NIST Document

Important acronyms
AO = authorizing official
ISO = information system owner
CA = certification agent
NIST 800-37
National Institute of Standards and Technology,
US Department of Commerce
Guide for the Security Certification and
Accreditation of Federal Information Systems
National Policy
Office of Management and Budget Circular A-130,
Management of Federal Information Resources
requires federal agencies to:
• Plan for security
• Ensure that appropriate officials are assigned security
responsibility
• Review security controls
Security Controls
• The countermeasures used to protect assets
and manage the confidentiality, integrity, and
availability of assets.
– Anti-virus software
– Network Firewall
– User awareness training
– Access controls
800-37 Purpose
• Provide guidelines for the security certification
and accreditation of information systems
supporting executive agencies of the US
federal government.
800-37 Purpose
• Enable consistent and repeatable assessments of
information systems
• Promote an understanding of risks involved in
operating information systems
• Create complete and reliable information used by
professionals to make an informed
certification/accreditation decision.
• Assignment of responsibility and accountability to
the individuals overseeing the information system.
Risk Management
Links in the Security Chain: Management, Operational, and Technical Controls
• Risk assessment
• Security planning
• Security policies and procedures
• Contingency planning
• Incident response planning
• Physical security
• Personnel security
• Security assessments
• Security accreditation
• Access control mechanisms
• Identification & authentication mechanisms
(biometrics, tokens, passwords)
• Audit mechanisms
• Encryption mechanisms
• Firewalls and network security mechanisms
• Intrusion detection systems
• Anti-malware
• Smart cards
Adversaries attack the weakest link…where is yours?
Managing Agency Risk
Key activities in managing agency-level risk—risk resulting from the operation
of an information system:
• Select a set of security controls
• Document security controls in the system security plan
• Implement the security controls in the information system
• Assess the security controls
• Determine risk acceptability
• Authorize information system operation
• Monitor security controls on a continuous basis
Certification vs Accreditation
Certification Definition
• Certification occurs when security controls in
the information system are:
– implemented correctly,
– operate as intended, and
– produce the desired outcome
Accreditation Definition
• An acknowledgment of risk acceptance.
Accreditation occurs when the agency has
determined that an accepted level of risk to
assets and operations has been achieved.
The Primary Officials’ Titles
• With regard to the Certification and
Accreditation process, …
– There are titles assigned to individuals within an
agency undergoing certification and accreditation. Many of the titles
can be artificially assigned to meet the suggested
requirements.
– These titles come with a well-defined group of
responsibilities.
The Primary Officials and Their Titles
• Authorizing Official, the AO
• Information System Owner, the ISO
– AKA System Owner
• Certification Agent, the CA
Authorizing Official
• Senior management position
• Formally assumes responsibility for operating an
information system at an acceptable level of risk
to an agency’s assets and operations. (primary
role)
• Is accountable for the risks associated with
operating an information system.
• Oversees the budget and business operations of
the information system
Authorizing Official
• The industry equivalent could include job
titles like VP of Information Technology.
• The AO would report to the CIO
Information System Owner
• Procures, develops, integrates, modifies, operates or
maintains an information system (primary role)
• Responsible for development and maintenance
(sustainability cycle) of the system security plan.
• Ensures the system is deployed and operated according to
the agreed-upon security requirements.
• Grants access (and the respective privileges) to the
information system.
• Provides users and support staff with appropriate security
training.
• Ensures the appropriate resources are available for
certification and accreditation, and reports this to the AO.
Certification Agent
• Provides an independent assessment of the system
security plan (primary role)
• Assesses the security controls in the information
system to determine the extent to which the controls
are:
– Implemented correctly;
– Operating as intended; and
– Producing the desired outcome with respect to meeting the
security requirements
• Provides recommended corrective actions to reduce or
eliminate vulnerabilities in the information system
Certification Agent
• Independent from the persons directly
responsible for the development and
maintenance of the information system’s
operation.
– See FIPS-199 to determine an appropriate level of
independence.
Other Roles
• Authorizing Official Designated Representative,
reports to the AO.
• Chief Information Officer, appoints the SAISO.
• Senior Agency Information Security Officer (SAISO),
liaison between the CIO and the AO.
• Information System Security Officer, reports to
the AO or the ISO.
• User Representatives, those using the
information systems.
Delegation of Roles
• At the discretion of senior agency officials,
roles may be delegated and appropriately
documented.
• Officials may appoint qualified individuals,
including contractors or regular employees.
– Exceptions: Chief Information Officer and Authorizing
Official.
Four phases to the security
certification and accreditation process
1. Initiation
2. Certification
3. Accreditation
4. Monitoring
• Each phase is broken up into tasks and each
task has a series of sub-tasks
Phases, Tasks, & Sub-Tasks
• There are a total of
– 4 phases
– 10 tasks
– 31 sub-tasks
Phase 1: Initiation
• The purpose of this phase is to ensure the AO
and ISO are in agreement with the contents of
the
– System security plan
– System’s security requirements
• The CA begins the assessment of the security
controls for the information system after
phase 1 is completed.
Phase 1: Initiation Tasks
• Three tasks must be completed for the
initiation phase:
1. Preparation
2. Notification and resource identification
3. System security plan analysis, update and
acceptance
The ISO is responsible for all three tasks.
Initiation: Preparation, Task 1
Include the following in a security plan:
• Describe the system and define the boundary
• Determine the security category of the system.
• Identify threats
• Identify vulnerabilities
• Identify the security controls (safeguards to minimize
risks)
• Determine initial risks
Task 1 Guidance Example
• Give the system a unique identification
• Status with respect to the development life-cycle.
• Location
• Contact information
• Purpose and function
• Hardware and software used
• Network topology
• Etc.
Initiation: Notification and Resource
Identification, Task 2
• The ISO notifies officials that the certification
and accreditation procedure is under way.
• The AO prepares a plan of execution to identify
the level of resources required for the
certification and accreditation procedure.
Initiation: Analyze, Update and accept
System Security Plan, Task-3
• Review of the appropriateness of the security
plan by the AO and CA.
• Analyze security plan by the AO and CA.
• Update security plan by the ISO. Updates are
based on recommendations of the CA and AO.
• Obtain AO acceptance of the security plan.
Phase 2: Certification
Two tasks of certification:
1. Assess and evaluate security controls
2. Document security certification
The purpose of this phase is to determine if the
security controls are implemented correctly,
operating as intended, and producing the desired
outcome.
Phase 2: Certification: Assess and evaluate
security controls, Task-4
• Prepare documentation and supporting
materials. This is completed by the ISO for the
CA. Procedures, reports, and logs provide
evidence that the security controls are in place.
• Review methods and test procedures (CA)
• Assess and evaluate security controls (CA)
• Report security assessment results (CA). This is
part of the accreditation package.
Phase 2: Certification: Document security
certification, Task-5
• Provide findings and recommendations (CA)
• Update security plan by the ISO.
• The ISO prepares a plan of action and sets
milestones based on the CA
recommendations.
• The ISO assembles the accreditation package
and submits it to the Authorizing Official.
Phase 3: Accreditation
Two tasks completed by the AO
• Make Security Accreditation decision
• Document Security Accreditation
Accreditation: Make Security Accreditation
Decision, Task 6
• AO determines final risk levels
• AO then makes a decision about accepting
any residual risk.
Possible AO decisions:
1. Authorization to operate
2. Interim authorization to operate under
specific terms and conditions (things to fix).
3. Denial of authorization to operate.
Phase 3: Accreditation: Document Security
Accreditation, Task-7
• The AO transmits the Security Accreditation
package along with the accreditation letter to
the ISO and other officials.
• The ISO updates the security plan
Phase 4: Monitoring
Three tasks managed by the ISO
1. Manage and control configuration
2. Monitor security controls
3. Report and document status
The purpose of this phase is to provide oversight
and monitoring of the security controls in the
information system on an ongoing basis.
Phase 4: Monitoring: Manage and Control
Configuration, Task-8
• The ISO documents system changes.
• The ISO analyzes and documents security
impacts resulting from system changes.
Phase 4: Monitoring: Monitor security
controls, Task 9
• Select in-place security controls to monitor
• Assess selected security controls to determine
if they operate as intended.
Phase 4: Monitoring: Status Reporting and
Documentation, Task-10
• The ISO updates the security plan as dictated by
events over time.
• The ISO updates the plan of action and
milestones.
• The ISO sends the security status of the
information system to the AO.