David Missouri
VP, Governance, ISACA
Present: Senior Agency Information Security Officer (SAISO) @ GA DJJ
2012-2016: Information System Security Officer (ISSO) @ US DOL WHD
2011-2012: Network Administrator (CCNA) @ ITT Exelis in Iraq & Afghanistan
1997-Present: Residential Custom Home Builder @ Huios Development, LLC
Topics
1. FISMA
2. NIST 800-53
3. What do I do?!
Federal Information Security Modernization Act (FISMA) of 2014
FISMA 2014 codifies the Department of Homeland Security's role in administering the implementation of information security policies for federal Executive Branch civilian agencies, overseeing agencies' compliance with those policies, and assisting OMB in developing those policies. The legislation gives the Department authority to develop and oversee the implementation of binding operational directives to other agencies, in coordination with and consistent with OMB policies and practices. It also:
1. Authorizes DHS to provide operational and technical assistance to other federal Executive Branch civilian agencies at the agency's request;
2. Places the federal information security incident center (a function fulfilled by US-CERT) within DHS by law;
3. Authorizes DHS technology deployments to other agencies' networks (upon those agencies' request);
4. Directs OMB to revise policies regarding notification of individuals affected by federal agency data breaches;
5. Requires agencies to report major information security incidents as well as data breaches to Congress as they occur and annually; and
6. Simplifies existing FISMA reporting to eliminate inefficient or wasteful reporting while adding new reporting requirements for major information security incidents.
The Federal Information Security Modernization Act of 2014 amends the Federal Information Security Management Act of 2002 (FISMA).
Federal Information Security Management Act of 2002
FISMA defines a framework for managing information security that must be followed for all information systems used or operated by a U.S. federal government agency in the executive or legislative branches, or by a contractor or other organization on behalf of a federal agency in those branches. This framework is further defined by the standards and guidelines developed by NIST.
FISMA
Purpose of the act: FISMA assigns specific responsibilities to federal agencies, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) in order to strengthen information security systems. In particular, FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. According to FISMA, the term "information security" means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.
FISMA Requirements
1. Inventory of information systems
2. Categorize information and information systems according to risk level
3. Security controls
4. Risk assessment
5. System Authorization (Certification & Accreditation)
6. Continuous monitoring
How Do I Implement the Act?
The Risk Management Framework (RMF), illustrated in the next slide, provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle. The RMF steps are:
1. Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.
2. Select an initial set of baseline security controls for the information system based on the security categorization, tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions.
3. Implement the security controls and describe how the controls are employed within the information system and its environment of operation.
4. Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
5. Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system, and the decision that this risk is acceptable.
6. Monitor the security controls in the information system on an ongoing basis, including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.
RMF (diagram of the six RMF steps; figure not reproduced in the text)
How often do I have to do this?
1. The security plan should be reauthorized every three years or at any major change to the system.
2. The security controls should be divided by 3.
3. A third of the controls should be self-assessed in the first year and another third in the second year, while all of the controls should be audited in the third year by a third party.
NIST 800-53 rev 4
NIST 800-53 is a publication that recommends security controls for federal information systems and organizations; it documents security controls for all federal information systems except those designed for national security.
NIST 800-53 rev 5 Major Changes
Removing the words "federal" and "information". This change makes the controls apply to all organizations and systems, so there are no more "federal information systems": the controls will read "the organization" and "systems" instead.
Where do I find the NIST controls?
NVD - 800-53 - National Vulnerability Database (NIST): https://web.nvd.nist.gov/view/800-53/home
The NIST SP 800-53 database represents the security controls and associated assessment procedures defined in NIST SP 800-53 Revision 4, Recommended Security Controls for Federal Information Systems and Organizations.
What do I do? They want me to implement FISMA
1. Identify a senior C-level executive to champion information security and play the role of the Authorizing Official
2. Categorize your data
3. Select NIST controls
4. Implement the controls
5. Assess the controls
6. Obtain authorization
7. Continue to monitor controls
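The steps above (Categorize, Select, Assess, Authorize, Monitor), together with the three-year cadence from the "How often do I have to do this?" slide, can be turned into a small planning tool. The following is an added example written for this page, not code from the deck or from NIST. It assumes the FIPS 199 "high-water mark" rule for categorization (the system's impact for each objective is the highest rating among its information types, and the overall category is the highest of the three), which the deck does not spell out, and it uses a constructed sample of information types and a constructed, illustrative control catalog; the real baseline allocations must be taken from SP 800-53 itself.

```python
"""RMF planning helper: categorize, select a baseline, and schedule assessments
and reauthorization. Added example; assumptions are noted in comments."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Impact scale from FIPS 199 (assumption: the deck names the Categorize step but
# not this scale or the high-water-mark rule applied below).
LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}


@dataclass(frozen=True)
class InfoType:
    """One kind of information the system handles, with its C/I/A impact ratings."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def high_water_mark(info_types: List[InfoType]) -> Tuple[Dict[str, str], str]:
    """Per objective, take the highest rating across information types; the
    overall system category is the highest of the three objectives."""
    per_objective: Dict[str, str] = {}
    for objective in ("confidentiality", "integrity", "availability"):
        ratings = [getattr(t, objective).upper() for t in info_types]
        per_objective[objective] = max(ratings, key=LEVELS.__getitem__)
    overall = max(per_objective.values(), key=LEVELS.__getitem__)
    return per_objective, overall


def select_baseline(overall: str, catalog: Dict[str, str]) -> List[str]:
    """Initial baseline: every control whose lowest applicable baseline is at or
    below the system category. Tailoring and supplementing come after this."""
    return sorted(cid for cid, minimum in catalog.items()
                  if LEVELS[minimum] <= LEVELS[overall])


def assessment_plan(controls: List[str]) -> Dict[int, dict]:
    """Three-year cycle from the deck: one third self-assessed in year 1, another
    third in year 2, and every control audited by a third party in year 3."""
    thirds = [controls[i::3] for i in range(3)]  # round-robin split into thirds
    return {
        1: {"method": "self-assessment", "controls": thirds[0]},
        2: {"method": "self-assessment", "controls": thirds[1]},
        3: {"method": "independent third-party audit", "controls": list(controls)},
    }


def reauthorization_due(authorized_on: date,
                        major_change_on: Optional[date] = None) -> date:
    """Reauthorize every three years, or sooner if a major change occurs first."""
    try:
        three_years = authorized_on.replace(year=authorized_on.year + 3)
    except ValueError:  # 29 February landing on a non-leap year
        three_years = authorized_on.replace(year=authorized_on.year + 3, day=28)
    if major_change_on is not None and major_change_on < three_years:
        return major_change_on
    return three_years


# Constructed sample data (not from the deck). The catalog maps a control id to
# the lowest baseline that includes it; the levels here are illustrative only.
SAMPLE_INFO_TYPES = [
    InfoType("personnel records", "MODERATE", "MODERATE", "LOW"),
    InfoType("public web content", "LOW", "MODERATE", "LOW"),
    InfoType("financial transactions", "MODERATE", "HIGH", "MODERATE"),
]
SAMPLE_CATALOG = {
    "AC-2": "LOW", "AC-6": "MODERATE", "AU-2": "LOW", "AU-6": "LOW",
    "CM-3": "MODERATE", "CM-6": "LOW", "CP-2": "LOW", "IA-2": "LOW",
    "IR-4": "LOW", "PE-3": "LOW", "SC-7": "LOW", "SI-4": "LOW",
}


def run_example():
    """Walk the sample system through Categorize, Select and the assessment cycle."""
    per_objective, overall = high_water_mark(SAMPLE_INFO_TYPES)
    controls = select_baseline(overall, SAMPLE_CATALOG)
    plan = assessment_plan(controls)
    due = reauthorization_due(date(2016, 3, 1))  # constructed authorization date
    return per_objective, overall, controls, plan, due


if __name__ == "__main__":
    per_objective, overall, controls, plan, due = run_example()
    print("Categorization:", per_objective, "-> overall", overall)
    print("Selected baseline:", controls)
    for year, entry in plan.items():
        print(f"Year {year}: {entry['method']}: {entry['controls']}")
    print("Reauthorization due:", due)
```

The round-robin split keeps the yearly self-assessment workload even; in practice an organization would group controls by family or by the staff who own them, and would record any major change (a new interconnection, a platform migration) so that `reauthorization_due` pulls the date forward rather than waiting for the three-year mark.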