NIST SP800 53R4 WMISACA Conference April 2016 By Dean E Brown CISSP, ISSMP, CSSLP, MCSD Owner – ITSecurityAxioms.com 262 Barrington Cir Lansing, MI 48917.


1 NIST SP800 53R4 WMISACA Conference April 2016 By Dean E Brown CISSP, ISSMP, CSSLP, MCSD Owner – ITSecurityAxioms.com 262 Barrington Cir Lansing, MI 48917 Dean_E_Brown@yahoo.com

2 Agenda: Ground Level 0 (Zero) = What is NIST (really fast); Basics 101 – controls by section / number (spreadsheet); Specific Application (beware the minimum); References.

3 What Is NIST? - 1 The National Institute of Standards and Technology is a USA federal agency. It publishes the security standards and guidelines that, under FISMA, the other federal agencies have to follow. Two of those standards frame everything in this talk: Federal Information Processing Standard Publication (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.

4 What is NIST? – 2 Two acronyms that are easy to confuse: FIPS, "Federal Information Processing Standard", and FIPPs, "Fair Information Practice Principles" (the privacy principles behind the privacy controls in Appendix J of SP 800-53r4). Introductory reading that should be required: Summary of NIST SP 800-53 Revision 4.

5 What is NIST? – 3 FIPS 200 and NIST Special Publication 800-53, in combination, ensure that appropriate security requirements and security controls are applied to all federal information and information systems. An organizational assessment of risk validates the initial security control selection and determines if additional controls are needed to protect organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation. The resulting set of security controls establishes a level of security due diligence for the organization. So if you are going down the NIST SP 800-53r4 path, you have to put FIPS 200 in your backpack. This presentation is NOT about FIPS 200; I will come back to it in section 3.

6 Basics 101 - 1 A risk-based framework. The controls are divided into 3 categories (classes) and into control families, each control carries a priority (P0–P3), and the selection is driven by the system's impact level. It is considered the de facto standard.

7 Basics 101 - 2 Key quote that you need to embrace: "the security controls and control enhancements listed in the initial baselines are not a minimum—but rather a proposed starting point from which controls and control enhancements may be removed or added." In other words, the baseline is where tailoring starts, not where the work ends.

8 Basics 101 - 3 Baseline selection is based on the security impact of the system as categorized under FIPS 199 (the highest impact among confidentiality, integrity and availability sets the level): Low Impact, Moderate Impact, High Impact. Each level has its own baseline in Appendix D of SP 800-53r4.

9 Basics 101 - 4 267 Controls – Management Controls Category. (The management/operational/technical class labels come from FIPS 200 and the earlier revisions; Revision 4 dropped the classes but kept the families, and adds the Program Management (PM) family in Appendix G, which the three classes below do not cover.) Management controls: Security Assessment and Authorization (CA; called Certification, Accreditation, and Security Assessments in earlier revisions), Planning (PL), Risk Assessment (RA), System and Services Acquisition (SA).

10 Basics 101 - 5 267 Controls – Operational Controls Category. Operational controls: Awareness and Training (AT), Configuration Management (CM), Contingency Planning (CP), Incident Response (IR), Maintenance (MA), Media Protection (MP), Physical and Environmental Protection (PE), Personnel Security (PS), System and Information Integrity (SI).

11 Basics 101 - 6 267 Controls – Technical Controls Category. Technical controls: Access Control (AC), Audit and Accountability (AU), Identification and Authentication (IA), System and Communications Protection (SC).

13 Basics 101 - 7 Doing this in slides is hard to wrap your mind around. It is easier to think in spreadsheets: one row per control, columns for family, priority and Low/Moderate/High baseline membership. The main document has some really great appendices (the baseline table in Appendix D in particular). DO NOT IGNORE THEM!
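To make the baseline-then-tailor logic of slides 7 and 8 concrete in the spreadsheet terms this slide recommends, here is an added Python example. It is not code from the presentation or from NIST. The control rows are a hand-typed subset I constructed from the Revision 4 baseline table (check each row against Appendix D before relying on it), and the requirement that every removed control carry a written justification is my own convention for enforcing the "not a minimum" quote, not a mechanism the standard defines in this form.

```python
"""
Toy model of SP 800-53r4 baseline selection and tailoring.

Added illustration, not code from the presentation or from NIST.
The CSV below mirrors the kind of spreadsheet the slides mention:
one row per control, columns for family, priority and L/M/H membership.
"""
import csv
import io

# Constructed sample rows: a small subset of the r4 baseline table.
# Verify every row against SP 800-53r4 Appendix D; "x" = in that baseline.
SAMPLE_CSV = """id,family,title,priority,low,moderate,high
AC-2,AC,Account Management,P1,x,x,x
AC-6,AC,Least Privilege,P1,,x,x
AU-2,AU,Audit Events,P1,x,x,x
CA-8,CA,Penetration Testing,P2,,,x
IA-2,IA,Identification and Authentication (Organizational Users),P1,x,x,x
IR-4,IR,Incident Handling,P1,x,x,x
SC-28,SC,Protection of Information at Rest,P1,,x,x
"""

LEVELS = ("low", "moderate", "high")


def categorize(confidentiality, integrity, availability):
    """FIPS 199 high-water mark: the system's impact level is the highest
    impact among the three security objectives."""
    ranks = {lvl: i for i, lvl in enumerate(LEVELS)}
    objectives = (confidentiality, integrity, availability)
    unknown = [o for o in objectives if o not in ranks]
    if unknown:
        raise ValueError(f"unknown impact level(s): {unknown}")
    return max(objectives, key=ranks.__getitem__)


def load_controls(text=SAMPLE_CSV):
    """Parse the spreadsheet-style CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def select_baseline(controls, impact):
    """Initial baseline: every control flagged for the given impact level."""
    if impact not in LEVELS:
        raise ValueError(f"unknown impact level {impact!r}")
    return sorted(row["id"] for row in controls if row[impact] == "x")


def tailor(baseline, add=(), remove=(), justification=None):
    """Tailoring: the baseline is a starting point, not a minimum.
    Controls may be added freely; a removal is refused unless a written
    justification is supplied (my convention, not a NIST mechanism)."""
    justification = justification or {}
    undocumented = [c for c in remove if c not in justification]
    if undocumented:
        raise ValueError(f"removal without justification: {undocumented}")
    selected = (set(baseline) - set(remove)) | set(add)
    return sorted(selected)


def by_family(control_ids):
    """Group a selection by family prefix for spreadsheet-style review."""
    groups = {}
    for cid in control_ids:
        groups.setdefault(cid.split("-")[0], []).append(cid)
    return groups


if __name__ == "__main__":
    ctrls = load_controls()
    level = categorize("low", "moderate", "low")   # high-water mark -> moderate
    base = select_baseline(ctrls, level)
    tailored = tailor(base, add=["CA-8"], remove=["SC-28"],
                      justification={"SC-28": "no data stored at rest on this system"})
    for fam, ids in by_family(tailored).items():
        print(fam, ids)
```

Run as a script it prints the tailored moderate selection grouped by family; the point to take away is that `select_baseline` only produces the starting point, and the selection a regulator will actually read is whatever `tailor` returns together with the justification record.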

14 Basics 101 - 8 NIST is the de facto standard. From SANS NewsBites February 23, 2016 Vol. 18, Num. 015: OPM CIO and Inspector General Out. Appropriate Accountability At Last. (February 22, 2016) The chief information officer of the U.S. Office of Personnel Management (OPM) quit today, under pressure, two days before she was due to testify before a Congressional panel. She was responsible for cybersecurity programs at OPM that followed NIST guidance but did not implement and measure the Critical Security Controls, which are widely recognized as the minimum standard of due care. Her resignation follows the resignation of the OPM Inspector General (IG) who was equally responsible for forcing the agency to follow guidelines (from OMB and NIST) that documented the cybersecurity gaps but did not close those gaps. Bold added for clarity.

15 Specific Application – 1 Work / Practice Sessions Example Practice Session

16 Specific Application – 2 Beware the Minimum. FIPS 200 defines the minimum security requirements (2006 is the last published edition as of 2-29-2016). DANGER: your regulators will use more current standards. Specifically, NIST Special Publication 800-53 covers the steps in the Risk Management Framework that address security control selection for federal information systems in accordance with the security requirements in Federal Information Processing Standard (FIPS) 200.

17 References - 1 All NIST Documents http://csrc.nist.gov/publications/PubsSPs.html Main SP800 53R4 Document - http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

18 References - 2 Given to this meeting's organizers: NIST – SP800-53 Table.xls (my modified spreadsheet that includes priorities and risk levels); SP800-53r4_summary.pdf (from the NIST main site).
