FISMA 101.

AGENDA
- FISMA Project Overview
- The Basics: FISMA and NIST RMF
- The Details: Six specific processes
- Portable Computing Devices and Media
- Getting Help
- Next Steps: Timeline, Rules of Behavior, HIPAA

FISMA PROJECT OVERVIEW
- The UF contract with the State of Texas requires compliance with FISMA and NIST standards for work supporting this project
- In response to the contract requirements:
  - UFIT sponsored and invested in a significant project to support this contract ($1.5M / 70-80 UFIT employees)
  - On track to complete the initial build-out by June 30th, 2015
  - The new FISMA environment replaces the current SAS and SQL environments used for Texas contract deliverables and research

FISMA @ UF
- Enables the $40M State of Texas contract
- UF will be eligible for additional contracts and grants via the FISMA-compliant, multi-tenant environment
- Requires:
  - End-users/Researchers: heightened security requirements
  - Office of Research: revised contract/negotiation process
  - UFIT: additional compliance requirements

THE BASICS: FISMA AND NIST RMF

WHAT IS FISMA?
- Federal Information Security Management Act (FISMA) of 2002
- Included by Congress as part of the E-Government Act of 2002
- Establishes security guidelines for federal agencies or those providing services to federal agencies
- Sets forth:
  - Specific requirements for security programs
  - Specific documentation, policies and procedures
  - Defined processes required to be in place in accordance with NIST 800-53, a national security standard
- Brings standardization to security control selection and assessment by providing:
  - A consistent framework for protecting information
  - Effective management of risks to information security
  - Development of adequate controls to protect information and systems
  - A mechanism for effective oversight of security programs
- Essentially, every federal agency “did security differently or not at all” and Congress decided to enforce minimum standards.

NIST RISK MANAGEMENT FRAMEWORK (RMF)
- Ultimately, NIST wants an organization to intelligently address the entire lifecycle of an information system to ensure security is “baked into” all components. This process has created a framework, titled “Risk Management Framework” (RMF)
- NIST guidance includes:
  - Standards for categorizing information
  - Standards for minimum security requirements
  - Guidance for selecting appropriate security controls
  - Guidance for assessing security controls and systems
  - Guidance for “assess and authorize” information systems
- Basically, detailed documents that explain the entire security lifecycle: the who, what, when, and why of implementing secure environments to federal standards
- Authorization steps (from the slide callout):
  - Prepare the POA&M
  - Submit the Security Authorization Package (Security Plan, SAR, and POA&M) to the AO
  - AO conducts final risk determination
  - AO makes authorization decision

RMF ALIGNED WITH INFORMATION SYSTEM (diagram)
- Risk Management Framework cycle around the Information System:
  - CATEGORIZE Information System
  - SELECT Security Controls
  - IMPLEMENT Security Controls
  - ASSESS Security Controls
  - AUTHORIZE Information System
  - MONITOR Security State
- Authorization Package:
  - SECURITY PLAN, including updated Risk Assessment
  - SECURITY ASSESSMENT REPORT
  - PLAN OF ACTION AND MILESTONES

THE DETAILS: SIX SPECIFIC PROCESSES

1. GETTING AN ACCOUNT
- Non-FISMA: Accounts were provided on an ad hoc basis (phone, email, etc.); accounts maintained as necessary
- FISMA: Accounts have to be formally authorized and approved by management; processes need to ensure the account list is current and appropriate
- Why: Additional controls implement appropriate accountability and assurance of minimum necessary access rights

2. REMOTE ACCESS & LOGGING IN
- Non-FISMA: Access was available through a variety of means and mechanisms simply requiring a user name and password (RDP, telnet, SSH, web portals, etc.)
- FISMA: Remote access into the environment has to be secured with both something you know (a password) and something you have (a token)
- Why: Passwords are easily stolen (Target, Home Depot, Anthem, Premera, etc.), so best practices and compliance require additional verification

3. DATA TRANSFERS
- Non-FISMA: Systems allow whatever means of data transfer is most convenient or available to users
- FISMA: Sensitive data are regulated and therefore must have controlled mechanisms to allow data in and out
- Why: Complexity and lack of control provide opportunities for loss or misuse

4. CHANGE MANAGEMENT
- Non-FISMA: Changes are made on an ad hoc basis, not formally tracked or reviewed for security impact (updates to applications, databases, etc.)
- FISMA: Changes must be formally reviewed, approved and tracked
- Why: Oversight is necessary to ensure changes do not impact the integrity of the system’s security, and tracking is necessary for audit purposes

5. LOGGING AND MONITORING
- Non-FISMA: Logs and review of logs are performed on an ad hoc basis
- FISMA: All systems enforce required logging measures to ensure they remain secure
- Why: Logs are necessary both to detect adverse events (breaches, misuse of data, etc.) and for audit purposes

6. SECURITY ASSESSMENTS
- Non-FISMA: No formal security assessments are performed
- FISMA: Regular security assessments for vulnerabilities and compliance are conducted
- Why: To ensure ongoing security of the environment

PORTABLE COMPUTING DEVICES AND MEDIA: DATA PROTECTION AND PRIVACY

PORTABLE COMPUTING DEVICES
- Must comply with current UF policy, which requires full disk encryption to protect the confidentiality and integrity of systems and data
- The FISMA environment is designed such that data is contained fully within the protected environment
- Users traveling to areas deemed high risk are advised not to access the FISMA environment from those locations
- Portable devices taken to high risk areas will be completely erased and restored to the baseline configuration upon return and before being allowed to access the FISMA environment again

MEDIA ACCESS
- No ability is provided for users to use or access data on removable media as part of the ResShield system
- Privileged users are authorized to use removable media for the purpose of system installation and maintenance activities, as approved by the Change Advisory Board (CAB)
- No restricted data is stored on removable media, and media is scanned for malware before use with the ResShield system

MEDIA LABELING
- External labels are affixed to all removable media used with the ResShield system. Labels identify the data or software included and carry the note “Not for use with Restricted Data”
- If Restricted Data is stored on removable media, it is labeled as “UF ResShield” and “UF Restricted Data”

MEDIA STORAGE
- Privileged users store removable media used for system installation and maintenance in locked and controlled office facilities when not in use, to prevent tampering
- See ResShield Standard Operating Procedures MP-4

MEDIA TRANSPORT
- Privileged users keep all removable media in their possession during transport to locked and controlled office facilities and the data center
- Transport of removable media that does not contain Restricted Data does not need to be documented and logged
- If Restricted Data is stored on removable media, the FISMA Operations Manager will individually authorize and document transport of such media outside of locked and controlled office facilities
- See ResShield Standard Operating Procedures MP-5

MEDIA ENCRYPTION
- UF Policy allows the use of unencrypted removable media only when encryption interferes with the media’s essential function
- As removable media is only used with ResShield for system installation and maintenance (which is usually not possible with encrypted media), encryption is not required for removable media
- If Restricted Data is stored on removable media, the media will be fully encrypted with FIPS 140-2 compliant products
- See ResShield Standard Operating Procedures

OUTPUT DEVICE PHYSICAL SECURITY
- UFIT staff with privileged access work in physically secured areas without public access
- Screen guards must be used with any monitors removed from the secure office area
- See ResShield Standard Operating Procedures PE-5

INSIDER THREATS

INSIDER THREATS
- What is an Insider Threat?
  - An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization’s security practices, data and computer systems
- What are some signs of this type of behavior and/or activities that you may encounter?
  - Job dissatisfaction that may take the form of verbal complaints against the university
  - Harassment of fellow co-workers (which should be reported immediately)
  - Violations of other university policies
- What should you do if you suspect Insider Threat Activity? Report it!!
  - Call the Privacy Hotline: 866-876-HIPA
  - Use the web form: http://privacy.ufl.edu/uf-health-privacy/report-an-incident

GETTING HELP

WHAT IF I NEED HELP?
- Nothing changes with your workstation support
- Contact UFHealth AHC-IT as you normally do
- UFHealth AHC-IT will route FISMA support requests to the FISMA team
- Additionally, for a few weeks after go-live, UFIT FISMA staff will rotate at 3 locations for user support services: CTRB 1329 Bldg. 2020 Bldg. (HOP Modular)

NEXT STEPS

NEXT STEPS
- Timeline:
  - 6-8-15 to 6-30-15: 3rd Party Assessment Organization (3PAO), Excentium, is performing their Independent Verification and Validation (IV&V)
  - 6-15-15 to 6-26-15: TX EQRO testing
  - 6-30-15: TX data is inside the FISMA bubble; TX FISMA is LIVE
  - 7-1-15 to 8-15-15: 45-day parallel validation period
- Rules of Behavior
- Verify HIPAA is up to date

APPENDIX

NIST REFERENCES
- FIPS Publication 199 (Security Categorization)
- FIPS Publication 200 (Minimum Security Requirements)
- NIST Special Publication 800-18 (Security Planning)
- NIST Special Publication 800-30 (Risk Assessment)
- NIST Special Publication 800-39 (Risk Management)
- NIST Special Publication 800-37 (Certification & Accreditation)
- NIST Special Publication 800-53 (Recommended Security Controls)
- NIST Special Publication 800-53A (Security Control Assessment)
- NIST Special Publication 800-60 (Information Types Mapping)

INFORMATION SECURITY PROGRAMS (1 of 2)
The information security programs are centered around the security control families:
- Access Control
- Awareness and Training
- Audit and Accountability
- Certification, Accreditation, & Security Assessments
- Configuration Management
- Contingency Planning
- Identification & Authentication
- Incident Response

INFORMATION SECURITY PROGRAMS (2 of 2)
The information security programs are centered around the security control families (continued):
- System Maintenance
- Media Protection
- Security Planning
- Risk Assessment
- System & Services Acquisition
- System & Communications Protection
- System & Information Integrity