Understanding the Risk Management Framework & (ISC)2 CAP Module 2: Introduction

Page 1: Understanding the Risk Management Framework & (ISC)2 CAP Module 2: Introduction
Presentation Notes: © 2016 Maze & Associates, Revision 10 (March 2016). Images from Microsoft Clipart unless otherwise noted; other sources: NIST and Donald E. Hester. Picture: Muir Beach, North of San Francisco, CA, photo by Donald E. Hester, all rights reserved.
Page 2
Purpose of Security Authorization
• What is Security Authorization?
• Employing an applicable Security Authorization Process
• Roles and Responsibilities
• Legal, Regulatory and Other Requirements
• Common Controls and Control Inheritance
• Risk Management Framework (RMF) Phases
• System Development Life Cycle (SDLC)
Page 3
Presentation Notes: Picture: Fiori di Como, Bellagio Hotel, Las Vegas, NV, photo by Donald E. Hester, all rights reserved.
Read: Official (ISC)2 Guide to CAP CBK, Second Edition, Chapter 1, Introduction.
Page 4
Introduction
• Background
• A Risk Based Approach
• What is Certification and Accreditation
• What is the NIST Risk Management Framework
• What is Authorization
• Systems Security Approach
• Benefits
• External Drivers
Page 5
History
There is an obligation for each agency (or organization) to properly secure information.
• Computer Security Act 1987
• OMB A-130 Appendix III implemented the act
• National Computer Security Center (NCSC): NCSC-TG-029, Introduction to Certification and Accreditation, by NSA in 1994
• DoD: DITSCAP
• NSA: NIACAP in 2000
• FISMA made law for public agencies: Federal Information Security Management Act 2002 (FISMA)
• NIST created standards and guidelines for implementation
• DoD: DIACAP, DoD Instruction 8510.01 in 2007
• Coming soon: Department of Defense Information Assurance Risk Management Framework (DIARMF)
Page 6
Standards and Guidelines
• Public Law: compulsory and binding
• Federal Information Processing Standards (FIPS): compulsory and binding; high-level objectives
• NIST Special Publications (SP): OMB requires federal agencies to follow certain SPs; lower, more specific objectives; some flexibility in how agencies apply the guidance
• NISTIR and ITL publications are mandatory only when specified by OMB
• OMB policies, directives and memoranda
• DoD and CNSS Instructions
Page 7
What is FISMA?
• E-Government Act (Public Law 107-347) passed and signed into law in December 2002
• Title III of the E-Government Act: Federal Information Security Management Act (FISMA) (44 USC § 351)
• Required for all government agencies:
  • To develop, document, and implement an agency-wide information security program
  • To provide information security for the information and systems that support the operations and assets of the agency
• Applies to contractors and other sources
Page 8
A Risk Based Approach
• Emphasize a risk-based policy for cost-effective security:
  • FISMA
  • The Paperwork Reduction Act of 1995
  • The Information Technology Management Reform Act of 1996 (Clinger-Cohen Act)
• Supported by the Office of Management and Budget (OMB) through Circular A-130, Appendix III, Security of Federal Automated Information Resources
• OMB defines adequate security as security commensurate with risk, to include the magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.
Page 9
FISMA Goals
• Secure Federal Government systems
• Understand risk to the mission at the organization-wide level
• Consistent, comparable, repeatable, complete, reliable, trustworthy
Page 10
Common Foundation
• Collaboration between:
  • National Institute of Standards and Technology (NIST)
  • Office of the Director of National Intelligence (ODNI)
  • Department of Defense (DoD)
  • Committee on National Security Systems (CNSS)
  • Public (review and vetting)
• Common foundation:
  • Uniform and consistent risk management
  • Strong basis for reciprocal acceptance across the Defense, Intelligence and Civil sectors; state, local and tribal governments; as well as contractors and private organizations
• The Joint Task Force Transformation Initiative Interagency Working Group is made up of NIST, ODNI, DoD and CNSS
Page 11
Certification and Accreditation
“Certification and accreditation is the methodology used to ensure that security controls are established for an information system, that these controls are functioning appropriately, and that management has authorized the operation of the system in its current security posture.” - Official (ISC)2 Guide to the CAP CBK (1st ed.)
Page 12
Information Assurance
“Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.” - CNSS Instruction No. 4009
Page 13
Recent Changes
• Recent changes transform the traditional Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF)
• The revised process emphasizes:
  • Building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls
  • Maintaining awareness of the security state of information systems on an ongoing basis through enhanced monitoring processes
  • Providing essential information to senior leaders to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the operation and use of information systems
Page 14
Term Transition
From NIST SP 800-37 to NIST SP 800-37 Rev 1, the concepts remain the same but the words change.
Page 15
Certification (now Assessment)
• Detailed security review of an information system
• Comprehensive assessment of:
  • Management security controls
  • Operational security controls
  • Technical security controls
• To determine the extent to which the controls are:
  • Implemented correctly
  • Operating as intended
  • Producing the desired outcome
• Providing the factual basis for an authorizing official to render a security accreditation decision
Page 16
Accreditation (now Authorization)
• Security accreditation is the official management decision to operate
• Given by a senior agency official (management)
• The official should have the authority to oversee the budget and business operations of the information system
• Explicitly accepts the risk to operations, assets and individuals
• Accepts responsibility for the security of the system
• Fully accountable for the security of the system
Page 17
Authorization (new term)
“The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.” - NIST SP 800-37 rev 1
Page 18
Multi-tiered Approach (NIST SP 800-37 Rev 1, § 2.1)
Page 19
Graphic correction: “Bravo”, not “Brovo”.
System Security Approach
• Security not at the application, device, data or user level
• Security that encompasses a system made up of applications, devices, data and users
• Easier and more cost-effective to define ‘systems’ with boundaries and perimeters
• Implement controls based upon the system and not the entire enterprise
Page 20
Benefits
• Information security visibility
• Management involvement
• Management due diligence
• Integrate security
• Consistent implementation
• Common goal
• Ensure minimum security
• Ensure proper controls in place
• Ensure risk-based controls
• Efficient use of resources and funds
Page 21
Discussion: Why are Agencies riddled with security holes?
Picture Source: <http://www.fcw.com/Articles/2009/07/17/Web-GAO-FISMA-info-security.aspx>
Page 22
External Drivers
• Security incidents
• Financial scandals
• Terrorist attacks
• Natural disasters
• Sarbanes-Oxley
• Health Insurance Portability and Accountability Act
• Gramm-Leach-Bliley Act
• Clinger-Cohen
• FISMA
• PCI
Page 23
Example of external drivers: http://gcn.com/articles/2011/07/06/cyber-attacks-take-2-energy-labs-offline.aspx
Page 24
Review: What is the official management decision to operate?
• Certification
• Authorization
• Risk Assessment
• Responsibility
Page 25
Review: What is a comprehensive assessment of management, operational, and technical security controls?
• Certification
• Accreditation
• Risk Assessment
• Authorization
Page 26
Presentation Notes: Picture: Bellagio Hotel, Las Vegas, NV, photo by Donald E. Hester, all rights reserved.
Read: Official (ISC)2 Guide to CAP CBK, Second Edition, Chapter 1, Building a Successful Program.
Page 27
What are some key factors in creating a successful RMF program?
Page 28
The Business Case
• What is the benefit to the organization?
  • Due diligence
  • Accountability
  • Implementation of risk management
  • Visibility of risk
  • Cost-effectiveness
• A strong business case will help enlist support
• The RMF program will help them meet their organizational needs, reach their goals and accomplish their mission
• Security and RMF is a business enabler
Page 29
RMF Goal Setting (typical project management)
Goals must be:
• Realistic
• Comprehensive
• Integrated
• Achievable
• Effective
• Supported
• Enduring
The organization's management, culture, personality and security posture all play a part.
Page 30
Establishing Program Tasks and Milestones (typical project management)
• Project management is the discipline of planning, organizing and managing resources to bring about the successful completion of specific project goals and objectives.
• A project is made up of multiple stages, tasks and milestones.
• A milestone is the end of a stage that marks the completion of a work phase.
• A task is an activity that needs to be accomplished within a defined period of time.
Page 31
Overseeing Program Execution
Page 32
Maintaining Program Visibility
• Need consistent management support
• Without management support people will not fulfill their obligations to the project
• Without management support you will not have access to needed resources and funding
• The Senior Information Security Officer (SISO) can keep the program visible by giving regular updates to C-level management
Presentation Notes: the notes for this slide name this role the Chief Information Security Officer (CISO).
Page 33
Resources
What types of resources might the project need?
• Funds, money, budget
• People, man-hours
• Processes
• Technology
• Outside expertise
• Training
• Automated tools
Use realistic requirements.
Page 34
Developing Guidance
• Document what the program is
• Document how you plan to implement it
• Sample documents: policies, standards, guidelines, procedures
• Should meet organizational business needs
• Describe the process
• Precise, clear and brief
Page 35
Sample RMF (C&A) Policy
Reference: http://www.tess-llc.com/Certification%20&%20Accreditation%20PolicyV4.pdf
Page 36
Life cycle for the development of the documentation for the RMF process (Official (ISC)2 Guide to CAP CBK, Second Edition, Chapter 1, page 15, Table 1.2, RMF Guidance Development Life Cycle):
• Development: Creation, Review, Approval
• Implementation: Communication, Compliance, Exceptions
• Maintenance: Awareness, Monitoring, Enforcement, Maintenance
• Disposal: Retirement
Page 37
Guidance Caution
• Too many rules limit the latitude and innovation that may be needed at lower levels
• Long, cumbersome guidance documents will be ignored
• Limits agility
• Should be easy to access (intranet site)
• System administrators need to use it regularly
Page 38
Program Integration
• Security needs to be baked into the organization
• The C&A program should integrate with other organizational programs, processes and activities, for example:
  • Human resources for background checks
  • Guard service for physical security
  • Accounting for procurement and budget
Page 39
Establishing RMF Points of Contact
• The Chief Information Security Officer (CISO) is directly responsible.
• Other key players:
  • System Owners
  • C&A Workgroup
  • Security Steering Committee
  • IT administrators
• Key areas of knowledge for organizations: operations, hierarchy, management, strategies, initiatives
Page 40
Measuring Progress
Read: Official (ISC)2 Guide to CAP CBK, Second Edition, Chapter 1, pages 20-21.
• Need to have a method for measuring progress and effectiveness.
• Dashboard for an overall status and where additional resources are needed.
• Measures: scope (tasks; type and number of systems), risk (sensitivity and criticality), time (effort, improvements), budget (cost)
Page 41
Tracking Program Activities (keep your eyes on the road)
• Know where you are
• Determine potential hazards (problem forecasting)
• Determine outside influences (track external projects)
• Keep people informed (reporting)
• Know what you have (resource monitoring)
Page 42
Tracking and Monitoring Compliance: how do you hit a moving target?
• Maintenance phase (keep your guard up)
• Updates and maintenance (systems and documentation)
• Plan of Actions and Milestones (POA&M): open items that need to be addressed (mitigation)
• Recertification triggers (reassessment of risk):
  • New vulnerabilities
  • New risks
  • Environment changes
  • Control failure
  • Audit findings
• Reassessment of risk, not just recertification
Page 43
Providing Advice & Assistance
• Need to strive for a consistent approach within the program
• Multiple systems and system owners (enterprise-wide)
• Maintain flexibility for individual systems
• Seek the advice of professionals
• Take suggestions
• Document understandings
Read: Official (ISC)2 Guide to CAP CBK, Second Edition, Chapter 1, pages 23-24.
Page 44
Responding to Change
• Need a process to know when a change has been made that will affect the risk of a system
• Is the change a material change? Significant changes modify the risk to the system
• Recertification triggers (reassessment of risk):
  • New vulnerabilities (major ones, possibly; minor ones are handled by patch management)
  • New risks (brought about by changes)
  • Environment changes (application or OS change)
  • Control failure (controls not working as intended)
  • Audit findings (missing controls)
Read: Official (ISC)2 Guide to CAP CBK, Second Edition, Chapter 1, page 25.
Page 45
Program Awareness, Training and Education
In order to maintain the RMF program:
• Constant reminders (awareness)
• Training (program training, depending on role)
• Education (security and RMF related continuing education)
• Possible to integrate with other training and awareness programs within the organization
• Track training
Read: Official (ISC)2 Guide to CAP CBK, Second Edition, Chapter 1, page 25.
Page 46
Use of Expert Systems
• Automated tools
• Tracking systems
• RMF document management systems
• Audit log management
• Dashboards
• Intrusion Prevention Systems
• Etc.
Read: Official (ISC)2 Guide to CAP CBK, Second Edition, Chapter 1, pages 26-27.
Page 47
Waivers and Exceptions to Policy
There needs to be a process to handle exceptions:
• How will you consider waivers?
• Who makes the decision?
• Can the decision be made in a timely fashion?
• How will the decision be documented?
• Does the system owner accept the risk?
RMF is not supposed to be a paper exercise. RMF is based on risk! RMF helps the organization meet its goals. Waivers should be based on business need.
Read: Official (ISC)2 Guide to CAP CBK, Second Edition, Chapter 1, pages 27-28.
Page 48
Summary
• Business case
• Setting up the program
• Establishing tasks, milestones and goals
• Resources
• Program integration
• Program phases
• Points of contact
• Measuring results
• Tracking progress
• Education, training and awareness
• Exceptions and waivers
Page 49