
Information System Security Engineer (ISSE)
- Part of the Development Team - Employ Security Control Best Practices - Coordinate Security-related Activities Also responsible for: a process that captures and refines information security requirements and ensures that the requirements are effectively integrated into information technology component products and information system through purposeful security architecting, design, development, and configuration
Information Security Architect
- Security Requirements Adequately Addressed in Enterprise Architecture: (i) Reference Models; (ii) Segment and Solution Architectures; (iii) Resulting Information System. - Liaison between the Enterprise Architect and Information System Security Engineer - Advisor to Senior Officials on: (i) System Boundaries; (ii) Assessing Severity of Deficiencies (findings); (iii) POAMs; (iv) Risk Mitigation Approaches; (v) Security Alerts