FISMA It Doesn’t Bite

DojoSec FISMA Presentation



Dan Philpott

• OnPoint Consulting – Consultant
• FISMApedia.org – Founder
• guerilla-ciso.com – Guest Blogger
• Potomac Forum – FISMA Instructor
• CISSP, CAP, MCSE, ITIL

ProType – Beta Tester, 1983

Structure

1. Compliance
2. Story of FISMA
3. How FISMA Works
4. Future of FISMA

Story of FISMA

Once upon a time ...

© Nic's events - Creative Commons Attribution-ShareAlike

The Suck

© thebadastronomer - Creative Commons Attribution-ShareAlike

Barren Wasteland

© Denis Defreyne - Creative Commons Attribution

Toothless Security

© Oscar Alexander - Creative Commons Attribution

9/11

Public Law 107-347: E-Government Act

“Each federal agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source…”

"...information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction..."

Split Duties

• OMB coordinates
• NIST develops guidance

Testing and Evaluation

© humeid - Creative Commons Attribution-NonCommercial-ShareAlike

Reporting

© icadrews - Creative Commons Attribution-NonCommercial

Exemptions

• National Security Systems
• Department of Defense
• Central Intelligence Agency

NO WAIVERS!

© Mel B. - Creative Commons Attribution

Compliance

Compliance = Security

or

Compliance ≠ Security

Network Security
Host Security
Web App Security
Secure Development
Physical Security
Security Training
Cryptography
+ Compliance
= Security

How FISMA Works

NIST Special Publication 800-37: Guide for the Security Certification and Accreditation of Federal Information Systems

NIST Special Publication 800-100: Information Security Handbook: A Guide for Managers

Phases Overview

Phase 1: Initiation
Phase 2: Security Certification
Phase 3: Security Accreditation
Phase 4: Continuous Monitoring

Phase 1: Initiation

NIST FIPS 199: Standards for Security Categorization of Federal Information and Information Systems

NIST Special Publication 800-60: Guide for Mapping Types of Information and Information Systems to Security Categories

NIST Special Publication 800-30: Risk Management Guide for Information Technology Systems

NIST Special Publication 800-18: Guide for Developing Security Plans for Federal Information Systems

NIST FIPS 200: Minimum Security Requirements for Federal Information and Information Systems

NIST Special Publication 800-53: Recommended Security Controls for Federal Information Systems

Before we go further…

• Common Controls
• Tailoring the Baseline
• Compensating Controls

Phase 2: Security Certification

NIST Special Publication 800-53A: Guide for Assessing the Security Controls in Federal Information Systems

Assessment Cases for NIST SP 800-53A

Phase 3: Security Accreditation

NIST Special Publication 800-30: Risk Management Guide for Information Technology Systems

Security Accreditation Package

• System Security Plan
• Security Assessment Report
• Plan of Action and Milestones
• Appendix: Final Risk Assessment

Security Accreditation Decision

• Authorization To Operate (ATO)
• Denial of Authorization To Operate (DATO)
• Interim Authority To Operate (IATO) – Retired

Phase 4: Continuous Monitoring

NIST Special Publication 800-53A: Guide for Assessing the Security Controls in Federal Information Systems

Yearly Assessment

Future of FISMA

NIST Special Publication 800-37 Revision 1: Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach

NIST Special Publication 800-64: Security Considerations in the System Development Life Cycle

System Development Life Cycle (SDLC)

NIST Special Publication 800-39: Managing Risk from Information Systems: An Organizational Perspective

Risk Management Framework

Security Life Cycle (the slide's cycle diagram, listed in step order)

Starting Point → CATEGORIZE Information System: Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business.

SELECT Security Controls: Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.

IMPLEMENT Security Controls: Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.

ASSESS Security Controls: Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system).

AUTHORIZE Information System: Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.

MONITOR Security Controls: Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
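The CATEGORIZE step above rests on the FIPS 199 "high water mark" rule: a system's impact level for each security objective (confidentiality, integrity, availability) is the worst case across the information types it handles, and the overall category that selects the FIPS 200 / SP 800-53 baseline is the worst case across the three objectives. The following Python is an added example written for this page, not code from the presentation or from NIST; the information types and impact values in it are constructed for illustration rather than taken from SP 800-60.

```python
# Added example (not from the slides): FIPS 199 security categorization of
# an information system by the high water mark rule. The system's level for
# each objective is the worst case across its information types; the overall
# level that picks the control baseline is the worst case across objectives.
# Information types and impact values here are constructed for illustration.

from dataclasses import dataclass
from typing import Iterable, Optional

# Ordered so that a larger index means a more severe impact.
IMPACT_LEVELS = ("LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """Provisional FIPS 199 impact levels for one information type.

    FIPS 199 allows confidentiality to be "not applicable" for information
    the agency intends to make public; integrity and availability always
    carry a level, so they are never None here.
    """
    name: str
    confidentiality: Optional[str]  # None means "not applicable"
    integrity: str
    availability: str


def _check_level(level: Optional[str], allow_na: bool) -> None:
    """Reject unknown levels, and N/A anywhere but confidentiality."""
    if level is None:
        if not allow_na:
            raise ValueError("only confidentiality may be not applicable")
        return
    if level not in IMPACT_LEVELS:
        raise ValueError(f"unknown impact level: {level!r}")


def _high_water_mark(levels: Iterable[Optional[str]]) -> Optional[str]:
    """Return the most severe level present, or None if all were N/A."""
    present = [lvl for lvl in levels if lvl is not None]
    if not present:
        return None
    return max(present, key=IMPACT_LEVELS.index)


def categorize_system(info_types: Iterable[InformationType]) -> dict:
    """Compute SC = {(confidentiality, x), (integrity, y), (availability, z)}
    for the system, plus the overall baseline level (worst case across the
    three objectives)."""
    info_types = list(info_types)
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    for it in info_types:
        _check_level(it.confidentiality, allow_na=True)
        _check_level(it.integrity, allow_na=False)
        _check_level(it.availability, allow_na=False)

    category = {
        obj: _high_water_mark(getattr(it, obj) for it in info_types)
        for obj in OBJECTIVES
    }
    # Integrity and availability always carry a level, so the overall
    # mark is never None even when every information type is public.
    category["overall"] = _high_water_mark(category[o] for o in OBJECTIVES)
    return category


def format_category(category: dict) -> str:
    """Render in the FIPS 199 notation, writing N/A for a missing level."""
    parts = ", ".join(
        f"({obj}, {category[obj] or 'N/A'})" for obj in OBJECTIVES
    )
    return f"SC = {{{parts}}}  ->  baseline: {category['overall']}"


if __name__ == "__main__":
    # Constructed sample: a public web site that also takes in benefits
    # claims. The public pages have no confidentiality impact, but the
    # claims data drives the system's confidentiality mark to MODERATE.
    system = [
        InformationType("public web content", None, "LOW", "LOW"),
        InformationType("benefits claims", "MODERATE", "MODERATE", "LOW"),
        InformationType("outage notifications", None, "LOW", "MODERATE"),
    ]
    print(format_category(categorize_system(system)))
```

The point the sample makes is that a single MODERATE information type is enough to set a MODERATE baseline for the whole system, which is why the tailoring and common-control discussion in the slides matters: the high water mark is the starting point, not the final control set.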

Joint Task Force Transformation Initiative

• Office of the Director of National Intelligence
• Department of Defense
• Committee on National Security Systems
• National Institute of Standards and Technology

Publications

NIST Special Publication 800-37 Revision 1: Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach

NIST Special Publication 800-53 Revision 3: Recommended Security Controls for Federal Information Systems and Organizations

NIST Special Publication 800-39: Managing Risk from Information Systems: An Organizational Perspective

Separate National Security System Documents

Security Categorization: NIST FIPS 199 → CNSS Instruction 1199

Security Controls: NIST SP 800-53 → CNSS Instruction 1253

Security Control Assessment: NIST SP 800-53A → CNSS Instruction 1253A

Security Authorization: NIST SP 800-37 = NIST SP 800-37

Continuous Monitoring: NIST SP 800-37 = NIST SP 800-37; NIST SP 800-53A → CNSS Instruction 1253A

Three Phases
1. Preparing For The Authorization
2. Conducting The Authorization
3. Maintaining The Authorization

Phase II

• Organizational Credentialing Program: Credentialing organizations to provide security assessments
• Training Initiative: Quick Start Guides, FAQs, and training class material
• Product and Services Assurance Assessment Initiative: Product specific guidance on 800-53 controls
• Support Tools Initiative: Checklists, programs, protocols, references
• Harmonization Initiative: ISO 27000, ISO 9000, ISO 17000

Senate Bill S. 3474 (110th Congress)

Federal Information Security Management Act of 2008

Sponsored by:
• Tom Carper (D-DE)
• Joseph Lieberman (I-CT)

• Creates CISO Role
• Creates CISO Council
• Requires audits, not evaluations
• DHS – Annual operational evaluations

Senate Bill S. 921

United States Information and Communications Enhancement Act of 2009

Sponsored by Tom Carper (D-DE)
• No Audits
• No CISO Council

Senate Bills S. 773 & S. 778

Cybersecurity Act of 2009

Sponsored by:
• John (Jay) Rockefeller (D-WV)
• Olympia J. Snowe (R-Maine)

Cyber-Katrina

S. 778: Establish Office of the National Cybersecurity Advisor

NIST Resources

They have a few other documents

What Else?
• Bluetooth Security
• Border Gateway Protocol (BGP) Security
• Cell Phone Forensics
• Cell Phone and PDA Security
• Computer Security Log Management
• Contingency Planning
• DNSSEC
• Electronic Mail Security
• Engineering Principles for Security
• Enterprise Password Management
• Firewalls and Firewall Policy
• General Server Security
• IPsec VPNs
• Implementing Cryptography
• Industrial Control Systems Security (SCADA)
• Information Security Handbook
• Information Security Training
• Integrating Forensic Techniques into Incident Response
• Introduction to Computer Security
• Intrusion Detection and Prevention Systems (IDPS)
• Malware Incident Prevention and Handling
• Managing Risk
• Media Sanitization
• Mobile Agent Security
• Network Security Testing
• PBX Vulnerability Analysis
• PDA Forensics
• PKI Specifications
• Patch and Vulnerability Management
• Performance Measurement for Information Security
• Protecting the Confidentiality of Personally Identifiable Information (PII)
• Radio Frequency Identification (RFID) Systems
• Risk Management
• SSL VPNs
• Secure Web Services
• Securing Public Web Servers
• Security Awareness and Training
• Security Configuration Checklists
• Security for VOIP Systems
• Security Content Automation Protocol (SCAP)
• Security Controls
• Security Incident Handling
• Security Metrics
• Security for Telecommuting and Broadband Communications
• Selecting IT Security Products
• Storage Encryption Technologies
• System Development Life Cycle
• Technical Information Security Testing and Assessment
• Technical Models for IT Security
• Telecommunications Security
• Telework and Remote Access
• Wireless Robust Security Networks

Questions?

Links:

NIST Special Publications: http://csrc.nist.gov/publications/PubsSPs.html
NIST FIPS Publications: http://csrc.nist.gov/publications/PubsFIPS.html
NIST Draft Publications: http://csrc.nist.gov/publications/PubsDrafts.html
NIST Interagency Reports: http://csrc.nist.gov/publications/PubsNISTIRs.html
NIST ITL Security Bulletins: http://csrc.nist.gov/publications/PubsITLSB.html
OMB Memoranda: http://www.whitehouse.gov/omb/memoranda_default/

Security Content Automation Protocol: http://nvd.nist.gov/scap.cfm
Federal Desktop Core Configuration: http://nvd.nist.gov/fdcc/index.cfm
National Checklist Program (SP 800-70): http://checklists.nist.gov/
Security Technical Implementation Guides (STIGS): http://iase.disa.mil/stigs/index.html
NSA Security Configuration Guides: http://www.nsa.gov/ia/guidance/security_configuration_guides/index.shtml
The Center for Internet Security (CIS): http://www.cisecurity.org/benchmarks.html

Assessment Cases for SP 800-53A: http://csrc.nist.gov/groups/SMA/fisma/assessment-cases-overview.html
Federal Computer Security Program Managers' Forum: http://csrc.nist.gov/groups/SMA/forum/index.html
Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
Federal Information Systems Security Educators' Association (FISSEA): http://csrc.nist.gov/groups/SMA/fissea/index.html
National Vulnerability Database: http://nvd.nist.gov/

FISMApedia.org: http://fismapedia.org/index.php?title=Main_Page
Guerilla-CISO.com: http://www.guerilla-ciso.com/
How Is That Assurance Evidence?: http://howisthatassuranceevidence.blogspot.com/