Connuous Monitoring
Student Guide
May 2024
Center for Development of Security Excellence
May 2024 Center for Development of Security Excellence 1
Lesson 1: Course Introducon
Introduction
Welcome
Objectives
•
•
() -
•
•
•
May 2024 Center for Development of Security Excellence 2
Lesson 2: Risk Management
Introduction
Objectives
S
--
•
o
o
o
o
o
NISP Overview
National Industrial Security Program
S
May 2024 Center for Development of Security Excellence 3
Government and Industry Roles
Security Policy and Guidance for Continuous Monitoring
D
NISPOM Rule
:
•
•
•
• 117.18(a)(1)
-
-
• 117.18(b)(6)
-
• 117.18(c)(2)
• 117.18(c)(3)
May 2024 Center for Development of Security Excellence 4
• 117.18(c)(4)
• 117.18(d)(e)
NIST
• -
• -
• --
• -
May 2024 Center for Development of Security Excellence
-2
•
• -
-
•
o
o
o
-
-
•
-
•
May 2024 Center for Development of Security Excellence
DOD Policy and Guidance
DOD
D
O
•
D
•
D
• -
D
•
D
• D
-
•
•
May 2024 Center for Development of Security Excellence
Review Activities
Review Activity 1
Select all that apply. Then check your answers in the Answer Key at the end of this Student Guide.
Review Activity 2
Indicate the policy guidance to which the descripon applies. For each statement, select the best
response. Check your answer in the Answer Key at the end of this Student Guide.
D
D
) -
D
May 2024 Center for Development of Security Excellence
Risk Management Framework (RMF) Overview
Risk and Risk Assessment
-
RMF Purpose and Benefits
- --
;
RMF Benefits
-
-—
-
May 2024 Center for Development of Security Excellence
RMF 3-Tiered Approach
-
-
-
--
RMF 7-Step Process
:
•
•
•
•
•
•
•
Review Activity
Review Activity 3
Select all that apply. Then check your answers in the Answer Key at the end of this Student Guide.
-
May 2024 Center for Development of Security Excellence 10
Risk Management Roles and Responsibilities
Roles and Responsibilities Overview
CIO
o
• -
•
•
•
•
Senior Agency Information Security Officer
a
May 2024 Center for Development of Security Excellence 11
Risk Executive (Function)
-
-
Principal Authorizing Officials (PAOs)
•
•
•
• )
•
DOD Component Chief Information Officer (CIO)
•
•
•
•
May 2024 Center for Development of Security Excellence 12
DOD Component Senior Information Security Officer SISO
•
•
•
AO
•
• -
•
•
•
•
• authorizaon
•
•
•
•
AODR
•
May 2024 Center for Development of Security Excellence 13
• on --
ISO
•
•
•
•
•
System User
-
ISSM
• -
•
• --
May 2024 Center for Development of Security Excellence 14
• )
•
•
•
•
•
• -
•
ISSO
•
•
-
•
•
-
May 2024 Center for Development of Security Excellence
• -
Review Activity
Review Activity 4
Indicate the er to which the acvity descripon applies. For each statement, select the best
response. Check your answer in the Answer Key at the end of this Student Guide.
-
May 2024 Center for Development of Security Excellence
Lesson 3: Connuous Monitoring Strategy and Tasks
Introduction
Objectives
-
• -
• -
•
Information System Continuous Monitoring Overview
What is ISCM?
n -
-
ISCM Strategy
-
-
May 2024 Center for Development of Security Excellence
SSP -
-
ISCM – Three-Tiered Approach
-
--
TIER 1 Organization
-
-
TIER 2 Mission/Business Processes
-
May 2024 Center for Development of Security Excellence
•
•
• -
TIER 3 Information Systems
• -
o
o
o
o
•
o
–
–
–
• -
May 2024 Center for Development of Security Excellence
ISCM Processes
-
-
Review Activity
Review Activity 1
Idenfy the er that each ISCM strategy statement supports. Select the best response. Check your
answer in the Answer Key at the end of this Student Guide.
-
-
May 2024 Center for Development of Security Excellence 20
Continuous Monitoring Process and Major Tasks
Continuous Monitoring Process Steps
--
--
-
-
Risk Tolerance
-
May 2024 Center for Development of Security Excellence 21
•
•
•
•
•
•
•
•
ISCM Strategy – Tier 1/Tier 2 Inputs and Outputs
-
-
Available Tools
•
•
•
• -
-
May 2024 Center for Development of Security Excellence 22
•
ISCM Strategy – Tier 3 Inputs and Outputs
-
-
-
-
-
-
-
-
ISCM Program Assessment
-
-
-
May 2024 Center for Development of Security Excellence 23
Review Activity
Review Activity 2
Idenfy the step each statement describes. Select the best response. Check your answer in the
Answer Key at the end of this Student Guide.
-
-
May 2024 Center for Development of Security Excellence 24
--
May 2024 Center for Development of Security Excellence
Lesson 4: Security Configuraon Management
Introduction
Objectives
•
o -
o
o
o -
Why Configuration Management Is Needed
Configuration Management Overview
IS Changes
May 2024 Center for Development of Security Excellence
-
--
-
Review Activity
Review Activity 1
-
Select all that apply. Then check your answers in the Answer Key at the end of this Student Guide.
Four Phases of Security Configuration Management
What is SecCM?
-
•
•
•
•
Planning
May 2024 Center for Development of Security Excellence
•
•
:
o
E
o
o
C
o
o
U
o
o M
()
Identifying and Implementing Configurations
Controlling Configuration Changes
May 2024 Center for Development of Security Excellence
•
•
•
•
•
Monitoring
CM Policies and Procedures
P
May 2024 Center for Development of Security Excellence
Review Activity
Review Activity 2
Idenfy the SecCM phase for each acvity descripon. Select the best response. Check your answer in
the Answer Key at the end of this Student Guide.
May 2024 Center for Development of Security Excellence 30
Configuration Management Controls
CM Controls for Continuous Monitoring
-
• CM-
• CM-
• CM-
• CM-
• CM-
• CM-
• CM-
• CM-
• CM-
• CM-
• CM--
• CM-
• CM-
• CM-
CM-1 Policy and Procedures
•
•
•
•
•
May 2024 Center for Development of Security Excellence 31
•
•
CM-2 Baseline Configuration
-
•
•
o
o
o
o
o
CM-3 Configuration Change Control
——
May 2024 Center for Development of Security Excellence 32
CM-4 Impact Analyses
•
•
•
CM-5 Access Restrictions for Change
•
•
•
•
CM-6 Configuration Settings
-
•
•
•
•
•
May 2024 Center for Development of Security Excellence 33
-
CM-7 Least Functionality
-
•
•
- -
CM-8 Information System Component Inventory
•
o
o
o
o
o -
•
May 2024 Center for Development of Security Excellence 34
:
•
•
•
CM-9 Configuration Management Plan (CMP)
•
•
•
• -
•
•
•
CM-10 Software Usage Restrictions
•
•
May 2024 Center for Development of Security Excellence
• --
-
CM-10(1): -
-
-
CM-11 User-Installed Software
-
--
•
•
•
CM-12 Information Location
• -
•
•
May 2024 Center for Development of Security Excellence
CM-13 Data Action Mapping
CM-14 Signed Components
-
Review Activity
Review Activity 3
For each queson, select the best response. Check your answer in the Answer Key at the end of this
Student Guide.
-
2
--
-
May 2024 Center for Development of Security Excellence
-
-
Patch Management
Why Do We Need Patches?
A
Patch Management and SecCM
:
May 2024 Center for Development of Security Excellence
Review Activity
Review Activity 4
Select the best response. Check your answer in the Answer Key at the end of this Student Guide.
May 2024 Center for Development of Security Excellence
Lesson 5: Auding and Log Reviews
Introduction
Objectives
-
•
o
o
o
Audit Capability
What Is Security Auditing?
-
-
-
Audits – Operational Resilience
-
May 2024 Center for Development of Security Excellence 40
:
Operational Resilience
-
-
Audits Requirements in the NISPOM Rule
-
-
May 2024 Center for Development of Security Excellence 41
Audit Log Information
•
•
•
•
•
•
Event Logs
-
Note:
Application (Program) Events
May 2024 Center for Development of Security Excellence 42
Security-Related Events
Setup Events
System Events
Forwarded Events
Security-Relevant Objects
-
-
-
-
—
-
U C
R
May 2024 Center for Development of Security Excellence 43
Review Activity
Review Activity 1
Select all that apply. Then check your answers in the Answer Key at the end of this Student Guide.
-on
-
-
Locating the Event Logs – A Practical Exercise
Practical Exercise Overview
11
11:
D-
May 2024 Center for Development of Security Excellence 44
Review Activity 2
Select the best response. Check your answer in the Answer Key at the end of this Student Guide.
Interpreting Audit Logs
Audit Trail Analysis
-
(SSP)
Audit Codes
-
• -
• -
• -
• -
• -
• -
May 2024 Center for Development of Security Excellence
Review Activity
Review Activity 3
Select all that apply. Then check your answers in the Answer Key at the end of this Student Guide.
-
May 2024 Center for Development of Security Excellence
Lesson 6: Counterintelligence and Cybersecurity in Connuous
Monitoring
Introduction
Objectives
by
•
o
o
o
Why Multiple Security Disciplines Are Needed
Hardening the DOD Information Enterprise
May 2024 Center for Development of Security Excellence
What Threats and Vulnerabilities Does CM Detect?
DCSA
-
-
Vulnerabilities and Threats to Investigate
•
•
•
•
•
•
• -
•
•
•
•
•
May 2024 Center for Development of Security Excellence
Trends – Suspicious Network Activity
– – C
Review Activities
Review Activity 1
Select all that apply. Then check your answers in the Answer Key at the end of this Student Guide.
Review Activity 2
Select all that apply. Then check your answers in the Answer Key at the end of this Student Guide.
-
May 2024 Center for Development of Security Excellence
Recognizing Possible Insider Threat Activities
What Does CM Disclose?
Cybersecurity Reciprocity
-
-
--
May 2024 Center for Development of Security Excellence
-
Implementing Information Systems Security Aspects of Configuration
Management
---
-
•
•
•
•
•
•
•
•
• ()
•
Implement Endpoint Protection Platforms (EPPs)
• -
•
• -
•
Use Cryptography
•
• - -
May 2024 Center for Development of Security Excellence
Review Activity
Review Activity 3
Select all that apply. Then check your answers in the Answer Key at the end of this Student Guide.
-
-
May 2024 Center for Development of Security Excellence
Lesson 7: Course Conclusion
Course Conclusion
Course Summary
-
-
Lesson Review
•
•
•
•
•
•
•
Course Objectives
Connuous Monitoring
•
•
() -
•
•
May 2024 Center for Development of Security Excellence
•
Connuous Monitoring
May 2024 Center for Development of Security Excellence A-1
Appendix A: Answer Key
Lesson 2 Review Activities
Review Activity 1
Feedback: The important roles of the NISP in connuous monitoring include ensuring cleared
industry safeguards classified informaon and informaon systems; protecng crical assets; and
thwarng foreign adversaries and insider threats.
Review Activity 2
Feedback: The NISPOM Rule implements policy, assigns responsibilies, establishes requirements,
and provides procedures for the protecon of classified informaon that is disclosed to, or developed
by, contractors of the U.S. Government.
Feedback: DOD Policy and Guidance calls for a mul-ered cybersecurity risk management process
capable of connuous monitoring for insider and foreign adversary threats and vulnerabilies.
May 2024 Center for Development of Security Excellence A-2
) -
Feedback: The NIST publicaons provide guidelines for applying the Risk Management Framework
and the development and implementaon of an ISCM program that migates the threats and
vulnerabilies to informaon systems.
Review Activity 3
-
Feedback: The RMF supports risk management by providing a process that ensures traceability and
transparency across all levels of the organizaon and emphasizes connuous monitoring and mely
correcon of deficiencies.
Review Activity 4
Feedback: Performing at the Tier 3 Informaon Systems level, the ISO categorizes the systems.
May 2024 Center for Development of Security Excellence A-3
Feedback: The DOD Component SISO has authority and responsibility for security controls
assessment at this level.
-
Feedback: Performing at the Tier 3 Informaon Systems level, Authorizing Officials (AOs) monitor and
track overall execuon of system-level POA&Ms. AOs cannot delegate authorizaon decisions.
Lesson 3 Review Activities
Review Activity 1
Feedback: Tier 2 MISSION/BUSINESS PROCESSES ISCM strategies focus on the controls that address
the establishment and management of the organizaon’s informaon security program, including
establishing the minimum frequency with which each security control or metric is to be assessed or
monitored.
-
Feedback: Tier 1 ORGANIZATION ISCM strategy focuses on high-level informaon security
governance policy as it relates to risk to the organizaon as a whole, to its core missions, and to its
business funcons.
May 2024 Center for Development of Security Excellence A-4
-
Feedback: Tier 3 INFORMATION SYSTEMS ISCM strategy focuses on ensuring that all system-level
security controls are implemented correctly, operate as intended, produce the desired outcome with
respect to meeng the security requirements for the system, and connue to be effecve over me.
Review Activity 2
-
Feedback: In Step 3: Implement an ISCM program, security-related informaon required for metrics,
assessments, and reporng is collected and, where possible, the collecon, analysis, and reporng of
data are automated.
-
May 2024 Center for Development of Security Excellence A-
Feedback: In Step 6: Review and Update the monitoring program adjusng the ISCM strategy and
maturing measurement capabilies to increase visibility into assets and awareness of vulnerabilies,
further enable data-driven control of the security of an organizaon’s informaon infrastructure, and
increase organizaonal resilience.
Feedback: In Step 2: Establish an ISCM program the metrics, status monitoring frequencies, control
assessment frequencies, and an ISCM technical architecture are determined.
--
Feedback: In Step 1: Define an ISCM strategy based on risk tolerance that maintains clear visibility
into assets, awareness of vulnerabilies, up-to-date threat informaon, and mission/business
impacts.
Lesson 4 Review Activities
Review Activity 1
-
May 2024 Center for Development of Security Excellence A-
Feedback: SecCM roles in risk management ensure adjustments to the system configuraon do not
adversely affect the security of the informaon system or the organizaon’s operaons as well as
establishing configuraon baselines and tracking, controlling, and managing aspects of business
development.
Review Activity 2
Feedback: In Phase 3, Controlling Configuraon Changes, a variety of access restricons for change
are employed, including: Access controls, process automaon, abstract layers, change windows, and
verificaon and audit acvies.
Feedback: In Phase 4, Monitoring, acvies focus on validang the IS adheres to the policies,
procedures, and approved baseline configuraon as well as to idenfy undiscovered/undocumented
system components, misconfiguraons, vulnerabilies, and unauthorized changes.
May 2024 Center for Development of Security Excellence A-
Feedback: In Phase 2, Idenfying and Implemenng Configuraons, acvies address configuraon
sengs, soware loads, patch levels, how the IS is arranged, and how various security controls are
implemented.
Feedback: In Phase 1, Planning, acvies involve developing policy and procedures including
implementaon plans, change control processes, and metrics for compliance, to name a few.
Review Activity 3
-
Feedback: The Access Restricons for Change control includes physical and logical access controls
and supports auding of the enforcement acons. Only qualified and authorized individuals are
permied to iniate changes in the system.
2
--
-
May 2024 Center for Development of Security Excellence A-
Feedback: The Soware Usage Restricons control ensures that soware use complies with contract
agreements and copyright laws, tracks usage, and documents the use of peer-to-peer file sharing
technology to prevent unauthorized distribuon, display, performance, or reproducon of
copyrighted work.
-
Feedback: The Configuraon Change Control involves the systemac proposal, jusficaon,
implementaon, tesng, review, and disposion of changes to the systems, including system
upgrades and modificaons.
-
Feedback: The Configuraon Sengs control applies to the parameters that can be changed in
hardware, soware, or firmware components that affect the security and privacy posture or
funconality of the system, including registry sengs, account/directory permission sengs, and
sengs for funcons, ports and protocols.
Review Activity 4
May 2024 Center for Development of Security Excellence A-
Feedback: Phase 3: Controlling Configuraon Changes, involves the management of change to
maintain the secure, approved baseline of a system.
Lesson 5 Review Activities
Review Activity 1
-on
-
-
Feedback: Audit requirements in the NISP include: systems that are properly managed to protect
against unauthorized disclosure of classified informaon; a risk-based set of management,
operaonal, and technical security controls; and policies that address key components of the insider
threat program.
Review Activity 2
Feedback: The progression to access the security event log is to select Windows icon; then type Event
Viewer; and then expand the Windows Logs folder.
Review Activity 3
-
May 2024 Center for Development of Security Excellence A-10
Feedback: All of these answer choices are key informaon for an audit trail analysis.
Lesson 6 Review Activities
Review Activity 1
Feedback: Counterintelligence and cybersecurity go hand-in-hand to protect DOD assets by: Sharing
and reporng unauthorized accesses aempts, denial of service aacks, exfiltrated data, and other
threats/vulnerabilies in a mely manner; Conducng trend analysis as part of the monitoring and
detecon acvies; and Implemenng cyberspace defenses to ensure DOD informaon systems and
networks are resistant to penetraon and disrupon.
Review Activity 2
-
Feedback: Through CM capabilies the following would be invesgated and analyzed: Unexplained
storage of encrypted data; Use of account credenals by unauthorized pares; and downloading or
installing non-approved computer applicaons.
May 2024 Center for Development of Security Excellence A-11
Review Activity 3
-
-
Feedback: CM supports operaonal resilience, interoperability, and operaonal reciprocity in the
following ways: Detecon of transmied informaon to foreign IP addresses; Monitoring the
collecon, transmission, storage, aggregaon, and presentaon of data that conveys current
operaonal status; Collecon and reporng on strategic cybersecurity metrics; and Analysis of
cybersecurity products (e.g., firewalls, intrusion detecon systems) that operate in a net-centric
manner.
