Security Certification & Accreditation of Federal Information Systems A Tutorial




29 Jun 2009

Security Certification & Accreditation of Federal Information Systems: A Tutorial
An Introduction to NIST's 800-37
Dr. Vijay Madisetti, Professor, Georgia Tech - ECE, vkm@gatech.edu

Tutorial Outline
- Objectives & Introduction: C&A
- Information Security Certification & Accreditation Foundations (as per NIST 800-37)
- C&A Process Flow
- Summary

Information Security Classification Cost

Types of Information Security Breaches

Objectives of Security C&A
- To provide consistent, comparable & repeatable assessments of Security Controls in Information Systems
- To obtain a better understanding of Agency-related mission risks
- To obtain complete, reliable & trustworthy information that will facilitate security analyses
Security Accreditation is an official management decision to authorize operation of an information system and accept the associated risks.

Basic Values of Security C&A
Acceptance of responsibility and accountability by the program office for the operation of an information system.
Difference between Certification & Accreditation? (diagram; labels as transcribed)
  Certification --(Information + Evidence)--> Accreditation
  Other labels: Risk Thresholds; 1. Security Plan; 2. C&A Decision; 3. Risk Assessments; Agency Mission Category
Note: An agency has the operations of a mission, functions, image and reputation.

Security Certification
Security Certification is a comprehensive assessment of the Security Controls in an Information System:
- Management (related to risks/policies)
- Operational (related to people)
- Technical (related to hardware, software, firmware)
to determine the extent to which the controls are implemented (a) correctly, (b) as intended, and (c) produce the desired outcomes.

Objectives of Information Security
Information Security is the protection of an Information System from:
- Unauthorized access
- Unauthorized use
- Disclosure
- Disruption
- Modification
- Destruction
Result: Confidentiality, Integrity, Availability
Definition: An Information System is a discrete set of information resources organized expressly for the collection, processing, maintenance, use, sharing, dissemination and disposition of information.

Output of C&A Process
- Security Plan
- Risk Assessments
- Contingency Plans
- Incident Response Plans
- Security Awareness & Training Plans
- Information System Rules of Behavior
- Configuration Management Plans
- Security Configuration Checklists
- Privacy Impact Assessments
- System Interconnection Agreements

Questions during C&A Process
- Does the potential risk to the agency operations, assets or individuals described in the Security Plan (before C&A) appear to be correct, and is the risk acceptable?
- Are the security controls in the information system effective in achieving the desired level of protection defined by the requirements?
- What specific actions have been taken (or are planned) to correct any deficiencies in the security controls to reduce or eliminate vulnerabilities?
- Have adequate resources and funding been allocated?
- How do the results of the security certification affect agency risk?

How is Security Certification done?
- Interviewing
- Inspecting
- Studying
- Testing
- Demonstrating
- Analyzing
Security Certification does NOT include analyzing risk to agency operations, assets or individuals (that is a task for the Accreditation activity).

What can one say post-C&A?
- We have confidence in the information system
- Vulnerabilities have been considered in the risk assessment
- Appropriate plans and funds are deployed for correction

Types of Accreditation Decisions
Decisions:
- Authorization to Operate (ATO)
- Interim Authority to Operate (for a finite duration until deficiencies are addressed)
- Denial of Authorization to Operate
C&A Package:
- Approved System Security Plan
- Security Assessment Report (how controls have been implemented)
- Plan of Actions & Milestones

NIST's C&A Process (Source: NIST 800-37)

Initiation Phase, Task 1: PREPARATION

Initiation Phase (contd.), Task 1

Initiation Phase, Task 2: NOTIFICATION & RESOURCE IDENTIFICATION

Initiation Phase, Task 3: SYSTEM SECURITY PLAN ANALYSIS, UPDATE & ACCEPTANCE

Initiation Phase (contd.), Task 3

Security Certification Phase, Task 4: SECURITY CONTROL ASSESSMENT

Security Certification Phase (contd.), Task 5: SECURITY CERTIFICATION DOCUMENTATION

Milestone: Security Certification

Security Accreditation Phase, Task 6: SECURITY ACCREDITATION DECISION

Security Accreditation Phase, Task 7: SECURITY ACCREDITATION DOCUMENTATION

Continuous Monitoring Phase, Task 8: CONFIGURATION MANAGEMENT & CONTROL

Continuous Monitoring Phase, Task 9: SECURITY CONTROL MONITORING

Continuous Monitoring Phase, Task 10: STATUS REPORTING & DOCUMENTATION

Responsibility Charts (Source: NIST 800-37)

DIACAP Activities (DoD's Standard)
DoD's DIACAP is similar to NIST's 800-37 (four phases and similar sets of activities). Source: General Dynamics

Summary
- Provided an introduction to the Unified Security Certification & Accreditation Methodology (based on the forthcoming NIST 800-37)
- Introduced the C&A Process
- Described the Ten Tasks within C&A

Questions