NIST it by that much: Using and Abusing the NIST 800

NIST it by that much.
Using and Abusing the NIST 800 Series
Who We Are and Why We’re Here
• Adam Stone
  – LBNL – University of California managed Department of Energy laboratory (fundamental, unclassified research).
  – Regulatory environment: highly activated. 18 cyber security audits in 24 months. C&A, OMB, NIST; GAO, IG, UC, Red Teams.
• Stephen Lau
  – UCSF – Dedicated health sciences campus
  – Many National Institutes of Health and Veterans Administration researchers
  – Regulatory environment:
    • HIPAA, SB1386, FERPA, e-Discovery, etc.
• Both of us have seen the NIST 800 Series applied in both positive and negative fashion.
• The NIST 800 Series can be your friend or your worst nightmare…
How did we get here?
Title III of the E-Government Act, AKA FISMA
The Current Environment
Current Environment Continued…
• What do DOE/OMB people see when they look out at the world? But R&E typically looks different.

What DOE/OMB sees:
• Outsourced, centrally managed IT
• Totally locked down desktops
• Central patch management
• Tiny visible footprint networks
• Standardized OS and software load
• Duplicative IT investments
• Low quality project management
• All Federal systems are RISKY systems!

What R&E typically looks like:
• Self managed or lightly managed IT
• Few lockdowns, default allow
• User patch management
• Mostly visible footprint networks
• Open systems for collaboration
• Users are smart and expect flexibility and autonomy.
• Most systems are not very risky

What is the future of this disconnect?
What is NIST?
• NIST - National Institute of Standards and Technology (www.nist.gov)
  – Part of the U.S. Department of Commerce
• Establishes standards for the U.S. federal government
  – Weights, measures, etc.
  – Previously concentrated on esoterica… now given free rein over government information security
• NIST has published a series of information security guideline documents
  – Collectively known as the “NIST 800 Series”
  – http://csrc.nist.gov/publications/nistpubs/
• Covers a wide spectrum of topics
  – Risk assessments, wireless security, encryption, telecommuting, etc.
Why Should I Care?
• Many federal agencies are requiring “NIST compliant” security documentation for federally funded projects or for collaborations
  – National Institutes of Health, Veterans Administration, Department of Defense, Department of Homeland Security, etc.
  – Your colleagues, users, clients and funding sources may ask:
    • Is the resource you provide “NIST compliant”?
    • Can you help me become “NIST compliant”?
• Information security documents may use NIST methodology with regard to “risk” and “controls”
  – Controls are security techniques that address a risk
    • e.g. passwords, firewalls, documentation
  – Requirement documents may ask you about “risk” and “controls”
• The model is useful, even if the level of detail probably (definitely) exceeds what is useful for most University/research environments.
What the NIST Documents Are Not
• They should not be viewed as “checklists” to complete
• They are not rules you must abide by
  – NIST documents contain many loopholes and generalities on purpose
    • “Compensating controls” (more on this in a bit)
    • “Residual risk”
    • “Risk acceptance”
• Doing everything in the NIST documents won’t make you secure
  – It’ll just kill a lot of trees and give you a false sense of security
• They are neither comprehensive nor complete
  – Some of the documents are woefully out of date
Caveat emptor!
So What Are They Good For?
• Useful as a model for approaching information security
  – Risk based model
    • What are the consequences of “bad things”?
    • Low/medium/high risk
  – Controls and compensating controls
    • One size doesn’t fit all; different things can achieve the same result
    • Ideal for diverse distributed environments
• Unified, consistent approach to information security
  – Common language and methodology
• Good as a reference guide and to ensure “covering of all bases”
  – See examples coming up…
Nistiverse
• Security Categorization (FIPS 199 / SP 800-60): Defines category of information system according to potential impact of loss.
• Security Control Selection (SP 800-53 / FIPS 200): Selects minimum security controls (i.e., safeguards and countermeasures) planned or in place to protect the information system.
• Security Control Refinement (SP 800-53 / FIPS 200 / SP 800-30): Uses risk assessment to adjust minimum control set based on local conditions, required threat coverage, and specific agency requirements.
• Security Control Documentation (SP 800-18): In system security plan, provides an overview of the security requirements for the information system and documents the security controls planned or in place.
• Security Control Implementation (SP 800-70): Implements security controls in new or legacy information systems; implements security configuration checklists.
• Security Control Assessment (SP 800-53A / SP 800-37): Determines extent to which the security controls are implemented correctly, operating as intended, and producing desired outcome with respect to meeting security requirements.
• System Authorization (SP 800-37): Determines risk to agency operations, agency assets, or individuals and, if acceptable, authorizes information system processing.
• Security Control Monitoring (SP 800-37): Continuously tracks changes to the information system that may affect security controls and assesses control effectiveness.
Nistiverse (diagram as above), annotated: Security Categorization (FIPS 199)
• Confidentiality
• Integrity
• Availability
• Low, Medium, High: High Water Mark
Nistiverse (diagram as above), annotated: Security Control Selection (800-53 Catalog)
• The NIST Low, Medium, and High Baselines
• Key Concept: Common Controls
Categories of Control
We don’t just mean shared authN.
Nistiverse (diagram as above), annotated: Refining the Controls: Making Risk Based Judgments
• Scoping
• Compensating
• Organization Defined Controls
Tailoring the Baseline
Scoping Guidance
• Common security control-related considerations: Common controls are managed by an organizational entity other than the information system owner. Organizational decisions on which security controls are viewed as common controls may greatly affect the responsibilities of individual information system owners.
• Operational/environmental-related considerations: Security controls that are dependent on the nature of the operational environment are applicable only if the information system is employed in an environment necessitating the controls.
• Physical infrastructure-related considerations: Security controls that refer to organizational facilities (e.g., physical controls such as locks and guards, environmental controls for temperature, humidity, lighting, fire, and power) are applicable only to those sections of the facilities that directly provide protection to, support for, or are related to the information system.
• Public access-related considerations: Security controls associated with public access information systems should be carefully considered and applied with discretion since some security controls from the specified control baselines (e.g., identification and authentication, personnel security controls) may not be applicable to users accessing information systems through public interfaces.
• Technology-related considerations: Security controls that refer to specific technologies (e.g., wireless, cryptography, public key infrastructure) are applicable only if those technologies are employed or are required to be employed within the information system. Also
• Policy/regulatory-related considerations: Security controls that address matters governed by applicable laws, Executive Orders, directives, policies, standards, or regulations (e.g., privacy impact assessments) are required only if the employment of those controls is consistent with the types of information and information systems covered by the applicable laws, Executive Orders, directives, policies, standards, or regulations.
• Security objective-related considerations: Security controls that uniquely support the confidentiality, integrity, or availability security objectives may be downgraded to the corresponding control in a lower baseline (or appropriately modified or eliminated if not defined in a lower baseline) if, and only if, the downgrading action: (i) is consistent with the FIPS 199 security categorization before moving to the high water mark; (ii) is supported by an organizational assessment of risk; and (iii) does not affect the security-relevant information within the information system.
Next 3 slides stolen from NIST
Compensating Security Controls
• The organization selects a compensating control from NIST SP 800-53, or if an appropriate compensating control is not available in the security control catalog, the organization adopts a suitable compensating control;
• The organization provides a complete and convincing rationale for how the compensating control provides an equivalent security capability or level of protection for the information system and why the related baseline security control could not be employed; and
• The organization assesses and formally accepts the risk associated with employing the compensating control in the information system.
Organization-defined Parameters
• Security controls containing organization-defined parameters (i.e., assignment and/or selection operations) give organizations the flexibility to define selected portions of the controls to support specific organizational requirements or objectives.
CP-9 INFORMATION SYSTEM BACKUP
Control: The organization conducts backups of user-level and system-level information (including system state information) contained in the information system [Assignment: organization-defined frequency] and protects backup information at the storage location.
Slide stolen from NIST
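The steps the deck walks through (FIPS 199 categorization with the high water mark, picking the Low/Moderate/High baseline, the scoping guidance, compensating controls, and organization-defined parameters such as CP-9’s backup frequency) can be made concrete as a small decision procedure. The Python below is an added example written for this page; it is not code from the talk, from NIST, or from UCSF/LBNL. Its control catalog is a constructed miniature: the identifiers follow the SP 800-53 family style, but their baseline placement, the objective and technology tags, the compensating control and the parameter values are all assumptions made for the example, not the real SP 800-53 tables.

```python
"""FIPS 199 categorization and SP 800-53 baseline tailoring, as a worked example.
Added illustration for this page, not code from the talk or from NIST. The catalog is a
constructed miniature: ids follow the SP 800-53 style, but baseline placement, the
objective/technology tags and the parameter values are assumptions for the example."""
from collections import namedtuple

# FIPS 199 impact levels, ordered. FIPS 199 says "moderate" where the talk says "medium".
LEVELS = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# min_baseline: lowest baseline that includes the control; objective: set if the control
# uniquely supports one security objective; technology: set if the control applies only
# when that technology is used; parameter: name of an organization-defined [Assignment].
Control = namedtuple("Control", "cid title min_baseline objective technology parameter",
                     defaults=(None, None, None))
# substitute: the compensating control adopted instead; rationale: why it is equivalent and
# why the baseline control cannot be used; risk_accepted: formal acceptance of residual risk.
Compensation = namedtuple("Compensation", "substitute rationale risk_accepted")
Decision = namedtuple("Decision", "cid outcome note")  # outcome: implement/compensated/downgraded/not applicable


def high_water_mark(category):
    """FIPS 199 high water mark: the system's level is the highest of the C/I/A levels."""
    for obj in OBJECTIVES:
        if category.get(obj) not in LEVELS:
            raise ValueError(f"{obj!r} must be one of {list(LEVELS)}")
    return max((category[o] for o in OBJECTIVES), key=LEVELS.__getitem__)


def in_baseline(control, level):
    """A control placed in the low baseline is also in moderate and high, and so on."""
    return LEVELS[control.min_baseline] <= LEVELS[level]


def tailor(catalog, category, technologies, compensations, parameters):
    """Pick the baseline from the high water mark, then apply the tailoring steps the
    talk lists: scoping, compensating controls and organization-defined parameters."""
    hwm = high_water_mark(category)
    decisions = []
    for c in catalog:
        # Technology-related scoping: the control is moot if the technology is absent.
        if c.technology and c.technology not in technologies:
            decisions.append(Decision(c.cid, "not applicable", f"scoped out: {c.technology} not employed"))
            continue
        # Security-objective-related scoping: a control that uniquely supports one objective
        # may follow that objective's own FIPS 199 level instead of the high water mark
        # (the guidance's other two conditions are judgment calls made outside this code).
        effective = category[c.objective] if c.objective else hwm
        if not in_baseline(c, effective):
            if in_baseline(c, hwm):
                decisions.append(Decision(c.cid, "downgraded",
                                          f"{c.objective} is {effective}; control enters at {c.min_baseline}"))
            continue
        # Organization-defined parameter: the control is incomplete until it is assigned.
        filled = ""
        if c.parameter:
            if c.cid not in parameters:
                raise ValueError(f"{c.cid}: '{c.parameter}' must be assigned by the organization")
            filled = f" [{c.parameter} = {parameters[c.cid]}]"
        comp = compensations.get(c.cid)
        if comp is None:
            decisions.append(Decision(c.cid, "implement", c.title + filled))
            continue
        # A compensating control is only valid with a rationale and a formal risk acceptance.
        if not comp.rationale or not comp.risk_accepted:
            raise ValueError(f"{c.cid}: compensating control needs rationale and risk acceptance")
        decisions.append(Decision(c.cid, "compensated", f"replaced by {comp.substitute}: {comp.rationale}"))
    return hwm, decisions


# Constructed miniature catalog (assumed placements, not the real SP 800-53 tables).
CATALOG = [
    Control("AC-2", "Account Management", "low"),
    Control("AC-18", "Wireless Access Restrictions", "low", technology="wireless"),
    Control("CP-9", "Information System Backup", "low", parameter="frequency"),
    Control("IA-5", "Authenticator Management", "low"),
    Control("SC-8", "Transmission Confidentiality", "moderate", objective="confidentiality"),
]
# Constructed example system: a research data service where integrity matters most.
EXAMPLE_CATEGORY = {"confidentiality": "low", "integrity": "moderate", "availability": "low"}
EXAMPLE_COMPENSATIONS = {"IA-5": Compensation(
    "federated campus authentication",
    "local authenticator rules cannot be enforced on collaborator accounts; "
    "the campus identity provider enforces an equivalent policy", True)}
EXAMPLE_PARAMETERS = {"CP-9": "daily"}


def example():
    """Run the constructed system through the process; returns (high water mark, decisions)."""
    return tailor(CATALOG, EXAMPLE_CATEGORY, technologies=set(),
                  compensations=EXAMPLE_COMPENSATIONS, parameters=EXAMPLE_PARAMETERS)
```

Calling `example()` yields a moderate high water mark (integrity drives it) and one decision per control: AC-2 and CP-9 are implemented (CP-9 with its assigned frequency), AC-18 is scoped out because no wireless is employed, IA-5 is satisfied by the documented compensating control, and SC-8 is downgraded because it uniquely supports confidentiality, which this system categorized as low. Leaving the CP-9 frequency unassigned, or recording a compensating control without a rationale and a formal risk acceptance, is rejected rather than silently passing, which is the point the deck makes about loopholes: the flexibility exists, but each use of it has to be written down and owned.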
Nistiverse (diagram as above), annotated: Documentation: The painful part.
• A broad scale look at the controls.
• The notion of common controls: where can application or subsystem owners turn to know what (if anything) is being provided centrally.
Nistiverse (diagram as above), annotated: Implementation: Self explanatory (and actually the important part)
Nistiverse (diagram as above), annotated: Assessment
• 800-53A (the mother of all checklists)
• Technical Testing and Auditing Artifacts
Nistiverse (diagram as above), annotated: Authorization: Certify & Accredit
• Certify: This is working as described and is appropriate.
• Accredit: It appears to be and the remaining risk is acceptable.
Nistiverse (diagram as above), annotated: Continuous Monitoring
• Is it working?
• Is it sufficient?
NIST at UCSF
• UCSF is conducting Campus-wide information security risk assessments
  – Divided Campus into “control points”
  – Risk categorization based upon the NIST “low/medium/high” concept
  – Using the NIST “controls” concept to make sure “all bases are covered”
    • e.g. access, physical security, documentation, user education, etc.
• Developed our own “risk impacts”
  – Risks endemic to a University (not necessarily covered by NIST)
  – e.g. Campus reputation
    • low – work unit impact
    • medium – department/school wide
    • high – national/international reputation of UCSF
• Developed a “suite of interview questions”
  – Same series of questions being asked across Campus
  – Same questions phrased differently
    • Sometimes get different answers based upon phrasing
NIST at UCSF
• Goal: Develop continual risk assessment of UCSF
  – Identify similar “high risks” facing the entire Campus (target those)
  – Revisit risk assessments to see progress made (if any)
    • Consider availability of resources to address risk
      – Because that’s a risk in itself!
• Goal II: Security plans based upon risk across the entire Campus, subdivided into “control points”
• Interim results:
  – Have uncovered high risk areas not normally considered when focusing solely on “legal” requirements, e.g. SB1386, HIPAA
    • e.g. Animal research databases, hazardous chemicals information, politically sensitive databases
NIST @ LBL
The documentation-heavy version:
• Approximately 300 pages of security plans for five enclaves and supporting docs.
• An interactive database for each control which allows each enclave owner to see how other people implement it.
• Extensive wikis for managing documentation requirements.
• C&A is (sadly) a hundreds-of-thousands-of-dollars effort.
The documentation-light version:
• SCRAPs
• Enclaves as a way of thinking about risk.
Regulatory Outlook
• More regulations are coming down the pipe
  – Increased mixing of highly activated OMB/NIST regulatory machines with University rules and regulations.
  – Increasingly activated University internal auditors with interest in cyber security.
  – DHS and NSA are both interested in “helping” nongovernmental networks. But Higher Ed is different.
• Laws are becoming financially burdensome for sites
  – CA SB1386 requires notifications for exposure of personally identifiable information
    • Estimates are around $100.00/notice
    • e.g. 50,000 individuals to be notified == Big $$
Regulatory Outlook 2
• Collaborations with Government research entities are becoming more and more difficult:
  – NASA, NIH, National Laboratories, some FFRDCs (but not all)
  – Sharing data with government entities (VA, NIH, CDC) seems likely to get more and more difficult.
• Ongoing government consolidation and security projects seem likely to negatively impact the interaction between Higher Ed and Government research:
  – Network consolidation
  – System lockdown
  – Movement of previously open information behind firewalls.
  – Expansion of the notion of “IT Project” subject to reporting controls.
The Big Takeaways
• NIST is useful; take a graded approach.
  – It’s not a sacred text (nor is it intended to be)
• Doing everything NIST wants you to do does not equal security; it just kills trees and annoys people (do the good parts).
• If it doesn’t reflect reality, don’t write it down.
• Holistic risk assessment is critical (and lacking)
“Once the rockets are up, who cares where they come down? That’s not my department,” said Wernher von Braun…
Wilson, Bureaucracy: What Government Agencies Do and Why They Do It.
“Whatever behavior will get an agency executive in trouble will get a manager in trouble; whatever gets a manager in trouble will get an operator in trouble… This means that even talented and motivated operators will not be free to violate rules that threaten their agency, even if the rule itself is silly.
Many agency executives do not understand this. They are eager to deflect or mollify critics of their agencies. In their eagerness they suppose that announcing a rule designed to forbid whatever behavior led to the criticism actually will work. Their immediate subordinates, remote from field pressures (and perhaps eager to ingratiate themselves with the executives) will assure their bosses that the new rule will solve the problem. But unless the rule actually redefines the core tasks of the operators value, the rule will be seen as just one more constraint on getting the job done (or, more graphically, as "just another piece of chicken****").”
Artifacts and policy that don’t kill the core task.
Contact Information
Stephen Lau
University of California, San Francisco
Enterprise Information Security / OAAIS
Email: stephen.lau@ucsf.edu
Phone: +1 (415) 476-3106
PGP: 44C8 C9CB C15E 2AE1 7B0A 544E 9A04 AB2B F63F 748B
Adam Stone
Berkeley Lab
Assoc. Liaison for IT (Policy & Assurance)
Email: adstone@lbl.gov