
Dr. Ron Ross & Dr. Stuart Katzke Computer Security Division Information Technology Laboratory

The New FISMA Standards and Guidelines or Building More Secure Information Systems A Strategy for Effectively Applying the Provisions of FISMA. Dr. Ron Ross & Dr. Stuart Katzke Computer Security Division Information Technology Laboratory. Presentation Contents. Part I: Overview



Presentation Transcript


  1. The New FISMA Standards and Guidelines, or Building More Secure Information Systems: A Strategy for Effectively Applying the Provisions of FISMA. Dr. Ron Ross & Dr. Stuart Katzke, Computer Security Division, Information Technology Laboratory

  2. Presentation Contents
  • Part I: Overview
    • Setting the stage/motivation/background
    • NIST’s Federal Information Security Management Act (FISMA) of 2002 Implementation Project: A Risk Management Framework (RMF)
  • Part II: Details
    • FIPS 199: Security Categorization
    • Special Publication (SP) 800-60: Categories Mapping Guidelines
    • SP 800-53: Security Control Selection (Minimum/Baseline Controls)
    • The Development and Vetting of SP 800-53
    • SP 800-37: Security Certification and Accreditation
    • SP 800-53A: Security Control Assessment

  3. Part I: Overview

  4. The Information Age • Information systems are an integral part of government and business operations today • Information systems are changing the way we do business and interact as a society • Information systems are driving a reengineering of business processes in all sectors including defense, healthcare, manufacturing, financial services, etc. • Information systems are driving a transition from a paper-based society to a digital society

  5. The Protection Gap • Information system protection measures have not kept pace with rapidly advancing technologies • Information security programs have not kept pace with the aggressive deployment of information technologies within enterprises • Two-tiered approach to security (i.e., national security community vs. everyone else) has left significant parts of the critical infrastructure vulnerable

  6. The Global Threat • Information security is not just a paperwork drill…there are dangerous adversaries out there capable of launching serious attacks on our information systems that can result in severe or catastrophic damage to the nation’s critical information infrastructure and ultimately threaten our economic and national security…

  7. U.S. Critical Infrastructures: Definition • “...systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters.” -- USA Patriot Act (P.L. 107-56)

  8. U.S. Critical Infrastructures: Examples • Energy (electrical, nuclear, gas and oil, dams) • Transportation (air, road, rail, port, waterways) • Public Health Systems / Emergency Services • Information and Telecommunications • Defense Industry • Banking and Finance • Postal and Shipping • Agriculture / Food / Water • Chemical

  9. Critical Infrastructure Protection • The U.S. critical infrastructures are over 90% owned and operated by the private sector • Critical infrastructure protection must be a partnership between the public and private sectors • Information security solutions must be broad-based, consensus-driven, and address the ongoing needs of government and industry

  10. [Figure slide; only the labels survive: Connectivity, Complexity, Threats to Security]

  11. Key Security Challenges • Adequately protecting enterprise information systems within constrained budgets • Changing the current culture of: “Connect first…ask security questions later” • Bringing standardization to: • Information system security control selection and specification • Methods and procedures employed to assess the correctness and effectiveness of those controls

  12. Why Standardization? Security Visibility Among Business/Mission Partners [Diagram: Organization One Information System and Organization Two Information System connected by a business/mission information flow, with security information exchanged in both directions (shown as "?" on each side); each organization is determining the risk to its own operations and assets and the acceptability of such risk] The objective is to achieve visibility into prospective business/mission partners’ information security programs BEFORE critical/sensitive communications begin…establishing levels of security due diligence.

  13. NIST’s Federal Information Security Management Act (FISMA) of 2002 Implementation Project: a Risk Management Framework (RMF)

  14. FISMA Implementation Project Drivers • Technical • Legislative and Policy

  15. Project Drivers: Technical • NIST’s system security certification and accreditation (C&A) guidance aging (FIPS 102--1983) • Proliferation of C&A guidance • FIPS 102 (NIST) • DITSCAP (DoD) • NIACAP (NSTISSC/NSS) • Attempt to achieve government-wide C&A convergence • Attempt to integrate new and existing guidance in a comprehensive risk management framework

  16. Project Drivers: Legislative and Policy • Public Law 107-347 (Title III) Federal Information Security Management Act of 2002 • Public Law 107-305 Cyber Security Research and Development Act of 2002 • Homeland Security Presidential Directive #7 Critical Infrastructure Identification, Prioritization, and Protection • OMB Circular A-130 (Appendix III) Security of Federal Automated Information Resources

  17. Security Checklists: CSRDA Requirement • Develop and disseminate security configuration checklists and option selections that minimize the security risks associated with commercial information technology products that are, or are likely to become, widely used within federal information systems • Publication status: • NIST Special Publication 800-70, “The NIST Security Configuration Checklists Program” • Initial Public Draft: August 2004

  18. FISMA Legislation: Overview “Each federal agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source…” -- Federal Information Security Management Act of 2002

  19. FISMA Tasks for NIST • Standards to be used by Federal agencies to categorize information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels • Guidelines recommending the types of information and information systems to be included in each category • Minimum information security requirements (management, operational, and technical security controls) for information and information systems in each such category

  20. FISMA Implementation Project • FISMA-related standards and guidelines tightly coupled to the suite of NIST Management and Technical Guidelines • Described within the context of System Development Life Cycle (SDLC) http://csrc.nist.gov/SDLCinfosec

  21. FISMA Implementation Project Standards and Guidelines (1) • New Standards and Guidelines • FIPS Publication 199 (Security Categorization) • NIST Special Publication 800-37 (Certification & Accreditation) • NIST Special Publication 800-53 (Recommended Security Controls) • NIST Special Publication 800-53A (Security Control Assessment) • NIST Special Publication 800-59 (National Security Systems) • NIST Special Publication 800-60 (Security Category Mapping) • FIPS Publication 200 (Minimum Security Controls)

  22. FISMA Implementation Project Standards and Guidelines (2) • Existing Standards and Guidelines • NIST Special Publication 800-30 (Risk Management) • NIST Special Publication 800-18 (Security Plan Development) • NIST Special Publication 800-64 (System Development Life Cycle) • NIST Special Publication 800-70 (Security Configuration Checklists)

  23. FISMA Implementation Project: Overall Goals • Helping to achieve more secure information systems within the federal government by: • A better understanding of mission risks resulting from the operation of information systems • A standard approach for selecting baseline controls • More consistent, comparable and repeatable assessments of security controls in federal systems • More complete, reliable and trustworthy information to support authorizing officials, facilitating more informed accreditation decisions

  24. Managing Enterprise Risk • Key activities in managing organizational-level risk (risk to the organization resulting from the operation of an information system):
  • Categorize the information system
  • Select set of minimum (baseline) security controls
  • Refine the security control set based on risk assessment
  • Document security controls in system security plan
  • Implement the security controls in the information system
  • Assess the security controls (C&A)
  • Determine agency-level risk and risk acceptability (C&A)
  • Authorize information system operation (C&A)
  • Monitor security controls on a continuous basis (C&A)

  25. FISMA Implementation Project: Risk Management Framework (RMF) [Diagram; the boxes, their governing publications and their descriptions are recovered below in the order of the slide-24 activities]
  • Security Categorization (FIPS 199 / SP 800-60): Defines category of information system according to potential impact of loss
  • Security Control Selection (SP 800-53 / FIPS 200): Selects minimum security controls (i.e., safeguards and countermeasures) planned or in place to protect the information system
  • Security Control Refinement (SP 800-53 / FIPS 200 / SP 800-30): Uses risk assessment to adjust minimum control set based on local conditions, required threat coverage, and specific agency requirements
  • Security Control Documentation (SP 800-18): In system security plan, provides an overview of the security requirements for the information system and documents the security controls planned or in place
  • Security Control Implementation (SP 800-64 / SP 800-70): Implements security controls in new or legacy information systems; implements security configuration checklists
  • Security Control Assessment (SP 800-53A / SP 800-37): Determines extent to which the security controls are implemented correctly, operating as intended, and producing desired outcome with respect to meeting security requirements
  • System Authorization (SP 800-37): Determines risk to agency operations, agency assets, or individuals and, if acceptable, authorizes information system processing
  • Security Control Monitoring (SP 800-37): Continuously tracks changes to the information system that may affect security controls and assesses control effectiveness

  26. Security Objectives • Confidentiality • “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” [44 U.S.C., Sec. 3542] • Integrity • “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…” [44 U.S.C., Sec. 3542] • Availability • “Ensuring timely and reliable access to and use of information…” [44 U.S.C., Sec. 3542]

  27. FIPS 199 Levels of Impact
  • The level of impact is low if the event could be expected to have a limited adverse effect on agency operations (including mission, functions, image or reputation), agency assets, or individuals. The event causes a negative outcome or results in limited damage to operations or assets, requiring minor corrective actions or repairs.
  • The level of impact is moderate if the event could be expected to have a serious adverse effect on agency operations (including mission, functions, image or reputation), agency assets, or individuals. The event causes significant degradation in mission capability, places the agency at a significant disadvantage, or results in major damage to assets, requiring extensive corrective actions or repairs.
  • The level of impact is high if the event could be expected to have a severe or catastrophic adverse effect on agency operations (including mission, functions, image or reputation), agency assets, or individuals. The event causes a loss of mission capability for a period that poses a threat to human life, or results in a loss of major assets.

  28. [Figure slide] SP 800-60 Security Categorization Example: An Enterprise Information System (Guidance for Mapping Types of Information and Information Systems to FIPS Publication 199 Security Categories)

  29. [Figure slide] SP 800-60 Security Categorization Example: An Enterprise Information System (Guidance for Mapping Types of Information and Information Systems to FIPS Publication 199 Security Categories); Minimum Security Controls for High Impact Systems

  30. The Desired End State: Security Visibility Among Business/Mission Partners [Diagram: Organization One Information System and Organization Two Information System connected by a business/mission information flow; each side shares its System Security Plan, Security Assessment Report and Plan of Action and Milestones as security information, and each organization is determining the risk to its own operations and assets and the acceptability of such risk] The objective is to achieve visibility into prospective business/mission partners’ information security programs BEFORE critical/sensitive communications begin…establishing levels of security due diligence.

  31. System Security Plan • Prepared by the information system owner • Provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements • Contains (either as supporting appendices or as references) other key security-related documents for the information system (e.g., risk assessment, contingency plan, incident response plan, system interconnection agreements)

  32. RMF: Significant Features (1) • Standard categorization method, based on the worst-case impact to the enterprise if the system is compromised • Supports scalability and prioritization • Level of effort commensurate with security categorization • Apply effort to highest impact systems first • Is generic • Applies to all types of systems • Focuses on the process for the selection, implementation, & assessment of controls

  33. RMF: Significant Features (2) • Master control catalogue derived from many public and private sector sources: • CC Part 2 • ISO/IEC 17799 • COBIT • GAO FISCAM • NIST SP 800-26 Self Assessment Questionnaire • CMS (healthcare) • D/CID 6-3 Requirements • DoD Policy 8500 • BITS functional packages

  34. RMF: Significant Features (3) • Minimum/baseline controls for Low, Moderate, & High impact systems were selected from master control catalogue • Hierarchical • Increase in functionality • Assurance requirements • Baseline dependent: one for each baseline • Increase control developer/implementer's analysis and evidence to demonstrate implementation quality, correctness, and confidence
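The slides state the categorization rule (slide 27 gives the low/moderate/high impact definitions, slide 32 says a system is categorized on the worst-case impact, and slide 34 says the Low/Moderate/High control baseline follows from that category) but show no worked case. The following Python is an added example, not material from the presentation or from NIST: it applies the FIPS 199 high-water-mark rule across the information types a system processes and derives the overall impact level that selects the baseline. The information types, their provisional impact levels and the "special factors" adjustment are constructed sample data, not values from SP 800-60. Two FIPS 199 rules the code enforces are that "not applicable" is allowed only for the confidentiality of an information type, and that a system's category is never below LOW for any objective.

```python
# Added example (not from the presentation): FIPS 199 security categorization
# of an information system from the information types it processes, using the
# worst-case ("high water mark") rule the slides describe. The information
# types, provisional impact levels and adjustments below are constructed
# sample data, not values taken from SP 800-60.
from dataclasses import dataclass, field
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact values. NOT_APPLICABLE is permitted by FIPS 199
    only for the confidentiality objective of an information type, never for a
    system."""
    NOT_APPLICABLE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass
class InformationType:
    name: str
    provisional: dict                      # objective -> Impact (provisional level)
    # objective -> (Impact, justification). An adjustment for local "special
    # factors" must carry a written justification or it is rejected.
    adjustments: dict = field(default_factory=dict)

    def category(self) -> dict:
        """Effective security category of this information type after adjustments."""
        result = {}
        for obj in OBJECTIVES:
            level = self.provisional[obj]
            if obj in self.adjustments:
                level, why = self.adjustments[obj]
                if not why.strip():
                    raise ValueError(f"{self.name}: adjustment of {obj} needs a justification")
            if level == Impact.NOT_APPLICABLE and obj != "confidentiality":
                raise ValueError(f"{self.name}: {obj} cannot be 'not applicable'")
            result[obj] = level
        return result


def system_security_category(info_types) -> dict:
    """High water mark: per objective, the highest impact among all information
    types the system handles. The floor for a system is LOW on every objective."""
    sc = {obj: Impact.LOW for obj in OBJECTIVES}
    for it in info_types:
        for obj, level in it.category().items():
            sc[obj] = max(sc[obj], level)
    return sc


def system_impact_level(sc: dict) -> Impact:
    """Overall impact level that selects the Low/Moderate/High control baseline:
    the highest value across the three objectives."""
    return max(sc.values())


def format_sc(sc: dict) -> str:
    """Render a category in the FIPS 199 notation SC = {(objective, impact), ...}."""
    return "SC = {" + ", ".join(f"({obj}, {sc[obj].name})" for obj in OBJECTIVES) + "}"


# Constructed sample information types for one hypothetical enterprise system.
SAMPLE_TYPES = [
    InformationType("public web content",
                    {"confidentiality": Impact.NOT_APPLICABLE,
                     "integrity": Impact.MODERATE,
                     "availability": Impact.LOW}),
    InformationType("employee personnel records",
                    {"confidentiality": Impact.MODERATE,
                     "integrity": Impact.MODERATE,
                     "availability": Impact.LOW}),
    InformationType("emergency dispatch coordination",
                    {"confidentiality": Impact.LOW,
                     "integrity": Impact.MODERATE,
                     "availability": Impact.MODERATE},
                    # hypothetical special-factor adjustment, with its justification
                    adjustments={"availability": (
                        Impact.HIGH,
                        "loss of availability during an incident could endanger life")}),
]

if __name__ == "__main__":
    for it in SAMPLE_TYPES:
        print(f"{it.name:35s} {format_sc(it.category())}")
    sc = system_security_category(SAMPLE_TYPES)
    print("system:", format_sc(sc), "->", system_impact_level(sc).name, "baseline")
```

Running the block prints each information type's category and then the system category, SC = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, HIGH)}, which makes this a High-impact system for baseline selection even though no single information type is high on more than one objective; that is the "apply effort to highest impact systems first" prioritization the slides describe, and it is why a single adjusted availability rating deserves a documented justification.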

  35. RMF: Significant Features (4) • Assurance requirements are related to and support control assessment approach • Common security controls concept • Agency-wide (e.g., training, personnel security) • Site-wide (e.g., physical security, contingency plan) • Common subsystem (e.g., deployed at multiple sites)

  36. RMF: Significant Features (5) • C&A for low impact systems • Allows self assessment • Scaled level of effort • Controls can be added to the control catalogue and new baselines developed to meet requirements of community-specific applications/systems • SCADA/real-time processing • Healthcare/HIPAA • Financial/Sarbanes-Oxley

  37. RMF: Significant Features (6) • Possibility of becoming “due diligence” in commercial and other sectors through: • Government critical infrastructure liaisons to private sector counterparts (e.g., energy, financial, transportation) • Extension of government security standards and requirements to systems operated on behalf of the federal government • State and local governments • Contractors and IT service providers

  38. Contact Information
  100 Bureau Drive, Mailstop 8930, Gaithersburg, MD USA 20899-8930
  • Project Manager: Dr. Ron Ross, (301) 975-5390, ron.ross@nist.gov
  • Administrative Support: Peggy Himes, (301) 975-2489, peggy.himes@nist.gov
  • Senior Information Security Researchers and Technical Support:
    • Marianne Swanson, (301) 975-3293, marianne.swanson@nist.gov
    • Dr. Stu Katzke, (301) 975-4768, skatzke@nist.gov
    • Pat Toth, (301) 975-5140, patricia.toth@nist.gov
    • Arnold Johnson, (301) 975-3247, arnold.johnson@nist.gov
    • Curt Barker, (301) 975-4768, wbarker@nist.gov
  • Information and Feedback: Web: csrc.nist.gov/sec-cert; Comments: sec-cert@nist.gov

  39. Part II: Details • Security Categorization • Categories Mapping Guidelines • Security Control Selection • Security Certification and Accreditation • Security Control Assessment • Desired End State/Conclusion • Security Control Selection Vetting Process

  40. Security Categorization FIPS 199: Standards for Security Categorization of Federal Information and Information Systems

  41. Categorization Standards: FISMA Requirement • Develop standards to be used by federal agencies to categorize information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels • Publication status: • Federal Information Processing Standards (FIPS) Publication 199, “Standards for Security Categorization of Federal Information and Information Systems” • Final Publication: December 2003* (*FIPS Publication 199 was signed by the Secretary of Commerce in February 2004.)

  42. FIPS Publication 199 • FIPS 199 is critically important to enterprises because the standard— • Requires prioritization of information systems according to potential impact on mission or business operations • Promotes effective allocation of limited information security resources according to greatest need • Facilitates effective application of security controls to achieve adequate information security • Establishes appropriate expectations for information system protection

  43. FIPS 199 Applications • FIPS 199 should guide the rigor, intensity, and scope of all information security-related activities within the enterprise including— • The application and allocation of security controls within information systems • The assessment of security controls to determine control effectiveness • Information system authorizations or accreditations • Oversight, reporting requirements, and performance metrics for security effectiveness and compliance

  44. [Figure slide] SP 800-60 Security Categorization Example: An Enterprise Information System (Guidance for Mapping Types of Information and Information Systems to FIPS Publication 199 Security Categories)

  45. Categories Mapping Guidelines SP 800-60: Guide for Mapping Types of Information and Information Systems to Security Categories

  46. Mapping Guidelines: FISMA Requirement • Develop guidelines recommending the types of information and information systems to be included in each category • Publication status: • NIST Special Publication 800-60, “Guide for Mapping Types of Information and Information Systems to Security Categories” • Final Publication: June 2004

  47. SP 800-60 • Companion to FIPS 199 • Rationale by Identified Lines of Business • Offers guidance on Special Factors to be considered in addressing system impact

  48. SP 800-60 Overview • Types of information • Agency-common: administrative, management and support information • Mission-based: mission information and service delivery mechanisms • Service delivery mechanisms provide policy, programmatic, and managerial foundation in support of Federal government operations • Security attributes of information associated with mission-specific activities will often vary from agency to agency

  49. SP 800-60 Overview (concluded) • Support services and management of resources functions are included in agency-common information types • Services to citizens and modes of delivery types are included in mission-based information types

  50. Security Control Selection (Minimum/Baseline Controls) NIST Special Publication 800-53: Recommended Security Controls for Federal Information Systems “Building a National Consensus For Due Diligence in the Application of Minimum Security Controls for Information Systems”
