Presentation is loading. Please wait.

Presentation is loading. Please wait.

How to Defend Against FISMA Gus Fritschie and Andrew Du June 1st, 2013 FISMA Compliance.

Published byHolly Gibbs Modified over 8 years ago

Similar presentations

Presentation on theme: "How to Defend Against FISMA Gus Fritschie and Andrew Du June 1st, 2013 FISMA Compliance."— Presentation transcript:

1 How to Defend Against FISMA Gus Fritschie and Andrew Du June 1st, 2013 FISMA Compliance

2 Presentation Overview 1.Who we are 2.Why this talk 3.FISMA 101 4.What is good about FISMA 5.What is bad about FISMA 6.Organizational view of FISMA 7.Assessor view of FISMA

3 © SeNet International Corp. 20133June 2013 SeNet Who We Are – SeNet International

4 © SeNet International Corp. 20134June 2013 SeNet The opinions expressed in this presentation are our own personal opinions and do not represent our employer’s view in any way. All examples in this presentation have been redacted and in some cases modified. We really enjoy doing FISMA and C&A work and would like to continue that (maybe). Disclaimer

5 © SeNet International Corp. 20135June 2013 SeNet Who We Are – Gus Fritschie CTO of SeNet International Knows more about FISMA and C&A then I like to admit Have lost count on the number of times have gotten drawn into arguments on whether a vulnerability maps to CM-6 or CM-7 Most importantly hold the highly coveted CAP certification @gfritschie

6 © SeNet International Corp. 20136June 2013 SeNet Who We Are – Andrew Du Work for a Richmond-based federal contractor. A security "hobbyist" since childhood, security architecture by profession, reverse engineer by passion.

7 © SeNet International Corp. 20137June 2013 SeNet Why This Talk? First, nobody is here for Department of Commerce right? We don’t really dislike FISMA (really we don’t)! But because you, or someone you know, relative, or significant other, currently, recently, or in the future will be tasked to certify your system because it supports or integrates with some sort of federal information somewhere somehow. We want you to know the pros and cons and how to best “defend” against FISMA and get real value out of the process.

8 © SeNet International Corp. 20138June 2013 SeNet What is FISMA?

9 © SeNet International Corp. 20139June 2013 SeNet Brief History of FISMA Federal Information Security Management Act of 2002 (FISMA) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 Prior to this we had OMB A-130, which is still valid and started this whole mess NIST was given the authority to establish guidelines and have releases a series of the Special Publications and FIPS

10 © SeNet International Corp. 201310June 2013 SeNet Brief History of FISMA (Cont.) FIPS 199 and 200 FIPS vs. SP’s

11 © SeNet International Corp. 201311June 2013 SeNet Other Compliance Standards

12 © SeNet International Corp. 201312June 2013 SeNet Other Compliance Standards (Cont.) What is different about these standards? Have you ever had to do a cross-walk between them?

13 © SeNet International Corp. 201313June 2013 SeNet Current State of FISMA 800-137 Continuous Monitoring 800-60 Rev1 Security Categorization 800-53 Rev3 Security Controls (Rev4 just released April 2013) 800-53A 800-37 Rev1 Risk Management Framework 800-34 Rev1 Contingency Planning 800-30 Rev1 Risk Management 800-18 Rev1 Security Plans

14 © SeNet International Corp. 201314June 2013 SeNet 800-37 and the RMF

15 © SeNet International Corp. 201315June 2013 SeNet In my opinion one of the most important components. 800-53 Controls

16 © SeNet International Corp. 201316June 2013 SeNet Continuous Monitoring, What? This will solve all of our problems, right?

17 © SeNet International Corp. 201317June 2013 SeNet FISMA’s Good Points

18 © SeNet International Corp. 201318June 2013 SeNet FISMA’s Good Points (Cont.) It is a good starting point and better than not doing anything A lot of smart people and organizations had input into it It raises the level of attention of information security The controls selected cover a wide range of important areas There is a lot of flexibility in how it is implemented

19 © SeNet International Corp. 201319June 2013 SeNet What is Wrong with FISMA It is just a starting point Organizations comply with FISMA for the wrong reasons Controls are easy to confuse or misinterpret Focuses attention/money on specific security controls (sometime the wrong ones) Has become somewhat of a paper drill

20 © SeNet International Corp. 201320June 2013 SeNet Top 10 FISMA Mistakes

21 © SeNet International Corp. 201321June 2013 SeNet Copying the control requirements and restating them as your compliance statement. FISMA Mistake #1

22 © SeNet International Corp. 201322June 2013 SeNet Inheriting controls that you can’t and/or having controls listed as common when they really are hybrid. FISMA Mistake #2

23 © SeNet International Corp. 201323June 2013 SeNet Systems that have incorrect security categorizations. System A “I’m a very important system so I have to be a high system. What? I have to implement and document all these other controls? On second thought…….” System B “Yeah, so what I have PII and sensitive financial information. It is not important and nobody uses this system, I must be a low.” FISMA Mistake #3

24 © SeNet International Corp. 201324June 2013 SeNet Incorrect system boundaries FISMA Mistake #4

25 © SeNet International Corp. 201325June 2013 SeNet ISSO’s not keeping the C&A documentation updated on a regular basis FISMA Mistake #5

26 © SeNet International Corp. 201326June 2013 SeNet Waiting too long to start the process FISMA Mistake #6

27 © SeNet International Corp. 201327June 2013 SeNet Not having skilled/technical personnel to prepare the documentation and perform the testing FISMA Mistake #7

28 © SeNet International Corp. 201328June 2013 SeNet Assuming since you have an ATO you are secure ATO != Secure FISMA Mistake #8

29 © SeNet International Corp. 201329June 2013 SeNet Moving to the cloud will solve all your FISMA problems FISMA Mistake #9

30 © SeNet International Corp. 201330June 2013 SeNet Treating the C&A process as building a Potemkin village FISMA Mistake #10

31 © SeNet International Corp. 201331June 2013 SeNet How Organizations Really Comply With FISMA

32 © SeNet International Corp. 201332June 2013 SeNet How Organizations Really Comply With FISMA (Cont.) Parent agency inherited minimum requirements + baselines Gov't contract written requirements and impact assessments Internal security certification/authorization programs Privacy impact assessment Separation of impact levels by system partitioning External authentication risk analysis Corporate security policies Rules of behavior Risk based decisions Significant user identification Self-assessments and system test + evaluations

33 © SeNet International Corp. 201333June 2013 SeNet How Organizations Really Comply With FISMA (Cont.) Access control management programs Budgeting Inventory management Configuration management and/or change control Intrusion management Incident response program Prototyping labs Third-party vulnerability assessments PMO integration Interconnection agreements

34 © SeNet International Corp. 201334June 2013 SeNet Risk Management Creating an internal risk acceptance process Standardizing internal asset impact assessment and weighting – Effect on OLA's and SLA's Building it into the architecture

35 © SeNet International Corp. 201335June 2013 SeNet Defenders POV 800-53 Management C&A, SCA (CA-1: Certification, Accreditation, and Security Assessment Policies and Procedures) + (PM-1: InfoSec Program) – Possibly the most important from an implementer’s perspective. – Inject organizational security policies and risk management. – Organizational information authorization procedures. – Address elevated roles specifically and separately. Dedicated InfoSec budgeting (SA-2: Allocation of Resources) – Ok, you know federal budgeting is key, right?? – Don’t just keep renewing and upgrading; revisit the implementation. Vulnerability scanning schedule (RA-5) – It’s much more than just network scanning! – Appliances, autonomous stuff, session reconstruction and some really cool, but shady stuff… – Code stuff. Development Config Management + Security Testing (SA-10) – Better code and quality? – Code-level, vs assembly-level, vs application-level. – It’s not just code.

36 © SeNet International Corp. 201336June 2013 SeNet Defenders POV 800-53 Operational Baseline Configuration (CM-2) – Why this is really, really important. And no, a backup does not count. – From all angles – network, servers, application Disaster recovery criteria (CP-7) – Dual purpose site. – Return from failover. – Retention criteria. Media Transport (MP-5) – True cost of information loss. – Realistically securing the endpoint. System monitoring (SI-4) – SIEM dependence on shared infrastructure. – Importance of time sync. – Error event correlation with audit events.

37 © SeNet International Corp. 201337June 2013 SeNet Defenders POV 800-53 Technical Access control policy and procedures (CA-1) – Accepting/accounting for ACL risk exposure – Admin account review intervals Least privilege (AC-6) – ACLs – Impersonation vs delegation – Kerberos constrained delegation – Federated authentication – Monitoring/accounting for compliance – Group policies Audit record retention (AU-11) – Tiered retention by risk exposure. Session concurrency, lock, replay (AC-10, AC-11) – Securing external identifiers – Preventing app “nesting” Architectural design elements (all SC’s) – System partitioning from the ground (physical) and up – Careful with resource sharing – esp with virtualization

38 © SeNet International Corp. 201338June 2013 SeNet Examples From Good Organizations Organizational InfoSec program Service management initiatives + PMO integration Architecture and design Software development – Code reviews – Coding policies, standards – QA security function

39 © SeNet International Corp. 201339June 2013 SeNet Built Into the SDLC Risk-based approach vs compliance-only focus.

40 © SeNet International Corp. 201340June 2013 SeNet Built Into the SDLC (Cont.) Security integration to system development is critical to front-end design (not to confuse the term "front-end" with network design terms).

41 © SeNet International Corp. 201341June 2013 SeNet Built Into the SDLC (Cont.) Align the application design to your corporate information security program initiatives (you have one, right??).

42 © SeNet International Corp. 201342June 2013 SeNet Built Into the SDLC (Cont.) Examples: Audit logging design possibly include redundancy, retention, and reliability (unintentional 3 r's there); Session design possibly include concurrency control, lock, identification, replay Access, authentication, and authorization (intentional 3 a's there) Error handling design Unit test automation by check-in gates Code coverage Design for functional testing Information input restriction RBAC Partitioning Information validation Rules engine/input validation, app firewall

43 © SeNet International Corp. 201343June 2013 SeNet Built Into the SDLC (Cont.) Risks behind an insufficiently documented system

44 © SeNet International Corp. 201344June 2013 SeNet How Do These Controls Get Assessed 800-53A Interviews Examinations Testing* * This is the phase that suffers the must in C&A testing.

45 © SeNet International Corp. 201345June 2013 SeNet Tools that Perform 800-53 Compliance ASSERT CSAM Trusted Agent FISMA RSAM Maybe more?

46 © SeNet International Corp. 201346June 2013 SeNet The U.S. Office of Management and Budget has required, in the August 11, 2008, M-08-22 memorandum to Federal CIOs, that "Both industry and government information technology providers must use SCAP validated tools with FDCC Scanner capability to certify their products operate correctly with FDCC configurations and do not alter FDCC settings. Agencies will use SCAP tools to scan for both FDCC configurations and configuration deviations approved by department or agency accrediting authority. Agencies must also use these tools when monitoring use of these configurations as part of FISMA continuous monitoring." SCAP Tools

47 © SeNet International Corp. 201347June 2013 SeNet Assessors POV 800-53 Management Most often assessed via interviews and document collection. While important concepts, rarely do they equate to the direct security of a system.

48 © SeNet International Corp. 201348June 2013 SeNet Often assessing these controls is easy and straightforward. Do some interviews and collect some evidence. But you still have to be careful because you will get compliance descriptions like this that may look right but really aren’t. Assessors POV 800-53 Management (Cont.)

49 © SeNet International Corp. 201349June 2013 SeNet Assessors POV 800-53 Operational The largest control class, with several critical controls that directly impact the security posture of the system. Some aren’t that important IMO (AT, PS, MA) But the CM and SI have several critical controls that can indicate a fundamental flaw in processes and procedures (CM-3, CM-6, CM-7, SI-2) Others like CP are important, but often are overlooked and don’t get the attention they deserve (CP tests). While still assessed mostly via interviews and examination, more technical testing is required here. Many of you technical findings can be mapped back to CM-6 or SI-2.

50 © SeNet International Corp. 201350June 2013 SeNet Assessors POV 800-53 Operational (Cont.) We get a lot of “non-technical” findings in the Operational class

51 © SeNet International Corp. 201351June 2013 SeNet Assessors POV 800-53 Operational (Cont.) But we also get to have some fun by running tools like Nessus and Nmap. At least it is something……….

52 © SeNet International Corp. 201352June 2013 SeNet Assessors POV 800-53 Technical Don’t let this trick you plenty of interviews and examinations still take place at this level. Have spent hours going over AC-2 and all of its enhancements if done right (often it is not). This is the phase where we can have some fun (Yeah penetration testing!!!) sorta. Also an area where many mistakes are made on the development of documentation side because they do not have technical resources working on it.

53 © SeNet International Corp. 201353June 2013 SeNet Assessors POV 800-53 Technical (Cont.)

54 © SeNet International Corp. 201354June 2013 SeNet So just a typical SQLi issue, why is this important? Because the SSP for this system states for SI-10 (actually an operational control) that the application validates all input and prevents against these types of attacks And the exact same application had been through a C&A and granted an ATO at another agency…… Assessors POV 800-53 Technical (Cont.)

55 © SeNet International Corp. 201355June 2013 SeNet How Can We Fix FISMA? Some laws have recently been passed or are close to being passed. Executive Order 13636 Federal Information Security Amendments Act of 2013 Other organization have alternatives. SANS Twenty Critical Security Controls Other ideas? Require organizations and people to be certified to perform C&A activities. Though it is debatable how well that has worked for QSA and the PCI sectors……

56 © SeNet International Corp. 201356June 2013 SeNet Conclusion It is easy to comply with FISMA, it is harder to build real security into our systems and networks. Until we move beyond the “paperwork” drill this problem will not be fixed. Making sure these controls are integrated into the SDLC and then properly monitoring them is the key. Believe we are and will continue to see these regulations changing and adapting, for the better.

57 © SeNet International Corp. 201357June 2013 SeNet Questions

Download ppt "How to Defend Against FISMA Gus Fritschie and Andrew Du June 1st, 2013 FISMA Compliance."

Similar presentations

Nick Vennaro, NHIN Team (Contractor), Office of the National Coordinator for Health IT Michael Torppey, CONNECT Health IT Security Specialist (Contractor)

Nick Vennaro, NHIN Team (Contractor), Office of the National Coordinator for Health IT Michael Torppey, CONNECT Health IT Security Specialist (Contractor)
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, 2007. This work is the intellectual property rights of the author.

Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, This work is the intellectual property rights of the author.
NIH Security, FISMA and EPLC Lots of Updates! Where do we start? Kay Coupe NIH FISMA Program Coordinator Office of the Chief Information Officer Project.

NIH Security, FISMA and EPLC Lots of Updates! Where do we start? Kay Coupe NIH FISMA Program Coordinator Office of the Chief Information Officer Project.
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
SOX and IT Audit Programs John R. Robles Thursday, May 31, 2007 Tel: 787-647-396.

SOX and IT Audit Programs John R. Robles Thursday, May 31, Tel:
Security Controls – What Works

Security Controls – What Works
NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.

NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.
Information Security Policies and Standards

Information Security Policies and Standards
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Information Systems Security Officer

Information Systems Security Officer
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Risk Management Framework

Risk Management Framework
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Network security policy: best practices

Network security policy: best practices
Security Assessments FITSP-M Module 5. Security control assessments are not about checklists, simple pass-fail results, or generating paperwork to pass.

Security Assessments FITSP-M Module 5. Security control assessments are not about checklists, simple pass-fail results, or generating paperwork to pass.
1 Continuous Monitoring Proprietary Information of SecureInfo ® Corporation © 2011 All Rights Reserved.

1 Continuous Monitoring Proprietary Information of SecureInfo ® Corporation © 2011 All Rights Reserved.

Similar presentations

Ads by Google