Resolve security control issues on a PaaS with this risk management framework

Identifying, implementing, and assessing security controls for an information system can be a burden. Ease your mind by following this six-step risk management framework.


Risk management provides a framework to help you select security controls to protect an information system anywhere in the development life cycle on a Platform as a Service (PaaS) -- it doesn't matter whether it's an engineering, procurement, or personnel system.

The security controls are implemented after the risks are identified, assessed, and reduced to a low level. The implementation criteria include cost effectiveness, technological efficiency, and regulation compliance. You must document the criteria in a security plan.

The National Institute of Standards and Technology's (NIST) Risk Management Framework (RMF) breaks down into six steps of applying security controls to a US federal information system. In a simplistic scenario, each step is described from the perspectives of a Senior Information Security System Officer (ISSO) managing a team of Information System Owners (ISOs) (also the System ISSOs), and a Security Control Assessor (SCA). Also included in the team is an authorizing official who is a departmental or organizational head.

Step 1: Categorize information systems

The ISO categorizes information systems in his department, and documents the results in the security plan in the format provided by the Senior ISSO. The security plan typically covers assets, such as:

  • Information processed, stored, and transmitted;
  • Hardware and software interfaces;
  • PaaS developer access rights;
  • Encryption techniques;
  • Data sensitivity (classified or unclassified); and
  • Incident response point of contact.

The Senior ISSO ensures information systems are registered in the appropriate office (e.g., the Program Management Office).

Step 2: Select security controls

The Senior ISSO works with the ISO on tailoring baseline security controls as system specific or hybrid. The officer ensures the controls are cost effective, technologically efficient, and regulatory complaint.

The security controls specific to an information system include:

  • Access control policy and procedures;
  • Separation of duties;
  • Penetration testing;
  • Personnel screening and training;
  • Vulnerability scanning;
  • Denial of service protection;
  • Configuration settings;
  • Incident response plan;
  • Contingency planning;
  • Emergency shutoff;
  • Protection of information at rest; and
  • Information system inventory.

Step 3: Implement security controls

The Senior ISSO assists the ISO to:

  • Describe functions of each security control. They cover inputs, behavior, and outputs. For example, a security control accepts users' names as inputs, checks each user's file permission level, and generates a log of all users permitted and denied to access which files.
  • Document in the security plan how the security controls should be implemented.

Step 4: Assess security controls

The Senior ISSO ensures the SCA:

  • Prepares an assessment report on security control issues;
  • Develops, reviews, and approves a plan of actions on assessing the security controls;
  • Follows assessment procedures in the plan;
  • Recommends remediation actions on defective security controls; and,
  • Updates the security plan based on the findings and recommendations in the report.

Step 5: Authorize the information system

The Senior ISSO prepares an Authority to Operate (ATO) letter, which confirms security controls for an information system are technologically efficient and regulation compliant. The Senior ISSO submits it along with the accreditation package to the authorizing official for approval of the information system to operate within an agreed time frame (usually three years).

If the security control assessment report shows negative results, either the Senior ISSO or the authorizing official issues an Interim Authorization to Operate (IATO) letter. This letter allows a System ISSO to operate the information system while resolving issues with security controls for a shorter time frame (usually up to six months). After fixing the problem, the System ISSO updates the accreditation authorization package and resubmits it to the Senior ISSO for consideration.

Step 6: Monitor security controls

The Senior ISSO assists the ISO, where necessary, to:

  • Assess security impacts of hardware and software changes to the information system on the PaaS;
  • Fix newly discovered security control deficiencies as a result of the changes on the PaaS; and,
  • Update risk management documents, security plan, security assessment report and plan of action.

The Senior ISSO submits at specified dates the security status of the information system to the authorizing official for review of the security control effectiveness.

If the monitoring report shows new deficiencies within the three years since the ATO letter was issued, the Senior ISSO or an authorizing official issues an IATO letter to:

  • Return the information system to the PaaS to fix the problem;
  • Start over from either the first or second RMF step; and
  • Document the results in an updated security plan.


The RMF is your best bet for resolving security control issues on the PaaS. You can get an ATO letter confirming security controls are cost effective, technologically efficient, and regulation compliant.

By Judith Myerson

Judith M. Myerson is a Systems Engineering Consultant and Security Professional. She is the editor of Enterprise System Integration and the author of RFID in the Supply Chain. She has researched and published articles on a wide range of cloud computi...