An overview of the NIST Risk Management Framework ISA 652 Fall 2010

Slides:



Advertisements
Similar presentations
SHIFTING INFORMATION SECURITY LANDSCAPE FROM C&AS TO CONTINUOUS MONITORING ANDREW PATCHAN JD, CISA ASSOCIATE IG FOR IT, FRB LOUIS C. KING, CPA, CISA, CMA,
Advertisements

Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 4: Effective Integration.
Corporate Headquarters: 1010 Wayne Avenue, Suite 1150 Silver Spring, Maryland Telephone Facsimile Satellite.
1 NIST, FIPS, and you... Bob Grill Medi-Cal ISO July 16, 2009.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information System Security Association-Washington D.C. NIST Special Publication Protecting Controlled.
NIH Security, FISMA and EPLC Lots of Updates! Where do we start? Kay Coupe NIH FISMA Program Coordinator Office of the Chief Information Officer Project.
DoD Information Assurance Certification and Accreditation Process (DIACAP) August 2011.
Agenda COBIT 5 Product Family Information Security COBIT 5 content
Cybersecurity and the Risk Management Framework
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
Presented By: Thelma Ameyaw Security Management TEL2813 4/18/2008Thelma Ameyaw TEL2813.
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.
Security Controls – What Works
NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Christopher P. Cabuzzi CS 591 DEFENSE INFORMATION ASSURANCE CERTIFICATION & ACCREDITATION PROCESS (DIACAP) Chris Cabuzzi, DIACAP, 12/8/10 1.
Information Systems Security Officer
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Risk Management Framework
Federal IT Security Professional - Manager FITSP-M Module 1.
RC14001 ® Update GPCA Responsible Care Committee September 23, 2013.
1 Continuous Monitoring Proprietary Information of SecureInfo ® Corporation © 2011 All Rights Reserved.
Privacy and Security Tiger Team Meeting Recommendations regarding a framework of security protections for EHRs December 7, 2011.
Complying With The Federal Information Security Act (FISMA)
US Federal Industrial Control System (ICS) Security Standards and Guidelines Keith Stouffer National Institute of Standards and Technology (NIST) June.
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
Information Security Framework & Standards
A Security Training Program through Transformational Leadership and Practical Approaches Tanetta N. Isler Federal Information Systems Security Educators’
DFARS & What is Unclassified Controlled Technical Information (UCTI)?
Security Control Families Management Class.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information Security Standards Promoting Trust, Transparency, and Due Diligence E-Gov Washington Workshop.
1 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Federal Government Perspectives on Secure Information Sharing Technology Leadership Series August 14,
Applied Technology Services, Inc. Your Partner in Technology Applied Technology Services, Inc. Your Partner in Technology.
NIST Special Publication Revision 1
Federal IT Security Professional - Auditor
Move over DITSCAP… The DIACAP is here!
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
UNCLASSIFIED DITSCAP Primer. UNCLASSIFIED 1/18/01DITSCAP Primer.PPT 2 DITSCAP* Authority ASD/C3I Memo, 19 Aug 92 –Develop Standardized C&A Process DODI.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Integrated Enterprise-wide Risk Management Protecting Critical Information Assets and Records FIRM Forum.
National Institute of Standards and Technology 1 The Federal Information Security Management Act Reinforcing the Requirements for Security Awareness Training.
Security Standards and Threat Evaluation. Main Topic of Discussion  Methodologies  Standards  Frameworks  Measuring threats –Threat evaluation –Certification.
Disaster Recover Planning & Federal Information Systems Management Act Requirements December 2007 Central Maryland ISACA Chapter.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Managing Risk in New Computing Paradigms Applying FISMA Standards and Guidelines to Cloud Computing Workshop.
1 © Material United States Department of the Interior Federal Information Security Management Act (FISMA) April 2008 Larry Ruffin & Joe Seger.
Federal Information Security Management Act (FISMA) By K. Brenner OCIO Internship Summer 2013.
Authorizing Information Systems FITSP-A Module 6.
International Security Management Standards. BS ISO/IEC 17799:2005 BS ISO/IEC 27001:2005 First edition – ISO/IEC 17799:2000 Second edition ISO/IEC 17799:2005.
CategorizeSelectImplementAssessAuthorizeMonitor.
NIST Computer Security Framework and Grids Original Slides by Irwin Gaines (FNAL) 20-Apr-2006 Freely Adapted by Bob Cowles (SLAC/OSG) for JSPG 13-Mar-2007.
FISMA 101.
July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #1-1 Risk Management Process Frame = context, strategies Assess = determine.
1515 N. Courthouse Road Suite 310 Arlington, VA Integrating Security into the SDLC Eric Silberman,
The NIST Special Publications for Security Management By: Waylon Coulter.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
Security Methods and Practice Principles of Information Security, Fourth Edition CET4884 Planning for Security Ch5 Part I.
NIST SP800 53R4 WMISACA Conferance April 2016 By Dean E Brown CISSP, ISSMP, CSSLP, MCSD Owner – ITSecurityAxioms.com 262 Barrington Cir Lansing, MI
ISSM 101 Break-Out Session
Safeguarding CDI - compliance with DFARS
The Risk Management Framework (RMF)
Presenter: Mohammed Jalaluddin
Computer Security Division Information Technology Laboratory
Introduction to the Federal Defense Acquisition Regulation
Special Publication Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations Dr. Ron Ross Computer Security.
Josh Thompson Classified Information Systems – Western Region
Matthew Christian Dave Maddox Tim Toennies
NCHER Knowledge Symposium Federal Contractor/TPS Session
MBUG 2018 Session Title: NIST in Higher Education
Continuous Monitoring
MANAGEMENT of INFORMATION SECURITY, Fifth Edition
Presentation transcript:

An overview of the NIST Risk Management Framework ISA 652 Fall 2010 FISMA, NIST Style An overview of the NIST Risk Management Framework ISA 652 Fall 2010

About Me… Chad Andersen, CISSP, CAP Currently employed as a Senior Principal with Noblis, a non-profit consulting firm specializing in public interest technology consulting. Supporting a civilian agency’s OCIO, performing security program development, FISMA compliance activities First year MS ISA student, prior graduate work at VT (MS CS), undergrad from JMU (BS CS) Worked a variety of security-related projects from software development to PKI implementation Chad.andersen@noblis.org; cander14@gmu.edu

FISMA NIST was given the responsibility to develop the guidance documentation for implementing FISMA Two primary sources of documentation FIPS – Federal Information Processing Standards NIST Special Publication 800-series http://csrc.nist.gov/

800-37 NIST SP 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems Currently Revision 1 Released February 2010 Defines the risk management framework (RMF) in the context of the SDLC. Significant change from pervious version of 800-37

800-37 Changes No more Certification and Accreditation (C&A). Now referred to as security control assessment and security authorization. Integrated DOD and Intelligence community needs into the process. NIST will replace Director of Central Intelligence Directive (DCID) 6/3 and DIACAP Intelligence Community Directive (ICD) 503 rescinds DCID 6/3 Maps closer to the SDLC than previous version Introduces new roles – Common Control Provider, Risk Executive (Function) No more Interim Authority to Operate (IATO) http://www.onpointcorp.com/documents/NIST_SP_800-37.pdf

800-37 – Roles Key Roles Authorizing Official (AO or DAA – Designated Approving Authority)/ AO Designated Representative (AODR) Chief Information Officer (CIO) Senior Information Security Officer (SISO, SAISO, ITSO, others…) System Owner (SO) Information System Security Officer (ISSO) Security Control Assessor (SCA) Risk Executive (Function) Common Control Provider (CCP)

800-37 Defines the 6 steps of the RMF Categorize the information system Select security controls Implement security controls Assess security controls Authorize information system Monitor security controls * NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, February 2010, Section 2.1.

Categorize the Information System Required by FIPS 199: Standards for Security Categorization of Federal Information and Information Systems Utilize NIST 800-60 - Guide for Mapping Types of Information and Information Systems to Security Categories End result is a system categorization of High, Moderate, or Low across the security triad – Confidentiality, Integrity, Availability Overall categorization of the system is the high watermark of the CIA categorizations Determining the correct FIPS 199 is a CRITICAL step for a successful implementation

Select Security Controls Required by FIPS 200: Minimum Security Requirements for Federal Information and Information Systems Utilizes NIST SP 800-53: Recommended Security Controls for Federal Information Systems and Organizations Uses the FIPS 199 system categorization to drive the selection of the security controls. Uses the high watermark as the baseline for controls Allows for control tailoring, supplementing, and compensating Utilize common controls for cost savings Controls are defined in 17+1 families of controls Common Mistake is skipping the first half of the document and just utilizing the table in Appendix D. Section 3.3 includes very valuable information for success. AO acceptance is critical! Successful Security Control Selection Using NIST SP 800-53, ISSA Journal July 2009 http://www.noblis.org/NewsPublications/Publications/PublicationsandPresentations/Documents/ISSA0709_Using%20NIST%20SP%20800-53.pdf

800-53 Controls are divided into three categories – Technical, Management, Operational 800-53 includes 17 + 1 control families AC – Access Control AT – Awareness and Training AU – Audit and Accountability CA – Security Assessment and Authorization CM – Configuration Management CP – Contingency Planning IA – Identification and Authentication IR – Incident Response MA – Maintenance MP – Media Protection PE – Physical and Environmental Protection PL – Planning PS – Personnel Security RA – Risk Assessment SA – System and Services Acquisition SC – System and Communications Protection SI – System and Information Integrity PM – Program Management – Organizational level controls

Implement Security Controls Relatively straightforward implementation of the security controls and information system development. Utilize NIST SP 800-53 to determine the security control requirements Also use NIST SP 800-53A:Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans Can provide “derived requirements”. Dirty little secret of the control assessors (auditors). 800-53A is the basis for the test plan

Assess Security Controls NIST SP 800-53A:Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans Defines the security control test cases for all 800-53 controls. Includes some derived requirements New version – removes “mandate” to perform certain tests. Organization defines the level of testing.

Authorize Information System Develop and maintain a Plan of Action and Milestone (POA&M) for tracking and correcting deficiencies. Risk Executive (person or group) reviews the security assessment package and summarizes the risk posture Presents the risk posture to the AO for acceptance AO Acceptance of risk Authorization to Operate (ATO) – Document any limitations and authorization timeframe. Denial of Authorization to Operate (DATO)

Monitor Information System Perform Continuous Monitoring of the control implementation at least annually. Goal is to assess all controls at least once every three years Some controls may be organizationally mandated to be tested annually – Mostly technical controls or controls requiring annual updates Perform annual risk assessment updates Update System Security Plan (SSP) Update business continuity plan Perform regular vulnerability scanning, penetration testing as required by the organization Report results to the AO for continued risk acceptance Monitoring system changes is critical!

Keys to Success System Boundary Maintain documentation What are you including? Draw your boundary any way you like Implement appropriate boundary controls Interconnections – including neighboring components Maintain documentation SSP, component/software inventory Perform continuous monitoring activities continuously

Keys to Success AO Involvement AO can shut you down! Determining the FIPS 199 Categorization Selecting the Security Controls Tailoring/compensating the controls Budget Holders Authorize the system’s operations AO can shut you down!

Real World Pitfalls It’s just a documentation Exercise? Too much paperwork Never good enough Not enough funding Parent Organization Policies Poor interpretation of NIST guidance – Just ask Ron Ross Inspector General – Zero perceived organizational support, process improvement

Implementing FISMA on Corporate Systems Government acquisition regulations mandate any contractor system processing, storing, or transmitting government data must also follow FISMA and the NIST RMF. Rarely enforced, but on the books nonetheless. However, Government is starting to enforce for large, multi-use information systems, such as cloud computing. Requires contractors to develop a security authorization package, receive government authorization, and implement a security program compliant with NIST.

Problems with NIST on Corporate Systems NIST SP 800-37 Rev 1 states: “The role of authorizing official has inherent U.S. Government authority and is assigned to government personnel only.” Problems AO has budgetary responsibility AO has mission responsibility AO can shut a system down Most contractor systems are mixed – corporate and government data. Solution: Provide more authority to the Information Owner

Problems with NIST on Corporate Systems Multiple Agency Support – who authorizes a system if the contractor supports more than one agency? One agency? All agencies? Significant cost to both the contractor and the government Differing policies Will one agency accept another’s authorization? Will FBI accept an authorization from DOI or Agriculture? Likely not.

Problems with NIST on Corporate Systems Scope of system evaluation Personally identifiable information (PII) – only government provided or all “PII”? E-authentication – only for government services or all contractor systems? FIPS 199 – includes all data types or just government provided data types?

Problems with NIST on Corporate Systems Difficult or Impossible to implement controls Agencies have specific control requirements for their systems, such as use of CAC for authentication, that contractors just can’t implement. Other different technologies (audit, vulnerability scanner) that are organizationally mandated may drive cost and/or architecture changes. May require significant “waivers”

Problems with NIST on Corporate Systems FIPS 199/200 NIST method requires reviewing all data types to determine the level of protection required. Contractor systems may be the opposite – document the level of protection implemented then determine if the level is adequate for the government information to be processed. Data categorization may be contextual – high availability data on government systems may not be high availability if its used for different purposes on a contractor system.

Problems with NIST on Corporate Systems Roles AO – Government or Corporate? Who pays for “required” modifications to the corporate environment? Can the AO deny authorization to operate, therefore making the contractor unable to complete the work? Easy way to terminate a contract with cause? SO – Government or Corporate?

Problems with NIST on Corporate Systems Logistics Documentation formats. Multiple formats required for different agencies? Use of agency repository (CSAM) Distribution of corporate sensitive documentation Risk assessments Vulnerability scans Penetration test results POA&M Protection of information at the government site? How do you keep it away from other contractors? Protection as it moves through the parent organization OIG reviews – results posted to OIG web site? Continuous monitoring results

Problems with NIST on Corporate Systems Changes to NIST guidance required Possibly create an appendix or separate document to use when introducing contractor systems into the environment Development of rules for inter-agency re-use of authorizations Agency policy needs to be flexible when dealing with contractor systems Rules developed for OIG evaluation of contractor system -

Key NIST Documentation 800-18 – SSP 800-34 – Contingency Planning 800-37 –RMF 800-39 – Managing Risk 800-47 – Interconnections 800-53 – Controls 800-53A – Control Testing 800-60 – Data Categorization 800-64 – SDLC 800-82 – ICS (SCADA) 800-100 – Security Handbook 800-128 – Configuration Management FIPS 199 – System Categorization FIPS 200 – Control Selection

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.