FISMA and the Risk Management Framework
The New Practice of Federal Cyber Security

Stephen D. Gantz
Daniel R. Philpott
Darren Windham, Technical Editor

ELSEVIER
Amsterdam, Boston, Heidelberg, London, New York, Oxford, Paris, San Diego, San Francisco, Singapore, Sydney, Tokyo
Syngress is an Imprint of Elsevier
Contents

Trademarks  xvii
Acknowledgements  xix
About the Author  xxi

CHAPTER 1  Introduction  1
  Introduction  1
  Purpose and Rationale  3
  How to Use This Book  5
  Key Audience  5
  FISMA Applicability and Implementation  6
  Implementation Responsibilities  6
  FISMA Progress to Date  7
  FISMA Provisions  8
  Standards and Guidelines for Federal Information Systems  9
  System Certification and Accreditation  11
  Strengths and Shortcomings of FISMA  12
  Structure and Content  13
  Relevant Source Material  18
  References  19

CHAPTER 2  Federal Information Security Fundamentals  23
  Information Security in the Federal Government  25
  Brief History of Information Security  26
  Civilian, Defense, and Intelligence Sector Practices  28
  Legislative History of Information Security Management  33
  Certification and Accreditation  34
  FIPS 102  35
  DITSCAP  36
  NIACAP  37
  NIST Special Publication 800-37  39
  DIACAP  40
  NIST Risk Management Framework  41
  Joint Task Force Transformation Initiative  42
  Organizational Responsibilities  43
  Office of Management and Budget (OMB)  44
  National Institute of Standards and Technology (NIST)  44
  Department of Defense (DoD)  45
  Office of the Director of National Intelligence (ODNI)  45
  Department of Homeland Security (DHS)  45
  National Security Agency (NSA)  46
  General Services Administration (GSA)  46
  Government Accountability Office (GAO)  46
  Congress  46
  Executive Office of the President  47
  Relevant Source Material  47
  References  48

CHAPTER 3  Thinking About Risk  53
  Understanding Risk  54
  Key Concepts  54
  Types of Risk  57
  Organizational Risk  63
  Trust, Assurance, and Security  66
  Trust and Trustworthiness  67
  Assurance and Confidence  67
  Security  68
  Trust Models  68
  Risk Associated with Information Systems  70
  Risk Management Framework  71
  Risk Management Life Cycle  72
  Other Risk Management Frameworks Used in Government Organizations  73
  Relevant Source Material  75
  References  76

CHAPTER 4  Thinking About Systems  79
  Defining Systems in Different Contexts  80
  Information Systems in FISMA and the RMF  81
  Information System Attributes  82
  Perspectives on Information Systems  85
  Information Security Management  85
  Capital Planning and Investment Control  86
  Enterprise Architecture  87
  System Development Life Cycle  88
  Information Privacy  90
  Establishing Information System Boundaries  91
  Subsystems  92
  System Interconnections  95
  Maintaining System Inventories  97
  Relevant Source Material  98
  References  99

CHAPTER 5  Success Factors  105
  Prerequisites for Organizational Risk Management  106
  Justifying Information Security  107
  Key Upper Management Roles  109
  Managing the Information Security Program  111
  Organizational Policies, Procedures, Templates, and Guidance  114
  Compliance and Reporting  114
  Agency Reporting Requirements  115
  Information Security Program Evaluation  115
  Organizational Success Factors  116
  Governance  116
  Planning  117
  Budgeting and Resource Allocation  118
  Communication  118
  Standardization, Automation, and Reuse  119
  Flexibility  119
  Measuring Security Effectiveness  120
  Security Measurement Types  122
  Security Measurement Process  123
  Relevant Source Material  126
  References  126

CHAPTER 6  Risk Management Framework Planning and Initiation  131
  Planning  132
  Planning the RMF Project  134
  Aligning to the SDLC  135
  Planning the RMF Timeline  136
  Prerequisites for RMF Initiation  137
  Inputs to Information System Categorization  138
  Inputs to Security Control Selection  139
  Organizational Policies, Procedures, Templates, and Guidance  140
  Identifying Responsible Personnel  142
  Establishing a Project Plan  143
  Roles and Responsibilities  144
  Getting the Project Underway  145
  Relevant Source Material  148
  References  149

CHAPTER 7  Risk Management Framework Steps 1 & 2  153
  Purpose and Objectives  154
  Standards and Guidance  154
  Step 1: Categorize Information System  157
  Security Categorization  158
  Information System Description  166
  Information System Registration  167
  Step 2: Select Security Controls  168
  Common Control Identification  174
  Security Control Selection  176
  Monitoring Strategy  180
  Security Plan Approval  181
  Relevant Source Material  181
  References  182

CHAPTER 8  Risk Management Framework Steps 3 & 4  187
  Working with Security Control Baselines  188
  Assurance Requirements  189
  Sources of Guidance on Security Controls  190
  Roles and Responsibilities  194
  Management Controls  194
  Operational Controls  195
  Technical Controls  195
  Program Management, Infrastructure, and Other Common Controls  196
  Step 3: Implement Security Controls  196
  Security Architecture Design  198
  Security Engineering and Control Implementation  198
  Security Control Documentation  201
  Step 4: Assess Security Controls  202
  Security Control Assessment Components  204
  Assessment Preparation  205
  Security Control Assessment  211
  Security Assessment Report  212
  Remediation Actions  213
  Relevant Source Material  214
  References  215
CHAPTER 9  Risk Management Framework Steps 5 & 6  219
  Preparing for System Authorization  220
  Step 5: Authorize Information System  222
  Plan of Action and Milestones  223
  Security Authorization Package  226
  Risk Determination  228
  Risk Acceptance  229
  Step 6: Monitor Security Controls  230
  Information System and Environment Changes  233
  Ongoing Security Control Assessments  234
  Ongoing Remediation Actions  235
  Key Updates  236
  Security Status Reporting  237
  Ongoing Risk Determination and Acceptance  238
  Information System Removal and Decommissioning  238
  Relevant Source Material  239
  References  240

CHAPTER 10  System Security Plan  245
  Purpose and Role of the System Security Plan  246
  System Security Plan Scope  246
  Defining the System Boundary  247
  Key Roles and Responsibilities  249
  The Role of the SSP within the RMF  249
  Structure and Content of the System Security Plan  251
  System Security Plan Format  252
  SSP Linkage to Other Key Artifacts  264
  Developing the System Security Plan  266
  Rules of Behavior  267
  Managing System Security Using the SSP  268
  Relevant Source Material  269
  References  269

CHAPTER 11  Security Assessment Report  275
  Security Assessment Fundamentals  276
  Security Control Assessors and Supporting Roles  276
  Assessment Timing and Frequency  281
  Scope and Level of Detail  284
  Security Assessment Report Structure and Contents  288
  Assessment Methods and Objects  290
  Performing Security Control Assessments  293
  Assessment Determinations  293
  Producing the Security Assessment Report  296
  The Security Assessment Report in Context  296
  The Purpose and Role of the Security Assessment Report  298
  Using the Security Assessment Report  300
  Relevant Source Material  300
  References  301

CHAPTER 12  Plan of Action and Milestones  305
  Regulatory Background  307
  Structure and Content of the Plan of Action and Milestones  308
  Agency-Level POA&M  308
  System-Level POA&M Information  309
  Creating POA&M Items  313
  Planning for Remediation  316
  Oversight of POA&M Creation  317
  Weaknesses and Deficiencies  317
  Risk Assessments  318
  Risk Responses  319
  Sources of Weaknesses  320
  Producing the Plan of Action and Milestones  322
  Timing and Frequency  322
  Maintaining and Monitoring the Plan of Action and Milestones  323
  Resolving POA&M Items  324
  Relevant Source Material  324
  References  326

CHAPTER 13  Risk Management  329
  Risk Management  329
  Key Risk Management Concepts  332
  Three-Tiered Approach  335
  Organizational Perspective  335
  Mission and Business Perspective  339
  Information System Perspective  342
  Trust and Trustworthiness  343
  Components of Risk Management  344
  Frame  344
  Assess  347
  Respond  349
  Monitor  352
  Information System Risk Assessments  353
  Risk Models  355
  Assessment Methods  356
  Analysis Approaches  357
  Prepare  357
  Conduct  359
  Maintain  359
  Relevant Source Material  360
  References  361

CHAPTER 14  Continuous Monitoring  367
  The Role of Continuous Monitoring in the Risk Management Framework  369
  Monitoring Strategy  373
  Selecting Security Controls for Continuous Monitoring  374
  Integrating Continuous Monitoring with Security Management  375
  Roles and Responsibilities  375
  Continuous Monitoring Process  377
  Define ISCM Strategy  380
  Establish ISCM Program  381
  Implement ISCM Program  385
  Analyze Data and Report Findings  385
  Respond to Findings  386
  Review and Update ISCM Program and Strategy  387
  Technical Solutions for Continuous Monitoring  388
  Manual vs. Automated Monitoring  388
  Data Gathering  389
  Aggregation and Analysis  394
  Automation and Reference Data Sources  395
  Relevant Source Material  395
  References  396

CHAPTER 15  Contingency Planning  403
  Introduction to Contingency Planning  403
  Contingency Planning Drivers  404
  Contingency Planning Controls  406
  Contingency Planning and Continuity of Operations  411
  Federal Requirements for Continuity of Operations Planning  412
  Distinguishing Contingency Planning from Continuity of Operations Planning  413
  Contingency Planning Components and Processes  414
  Information System Contingency Planning  417
  Develop Contingency Planning Policy  417
  Conduct Business Impact Analysis  418
  Identify Preventive Controls  419
  Create Contingency Strategies  420
  Develop Contingency Plan  422
  Conduct Plan Testing, Training, and Exercises  422
  Maintain Plan  424
  Developing the Information System Contingency Plan  424
  ISCP Introduction and Supporting Information  425
  Concept of Operations  426
  Activation and Notification  427
  Recovery  428
  Reconstitution  430
  Appendices and Supplemental Information  431
  Operational Requirements for Contingency Planning  432
  System Development and Engineering  432
  System Interconnections  433
  Technical Contingency Planning Considerations  433
  Relevant Source Material  437
  References  438

CHAPTER 16  Privacy  445
  Privacy Requirements for Federal Agencies Under FISMA and the E-Government Act  446
  Privacy Provisions in the E-Government Act of 2002  447
  Privacy and Minimum Security Controls  451
  Privacy in FISMA Reporting  452
  FISMA Incident Reporting and Handling  455
  Federal Agency Requirements Under the Privacy Act  455
  Fair Information Practices  456
  Privacy Impact Assessments  461
  Applicability of Privacy Impact Assessments  462
  Conducting Privacy Impact Assessments  463
  Documenting and Publishing PIA Results  464
  System of Records Notices  465
  Updates to Privacy Impact Assessments for Third-Party Sources  465
  Privacy Impact Assessments within the Risk Management Framework  466
  Protecting Personally Identifiable Information (PII)  466
  Notification Requirements for Breaches of Personally Identifiable Information  468
  Other Legal and Regulatory Sources of Privacy Requirements  470
  Privacy Requirements Potentially Applicable to Agencies  470
  Relevant Source Material  475
  References  476

CHAPTER 17  Federal Initiatives  481
  Network Security  481
  US-CERT  482
  Comprehensive National Cybersecurity Initiative  483
  Trusted Internet Connections  484
  EINSTEIN  484
  Cloud Computing  485
  FedRAMP  486
  Application Security  487
  Tested Security Technologies  488
  Federal Information Processing Standards  488
  Common Criteria  489
  Secure Configuration Checklists  489
  Identity and Access Management  490
  Identity, Credential, and Access Management (ICAM)  491
  Personal Identity Verification  491
  Electronic Authentication  493
  Federal PKI  496
  Other Federal Security Management Requirements  497
  Personally Identifiable Information Protection  498
  OMB Memoranda  498
  Information Resources Management  499
  Federal Enterprise Architecture  499
  Open Government  501
  Relevant Source Material  501
  References  502
APPENDIX A  References  507
APPENDIX B  Acronyms  521
APPENDIX C  Glossary  527
INDEX  547