RMF Control AT-5: Contacts with Security Groups and Associations requires organizations to establish and institutionalize contact with selected groups and associations within the security community to facilitate ongoing security education and training for organizational personnel; maintain currency with recommended security practices, techniques, and technologies; and share current security-related information including threats, vulnerabilities, and incidents.
Supplemental Guidance
The Risk Management Framework (RMF) is a cybersecurity framework that provides a structured process for managing cybersecurity risk to systems and organizations. RMF Control AT-5: Contacts with Security Groups and Associations belongs to the AT (Awareness and Training) control family.
Contacts with security groups and associations can help organizations to:
- Stay up-to-date on the latest cybersecurity threats and vulnerabilities.
- Learn about new security practices, techniques, and technologies.
- Get help from other cybersecurity professionals in responding to security incidents.
Benefits of Implementing RMF Control AT-5
There are a number of benefits to implementing RMF Control AT-5, including:
- Improved security posture: Contact with security groups and associations gives organizations access to current cybersecurity information and resources.
- Reduced risk of security incidents: Staying current on threats and vulnerabilities, and having other cybersecurity professionals to call on during an incident, lowers both the likelihood and the impact of security incidents.
- Increased compliance: Many regulations, such as the General Data Protection Regulation (GDPR), require organizations to have a plan in place for responding to security incidents. Access to other cybersecurity professionals during incident response helps organizations meet these requirements.
How to Implement RMF Control AT-5
To implement RMF Control AT-5, organizations should:
- Identify the security groups and associations with which the organization wants to establish contact. Many are available, such as the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), and the Information Systems Security Association (ISSA).
- Establish contact with the selected groups and associations, for example by attending industry events, joining online forums, or subscribing to email newsletters.
- Participate in activities and events sponsored by the groups and associations. This keeps the organization informed about the latest threats and vulnerabilities, as well as new security practices, techniques, and technologies.
- Share information with the groups and associations. This raises awareness of cybersecurity threats and vulnerabilities and spreads best practices for responding to security incidents.
Examples of Security Groups and Associations
Here are some examples of security groups and associations that organizations can establish contact with:
- Cybersecurity and Infrastructure Security Agency (CISA)
- National Institute of Standards and Technology (NIST)
- Information Systems Security Association (ISSA)
- Cloud Security Alliance (CSA)
- The Open Web Application Security Project (OWASP)
- SANS Institute
- International Information Systems Security Certification Consortium (ISC)²
- Information Systems Audit and Control Association (ISACA)
Conclusion
RMF Control AT-5: Contacts with Security Groups and Associations is an important control that helps organizations improve their security posture, reduce the risk of security incidents, and increase compliance with regulations. By implementing it, organizations establish and institutionalize contact with selected groups and associations within the security community, which supports ongoing security education and training for personnel, keeps the organization current with recommended security practices, techniques, and technologies, and enables sharing of current security-related information, including threats, vulnerabilities, and incidents.
Additional Tips for Implementing RMF Control AT-5
- Identify a point of contact for each security group or association: A single named person within the organization should be responsible for maintaining contact with each group or association.
- Develop a plan for sharing information with security groups and associations: The plan should identify the types of information to be shared, how often it will be shared, and the methods used to share it.
- Monitor the security groups and associations the organization is in contact with: Periodic review ensures that the organization remains engaged with the most relevant and current groups and associations.
By following these tips, organizations can effectively implement RMF Control AT-5 and improve their security posture.