NIST, FIPS, and you. . .
Bob Grill, Medi-Cal ISO
July 16, 2009

Overview: NIST, FISMA, FIPS, OMB A-130

Security Characteristics
• Dynamic
~The definition of "secure" changes continuously.
~Extremely expensive and does not increase productivity.
~Not visible to daily operations, until something bad happens.
~Problems can't be fixed immediately, so you have to know about them immediately: define "risk" up front to avoid "cost" later.
• Governance
~Set standards, then keep changing them as the threat changes.
~NIST security guidance has been legislated and made mandatory (OMB Circular A-130).
~Continuous monitoring to address volatile controls (manual processes or rapidly changing environments).
~Control change: a security risk assessment process.
~Periodic independent security certification and accreditation.
~Plan of Action and Milestones (POA&M).
~Set baseline standards.
~Host intrusion detection, logging and monitoring.

FISMA
• Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. § 3541 et seq.)
~U.S. federal law enacted in 2002 as Title III of the E-Government Act of 2002 (Pub.L. 107-347, 116 Stat. 2899).
~Meant to bolster computer and network security within the federal government and affiliated parties (such as government contractors) by mandating yearly audits.

FISMA Says Follow FIPS
• Federal Information Processing Standards Publications (FIPS PUBS)
~Issued by NIST after approval by the Secretary of Commerce, pursuant to Section 5131 of the Information Technology Management Reform Act of 1996 (PL 104-106) and FISMA (PL 107-347).
~Under FISMA, federal agencies may no longer waive a FIPS: the standards are mandatory.
• Summary: 15 FIPS PUBS
• Security essentials:
~FIPS 199: Standards for Security Categorization of Federal Information and Information Systems
~FIPS 200: Minimum Security Requirements for Federal Information and Information Systems
~FIPS 140-2: Security Requirements for Cryptographic Modules (FIPS 140-3 was still a draft at the time of this talk)

FIPS 199
• Standards for Security Categorization of Federal Information and Information Systems
~Defines the method for rating the impact of a loss of confidentiality, integrity or availability as LOW, MODERATE or HIGH.
• Assess impact
~Because categorization is driven by impact, risk acceptance is not an option: the impact of losing the information does not change when the threat or the budget does.
~Mitigating controls are the only option.
~The result is written as SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}.

Potential Impact (FIPS 199, Table 1)

Security objective: Confidentiality
~Definition: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [44 U.S.C., Sec. 3542]
~LOW: The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
~MODERATE: The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
~HIGH: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Security objective: Integrity
~Definition: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. [44 U.S.C., Sec. 3542]
~LOW: The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
~MODERATE: The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
~HIGH: The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Security objective: Availability
~Definition: Ensuring timely and reliable access to and use of information. [44 U.S.C., Sec. 3542]
~LOW: The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
~MODERATE: The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
~HIGH: The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Source: FIPS 199, Standards for Security Categorization of Federal Information and Information Systems

FIPS 200
• Minimum Security Requirements for Federal Information and Information Systems
~A short, mandatory standard: it defines 17 security-related areas (the control families) and requires each agency to apply the NIST SP 800-53 control baseline (low, moderate or high) that matches the system's FIPS 199 category.
~The controls an entity must actually follow are in NIST SP 800-53; FIPS 200 is effectively the index that makes them legally binding.

FIPS 140
• Security Requirements for Cryptographic Modules
~Specifies the security requirements for the cryptographic modules (hardware, software or firmware) that protect computer and telecommunication systems, including voice systems, at four increasing security levels.
~FIPS 140-3 (a draft at the time of this talk) adds an additional security level and incorporates extended and new security features.

NIST Compliance
• National Institute of Standards and Technology
~The standards-defining agency of the U.S. government; part of the U.S. Department of Commerce (formerly under its Technology Administration, www.technology.gov, which was abolished in 2007).
• Next steps: how the mandate reaches Medi-Cal
~OMB Circular A-130, Appendix III, directs federal agencies to follow NIST guidance.
~2006: CMS orders DHCS to follow NIST.
~2006: DHCS orders EDS to follow NIST.
~The key NIST standards were only 2 years old at the time and still being vetted by the community.
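The FIPS 199 and FIPS 200 slides above describe a small but frequently mis-applied procedure: rate each information type on the three objectives, let the system inherit the highest rating per objective, then take the high-water mark across the objectives to choose the SP 800-53 baseline. The following Python is an added example written for this page, not material from the talk or from NIST; the information types and their impact levels are constructed and hypothetical, not an assessment of any real Medi-Cal system. It also enforces the FIPS 199 rule that "not applicable" is permitted for confidentiality only.

```python
"""FIPS 199 categorization and the FIPS 200 high-water mark (added example)."""

# FIPS 199 impact levels, ranked so that max() picks the highest.
LEVEL_RANK = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def validate_level(objective: str, level: str) -> str:
    """Normalise one impact value and enforce the FIPS 199 rule on N/A.

    "Not applicable" is allowed for confidentiality only (information that
    is public by design); integrity and availability are never N/A.
    """
    level = level.strip().upper()
    if level == "NOT APPLICABLE":
        level = "N/A"
    if level not in LEVEL_RANK:
        raise ValueError(f"unknown impact level {level!r} for {objective}")
    if level == "N/A" and objective != "confidentiality":
        raise ValueError(f"{objective} impact may not be N/A")
    return level


def categorize_information_type(confidentiality: str, integrity: str,
                                availability: str) -> dict:
    """Security category of one information type:
    SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}."""
    return {
        "confidentiality": validate_level("confidentiality", confidentiality),
        "integrity": validate_level("integrity", integrity),
        "availability": validate_level("availability", availability),
    }


def categorize_system(info_types: list) -> dict:
    """Security category of an information system.

    For each objective the system inherits the highest impact assigned to
    any information type it stores, processes or transmits.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    categories = [
        categorize_information_type(t["confidentiality"], t["integrity"],
                                    t["availability"])
        for t in info_types
    ]
    return {
        obj: max((c[obj] for c in categories), key=LEVEL_RANK.__getitem__)
        for obj in OBJECTIVES
    }


def high_water_mark(system_sc: dict) -> str:
    """FIPS 200 overall impact level: the highest of the three objectives.

    This single level (LOW, MODERATE or HIGH) selects the SP 800-53 baseline.
    It can never be N/A because integrity and availability are at least LOW.
    """
    return max(system_sc.values(), key=LEVEL_RANK.__getitem__)


def format_sc(name: str, sc: dict) -> str:
    """Render a category in the notation FIPS 199 uses."""
    parts = ", ".join(f"({obj}, {sc[obj]})" for obj in OBJECTIVES)
    return f"SC {name} = {{{parts}}}"


# Constructed, hypothetical information types for a claims-style system;
# the impact values are illustrative, not an assessment of any real system.
EXAMPLE_INFO_TYPES = [
    {"name": "public program information", "confidentiality": "N/A",
     "integrity": "MODERATE", "availability": "LOW"},
    {"name": "beneficiary eligibility records", "confidentiality": "HIGH",
     "integrity": "MODERATE", "availability": "MODERATE"},
    {"name": "routine administrative data", "confidentiality": "LOW",
     "integrity": "LOW", "availability": "LOW"},
]

if __name__ == "__main__":
    for t in EXAMPLE_INFO_TYPES:
        print(format_sc(t["name"], categorize_information_type(
            t["confidentiality"], t["integrity"], t["availability"])))
    system = categorize_system(EXAMPLE_INFO_TYPES)
    print(format_sc("example system", system))
    print("FIPS 200 high-water mark:", high_water_mark(system),
          "-> SP 800-53", high_water_mark(system).lower(), "baseline")
```

The point the slide makes about risk acceptance falls out of the code: a single HIGH information type drags the whole system to the high baseline, and no later argument about cost changes the inputs. The practical consequence is that scoping which information types a system really handles (and keeping public information in a separately categorized system where that is feasible) is the only legitimate lever on the baseline.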
Relationship Between Publications
[Diagram of how FIPS 199, FIPS 200 and the SP 800 series fit together]
Source: NIST SP 800-39, Managing Risk from Information Systems: An Organizational Perspective

NIST Special Publications
• NIST SP 800-37
~Guide for Security Authorization of Federal Information Systems: A Security Life Cycle Approach
• NIST SP 800-39
~Managing Risk from Information Systems: An Organizational Perspective
• NIST SP 800-53
~Recommended Security Controls for Federal Information Systems (assessed with SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems)
• NIST SP 800-60
~Guide for Mapping Types of Information and Information Systems to Security Categories
• NIST SP 800-70
~Security Configuration Checklists Program for IT Products

Monitoring Change After Certification
• Create a baseline
• Design securely
• Conduct independent reviews
• Conduct an annual risk assessment
• Monitor volatile controls

Rating scorecard (one column each for the overall environment, Windows, UNIX and Oracle):
~Process in place
~Process functioning as intended
~Management commitment
~Improvement strategy

Plan of Action & Milestones (Continuous Improvement)
• Remediation validation
~Document vulnerabilities that can't be fixed right away.
~Get a sample: screenshot, file, video, e-mail, etc.
~Set scope, roles and responsibilities.
~Assess risk impact.
~Make a corrective plan: incorporate it into an existing project or start a new one, and estimate the cost.
~Get owner approval and track to correction; keep a scorecard.
• Verification
~Retest for the vulnerability after correction, using an independent review.
Source: NIST SP 800-37, Guide for Security Authorization of Federal Information Systems: A Security Life Cycle Approach

Real Time Monitoring - HIDS
CSA Audit Score Card
~Filters: incident response, severity Critical or above, IP source filtering
~Sample row (date shown as the placeholder 1/1/1999 in the original):
~Date: 1/1/1999
~Response time: same day
~Comments: The process 'C:\WINDOWS\system32\svchost.exe' (as user NT AUTHORITY\SYSTEM) attempted to accept a connection as a server on TCP port 8443. The operation was denied. Resolved: added the IP address to the block list.
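"Create a baseline" and "monitor drift" appear on both the Monitoring Change After Certification slide above and the deliverables list that follows, but the talk does not show what the baseline is or how drift is computed. The Python below is an added example written for this page, not tooling from the talk or from DHCS/EDS: it fingerprints a file tree (content hash, permission bits, size), stores the baseline as JSON, and reports what was added, removed or changed on a later pass. The host tree it walks is constructed in a temporary directory with hypothetical paths (etc/ssh/sshd_config, etc/shadow, etc/cron.d/backup) so it runs offline; on a real host you would point it at the configuration directories named in the system's baseline standard.

```python
"""Configuration baseline and drift detection (added example)."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Content hash plus the permission bits and size of one regular file."""
    st = path.lstat()
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    return {"sha256": digest, "mode": oct(stat.S_IMODE(st.st_mode)), "size": st.st_size}


def create_baseline(root: Path) -> dict:
    """Walk root and fingerprint every regular file (symlinks are skipped)."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = fingerprint(p)
    return baseline


def detect_drift(baseline: dict, current: dict) -> dict:
    """Compare two snapshots; returns added/removed paths and per-field changes."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        before, after = baseline[rel], current[rel]
        diff = {k: (before[k], after[k]) for k in before if before[k] != after.get(k)}
        if diff:
            changed[rel] = diff
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(baseline: dict, path: Path) -> None:
    """Persist the baseline; in practice store it off-host or sign it."""
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Build a constructed host tree, baseline it, simulate drift, report it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "host"
        (root / "etc/ssh").mkdir(parents=True)
        (root / "etc/ssh/sshd_config").write_text(
            "PermitRootLogin no\nPasswordAuthentication no\n")
        (root / "etc/shadow").write_text("root:*:0:0:99999:7:::\n")
        os.chmod(root / "etc/shadow", 0o600)

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(create_baseline(root), baseline_file)

        # Simulated drift: a weakened sshd setting, a loosened file mode,
        # and a new cron job that was never part of the certified baseline.
        (root / "etc/ssh/sshd_config").write_text(
            "PermitRootLogin yes\nPasswordAuthentication no\n")
        os.chmod(root / "etc/shadow", 0o644)
        (root / "etc/cron.d").mkdir()
        (root / "etc/cron.d/backup").write_text(
            "0 2 * * * root /usr/local/bin/backup.sh\n")

        return detect_drift(load_baseline(baseline_file), create_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter for the scorecard the talk asks for. Comparing mode bits as well as content catches the class of drift (a loosened permission) that a hash alone misses, and reading the baseline back from a file rather than from memory is what lets an independent reviewer rerun the check against the copy of the baseline that was approved at certification time.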
Typical Deliverables (Prove You Did Work)
• Create a baseline
• Monitor change
• Monitor drift
• Real-time monitoring
• Maintain a POA&M

Recap
• NIST and FIPS are required by law
• Prepare deliverables to prove compliance
• Monitor change, drift and volatile controls
• Annual assessment to plan compliance reviews
• Independent review to verify compliance

Questions