United States Department of the Interior
Federal Information Security Management Act (FISMA)
April 2008
Larry Ruffin & Joe Seger
Agenda
FISMA - It’s about enabling mission success through the protection of our sensitive agency information.
Federal Legislation & Directives
BIG PICTURE
Roles and Responsibilities: Mission Executives & Chief Information Officers; System Owners & Information System Security Managers
Certification & Accreditation: Assessments, Audits, Evaluations and Testing
Plans of Actions and Milestones
Enabling Efficient Mission Delivery and Success: Mission Efficiency through Business and Information Technology Integration
Integrating Risk Management into the Enterprise
Federal Legislation & Directives - Driving IT Security Improvements
E-Government Act of 2002 (Public Law 107-347): Enhance management and promote e-Gov services/processes
Title III - FISMA: Develop and maintain minimum controls to protect Federal systems
Section 208 - Privacy Provisions: Protect the privacy of personal information
OMB Circular A-130 (Office of Management and Budget): Policy for the management of Federal information resources
Requires protection commensurate with risk and magnitude of harm
Requires that security's role be explicit in IT investments and capital programming
Appendix III - Security of Federal Automated Information Resources: Minimum set of controls for Federal information security programs
Requires a security plan for information systems
Requires reviews of security controls
Big Picture
[Figure: Federal Information Security Management Act, E-Government Act and Presidential Management Agenda, surrounded by the program elements they drive: C&A, CIRT, SATE, PM, Assessments, CIP, EA (IS), Capital Planning, Patch Mgmt, System & Program POA&Ms, Asset Inventory, Security Program]
E-Gov:
• Enhance management and promote electronic Government services and processes
• Establish a Federal CIO in OMB
• Establish a framework of measures
• Enhance citizen access to Government information and services
FISMA (Title III of E-Gov):
• Comprehensive framework to ensure effectiveness of system controls
• Recognize highly networked nature of Federal computing
• Minimum controls required to protect Federal information
PMA:
• Strategic management of human capital
• Budget and performance integration
• Competitive sourcing
• Electronic-Government
• Improved financial management
FISMA - Programs that make up a comprehensive security program.
Protecting our critical infrastructure, responding quickly to incidents, educating the community, assessing ourselves, planning for security from the start, and of course documenting proof of what we have done and performing risk analysis and management through C&A. These are just a few of the elements that FISMA mandates, but how do we know it's effective?
E-Gov - It measures how well we are managing our e-business and how well our business is serving U.S. citizens. E-Gov mandates reporting on how well we are managing electronic services, but how do we know we are working toward the same goal as the rest of the Federal Government?
PMA - Managing human capital, budget and performance, competitive sourcing, and the financial services we provide is essential to carrying out an efficient, accurate, and effective mission, for which we are accountable. The electronic-Government mission is the common thread that runs through all missions. It supports them all, so it must be planned for, properly implemented, protected, and reviewed periodically, all in an efficient manner.
Integration is the key to making this all work together and to optimizing resources.
Roles & Responsibilities
Mission Executives (Business Process Owners): Responsible for ensuring security controls commensurate with risk (control the budget and the requirements)
Missions require the deployment of systems before relevant IT security disciplines are defined, integrated, and standardized
Chief Information Officers: Ensure compliance with security requirements while enabling the mission
Provide assurance of security effectiveness
Roles & Responsibilities
System Owner: Procures, implements, and integrates information systems
Represents mission priorities and security requirements to the Designated Approving Authority (DAA), supporting risk-based decisions
Makes judgments on independent advice of reasonable risk
Information System Security Manager: Ensures systems are Certified and Accredited
Implements agency policies and standards
Coordinates with system owners and business process owners
Balances mission risk in consideration of IT security risks
Certification and Accreditation
Accountability for:
Adequate safeguards and countermeasures are employed within information systems.
Information system safeguards and countermeasures are effective in their application.
Risk to organizational operations, assets, individuals, other organizations, and the Nation is explicitly understood and accepted by leaders at all levels.
Certification and Accreditation
Federal Information Systems
An information system used or operated by an executive agency (of the federal government), by a contractor of an executive agency, or by another organization on behalf of an executive agency.
Federal information systems process, store, and/or transmit federal information.
Authorization decisions for federal information systems are an inherently federal responsibility and cannot be delegated to other than federal officials.
Certification and Accreditation
Accreditation Boundary
All components of an organizational information system to be accredited by an authorizing official; excludes separately accredited systems, to which the information system is connected.
Defines the scope of protection for the organizational information system (i.e., what the organization agrees to protect under its direct control).
Includes the people, processes, and technologies that are part of the information system supporting enterprise missions and business processes.
Certification and Accreditation
Four-Phase C&A Process
1. Initiation Phase
2. Certification Phase
3. Accreditation Phase
4. Continuous Monitoring Phase
Expressed within the context of the NIST Risk Management Framework as follows…
C&A Risk Management Framework
[Figure: the NIST Risk Management Framework cycle]
Starting Point: CATEGORIZE Information System
SELECT Security Controls
SUPPLEMENT Security Controls
DOCUMENT Security Controls
IMPLEMENT Security Controls
ASSESS Security Controls
AUTHORIZE Information System
MONITOR Security Controls
Types of Controls
Management Controls:
• Security Planning
• Risk Assessment
• System and Services Acquisition
• Certification, Accreditation, and Security Assessments
Operational Controls:
• Security Awareness and Training
• Configuration Management
• Contingency Planning
• Media Protection
• Physical and Environmental Protection
• System and Information Integrity
• Incident Response
• System Maintenance
• Personnel Security
Technical Controls:
• Access Control
• Auditing and Accountability
• Identification and Authentication
• System and Communications Protection
Plans of Actions and Milestones
Audit or Assessment Findings:
• Identified vulnerabilities and weaknesses
• Documented on program- or system-level POA&Ms
• Corrective/mitigating action plans tracked to resolution
I found a weakness!
IT System Lifecycle
Plan > Design > Build > Test > Deploy > Operate > Dispose
[Figure: the mission at the center, surrounded by Customers, Suppliers, Partners and Employees]
IT Security Lifecycle
Plan > Design > Build > Test > Deploy > Operate > Dispose
Security activities across the lifecycle: Identify Risks; Implement Controls; Inspect Controls; Resolve Weaknesses; Monitor & Respond; Capital Planning & Investment
Enabling Efficient Mission Delivery and Success
“Baking-in” IT Security & Privacy Protections
Information security requirements must be considered first order requirements and are critical to mission and business success.
An effective organization-wide information security program helps to ensure that security considerations are specifically addressed in the enterprise architecture for the organization and are integrated early into the system development life cycle.
Enabling Mission Efficiency through Information Technology
Mission - Provide what's needed to get the job done
Challenge - Meet mission and security needs and remain effective
Critical assets are frequently updated and customized
Business solutions require interconnections to internal and external systems
Security of interconnections relies on cooperation and integration
[Figure: the mission at the center, surrounded by Customers, Suppliers, Partners and Employees]
NIST Computer Security Division & OMB Sites
Computer Security Resource Center (CSRC) library
http://csrc.nist.gov/index.html
Federal Information Processing Standard (FIPS) publications
FIPS 199 and 200
http://csrc.nist.gov/publications/fips
Special Publications (SP) 800 Series (primarily 800-18, 34, 37, 47, 53, 53A and 60)
http://csrc.nist.gov/publications/nistpubs/index.html
OMB Memoranda M-07-19, M-06-19, M-05-15, M-04-25 and M-03-19
http://www.whitehouse.gov/omb/memoranda/index.html