This introductory session will cover the basic steps of the Risk Management Framework (RMF) and the transition away from the previous Certification and Accreditation approach to information systems security and assurance. This will also cover the benefits of the RMF for organizations, local, state, and federal governments.
Trainers Underground
The session will begin shortly.
Picture: Fiori di Como, Bellagio Hotel, Las Vegas, NV. Photo by Donald E. Hester, all rights reserved.
Read: Official (ISC)2 Guide to CAP CBK Second Edition Chapter 1
Introduction
Background
A Risk Based Approach
What is Certification and Accreditation
What is the NIST Risk Management Framework
What is Authorization
Systems Security Approach
Benefits
External Drivers
History
There is an obligation for each agency (or organization) to properly secure information.
Computer Security Act 1987
OMB A-130 appendix III, implemented the act
National Computer Security Center (NCSC)
NCSC-TG-029 Introduction to Certification and Accreditation by NSA in 1994
DoD, DITSCAP
NSA, NIACAP in 2000
FISMA made law for Public Agencies
Federal Information Security Management Act 2002 (FISMA)
NIST created standards and guidelines for implementation
DoD, DIACAP
DoD Instruction 8510.01 in 2007
Coming soon: Department of Defense Information Assurance Risk Management Framework (DIARMF)
Standards and Guidelines
Public Law
Compulsory and binding
Federal Information Processing Standards (FIPS)
Compulsory and binding
High level objectives
NIST Special Publications (SP)
OMB requires federal agencies to follow certain SPs
Lower specific objectives
Some flexibility in how agencies apply guidance
NISTIR and ITL are mandatory only when specified by OMB
OMB policies, directives and memoranda
DoD and CNSS Instructions
What is FISMA?
E-Government Act (Public Law 107-347) passed and signed into law in December 2002
Title III of the E-Government Act, Federal Information Security Management Act (FISMA) (44 USC § 351)
Required for all government agencies
To develop, document, and implement an agency-wide information security program
To provide information security for the information and systems that support the operations and assets of the agency
Applies to contractors and other sources
A Risk Based Approach
Emphasize a risk-based policy for cost-effective security
FISMA
The Paperwork Reduction Act of 1995
The Information Technology Management Reform Act of 1996 (Clinger-Cohen Act)
Supported by Office of Management and Budget (OMB) through Circular A-130, Appendix III, Security of Federal Automated Information Resources
OMB defines adequate security as security commensurate with risk, including the magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.
FISMA Goals
Secure Federal Government Systems
Understand Risk to the Mission at the organization-wide level
Consistent
Comparable
Repeatable
Complete
Reliable
Trustworthy
Common Foundation
Collaboration
National Institute of Standards and Technology (NIST)
Office of the Director of National Intelligence (ODNI)
Department of Defense (DoD)
Committee on National Security Systems (CNSS)
Public (review and vetting)
Common Foundation
Uniform and consistent risk management
Strong basis for reciprocal acceptance
Defense, Intelligence and Civil sectors
State, local and tribal governments
As well as contractors and private organizations
Joint Task Force Transformation Initiative Interagency Working Group is made up of:
National Institute of Standards and Technology (NIST)
Office of the Director of National Intelligence (ODNI)
Department of Defense (DoD)
Committee on National Security Systems (CNSS)
Risk Management Framework (RMF)
NIST SP 800-37 Rev 1, § 2.1
It is a lifecycle
Certification and Accreditation
“Certification and accreditation is the methodology used to ensure that security controls are established for an information system, that these controls are functioning appropriately, and that management has authorized the operation of the system in its current security posture.”
- Official (ISC)2 Guide to the CAP CBK (1st ed.)
Information Assurance
Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
- CNSS Instruction No. 4009
Recent Changes
Recent changes transform the traditional Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF)
Revised process emphasizes
Building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls
Maintaining awareness of the security state of information systems on an ongoing basis through enhanced monitoring processes
Providing essential information to senior leaders to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the operation and use of information systems
Term Transition
From NIST SP 800-37 to NIST SP 800-37 Rev 1, the concepts remain the same but the words change.
You will also see that different sectors use different terminology.
Certification (now Assessment)
Detailed security review of an information system
Comprehensive assessment of
Management security controls
Operational security controls
Technical security controls
To determine the extent to which the controls are
Implemented correctly
Operating as intended
Producing the desired outcome
Providing the factual basis for an authorizing official to render a security accreditation decision
Accreditation (now Authorization)
Security accreditation is the official management decision to operate
Given by a senior agency official (management)
The official should have the authority to oversee the budget and business operations of the information system
Explicitly accept the risk to
Operations
Assets
Individuals
Accepts responsibility for the security of the system
Fully accountable for the security of the system
Authorization (new term)
“The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.”
- NIST SP 800-37 rev 1
Multi-tiered Approach
NIST SP 800-37 Rev 1, § 2.1
System Security Approach
Security not at the application, device, data or user level
Security that encompasses a system made up of applications, devices, data and users.
Easier and more cost effective to define ‘systems’ with boundaries and perimeters
Implement controls based upon the system and not the entire enterprise
Benefits
Information security visibility
Management involvement
Management due diligence
Integrate security
Consistent implementation
Common goal
Ensure minimum security
Ensure proper controls in place
Ensure risk-based controls
Efficient use of resources and funds
Discussion
Why are Agencies riddled with security holes?
Picture Source: <http://www.fcw.com/Articles/2009/07/17/Web-GAO-FISMA-info-security.aspx>
Example of external drivers
http://gcn.com/articles/2011/07/06/cyber-attacks-take-2-energy-labs-offline.aspx
Review
What is the official management decision to operate?
Certification
Authorization
Risk Assessment
Responsibility
Review
What is a comprehensive assessment of management, operational, and technical security controls?
Certification
Accreditation
Risk Assessment
Authorization