Information System Security Control Architecture (ISSCA)

Stuart Katzke, Ph.D., Senior Research Scientist
National Institute of Standards & Technology
100 Bureau Drive; Stop 8930
Gaithersburg, MD 20899
(301) 975-4768; [email protected]; fax: (301) 975-4964



Page 2

Presentation Contents

• Background/motivation
– System security C&A (historical perspective)
– OMB A-130, Appendix III
– Federal Information Security Management Act 2002 (FISMA)
• NIST FISMA implementation project
• ISSCA
• Significance of NIST’s activities to the commercial sector
-----------------------------------------------
• Supporting detail

Page 3

Background/Motivation

• NIST’s system security C&A guidance aging (FIPS 102, 1983)
• OMB A-130 Appendix III: Security of Federal Information Resources (1996)
• Proliferation of C&A guidance
– FIPS 102 (NIST)
– DITSCAP (DoD)
– NIACAP (NSTISSC/NSS)
• Federal Information Security Management Act 2002 (FISMA)

Page 4

OMB A-130, Management of Federal Information Resources

• Requires Federal agencies to:

– Plan for security

– Implement controls commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information (called adequate security)

– Ensure that appropriate officials are assigned security responsibility

– Authorize system processing prior to operations and periodically thereafter

• Consistent with FISMA

Page 5

Federal Information Security Management Act (FISMA)

Title III of E-Government Act of 2002 (Public Law 107-347)

Page 6

FISMA Requirements

• Federal agency information security (IS) program requirements

• NIST requirements

• Others (not to be addressed today)

Page 7

Federal Agency Information Security Programs Must Include (1):

• Periodic assessments of the risk

• Policies and procedures that are:
– Risk-based

– Cost-effective

– Reduce IS risks to an acceptable level

– Ensure IS is addressed throughout the system life cycle

• Plans for providing adequate IS for networks, facilities, & information systems (i.e., security planning)

• Security awareness training to inform personnel (including contractors and other users of information systems) of the IS risks and their responsibilities

Page 8

Federal Agency Information Security Programs Must Include (2):

• Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices with a frequency depending on risk, but no less than annually

• Plans and procedures to ensure continuity of operations

• Procedures for detecting, reporting, and responding to security incidents including:

– Mitigating risks before substantial damage is done

– Notifying/consulting with the Federal IS incident response center, law enforcement agencies, IG, other agency or office, in accordance with law or as directed by the President

• A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures and practices of the agency

Page 9

FISMA Tasks for NIST

• Standards to be used by Federal agencies to categorize information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels
• Guidelines recommending the types of information and information systems to be included in each category
• Minimum information security requirements (management, operational, and technical security controls) for information and information systems in each such category

Page 10

FISMA Implementation Project

Phase I: To develop standards and guidelines for:
• Categorizing Federal information and information systems
• Selecting minimum security controls for Federal information systems
• Assessing the security controls in Federal information systems

Phase II: To create a national network of accredited organizations capable of providing cost effective, quality security assessment services based on the NIST standards and guidelines

Page 11

FISMA Implementation Project: Standards and Guidelines

• FIPS Publication 199 (Security Categorization)
• NIST Special Publication 800-37 (C&A)
• NIST Special Publication 800-53 (Security Controls)
• NIST Special Publication 800-53A (Assessment)
• NIST Special Publication 800-59 (National Security)
• NIST Special Publication 800-60 (Category Mapping)
• FIPS Publication 200 (Minimum Security Controls)

Page 12

Information System Security Control Architecture (ISSCA)

Key activities in managing risk to agency operations, agency assets, or individuals resulting from the operation of an information system:
• Categorize the information system
• Select set of minimum (baseline) security controls
• Refine the security control set based on risk assessment
• Document agreed upon security controls in security plan
• Implement the security controls in the information system
• Assess the security controls
• Determine agency-level risk and risk acceptability
• Authorize information system operation
• Monitor security controls on a continuous basis

Page 13

Information System Security Control Architecture (diagram; the steps, their descriptions, and the publications shown beside each step as recoverable from the slide)

• Security Categorization (FIPS 199, SP 800-60): defines the category of the information system according to the potential impact of loss
• Security Control Selection (SP 800-53, FIPS 200): selects minimum security controls (i.e., safeguards and countermeasures) planned or in place to protect the information system
• Security Control Refinement (SP 800-53, FIPS 200): uses risk assessment to adjust the minimum control set based on local conditions, required threat coverage, and specific agency requirements
• Security Control Documentation (SP 800-18): in the system security plan, provides an overview of the security requirements for the information system and documents the security controls planned or in place
• Security Control Implementation: implements security controls in new or legacy information systems
• Security Control Assessment (SP 800-53A, SP 800-37): determines the extent to which the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements
• System Authorization (SP 800-37): determines the risk to agency operations, agency assets, or individuals and, if acceptable, authorizes information system processing
• Security Control Monitoring (SP 800-37): continuously tracks changes to the information system that may affect security controls and assesses control effectiveness

Page 14

Significance of NIST’s activities to the commercial sector (1)

• ISSCA applicable to both government and commercial sector organizations

• NIST is contributing its standards/guidelines to IEEE as candidates for common industry-government standards/guidelines

• NIST Minimum control sets/baselines incorporate security controls from many public and private sector sources:

– CC Part 2

– ISO/IEC 17799

– COBIT

– GAO FISCAM

– NIST SP 800-26 Self Assessment Questionnaire

– CMS (healthcare)

– D/CID 6-3 Requirements

– DoD Policy 8500

– BITS functional packages

Page 15

Significance of NIST’s activities to the commercial sector (2)

• Control sets mapped to threat coverage
– Can be adjusted to widen/reduce threat coverage
– Can be adjusted based on risk analytic process
– Unique, ambitious attempt by NIST to do control mapping
• Control sets adaptable and adoptable by other communities
– Control catalogue provides a rich set of controls to meet many needs
– Communities can tailor control sets/baselines according to their needs
– Healthcare (to demonstrate HIPAA compliance)
– Other communities

Page 16

Significance of NIST’s activities to the commercial sector (3)

• Based on expectations of wide adoption by US government agencies, NIST standards/guidelines may become de facto “due diligence” for commercial sector

• Will result in accredited individuals/organizations competent to perform system security evaluations

• NIST invites industry review and comment on applicability of NIST standards/guidelines to commercial sector systems

• NIST and IEEE invite participation in security standardization activities

Page 17

Contact Information

100 Bureau Drive, Mailstop 8930
Gaithersburg, MD USA 20899-8930

Project Manager: Dr. Ron Ross, (301) 975-5390, [email protected]
Assessment Program: Arnold Johnson, (301) [email protected]
Special Publications: Joan Hash, (301) 975-3357, [email protected]
Assessment Methodologies: Annabelle Lee, (301) [email protected]
Gov’t and Industry Outreach: Dr. Stu Katzke, (301) 975-4768, [email protected]
Technical Advisor: Gary Stoneburner, (301) [email protected]
Organizational Accreditations: Pat Toth, (301) 975-5140, [email protected]
Administrative Support: Peggy Himes, (301) [email protected]

Comments to: [email protected]
World Wide Web: http://csrc.nist.gov/sec-cert

Page 18

Security Certification (of an IT system)

• The comprehensive assessment of the management, operational, and technical security controls in an information system
• Assessment supports the security accreditation process
• Assessment performed by security expert (may be contractor)
• Assesses (in a particular environment of operation) the extent to which the implemented security controls are:
– Correctly implemented
– Operating as intended
– Producing the desired outcome with respect to meeting the system’s security requirements

Page 19

Security Certification (of an IT system) (continued)

• Determines remaining vulnerabilities in the information system based on the assessment.

• The results of a security certification are used to reassess the risks and update the system security plan

• Provides the factual basis for an authorizing official to render a security accreditation decision

Page 20

Security Accreditation (of an IT system)

• Official management decision to authorize operation of a system:
– Made by a senior agency official
– Is applicable to a particular environment of operation of the IT system
– Explicitly accepts the level of residual risk to agency operations (including mission, functions, image or reputation), assets, and individuals that remains after the implementation of an agreed upon set of security controls in the IT system.

Page 21

Security Accreditation (of an IT system) (continued)

• Authorizing agency official accepts:
– Responsibility for system’s security
– Accountability for adverse impacts of security breaches

Page 22

System Security Activities (inside) within the System Development Life Cycle (outside) (diagram; recoverable labels follow)

SDLC phases (outer ring): Initiation; Development/Acquisition; Implementation; Operation/Maintenance; Disposal

Information security activities (inner ring):
• Categorize System
• Risk Assessment
• Security Planning: determine security requirements; select security controls
• Security Control Development
• Developmental Security Test & Evaluation: develop security test plan; test & evaluate security controls
• Security Control Integration
• Security Accreditation
• Continuous Monitoring of Security Control Effectiveness
• Configuration Management and Control

Certification and accreditation annotations (C = Certification, A = Accreditation):
• C: Determine control effectiveness; determine & document residual vulnerabilities
• A: Assess residual risk; make accreditation determination
• C: Assess residual vulnerabilities; A: Assess residual risk

Page 23

Security Controls: Special Publication 800-53

Page 24

Special Publication 800-53

The purpose of SP 800-53 is to provide:
• Guidance on how to use a FIPS Publication 199 security categorization to identify minimum security controls (baseline) for an information system
• Minimum (baseline) sets of security controls for low, moderate, and high impact information systems
• Estimated threat coverage for each baseline
• A catalog of security controls for information systems requiring additional threat coverage

Page 25

Applicability

• Applicable to all Federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542
• Broadly developed from a technical perspective to complement similar guidelines issued by agencies and offices operating or exercising control over national security systems
• Provides guidance to Federal agencies until the publication of FIPS Publication 200, Minimum Security Controls for Federal Information Systems

Page 26

Special Publication 800-53

Special Publication 800-53 is not a tutorial on the security control selection process or a security engineering handbook. An additional guidance document is needed that addresses:
• Relationship of minimum security controls (baselines) to threat coverage
• Relationships among basic, enhanced, and strong controls
• How to select additional security controls from the control catalogue

Page 27

Document Architecture

• Main Body
• Catalog of Security Controls (complete set)
• Minimum Security Controls for Low Impact Systems (subset of controls from catalog)
• Minimum Security Controls for Moderate Impact Systems (subset of controls from catalog)
• Minimum Security Controls for High Impact Systems (subset of controls from catalog)
• Estimated Threat Coverage

Page 28

Security Categorization: FIPS Publication 199

Potential impact (Low / Moderate / High) for each security objective:

Confidentiality
– Low: The loss of confidentiality could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
– Moderate: The loss of confidentiality could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
– High: The loss of confidentiality could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Integrity
– Low: The loss of integrity could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
– Moderate: The loss of integrity could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
– High: The loss of integrity could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Availability
– Low: The loss of availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
– Moderate: The loss of availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
– High: The loss of availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Page 29

Security Categorization: FIPS Publication 199 (same potential-impact table as Page 28)

Example: Law Enforcement Witness Protection Information System

Guidance for Mapping Types of Information and Information Systems to FIPS Publication 199 Security Categories: SP 800-60

Page 30

Security Categorization: FIPS Publication 199 (same potential-impact table as Page 28)

Example: Law Enforcement Witness Protection Information System

Guidance for Mapping Types of Information and Information Systems to FIPS Publication 199 Security Categories: SP 800-60

Minimum Security Controls for High Impact Systems

Page 31

Why High Water Mark

• Strong dependencies among security objectives of confidentiality, integrity, and availability
• In general, the impact values for all security objectives must be commensurate: a lowering of an impact value for one security objective might affect all other security objectives
• Example: A lowering of the impact value for confidentiality and the corresponding employment of weaker security controls may result in a breach of security due to an unauthorized disclosure of system password tables, thus causing a subsequent integrity loss and denial of service…
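A worked example of the categorization and baseline-selection steps the preceding slides describe (FIPS 199 impact values per security objective, the high-water mark, and baselines built from basic, enhanced and strong controls), added here as an illustration; it is not code from the presentation or from NIST. The information types, their impact values, the mini control catalog and its control identifiers are constructed for the example; the per-objective aggregation across information types follows FIPS 199.

```python
"""FIPS 199 security categorization, the high-water mark, and baseline selection.

Added illustration; the information types, impact values and the mini control
catalog below are constructed for the example, not taken from any NIST document.
"""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact values, ordered so max() yields the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class SecurityCategory:
    """SC = {(confidentiality, x), (integrity, y), (availability, z)}."""
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def high_water_mark(self) -> Impact:
        """Overall system impact level: the highest value across the three objectives."""
        return max(self.confidentiality, self.integrity, self.availability)

    def describe(self) -> str:
        return ("SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}"
                % (self.confidentiality.name, self.integrity.name, self.availability.name))


def categorize_system(info_types: dict[str, SecurityCategory]) -> SecurityCategory:
    """FIPS 199 aggregation: each objective of the system takes the highest value
    assigned to that objective across all information types the system handles."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    cats = list(info_types.values())
    return SecurityCategory(
        confidentiality=max(c.confidentiality for c in cats),
        integrity=max(c.integrity for c in cats),
        availability=max(c.availability for c in cats),
    )


# Constructed mini catalog: control identifier -> strength rating, using the
# basic / enhanced / strong terminology from the slides (identifiers are invented).
CATALOG = {
    "AC-1 access control policy": "basic",
    "AC-2 account management": "basic",
    "AC-2(e) automated account review": "enhanced",
    "AU-1 audit policy": "basic",
    "AU-3(s) tamper-resistant audit storage": "strong",
    "IA-2 user identification and authentication": "basic",
    "IA-2(e) multifactor authentication": "enhanced",
    "CP-1 contingency planning policy": "basic",
    "CP-4(s) hot-site failover": "strong",
}

# Baseline composition as drawn on the "Minimum Security Control Sets" slide:
# Baseline #1 (low) = all basic controls, #2 (moderate) = basic + enhanced,
# #3 (high) = basic + enhanced + strong.
BASELINE_STRENGTHS = {
    Impact.LOW: {"basic"},
    Impact.MODERATE: {"basic", "enhanced"},
    Impact.HIGH: {"basic", "enhanced", "strong"},
}


def select_baseline(category: SecurityCategory) -> list[str]:
    """Pick the minimum security control set matching the system's high-water mark."""
    allowed = BASELINE_STRENGTHS[category.high_water_mark()]
    return sorted(cid for cid, strength in CATALOG.items() if strength in allowed)


if __name__ == "__main__":
    # Constructed system: two information types with different impact profiles.
    system = {
        "witness identity records": SecurityCategory(Impact.HIGH, Impact.HIGH, Impact.MODERATE),
        "public press releases": SecurityCategory(Impact.LOW, Impact.MODERATE, Impact.LOW),
    }
    sc = categorize_system(system)
    print(sc.describe(), "-> high-water mark:", sc.high_water_mark().name)
    for cid in select_baseline(sc):
        print("  ", cid)
    # Lowering only the confidentiality value does not change the selected baseline
    # while another objective still sets the high-water mark: the objectives are
    # coupled, which is the dependency the slide argues for.
    lowered = SecurityCategory(Impact.MODERATE, sc.integrity, sc.availability)
    print("after lowering confidentiality:", lowered.high_water_mark().name)
```

The catalog is deliberately tiny so the three baselines can be read off by eye: the low baseline is exactly the basic controls, the moderate baseline adds the enhanced ones, and the high baseline is the whole catalog. Refinement (adding controls from the catalog after a risk assessment) would start from whichever list `select_baseline` returns.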

Page 32

Minimum Security Controls

Minimum security controls and associated threat coverage in each of the designated baselines:
• Provide a starting point for organizations and communities of interest in their security control selection process
• Are used within the context of the agency’s ongoing risk management process

Page 33

Terminology

• Security control strength or goodness rating defined in the control catalog as: Basic, Enhanced, Strong
• Appropriate security controls from the catalog are selected to populate the sets of minimum security controls (baselines) for:
– Low impact information systems
– Moderate impact information systems
– High impact information systems
• No direct correlation between strength/goodness rating and impact level: select the controls best suited to do the job…

Page 34

Minimum Security Control Sets: Baselines Provided by Special Publication 800-53 (diagram; recoverable labels follow)

Security Control Catalog: complete set of basic, enhanced, and strong security controls

Three baselines are selected from the catalog:
• Baseline #1, Minimum Security Controls for Low Impact Information Systems: selection of a subset of security controls from the catalog; all basic level controls
• Baseline #2, Minimum Security Controls for Moderate Impact Information Systems: selection of a subset of security controls from the catalog; combination of basic and enhanced controls
• Baseline #3, Minimum Security Controls for High Impact Information Systems: selection of a subset of security controls from the catalog; combination of basic, enhanced, and strong controls

Page 35

Estimated Threat Coverage Provided by Special Publication 800-53 (diagram; recoverable labels follow)

Security Control Catalog: complete set of basic, enhanced, and strong security controls

Each baseline selected from the catalog carries its own estimated threat coverage:
• Minimum Security Controls for Low Impact Information Systems: Estimated Threat Coverage, Low Baseline
• Minimum Security Controls for Moderate Impact Information Systems: Estimated Threat Coverage, Moderate Baseline
• Minimum Security Controls for High Impact Information Systems: Estimated Threat Coverage, High Baseline

Page 36

Security Control Refinement: Agency-level Activity Guided by Risk Assessment (diagram; recoverable labels follow, numbered 1 to 5 on the slide)

• Starting Point: Minimum Security Controls for Moderate Impact Information Systems (the initial set)
• Estimated Threat Coverage: Initial Coverage
• Risk Assessment Process: incorporates local conditions and specific agency requirements to adjust the initial set of security controls
• Security Control Catalog (complete set of basic, enhanced, and strong security controls): source of Additional Security Controls
• Additional Threat Coverage

Page 37

Tagging of Security Controls

Why aren’t security controls partitioned by security objectives (e.g., C, I, A)?
• In general, it is difficult to assign proper security objectives (i.e., confidentiality, integrity, or availability) to individual security controls
• In many cases, multiple security objectives apply to a single security control
• Availability may be the exception due to the potential for downgrading availability impact values during FIPS 199 security categorizations

Page 38

Cost Effective Implementation: Common Security Controls

Page 39

Common Security Controls

Common security controls are those controls that can be applied to one or more agency information systems and have the following properties:
• The development, implementation, and assessment of common security controls can be assigned to responsible officials or organizational elements (other than the information system owner)
• The results from the assessment of the common security controls can be reused in security certifications and accreditations of agency information systems where those controls have been applied

Page 40

Common Security Controls

• Identification of common security controls is an agency-level activity in collaboration with the Chief Information Officer, authorizing officials, information system owners, system security managers, and system security officers
• Potential for significant cost savings for the agency in security control development, implementation, and assessment

Page 41

Common Security Controls

• Common security controls can be applied agency-wide, site-wide, or to common subsystems and assessed accordingly. For example:
– Contingency planning
– Incident response planning
– Security training and awareness
– Physical and personnel security *
– Common hardware, software, or firmware **

* Related to the concept of site certification in certain communities
** Related to the concept of type certification in certain communities

Page 42

Common Security Controls

Example: Moderate Impact Agency Information Systems (diagram; recoverable labels follow)

• System Specific Security Controls: responsibility of Information System Owners
• Common Security Controls: responsibility of a Designated Agency Official other than the Information System Owner (e.g., Chief Information Officer, Facilities Manager, etc.)

• Common security controls developed, implemented, and assessed one time by designated agency official(s)

• Development and implementation cost amortized across all agency information systems

• Results shared among all information system owners and authorizing officials where common security controls are applied

• Maximum re-use of assessment evidence during security certification and accreditation of information systems

• Security assessment reports provided to information system owners to confirm the security status of common security controls

• Assessments of common security controls not repeated; only system specific aspects when necessary

Page 43: Certification & Accreditation: Special Publication 800-37

Page 44: System Security Activities (Inside) within the System Development Life Cycle (Outside)

(Figure: life-cycle phases on the outside: Initiation, Development/Acquisition, Implementation, Operation/Maintenance, Disposal. Information security activities on the inside: Categorize System; Risk Assessment; Security Planning (Determine Security Requirements, Select Security Controls); Security Control Development; Developmental Security Test & Evaluation (Develop Security Test Plan, Test & Evaluate Security Controls); Security Control Integration; Security Accreditation; Continuous Monitoring of Security Control Effectiveness; Configuration Management and Control. Annotations: C: Determine control effectiveness; Determine & document residual vulnerabilities. A: Assess residual risk; Make accreditation determination. C: Assess residual vulnerabilities; A: Assess residual risk. C = Certification, A = Accreditation.)

Page 45: Key Roles

• Authorizing Official
• Authorizing Official Designated Representative
• Chief Information Officer
• Senior Agency Information Security Officer
• Information System Owner
• Information System Security Officer
• Certification Agent
• User Representatives

Page 46: Authorizing Official

• Reviews and approves the security categorizations of information systems

• Reviews and approves system security plans

• Determines agency-level risk from information generated during the security certification

• Makes accreditation decisions and signs associated transmittal letters for accreditation packages (authorizing official only)

• Reviews security status reports from continuous monitoring operations; initiates reaccreditation actions

Page 47: Designated Representative

• Selected by the authorizing official to coordinate and carry out the necessary activities required during the security certification and accreditation process

• Empowered to make certain decisions with regard to the:
– Planning and resourcing of the security certification and accreditation activities
– Acceptance of the system security plan
– Determination of risk to agency operations, assets, and individuals

• Prepares accreditation decision letter

• Obtains authorizing official's signature on the accreditation decision letter and transmits accreditation package to appropriate agency officials

Page 48: Chief Information Officer

• Designates a senior agency information security officer

• Develops and maintains information security policies, procedures, and control techniques to address all applicable requirements

• Trains and oversees personnel with significant responsibilities for information security

• Assists senior agency officials concerning their security responsibilities

• Coordinates with other senior agency officials, reporting annually to the agency head on the effectiveness of the agency information security program

Page 49: Senior Agency Information Security Officer

• Serves in a position with primary responsibilities and duties related to information security

• Carries out the Chief Information Officer responsibilities under FISMA

• Possesses professional qualifications required to administer information security program functions

• Heads an office with the mission and resources to assist in ensuring agency compliance with FISMA

Page 50: Information System Owner

• Procures, develops, integrates, modifies, operates, or maintains an information system

• Prepares system security plan and conducts risk assessment

• Informs agency officials of the need for certification and accreditation; ensures appropriate resources are available

• Provides necessary system-related documentation to the certification agent

• Prepares plan of action and milestones to reduce or eliminate vulnerabilities in the information system

• Assembles final accreditation package and submits to authorizing official

Page 51: Information System Security Officer

• Serves as principal staff advisor to the system owner on all matters involving the security of the information system

• Manages the security aspects of the information system and, in some cases, oversees the day-to-day security operations of the system

• Assists the system owner in:
– Developing and enforcing security policies for the information system
– Assembling the security accreditation package
– Managing and controlling changes to the information system and assessing the security impacts of those changes

Page 52: Certification Agent

• Provides an independent assessment of the system security plan

• Assesses the security controls in the information system to determine the extent to which the controls are:
– Implemented correctly;
– Operating as intended; and
– Producing the desired outcome with respect to meeting the security requirements of the system

• Provides recommended corrective actions to reduce or eliminate vulnerabilities in the information system

Page 53: User Representatives

• Represent the operational interests and mission needs of the user community

• Identify mission and operational requirements

• Serve as liaisons for the user community throughout the system development life cycle

• Assist in the security certification and accreditation process, when needed

Page 54: Other Supporting Roles

• Information Owner
• Operations Manager
• Facilities Manager
• System Administrator

Page 55: Accreditation Boundaries

• Uniquely assigning information resources to an information system defines the security accreditation boundary for that system

• Agencies have great flexibility in determining what constitutes an information system and the resulting accreditation boundary that is associated with that system

Page 56: Accreditation Boundaries

• If a set of information resources is identified as an information system, the resources should generally be under the same direct management control

• Consider if the information resources being identified as an information system:
– Have the same function or mission objective and essentially the same operating characteristics and security needs
– Reside in the same general operating environment (or, in the case of a distributed information system, reside in various locations with similar operating environments)

Page 57: Large and Complex Systems

• System security plan reflects information system decomposition with adequate security controls assigned to each subsystem component

• Security assessment methods and procedures tailored for the security controls in each subsystem component and for the combined system level

• Security certification performed on each subsystem component and on system-level controls not covered by subsystem certifications

• Security accreditation performed on the information system as a whole

(Figure: an Agency General Support System inside one Accreditation Boundary, made up of three subsystem components: Local Area Network Alpha, System Guard, and Local Area Network Bravo.)
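The reuse rules on this slide and on the common security controls example (Page 42), as an added example that is not part of the NIST presentation: a small Python model that partitions a decomposed system's required controls into evidence reused from agency-level common-control assessment reports, controls covered by every subsystem certification, controls the certification agent still has to assess at system level, and failed controls that belong on the plan of action and milestones. The control names, the three subsystems (taken from the figure) and all assessment outcomes are constructed; the rule that a control counts as subsystem-covered only when every subsystem certified it is an assumption of this model, not something the deck states.

```python
"""Evidence reuse when certifying a decomposed information system.

Added example, not part of the NIST presentation. It models three rules from
the slides: common security controls are assessed once at agency level and
their assessment reports are reused; each subsystem component is certified
on its own; only system-level controls not covered by those certifications
are assessed for the system as a whole. Control names, subsystem names and
all assessment outcomes below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CommonControlReport:
    """Security assessment report for one common control, produced by the
    designated agency official (e.g. CIO, Facilities Manager), not the owner."""
    control: str
    owner: str
    satisfied: bool


@dataclass
class Subsystem:
    name: str
    # control -> outcome recorded in this subsystem's own certification
    certified: dict = field(default_factory=dict)


@dataclass
class InformationSystem:
    name: str
    required: set          # controls the system must satisfy
    inherited: set         # subset of required that the agency applies as common controls
    subsystems: list = field(default_factory=list)


def plan_certification(system, reports):
    """Partition system.required by where assessment evidence comes from.

    reused            common controls whose agency report shows them satisfied
    subsystem_covered controls every subsystem certified as satisfied
    system_level      controls with no usable evidence; the certification agent
                      must assess these at the system level
    poam              controls with a failed assessment somewhere; they belong on
                      the plan of action and milestones
    Modeling assumption: a control is subsystem-covered only when every
    subsystem certified it; partial coverage is treated as a system-level gap.
    """
    reused, covered, system_level, poam = set(), set(), set(), set()
    for ctl in system.required:
        if ctl in system.inherited:
            report = reports.get(ctl)
            if report is None:
                # Claimed as common, but no assessment report was provided:
                # there is no evidence to reuse, so it must still be assessed.
                system_level.add(ctl)
            elif report.satisfied:
                reused.add(ctl)
            else:
                poam.add(ctl)
            continue
        outcomes = [s.certified[ctl] for s in system.subsystems if ctl in s.certified]
        if outcomes and not all(outcomes):
            poam.add(ctl)
        elif outcomes and len(outcomes) == len(system.subsystems):
            covered.add(ctl)
        else:
            system_level.add(ctl)
    return {"reused": reused, "subsystem_covered": covered,
            "system_level": system_level, "poam": poam}


def example_system():
    """Constructed data: the general support system from the slide figure."""
    reports = {
        "contingency-planning": CommonControlReport("contingency-planning", "CIO", True),
        "incident-response": CommonControlReport("incident-response", "CIO", True),
        "security-training": CommonControlReport("security-training", "CIO", True),
        "physical-security": CommonControlReport("physical-security", "Facilities Manager", False),
        # deliberately no report for "personnel-security"
    }
    inherited = {"contingency-planning", "incident-response", "security-training",
                 "physical-security", "personnel-security"}
    specific = {"audit-logging", "access-control", "boundary-protection",
                "system-interconnection"}
    system = InformationSystem(
        name="Agency General Support System",
        required=inherited | specific,
        inherited=inherited,
        subsystems=[
            Subsystem("Local Area Network Alpha", {"audit-logging": True, "access-control": True}),
            Subsystem("System Guard", {"audit-logging": True, "access-control": True,
                                       "boundary-protection": True}),
            Subsystem("Local Area Network Bravo", {"audit-logging": True, "access-control": False}),
        ],
    )
    return system, reports


if __name__ == "__main__":
    sys_, reps = example_system()
    for bucket, controls in plan_certification(sys_, reps).items():
        print(f"{bucket:18s} {sorted(controls)}")
```

Two behaviours are worth noting. A control the agency lists as common but for which no assessment report has been delivered falls back to system-level assessment, because the slides tie reuse to the report that confirms the control's status; and a control that fails in any one subsystem (access control on LAN Bravo here) is not "covered" anywhere, it goes straight onto the plan of action and milestones.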


Page 62: Accreditation Decisions

• Full Authorization To Operate
• Interim Approval To Operate
• Denial of Authorization to Operate

Page 63: Full Authorization to Operate

• Risk to agency operations, agency assets, or individuals is deemed fully acceptable to the authorizing official

• Information system is accredited without any significant restrictions or limitations on its operation

• Authorizing officials may recommend specific actions be taken to reduce or eliminate identified vulnerabilities, where it is cost effective to do so

Page 64: Interim Approval To Operate

• Risk to agency operations, agency assets, or individuals is not deemed fully acceptable to the authorizing official, but there is an overarching mission necessity to place the information system into operation or continue its operation

• Limited authorization to operate the information system under specific terms and conditions

• Acknowledges greater risk to the agency for a limited period of time

Page 65: Interim Approval To Operate

• Terms and conditions, established by the authorizing official, convey limitations on information system operations

• Information system is not considered accredited during the period of limited authorization to operate

• Maximum allowable timeframe for an interim approval to operate should generally not exceed one year, including all extensions

Page 66: Interim Approval To Operate

• At the end of the period of limited authorization, the information system should either meet the requirements for being fully authorized or not be authorized for further operation

• Renewals or extensions to interim approvals to operate should be discouraged and approved by authorizing officials only under the most extenuating circumstances

• Security control effectiveness should be monitored during the period of limited authorization

Page 67: Denial of Authorization to Operate

• The residual risk to the agency's operations or assets is deemed unacceptable to the authorizing official

• Information system is not accredited and should not be placed into operation; for an information system currently in operation, all activity should be halted

• Major deficiencies in the security controls in the information system; corrective actions should be initiated immediately

Page 68: Accreditation Package

• Approved system security plan
• Security assessment report
• Plan of action and milestones

Page 69: Accreditation Package

• Documents the results of the security certification

• Provides the authorizing official with the essential information needed to make a credible risk-based decision on whether to authorize operation of the information system

• Uses inputs from the information system security officer and the certification agent

Page 70: System Security Plan

• Prepared by the information system owner

• Provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements

• Contains (either as supporting appendices or as references) other key security-related documents for the information system (e.g., risk assessment, contingency plan, incident response plan, system interconnection agreements)

Page 71: Security Assessment Report

• Prepared by the certification agent

• Provides the results of assessing the security controls in the information system to determine the extent to which the controls are:
– Implemented correctly
– Operating as intended
– Producing the desired outcome with respect to meeting the system security requirements

• Contains a list of recommended corrective actions

Page 72: Plan of Action and Milestones

• Prepared by the system owner

• Describes the measures that have been implemented or planned to:
– Correct any deficiencies noted during the assessment of the security controls
– Reduce or eliminate known vulnerabilities in the information system

Page 73: Accreditation Decision Letter

• Constructed from information provided by the information system owner in the accreditation package

• Consists of:
– Accreditation decision
– Supporting rationale for the decision
– Specific terms and conditions imposed on the system owner

The contents of security certification and accreditation-related documentation (especially information dealing with system vulnerabilities) should be marked and protected appropriately in accordance with agency policy.

Page 74: The C&A Process

• Initiation Phase
• Security Certification Phase
• Security Accreditation Phase
• Continuous Monitoring Phase

Page 75: Initiation Phase: Major Tasks and Subtasks

• Task 1: Preparation
– Subtask 1.1: Information System Description
– Subtask 1.2: Security Categorization
– Subtask 1.3: Threat Identification
– Subtask 1.4: Vulnerability Identification
– Subtask 1.5: Security Control Identification
– Subtask 1.6: Initial Risk Determination

• Task 2: Notification and Resource Identification
– Subtask 2.1: Notification
– Subtask 2.2: Planning and Resources

Page 76: Initiation Phase: Major Tasks and Subtasks

• Task 3: System Security Plan Analysis, Update, and Acceptance
– Subtask 3.1: Security Categorization Review
– Subtask 3.2: System Security Plan Analysis
– Subtask 3.3: System Security Plan Update
– Subtask 3.4: System Security Plan Acceptance

Page 77: Security Certification Phase: Major Tasks and Subtasks

• Task 4: Security Control Assessment
– Subtask 4.1: Documentation and Supporting Materials
– Subtask 4.2: Reuse of Assessment Results
– Subtask 4.3: Methods and Procedures
– Subtask 4.4: Security Assessment
– Subtask 4.5: Security Assessment Report

• Task 5: Security Certification Documentation
– Subtask 5.1: Findings and Recommendations
– Subtask 5.2: System Security Plan Update
– Subtask 5.3: Accreditation Package Assembly

Page 78: Security Accreditation Phase: Major Tasks and Subtasks

• Task 6: Accreditation Decision
– Subtask 6.1: Final Risk Determination
– Subtask 6.2: Risk Acceptability

• Task 7: Accreditation Documentation
– Subtask 7.1: Accreditation Package Transmission
– Subtask 7.2: System Security Plan Update

Page 79: Continuous Monitoring Phase: Major Tasks and Subtasks

• Task 8: Configuration Management and Control
– Subtask 8.1: Documentation of System Changes
– Subtask 8.2: Security Impact Analysis

• Task 9: Security Control Monitoring
– Subtask 9.1: Security Control Selection
– Subtask 9.2: Selected Security Control Assessment

• Task 10: Status Reporting and Documentation
– Subtask 10.1: System Security Plan Update
– Subtask 10.2: Status Reporting

Page 80: Certification and Accreditation for Low Impact Information Systems

• Incorporates the use of self-assessment activities

• Reduces the associated level of supporting documentation and paperwork

• Decreases the time spent conducting assessment-related activities

• Significantly reduces costs to the agency without increasing agency-level risk or sacrificing the overall security of the information system

Page 81: Summary

Page 82: The Bottom Line

Standardized security controls facilitate:

• More consistent, comparable specifications of security controls for information systems

• Comparability of security plans among business/mission partners

• A better understanding of the effectiveness of business/mission partners' security controls and the vulnerabilities in their information systems

• Greater insights into business/mission partners' due diligence with regard to security and tolerance for agency-level, mission-related risk

Page 83: NIST Standards and Guidelines

Are intended to promote and facilitate:

• More consistent, comparable specifications of security controls for information systems

• More consistent, comparable, and repeatable system assessments of information systems

• More complete and reliable security-related information for authorizing officials

• A better understanding of complex information systems and associated risks and vulnerabilities

• Greater availability of competent security assessment services

Page 84: FISMA Implementation Project Standards and Guidelines

• FIPS Publication 199 (Security Categorization)
• NIST Special Publication 800-37 (C&A)
• NIST Special Publication 800-53 (Security Controls)
• NIST Special Publication 800-53A (Assessment)
• NIST Special Publication 800-59 (National Security)
• NIST Special Publication 800-60 (Category Mapping)
• FIPS Publication 200 (Minimum Security Controls)

Page 85: Contact Information

100 Bureau Drive, Mailstop 8930
Gaithersburg, MD USA 20899-8930

• Project Manager: Dr. Ron Ross, (301) 975-5390, [email protected]
• Assessment Program: Arnold Johnson, [email protected]
• Special Publications: Joan Hash, (301) 975-3357, [email protected]
• Assessment Methodologies: Annabelle Lee, [email protected]
• Gov't and Industry Outreach: Dr. Stu Katzke, (301) 975-4768, [email protected]
• Technical Advisor: Gary Stoneburner, [email protected]
• Organizational Accreditations: Pat Toth, (301) 975-5140, [email protected]
• Administrative Support: Peggy Himes, [email protected]

Comments to: [email protected]
World Wide Web: http://csrc.nist.gov/sec-cert