
RSA Archer Suite

26 Posts authored by: Chris Hoover Employee

Great news! The RSA Archer Platform version 6.1 just received an Evaluation Assurance Level (EAL) of 2+ from a Common Criteria lab. The RSA Archer platform has carried this designation across many years and many versions, but it was just retested and recertified against our latest platform changes and enhancements.

What is an EAL?

It is the designation that an impartial third-party assessor has tested the design and functionality of RSA Archer software to prove that the internal security features of the platform work as intended (and as advertised!).

Why should you care?

This gives the end user assurance that a tool with an EAL can be used to safely store and process sensitive data. For example, EAL testing gives the assurance that RSA Archer provides not just rigid access control between authorized and unauthorized users, but also rigid and nuanced access enforcement between different levels of authorized internal users. These CC EAL certifications are important to our public sector buyers. Even if you’re in the private sector, however, you can get a little extra peace of mind knowing that this EAL 2+ has enabled RSA Archer to be implemented in a wide range of federal environments, including highly sensitive and classified environments.

Our evaluation was performed by Leidos' Common Criteria Testing Laboratory within its Commercial Cybersecurity practice. Leidos is one of the top evaluation and testing laboratories approved by the National Information Assurance Partnership (NIAP).

A full announcement is available here, but I wanted to share the update too. We’re all proud of the progress we are making in moving the platform forward with new features, but maintaining our strict security standards as we go!

Thanks for reading and, as always, email me with questions or comments.



As I mentioned in my last blog, one of the important benefits of our recent release of RSA Archer 6.1 is an alignment of organization maturity with the technology to support it. Building a mature Information Assurance (IA) program in the public sector takes time and commitment. It requires and is marked by a balance of the right technologies, processes, and people.
At RSA, we have developed a maturity model that we use as a communication tool with our prospects and clients to recommend changes and correlate them to stages of the maturity journey.


I very recently did a webcast that walks through this mapping of Public Sector use cases to steps in the maturity model in detail. I would encourage you to view that recording here if you’re interested in more information.

With the release of RSA Archer 6.1 we are making individual Public Sector use cases available that align to this maturity journey. In this way, customers acquire just the right amount of technology to enable their IA program as they need it. They are not biting off more than they can chew or over-purchasing functionality they may never use. The Public Sector use cases are as follows:
• Plan of Actions and Milestones (POA&M)
• Assessment and Authorization (A&A)
• Continuous Monitoring (CM)

We realize that FISMA and OMB compliance and risk management are not challenges that can be solved simply with technology. They are mission imperatives that must be addressed through a shift in focus, priority and culture within your organization, making risk management part of how everyone in your organization thinks and acts. By engaging everyone, you can eliminate operational inefficiency and achieve your most strategic growth objectives. That’s why our collective mission at RSA Archer is to “Inspire Everyone to Own Risk.”
To see how these use cases can enable the stakeholders in your organization to own risk, remember to watch the webcast, or visit the Public Sector page for general information.

Thanks for reading.
Email me with comments or questions.
Chris Hoover



An important benefit from our recent release of RSA Archer 6.1 is an alignment of organization maturity with the technology to support it. Building a mature IT and Security Risk Management program takes time and commitment. It requires and is marked by a balance of the right technologies, processes, and people.
The progression of an organization’s IT and Security Risk Management program maturity can be characterized in stages:

Less-mature organizations are typically very reactive and compliance-oriented. They attack individual risks and compliance initiatives within an isolated strategy. Their strategy relies on the constant fire-fighting mode of their front-line and functional employees. Their focus is so much on compliance and tactical risks that they cannot see beyond the immediate.
Organizations at this level have the basic capabilities to detect and remediate threats and defects, and they can manage incidents, but their tools and processes are siloed. This leads to poor reporting and visibility and maximum pain and stress for the security admins. Another effect of this culture is that the organization is exposed to individual threats and defects for longer than necessary.

In order to transition from the Siloed to the Managed stage of maturity, organizations need to focus on integration between tools and on using automation where possible to streamline assessments and compliance activities. When tools and people are better integrated and share data more freely, visibility is improved, new insights can be made, and these insights lead to better decision making.
Another hallmark of this stage of maturity is the transition from compliance-driven to risk-driven. This means that instead of prioritizing things based on which compliance activity is due (or overdue), decisions are made using meaningful security metrics (e.g., what can I fix right now that is introducing the most risk?). For these reasons, the Managed stage of maturity is the point where processes become more repeatable, consistent, and less painful for the security team to perform.

In order to transform an organization’s program from Managed to Advantaged, organizations need to manage known and unknown risk and identify new business opportunities. They do root cause analyses to prevent repeats of findings. They also need to strive to roll business context into all risk decisions. Lastly, the frequency of control assessments needs to change based on this business context. This means that the Advantaged organization has a risk view that is current and complete but does not overwhelm the staff.
An organization in this position is now ready to realize the competitive advantage of harnessing risk: beating competitors to market, launching new products and services with calculated efficiencies, and avoiding those major issues that affect reputations and the bottom line. Organizations in this phase focus on speaking “business language” instead of “risk language”.

With the release of RSA Archer 6.1 we are making individual IT and Security Risk Management use cases available that align to this maturity journey.
Recognizing the fact that risk management programs go through multiple stages of maturity over time, with RSA Archer 6.1 we have aligned our solution use cases with the maturity journey. In this way, customers acquire just the right amount of technology to enable their IT and Security Risk Management program as they need it. They are not biting off more than they can chew or over-purchasing functionality they may never use. The IT and Security Risk Management-related activities (or use cases) we typically see implemented as organizations build their risk management program are as follows:

RSA Archer IT and Security Policy Program Management
provides the framework for establishing a scalable and flexible environment to manage corporate and regulatory policies and ensure alignment with compliance obligations. This includes documenting policies and standards, assigning ownership, and mapping policies to key business areas and objectives. Out-of-the-box content includes the most current security frameworks and control catalogs, such as the ISO 27000 series, COBIT 5, NIST 800 series, and PCI-DSS.

RSA Archer IT Controls Assurance
provides the ability to assess and report on the performance of controls across all IT assets and automate control assessment and monitoring.

RSA Archer IT Security Vulnerabilities Program
offers security teams a big data approach to identify and prioritize high-risk threats. It lets teams proactively manage IT security risks by combining asset business context, actionable threat intelligence, vulnerability assessment results, and comprehensive workflows in one place. IT assets can be cataloged with a full business context overlay to prioritize scanning and response. The consolidated research platform for vulnerability management enables centralized tracking and remediation of related issues.

RSA Archer IT Risk Management
enables you to comprehensively catalog organizational hierarchies and IT assets to ensure all business critical connections are documented and understood in the proper context of IT risk management. This use case forms the basis for completeness when populating the included Risk Register with all relevant IT risks. Pre-built IT risk assessments, threat assessment methodology, and IT control repository enable you to document and assess IT controls.

RSA Archer PCI Management
enables organizations to streamline the compliance process, simplify stakeholder participation, and reduce overall compliance effort and cost. It allows organizations to jumpstart a PCI compliance program by conducting continuous assessments and providing visibility to manage and mitigate risk. PCI Management guides merchants through the completion of relevant self-assessment questionnaires (SAQs). It also provides packaging and export of compliance program results and attestation articles in a properly formatted PCI Report on Compliance (ROC) for easy submission and review.

RSA Archer Security Incident Management
enables you to address security alerts through managed processes designed to effectively escalate, investigate, and resolve security incidents. Organizational and IT assets can be centrally cataloged with a full business context overlay to drive appropriate prioritization of security events. Built-in workflows streamline the process and enable teams to work effectively through their defined incident response and triage procedures. Any issues related to incident investigations can be tracked and managed in a centralized portal to enable full visibility and reporting.

RSA Archer Security Operations and Breach Management
enables you to centrally catalog organizational and IT assets to establish a full business context overlay that drives incident prioritization. Built-in workflows and reporting for security incidents enable security managers to stay on top of the most pressing issues. Best practices and procedures for incident handling help security analysts effectively and efficiently triage alerts. Any issues related to incident investigations can be tracked and managed in a centralized portal, enabling full visibility and reporting. Finally, the security operations manager can effectively monitor key performance indicators, measure control efficacy, and manage the overall SOC team.

RSA Archer IT Regulatory Management
provides organizations with the necessary tools and capabilities to document external regulatory obligations. Organizations can establish a systematic review and approval process for tracking changes to regulatory obligations, understand the business impact, and prioritize a response.

RSA Archer Information Security Management System (ISMS)
allows you to quickly scope your information security management system (ISMS) and document your Statement of Applicability for reporting and certification. You can also catalog individual resources related to your ISMS, including information assets, applications, business processes, devices, and facilities, and document and maintain related policies, standards, and risks. This centralized view of your ISMS makes it easier to understand asset relationships and manage changes to the infrastructure. Issues identified during assessments can be centrally tracked to ensure remediation efforts for gaps are consistently documented and monitored and effectively addressed.
The RSA Archer IT and Security Risk Management solution pulls together all of the use cases mentioned above to enable greater business context, greater cohesion between the elements of the program, and better visibility.

We realize that risk management is not a challenge that can be solved simply with technology. It is a business imperative that must be addressed through a shift in focus, priority and culture within your organization, making risk management part of how everyone in your organization thinks and acts. By engaging everyone in IT security and risk processes, you can eliminate operational inefficiency and achieve your most strategic growth objectives. That’s why our collective mission at RSA Archer is to “Inspire Everyone to Own Risk.”


For more information about RSA Archer IT&SRM, click here.


Thanks for reading.
Email me with comments or questions.


Findings. Defects. Whatever you call them, your organization’s security posture is full of them. At RSA, we use the umbrella term “Issues Management”. So many organizations handle their vulnerabilities, misconfigurations, failed controls, and policy and process gaps the same way: the hard way. The hard way is the reactive way, the just-in-time way, and the kick-the-can-down-the-road way.


The “now” version of you, who is always at risk of falling behind at work, is dealing with these findings and defects in what you think is a reasonable way. “Sometimes you have to kick the can down the road,” you tell yourself, just to keep your sanity and keep things moving now. Periodically, however, these kicked cans pile up and cause a lot of stress for the “future” you and probably some lost free time on nights and weekends as well. At those times, the “future” you is thinking that you’re a real jerk.


I know. I’m preaching to the choir. You’ve already heard this or thought this, and right now I’m just giving advice that’s easy to say, but hard to do. Early in my career, when I was broke, I asked my insurance agent how I could cut some coverage to reduce my rates. He gave me the “you can’t afford not to have good coverage” speech. Financial gurus give the same advice about saving for emergencies and saving for retirement. “You can’t afford not to.” It sounds contradictory at the time. You already don’t have enough money, so how is taking more of each paycheck out of circulation supposed to help you? It’s annoying to hear, and hard to work through, but the plain, ugly truth is that they’re right. It takes personal maturity to learn lessons like this, and just like we as individuals can mature and learn hard lessons, so can our organizations.


So, how does this same “you can’t afford not to” lesson apply to our organizations?
Well, in the case of issues management, it means several things. You have to streamline the issues management process so all the stakeholders can do their part with less effort. You also need to bring these stakeholders’ data and tools together so they can share information more easily and learn more from each other. This provides new insights. New insights and metrics mean that you can prioritize your issues and work on the things that bring the largest security improvement. Visibility creates accountability. Visibility into trends and metrics across all domains of issues will also facilitate root cause analysis and, ultimately, reduce repeats of the same findings in the future.


This is breaking the cycle, and making things better for your future self. It is similar to Eastern philosophy: when it speaks of Samsara, the Wheel of Suffering, and karma, it is saying to quit doing things that you know will just cause you more pain later. This also reminded me of what Andrew Jaquith once called “Escaping the Hamster Wheel of Pain” or what my colleague Patrick Potter recently compared to Groundhog Day.


Feel a little pain right now. Do the little bit of extra work, use the right tools like RSA Archer’s Issues Management, and make your future self a happy person.


Thanks for reading!

Feel free to email me with questions or comments.



Through the years, as federal information assurance professionals, we’ve seen a lot of adjustments and evolution. We had an arms race in buying newer and better firewalls, more secure networking devices, IDSs, IPSs, and SIEM tools. We bought generations of scanners and sensors. We watched several iterations of C&A and A&A methodologies come and go. FISMA took its first lumbering steps, and about a dozen VERY expensive years later, it was rewritten. The evolution in each case was toward a more dynamic and risk-based approach. From bastion to defense in depth. From rules-based to heuristic. From a mountain of logs to a prioritized few. FISMA is trying to do the same thing: to move from a checklist exercise to embracing continuous monitoring, and from crusty, three-year-old ATOs to using tangible risk metrics.


Since the economic crash of 2008, the message has begun to sink in that wartime spending increases are gone, and even though the missions seem to grow and grow, the budget has either finally hit a ceiling or faces a very slow increase for the foreseeable future. The DoD and Intelligence Community may get a little consideration for their classified systems, but overall, the federal community knows we cannot throw resources at security problems like we have in the past.


Fortunately, this fits in with the evolution examples I just gave. Moving to embrace real risk management and real risk-based allocation doesn’t just save money, it will actually force federal organizations to think and behave in ways which make them more secure.


To this end, at RSA, we strive to make tools to enable true risk management and inspire it within organizations. This is why I’m happy to announce the upcoming launch of RSA Archer GRC 6. I don’t want to derail the risk message I’m building up to by stopping to describe the new features, so here is a short video that hits the high points and shows the new interface, etc.


Back to my point: Federal organizations need to continue to infuse more risk-based decision making into their cultures. What do I mean by that? As part of the launch of RSA Archer GRC 6, we had a virtual launch event. I would recommend you watch the launch video here. I mention the video because my colleagues centered the event on the theme “Inspire Everyone to Own Risk”. This theme strikes the perfect tone because, first, it showcases the best new features of Archer v6, but, more importantly, it ties in with the evolution thread above.


Federal organizations must empower more, if not all, employees to understand risk, to make risk decisions, and to help manage risk at their own respective levels within the organization. In the launch video I mentioned, one of my colleagues points out an excellent white paper from COSO related to this subject. It is similar in many ways to federal documents like NIST SP 800-37 and 39, but adds a few extra elements, and it is refreshing and enlightening to hear these topics being discussed by a different community with a slightly different perspective. This doesn’t just mean FISMA and OMB compliance. It means getting the teams within your organization to agree on a common risk taxonomy and common goals. It means ORM/ERM and using resources like AFERM and the Maroon Book in your organization.


It is for all of these reasons that when I see our new RSA Archer GRC 6, I notice and appreciate most the new features focused on role-based views and reports, task-driven landing screens, and advanced workflow capabilities. These features break down the silos between teams and empower each layer in the organizational hierarchy to own and manage their piece of the risk.


Inspire everyone to own risk.


Thanks for reading. Comments or questions? Email me.



NIST just hosted the Cloud Computing Workshop and Forum VIII at their headquarters in Gaithersburg, MD. It is part of the larger NIST ITL Cloud Computing Program. It was an impressive event, with four days of multiple simultaneous tracks. As security professionals, we all know it’s hard to juggle and stay abreast of all the topics and updates (new threats, new guidance, etc.), and I’ll be frank, I had turned my attention away from cloud computing and cloud security for a large portion of the last year to work on other things. I’ll admit I was really surprised at how much the breadth, depth, and maturity of this field has grown in that time. As a federally focused practitioner, and given the location, I was expecting to show up and hear about FedRAMP and cloud security controls. Though they did cover those topics, it was a small portion of the event overall.


The list of presenters was diverse: academia, NIST and many other federal employees, implementers, consultants, and vendors (including RSA; our CTO, Zulfikar Ramzan, gave one of the keynotes). They covered a huge range of topics, so I’ll just mention a few takeaways from the event:


Maturing library of standards. Just as the first wave of real cloud guidance (dating back to roughly 2011) is being adopted, there are many new cloud computing guidelines, standards, and updates either just coming out or in draft at the moment. As you’d expect, NIST and ISO, as with other IT and security standards and guidance, are at the forefront, but add to that the Cloud Security Alliance, the Open Group, IEEE, and others, and you get the scope of players, each of them introducing new standards and considerations.


New challenges, new taxonomy. A significant amount of time was given to discussing the developing taxonomy for dealing with new challenges presented by cloud computing. Don’t feel bad, however, if you can’t articulate the difference between a cloud broker, cloud service manager, cloud provider, and cloud carrier; I couldn’t either, but NIST SP 500-292 started this conversation years ago and ISO is augmenting it with standards currently in development like ISO 19944. To effectively manage new cloud paradigms we need new ways to describe new data types, new architectures, and new customer scenarios.


Collaborative effort, diversified risk. I think I heard the acronym “SLA” almost as many times during the event as I did the word “cloud”. There was a lot of emphasis on business-to-business implications, specifically SLAs, because of the transference and ownership of risk across the lines of multiple organizations. SLAs in the past were viewed as just an annoying bit of paperwork, or an item to have for an audit checklist, but the number of players and moving parts in a cloud environment is going to make closer friends of your IT staff, legal staff, and acquisition office going forward. SLAs are critical to managing cloud computing risk, and the number of teams and organizations involved can create a “cascading SLA” effect that makes things even more challenging. ISO has several standards under development for this area (ISO 19086-1, 2, and 3).


There were many other one-off questions and topics like cloud forensics, deleting data in the cloud, privacy vs. security, etc., too many, in fact, to cover here, but for the curious: a link to the slides and presentations from the event. Wrapping up, the message I got from this event and from the industry is that processes and security are mature enough that real adoption of the cloud is underway. We are finally past the phase where everyone is dipping their toe in but waiting for someone else to take the first plunge.


Thanks for reading and email me with comments or questions.

At RSA Archer, we are now officially announcing our GRC maturity assessments. I personally would like to announce the Assessment & Authorization (A&A) and Continuous Monitoring maturity assessment for the federal community and federal adjacent customers, like contractors. In addition, we have maturity assessments that correspond to most of our other offerings and domains of interest:

  • Operational Risk Management
  • IT Security Risk Management
  • Regulatory and Corporate Compliance
  • Business Resiliency
  • Third Party Governance
  • Audit Management


So what is it?

You answer a questionnaire and send us the results. We perform the analyses and provide charts, reports, and artifacts in a formal briefing. This is all FREE. You can invite other stakeholders to this briefing or at least have the reports and materials to take back to your team to prompt some serious discussion.


Why do you need it?

In the context of A&A and Continuous Monitoring, we know they are mandatory activities. FISMA and OMB have told us so. We have been doing A&A (and C&A) for many years. Most people are still figuring out what they are going to do about Continuous Monitoring. Very few have attempted to achieve Ongoing Authorization.


The maturity assessment doesn’t just force you to examine each little piece you’re doing or not doing; it forces you to see the activities’ relationships and how they impact each other. Beyond just a litany of checklist activities, you have to at some point examine the maturity of your processes, tools, and staff. Without this, you will likely never meet the minimum, and if you do, it will be at the maximum cost in stress and pain to your staff. To put it another way: an organization with a mature information assurance program will have efficiencies and visibility in place that will allow it to achieve more than a less mature organization with the same amount of resources.


What's next?

If you are interested in learning more about our process, we have white papers posted here for you to learn more.

Or contact me directly and we can discuss next steps.


As always, thanks for reading, and email me with comments or questions.


Gartner just released their IT Risk Management Magic Quadrant results. RSA is at the front, as usual, but when I saw the results I was immediately struck by a question: How closely do Gartner’s and the federal community’s visions of IT Risk Management align? There has been discussion around redefining these categories and some have been broken out into new MQs. So, for my federal security professional colleagues, I just wanted to run through Gartner’s definition of ITRM and compare them to current federal thinking and initiatives.



When Gartner is evaluating tools against the topic or domain of IT Risk Management, their site says they focus on “software products that support the ITRM discipline through automating common workflows and requirements”. Automation is a key theme. The increased complexity and acceleration in the speed of the IT threat world requires automation these days. Automation is mentioned several other times on the ITRM page, including: “It is important to note that these products automate good, existing processes. Organizations should seek automation when they have sufficient maturity to take advantage of its benefits.”


This fits in very well with the current federal emphasis on continuous monitoring (both manual and automated). The federal community is now fairly mature at the FISMA/OMB compliance paradigm and C&A/A&A. Logically, continuous monitoring is one of the areas where automation can help enhance the process. This emphasis can be seen in many new releases in the last year. OMB Memos 14-3 and 15-1 have touched on this topic in the last 18 months. FedRAMP updated its continuous monitoring guidance last summer. The NIST 800-53A Rev4 that just came out is MUCH more granular than previous revisions. This provides more granular reporting, but good luck trying to implement it without some automation.


Gartner’s definition of “IT risk management” is based on customer feedback, funneled through a working group of analysts. It comprises the following components:

Policy Management

      • Authoring, change management and version control
      • Development and approval workflow
      • Mapping policy statements into regulatory requirements

Compliance Mapping/Reporting – the ability to link the appropriate controls, assets, and assessment results and reports

Security Operations Analysis and Reporting

      • Ability to leverage diverse scanner and sensor data
      • Turn security metrics into actionable, meaningful reports and dashboards
      • Defect remediation workflow

IT Risk Assessment – providing a risk assessment workflow, and linkage between assets, risk assessments, context, and metrics.

Incident Management – manage, remediate, and report on incidents


It’s not hard to see that these very closely align with the current concerns in the federal community. Continuous monitoring, or what DHS calls Continuous Diagnostics and Mitigation (CDM) for its CDM Dashboard, addresses many of these pieces, as do the NIST RMF and CNSSI 1253. The point I wanted to make is that Gartner has many MQs, and RSA has done well in all of them, as you can see here, here, and here. The ITRM MQ is, I would argue, the most applicable to the largest portion and intent of federal cybersecurity efforts, and in this MQ, RSA is not just in the Leaders quadrant, but at the leading edge.


Thanks for reading.

Email me with comments and questions.


Enterprise Risk Management (ERM) is a large and sometimes confusing topic. It’s difficult to put boundaries around, by which I mean we have different tools, processes, and regulations to manage different types of risk. Questions arise, such as: if we already have tools, processes, and regulations to manage financial risk and IT risk, for example, do they still fall under the umbrella term “ERM”? If yes, is there another ERM layer of tools, processes, and regulations that we must also use and follow? The underlying question then is “what is ERM?”


So let's start with examples of federal enterprise risks. The “Maroon Book”, which I will discuss more below, gives many examples:

  • cyber attacks on our critical infrastructure
  • strategic human capital management
  • the BP oil spill a few years back
  • unfunded/underfunded pension programs
  • protecting public health through oversight of medical products and food safety
  • managing spending and acquisition programs that are constantly over budget
  • financial viability of postal service


You can see that the previous examples of financial and IT risk do fall under ERM, as do so many others. In the past some of these types of risk were poorly managed, or not managed at all. Even knowing where to start was confusing. This was made worse in the federal space, where the Intelligence Community and DoD have invented so many unique risk management processes to protect sensitive areas, operatives, and operations. The federal government is so big and diverse that it has in the past had an inconsistent understanding of what risk is, how to classify it, how to manage it, etc. Fortunately, that era seems to be coming to an end.


As a practitioner, I have personally seen a lot of meaningful development in the last 2-3 years, and I feel like 2015 is going to be the turning point for federal ERM. Some developments I would point out:

  • The Association of Federal Enterprise Risk Management (AFERM) started small in 2008 as a steering group, but has built a lot of momentum in the last few years in terms of membership, visibility, and influence.
  • The recent release of Enterprise Risk Management - A Guide for Government Professionals aka the “The Maroon Book” provides a single authoritative position on what federal ERM is and how to use it
  • Embrace of ISO 31000. The US federal government loves to create processes (even redundant layers of them), and to embrace this international standard without reinventing the wheel is a huge step forward. It enables the federal space to align with so many potential vendors, partners, industries, etc. and to share a common taxonomy and processes.
  • OMB repeatedly stating that risk management is a top management priority for federal agencies, and to that effect releasing revised versions of circulars A-11 and A-129, and working on an update for A-123, all with new language stressing risk-based decision making and
  • Many Departments and agencies have recently created and filled positions titled “Chief Risk Officer” and “Risk Management Officer”
  • Most compelling to me personally as an employee of a GRC company, is that we are starting to get regular invites from large federal civilian Departments and agencies to discuss RSA Archer’s approach to ERM through our solutions. This was not something that was happening even two years ago.


For more information on ERM visit the links above. You can also check out my colleagues’ blogs on RSA’s take on Operational Risk Management here and here and see Gartner's latest report which is also relevant. 


As always, thanks for reading, and email me with questions or comments.


Who do you do business with, associate with, outsource to, and share information with? How can those relationships hurt you and how can relying on them in a critical moment impact your mission? Will their security posture save you from peril or kick you while you’re down? How many of your partners, vendors, and suppliers are soft targets and vectors to use to attack you from a trusted source? These are issues that are coming to the forefront more and more.


To address these issues, just this summer, NIST released the second draft of its related publication, NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations.


There have been many workshops and events in Washington DC this year already on supply chain risk management (SCRM) and, even as I write this, there is another underway this week in McLean, VA, Winter 2014 Software and Supply Chain Assurance Working Group, involving NIST, DHS, MITRE and the usual cast of federal players and vendors.


The NIST Cybersecurity Framework (CSF) was written to help the critical infrastructure sectors. Although it was intended to foster/build/manage an entire comprehensive cybersecurity program, it has had increasing attention and focus as a way for organizations to share information about their security posture with their partners, vendors, and intra-organizationally.


I did a webcast earlier this year on Vendor and Supply Chain Management with my colleague, Marshall Toburen, that goes further into this topic, especially focusing on how it applies to the federal community. And if you’re more interested in the private sector perspective, here are several recent related posts from team mates: here, here, here, and here.


Now, for the good news:

In Gartner’s latest IT Vendor Risk Management Magic Quadrant, analysts Christopher Ambrose, Kris Doering, and Gayla Sullivan evaluated 10 enterprise-class IT Vendor Risk Management solutions.


As you can see in the report, RSA Archer is again ahead of the pack - something we’re very proud of. We take these analyses and use them to continually improve, as well as using inputs from our customers and prospects and our working group members. If you are interested in seeing a demo or being a member of the Vendor Management working group please feel free to contact .


Thanks for reading. As always, email me with questions or comments.




@chrish00ver on Twitter

I just got back from NIST’s 6th Cybersecurity Framework Workshop in Tampa and wanted to share some of the really positive signs of progress. This was the sixth workshop, but the first in another sense. By this I mean that it’s been eight months since the release of the framework. This workshop really had the feel that it was the first post-release workshop where a significant number of organizations have had enough time to assimilate the document, message it throughout their organization, plan, implement, debate, etc. For all these reasons, unlike previous sessions, which were more about tinkering with the framework itself, this was a lot more about getting meaningful feedback from the early adopters and discussing the value people have realized by implementing it.


What are the strengths?


Intentional Development

Several panel speakers made the same point that just discussing and planning the use of the CSF had multiple positive results. It forced them to bring stakeholders together that had not been communicating previously. It forced them to define what risk means to each of the stakeholders. Finally, it forced them to define their risk appetites.



While NIST continuously points out that there is no such thing as “CSF-compliant”, many people want to use it for vetting. This point came up several times in the context of vendor-to-vendor relations and supply chain: the CSF could be used by business partners or prospective clients to show each other where they are in their security programs. One of the panel speakers, who works for a collective that approves funding for large-scale utility investments, said that they want to see evidence of prudent decision making before they invest. They have embraced the CSF as an indicator of prudent decision-making in IT security, an area where they are not experts.



“Flexibility is the core strength of the framework”. This was the most common message of the workshop, repeated by many panel speakers and throughout the working sessions. Tim Casey, a risk executive from the chip-maker Intel, gave several examples of how they tailored the categories and subcategories provided by NIST to their own needs. This included adding an entirely new category: Threat Intelligence. They did all of this while in contact with NIST, who consistently offer the message of “tailor it to work for your organization”. Another panel speaker, from Chevron, specifically cited the DHS CSET tool, a precursor to the NIST CSF that also targets critical infrastructure, as not being customizable, and pointed out that the CSF gave him the flexibility he needed to build the appropriate in-house solution.



How hard is it?

A lot of the questions from the audience to the session panel speakers were around the level of effort in implementing the framework. On this subject, Chris Boyers from AT&T said that “NIST had created a great product, one that industry can largely support”. A more enthusiastic endorsement came from Intel, who said that for their enormous, multi-billion dollar company, defining their internal process and stakeholders and completing their first, high-level assessment had taken less than 150 work hours. Most of the audience (including myself) was pretty obviously surprised by that number.


Where is it going?

Ari Schwarz, from the National Security Council, headed off questions about a CSF version 2. He essentially said there was no change in the near future, and to implement it as it stands, don’t wait for v2, etc. I think confusion around this subject comes from the NIST CSF Roadmap which can be found here. These were areas for planned improvement that NIST released almost at the same time that the CSF was released. They were just acknowledging that they knew there were areas that would grow, but that implementation of the CSF would still be valuable in the meantime.


There were also delegates from the UK government and European Union present. The short takeaway from them: First, the UK likes the CSF and is encouraging its companies to use it. Second, the CSF will be most successful when it’s embraced globally. This is really just a supply chain comment, since we live in a global economy.


Lastly, RSA was present in the tech expo area, which was restricted to only five vendors. We provided demos of our NIST CSF proof of concept. That’s all for now.


Email me with comments or questions, or if you would like a demo of our CSF POC.


Thanks for reading.





At last! Here is the third and final part of my continuous monitoring white paper series. I hope this is the most useful to you, because the subject is strictly focused on managing assessment costs. CM has the potential to either 1) make your IA program vastly more expensive and/or 2) work your current staff to death. This paper will hopefully provide ways to lessen the impact and probability of both.


In other related CM news, RSA Archer has won the DHS CDM Dashboard bid, which is a huge victory! It feels great to know our offerings will be helping the federal government better manage operational risk.


Our VP for Public Sector announces the win here, and Government Computer News covered the announcement here.


Very exciting times! I hope you have enjoyed the CM white paper series. If you have questions or comments, please email me.


Or let’s connect on

Twitter  / @chrish00ver



Thanks for reading!


To begin, I wanted to provide the link to Part 2 of 3 of the Continuous Monitoring white paper series, available here.


I also wanted to mention some of the developments in the CM world since my last blog.


As mentioned previously, the Dept. of Homeland Security (DHS) is using the term Continuous Diagnostics and Mitigation (CDM) to refer to CM. DHS is working to build a CDM dashboard for the entire federal government. The CDM dashboard contract is moving forward. An integrator has been chosen for the project: InfoReliance, a current RSA Archer partner. Read more here. Potential solutions are being considered. RSA Archer is, of course, among these candidates.


On a related note, “Ongoing Authorization (OA)” is becoming the de facto term to describe the use of CM to maintain security authorizations. A few weeks ago, NIST released implementation guidance on this subject, available here.


I will be posting another blog before the end of the month to announce the third and final part of the CM white paper series. I think at that time, I will also hopefully have some news to share regarding RSA Archer’s upcoming Continuous Monitoring v2.


Thanks for reading. As always, please email with comments or questions.



Continuous monitoring (CM) continues to be a hot topic in the information assurance world. DHS CDM and CMaaS purchases and planning continue to lumber forward. Version 2 of our CM solution will launch this year and reflects the latest thinking in CM risk scoring and presentation.


So, I wanted to make some updates to a three-part blog on continuous monitoring I did last year.


I have decided to create a three-part series of white papers on the subject to allow for greater detail and to include some reference tables. There were a lot of things I couldn’t cover in enough detail and some new developments have unfolded in the meantime.


Part 1 covers common misconceptions and provides definitions, an introduction and brief history of CM and is available here.


Part 2 in this series will address monitoring strategy including the frequency and method of assessments, and will be available in early June.


Part 3 will cover strategies for managing assessment costs and will be available in late June.


Lastly, there is still plenty of time to register for RSA Archer’s 2014 GRC Summit. I will be at the summit, giving demonstrations of our forthcoming A&A and CM version 2 solutions. Hope to see you there!



As always, please email me with comments or questions.




So, NIST just released the final draft of their Cybersecurity framework.


You can read it here, or I can give you a synopsis for now:

The federal government is concerned about the 16 critical infrastructure sectors identified by DHS. If you are in one of these sectors, the concern is that the collection of security tools you have and the security compliance activities that you do, do not add up to a totally comprehensive Cybersecurity program. If a nation state were to engage us in a cyber-war tomorrow, they would certainly target our critical infrastructure. That’s where the NIST CSF comes in. They provide a list of capabilities and goals that an organization should include in their Cybersecurity program. They provide a list of references to use to implement and achieve those capabilities and goals, and they provide a method for assessing and measuring yourself along the way.


I gave a webcast on this subject a few months ago if you’re interested, and will be giving an updated webcast with new material on March 13.


Anyone familiar with RSA Archer would recognize that as a GRC platform, we are well-equipped for the sort of use case presented by the NIST CSF. So, in response we did two things:


  1. We consumed the mappings defined in the CSF between the security goals (called Categories and Subcategories) and the references (called Informative References). This provides the owners of the RSA Archer Policy Management solution with the core to build their own NIST CSF solution. Here is a blog from Mason Karrer, our content strategist, on the subject.
  2. We built a proof of concept NIST CSF solution, which we will be showing at the RSA Conference in a few weeks. I will be giving demos at the RSA booth, so please stop by if you’re attending, and if you’re not registered to attend,
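The synopsis above describes the CSF as three things: a list of outcomes (Categories and Subcategories), a set of Informative References that map each outcome to existing standards, and a way to measure yourself against a target. The following Python is an added example, not RSA Archer code and not NIST's own table, showing what consuming that Subcategory-to-reference mapping looks like and how a current profile can be compared to a target profile to produce a gap list that already carries the references you would implement against. The mapping rows are constructed in the CSF's naming scheme, not copied from the published table, and scoring each Subcategory on a 0-4 scale is an assumption for illustration (the CSF defines its Tiers for the organization as a whole, not per Subcategory).

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in the shape of the CSF "Subcategory -> Informative
# Reference" mapping, one row per reference. The IDs follow the CSF 1.0 naming
# scheme (Function.Category-Subcategory); the rows are illustrative only and
# are not a copy of the NIST table.
MAPPING_CSV = """function,category,subcategory,reference
Identify,ID.AM,ID.AM-1,NIST SP 800-53 Rev. 4 CM-8
Identify,ID.AM,ID.AM-1,ISO/IEC 27001:2013 A.8.1.1
Identify,ID.AM,ID.AM-2,NIST SP 800-53 Rev. 4 CM-8
Protect,PR.AC,PR.AC-1,NIST SP 800-53 Rev. 4 AC-2
Protect,PR.AC,PR.AC-1,ISO/IEC 27001:2013 A.9.2.1
Detect,DE.CM,DE.CM-1,NIST SP 800-53 Rev. 4 SI-4
Respond,RS.RP,RS.RP-1,NIST SP 800-53 Rev. 4 IR-8
"""


def parse_mapping(text):
    """Return {subcategory: [informative references]} in row order."""
    refs = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        refs[row["subcategory"]].append(row["reference"])
    return dict(refs)


# Assumed per-Subcategory scores (constructed): 0 = not addressed, 1 = Partial,
# 2 = Risk Informed, 3 = Repeatable, 4 = Adaptive. A Subcategory absent from
# the current profile is treated as 0.
CURRENT_PROFILE = {"ID.AM-1": 3, "ID.AM-2": 1, "PR.AC-1": 2, "DE.CM-1": 2}
TARGET_PROFILE = {"ID.AM-1": 3, "ID.AM-2": 3, "PR.AC-1": 3, "DE.CM-1": 2, "RS.RP-1": 2}


def assess_gaps(current, target, mapping):
    """Return the Subcategories where current < target, each with the
    Informative References to implement against. A target Subcategory that
    is not in the mapping is rejected rather than silently skipped, so a
    typo in the target profile cannot hide a gap."""
    gaps = []
    for sub, want in sorted(target.items()):
        if sub not in mapping:
            raise ValueError(f"unknown subcategory in target profile: {sub}")
        have = current.get(sub, 0)
        if have < want:
            gaps.append({
                "subcategory": sub,
                "current": have,
                "target": want,
                "references": mapping[sub],
            })
    return gaps


def coverage(current, target):
    """Percentage of target Subcategories whose current score meets the target."""
    if not target:
        return 100.0
    met = sum(1 for sub, want in target.items() if current.get(sub, 0) >= want)
    return round(100.0 * met / len(target), 1)


if __name__ == "__main__":
    mapping = parse_mapping(MAPPING_CSV)
    print(f"target coverage: {coverage(CURRENT_PROFILE, TARGET_PROFILE)}%")
    for gap in assess_gaps(CURRENT_PROFILE, TARGET_PROFILE, mapping):
        print(f"{gap['subcategory']}: {gap['current']} -> {gap['target']}; "
              f"see {', '.join(gap['references'])}")
```

With the constructed profiles this reports 40% coverage and three gaps (ID.AM-2, PR.AC-1 and RS.RP-1, the last one never assessed), each annotated with its references. In a GRC tool the same join is what lets an assessor start from a missed outcome and land on the specific 800-53 or ISO controls that satisfy it.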

Thanks for tuning in, hope to see you at the RSA Conference.


Email me with comments or questions.


