Presentation on theme: "Complying With The Federal Information Security Act (FISMA)"— Presentation transcript:
1 Complying With The Federal Information Security Act (FISMA)
2 What is FISMA?
Congress included FISMA as part of the E-Government Act of
FISMA is the primary legislation that governs the security activities required by the Certification and Accreditation process. It sets forth specific requirements for security programs as well as an annual reporting requirement. As a DAA you will be responsible for executive oversight of meeting the program and reporting requirements outlined on the following slides.
3 Purpose of FISMA
Bringing standardization to security control selection and assessment through:
- Providing a consistent framework for protecting information at the federal level.
- Providing effective management of risks to information security.
- Providing for the development of adequate controls to protect information and systems.
- Providing a mechanism for effective oversight of federal security programs.
4 FISMA Requirements
Federal agencies are required to establish an integrated, risk-based information security program that adheres to high-level requirements governing how information security is conducted within their agency.
Agencies are required to:
- assess the current level of risk associated with their information and information systems
- define controls to protect those systems
- implement policies and procedures to cost-effectively reduce risk
- periodically test and evaluate those controls
- train personnel on information security policies and procedures
- manage incidents (incident response plan/process)
5 FISMA Dictates…
- Responsibilities of chief security officers.
- Actions required to assess risk.
- Actions required to mitigate risk.
- Security awareness training.
- Testing of security practices and controls.
- Procedures for responding to security issues.
- Procedures for business continuity.
6 FISMA and NIST
NIST provides detailed, in-depth guidance on FISMA. NIST guidance includes:
- Standards for categorizing information and information systems by mission impact.
- Standards for minimum security requirements for information and information systems.
- Guidance for selecting appropriate security controls for information systems.
- Guidance for assessing security controls in information systems and determining security control effectiveness.
- Guidance for certifying and accrediting information systems.
7 NIST FISMA Related Publications
- FIPS Publication 199 (Security Categorization)
- FIPS Publication 200 (Minimum Security Requirements)
- NIST Special Publication , Rev 1 (Security Planning)
- NIST Special Publication , Rev 1 (Risk Management)
- NIST Special Publication (Certification & Accreditation)
- NIST Special Publication , Rev 3 (Recommended Security Controls)
- NIST Special Publication A, Rev 1 (Security Control Assessment)
- NIST Special Publication (Security Category Mapping)
8 FIPS 199, Standards for the Security Categorization of Federal Information and Information Systems
- The standard used by federal agencies to categorize information and information systems, with the objective of providing appropriate levels of information security according to a range of risk levels.
- Information systems are categorized as Low, Moderate, or High risk systems based on the Confidentiality, Integrity, and Availability security requirements needed to protect the data/information processed, stored, or transmitted by the information system.
9 FIPS 200, Minimum Security Requirements for Federal Information and Information Systems
- Provides minimum information security requirements for information and information systems in each security category defined in FIPS 199.
- Dictates the requirement to use NIST SP for the baseline security control requirements.
10 NIST SP 800-37 Rev 1, Guide to Apply the Risk Management Framework to Federal Information Systems
Establishes a six-step Risk Management Framework for federal information systems:
1. Categorize the information system
2. Select security controls
3. Implement security controls
4. Assess security controls
5. Authorize the information system
6. Monitor the security controls
Applicable to non-national security information systems as defined in the Federal Information Security Management Act of 2002.
11 NIST SP 800-18 Rev 1, Guide for Developing Security Plans for Federal Information Systems
Defines the format and content for Security Plans, as required by OMB Circular No. A-130.
The main functions of the Security Plan include:
- Providing an overview of the system’s security requirements
- Describing the controls in place or planned for meeting those requirements
- Delineating the responsibilities and expected behavior of all individuals who access the system
- Documenting the structured process of planning adequate, cost-effective security protection for the system
12 NIST SP 800-30 Rev 1, Risk Management Guide for Information Technology Systems
Definitional and practical guidance on the concept and practice of managing IT-related risks.
Risk management provides a balance between operational objectives and the economic costs of protective measures by:
- better securing the IT systems that store, process, or transmit organizational information;
- enabling management to make well-informed risk management decisions that justify the expenditures;
- assisting management in authorizing (or accrediting) the IT systems.
13 NIST SP 800-34 Rev 1, Contingency Planning Guide for Federal Information Systems
- Provides instructions, recommendations, and considerations for government IT contingency planning.
- Provides specific contingency planning recommendations for seven IT platforms.
- Covers strategies and techniques common to all systems.
14 NIST SP Rev 3, Recommended Security Controls for Federal Information Systems and Organizations
- The purpose of NIST Special Publication , Rev 3 is to provide guidelines for selecting and specifying security controls for information systems.
- Applicable to all federal information systems other than those designated as national security systems as defined in 44 U.S.C., Section 3542.
- Broadly developed from a technical perspective to complement similar guidelines issued by agencies and offices operating or exercising control over national security systems.
- Provides guidance to federal agencies until the publication of FIPS Publication 200, Minimum Security Controls for Federal Information Systems.
15 NIST SP 800-53A Rev 1, Guide for Assessing the Security Controls in Federal Information Systems
- Provides standardized techniques and procedures to verify the effectiveness of security controls.
- Provides a single baseline verification procedure for each security control in SP , Rev 3.
- Allows additional verification techniques and procedures to be applied at the discretion of the agency.
16 NIST SP Vol I and Vol II, Guide for Mapping Types of Information and Information Systems to Security Categories
- Provides guidelines recommending the types of information and information systems to be included in each category of potential security impact.
- Assists agencies in mapping security impact levels in a consistent manner to types of: (i) information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation); and (ii) information systems (e.g., mission critical, mission support, administrative).
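The FIPS 199 categorization described on slide 8 and the information-type mapping on slide 16 combine into one mechanical step: rate each information type the system handles for confidentiality, integrity and availability, take the highest level per objective across all types (the FIPS 199 high-water mark), and the highest of the three objectives becomes the system's overall impact level, which FIPS 200 then uses to pick the control baseline. The following Python example is added here to show that computation end to end; it is not part of the presentation or of any NIST publication. The information types and their impact levels are constructed for illustration and are not the provisional levels from the mapping guide.

```python
"""FIPS 199 security categorization worked through in code (added example)."""
from typing import Dict, List

# Impact levels defined in FIPS 199, ranked so max() yields the high-water mark.
IMPACT_RANK = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# One information type: a name plus an impact level for each security objective.
InfoType = Dict[str, str]


def validate_info_type(info: InfoType) -> None:
    """Reject malformed input. FIPS 199 permits 'NA' only for the confidentiality
    of information meant to be public; integrity and availability always carry
    a LOW, MODERATE or HIGH level."""
    for objective in OBJECTIVES:
        level = info.get(objective)
        if level in IMPACT_RANK:
            continue
        if level == "NA" and objective == "confidentiality":
            continue
        raise ValueError(f"{info.get('name', '?')}: invalid {objective} level {level!r}")


def system_security_category(info_types: List[InfoType]) -> Dict[str, str]:
    """Aggregate every information type the system processes, stores or transmits
    into the system's security category: per objective, the highest impact level
    found across the types. A system's confidentiality is never 'NA'; if every
    type is public the floor is LOW, as FIPS 199 requires for systems."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    for info in info_types:
        validate_info_type(info)
    category: Dict[str, str] = {}
    for objective in OBJECTIVES:
        levels = [info[objective] for info in info_types if info[objective] != "NA"]
        category[objective] = max(levels, key=IMPACT_RANK.__getitem__) if levels else "LOW"
    return category


def system_impact_level(category: Dict[str, str]) -> str:
    """Overall impact level of the system: the highest of the three objectives.
    FIPS 200 uses this value to select the minimum security control baseline."""
    return max(category.values(), key=IMPACT_RANK.__getitem__)


def fips199_notation(category: Dict[str, str]) -> str:
    """Render the category in the SC = {(objective, level), ...} form used by FIPS 199."""
    pairs = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return "SC = {" + pairs + "}"


# Constructed sample system (illustrative levels, not taken from any NIST table):
# a public web front end, a personnel (privacy) store and a financial ledger.
SAMPLE_SYSTEM: List[InfoType] = [
    {"name": "public web content", "confidentiality": "NA",
     "integrity": "LOW", "availability": "LOW"},
    {"name": "personnel records", "confidentiality": "MODERATE",
     "integrity": "MODERATE", "availability": "LOW"},
    {"name": "financial transactions", "confidentiality": "MODERATE",
     "integrity": "HIGH", "availability": "MODERATE"},
]


def categorize_sample() -> str:
    """Run the sample through the full FIPS 199 / FIPS 200 step."""
    category = system_security_category(SAMPLE_SYSTEM)
    level = system_impact_level(category)
    return f"{fips199_notation(category)}; system impact level = {level}"


if __name__ == "__main__":
    print(categorize_sample())
```

The point a reviewer of a categorization should check is the high-water mark: one HIGH integrity rating on a single information type (the financial ledger here) lifts the whole system to a HIGH baseline even though every other rating is MODERATE or lower, so the list of information types on slide 16 is what drives the cost of the controls selected on slides 9 and 14.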
17 SUMMARY
Key activities in managing enterprise-level risk (risk resulting from the operation of an information system):
- Categorize the information system
- Select the set of minimum (baseline) security controls
- Refine the security control set based on the risk assessment
- Document the security controls in the system security plan
- Implement the security controls in the information system
- Assess the security controls
- Determine agency-level risk and risk acceptability
- Authorize information system operation
- Monitor the security controls on a continuous basis