1 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Federal Government Perspectives on Secure Information Sharing Technology Leadership Series August 14,
Presentation transcript:

Slide 1: Federal Government Perspectives on Secure Information Sharing
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Technology Leadership Series, August 14, 2007
Dr. Ron Ross, Computer Security Division, Information Technology Laboratory

Slide 2: Current State of Affairs
- Continuing serious attacks on federal information systems, targeting key federal operations and assets.
- Adversaries are nation states, terrorist groups, hackers, criminals, and disgruntled employees.
- Attacks are organized, disciplined, aggressive, and well resourced; many are extremely sophisticated.
- Significant exfiltration of critical and sensitive information and implantation of malicious software.

Slide 3: Threats to Security: Connectivity, Complexity

Slide 4: Challenges for Agencies
- Large, complex information technology infrastructures; many information systems to manage.
- Dynamic operational environments with changing threats, vulnerabilities, and technologies.
- Obtaining adequate staffing with the requisite information security skills and expertise.

Slide 5: Changing Models of Protection
- Risk Avoidance -> Risk Management
- Information Protection -> Information Protection plus Information Sharing
- Confidentiality -> Confidentiality, Integrity, Availability

Slide 6: The Desired End State: Security Visibility Among Business/Mission Partners
The objective is to achieve visibility into prospective business/mission partners' information security programs BEFORE critical/sensitive communications begin... establishing levels of security due diligence and trust.
Diagram: Organization One and Organization Two each operate an information system documented by a System Security Plan, a Security Assessment Report, and a Plan of Action and Milestones. Security information is exchanged between the organizations alongside the business/mission information flow, and each organization uses it to determine the risk to its own operations and assets and the acceptability of that risk.

Slide 7: Information Security Imperatives for an Information Sharing Partnership
- The need to share depends on a need to trust.
- Trust cannot be conferred; it must be earned.
- Trust is earned by understanding the security state of your partner's information system.
- Understanding the security state of an information system depends on the evidence produced by organizations demonstrating the effective employment of safeguards and countermeasures.
Trust but verify...

Slide 8: Information Security Paradigm Shift
- From: Policy-based compliance
  - Policy dictates discrete, pre-defined information security requirements and associated safeguards/countermeasures;
  - Minimal flexibility in implementation; and
  - Little emphasis on explicit acceptance of mission risk.
- To: Risk-based mission protection
  - Enterprise missions and business functions drive security requirements and associated safeguards/countermeasures;
  - Highly flexible in implementation; and
  - Focuses on acknowledgement and acceptance of mission risk.

Slide 9: FISMA Strategic Vision
- Building a solid foundation of information security across one of the largest information technology infrastructures in the world, based on comprehensive security standards and guidelines.
- Institutionalizing a comprehensive Risk Management Framework that promotes flexible, cost-effective information security programs for federal agencies and contractors.
- Establishing a fundamental level of "information security due diligence" for federal agencies, based on a common process to determine adequate protection for enterprise missions and business functions.

Slide 10: Risk Management Framework
The Risk Management Framework and the associated security standards and guidelines provide a process that is:
- Disciplined
- Structured
- Flexible
- Extensible
- Repeatable
"Building information security into the infrastructure of the organization... so that critical enterprise missions and business functions will be protected."

Slide 11: Managing Enterprise Risk
Key activities in managing enterprise-level risk, that is, risk to the enterprise and to other organizations resulting from the operation of an information system:
- Categorize the information system (criticality/sensitivity)
- Select and tailor baseline (minimum) security controls
- Supplement the security controls based on risk assessment
- Document security controls in the system security plan
- Implement the security controls in the information system
- Assess the security controls for effectiveness
- Authorize information system operation based on mission risk
- Monitor security controls on a continuous basis

Slide 12: Risk Management Framework (process diagram, steps in cycle order)
- CATEGORIZE Information System (Starting Point): Define the criticality/sensitivity of the information system according to the potential impact of loss. References: FIPS 199 / SP
- SELECT Security Controls: Select baseline (minimum) security controls to protect the information system; apply tailoring guidance as appropriate. References: FIPS 200 / SP
- SUPPLEMENT Security Controls: Use risk assessment results to supplement the tailored security control baseline as needed to ensure adequate security and due diligence. References: SP / SP
- DOCUMENT Security Controls: Document in the security plan the security requirements for the information system and the security controls planned or in place. References: SP
- IMPLEMENT Security Controls: Implement security controls; apply security configuration settings. References: SP
- ASSESS Security Controls: Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements). References: SP A
- AUTHORIZE Information System: Determine risk to agency operations, agency assets, or individuals and, if acceptable, authorize information system operation. References: SP
- MONITOR Security Controls: Continuously track changes to the information system that may affect security controls and reassess control effectiveness. References: SP / SP A
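As an added worked example (not from the presentation), the CATEGORIZE and SELECT steps above in Python: the FIPS 199 aggregation of per-objective impact over the information types a system handles, with its "not applicable" edge case, followed by the FIPS 200 high-water mark that picks the baseline. The information types, names and impact values are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential-impact levels, ordered so max() yields the high-water mark."""
    NA = 0        # "not applicable": permitted only for confidentiality of public information
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class InfoType:
    """Security category of one information type: SC = {(C, x), (I, y), (A, z)}."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def __post_init__(self):
        # FIPS 199: integrity and availability can never be "not applicable".
        if Impact.NA in (self.integrity, self.availability):
            raise ValueError(f"{self.name}: only confidentiality may be NA")


@dataclass(frozen=True)
class SystemCategory:
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    @property
    def baseline(self) -> Impact:
        # FIPS 200 high-water mark: the baseline is the highest impact across objectives.
        return max(self.confidentiality, self.integrity, self.availability)


def categorize_system(info_types: list[InfoType]) -> SystemCategory:
    """Per objective, take the highest impact over all information types the system
    handles. At system level NA is not allowed, so every objective is floored at LOW."""
    if not info_types:
        raise ValueError("a system must process at least one information type")

    def objective(attr: str) -> Impact:
        return max(Impact.LOW, max(getattr(t, attr) for t in info_types))

    return SystemCategory(objective("confidentiality"), objective("integrity"),
                          objective("availability"))


# Constructed sample: a web-facing system that publishes public notices and also
# handles moderately sensitive partner records (illustrative values, not real data).
SAMPLE_TYPES = [
    InfoType("public notices", Impact.NA, Impact.MODERATE, Impact.LOW),
    InfoType("partner records", Impact.MODERATE, Impact.LOW, Impact.LOW),
]

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_TYPES)
    print(sc, "-> FIPS 200 baseline:", sc.baseline.name)
```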

Slide 13: Information Security Program
Adversaries attack the weakest link... where is yours?
Links in the Security Chain: Management, Operational, and Technical Controls
- Risk assessment
- Security planning
- Security policies and procedures
- Contingency planning
- Incident response planning
- Security awareness and training
- Security in acquisitions
- Physical security
- Personnel security
- Security assessments
- Certification and accreditation
- Access control mechanisms
- Identification and authentication mechanisms (biometrics, tokens, passwords)
- Audit mechanisms
- Encryption mechanisms
- Boundary and network protection devices (firewalls, guards, routers, gateways)
- Intrusion protection/detection systems
- Security configuration settings
- Anti-viral, anti-spyware, anti-spam software
- Smart cards

Slide 14: The Common Foundation for Managing Enterprise Risk (The Generalized Model)
Common Information Security Requirements, the foundational set of information security standards and guidance shared by all:
- Standardized risk management framework
- Standardized security categorization (criticality/sensitivity)
- Standardized security controls and control enhancements
- Standardized security control assessment procedures
Unique Information Security Requirements (the "Delta") are layered on top of the foundation by each community: the Intelligence Community, the Department of Defense, and Federal Civil Agencies, covering both national security and non-national-security information systems.

Slide 15: Enterprise-wide Strategy
- Facilitates enterprise-wide, mission-oriented decisions on risk mitigation activities based on organizational priorities;
- Provides a global view of systemic weaknesses and deficiencies occurring in information systems across the organization;
- Promotes the development of enterprise-wide solutions to information security problems; and
- Increases the knowledge base for system owners regarding threats, vulnerabilities, and strategies for more cost-effective solutions to common problems.

Slide 16: Defense-in-Breadth Strategy
- Diversify information technology assets.
- Reduce the information technology target size.
- Consider vulnerabilities of new information technologies before deployment.
- Apply a balanced set of management, operational, and technical security controls in a defense-in-depth approach.

Slide 17: Key Standards and Guidelines
- FIPS Publication 199 (Security Categorization)
- FIPS Publication 200 (Minimum Security Requirements)
- NIST Special Publication (Security Planning)
- NIST Special Publication (Risk Management)
- NIST Special Publication (Certification and Accreditation)
- NIST Special Publication (Recommended Security Controls)
- NIST Special Publication A (Security Control Assessment)
- NIST Special Publication (National Security Systems)
- NIST Special Publication (Security Category Mapping)
Many other FIPS and NIST Special Publications provide security standards and guidance supporting the FISMA legislation...

Slide 18: Contact Information
100 Bureau Drive, Mailstop 8930, Gaithersburg, MD, USA
Project Leader: Dr. Ron Ross (301)
Administrative Support: Peggy Himes (301)
Senior Information Security Researchers and Technical Support: Marianne Swanson (301), Dr. Stu Katzke (301), Pat Toth (301), Arnold Johnson (301), Matt Scholl (301)
Information and Feedback: Web: csrc.nist.gov/sec-cert; Comments: