In this four part podcast series, CSIAC subject matter experts (SMEs) conduct a roundtable discussion of the first step of the Risk Management Framework (RMF) process, Categorization, focused specifically on Industrial Control Systems (ICS). The main objective of the categorization phase is to project the potential negative effects upon an organization should certain assets become compromised. This would include the CIA Triad – Confidentiality, Integrity and Availability (CIA) – involving the systems within an enterprise and the associated data those systems may process, store or transmit. Based upon the assessment of the possible risks, certain processes or tasks may be employed to mitigate the potential adverse impacts.
In part four of the RMF Categorization podcast series, the SMEs discuss the various roles and responsibilities as well as the operating environment. Any individual that interacts with a system has a certain role or responsibility in the implementation of the system security program. These roles and responsibilities are propagated across three tiers: 1) the organization, 2) mission/business processes and 3) information systems. The operating environment consists of the system authorization boundary as well as all external entities interacting with the system information types. The operating environment should result in a specific implementation of prescribed security requirements and provide a measurement of a security program’s effectiveness.
CAC/PIV holders can watch or download the podcast here: https://www.dodtechipedia.mil/dodwiki/download/attachments/600342610/2020-02-csiac-podcast-risk-management-framework-rmf-categorization-part-4.mp4