Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information System Security Control Architecture (ISSCA) Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards & Technology.

Published byHugo Marsh Modified over 9 years ago

Similar presentations

Presentation on theme: "Information System Security Control Architecture (ISSCA) Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards & Technology."— Presentation transcript:

1 Information System Security Control Architecture (ISSCA) Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards & Technology 100 Bureau Drive; Stop 8930 Gaithersburg, MD (301) fax: (301)

2 Presentation Contents
Background/motivation System security C&A (historical perspective) OMB A-130; Appendix III Federal Information Security Management Act (FISMA) NIST FISMA implementation project ISSCA Significance of NIST’s activities to the commercial sector Supporting detail

3 Background/Motivation
NIST’s system security C&A guidance aging (FIPS ) OMB A-130Appendix III: Security of Federal Information Resources (1996) Proliferation of C&A guidance FIPS 102 (NIST) DITSCAP (DoD) NIACAP (NSTISSC/NSS) Federal Information Security Management Act (FISMA)

4 OMB A-130, Management of Federal Information Resources
Requires Federal agencies to: Plan for security Implement controls commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information (called adequate security) Ensure that appropriate officials are assigned security responsibility Authorize system processing prior to operations and periodically, thereafter. Consistent with FISMA

5 Federal Information Security Management Act (FISMA)
Title III of E-Government Act of 2002 (Public Law )

6 FISMA Requirements Federal agency information security (IS) program requirements NIST requirements Others (not to be addressed today)

7 Federal Agency Information Security Programs Must Include (1):
Periodic assessments of the risk Policies and procedures that are: Risk-based Cost-effective Reduce IS risks to an acceptable level Ensure IS is addressed throughout the system life cycle Plans for providing adequate IS for networks, facilities, & information systems (i.e., security planning) Security awareness training to inform personnel (including contractors and other users of information systems) of the IS risks and their responsibilities

8 Federal Agency Information Security Programs Must Include (2):
Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices with a frequency depending on risk, but no less than annually Plans and procedures to ensure continuity of operations Procedures for detecting, reporting, and responding to security incidents including: Mitigating risks before substantial damage is done Notifying/consulting with the Federal IS incident response center , law enforcement agencies, IG, other agency or office, in accordance with law or as directed by the President A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures and practices of the agency

9 FISMA Tasks for NIST Standards to be used by Federal agencies to categorize information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels Guidelines recommending the types of information and information systems to be included in each category Minimum information security requirements (management, operational, and technical security controls) for information and information systems in each such category

10 FISMA Implementation Project
Phase I: To develop standards and guidelines for: Categorizing Federal information and information systems Selecting minimum security controls for Federal information systems Assessing the security controls in Federal information systems Phase II: To create a national network of accredited organizations capable of providing cost effective, quality security assessment services based on the NIST standards and guidelines

11 FISMA Implementation Project Standards and Guidelines
FIPS Publication 199 (Security Categorization) NIST Special Publication (C&A) NIST Special Publication (Security Controls) NIST Special Publication A (Assessment) NIST Special Publication (National Security) NIST Special Publication (Category Mapping) FIPS Publication 200 (Minimum Security Controls)

12 Information System Security Control Architecture (ISSCA)
Key activities in managing risk to agency operations, agency assets, or individuals resulting from the operation of an information system— Categorize the information system Select set of minimum (baseline) security controls Refine the security control set based on risk assessment Document agreed upon security controls in security plan Implement the security controls in the information system Assess the security controls Determine agency-level risk and risk acceptability Authorize information system operation Monitor security controls on a continuous basis

13 Information System Security Control Architecture
Defines category of information system according to potential impact of loss FIPS SP Security Categorization Selects minimum security controls (i.e., safeguards and countermeasures) planned or in place to protect the information system SP FIPS 200 Security Control Selection In system security plan, provides a an overview of the security requirements for the information system and documents the security controls planned or in place SP Security Control Documentation Determines extent to which the security controls are implemented correctly, operating as intended, and producing desired outcome with respect to meeting security requirements SP A SP Security Control Assessment Security Control Implementation Implements security controls in new or legacy information systems Security Control Refinement Uses risk assessment to adjust minimum control set based on local conditions, required threat coverage, and specific agency requirements SP System Authorization Determines risk to agency operations, agency assets, or individuals and, if acceptable, authorizes information system processing Security Control Monitoring Continuously tracks changes to the information system that may affect security controls and assesses control effectiveness

14 Significance of NIST’s activities to the commercial sector (1)
ISSCA applicable to both government and commercial sector organizations NIST is contributing its standards/guidelines to IEEE as candidates for common industry-government standards/guidelines NIST Minimum control sets/baselines incorporate security controls from many public and private sector sources: CC Part 2 ISO/IEC 17799 COBIT GAO FISCAM NIST SP Self Assessment Questionnaire CMS (healthcare) D/CID 6-3 Requirements DoD Policy 8500 BITS functional packages

15 Significance of NIST’s activities to the commercial sector (2)
Control sets mapped to threat coverage Can be adjusted to widen/reduce threat coverage Can be adjusted based on risk analytic process Unique, ambitious attempt by NIST to do control mapping Control sets adaptable and adoptable by other communities Control catalogue provides a rich set of controls to meet many needs Communities can tailor control sets/baselines according to their needs Healthcare (to demonstrate HIPPA compliance) Other communities

16 Significance of NIST’s activities to the commercial sector (3)
Based on expectations of wide adoption by US government agencies, NIST standards/guidelines may become de facto “due diligence” for commercial sector Will result in accredited individuals/organizations competent to perform system security evaluations NIST invites industry review and comment on applicability of NIST standards/guidelines to commercial sector systems NIST and IEEE invite participation in security standardization activities

17 Contact Information 100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA Project Manager Assessment Program Dr. Ron Ross Arnold Johnson (301) (301) Special Publications Assessment Methodologies Joan Hash Annabelle Lee (301) (301) Gov’t and Industry Outreach Technical Advisor Dr. Stu Katzke Gary Stoneburner (301) (301) Organizational Accreditations Administrative Support Pat Toth Peggy Himes (301) (301) Comments to: World Wide Web:

18 Security Certification (of an IT system)
The comprehensive assessment of the management, operational, and technical security controls in an information system Assessment supports the security accreditation process Assessment performed by security expert (may be contractor) Assesses (in a particular environment of operation) the extent to which the implemented security controls are: Correctly implemented? Operating as intended? Producing the desired outcome with respect to meeting the system’s security requirements

19 Security Certification (of an IT system) (continued)
Determines remaining vulnerabilities in the information system based on the assessment. The results of a security certification are used to reassess the risks and update the system security plan Provides the factual basis for an authorizing official to render a security accreditation decision

20 Security Accreditation (of an IT system)
Official management decision to authorize operation of a system : Made by a senior agency official Is applicable to a particular environment of operation of the IT system Explicitly accepts the level of residual risk to agency: Operations (including mission, functions, image or reputation), Assets, & Individuals that remain after the implementation of an agree upon set of security controls in the IT system.

21 Security Accreditation (of an IT system) (continued)
Authorizing agency official accepts: Responsibility for system’s security Accountability for adverse impacts of security breaches

22 C: Assess residual vulnerabilities; A: Assess residual risk
C = Certification A = Accreditation Initiation Development/Acquisition Disposal Categorize System Security Planning Determine Security Requirements Select Security Controls Risk Assessment Development/Acquisition Configuration Management and control Information Security Activities Security Control Development Continuous Monitoring of Security Control Effectiveness Operation/ Maintenance Developmental Security Test & Evaluation Develop Security Test Plan Test & Evaluate Security Controls Security Control Integration Security Accreditation Implementation C: Determine control effectiveness; Determine & document residual vulnerabilities; A: Assess residual risk; Make accreditation determination System Security Activities (Inside) within the System Development Life Cycle (Outside)

23 Security Controls: Special Publication 800-53

24 Special Publication 800-53 The purpose of SP 800-53 is to provide—
Guidance on how to use a FIPS Publication 199 security categorization to identify minimum security controls (baseline) for an information system Minimum (baseline) sets of security controls for low, moderate, and high impact information systems Estimated threat coverage for each baseline A catalog of security controls for information systems requiring additional threat coverage

25 Applicability Applicable to all Federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542 Broadly developed from a technical perspective to complement similar guidelines issued by agencies and offices operating or exercising control over national security systems Provides guidance to Federal agencies until the publication of FIPS Publication 200, Minimum Security Controls for Federal Information Systems

26 Special Publication Special Publication is not a tutorial on the security control selection process or a security engineering handbook. An additional guidance document is needed that addresses: Relationship of minimum security controls (baselines) to threat coverage Relationships among basic, enhanced, and strong controls How to select additional security controls from the control catalogue

27 Document Architecture
Main Body Catalog of Security Controls (complete set) Minimum Security Controls for Low Impact Systems (subset of controls from catalog) Minimum Security Controls for Moderate Impact Systems (subset of controls from catalog) Minimum Security Controls for High Impact Systems (subset of controls from catalog) Estimated Threat Coverage

28 Security Categorization
Potential Impact FIPS Publication 199 Low Moderate High Confidentiality The loss of confidentiality could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The loss of confidentiality could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The loss of confidentiality could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Integrity The loss of integrity could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The loss of integrity could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The loss of integrity could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Availability The loss of availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The loss of availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The loss of availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Security Objective

29 Security Categorization
Example: Law Enforcement Witness Protection Information System FIPS Publication 199 Low Moderate High Confidentiality The loss of confidentiality could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The loss of confidentiality could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The loss of confidentiality could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Integrity The loss of integrity could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The loss of integrity could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The loss of integrity could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Availability The loss of availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The loss of availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The loss of availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Guidance for Mapping Types of Information and Information Systems to FIPS Publication 199 Security Categories SP

30 Security Categorization
Example: Law Enforcement Witness Protection Information System FIPS Publication 199 Low Moderate High Confidentiality The loss of confidentiality could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The loss of confidentiality could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The loss of confidentiality could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Integrity The loss of integrity could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The loss of integrity could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The loss of integrity could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Availability The loss of availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The loss of availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The loss of availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Guidance for Mapping Types of Information and Information Systems to FIPS Publication 199 Security Categories Minimum Security Controls for High Impact Systems SP

31 Why High Water Mark Strong dependencies among security objectives of confidentiality, integrity, and availability In general, the impact values for all security objectives must be commensurate—a lowering of an impact value for one security objective might affect all other security objectives Example: A lowering of the impact value for confidentiality and the corresponding employment of weaker security controls may result in a breach of security due to an unauthorized disclosure of system password tables—thus, causing a subsequent integrity loss and denial of service…

32 Minimum Security Controls
Minimum security controls and associated threat coverage in each of the designated baselines: Provide a starting point for organizations and communities of interest in their security control selection process Are used in the within the context of the agency’s ongoing risk management process

33 Terminology Security control strength or goodness rating defined in the control catalog as: Basic Enhanced Strong Appropriate security controls from the catalog are selected to populate the sets of minimum security controls (baselines) for: Low impact information systems Moderate impact information systems High impact information systems No direct correlation between strength/goodness rating and impact level—select the controls best suited to do the job…

34 Minimum Security Controls Sets Baselines Provided by Special Publication 800-53
Low Impact Information Systems High Impact Moderate Impact Information Systems Security Control Catalog Complete Set of Basic, Enhanced, and Strong Security Controls Baseline #1 Selection of a subset of security controls from the catalog—all basic level controls Baseline #2 Selection of a subset of security controls from the catalog—combination of basic and enhanced controls Baseline #3 Selection of a subset of security controls from the catalog—combination of basic, enhanced, and strong controls

35 Estimated Threat Coverage Provided by Special Publication 800-53
Minimum Security Controls Low Impact Information Systems High Impact Moderate Impact Information Systems Security Control Catalog Complete Set of Basic, Enhanced, and Strong Security Controls Estimated Threat Coverage Low Baseline Moderate Baseline High Baseline

36 Security Control Refinement Agency-level Activity Guided by Risk Assessment
Security Control Catalog Complete Set Basic, Enhanced, and Strong Security Controls Risk Assessment Process Incorporates Local Conditions and Specific Agency Requirements to Adjust Initial Set of Security Controls 3 Starting Point Minimum Security Controls Moderate Impact Information Systems Additional Security Controls Estimated Threat Coverage Additional Threat Coverage Initial Coverage 1 4 2 5

37 Tagging of Security Controls
Why aren’t security controls partitioned by security objectives (e.g., C, I, A)? In general, it is difficult to assign proper security objectives (i.e., confidentiality, integrity, or availability) to individual security controls In many cases, multiple security objectives apply to a single security control Availability may be the exception due to the potential for downgrading availability impact values during FIPS 199 security categorizations

38 Cost Effective Implementation: Common Security Controls

39 Common Security Controls
Common security controls are those controls that can be applied to one or more agency information systems and have the following properties: The development, implementation, and assessment of common security controls can be assigned to responsible officials or organizational elements (other than the information system owner) The results from the assessment of the common security controls can be reused in security certifications and accreditations of agency information systems where those controls have been applied

40 Common Security Controls
Identification of common security controls is an agency-level activity in collaboration with Chief Information Officer, authorizing officials, information system owners, system security managers, and system security officers Potential for significant cost savings for the agency in security control development, implementation, and assessment

41 Common Security Controls
Common security controls can be applied agency-wide, site-wide, or to common subsystems and assessed accordingly— For example: Contingency planning Incident response planning Security training and awareness Physical and personnel security * Common hardware, software, or firmware ** * Related to the concept of site certification in certain communities ** Related to the concept of type certification in certain communities

42 Common Security Controls
Example: Moderate Impact Agency Information Systems Responsibility of Information System Owners Common Security Controls System Specific Security Controls Responsibility of Designated Agency Official Other Than Information System Owner (e.g., Chief Information Officer, Facilities Manager, etc.) Common security controls developed, implemented, and assessed one time by designated agency official(s) Development and implementation cost amortized across all agency information systems Results shared among all information system owners and authorizing officials where common security controls are applied Maximum re-use of assessment evidence during security certification and accreditation of information systems Security assessment reports provided to information system owners to confirm the security status of common security controls Assessments of common security controls not repeated; only system specific aspects when necessary

43 Certification & Accreditation: Special Publication 800-37

44 C: Assess residual vulnerabilities; A: Assess residual risk
C = Certification A = Accreditation Initiation Development/Acquisition Disposal Categorize System Security Planning Determine Security Requirements Select Security Controls Risk Assessment Development/Acquisition Configuration Management and control Information Security Activities Security Control Development Continuous Monitoring of Security Control Effectiveness Operation/ Maintenance Developmental Security Test & Evaluation Develop Security Test Plan Test & Evaluate Security Controls Security Control Integration Security Accreditation Implementation C: Determine control effectiveness; Determine & document residual vulnerabilities; A: Assess residual risk; Make accreditation determination System Security Activities (Inside) within the System Development Life Cycle (Outside)

45 Key Roles Authorizing Official
Authorizing Official Designated Representative Chief Information Officer Senior Agency Information Security Officer Information System Owner Information System Security Officer Certification Agent User Representatives

46 Authorizing Official Reviews and approves the security categorizations of information systems Reviews and approves system security plans Determines agency-level risk from information generated during the security certification Makes accreditation decisions and signs associated transmittal letters for accreditation packages (authorizing official only) Reviews security status reports from continuous monitoring operations; initiates reaccreditation actions

47 Designated Representative
Selected by the authorizing official to coordinate and carry out the necessary activities required during the security certification and accreditation process Empowered to make certain decisions with regard to the: Planning and resourcing of the security certification and accreditation activities Acceptance of the system security plan Determination of risk to agency operations, assets, and individuals Prepares accreditation decision letter Obtains authorizing official’s signature on the accreditation decision letter and transmits accreditation package to appropriate agency officials

48 Chief Information Officer
Designates a senior agency information security officer Develops and maintains information security policies, procedures, and control techniques to address all applicable requirements Trains and oversees personnel with significant responsibilities for information security Assists senior agency officials concerning their security responsibilities Coordinates with other senior agency officials, reporting annually to the agency head on the effectiveness of the agency information security program

49 Senior Agency Information Security Officer
Serves in a position with primary responsibilities and duties related to information security Carries out the Chief Information Officer responsibilities under FISMA Possesses professional qualifications required to administer information security program functions Heads an office with the mission and resources to assist in ensuring agency compliance with FISMA

50 Information System Owner
Procures, develops, integrates, modifies, operates or maintains an information system. Prepares system security plan and conducts risk assessment Informs agency officials of the need for certification and accreditation; ensures appropriate resources are available Provides necessary system-related documentation to the certification agent Prepares plan of action and milestones to reduce or eliminate vulnerabilities in the information system Assembles final accreditation package and submits to authorizing official

51 Information System Security Officer
Serves as principal staff advisor to the system owner on all matters involving the security of the information system Manages the security aspects of the information system and, in some cases, oversees the day-to-day security operations of the system Assists the system owner in: Developing and enforcing security policies for the information system Assembling the security accreditation package Managing and controlling changes to the information system and assessing the security impacts of those changes

52 Certification Agent Provides an independent assessment of the system security plan Assesses the security controls in the information system to determine the extent to which the controls are: Implemented correctly; Operating as intended; and Producing the desired outcome with respect to meeting the security requirements of the system Provides recommended corrective actions to reduce or eliminate vulnerabilities in the information system

53 User Representatives Represent the operational interests and mission needs of the user community Identify mission and operational requirements Serve as liaisons for the user community throughout the system development life cycle Assist in the security certification and accreditation process, when needed

54 Other Supporting Roles
Information Owner Operations Manager Facilities Manager System Administrator

55 Accreditation Boundaries
Uniquely assigning information resources to an information system defines the security accreditation boundary for that system Agencies have great flexibility in determining what constitutes an information system and the resulting accreditation boundary that is associated with that system

56 Accreditation Boundaries
If a set of information resources is identified as an information system, the resources should generally be under the same direct management control Consider if the information resources being identified as an information system— Have the same function or mission objective and essentially the same operating characteristics and security needs Reside in the same general operating environment (or in the case of a distributed information system, reside in various locations with similar operating environments)

57 Large and Complex Systems
Accreditation Boundary Subsystem Component Local Area Network Alpha System Guard Bravo Agency General Support System System security plan reflects information system decomposition with adequate security controls assigned to each subsystem component Security assessment methods and procedures tailored for the security controls in each subsystem component and for the combined system level Security certification performed on each subsystem component and on system-level controls not covered by subsystem certifications Security accreditation performed on the information system as a whole

58 Common Security Controls
Common security controls are those controls that can be applied to one or more agency information systems and have the following properties: The development, implementation, and assessment of common security controls can be assigned to responsible officials or organizational elements (other than the information system owner) The results from the assessment of the common security controls can be reused in security certifications and accreditations of agency information systems where those controls have been applied

59 Common Security Controls
Identification of common security controls is an agency-level activity in collaboration with Chief Information Officer, authorizing officials, information system owners, system security managers, and system security officers Potential for significant cost savings for the agency in security control development, implementation, and assessment

60 Common Security Controls
Common security controls can be applied agency-wide, site-wide, or to common subsystems and assessed accordingly— For example: Contingency planning Incident response planning Security training and awareness Physical and personnel security * Common hardware, software, or firmware ** * Related to the concept of site certification in certain communities ** Related to the concept of type certification in certain communities

61 Common Security Controls
Example: Moderate Impact Agency Information Systems Responsibility of Information System Owners Common Security Controls System Specific Security Controls Responsibility of Designated Agency Official Other Than Information System Owner (e.g., Chief Information Officer, Facilities Manager, etc.) Common security controls developed, implemented, and assessed one time by designated agency official(s) Development and implementation cost amortized across all agency information systems Results shared among all information system owners and authorizing officials where common security controls are applied Maximum re-use of assessment evidence during security certification and accreditation of information systems Security assessment reports provided to information system owners to confirm the security status of common security controls Assessments of common security controls not repeated; only system specific aspects when necessary

62 Accreditation Decisions
Full Authorization To Operate Interim Approval To Operate Denial of Authorization to Operate

63 Full Authorization to Operate
Risk to agency operations, agency assets, or individuals is deemed fully acceptable to the authorizing official Information system is accredited without any significant restrictions or limitations on its operation Authorizing officials may recommend specific actions be taken to reduce or eliminate identified vulnerabilities, where it is cost effective to do so

64 Interim Approval To Operate
Risk to agency operations, agency assets, or individuals is not deemed fully acceptable to the authorizing official, but there is an overarching mission necessity to place the information system into operation or continue its operation Limited authorization to operate the information system under specific terms and conditions Acknowledges greater risk to the agency for a limited period of time

65 Interim Approval To Operate
Terms and conditions, established by the authorizing official, convey limitations on information system operations Information system is not considered accredited during the period of limited authorization to operate Maximum allowable timeframe for an interim approval to operate should generally not exceed one year including all extensions

66 Interim Approval To Operate
At the end of the period of limited authorization, the information system should either meet the requirements for being fully authorized or not be authorized for further operation Renewals or extensions to interim approvals to operate should be discouraged and approved by authorizing officials only under the most extenuating circumstances Security control effectiveness should be monitored during the period of limited authorization

67 Denial of Authorization to Operate
The residual risk to the agency’s operations or assets is deemed unacceptable to the authorizing official Information system is not accredited and should not be placed into operation—or for an information system currently in operation, all activity should be halted Major deficiencies in the security controls in the information system—corrective actions should be initiated immediately

68 Accreditation Package
Approved system security plan Security assessment report Plan of action and milestones

69 Accreditation Package
Documents the results of the security certification Provides the authorizing official with the essential information needed to make a credible risk-based decision on whether to authorize operation of the information system Uses inputs from the information system security officer and the certification agent

70 System Security Plan Prepared by the information system owner
Provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements Contains (either as supporting appendices or as references) other key security-related documents for the information system (e.g., risk assessment, contingency plan, incident response plan, system interconnection agreements)

71 Security Assessment Report
Prepared by the certification agent Provides the results of assessing the security controls in the information system to determine the extent to which the controls are: Implemented correctly Operating as intended Producing the desired outcome with respect to meeting the system security requirements Contains a list of recommended corrective actions

72 Plan of Action and Milestones
Prepared by the system owner Describes the measures that have been implemented or planned to: Correct any deficiencies noted during the assessment of the security controls Reduce or eliminate known vulnerabilities in the information system

73 Accreditation Decision Letter
Constructed from information provided by the information system owner in the accreditation package Consists of: Accreditation decision Supporting rationale for the decision Specific terms and conditions imposed on the system owner The contents of security certification and accreditation-related documentation (especially information dealing with system vulnerabilities) should be marked and protected appropriately in accordance with agency policy.

74 The C&A Process Initiation Phase Security Certification Phase
Security Accreditation Phase Continuous Monitoring Phase

75 Initiation Phase Major Tasks and Subtasks
Task 1: Preparation Subtask 1.1: Information System Description Subtask 1.2: Security Categorization Subtask 1.3: Threat Identification Subtask 1.4: Vulnerability Identification Subtask 1.5: Security Control Identification Subtask 1.6: Initial Risk Determination Task 2: Notification and Resource Identification Subtask 2.1: Notification Subtask 2.2: Planning and Resources

76 Initiation Phase Major Tasks and Subtasks
Task 3: System Security Plan Analysis, Update, and Acceptance Subtask 3.1: Security Categorization Review Subtask 3.2: System Security Plan Analysis Subtask 3.3: System Security Plan Update Subtask 3.4: System Security Plan Acceptance

77 Security Certification Phase Major Tasks and Subtasks
Task 4: Security Control Assessment Subtask 4.1: Documentation and Supporting Materials Subtask 4.2: Reuse of Assessment Results Subtask 4.3: Methods and Procedures Subtask 4.4: Security Assessment Subtask 4.5: Security Assessment Report Task 5: Security Certification Documentation Subtask 5.1: Findings and Recommendations Subtask 5.2: System Security Plan Update Subtask 5.3: Accreditation Package Assembly

78 Security Accreditation Phase Major Tasks and Subtasks
Task 6: Accreditation Decision Subtask 6.1: Final Risk Determination Subtask 6.2: Risk Acceptability Task 7: Accreditation Documentation Subtask 7.1: Accreditation Package Transmission Subtask 7.2: System Security Plan Update

79 Continuous Monitoring Phase Major Tasks and Subtasks
Task 8: Configuration Management and Control Subtask 8.1: Documentation of System Changes Subtask 8.2: Security Impact Analysis Task 9: Security Control Monitoring Subtask 9.1: Security Control Selection Subtask 9.2: Selected Security Control Assessment Task 10: Status Reporting and Documentation Subtask 10.1: System Security Plan Update Subtask 10.2: Status Reporting

80 Certification and Accreditation For Low Impact Information Systems
Incorporates the use of self-assessment activities Reduces the associated level of supporting documentation and paperwork Decreases the time spent conducting assessment-related activities Significantly reduces costs to the agency without increasing agency-level risk or sacrificing the overall security of the information system.

81 Summary

82 The Bottom Line Standardized security controls facilitate—
More consistent, comparable specifications of security controls for information systems Comparability of security plans among business/mission partners A better understanding of the effectiveness of business/mission partner’s security controls and the vulnerabilities in their information systems Greater insights into business/mission partner’s due diligence with regard to security and tolerance for agency-level, mission-related risk

83 NIST Standards and Guidelines
Are intended to promote and facilitate— More consistent, comparable specifications of security controls for information systems More consistent, comparable, and repeatable system assessments of information systems More complete and reliable security-related information for authorizing officials A better understanding of complex information systems and associated risks and vulnerabilities Greater availability of competent security assessment services

84 FISMA Implementation Project Standards and Guidelines
FIPS Publication 199 (Security Categorization) NIST Special Publication (C&A) NIST Special Publication (Security Controls) NIST Special Publication A (Assessment) NIST Special Publication (National Security) NIST Special Publication (Category Mapping) FIPS Publication 200 (Minimum Security Controls)

85 Contact Information 100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA Project Manager Assessment Program Dr. Ron Ross Arnold Johnson (301) (301) Special Publications Assessment Methodologies Joan Hash Annabelle Lee (301) (301) Gov’t and Industry Outreach Technical Advisor Dr. Stu Katzke Gary Stoneburner (301) (301) Organizational Accreditations Administrative Support Pat Toth Peggy Himes (301) (301) Comments to: World Wide Web:

Download ppt "Information System Security Control Architecture (ISSCA) Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards & Technology."

Similar presentations

1 NIST, FIPS, and you... Bob Grill Medi-Cal ISO July 16, 2009.

1 NIST, FIPS, and you... Bob Grill Medi-Cal ISO July 16, 2009.
IT Security Law for Federal Agencies As of: 30 December 2002.

IT Security Law for Federal Agencies As of: 30 December 2002.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information System Security Association-Washington D.C. NIST Special Publication 800-171 Protecting Controlled.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information System Security Association-Washington D.C. NIST Special Publication Protecting Controlled.
Software Quality Assurance Plan

Software Quality Assurance Plan
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
Near Real Time Risk Management Transforming the Certification and Accreditation Process ISSA-Baltimore Chapter Meeting May 28, 2008 Dr. Ron Ross.

Near Real Time Risk Management Transforming the Certification and Accreditation Process ISSA-Baltimore Chapter Meeting May 28, 2008 Dr. Ron Ross.
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
Presented By: Thelma Ameyaw Security Management TEL2813 4/18/2008Thelma Ameyaw TEL2813.

Presented By: Thelma Ameyaw Security Management TEL2813 4/18/2008Thelma Ameyaw TEL2813.
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.

National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.
Security Controls – What Works

Security Controls – What Works
NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.

NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.
Introduction to the State-Level Mitigation 20/20 TM Software for Management of State-Level Hazard Mitigation Planning and Programming A software program.

Introduction to the State-Level Mitigation 20/20 TM Software for Management of State-Level Hazard Mitigation Planning and Programming A software program.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Information Systems Security Officer

Information Systems Security Officer
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
Office of Inspector General (OIG) Internal Audit

Office of Inspector General (OIG) Internal Audit
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Risk Assessment Frameworks

Risk Assessment Frameworks
Risk Management Framework

Risk Management Framework
Purpose of the Standards

Purpose of the Standards

Similar presentations

Ads by Google