SECURITY ASSESSMENT OF AUDIOVISUAL CONTROL AND DISTRIBUTION IN THE RISK MANAGEMENT FRAMEWORK
Paul Zielie, Manager, Enterprise Solutions, Harman Professional
11/16/2015
GOVERNMENT TEAM
Paul Cantwell, VP, Government Sales, 240.676.4001, Paul.Cantwell@harman.com
Whitney Michener, Marketing Manager, Government, 603.988.7849, Whitney.Michener@harman.com
Sonny Lastrella, Director, Army Programs, 303.856.6996, Sonny.Lastrella@harman.com
Troy Trujillo, Director, Air Force Programs, 202-595-4666, Troy.Trujillo@harman.com
Kevin Felts, Director, Navy/USMC Programs, 858.249.9620, Kevin.Felts@harman.com
Richard Gatchell, Director, Civilian Programs, 240.299.2429, Richard.Gatchell@harman.com
Bobby Ramoz, Government Channels, 214.914.9419, Bobby.Ramoz@harman.com
Jon Parker, Government Inside Sales, 469.624.6518, Jon.Parker@harman.com
HISTORY
Traditionally AV has been an isolated application: proprietary communications (AXLink), RS232, IR, relay.
When Ethernet was introduced, the AV industry continued to treat AV as an isolated application.
Growing trends require AV to interact with the enterprise network: unified communications, cloud-based applications, enterprise management.
TODAY
REQUIREMENTS FOR AV / IT SECURITY
Organizational expectations: as AV systems are migrated onto enterprise data networks, user organizations expect the AV system to maintain a security posture aligned with their security goals.
Best practice vs. regulatory compliance: in many cases these practices are more than business best practice; they may be a matter of regulatory compliance. Non-compliance is a major impediment for the end customer and may in some cases disallow installation.
COMPLIANCE STANDARDS
FISMA (Federal Information Security Management Act of 2002)
  Risk Management Framework (RMF)
  Security and Privacy Controls for Federal Information Systems and Organizations (SP 800-53 Rev. 4)
  FIPS-140-2
  FIPS-197 (AES)
National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS)
Department of Defense (DoD) Risk Management Framework (RMF)
  Security Technical Implementation Guides (STIGs)
  Common Criteria (NIAP)
  Control Correlation Identifiers (CCIs), NIST SP 800-53 Appendix F
  Unified Communications Approved Product List (UC APL)
ISO 27000 series standards
DOD RMF IMPLEMENTATION
Department of Defense Instruction (DoDI) 8510.01, March 12, 2014
Establishes an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF).
Replaced the DoD Information Assurance Certification and Accreditation Process (DIACAP).
Applies to all organizational entities within the Department of Defense and all DoD IT assets which receive, process, store, display, or transmit DoD information.
DOD CONTROL GUIDELINES
IT products will be configured in accordance with applicable Security Technical Implementation Guides (STIGs) under a cognizant Information System Security Manager (ISSM) and Security Control Assessor (SCA).
STIGs are product-specific and document applicable DoD policies and security requirements, as well as best practices and configuration guidelines.
STIGs are associated with security controls through Control Correlation Identifiers (CCIs), referenced in NIST SP 800-53 Appendix F.
Security Requirements Guides (SRGs) are developed by DISA to provide general security compliance guidelines and serve as source guidance documents for STIGs. When a STIG is not available for a product, an SRG may be used.
STIG and SRG compliance results for products will be documented as security control assessment results within a product-level Security Assessment Report (SAR).
A Plan of Action and Milestones (POA&M) must be developed and maintained to address known vulnerabilities in the IS or PIT system.
CHALLENGES
There is no standardized security control guidance for non-business IT-related products. This forces every installation to be treated as an exception to policy, with local security authorities interpreting security requirements and accreditation.
Consequences: additional paperwork, market confusion, inconsistent customer expectations.
RISK MANAGEMENT FRAMEWORK (RMF)
SECURITY CONTROL CATALOG
  ACCESS CONTROL (AC) (1-25)
  AWARENESS AND TRAINING (AT) (1-5)
  AUDIT AND ACCOUNTABILITY (AU) (1-16)
  SECURITY ASSESSMENT AND AUTHORIZATION (CA) (1-9)
  CONFIGURATION MANAGEMENT (CM) (1-11)
  CONTINGENCY PLANNING (CP) (1-13)
  IDENTIFICATION AND AUTHENTICATION (IA) (1-11)
  INCIDENT RESPONSE (IR) (1-9)
  MAINTENANCE (MA) (1-6)
  MEDIA PROTECTION POLICY AND PROCEDURES (MP) (1-8)
  PHYSICAL AND ENVIRONMENTAL PROTECTION (PE) (1-20)
  SECURITY PLANNING POLICY AND PROCEDURES (PL) (1-9)
  PERSONNEL SECURITY POLICY AND PROCEDURES (PS) (1-8)
  RISK ASSESSMENT (RA) (1-6)
  SYSTEM AND SERVICES ACQUISITION (SA) (1-22)
  SYSTEM AND COMMUNICATIONS PROTECTION (SC) (1-44)
  SYSTEM AND INFORMATION INTEGRITY (SI) (1-17)
INFORMATION SECURITY PROGRAMS
  PROGRAM MANAGEMENT CONTROLS (PM) (1-16)
PRIVACY CONTROL CATALOG
  AUTHORITY AND PURPOSE (AP) (1-2)
  ACCOUNTABILITY, AUDIT, AND RISK MANAGEMENT (AR) (1-8)
  DATA QUALITY AND INTEGRITY (DI) (1-2)
  DATA MINIMIZATION AND RETENTION (DM) (1-3)
  INDIVIDUAL PARTICIPATION AND REDRESS (IP) (1-4)
  SECURITY (SE) (1-2)
  TRANSPARENCY (TR) (1-3)
  USE LIMITATION (UL) (1-2)
254 42
RMF PROCESS
Step 1: Categorize (Committee on National Security Systems (CNSS) Instruction No. 1253)
Step 2: Select - Select an initial set of baseline security controls
Step 3: Implement - Implement the security controls and document how the controls are implemented
Step 4: Assess - Assess the security controls using appropriate procedures
Step 5: Authorize
Step 6: Monitor - Monitor on an ongoing basis
STEP 1: CATEGORIZE
Committee on National Security Systems (CNSS) Instruction No. 1253, Security Categorization and Control Selection for National Security Systems: impact on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States, rated for Confidentiality, Integrity and Availability.
DoDD 8500.1 Classification:
IT products: individual elements (including applications) and devices which perform control, communications, or computing functions in a DoD environment.
IT services: IT services outside the service user organization's authorization boundary.
Platform IT (PIT): computer resources, both hardware and software, that are physically part of, dedicated to, or essential in real time to the mission performance of special-purpose systems. An IT system or IT component cannot be classified as Platform IT simply because it is stand-alone. (DoDD 8500.1)
STEP 2: SELECT
Select an initial set of baseline security controls
Interaction: ACCESS CONTROL (AC) (1-25), IDENTIFICATION AND AUTHENTICATION (IA) (1-11), CONFIGURATION MANAGEMENT (CM) (1-11), MAINTENANCE (MA) (1-6)
Data flows: IDENTIFICATION AND AUTHENTICATION (IA) (1-11), SYSTEM AND COMMUNICATIONS PROTECTION (SC) (1-44)
System protections: CONFIGURATION MANAGEMENT (CM) (1-11), MAINTENANCE (MA) (1-6), SYSTEM AND COMMUNICATIONS PROTECTION (SC) (1-44), ACCESS CONTROL (AC) (1-25)
Audit: AUDIT AND ACCOUNTABILITY (AU) (1-16)
Source guidance: SP 800-53, CCI, FISMA, FIPS, DoDI 8510, SRG, STIG
EXAMPLE: PASSWORD POLICY
IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION
IA-5 AUTHENTICATOR MANAGEMENT
IA-6 AUTHENTICATOR FEEDBACK
IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION
IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)
IA-9 SERVICE IDENTIFICATION AND AUTHENTICATION
IA-10 ADAPTIVE IDENTIFICATION AND AUTHENTICATION
IA-11 RE-AUTHENTICATION
EXAMPLE: PASSWORD POLICY
IA-5 AUTHENTICATOR MANAGEMENT
Control Enhancements:
1) The information system, for password-based authentication:
  a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lowercase letters, numbers, and special characters, including minimum requirements for each type];
  b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
  c) Stores and transmits only cryptographically-protected passwords;
  d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
  e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
  f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
EXAMPLE: PASSWORD POLICY
Specific Control | Severity | SP 800-53v4 | CCI | SRG
The operating system must enforce password complexity by requiring that at least one upper-case character be used. | CAT II | IA-5 (1) (a) | CCI-000192 | SRG-OS-000069-GPOS-00037
The operating system must enforce password complexity by requiring that at least one lower-case character be used. | CAT II | IA-5 (1) (a) | CCI-000193 | SRG-OS-000070-GPOS-00038
The operating system must enforce password complexity by requiring that at least one numeric character be used. | CAT II | IA-5 (1) (a) | CCI-000194 | SRG-OS-000071-GPOS-00039
The operating system must enforce a minimum 15-character password length. | CAT II | IA-5 (1) (a) | CCI-000205 | SRG-OS-000078-GPOS-00046
The operating system must require the change of at least eight of the total number of characters when passwords are changed. | CAT II | IA-5 (1) (b) | CCI-000195 | SRG-OS-000072-GPOS-00040
The operating system must store only encrypted representations of passwords. | CAT II | IA-5 (1) (c) | CCI-000196 | SRG-OS-000073-GPOS-00041
The operating system must transmit only encrypted representations of passwords. | CAT II | IA-5 (1) (c) | CCI-000197 | SRG-OS-000074-GPOS-00042
Operating systems must enforce 24 hours/1 day as the minimum password lifetime. | CAT II | IA-5 (1) (d) | CCI-000198 | SRG-OS-000075-GPOS-00043
Operating systems must enforce a 60-day maximum password lifetime restriction. | CAT II | IA-5 (1) (d) | CCI-000199 | SRG-OS-000076-GPOS-00044
The operating system must prohibit password reuse for a minimum of five generations. | CAT II | IA-5 (1) (e) | CCI-000200 | SRG-OS-000077-GPOS-00045
The operating system must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. | CAT II | IA-6 | CCI-000206 | SRG-OS-000079-GPOS-00047
EXAMPLE: PASSWORD POLICY
IA-5 AUTHENTICATOR MANAGEMENT
Control Enhancements:
1) The information system, for password-based authentication:
  a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lowercase letters, numbers, and special characters, including minimum requirements for each type];
SP 800-53v4 | CCI | Specific Control
IA-5 (1) (a) | CCI-000192 | The operating system must enforce password complexity by requiring that at least one upper-case character be used.
IA-5 (1) (a) | CCI-000193 | The operating system must enforce password complexity by requiring that at least one lower-case character be used.
IA-5 (1) (a) | CCI-000194 | The operating system must enforce password complexity by requiring that at least one numeric character be used.
IA-5 (1) (a) | CCI-000205 | The operating system must enforce a minimum 15-character password length.
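The IA-5(1) rows above are exactly the kind of control text a product has to turn into enforceable behaviour. The following is an added example (not from the deck or from any Harman/AMX product) of a password-change check that implements the complexity, changed-character, storage and reuse rows, tagging each failure with the CCI the table cites. The definition of "changed characters" (positional differences plus any length difference) and the PBKDF2 storage format are assumptions of this example, not from the page.

```python
import hashlib
import hmac
import os

# Thresholds taken from the IA-5(1) rows in the table above.
MIN_LENGTH = 15           # CCI-000205: minimum 15-character length
MIN_CHANGED = 8           # CCI-000195: at least eight characters changed
HISTORY_GENERATIONS = 5   # CCI-000200: no reuse for five generations


def complexity_findings(pw):
    """Return the IA-5(1)(a) CCIs that a candidate password fails (empty list = pass)."""
    findings = []
    if not any(c.isupper() for c in pw):
        findings.append("CCI-000192")   # at least one upper-case character
    if not any(c.islower() for c in pw):
        findings.append("CCI-000193")   # at least one lower-case character
    if not any(c.isdigit() for c in pw):
        findings.append("CCI-000194")   # at least one numeric character
    if len(pw) < MIN_LENGTH:
        findings.append("CCI-000205")   # minimum 15-character length
    return findings


def changed_characters(old, new):
    """Assumed reading of CCI-000195: positional differences plus any length difference."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


def hash_password(pw, salt=None):
    """Salted PBKDF2-SHA256 so only a protected representation is kept (CCI-000196)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def is_reused(pw, history):
    """True if pw matches any of the last HISTORY_GENERATIONS stored hashes (CCI-000200)."""
    for salt, digest in history[-HISTORY_GENERATIONS:]:
        if hmac.compare_digest(hash_password(pw, salt)[1], digest):
            return True
    return False


def change_password(old_pw, new_pw, history):
    """Apply the IA-5(1) checks; return (accepted, findings) and record the hash on success."""
    findings = complexity_findings(new_pw)
    if changed_characters(old_pw, new_pw) < MIN_CHANGED:
        findings.append("CCI-000195")
    if is_reused(new_pw, history):
        findings.append("CCI-000200")
    if findings:
        return False, findings
    history.append(hash_password(new_pw))   # store only the salted hash, never new_pw
    return True, []
```

The lifetime rows (CCI-000198/000199) need a timestamp per history entry and are left out here; a real implementation would keep the full history for the audit trail rather than only the last five hashes.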
STEP 3: IMPLEMENT
Mission owner(s) must translate security controls into system specifications, ensure the successful integration of those specifications into the system design, and ensure security engineering trades do not impact the ability of the system to meet the fundamental mission requirements. (DoDI 8510.01)
STEP 4: ASSESS
Assess the security controls using appropriate procedures
STEP 5: AUTHORIZE
STEP 6: MONITOR
Monitor on an ongoing basis
AV / IT SECURITY QUESTIONS?
COLLATERAL
http://www.amx.com/automate/workbook-securitynetworked-av.aspx
http://www2.amx.com/avsecuritypart2
Risk Analysis Worksheet: http://www2.amx.com/avsecurityreq
COLLATERAL www.amx.com/automate/workbook-security-networked-av.aspx
REFERENCES
http://iase.disa.mil/stigs/cci/pages/index.aspx
http://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-53r4.pdf