FISMA and the Private Sector

December 17, 2008 · Filed Under FISMA, Security

In a couple of earlier posts, FISMA was described as a risk management approach to securing information systems for the federal government. So what does that mean for private-sector companies concerned about their own risk management? With the introduction of NIST SP 800-53 rev. 2, it means that much of the groundwork has been done by the federal government, showing private companies a path to meeting their own industry compliance requirements.

Securing Critical IT Infrastructure

November 22, 2008 · Filed Under Security

Certification and Accreditation Part II

October 21, 2008 · Filed Under C&A, Certification and Accreditation

In our previous post we saw that all federal agencies in the United States must have their IT systems and infrastructure certified and accredited. Among industry experts this certification and accreditation process is known informally as C&A. It is a painstaking process in which auditors inspect reams of security documentation on an agency's IT systems and infrastructure and either pass or fail them.

Background and Purpose

Title III of the E-Government Act (Public Law 107-347), entitled the Federal Information Security Management Act (FISMA), requires that all federal agencies develop and implement an agency-wide information security program designed to safeguard the agency's IT assets and data. FISMA is specific in its requirements and stipulates that the information security program must include documentation and reports that clearly describe the following:

  • Periodic risk assessments
  • Information security policies and procedures
  • An assessment of threats, including their likelihood and impact
  • Policies and procedures for detecting security vulnerabilities
  • Evaluation and periodic testing of how well security policies are working
  • An inventory of software and hardware assets
  • Security awareness training and expected rules of behavior for end-users
  • An evaluation of the technical, management, and operational security controls
  • Procedures for reporting and responding to security incidents
  • A process for addressing any deficiencies reported
  • Contingency plans to ensure continuity of operations in the face of a disaster

FISMA forces federal agencies to understand the security of their systems and holds them accountable for resolving deficiencies. The methodologies that have evolved to address FISMA's stipulations are sound ones, and although only federal agencies are required to follow them, financial institutions would do well to adopt them to assess the security of their own systems.

C&A Methodology

There are generally three methodologies used for C&A initiatives:

  • DITSCAP/DIACAP
  • NIACAP
  • NIST

DITSCAP and DIACAP are the Department of Defense (DoD) processes. DITSCAP, the DoD Information Technology Security Certification and Accreditation Process, was defined in DoD Instruction 5200.40 (with DoD 8510.1-M as its application manual); it was superseded in 2007 by DIACAP, the DoD Information Assurance Certification and Accreditation Process, defined in DoD Instruction 8510.01. DITSCAP/DIACAP is typically used only by defense agencies, although civilian agencies may opt to apply its principles to a customized C&A process of their own.

NIACAP stands for National Information Assurance Certification and Accreditation Process. It is defined in National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 1000, issued by the NSTISSC (now the Committee on National Security Systems, CNSS), and applies to national security systems.

NIST is the National Institute of Standards and Technology, and its C&A methodology is described in Special Publication 800-37. The security controls themselves come from NIST SP 800-53, the procedures for assessing those controls from NIST SP 800-53A, and the System Security Plan (SSP) follows NIST SP 800-18. Risk assessments are covered by NIST SP 800-30, and using the NIST risk framework gives you both flexibility and direction in performing a thorough assessment. Other pertinent publications are NIST SP 800-34 (Contingency Planning) and NIST SP 800-60 (Guide for Mapping Types of Information and Information Systems to Security Categories). While many civilian agencies have traditionally used either NIACAP or NIST, the current trend is for agencies to move away from NIACAP and embrace the NIST methodology. It is also worth noting that most processes within ITIL (Information Technology Infrastructure Library) can be mapped to a NIST publication, and that the NIST special publications serve as the guidelines for building a secure infrastructure.

All three methodologies consider the entire system, network, and application lifecycle from a security standpoint. In short, the C&A process is a manual audit of policies, procedures, controls, and contingency planning. A network penetration test or vulnerability scan can tell you a great deal about the technical state of systems and networks, but it cannot tell you whether an organization has security policies and procedures in place, or whether it actually follows them. The C&A process is therefore much more cumbersome than a network penetration test (sometimes loosely referred to as a security scan or online vulnerability assessment, although a scan and a penetration test are not the same thing).

Preparing for C&A

The output of the C&A process is a collection of documents that describe the security posture of the systems, an evaluation of the risks, and recommendations for correcting deficiencies. This collection is known as a Certification Package.

A typical Certification Package consists of a set of documents that varies by agency, and more documentation may be required if the systems contain classified information or highly sensitive data. Each agency is responsible for defining its own C&A process, which must be well documented in the form of a C&A Handbook. The C&A Handbook is based on one of the three well-known methodologies (NIST, DITSCAP/DIACAP, or NIACAP) with customizations unique to the particular agency. Preparing the C&A package is sometimes referred to as a C&A Review.

Once a Certification Package has been prepared, Mission Assurance auditors review the package and recommend for or against accrediting the systems; the accreditation decision itself rests with the agency's authorizing official (the Designated Approving Authority, or DAA). All federal agencies must obtain an Authorization to Operate (ATO) before their systems can be legitimately and legally used for production purposes.

If the Certification Package does not contain the right information, or if what it reports is considered unacceptable (for example, if it cites unacceptable risks without adequate safeguards to mitigate them), the agency may instead be given an Interim Authorization to Operate (IATO), which allows it to run the systems for a limited period, usually about three months, while it corrects the deficiencies.

In preparing a C&A package, the documents that are typically required (according to the NIST methodology) include the following:

  • System Categorization Statement
  • System Description with System Boundaries Noted
  • Network Diagram and Data Flows
  • Software and Hardware Inventory
  • Business Risk Assessment
  • System Risk Assessment
  • Contingency Plan
  • Self-Assessment
  • System Security Plan

Depending on the requirements of the particular agency, other documents or variations of these may also be required. NIST publishes an excellent collection of documents that provide guidance for the C&A review and explain what information should be reported in each of the required documents.

Levels of Certification and Starting the Review

There are typically four levels of certification for a system under the DITSCAP model, from Level 1 (Basic Security Review) through Level 4 (Comprehensive Analysis). At the beginning of a C&A project, the C&A review team decides which level it is going to seek and drafts a memorandum that justifies the decision. The level is tightly coupled to the sensitivity of the systems being certified and to the severity of the impact that a loss of confidentiality, integrity, or availability would have on the systems or their information. Under the NIST methodology the equivalent step is security categorization: each information type the system handles is rated Low, Moderate, or High impact for confidentiality, integrity, and availability, and the system takes the highest rating (the "high-water mark"), which in turn selects the SP 800-53 control baseline. How to categorize information and information systems appropriately is described in the following documents:

FIPS Publication 199 Standards for Security Categorization of Federal Information and Information Systems
http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf

Special Publication 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories
http://csrc.nist.gov/publications/nistpubs/800-60/SP800-60V1-final.pdf Volume I
http://csrc.nist.gov/publications/nistpubs/800-60/SP800-60V2-final.pdf Volume II

The most sensitive systems, those that have lives depending on them, typically seek accreditation at the highest level, Level 4 (roughly a High-impact system in FIPS 199 terms). Systems that are not sensitive seek accreditation at the lowest level, Level 1 (Low impact). Moderately sensitive systems typically undergo a Level 2 or Level 3 C&A review (Moderate impact).

It is important to understand the appropriate level of accreditation required for the systems undergoing the C&A review, because the auditors will not accredit a system that has been incorrectly categorized. It is the system owners' responsibility to understand the levels of certification and their implications. The amount of information that must be provided to the Mission Assurance auditors differs according to the level of accreditation sought. Determining the appropriate level of certification and accreditation to seek is the first step in getting your C&A project off the ground.
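The high-water-mark rule from FIPS 199 and SP 800-60 mentioned above, written out in Python as an added example (this is not code from the original post or from NIST). The information types and the impact levels assigned to them are constructed for illustration and are not the provisional values from SP 800-60; an agency adjusts those provisional levels to its own mission before categorizing. The example also enforces the one edge case FIPS 199 carves out: "not applicable" is a legal impact value only for confidentiality (public information), never for integrity or availability, so the overall level of a real system can never be below Low.

```python
"""FIPS 199 security categorization via the high-water mark.

Added illustration for this post, not code from the original page or from
NIST. The information types and their impact levels below are constructed
for the example; they are not the provisional values from SP 800-60.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

OBJECTIVES = ("confidentiality", "integrity", "availability")

# FIPS 199 potential impact values, ordered so that max() yields the
# high-water mark. NA ("not applicable") is lowest and never raises a level.
IMPACT_ORDER = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}


@dataclass(frozen=True)
class InfoType:
    """One information type handled by the system, with its three impact levels."""
    name: str
    confidentiality: str  # LOW, MODERATE, HIGH, or NA (public information)
    integrity: str        # LOW, MODERATE, HIGH
    availability: str     # LOW, MODERATE, HIGH


def _validate(objective: str, level: str) -> str:
    if level not in IMPACT_ORDER:
        raise ValueError(f"{objective}: unknown impact level {level!r}")
    # FIPS 199 permits 'not applicable' only for confidentiality (e.g. public
    # web content); integrity and availability always carry at least LOW.
    if level == "NA" and objective != "confidentiality":
        raise ValueError(f"{objective}: NA is permitted only for confidentiality")
    return level


def categorize(info_types: Iterable[InfoType]) -> Tuple[Dict[str, str], str]:
    """Return (per-objective levels, overall system impact).

    For each objective the system level is the highest level among all the
    information types it handles (the FIPS 199 high-water mark). The overall
    impact, which selects the SP 800-53 baseline, is the highest of the three.
    """
    info_types = list(info_types)
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    per_objective: Dict[str, str] = {}
    for objective in OBJECTIVES:
        levels = [_validate(objective, getattr(t, objective)) for t in info_types]
        per_objective[objective] = max(levels, key=IMPACT_ORDER.__getitem__)
    # integrity and availability can never be NA, so overall is always >= LOW
    overall = max(per_objective.values(), key=IMPACT_ORDER.__getitem__)
    return per_objective, overall


def security_category(system: str, per_objective: Dict[str, str]) -> str:
    """Render the category in the notation FIPS 199 uses."""
    parts = ", ".join(f"({obj}, {per_objective[obj]})" for obj in OBJECTIVES)
    return f"SC {system} = {{{parts}}}"


def baseline_for(overall: str) -> str:
    """Name the SP 800-53 control baseline selected by an overall impact level."""
    return f"SP 800-53 {overall} baseline"


# Constructed sample information types (hypothetical, not SP 800-60 values).
PUBLIC_WEB_CONTENT = InfoType("public web content", "NA", "MODERATE", "LOW")
GRANTS_ADMIN = InfoType("grants administration records", "MODERATE", "MODERATE", "LOW")
EMERGENCY_DISPATCH = InfoType("emergency dispatch data", "LOW", "HIGH", "HIGH")


if __name__ == "__main__":
    for name, types in [
        ("public-site", [PUBLIC_WEB_CONTENT]),
        ("grants-portal", [PUBLIC_WEB_CONTENT, GRANTS_ADMIN]),
        ("dispatch-system", [EMERGENCY_DISPATCH, GRANTS_ADMIN]),
    ]:
        levels, overall = categorize(types)
        print(security_category(name, levels), "->", baseline_for(overall))
```

Note how the public site alone comes out Moderate even though its confidentiality is not applicable: defacement (an integrity loss) drives the category, which is exactly why FIPS 199 refuses NA for integrity and availability. Adding a single Moderate-confidentiality information type to that site raises its confidentiality level without changing the baseline, while adding one High information type drags the whole system to the High baseline, which is the practical consequence of system boundaries drawn too widely.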

Contractor Support

It is often the case that federal agencies elect to outsource their C&A Review when their own staff are stretched trying to meet other operational deadlines. A number of companies specialize in assisting U.S. federal agencies with their C&A Review. An agency considering outsourcing the C&A Review should interview all potential consultancies and ask for references from other C&A initiatives the consultancy has completed. A consultancy that has successfully helped agencies obtain full accreditation of their systems has a demonstrable track record.

Most U.S. federal agencies do not leave enough time to prepare a comprehensive C&A package. A medium-sized C&A effort takes about six months for a team of three consultants who know what they are doing; a project team that is new to C&A should expect the process to take much longer. If you are the CIO of a U.S. federal agency, systems that fail the accreditation process will likely be denied authorization to operate and shut down, which could become career limiting. So if you do not have enough in-house resources to get the job done, this is one case where you will definitely want to bring in expert consultants.

For additional information or assistance with building a secure infrastructure contact Computer Security Consulting, Inc (CSCI).

What is FISMA? Part II.

June 2, 2008 · Filed Under Certification and Accreditation, FISMA, Security

This is a continuation of the previous article, “What is FISMA?“.

Implement - At this stage the security controls are implemented. This means taking all of the information from the previous steps and applying it in a practical manner to the information systems. For example, if a system was given a security categorization of Low in the Categorize step, the Low baseline of controls from NIST SP 800-53 would be implemented, together with any supplemental controls that management deemed necessary.

What is FISMA?

May 14, 2008 · Filed Under FISMA, Security

The Federal Information Security Management Act (FISMA) is part of the E-Government Act, which became law in December 2002; Title III of the E-Government Act is FISMA. FISMA essentially requires all federal agencies to apply a risk-based methodology to all information systems operated by the agencies and their contractors.

Certification and Accreditation

May 5, 2008 · Filed Under Certification and Accreditation

Certification and Accreditation is the term used within the federal government sector for the process of complying with the Federal Information Security Management Act (FISMA). The public sector, the Department of Defense, health care providers, and the legal and financial sectors require similar "certification" processes. Whatever the sector, the outcome of each of these "audit" processes is the same: security certification and accreditation are important activities that support a risk management process and are an integral part of an agency's information security program. First, let's explore the meaning:

Access Controls

May 5, 2008 · Filed Under Access Control

What are access controls? Access controls provide the ability to decide whether an entity is allowed to use an object. For example, a locked door denies a person the ability to enter a house; the proper key unlocks the door and allows the person to enter the house through it.