1 NIST, FIPS, and you... Bob Grill Medi-Cal ISO July 16, 2009

2 NIST FIPS FISMA NIST OMB A-130

3 Security Characteristics Dynamic  Definition of security changing continuously.  Extremely expensive and does not increase productivity.  Not visible to daily operations -- unless something bad happens.  Can’t fix it immediately.  Define “Risk” to Avoid “Cost”.  Have to know immediately. Governance  Set Standards, change standard continuously. NIST  Security has been legislated and made mandatory. (OMB A-130)  Continuous Monitoring to address volatile controls.  Manual or Rapidly Changing Env.  Control Change – Security Risk Assessment Process  Periodic independent Security Certification and Accreditation.  Plan of Action and Milestones  Set Baseline Standards.  Host Intrusion Detection  Logging and Monitoring

4 FISMA Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. § 3541, et seq.)  U.S. federal law enacted in 2002 as Title III of the E- Government Act of 2002 ~(Pub.L , 116 Stat. 2899).  The act was meant to bolster computer and network security within the federal government and affiliated parties (such as government contractors) by mandating yearly audits.

5 FISMA Says Follow FIPS Federal Information Processing Standards Publications (FIPS PUBS)  Issued by the NIST after approval by the Secretary of Commerce ~Pursuant to Section 5131 of the Information Technology Management Reform Act of 1996 (PL ) and the FISMA of 2002 (PL ). Summary  15 FIPS PUBS  Security Essentials: ~FIPS 199Standards for Security Categorization of Federal Information and Information Systems ~FIPS 200Minimum Security Requirements for Federal Information and Information Systems ~FIPS 140-3Security Requirements for Cryptographic Modules

6 FIPS 199 Standards for Security Categorization of Federal Information and Information Systems  Determines methodology for determining the impact of the loss of confidentiality, integrity and availability.  Assess impact ~Impact makes Risk Acceptance not an option. ~Impact never changes. ~Mitigating controls are only option.

7 Potential Impact Security ObjectiveLOWMODERATEHIGH Confidentiality Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [44 U.S.C., SEC. 3542] The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Integrity Guarding against improper information modification or destruction, and includes ensuring information non- repudiation and authenticity. [44 U.S.C., SEC. 3542] The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Availability Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542] The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Source: FIPS 199, Standards for Security Categorization of Federal Information and Information Systems

8 FIPS 200 Minimum Security Requirements for Federal Information and Information Systems  This is just a document for legal reasons that give NIST the authority to make standards.  Defines Control Families ~Controls entity must follow is in NIST – An Index to Controls

9 FIPS 140 Security Requirements for Cryptographic Modules  Specifies the security requirements for encryption. ~Computer and telecommunication systems (including voice systems).  FIPS ~Adds an additional security level and incorporates extended and new security features

10 NIST Compliance National Institute of Standards and Technology.  The standards-defining agency of the U.S. government, that fall under the Technology Administration ( a branch of the U.S. Commerce Department Next Steps  President Orders Federal Government to Follow NIST  OMB A-130 Appendix III  2006 – CMS orders DHCS to follow NIST  2006 – DHCS order EDS to follow NIST ~Key NIST standards only 2 years old at the time and still being vetted by community.

11 Relationship Between Publications Source: NIST SP , Managing Risk from Information Systems: An Organizational Perspective

12 NIST Special Publications  NIST SP ~Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach  NIST SP ~Managing Risk from Information Systems: An Organizational Perspective  NIST SP A ~Recommended Security Controls for Federal Information Systems  NIST SP ~Guide for Mapping Types of Information and Information Systems to Security Categories  NIST SP ~Security Configuration Checklists Program for IT Products

13 Monitoring Change After Certification Create a Baseline Design Securely Conduct Independent Reviews Conduct Annual Risk Assessment Monitor Volatile Controls RatingWindowsUNIXOracle Overall Environment Process in place Process functioning as intended Management Commitment Improvement Strategy

14 Plan of Action & Milestones (Continuous Improvement) Remediation Validation  Document vulnerabilities that can’t be fixed right away. ~Get a sample – screenshot, file, video, , etc. ~Set scope, roles and responsibilities. ~Assess risk impact.  Make a corrective plan: ~Incorporate into an existing project. ~Start a new project. ~Estimate cost.  Get owner approval and track to correction. ~Keep a scorecard. Verification  Retest for the vulnerability after correction.  Use an independent review. Source: NIST SP , Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach

15 Real Time Monitoring - HIDS CSA Audit Score Card Incident Response Critical or above DateResponse time Comments IP Source Filtering 1/1/1999Same dayThe process 'C:\WINDOWS\system32\svchost.exe' (as user NT AUTHORITY\SYSTEM) attempted to accept a connection as a server on TCP port The operation was denied. Resolved: Added IP address to the block list.

16 Typical Deliverables (Prove You Did Work) Create a Baseline Monitor Change Monitor Drift Real Time Monitoring Maintain a POA&M

17 Recap NIST & FIPS required by law Prepare deliverables to prove compliance Monitor change, drift and volatile controls Annual assessment to plan compliance reviews Independent review to verify compliance

18 Questions