FISMA and the Risk Management Framework


FISMA and the Risk Management Framework: The New Practice of Federal Cyber Security
Stephen D. Gantz, Daniel R. Philpott
Darren Windham, Technical Editor
Elsevier: Amsterdam, Boston, Heidelberg, London, New York, Oxford, Paris, San Diego, San Francisco, Singapore, Sydney, Tokyo
Syngress is an imprint of Elsevier

Contents

Trademarks xvii
Acknowledgements xix
About the Author xxi

CHAPTER 1 Introduction 1
  Introduction 1
  Purpose and Rationale 3
  How to Use This Book 5
  Key Audience 5
  FISMA Applicability and Implementation 6
  Implementation Responsibilities 6
  FISMA Progress to Date 7
  FISMA Provisions 8
  Standards and Guidelines for Federal Information Systems 9
  System Certification and Accreditation 11
  Strengths and Shortcomings of FISMA 12
  Structure and Content 13
  Relevant Source Material 18
  References 19

CHAPTER 2 Federal Information Security Fundamentals 23
  Information Security in the Federal Government 25
  Brief History of Information Security 26
  Civilian, Defense, and Intelligence Sector Practices 28
  Legislative History of Information Security Management 33
  Certification and Accreditation 34
  FIPS 102 35
  DITSCAP 36
  NIACAP 37
  NIST Special Publication 800-37 39
  DIACAP 40
  NIST Risk Management Framework 41
  Joint Task Force Transformation Initiative 42
  Organizational Responsibilities 43
  Office of Management and Budget (OMB) 44
  National Institute of Standards and Technology (NIST) 44
  Department of Defense (DoD) 45

  Office of the Director of National Intelligence (ODNI) 45
  Department of Homeland Security (DHS) 45
  National Security Agency (NSA) 46
  General Services Administration (GSA) 46
  Government Accountability Office (GAO) 46
  Congress 46
  Executive Office of the President 47
  Relevant Source Material 47
  References 48

CHAPTER 3 Thinking About Risk 53
  Understanding Risk 54
  Key Concepts 54
  Types of Risk 57
  Organizational Risk 63
  Trust, Assurance, and Security 66
  Trust and Trustworthiness 67
  Assurance and Confidence 67
  Security 68
  Trust Models 68
  Risk Associated with Information Systems 70
  Risk Management Framework 71
  Risk Management Life Cycle 72
  Other Risk Management Frameworks Used in Government Organizations 73
  Relevant Source Material 75
  References 76

CHAPTER 4 Thinking About Systems 79
  Defining Systems in Different Contexts 80
  Information Systems in FISMA and the RMF 81
  Information System Attributes 82
  Perspectives on Information Systems 85
  Information Security Management 85
  Capital Planning and Investment Control 86
  Enterprise Architecture 87
  System Development Life Cycle 88
  Information Privacy 90
  Establishing Information System Boundaries 91
  Subsystems 92
  System Interconnections 95
  Maintaining System Inventories 97

  Relevant Source Material 98
  References 99

CHAPTER 5 Success Factors 105
  Prerequisites for Organizational Risk Management 106
  Justifying Information Security 107
  Key Upper Management Roles 109
  Managing the Information Security Program 111
  Organizational Policies, Procedures, Templates, and Guidance 114
  Compliance and Reporting 114
  Agency Reporting Requirements 115
  Information Security Program Evaluation 115
  Organizational Success Factors 116
  Governance 116
  Planning 117
  Budgeting and Resource Allocation 118
  Communication 118
  Standardization, Automation, and Reuse 119
  Flexibility 119
  Measuring Security Effectiveness 120
  Security Measurement Types 122
  Security Measurement Process 123
  Relevant Source Material 126
  References 126

CHAPTER 6 Risk Management Framework Planning and Initiation 131
  Planning 132
  Planning the RMF Project 134
  Aligning to the SDLC 135
  Planning the RMF Timeline 136
  Prerequisites for RMF Initiation 137
  Inputs to Information System Categorization 138
  Inputs to Security Control Selection 139
  Organizational Policies, Procedures, Templates, and Guidance 140
  Identifying Responsible Personnel 142
  Establishing a Project Plan 143
  Roles and Responsibilities 144
  Getting the Project Underway 145

  Relevant Source Material 148
  References 149

CHAPTER 7 Risk Management Framework Steps 1 & 2 153
  Purpose and Objectives 154
  Standards and Guidance 154
  Step 1: Categorize Information System 157
  Security Categorization 158
  Information System Description 166
  Information System Registration 167
  Step 2: Select Security Controls 168
  Common Control Identification 174
  Security Control Selection 176
  Monitoring Strategy 180
  Security Plan Approval 181
  Relevant Source Material 181
  References 182

CHAPTER 8 Risk Management Framework Steps 3 & 4 187
  Working with Security Control Baselines 188
  Assurance Requirements 189
  Sources of Guidance on Security Controls 190
  Roles and Responsibilities 194
  Management Controls 194
  Operational Controls 195
  Technical Controls 195
  Program Management, Infrastructure, and Other Common Controls 196
  Step 3: Implement Security Controls 196
  Security Architecture Design 198
  Security Engineering and Control Implementation 198
  Security Control Documentation 201
  Step 4: Assess Security Controls 202
  Security Control Assessment Components 204
  Assessment Preparation 205
  Security Control Assessment 211
  Security Assessment Report 212
  Remediation Actions 213
  Relevant Source Material 214
  References 215

CHAPTER 9 Risk Management Framework Steps 5 & 6 219
  Preparing for System Authorization 220
  Step 5: Authorize Information System 222
  Plan of Action and Milestones 223
  Security Authorization Package 226
  Risk Determination 228
  Risk Acceptance 229
  Step 6: Monitor Security Controls 230
  Information System and Environment Changes 233
  Ongoing Security Control Assessments 234
  Ongoing Remediation Actions 235
  Key Updates 236
  Security Status Reporting 237
  Ongoing Risk Determination and Acceptance 238
  Information System Removal and Decommissioning 238
  Relevant Source Material 239
  References 240

CHAPTER 10 System Security Plan 245
  Purpose and Role of the System Security Plan 246
  System Security Plan Scope 246
  Defining the System Boundary 247
  Key Roles and Responsibilities 249
  The Role of the SSP within the RMF 249
  Structure and Content of the System Security Plan 251
  System Security Plan Format 252
  SSP Linkage to Other Key Artifacts 264
  Developing the System Security Plan 266
  Rules of Behavior 267
  Managing System Security Using the SSP 268
  Relevant Source Material 269
  References 269

CHAPTER 11 Security Assessment Report 275
  Security Assessment Fundamentals 276
  Security Control Assessors and Supporting Roles 276
  Assessment Timing and Frequency 281
  Scope and Level of Detail 284
  Security Assessment Report Structure and Contents 288
  Assessment Methods and Objects 290
  Performing Security Control Assessments 293

  Assessment Determinations 293
  Producing the Security Assessment Report 296
  The Security Assessment Report in Context 296
  The Purpose and Role of the Security Assessment Report 298
  Using the Security Assessment Report 300
  Relevant Source Material 300
  References 301

CHAPTER 12 Plan of Action and Milestones 305
  Regulatory Background 307
  Structure and Content of the Plan of Action and Milestones 308
  Agency-Level POA&M 308
  System-Level POA&M Information 309
  Creating POA&M Items 313
  Planning for Remediation 316
  Oversight of POA&M Creation 317
  Weaknesses and Deficiencies 317
  Risk Assessments 318
  Risk Responses 319
  Sources of Weaknesses 320
  Producing the Plan of Action and Milestones 322
  Timing and Frequency 322
  Maintaining and Monitoring the Plan of Action and Milestones 323
  Resolving POA&M Items 324
  Relevant Source Material 324
  References 326

CHAPTER 13 Risk Management 329
  Risk Management 329
  Key Risk Management Concepts 332
  Three-Tiered Approach 335
  Organizational Perspective 335
  Mission and Business Perspective 339
  Information System Perspective 342
  Trust and Trustworthiness 343
  Components of Risk Management 344
  Frame 344
  Assess 347
  Respond 349
  Monitor 352

  Information System Risk Assessments 353
  Risk Models 355
  Assessment Methods 356
  Analysis Approaches 357
  Prepare 357
  Conduct 359
  Maintain 359
  Relevant Source Material 360
  References 361

CHAPTER 14 Continuous Monitoring 367
  The Role of Continuous Monitoring in the Risk Management Framework 369
  Monitoring Strategy 373
  Selecting Security Controls for Continuous Monitoring 374
  Integrating Continuous Monitoring with Security Management 375
  Roles and Responsibilities 375
  Continuous Monitoring Process 377
  Define ISCM Strategy 380
  Establish ISCM Program 381
  Implement ISCM Program 385
  Analyze Data and Report Findings 385
  Respond to Findings 386
  Review and Update ISCM Program and Strategy 387
  Technical Solutions for Continuous Monitoring 388
  Manual vs. Automated Monitoring 388
  Data Gathering 389
  Aggregation and Analysis 394
  Automation and Reference Data Sources 395
  Relevant Source Material 395
  References 396

CHAPTER 15 Contingency Planning 403
  Introduction to Contingency Planning 403
  Contingency Planning Drivers 404
  Contingency Planning Controls 406
  Contingency Planning and Continuity of Operations 411
  Federal Requirements for Continuity of Operations Planning 412

  Distinguishing Contingency Planning from Continuity of Operations Planning 413
  Contingency Planning Components and Processes 414
  Information System Contingency Planning 417
  Develop Contingency Planning Policy 417
  Conduct Business Impact Analysis 418
  Identify Preventive Controls 419
  Create Contingency Strategies 420
  Develop Contingency Plan 422
  Conduct Plan Testing, Training, and Exercises 422
  Maintain Plan 424
  Developing the Information System Contingency Plan 424
  ISCP Introduction and Supporting Information 425
  Concept of Operations 426
  Activation and Notification 427
  Recovery 428
  Reconstitution 430
  Appendices and Supplemental Information 431
  Operational Requirements for Contingency Planning 432
  System Development and Engineering 432
  System Interconnections 433
  Technical Contingency Planning Considerations 433
  Relevant Source Material 437
  References 438

CHAPTER 16 Privacy 445
  Privacy Requirements for Federal Agencies Under FISMA and the E-Government Act 446
  Privacy Provisions in the E-Government Act of 2002 447
  Privacy and Minimum Security Controls 451
  Privacy in FISMA Reporting 452
  FISMA Incident Reporting and Handling 455
  Federal Agency Requirements Under the Privacy Act 455
  Fair Information Practices 456
  Privacy Impact Assessments 461
  Applicability of Privacy Impact Assessments 462
  Conducting Privacy Impact Assessments 463
  Documenting and Publishing PIA Results 464
  System of Records Notices 465

  Updates to Privacy Impact Assessments for Third-Party Sources 465
  Privacy Impact Assessments within the Risk Management Framework 466
  Protecting Personally Identifiable Information (PII) 466
  Notification Requirements for Breaches of Personally Identifiable Information 468
  Other Legal and Regulatory Sources of Privacy Requirements 470
  Privacy Requirements Potentially Applicable to Agencies 470
  Relevant Source Material 475
  References 476

CHAPTER 17 Federal Initiatives 481
  Network Security 481
  US-CERT 482
  Comprehensive National Cybersecurity Initiative 483
  Trusted Internet Connections 484
  EINSTEIN 484
  Cloud Computing 485
  FedRAMP 486
  Application Security 487
  Tested Security Technologies 488
  Federal Information Processing Standards 488
  Common Criteria 489
  Secure Configuration Checklists 489
  Identity and Access Management 490
  Identity, Credential, and Access Management (ICAM) 491
  Personal Identity Verification 491
  Electronic Authentication 493
  Federal PKI 496
  Other Federal Security Management Requirements 497
  Personally Identifiable Information Protection 498
  OMB Memoranda 498
  Information Resources Management 499
  Federal Enterprise Architecture 499
  Open Government 501
  Relevant Source Material 501
  References 502

APPENDIX A References 507
APPENDIX B Acronyms 521
APPENDIX C Glossary 527
INDEX 547