NIST - ISACA Denver Chapter

Defending the United States in the Digital Age
A Risk Management Framework to Improve Information Security


ISACA Denver Chapter Annual General Meeting
April 19, 2012
Dr. Ron Ross
Computer Security Division
Information Technology Laboratory


      NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY          ‹#›
Part 1: The Fundamentals
Information technology is our greatest strength and at the same time, our greatest weakness…
The Perfect Storm
§ Explosive growth and aggressive use of information technology.
§ Proliferation of information systems and networks with virtually unlimited connectivity.
§ Increasing sophistication of threat including exponential growth rate in malware (malicious code).

Resulting in an increasing number of penetrations of information systems in the public and private sectors…
The Threat Situation
Continuing serious cyber attacks on public and private sector information systems targeting key operations, assets, and individuals…
§ Attacks are organized, disciplined, aggressive, and well resourced; many are extremely sophisticated.
§ Adversaries are nation states, terrorist groups, criminals, hackers, and individuals or groups with hostile intentions.
§ Effective deployment of malware causing significant exfiltration of sensitive information (e.g., intellectual property).
§ Potential for disruption of critical systems and services.
Advanced Persistent Threat
An adversary that —
§ Possesses significant levels of expertise / resources.
§ Creates opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, deception).
§ Establishes footholds within IT infrastructure of targeted organizations—
   § To exfiltrate information.
   § Undermine / impede critical aspects of a mission, program, or organization.
   § Position itself to carry out these objectives in the future.
Unconventional Threats to Security
[Figure: three interrelated unconventional threats: Connectivity, Complexity, Culture]
“Red Zone” Security
The Present
We have our heads under the hood looking at every last detail in the engine compartment—that is, pursuing an endless number of information system vulnerabilities…
Instead of trying to figure out what type of car we need—that is, what level of information system resiliency is necessary to effectively support our core missions and business functions…
Active Cyber Defenses – The Future
§ Develop risk-aware mission and business processes.
§ Develop and implement enterprise architectures with embedded information security architectures that support organizational mission/business processes.
§ Use information technology wisely considering current threat landscape (capabilities, intent, and targeting).
§ Develop and implement robust continuous monitoring programs.
Cyber Defense Vision
Core Principles
§ Strong, resilient, penetration-resistant information systems supporting core missions / mission processes.
§ Ongoing monitoring of the security state of information systems and environments of operation.
§ Continuous improvement in security controls.
§ Flexibility and agility in cyber security and risk management activities.
Core Concepts
IT Products and Systems
§ Modularity.
§ Layering.
§ Monitoring.

To achieve defense-in-depth and defense-in-breadth.
Dual Protection Strategies
§ Boundary Protection
  Primary Consideration: Penetration Resistance
  Adversary Location: Outside the Defensive Perimeter
  Objective: Repelling the Attack
§ Agile Defense
  Primary Consideration: Information System Resilience
  Adversary Location: Inside the Defensive Perimeter
  Objective: Operating while under Attack
Agile Defense
§ Boundary protection is a necessary but not sufficient condition for Agile Defense.
§ Examples of Agile Defense measures:
   § Compartmentalization and segregation of critical assets
   § Targeted allocation of security controls
   § Virtualization and obfuscation techniques
   § Encryption of data at rest
   § Limiting of privileges
   § Routine reconstitution to known secure state
Bottom Line: Limit damage of hostile attack while operating in a (potentially) degraded mode…
Enterprise-Wide Risk Management
§ Multi-tiered Risk Management Approach
§ Implemented by the Risk Executive Function
§ Enterprise Architecture and SDLC Focus
§ Flexible and Agile Implementation

[Figure: three tiers, with a strategic risk focus at the top and a tactical risk focus at the bottom]
  Tier 1: Organization (Governance)
  Tier 2: Mission / Business Process (Information and Information Flows)
  Tier 3: Information System (Environment of Operation)
Characteristics of Risk-Based Approaches (1 of 2)
§ Integrates information security more closely into the enterprise architecture and system life cycle.
§ Promotes near real-time risk management and ongoing system authorization through the implementation of robust continuous monitoring processes.
§ Provides senior leaders with necessary information to make risk-based decisions regarding information systems supporting their core missions and business functions.
Characteristics of Risk-Based Approaches (2 of 2)
§ Links risk management activities at the organization, mission, and information system levels through a risk executive (function).
§ Establishes responsibility and accountability for security controls deployed within information systems.
§ Encourages the use of automation to increase consistency, effectiveness, and timeliness of security control implementation.
Risk Management Process
[Figure: Risk Framing surrounds the process; the three activities Assess, Respond, and Monitor all center on Risk]
Architectural and Engineering Approach
[Figure, top to bottom:]
Organization: risk management strategy
  informs
Mission / Business Processes (several in parallel)
  informs
Enterprise architecture (Reference Models, Segment Architecture, Solution Architecture)
Information security architecture (Security Requirement and Control Allocation)
  informs
Information Systems (several in parallel) within their Environments of Operation
Enterprise Architecture
§ Consolidation.
§ Optimization.
§ Standardization.

Wise use of information technology…

Build a leaner, more streamlined IT infrastructure that facilitates more effective deployment of security controls to organizational information systems and environments of operation.
Risk Management Framework
Security Life Cycle (Starting Point: Categorize; steps follow the cycle clockwise from there)
Step 1, CATEGORIZE Information System: Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business.
Step 2, SELECT Security Controls: Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
Step 3, IMPLEMENT Security Controls: Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.
Step 4, ASSESS Security Controls: Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system).
Step 5, AUTHORIZE Information System: Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
Step 6, MONITOR Security Controls: Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
Defense-in-Depth
Links in the Security Chain: Management, Operational, and Technical Controls

Management and operational controls:
§ Risk assessment
§ Security planning, policies, procedures
§ Configuration management and control
§ Contingency planning
§ Incident response planning
§ Security awareness and training
§ Security in acquisitions
§ Physical security
§ Personnel security
§ Security assessments and authorization
§ Continuous monitoring

Technical controls:
§ Access control mechanisms
§ Identification & authentication mechanisms (Biometrics, tokens, passwords)
§ Audit mechanisms
§ Encryption mechanisms
§ Boundary and network protection devices (Firewalls, guards, routers, gateways)
§ Intrusion protection/detection systems
§ Security configuration settings
§ Anti-viral, anti-spyware, anti-spam software
§ Smart cards

Adversaries attack the weakest link…where is yours?
Why Continuous Monitoring?
§ Determine effectiveness of risk mitigation measures.
§ Identify changes to information systems and environments of operation.
§ Verify compliance.

Bottom Line: Increase situational awareness to help determine risk to organizational operations and assets, individuals, other organizations, and the Nation.
Assurance and Trustworthiness
[Figure, reconstructed as text:]
TRUSTWORTHINESS (Information Systems)
  Security Capability: Prevent Attacks, Deter Attacks, Limit Harm from Attacks, Respond to Attacks, Recover from Attacks
  Trustworthiness rests on two elements:
  FUNCTIONALITY: Security Features, Functions, Services, Mechanisms, Procedures
    Security Strength: Correctness, Completeness, Resistance to Tamper and Bypass
  ASSURANCE: Measures of Confidence
    Development Actions and Operational Actions produce Security Evidence: Development Artifacts, Test/Evaluation Results, Flaw Reports
    Enables Understanding of Security Capability
Unified Information Security Framework
The Generalized Model

Unique Information Security Requirements (the “Delta”), specific to each community: Intelligence Community; Department of Defense; Federal Civil Agencies; CNSS; Private Sector and State/Local Govt.

Common Information Security Requirements: Foundational Set of Information Security Standards and Guidance
   •   Risk management (organization, mission, information system)
   •   Security categorization (information criticality/sensitivity)
   •   Security controls (safeguards and countermeasures)
   •   Security assessment procedures
   •   Security authorization process

Covers national security and non national security information systems.
Joint Task Force Transformation Initiative
A Broad-Based Partnership —
§ National Institute of Standards and Technology
§ Department of Defense
§ Intelligence Community
   § Office of the Director of National Intelligence
   § 17 U.S. Intelligence Agencies
§ Committee on National Security Systems
Joint Task Force Transformation Initiative
Core Risk Management Publications
§ NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View (Completed)
§ NIST Special Publication 800-37, Revision 1, Applying the Risk Management Framework to Federal Information Systems: A Security Lifecycle Approach (Completed)
§ NIST Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments (Projected September 2011, Public Draft)
Joint Task Force Transformation Initiative
Core Risk Management Publications
§ NIST Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations (Completed)
§ NIST Special Publication 800-53A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (Completed)
Focus Areas — 2012 and Beyond
§ Risk Assessment Guideline
§ Systems and Security Engineering Guideline
§ Update to NIST Special Publication 800-53, Revision 4
   § Insider Threats
   § Application Security
   § Supply Chain Security
   § Advanced Persistent Threats
   § Industrial / Process Control Systems
   § Mobile Devices, Cloud Computing
   § Privacy Controls
Part 2: The Risk Management Framework
Risk Management Framework
Security Life Cycle (Starting Point: Categorize), the same six-step cycle shown in Part 1: Categorize Information System, Select Security Controls, Implement Security Controls, Assess Security Controls, Authorize Information System, Monitor Security Controls.
Security Categorization
Example: An Organizational Information System

Guidance for mapping types of information and information systems to FIPS 199 security categories: SP 800-60.

FIPS 199 potential impact definitions, per security objective:

Confidentiality
  LOW: The loss of confidentiality could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  MODERATE: The loss of confidentiality could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  HIGH: The loss of confidentiality could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Integrity
  LOW: The loss of integrity could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  MODERATE: The loss of integrity could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  HIGH: The loss of integrity could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Availability
  LOW: The loss of availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  MODERATE: The loss of availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  HIGH: The loss of availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Example outcome for this system: Baseline Security Controls for High Impact Systems.
Security Controls
§ The management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
Security Control Baselines (Appendix D)
Master Security Control Catalog: Complete Set of Security Controls and Control Enhancements

Baseline #1, Minimum Security Controls for Low Impact Information Systems: Selection of a subset of security controls from the master catalog—consisting of basic level controls.
Baseline #2, Minimum Security Controls for Moderate Impact Information Systems: Builds on low baseline. Selection of a subset of controls from the master catalog—basic level controls, additional controls, and control enhancements.
Baseline #3, Minimum Security Controls for High Impact Information Systems: Builds on moderate baseline. Selection of a subset of controls from the master catalog—basic level controls, additional controls, and control enhancements.
Tailoring Security Controls
Scoping, Parameterization, and Compensating Controls

[Figure: the Baseline Security Controls for Low, Moderate, and High Impact Information Systems (the Low, Moderate, and High Baselines) are each tailored into Tailored Security Controls for Organization #1 in Operational Environment #1, Organization #2 in Operational Environment #2, and Organization #3 in Operational Environment #3]

Cost effective, risk-based approach to achieving adequate information security…
Expanded Tailoring Guidance (1 of 2)
§ Identifying and designating common controls in initial security control baselines.
§ Applying scoping considerations to the remaining baseline security controls.
§ Selecting compensating security controls, if needed.
§ Assigning specific values to organization-defined security control parameters via explicit assignment and selection statements.
Expanded Tailoring Guidance (2 of 2)
§ Supplementing baselines with additional security controls and control enhancements, if needed.
§ Providing additional specification information for control implementation.
Tailoring the Baseline
Document risk management decisions made during the tailoring process to provide information necessary for authorizing officials to make risk-based authorization decisions.
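The categorization, baseline selection and tailoring steps on the preceding slides, worked through in code. This is an added example, not code from the presentation or from NIST: it applies the FIPS 200 high-water-mark rule (an assumption; the slides do not state it) to derive the system impact level from the three FIPS 199 impact levels, selects the nested low/moderate/high baseline, applies the expanded tailoring actions in the order listed, and produces the record of tailoring decisions the authorizing official needs. The control catalog, its baseline allocation and the sample decisions are constructed for illustration and are not the SP 800-53 Appendix D allocation.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() gives the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class SecurityCategory:
    """FIPS 199 security category: one impact level per security objective."""
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def overall(self) -> Impact:
        # FIPS 200 high-water mark (an assumption; the slides do not state it):
        # the system impact level is the highest of the three objectives.
        return max(self.confidentiality, self.integrity, self.availability)


# Constructed illustrative catalog: id -> (title, lowest baseline that includes it,
# organization-defined parameter or None). Not the SP 800-53 Appendix D allocation.
CATALOG = {
    "AC-2": ("Account Management", Impact.LOW, "account review frequency"),
    "AC-6": ("Least Privilege", Impact.MODERATE, None),
    "AU-2": ("Auditable Events", Impact.LOW, "list of auditable events"),
    "CP-9": ("Information System Backup", Impact.LOW, "backup frequency"),
    "IA-2": ("Identification and Authentication", Impact.LOW, None),
    "IA-2(1)": ("IA-2 enhancement: multifactor for privileged access", Impact.MODERATE, None),
    "PE-3": ("Physical Access Control", Impact.LOW, None),
    "SC-7": ("Boundary Protection", Impact.LOW, None),
    "SC-8": ("Transmission Integrity", Impact.MODERATE, None),
    "SC-28": ("Protection of Information at Rest", Impact.HIGH, None),
}


def select_baseline(level: Impact) -> set[str]:
    """Baseline #1/#2/#3: each higher baseline builds on the one below it."""
    return {cid for cid, (_, floor, _) in CATALOG.items() if floor <= level}


@dataclass
class TailoringRecord:
    """Tailoring decisions, documented so the authorizing official can weigh them."""
    system_specific: set[str] = field(default_factory=set)
    common: dict[str, str] = field(default_factory=dict)        # control -> provider
    scoped_out: dict[str, str] = field(default_factory=dict)    # control -> justification
    compensating: dict[str, str] = field(default_factory=dict)  # control -> substitute measure
    parameters: dict[str, str] = field(default_factory=dict)    # control -> assigned value
    supplemented: dict[str, str] = field(default_factory=dict)  # control -> rationale
    open_items: list[str] = field(default_factory=list)         # decisions still unresolved


def tailor(category: SecurityCategory, common: dict[str, str], scoping: dict[str, str],
           compensating: dict[str, str], parameters: dict[str, str],
           supplements: dict[str, str]) -> TailoringRecord:
    """Apply the expanded tailoring guidance to the selected baseline, in the order listed."""
    rec = TailoringRecord()
    remaining = select_baseline(category.overall())
    # 1. Designate common controls: inherited from a provider, so not system-specific.
    for cid, provider in common.items():
        if cid in remaining:
            remaining.remove(cid)
            rec.common[cid] = provider
    # 2. Scoping: drop remaining baseline controls that do not apply, with a justification.
    for cid, why in scoping.items():
        if cid in remaining:
            remaining.remove(cid)
            rec.scoped_out[cid] = why
    # 3. Compensating controls: a baseline control that cannot be met as written is replaced
    #    by an equivalent measure, and the substitution is recorded.
    for cid, substitute in compensating.items():
        if cid in remaining:
            remaining.remove(cid)
            rec.compensating[cid] = substitute
    # 4. Assign organization-defined parameter values; anything unassigned stays open.
    for cid in sorted(remaining):
        param = CATALOG[cid][2]
        if param is None:
            continue
        if cid in parameters:
            rec.parameters[cid] = parameters[cid]
        else:
            rec.open_items.append(f"{cid}: no value assigned for '{param}'")
    # 5. Supplement the baseline with additional catalog controls or enhancements.
    for cid, why in supplements.items():
        if cid in CATALOG:
            remaining.add(cid)
            rec.supplemented[cid] = why
    rec.system_specific = remaining
    return rec


def example() -> TailoringRecord:
    """Constructed walk-through: a moderate-impact system in one operational environment."""
    return tailor(
        SecurityCategory(Impact.MODERATE, Impact.LOW, Impact.LOW),
        common={"PE-3": "facility security office", "SC-7": "agency network perimeter"},
        scoping={"SC-8": "no information is transmitted outside the protected enclave"},
        compensating={"IA-2(1)": "hardware token enforced at the bastion host"},
        parameters={"AC-2": "every 90 days", "CP-9": "daily incremental, weekly full"},
        supplements={"SC-28": "encryption of data at rest (Agile Defense measure)"},
    )
```

The open-items list is the point of the record: an unassigned organization-defined parameter is a decision that has not yet been made, and it must be visible to the authorizing official rather than silently defaulted.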
Common Risk Management Process
§ NIST Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
§ Developed by Joint Task Force Transformation Initiative Working Group
   § Office of the Director of National Intelligence
   § Department of Defense
   § Committee on National Security Systems
   § National Institute of Standards and Technology
§ Final Public Draft (November 2009)
§ Final Publication (February 2010)
Purpose
§ Provide guidelines for applying the Risk Management Framework to federal information systems—
   § To ensure that managing risk from information systems is consistent with mission/business objectives and the overall risk strategy established by the senior leadership through the risk executive (function).
   § To ensure that information security requirements, including necessary security controls, are integrated into the organization’s enterprise architecture and system development life cycle processes.
   § To support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results.
   § To achieve more secure information and information systems through the implementation of appropriate risk mitigation strategies.
Applicability
§ Federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542.
§ National security systems with the approval of federal officials exercising policy authority over such systems.

State, local, and tribal governments, as well as private sector organizations are encouraged to consider using these guidelines, as appropriate.
                            Target Audience
§ Individuals with mission/business ownership responsibilities or
  fiduciary responsibilities.
§ Individuals with information system development and integration
  responsibilities.
§ Individuals with information system and/or security
  management/oversight responsibilities.
§ Individuals with information system and security control
  assessment and monitoring responsibilities.
§ Individuals with information security implementation and
  operational responsibilities.

    Mainstreaming Information Security
§ Information security requirements must be considered
  first order requirements and are critical to mission and
  business success.
§ An effective organization-wide information security
  program helps to ensure that security considerations
  are specifically addressed in the enterprise architecture
  for the organization and are integrated early into the
  system development life cycle.


       System Development Life Cycle (1 of 2)

§ RMF steps are carried out within the five phases of the
  SDLC.
   § System Initiation Phase
   § System Development / Acquisition Phase
   § System Implementation Phase
   § System Operation / Maintenance Phase
   § System Disposal Phase
§ Flexibility on types of SDLC models employed by the
  organization (e.g., spiral, waterfall, agile development).

       System Development Life Cycle (2 of 2)

§ Integrating information security requirements into the
  SDLC provides the most efficient and cost-effective
  method for an organization to ensure that:
   § Cost, schedule, and performance requirements are satisfied.
   § Missions and business operations supported by the information
     system are adequately protected.
   § Security-related activities are carried out as early as possible and
     not repeated unnecessarily.
   § Risk management activities are not isolated or decoupled from the
     management processes employed to develop, implement, operate,
     and maintain the information system.

Applying the Risk Management Framework to Information Systems

[Figure: the six RMF steps, CATEGORIZE Information System, SELECT Security Controls, IMPLEMENT Security Controls, ASSESS Security Controls, AUTHORIZE Information System, and MONITOR Security Controls, arranged in a cycle around the Information System. Inputs: Risk Executive (Function) inputs and output from automated support tools. Artifacts: Security Plan including updated Risk Assessment, Security Assessment Report, Plan of Action and Milestones, Authorization Package, and near real time security status information.]
      Information System Boundaries
§ Define the scope of protection for information systems
  (i.e., what the organization agrees to protect under its
  direct control or within the scope of its responsibilities).
§ Include the people, processes, and technologies that
  are part of the systems supporting the organization’s
  missions and business processes.
§ Need to be established before information system
  security categorization and the development of security
  plans.

          Large and Complex Systems
§ From a centralized development, implementation, and
  operations perspective—
   § The organization examines the purpose of the information system and
     considers the feasibility of decomposing the complex system into more
     manageable components, or subsystems.

§ From a distributed development, implementation, and
  operations perspective—
   § The organization recognizes that multiple entities, possibly operating
     under different policies, may be contributing to the development,
     implementation, and/or operations of the subsystems that comprise the
     overall information system.


       Large and Complex Systems (Including System of Systems)

[Figure: an organizational information system decomposed into subsystems (LAN ONE, GUARD, LAN TWO), connected through a subsystem guard / gateway to dynamic subsystems, with a dynamic external subsystem and a static external subsystem outside the (sub)system boundary.]

    - Security plan reflects information system decomposition with security controls assigned to each subsystem component.
    - Security assessment procedures tailored for the security controls in each subsystem component and for the combined system level.
    - Security control assessment performed on each subsystem component and on system-level controls not covered by subsystem security control assessments.
    - Security authorization conducted on the information system as a whole.
             Security Control Allocation
§ Security controls are defined to be system-specific,
  hybrid, or common.
§ Security controls are allocated to specific components
  of organizational information systems as system-
  specific, hybrid, or common controls.
§ Security control allocations are consistent with the
  organization’s enterprise architecture and information
  security architecture.


                  Security Control Accountability

[Figure: Security Control Accountability. At the top, the RISK EXECUTIVE FUNCTION provides organization-wide risk governance and oversight, drawing on core missions / business processes, security requirements, and policy guidance. In the middle, two INFORMATION SYSTEMS each carry system-specific controls and hybrid controls, with their own Security Plan, Security Assessment Report, and Plan of Action and Milestones, and receive ongoing authorization decisions. At the bottom, COMMON CONTROLS (security controls inherited by organizational information systems) also have a Security Plan, Security Assessment Report, and Plan of Action and Milestones, and receive ongoing authorization decisions. The Risk Management Framework (RMF) ties the layers together. The left axis runs from Strategic Risk Management Focus (top) to Tactical Risk Management Focus (bottom); the right axis notes that the top level risk management strategy informs operational elements enterprise-wide.]
                          The Process




                       RMF Task Structure (1 of 2)
§ Task Section
   § Describes the specific RMF task within the appropriate step in the Risk
      Management Framework.
§ Primary Responsibility Section
   § Lists the individual or group within the organization having primary responsibility for
      executing the RMF task.
§ Supporting Roles Section
   § Lists the supporting roles within the organization that may be necessary to help the
      individual or group with primary responsibility for executing the RMF task.
§ SDLC Phase Section
   § Lists the particular phase of the SDLC when the RMF task is typically executed.


                       RMF Task Structure (2 of 2)

§ Supplemental Guidance Section
   § Provides supplemental guidance for executing the RMF task including additional
      information from relevant supporting security policies, instructions, standards, and
      guidelines.
§ References Section
   § Provides general references to NIST security standards and guidelines that should
      be consulted for additional information with regard to executing the RMF task.
   § Provides specific national security system references to CNSS policies and
      instructions that should be consulted for additional information with regard to
      executing the RMF task when the general references are either insufficient or
      inappropriate for national security application.




                            RMF Step 1 Tasks
                               Categorize Information System

§ Security Categorization
   § Task 1-1: Categorize the information system and document the results of the
        security categorization in the security plan.

§ Information System Description
   § Task 1-2: Describe the information system (including system boundary) and
        document the description in the security plan.

§ Information System Registration
   § Task 1-3: Register the information system with appropriate organizational
        program/management offices.




                   Milestone Checkpoint #1
§ Has the organization completed a security categorization of the information
  system including the information to be processed, stored, and transmitted by
  the system?
§ Are the results of the security categorization process for the information
  system consistent with the organization’s enterprise architecture and
  commitment to protecting organizational mission/business processes?
§ Do the results of the security categorization process reflect the organization’s
  risk management strategy?
§ Has the organization adequately described the characteristics of the
  information system?
§ Has the organization registered the information system for purposes of
  management, accountability, and oversight?

                            RMF Step 2 Tasks
                                     Select Security Controls

§ Common Control Identification
   § Task 2-1: Identify the security controls that are provided by the organization as
        common controls for organizational information systems and document the controls
        in a security plan (or equivalent document).
§ Security Control Selection
   § Task 2-2: Select the security controls for the information system and document
        the controls in the security plan.
§ Monitoring Strategy
   § Task 2-3: Develop a strategy for the continuous monitoring of security control
        effectiveness and any proposed/actual changes to the information system and its
        environment of operation.
§ Security Plan Approval
   § Task 2-4: Review and approve the security plan.

                   Milestone Checkpoint #2 (1 of 3)

§ Has the organization allocated all security controls to the information system
  as system-specific, hybrid, or common controls?
§ Has the organization used its risk assessment (either formal or informal) to
  inform and guide the security control selection process?
§ Has the organization identified authorizing officials for the information
  system and all common controls inherited by the system?
§ Has the organization tailored and supplemented the baseline security
  controls to ensure that the controls, if implemented, adequately mitigate risks
  to organizational operations and assets, individuals, other organizations, and
  the Nation?



                   Milestone Checkpoint #2 (2 of 3)

§ Has the organization addressed minimum assurance requirements for the
  security controls employed within and inherited by the information system?
§ Has the organization consulted information system owners when identifying
  common controls to ensure that the security capability provided by the
  inherited controls is sufficient to deliver adequate protection?
§ Has the organization supplemented the common controls with system-
  specific or hybrid controls when the security control baselines of the common
  controls are less than those of the information system inheriting the controls?
§ Has the organization documented the common controls inherited from
  external providers?



                   Milestone Checkpoint #2 (3 of 3)

§ Has the organization developed a continuous monitoring strategy for the
  information system that reflects the organizational risk management strategy
  and commitment to protecting critical missions and business functions?
§ Have appropriate organizational officials approved security plans containing
  system-specific, hybrid, and common controls?




                            RMF Step 3 Tasks
                                 Implement Security Controls


§ Security Control Implementation
   § Task 3-1: Implement the security controls specified in the security plan.

§ Security Control Documentation
   § Task 3-2: Document the security control implementation, as appropriate, in the
        security plan, providing a functional description of the control implementation
        (including planned inputs, expected behavior, and expected outputs).




                  Milestone Checkpoint #3 (1 of 2)

§ Has the organization allocated security controls as system-specific, hybrid, or
  common controls consistent with the enterprise architecture and information
  security architecture?
§ Has the organization demonstrated the use of sound information system
  and security engineering methodologies in integrating information
  technology products into the information system and in implementing the
  security controls contained in the security plan?
§ Has the organization documented how common controls inherited by
  organizational information systems have been implemented?




                  Milestone Checkpoint #3 (2 of 2)
§ Has the organization documented how system-specific and hybrid security
  controls have been implemented within the information system taking into
  account specific technologies and platform dependencies?
§ Has the organization taken into account the minimum assurance
  requirements when implementing security controls?




                            RMF Step 4 Tasks
                                    Assess Security Controls

§ Assessment Preparation
   § Task 4-1: Develop, review, and approve a plan to assess the security controls.
§ Security Control Assessment
   § Task 4-2: Assess the security controls in accordance with the assessment
        procedures defined in the security assessment plan.
§ Security Assessment Report
   § Task 4-3: Prepare the security assessment report documenting the issues,
        findings, and recommendations from the security control assessment.
§ Remediation Actions
   § Task 4-4: Conduct initial remediation actions on security controls based on the
        findings and recommendations of the security assessment report and reassess
         remediated control(s), as appropriate.


                  Milestone Checkpoint #4 (1 of 2)
§ Has the organization developed a comprehensive plan to assess the security
  controls employed within or inherited by the information system?
§ Was the assessment plan reviewed and approved by appropriate
  organizational officials?
§ Has the organization considered the appropriate level of assessor
  independence for the security control assessment?
§ Has the organization provided all of the essential supporting assessment-
  related materials needed by the assessor(s) to conduct an effective security
  control assessment?
§ Has the organization examined opportunities for reusing assessment results
  from previous assessments or from other sources?


                  Milestone Checkpoint #4 (2 of 2)
§ Did the assessor(s) complete the security control assessment in
  accordance with the stated assessment plan?
§ Did the organization receive the completed security assessment report with
  appropriate findings and recommendations from the assessor(s)?
§ Did the organization take the necessary remediation actions to address the
  most important weaknesses and deficiencies in the information system and its
  environment of operation based on the findings and recommendations in the
  security assessment report?
§ Did the organization update appropriate security plans based on the findings
  and recommendations in the security assessment report and any subsequent
  changes to the information system and its environment of operation?


                            RMF Step 5 Tasks
                                Authorize Information System
§ Plan of Action and Milestones
   § Task 5-1: Prepare the plan of action and milestones based on the findings and
        recommendations of the security assessment report excluding any remediation
        actions taken.
§ Security Authorization Package
   § Task 5-2: Assemble the security authorization package and submit the package to
        the authorizing official for adjudication.
§ Risk Determination
   § Task 5-3: Determine the risk to organizational operations (including mission,
        functions, image, or reputation), organizational assets, individuals, other
        organizations, or the Nation.
§ Risk Acceptance
   § Task 5-4: Determine if the risk to organizational operations, organizational assets,
        individuals, other organizations, or the Nation is acceptable.
                  Milestone Checkpoint #5 (1 of 2)
§ Did the organization take the necessary remediation actions to address the
  most important weaknesses and deficiencies in the information system and its
  environment of operation based on the findings and recommendations in the
  security assessment report?
§ Did the organization develop an appropriate authorization package with all
  key documents including the security plan, security assessment report, and
  plan of action and milestones (if applicable)?




                  Milestone Checkpoint #5 (2 of 2)
§ Did the final risk determination and risk acceptance by the authorizing
  official reflect the risk management strategy developed by the organization
  and conveyed by the risk executive (function)?

§ Was the authorization decision conveyed to appropriate organizational
  personnel including information system owners and common control
  providers?




                            RMF Step 6 Tasks
                                   Monitor Security Controls

§ Information System and Environment Changes
   § Task 6-1: Determine the security impact of proposed or actual changes to the
        information system and its environment of operation.
§ Ongoing Security Control Assessments
   § Task 6-2: Assess a selected subset of the technical, management, and
        operational security controls employed within and inherited by the information
        system in accordance with the organization-defined monitoring strategy.
§ Ongoing Remediation Actions
   § Task 6-3: Conduct selected remediation actions based on the results of ongoing
        monitoring activities, assessment of risk, and the outstanding items in the plan of
        action and milestones.
§ Key Updates
   § Task 6-4: Update the security plan, security assessment report, and plan of action
        and milestones based on the results of the continuous monitoring process.
                             RMF Step 6 Tasks (continued)
                                    Monitor Security Controls

§ Security Status Reporting
   § Task 6-5: Report the security status of the information system (including the
        effectiveness of security controls employed within and inherited by the system) to
        appropriate organizational officials on an ongoing basis in accordance with the
        organization-defined monitoring strategy.
§ Ongoing Risk Determination and Acceptance
   § Task 6-6: Review the reported security status of the information system (including
        the effectiveness of security controls employed within and inherited by the system)
        on an ongoing basis in accordance with the monitoring strategy to determine
        whether the risk to organizational operations, organizational assets, individuals,
        other organizations, or the Nation remains acceptable.
§ Information System Removal and Decommissioning
   § Task 6-7: Implement an information system decommissioning strategy, when
        needed, which executes required actions when a system is removed from service.

                  Milestone Checkpoint #6 (1 of 2)
§ Is the organization effectively monitoring changes to the information system
  and its environment of operation including the effectiveness of deployed
  security controls in accordance with the continuous monitoring strategy?
§ Is the organization effectively analyzing the security impacts of identified
  changes to the information system and its environment of operation?
§ Is the organization conducting ongoing assessments of security controls in
  accordance with the monitoring strategy?
§ Is the organization taking the necessary remediation actions on an ongoing
  basis to address identified weaknesses and deficiencies in the information
  system and its environment of operation?



                  Milestone Checkpoint #6 (2 of 2)
§ Does the organization have an effective process in place to report the
  security status of the information system and its environment of operation to
  the authorizing officials and other designated senior leaders within the
  organization on an ongoing basis?
§ Is the organization updating critical risk management documents based on
  ongoing monitoring activities?
§ Are authorizing officials conducting ongoing security authorizations by
  employing effective continuous monitoring activities and communicating
  updated risk determination and acceptance decisions to information system
  owners and common control providers?




     Recognition of Authorization Results

[Figure: Organization One and Organization Two, each with an INFORMATION SYSTEM and its Security Plan, Security Assessment Report, and Plan of Action and Milestones. Business / mission information flows between the two systems, and security authorization information is exchanged between the organizations. Each organization determines the risk to its operations and assets, individuals, other organizations, and the Nation, and the acceptability of such risk.]

The objective is to achieve transparency of prospective partner’s information security
authorization processes…establishing trust relationships based on common, shared
risk management principles.
                 Contact Information
100 Bureau Drive Mailstop 8930
Gaithersburg, MD USA 20899-8930

Project Leader: Dr. Ron Ross, (301) 975-5390, ron.ross@nist.gov
Administrative Support: Peggy Himes, (301) 975-2489, peggy.himes@nist.gov

Senior Information Security Researchers and Technical Support:
Marianne Swanson, (301) 975-3293, marianne.swanson@nist.gov
Kelley Dempsey, (301) 975-2827, kelley.dempsey@nist.gov
Pat Toth, (301) 975-5140, patricia.toth@nist.gov
Arnold Johnson, (301) 975-3247, arnold.johnson@nist.gov

Web: csrc.nist.gov/sec-cert
Comments: sec-cert@nist.gov