Complying With The Federal Information Security Act (FISMA)
What is FISMA? FISMA Congress included the FISMA as part of the E-Government Act of 2002 http://thomas.loc.gov/bss/d107/d107laws.html FISMA is the primary legislation that governs required security activities associated with the Certification and Accreditation Process. It sets forth specific requirements for security programs as well as an annual reporting requirement. As a DAA you will be responsible for executive oversight on meeting program and reporting requirements as outlined on the following slides.
Purpose of FISMA Bringing Standardization to security control selection and assessment through: Providing a consistent framework for protecting information at the federal level. Providing effective management of risks to information security. Providing for the development of adequate controls to protect information and systems. Providing a mechanism for effective oversight of federal security programs.
FISMA Requirements Federal agencies are required to establish an integrated, risk-based information security program that adheres to high-level requirements governing how information security is conducted within their agency. Agencies are required to: assess the current level of risk associated with their information and information systems define controls to protect those systems implement policies and procedures to cost-effectively reduce risk periodically test and evaluate those controls train personnel on information security policies and procedures and manage incidents (incident response plan/process).
FISMA Dictates… Responsibilities of chief security officers. Actions required to assess risk. Actions required to mitigate risk. Security awareness training. Testing of security practices and controls. Procedures for responding to security issues. Procedures for business continuity.
FISMA and NIST NIST provides guidance on FISMA that is detailed and in-depth NIST guidance includes: Standards for categorizing information and information systems by mission impact. Standards for minimum security requirements for information and information systems. Guidance for selecting appropriate security controls for information systems. Guidance for assessing security controls in information systems and determining security control effectiveness. Guidance for certifying and accrediting information systems.
NIST FISMA Related Publications FIPS Publication 199 (Security Categorization) FIPS Publication 200 (Minimum Security Requirements) NIST Special Publication 800-18, Rev 1 (Security Planning) NIST Special Publication 800-30, Rev 1 (Risk Management) NIST Special Publication 800-37 (Certification & Accreditation) NIST Special Publication 800-53 Rev 3 (Recommended Security Controls) NIST Special Publication 800-53A Rev 1(Security Control Assessment) NIST Special Publication 800-60 (Security Category Mapping)
FIPS 199, Standards for the Security Categorization of Federal Information and Information Systems The standard used by federal agencies to categorize information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels Information systems are categorized as either Low, Moderate, or High Risk Systems based on the Confidentiality, Integrity, and Availability security requirements necessary to protect the data/information processed, stored, or transmitted by the information system.
FIPS 200, Minimum Security Requirements for Federal Information and Information Systems Provides minimum information security requirements for information and information systems in each security category defined in FIPS 199 Dictates the requirements to utilize NIST SP 800-53 for the baseline security control requirements.
NIST SP 800-37 Rev 1, Guide to Apply the Risk Management Framework to Federal Information Systems Establishes a six-step Risk Management Framework for Federal Information Systems: Categorize the Information System Select Security Controls Implement Security Controls Assess Security Controls Authorize the Information System Monitor the Security Controls Applicable to non-national security information systems as defined in the Federal Information Security Management Act of 2002
NIST SP 800-18 Rev 1, Guide for Developing Security Plans for Federal Information Systems Defines the format and content for Security Plans, as required by OMB Circular No. A-130. The Security Plan main functions include: Overviewing the system’s security requirements Describing the controls in place or planned for meeting those requirements Delineating responsibilities and expected behavior of all individuals who access the system Documenting the structured process of planning adequate, cost-effective security protection for the system
NIST SP 800-30 Rev 1, Risk Management Guide for Information Technology Systems Definitional and Practical Guidance regarding concept and practice of managing IT-related risks Risk Management provides balance between operational objectives and economic costs of protective measures better securing of IT systems that store, process, or transmit organizational information; enabling management to make well-informed risk management decisions to justify the expenditures assisting management in authorizing (or accrediting) the IT systems
NIST SP 800-34 Rev 1, Contingency Planning Guide For Federal Information Systems Provides instructions, recommendations, and considerations for government IT contingency planning. Provides specific contingency planning recommendations for seven IT platforms Strategies and techniques common to all systems
NIST SP 800-53 Rev 3, Recommended Security Controls for Federal Information Systems and Organizations The purpose of NIST Special Publication 800-53, rev 3 is to provide guidelines for selecting and specifying security controls for information systems… Applicable to all Federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542 Broadly developed from a technical perspective to complement similar guidelines issued by agencies and offices operating or exercising control over national security systems Provides guidance to Federal agencies until the publication of FIPS Publication 200, Minimum Security Controls for Federal Information Systems
NIST SP 800-53a Rev 1, Guide for Assessing the Security Controls In Federal Information Systems Provides standardized techniques and procedures to verify the effectiveness of security controls Provides a single baseline verification procedure for each security control in SP 800-53 , rev 3 Allows additional verification techniques and procedures to be applied at the discretion of the agency
NIST SP 800-60 Vol I and Vol II, Guide for Mapping Types of Information and Information Systems to Security Categories Provides guidelines recommending the types of information and information systems to be included in each category of potential security impact. Assists agencies to map security impact levels in a consistent manner to types of: (i) information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation); and (ii) information systems (e.g., mission critical, mission support, administrative).
SUMMARY Key activities in managing enterprise-level risk—risk resulting from the operation of an information system: Categorize the information system Select set of minimum (baseline) security controls Refine the security control set based on risk assessment Document security controls in system security plan Implement the security controls in the information system Assess the security controls Determine agency-level risk and risk acceptability Authorize information system operation Monitor security controls on a continuous basis
QUESTIONS?
LARRY CHMIEL Security and Privacy Consulting, LLC larry@securityandprivacyconsulting.com 813-838-2689