National Information Assurance Partnership

Transcript National Information Assurance Partnership

Information System Security
Control Architecture (ISSCA)
Stuart Katzke, Ph.D.
Senior Research Scientist
National Institute of Standards & Technology
100 Bureau Drive; Stop 8930
Gaithersburg, MD 20899
(301) 975-4768
[email protected]
fax: (301) 975-4964
National Institute of Standards and Technology
1
Presentation Contents
• Background/motivation
– System security C&A (historical perspective)
– OMB A-130, Appendix III
– Federal Information Security Management Act 2002 (FISMA)
• NIST FISMA implementation project
• ISSCA
• Significance of NIST’s activities to the commercial sector
----------------------------------------------
• Supporting detail

Background/Motivation
• NIST’s system security C&A guidance is aging (FIPS 102, 1983)
• OMB A-130, Appendix III: Security of Federal Information Resources (1996)
• Proliferation of C&A guidance:
– FIPS 102 (NIST)
– DITSCAP (DoD)
– NIACAP (NSTISSC/NSS)
• Federal Information Security Management Act 2002 (FISMA)

OMB A-130, Management of Federal Information Resources
• Requires Federal agencies to:
– Plan for security
– Implement controls commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information (called "adequate security")
– Ensure that appropriate officials are assigned security responsibility
– Authorize system processing prior to operations and periodically thereafter
• Consistent with FISMA

Federal Information Security Management Act (FISMA)
Title III of E-Government Act of 2002 (Public Law 107-347)

FISMA Requirements
• Federal agency information security (IS) program requirements
• NIST requirements
• Others (not to be addressed today)

Federal Agency Information Security Programs Must Include (1):
• Periodic assessments of the risk
• Policies and procedures that are:
– Risk-based
– Cost-effective
– Reduce IS risks to an acceptable level
– Ensure IS is addressed throughout the system life cycle
• Plans for providing adequate IS for networks, facilities, & information systems (i.e., security planning)
• Security awareness training to inform personnel (including contractors and other users of information systems) of the IS risks and their responsibilities

Federal Agency Information Security Programs Must Include (2):
• Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices with a frequency depending on risk, but no less than annually
• Plans and procedures to ensure continuity of operations
• Procedures for detecting, reporting, and responding to security incidents, including:
– Mitigating risks before substantial damage is done
– Notifying/consulting with the Federal IS incident response center, law enforcement agencies, the IG, or other agency or office, in accordance with law or as directed by the President
• A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency

FISMA Tasks for NIST
• Standards to be used by Federal agencies to categorize information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels
• Guidelines recommending the types of information and information systems to be included in each category
• Minimum information security requirements (management, operational, and technical security controls) for information and information systems in each such category

FISMA Implementation Project
• Phase I: To develop standards and guidelines for:
– Categorizing Federal information and information systems
– Selecting minimum security controls for Federal information systems
– Assessing the security controls in Federal information systems
• Phase II: To create a national network of accredited organizations capable of providing cost-effective, quality security assessment services based on the NIST standards and guidelines

FISMA Implementation Project Standards and Guidelines
• FIPS Publication 199 (Security Categorization)
• NIST Special Publication 800-37 (C&A)
• NIST Special Publication 800-53 (Security Controls)
• NIST Special Publication 800-53A (Assessment)
• NIST Special Publication 800-59 (National Security)
• NIST Special Publication 800-60 (Category Mapping)
• FIPS Publication 200 (Minimum Security Controls)

Information System Security Control Architecture (ISSCA)
• Key activities in managing risk to agency operations, agency assets, or individuals resulting from the operation of an information system:
– Categorize the information system
– Select set of minimum (baseline) security controls
– Refine the security control set based on risk assessment
– Document agreed-upon security controls in security plan
– Implement the security controls in the information system
– Assess the security controls
– Determine agency-level risk and risk acceptability
– Authorize information system operation
– Monitor security controls on a continuous basis

Information System Security Control Architecture
(Each activity is shown with the publications the diagram attaches to it.)
• Security Categorization (FIPS 199, SP 800-60): Defines category of information system according to potential impact of loss
• Security Control Selection (FIPS 200, SP 800-53): Selects minimum security controls (i.e., safeguards and countermeasures) planned or in place to protect the information system
• Security Control Refinement (FIPS 200, SP 800-53): Uses risk assessment to adjust minimum control set based on local conditions, required threat coverage, and specific agency requirements
• Security Control Documentation (SP 800-18): In system security plan, provides an overview of the security requirements for the information system and documents the security controls planned or in place
• Security Control Implementation: Implements security controls in new or legacy information systems
• Security Control Assessment (SP 800-53A, SP 800-37): Determines extent to which the security controls are implemented correctly, operating as intended, and producing desired outcome with respect to meeting security requirements
• System Authorization (SP 800-37): Determines risk to agency operations, agency assets, or individuals and, if acceptable, authorizes information system processing
• Security Control Monitoring (SP 800-37): Continuously tracks changes to the information system that may affect security controls and assesses control effectiveness

Significance of NIST’s activities to the commercial sector (1)
• ISSCA applicable to both government and commercial sector organizations
• NIST is contributing its standards/guidelines to IEEE as candidates for common industry-government standards/guidelines
• NIST minimum control sets/baselines incorporate security controls from many public and private sector sources:
– CC Part 2
– ISO/IEC 17799
– COBIT
– GAO FISCAM
– NIST SP 800-26 Self Assessment Questionnaire
– CMS (healthcare)
– D/CID 6-3 Requirements
– DoD Policy 8500
– BITS functional packages

Significance of NIST’s activities to the commercial sector (2)
• Control sets mapped to threat coverage
– Can be adjusted to widen/reduce threat coverage
– Can be adjusted based on risk analytic process
– Unique, ambitious attempt by NIST to do control mapping
• Control sets adaptable and adoptable by other communities
– Control catalogue provides a rich set of controls to meet many needs
– Communities can tailor control sets/baselines according to their needs
– Healthcare (to demonstrate HIPAA compliance)
– Other communities

Significance of NIST’s activities to the commercial sector (3)
• Based on expectations of wide adoption by US government agencies, NIST standards/guidelines may become de facto “due diligence” for the commercial sector
• Will result in accredited individuals/organizations competent to perform system security evaluations
• NIST invites industry review and comment on applicability of NIST standards/guidelines to commercial sector systems
• NIST and IEEE invite participation in security standardization activities

Contact Information
100 Bureau Drive, Mailstop 8930
Gaithersburg, MD USA 20899-8930

Project Manager: Dr. Ron Ross, (301) 975-5390, [email protected]
Assessment Program: Arnold Johnson, (301) 975-3247, [email protected]
Special Publications: Joan Hash, (301) 975-3357, [email protected]
Assessment Methodologies: Annabelle Lee, (301) 975-2941, [email protected]
Technical Advisor: Dr. Stu Katzke, (301) 975-4768, [email protected]
Gov’t and Industry Outreach: Gary Stoneburner, (301) 975-5394, [email protected]
Organizational Accreditations: Pat Toth, (301) 975-5140, [email protected]
Administrative Support: Peggy Himes, (301) 975-2489, [email protected]

Comments to: [email protected]
World Wide Web: http://csrc.nist.gov/sec-cert

Security Certification (of an IT system)
• The comprehensive assessment of the management, operational, and technical security controls in an information system
• Assessment supports the security accreditation process
• Assessment performed by security expert (may be contractor)
• Assesses (in a particular environment of operation) the extent to which the implemented security controls are:
– Correctly implemented
– Operating as intended
– Producing the desired outcome with respect to meeting the system’s security requirements

Security Certification (of an IT system) (continued)
• Determines remaining vulnerabilities in the information system based on the assessment
• The results of a security certification are used to reassess the risks and update the system security plan
• Provides the factual basis for an authorizing official to render a security accreditation decision

Security Accreditation (of an IT system)
• Official management decision to authorize operation of a system:
– Made by a senior agency official
– Is applicable to a particular environment of operation of the IT system
– Explicitly accepts the level of residual risk to agency operations (including mission, functions, image or reputation), assets, and individuals that remains after the implementation of an agreed-upon set of security controls in the IT system

Security Accreditation (of an IT system) (continued)
• Authorizing agency official accepts:
– Responsibility for system’s security
– Accountability for adverse impacts of security breaches

System Security Activities (Inside) within the System Development Life Cycle (Outside)
Legend: C = Certification; A = Accreditation
• Initiation: Categorize System; Security Planning; Risk Assessment; Determine Security Requirements; Select Security Controls
• Development/Acquisition: Security Control Development; Developmental Security Test & Evaluation (Develop Security Test Plan; Test & Evaluate Security Controls)
• Implementation: Security Control Integration; Security Accreditation (C: Determine control effectiveness; Determine & document residual vulnerabilities. A: Assess residual risk; Make accreditation determination)
• Operation/Maintenance: Configuration Management and Control; Continuous Monitoring of Security Control Effectiveness (C: Assess residual vulnerabilities. A: Assess residual risk)
• Disposal

Security Controls: Special Publication 800-53

Special Publication 800-53
The purpose of SP 800-53 is to provide:
• Guidance on how to use a FIPS Publication 199 security categorization to identify minimum security controls (baseline) for an information system
• Minimum (baseline) sets of security controls for low, moderate, and high impact information systems
• Estimated threat coverage for each baseline
• A catalog of security controls for information systems requiring additional threat coverage

Applicability
• Applicable to all Federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542
• Broadly developed from a technical perspective to complement similar guidelines issued by agencies and offices operating or exercising control over national security systems
• Provides guidance to Federal agencies until the publication of FIPS Publication 200, Minimum Security Controls for Federal Information Systems

Special Publication 800-53
• Special Publication 800-53 is not a tutorial on the security control selection process or a security engineering handbook. An additional guidance document is needed that addresses:
– Relationship of minimum security controls (baselines) to threat coverage
– Relationships among basic, enhanced, and strong controls
– How to select additional security controls from the control catalogue

Document Architecture
• Main Body
• Catalog of Security Controls (complete set)
• Minimum Security Controls for Low Impact Systems (subset of controls from catalog)
• Minimum Security Controls for Moderate Impact Systems (subset of controls from catalog)
• Minimum Security Controls for High Impact Systems (subset of controls from catalog)
• Estimated Threat Coverage

Security Categorization
FIPS Publication 199: potential impact (Low / Moderate / High) for each security objective

Confidentiality
– Low: The loss of confidentiality could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
– Moderate: The loss of confidentiality could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
– High: The loss of confidentiality could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Integrity
– Low: The loss of integrity could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
– Moderate: The loss of integrity could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
– High: The loss of integrity could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Availability
– Low: The loss of availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
– Moderate: The loss of availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
– High: The loss of availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Security Categorization
Example: Law Enforcement Witness Protection Information System
• SP 800-60 (Guidance for Mapping Types of Information and Information Systems to FIPS Publication 199 Security Categories) maps the system’s information types to FIPS Publication 199 potential impact values (Low / Moderate / High) for confidentiality, integrity, and availability, using the impact definitions of the preceding slide
• The resulting categorization leads to the Minimum Security Controls for High Impact Systems

Why High Water Mark
• Strong dependencies among security objectives of confidentiality, integrity, and availability
• In general, the impact values for all security objectives must be commensurate—a lowering of an impact value for one security objective might affect all other security objectives
• Example: A lowering of the impact value for confidentiality and the corresponding employment of weaker security controls may result in a breach of security due to an unauthorized disclosure of system password tables—thus, causing a subsequent integrity loss and denial of service…

Minimum Security Controls
• Minimum security controls and associated threat coverage in each of the designated baselines:
– Provide a starting point for organizations and communities of interest in their security control selection process
– Are used within the context of the agency’s ongoing risk management process

Terminology
• Security control strength or goodness rating defined in the control catalog as:
– Basic
– Enhanced
– Strong
• Appropriate security controls from the catalog are selected to populate the sets of minimum security controls (baselines) for:
– Low impact information systems
– Moderate impact information systems
– High impact information systems
• No direct correlation between strength/goodness rating and impact level—select the controls best suited to do the job…

Minimum Security Controls Sets
Baselines Provided by Special Publication 800-53
Security Control Catalog: complete set of basic, enhanced, and strong security controls
• Baseline #1, Minimum Security Controls for Low Impact Information Systems: selection of a subset of security controls from the catalog—all basic level controls
• Baseline #2, Minimum Security Controls for Moderate Impact Information Systems: selection of a subset of security controls from the catalog—combination of basic and enhanced controls
• Baseline #3, Minimum Security Controls for High Impact Information Systems: selection of a subset of security controls from the catalog—combination of basic, enhanced, and strong controls

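The categorization rule behind the FIPS 199 table, the high water mark, and the baseline choice from the slides above, worked through in code. This is an added example, not NIST's code or a tool from the FISMA project; the information types and their provisional impact values are constructed stand-ins for an SP 800-60 mapping, and the baseline descriptions are the three baselines listed on the slide.

```python
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact values; the ordering drives the high water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed information types for the witness-protection example; the
# provisional impact values are hypothetical, not taken from SP 800-60.
INFO_TYPE_IMPACTS = {
    "witness identity records": {
        "confidentiality": Impact.HIGH,
        "integrity": Impact.HIGH,
        "availability": Impact.MODERATE,
    },
    "case scheduling": {
        "confidentiality": Impact.LOW,
        "integrity": Impact.MODERATE,
        "availability": Impact.LOW,
    },
}

# The three SP 800-53 baselines as described on the slide.
BASELINES = {
    Impact.LOW: ("Baseline #1", "all basic level controls"),
    Impact.MODERATE: ("Baseline #2", "combination of basic and enhanced controls"),
    Impact.HIGH: ("Baseline #3", "combination of basic, enhanced, and strong controls"),
}


def categorize_system(info_types, mapping=INFO_TYPE_IMPACTS):
    """FIPS 199 security category of a system: for each security objective,
    the highest provisional impact over every information type it handles."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    return {
        objective: max(mapping[t][objective] for t in info_types)
        for objective in OBJECTIVES
    }


def high_water_mark(category):
    """System impact level that selects a baseline: the highest impact across
    confidentiality, integrity, and availability."""
    return max(category[objective] for objective in OBJECTIVES)


def select_baseline(category):
    """Baseline number and its catalog composition for the system's impact level."""
    return BASELINES[high_water_mark(category)]


def check_commensurate(category):
    """Objectives whose impact sits below the high water mark. These are where
    weaker controls could undercut the other objectives (the slides' example:
    a disclosed password table turning a confidentiality loss into integrity
    loss and denial of service), so they deserve explicit review."""
    hwm = high_water_mark(category)
    return [objective for objective in OBJECTIVES if category[objective] < hwm]


if __name__ == "__main__":
    sc = categorize_system(["witness identity records", "case scheduling"])
    print("SC =", {o: sc[o].name for o in OBJECTIVES})
    print("baseline:", select_baseline(sc))
    print("below high water mark:", check_commensurate(sc))
```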
Estimated Threat Coverage
Provided by Special Publication 800-53
Security Control Catalog: complete set of basic, enhanced, and strong security controls
• Minimum Security Controls for Low Impact Information Systems: Low Baseline Estimated Threat Coverage
• Minimum Security Controls for Moderate Impact Information Systems: Moderate Baseline Estimated Threat Coverage
• Minimum Security Controls for High Impact Information Systems: High Baseline Estimated Threat Coverage

Security Control Refinement
Agency-level Activity Guided by Risk Assessment
• Starting point: the Security Control Catalog (complete set of basic, enhanced, and strong security controls) supplies the Minimum Security Controls for the system’s impact level (e.g., Moderate Impact Information Systems), with the baseline’s Estimated Threat Coverage as the initial coverage
• Risk assessment process incorporates local conditions and specific agency requirements to adjust the initial set of security controls
• Additional security controls selected from the catalog provide additional threat coverage

Tagging of Security Controls
Why aren’t security controls partitioned by security objectives (e.g., C, I, A)?
• In general, it is difficult to assign proper security objectives (i.e., confidentiality, integrity, or availability) to individual security controls
• In many cases, multiple security objectives apply to a single security control
• Availability may be the exception due to the potential for downgrading availability impact values during FIPS 199 security categorizations

Cost Effective Implementation: Common Security Controls

Common Security Controls
• Common security controls are those controls that can be applied to one or more agency information systems and have the following properties:
– The development, implementation, and assessment of common security controls can be assigned to responsible officials or organizational elements (other than the information system owner)
– The results from the assessment of the common security controls can be reused in security certifications and accreditations of agency information systems where those controls have been applied

Common Security Controls
• Identification of common security controls is an agency-level activity in collaboration with Chief Information Officer, authorizing officials, information system owners, system security managers, and system security officers
• Potential for significant cost savings for the agency in security control development, implementation, and assessment

Common Security Controls
• Common security controls can be applied agency-wide, site-wide, or to common subsystems and assessed accordingly. For example:
– Contingency planning
– Incident response planning
– Security training and awareness
– Physical and personnel security *
– Common hardware, software, or firmware **
* Related to the concept of site certification in certain communities
** Related to the concept of type certification in certain communities

Common Security Controls
Example: Moderate Impact Agency Information Systems
System Specific Security Controls: responsibility of information system owners
Common Security Controls: responsibility of a designated agency official other than the information system owner (e.g., Chief Information Officer, Facilities Manager, etc.)
• Common security controls developed, implemented, and assessed one time by designated agency official(s)
• Development and implementation cost amortized across all agency information systems
• Results shared among all information system owners and authorizing officials where common security controls are applied
• Security assessment reports provided to information system owners to confirm the security status of common security controls
• Assessments of common security controls not repeated; only system specific aspects when necessary
• Maximum re-use of assessment evidence during security certification and accreditation of information systems

Certification & Accreditation: Special Publication 800-37

System Security Activities (Inside) within the System Development Life Cycle (Outside)
(Repeats the life-cycle diagram shown earlier in the Security Certification section.)

Key Roles
• Authorizing Official
• Authorizing Official Designated Representative
• Chief Information Officer
• Senior Agency Information Security Officer
• Information System Owner
• Information System Security Officer
• Certification Agent
• User Representatives

Authorizing Official
• Reviews and approves the security categorizations of information systems
• Reviews and approves system security plans
• Determines agency-level risk from information generated during the security certification
• Makes accreditation decisions and signs associated transmittal letters for accreditation packages (authorizing official only)
• Reviews security status reports from continuous monitoring operations; initiates reaccreditation actions

Designated Representative
• Selected by the authorizing official to coordinate and carry out the necessary activities required during the security certification and accreditation process
• Empowered to make certain decisions with regard to the:
– Planning and resourcing of the security certification and accreditation activities
– Acceptance of the system security plan
– Determination of risk to agency operations, assets, and individuals
• Prepares accreditation decision letter
• Obtains authorizing official’s signature on the accreditation decision letter and transmits accreditation package to appropriate agency officials

Chief Information Officer
• Designates a senior agency information security officer
• Develops and maintains information security policies, procedures, and control techniques to address all applicable requirements
• Trains and oversees personnel with significant responsibilities for information security
• Assists senior agency officials concerning their security responsibilities
• Coordinates with other senior agency officials, reporting annually to the agency head on the effectiveness of the agency information security program

Senior Agency Information Security Officer
• Serves in a position with primary responsibilities and duties related to information security
• Carries out the Chief Information Officer responsibilities under FISMA
• Possesses professional qualifications required to administer information security program functions
• Heads an office with the mission and resources to assist in ensuring agency compliance with FISMA

Information System Owner
• Procures, develops, integrates, modifies, operates or maintains an information system
• Prepares system security plan and conducts risk assessment
• Informs agency officials of the need for certification and accreditation; ensures appropriate resources are available
• Provides necessary system-related documentation to the certification agent
• Prepares plan of action and milestones to reduce or eliminate vulnerabilities in the information system
• Assembles final accreditation package and submits to authorizing official

Information System Security Officer
• Serves as principal staff advisor to the system owner on all matters involving the security of the information system
• Manages the security aspects of the information system and, in some cases, oversees the day-to-day security operations of the system
• Assists the system owner in:
– Developing and enforcing security policies for the information system
– Assembling the security accreditation package
– Managing and controlling changes to the information system and assessing the security impacts of those changes

Certification Agent
• Provides an independent assessment of the system security plan
• Assesses the security controls in the information system to determine the extent to which the controls are:
– Implemented correctly;
– Operating as intended; and
– Producing the desired outcome with respect to meeting the security requirements of the system
• Provides recommended corrective actions to reduce or eliminate vulnerabilities in the information system

User Representatives
• Represent the operational interests and mission needs of the user community
• Identify mission and operational requirements
• Serve as liaisons for the user community throughout the system development life cycle
• Assist in the security certification and accreditation process, when needed

Other Supporting Roles
• Information Owner
• Operations Manager
• Facilities Manager
• System Administrator

Accreditation Boundaries
• Uniquely assigning information resources to an information system defines the security accreditation boundary for that system
• Agencies have great flexibility in determining what constitutes an information system and the resulting accreditation boundary that is associated with that system

Accreditation Boundaries
• If a set of information resources is identified as an information system, the resources should generally be under the same direct management control
• Consider if the information resources being identified as an information system:
– Have the same function or mission objective and essentially the same operating characteristics and security needs
– Reside in the same general operating environment (or in the case of a distributed information system, reside in various locations with similar operating environments)

Large and Complex Systems
[Figure: an accreditation boundary drawn around an agency general support system that is decomposed into subsystems and components spanning Local Area Network Alpha and Local Area Network Bravo, with a system guard between the two networks]
• System security plan reflects information system decomposition with adequate security controls assigned to each subsystem component
• Security assessment methods and procedures tailored for the security controls in each subsystem component and for the combined system level
• Security certification performed on each subsystem component and on system-level controls not covered by subsystem certifications
• Security accreditation performed on the information system as a whole
Common Security Controls
• Common security controls are those controls that can be applied to one or more agency information systems and have the following properties:
  – The development, implementation, and assessment of common security controls can be assigned to responsible officials or organizational elements (other than the information system owner)
  – The results from the assessment of the common security controls can be reused in security certifications and accreditations of agency information systems where those controls have been applied
Common Security Controls
• Identification of common security controls is an agency-level activity in collaboration with the Chief Information Officer, authorizing officials, information system owners, system security managers, and system security officers
• Potential for significant cost savings for the agency in security control development, implementation, and assessment
Common Security Controls
• Common security controls can be applied agency-wide, site-wide, or to common subsystems and assessed accordingly. For example:
  – Contingency planning
  – Incident response planning
  – Security training and awareness
  – Physical and personnel security *
  – Common hardware, software, or firmware **
* Related to the concept of site certification in certain communities
** Related to the concept of type certification in certain communities
Common Security Controls
Example: Moderate Impact Agency Information Systems
[Figure: the security controls of each agency information system are split into system-specific security controls (responsibility of information system owners) and common security controls (responsibility of a designated agency official other than the information system owner, e.g., Chief Information Officer, Facilities Manager, etc.)]
• Common security controls developed, implemented, and assessed one time by designated agency official(s)
• Maximum re-use of assessment evidence during security certification and accreditation of information systems
• Security assessment reports provided to information system owners to confirm the security status of common security controls
• Assessments of common security controls not repeated; only system-specific aspects are assessed, when necessary
• Development and implementation cost amortized across all agency information systems
• Results shared among all information system owners and authorizing officials where common security controls are applied
Accreditation Decisions
• Full Authorization To Operate
• Interim Approval To Operate
• Denial of Authorization To Operate
Full Authorization To Operate
• Risk to agency operations, agency assets, or individuals is deemed fully acceptable to the authorizing official
• Information system is accredited without any significant restrictions or limitations on its operation
• Authorizing officials may recommend specific actions be taken to reduce or eliminate identified vulnerabilities, where it is cost effective to do so
Interim Approval To Operate
• Risk to agency operations, agency assets, or individuals is not deemed fully acceptable to the authorizing official, but there is an overarching mission necessity to place the information system into operation or continue its operation
• Limited authorization to operate the information system under specific terms and conditions
• Acknowledges greater risk to the agency for a limited period of time
Interim Approval To Operate
• Terms and conditions, established by the authorizing official, convey limitations on information system operations
• Information system is not considered accredited during the period of limited authorization to operate
• Maximum allowable timeframe for an interim approval to operate should generally not exceed one year, including all extensions
Interim Approval To Operate
• At the end of the period of limited authorization, the information system should either meet the requirements for being fully authorized or not be authorized for further operation
• Renewals or extensions to interim approvals to operate should be discouraged and approved by authorizing officials only under the most extenuating circumstances
• Security control effectiveness should be monitored during the period of limited authorization
Denial of Authorization To Operate
• The residual risk to the agency's operations or assets is deemed unacceptable to the authorizing official
• Information system is not accredited and should not be placed into operation; for an information system currently in operation, all activity should be halted
• Major deficiencies in the security controls in the information system: corrective actions should be initiated immediately
Accreditation Package
• Approved system security plan
• Security assessment report
• Plan of action and milestones
Accreditation Package
• Documents the results of the security certification
• Provides the authorizing official with the essential information needed to make a credible risk-based decision on whether to authorize operation of the information system
• Uses inputs from the information system security officer and the certification agent
System Security Plan
• Prepared by the information system owner
• Provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements
• Contains (either as supporting appendices or as references) other key security-related documents for the information system (e.g., risk assessment, contingency plan, incident response plan, system interconnection agreements)
Security Assessment Report
• Prepared by the certification agent
• Provides the results of assessing the security controls in the information system to determine the extent to which the controls are:
  – Implemented correctly
  – Operating as intended
  – Producing the desired outcome with respect to meeting the system security requirements
• Contains a list of recommended corrective actions
Plan of Action and Milestones
• Prepared by the system owner
• Describes the measures that have been implemented or planned to:
  – Correct any deficiencies noted during the assessment of the security controls
  – Reduce or eliminate known vulnerabilities in the information system
Accreditation Decision Letter
• Constructed from information provided by the information system owner in the accreditation package
• Consists of:
  – Accreditation decision
  – Supporting rationale for the decision
  – Specific terms and conditions imposed on the system owner
Note: The contents of security certification and accreditation-related documentation (especially information dealing with system vulnerabilities) should be marked and protected appropriately in accordance with agency policy.
The C&A Process
• Initiation Phase
• Security Certification Phase
• Security Accreditation Phase
• Continuous Monitoring Phase
Initiation Phase
Major Tasks and Subtasks
• Task 1: Preparation
  – Subtask 1.1: Information System Description
  – Subtask 1.2: Security Categorization
  – Subtask 1.3: Threat Identification
  – Subtask 1.4: Vulnerability Identification
  – Subtask 1.5: Security Control Identification
  – Subtask 1.6: Initial Risk Determination
• Task 2: Notification and Resource Identification
  – Subtask 2.1: Notification
  – Subtask 2.2: Planning and Resources
Initiation Phase
Major Tasks and Subtasks
• Task 3: System Security Plan Analysis, Update, and Acceptance
  – Subtask 3.1: Security Categorization Review
  – Subtask 3.2: System Security Plan Analysis
  – Subtask 3.3: System Security Plan Update
  – Subtask 3.4: System Security Plan Acceptance
Security Certification Phase
Major Tasks and Subtasks
• Task 4: Security Control Assessment
  – Subtask 4.1: Documentation and Supporting Materials
  – Subtask 4.2: Reuse of Assessment Results
  – Subtask 4.3: Methods and Procedures
  – Subtask 4.4: Security Assessment
  – Subtask 4.5: Security Assessment Report
• Task 5: Security Certification Documentation
  – Subtask 5.1: Findings and Recommendations
  – Subtask 5.2: System Security Plan Update
  – Subtask 5.3: Accreditation Package Assembly
Security Accreditation Phase
Major Tasks and Subtasks
• Task 6: Accreditation Decision
  – Subtask 6.1: Final Risk Determination
  – Subtask 6.2: Risk Acceptability
• Task 7: Accreditation Documentation
  – Subtask 7.1: Accreditation Package Transmission
  – Subtask 7.2: System Security Plan Update
Continuous Monitoring Phase
Major Tasks and Subtasks
• Task 8: Configuration Management and Control
  – Subtask 8.1: Documentation of System Changes
  – Subtask 8.2: Security Impact Analysis
• Task 9: Security Control Monitoring
  – Subtask 9.1: Security Control Selection
  – Subtask 9.2: Selected Security Control Assessment
• Task 10: Status Reporting and Documentation
  – Subtask 10.1: System Security Plan Update
  – Subtask 10.2: Status Reporting
Certification and Accreditation
For Low Impact Information Systems
• Incorporates the use of self-assessment activities
• Reduces the associated level of supporting documentation and paperwork
• Decreases the time spent conducting assessment-related activities
• Significantly reduces costs to the agency without increasing agency-level risk or sacrificing the overall security of the information system
Summary
The Bottom Line
• Standardized security controls facilitate:
  – More consistent, comparable specifications of security controls for information systems
  – Comparability of security plans among business/mission partners
  – A better understanding of the effectiveness of business/mission partners' security controls and the vulnerabilities in their information systems
  – Greater insight into business/mission partners' due diligence with regard to security and tolerance for agency-level, mission-related risk
NIST Standards and Guidelines
Are intended to promote and facilitate:
• More consistent, comparable specifications of security controls for information systems
• More consistent, comparable, and repeatable security assessments of information systems
• More complete and reliable security-related information for authorizing officials
• A better understanding of complex information systems and associated risks and vulnerabilities
• Greater availability of competent security assessment services
FISMA Implementation Project
Standards and Guidelines
• FIPS Publication 199 (Security Categorization)
• NIST Special Publication 800-37 (C&A)
• NIST Special Publication 800-53 (Security Controls)
• NIST Special Publication 800-53A (Assessment)
• NIST Special Publication 800-59 (National Security)
• NIST Special Publication 800-60 (Category Mapping)
• FIPS Publication 200 (Minimum Security Controls)
Contact Information
100 Bureau Drive Mailstop 8930
Gaithersburg, MD USA 20899-8930
Project Manager
Assessment Program
Dr. Ron Ross
(301) 975-5390
[email protected]
Arnold Johnson
(301) 975-3247
[email protected]
Special Publications
Assessment Methodologies
Joan Hash
(301) 975-3357
[email protected]
Annabelle Lee
(301) 975-2941
[email protected]
Gov’t and Industry Outreach
Technical Advisor
Dr. Stu Katzke
(301) 975-4768
[email protected]
Gary Stoneburner
(301) 975-5394
[email protected]
Organizational Accreditations
Administrative Support
Pat Toth
(301) 975-5140
[email protected]
Peggy Himes
(301) 975-2489
[email protected]
Comments to: [email protected]
World Wide Web: http://csrc.nist.gov/sec-cert