3/2/2012. Background on FISMA-Reheuser. NIST guidelines-cantor. IT security-huelseman. Federal Information Security Management Act

Transcription

1 Jonathan Cantor, Department of Commerce Gery Huelseman, U.S. Air Force Michael E. Reheuser, Department of Defense Background on FISMA-Reheuser NIST guidelines-cantor IT security-huelseman Federal Information Security Management Act Title III of E-Government Act of 2002 Requires federal agencies to develop, document and implement an agency-wide program to provide information security for information and information systems. 1

2 Requires agencies to implement procedures to reduce IT security risks Agencies must review info security program and report to OMB Starting in 2006, reporting requirements were expanded to include privacy issues Role of NIST From Report GAO INFORMATION SECURITY, Despite Reported Progress, Federal Agencies Need to Address Persistent Weaknesses, July OMB Circular No. A-130 Appendix 1., Privacy Reviews Requirement Periodicity 1. Matching Programs Review annually 2. Recordkeeping Practices. Biennially 3. Privacy Act Training Biennially 4. Violations Biennially 5. Systems of Records Notices. Biennially 6. Section (m) Contracts. Every two years a random sample of agency contracts. 7. Routine Use Disclosures Every four years 8. Exemption of Systems of Every four years Records 6 2

3 Question 2: Links to PIAs and SORNS Question 3: SAOP Responsibilities Question 4: Information Privacy Training and Awareness Question 5: Written PIA and Web Privacy Practices Question 6: Reviews conducted in the last year Question 7: Written Privacy Complaints Question 8: Policy Compliance Review Question 9: Advice Provided by the SAOP Question 10: Use of Persistent Tracking Technology Question 11: Privacy POC Information FISMA charges NIST with developing Federal information security standards for nonnational security information systems Federal Information Processing Standards (FIPS) Guidelines ( Special Publications ) 3

4 FIPS Standards for Security Categorization of Federal Information and Information Systems Categorizing Information Systems (High, Moderate, Low) FIPS 200 Minimum Security Requirements for Federal Information and Information Systems Specifies minimum security requirements for information and information systems and a riskbased process for selecting the security controls necessary to satisfy the minimum security requirements. SP (Rev. 1) System Security Plans SP (Rev. 1) Risk Management Assessment Guide SP Guide for Applying the Risk Management Framework to Federal Information Systems SP Managing Information Security Risk: Organization, Mission, and Information System View 4

5 SP (Rev. 3) - Guide for Assessing the Security Controls in Federal Information Systems SP A - Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans Appendix to SP Full set of Privacy Controls Developed by NIST and Federal CIO Council Privacy Committee Goal was to bring the privacy and information security communities closer together, and to provide objective controls for privacy in IT systems SP Guide for Identifying an Information System as a National Security System SP (Rev. 1) - Guide for Mapping Types of Information and Information Systems to Security Categories SP Guide for Security-Focused Configuration Management of Information Systems SP Information Security Continuous Monitoring for Federal Information Systems and Organizations 5

6 Access Controls Digital Certificates and Encryption Media Protection Incident Response Plan Lifecycle Management Training and Awareness Shared Network Drives PORTALs & CoPs Cloud Computing Web Access Database Management Digital Certification Encryption capability 6

7 Data at Rest Encryption Removable Media Identify Type of Information and Networks Scope of Breach Containment Cleanup Investigate Reporting Requirements Requirements Design & Prototype Testing Deployment Sustainment Decommissioning 7

8 Senior Leaders System Admin, Information Assurance Customers 8