Federal Government Perspectives on Secure Information Sharing Technology Leadership Series

1

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Federal Government Perspectives on Secure Information Sharing

Technology Leadership Series

August 14, 2007

Dr. Ron Ross

Computer Security DivisionInformation Technology Laboratory

2


Current State of Affairs Continuing serious attacks on federal information

systems; targeting key federal operations and assets. Adversaries are nation states, terrorist groups,

hackers, criminals, disgruntled employees. Attacks are organized, disciplined, aggressive, and

well resourced; many are extremely sophisticated. Significant exfiltration of critical and sensitive

information and implantation of malicious software.

3


Threats to SecurityConnectivity

Complexity

4


Challenges for Agencies Large, complex information technology

infrastructures; many information systems to manage.

Dynamic operational environments with changing threats, vulnerabilities, and technologies.

Obtaining adequate staffing with requisite information security skills and expertise.

5


Changing Models of Protection

Risk Avoidance Risk Management

Information Protection Information Protection Information Sharing

Confidentiality Confidentiality, Integrity, Availability

6


The Desired End StateSecurity Visibility Among Business/Mission Partners

Organization One

Information System

Plan of Action and Milestones

Security Assessment Report

System Security Plan

Determining the risk to the first organization’s operations and assets and

the acceptability of such risk

Business / MissionInformation Flow

The objective is to achieve visibility into prospective business/mission partners information security programs BEFORE critical/sensitive communications begin…establishing levels of security due diligence and trust.

Determining the risk to the second organization’s operations and assets and

the acceptability of such risk

Organization Two

Information System

Plan of Action and Milestones

Security Assessment Report

System Security Plan

Security Information

7


Information Security ImperativesFor an Information Sharing Partnership

The need to share depends on a need to trust. Trust cannot be conferred; it must be earned. Trust is earned by understanding the security state of

your partner’s information system. Understanding the security state of an information

system depends on the evidence produced by organizations demonstrating the effective employment of safeguards and countermeasures. Trust but verify…

8


Information Security Paradigm Shift From: Policy-based compliance

Policy dictates discrete, pre-defined information security requirements and associated safeguards/countermeasures;

Minimal flexibility in implementation; and Little emphasis on explicit acceptance of mission risk.

To: Risk-based mission protection Enterprise missions and business functions drive security

requirements and associated safeguards/countermeasures; Highly flexible in implementation; and Focuses on acknowledgement and acceptance of mission risk.

9


FISMA Strategic Vision Building a solid foundation of information security across one of the

largest information technology infrastructures in the world based on comprehensive security standards and guidelines.

Institutionalizing a comprehensive Risk Management Framework that promotes flexible, cost-effective information security programs for federal agencies and contractors.

Establishing a fundamental level of “information security due diligence” for federal agencies based on a common process to determine adequate protection for enterprise missions and business functions.

10


Risk Management Framework The Risk Management Framework and the

associated security standards and guidelines provide a process that is: Disciplined Structured Flexible Extensible Repeatable

“Building information security into the infrastructure of the organization…so that critical enterprise missions and business functions will be protected.”

11


Managing Enterprise Risk Key activities in managing enterprise-level risk—risk to the enterprise

and to other organizations resulting from the operation of an information system:

Categorize the information system (criticality/sensitivity)Select and tailor baseline (minimum) security controlsSupplement the security controls based on risk assessmentDocument security controls in system security plan Implement the security controls in the information systemAssess the security controls for effectivenessAuthorize information system operation based on mission riskMonitor security controls on a continuous basis

12


Risk Management Framework

Determine security control effectiveness (i.e., controls implemented correctly, operating as

intended, meeting security requirements)

SP 800-53A

ASSESSSecurity Controls

Continuously track changes to the information system that may affect security controls and

reassess control effectiveness

SP 800-37 / SP 800-53A

MONITORSecurity Controls

Document in the security plan, the security requirements for the information system and

the security controls planned or in place

SP 800-18

DOCUMENT Security Controls

SP 800-37

AUTHORIZE Information System

Determine risk to agency operations, agency assets, or individuals and, if acceptable, authorize information system operation

SP 800-53 / SP 800-30

SUPPLEMENT Security Controls

Use risk assessment results to supplement the tailored security control baseline as needed to ensure adequate security and due diligence

FIPS 200 / SP 800-53

SELECT Security Controls

Select baseline (minimum) security controls to protect the information system; apply tailoring

guidance as appropriate

Implement security controls; apply security configuration settings

IMPLEMENT Security Controls

SP 800-70

Define criticality /sensitivity of information system according to

potential impact of loss

FIPS 199 / SP 800-60

CATEGORIZE Information System

Starting Point

13


Information Security Program

Adversaries attack the weakest link…where is yours?

Risk assessment Security planning Security policies and procedures Contingency planning Incident response planning Security awareness and training Security in acquisitions Physical security Personnel security Security assessments Certification and accreditation

Access control mechanisms Identification & authentication mechanisms (Biometrics, tokens, passwords) Audit mechanisms Encryption mechanisms Boundary and network protection devices (Firewalls, guards, routers, gateways) Intrusion protection/detection systems Security configuration settings Anti-viral, anti-spyware, anti-spam software Smart cards

Links in the Security Chain: Management, Operational, and Technical Controls

14


The Common FoundationFor Managing Enterprise Risk

The Generalized Model

Common Information Security Requirements

Unique Information Security Requirements

The “Delta”

Foundational Set of Information Security Standards and Guidance

• Standardized risk management framework• Standardized security categorization (criticality/sensitivity)• Standardized security controls and control enhancements• Standardized security control assessment procedures

Intelligence Community

Department of Defense

Federal Civil Agencies

National security and non national security information systems

15


Enterprise-wide Strategy Facilitates enterprise-wide, mission-oriented decisions on

risk mitigation activities based on organizational priorities; Provides global view of systemic weaknesses and

deficiencies occurring in information systems across the organization;

Promotes the development of enterprise-wide solutions to information security problems; and

Increases knowledge base for system owners regarding threats, vulnerabilities, and strategies for more cost-effective solutions to common problems.

16


Defense-in-Breadth Strategy Diversify information technology assets.

Reduce the information technology target size.

Consider vulnerabilities of new information technologies before deployment.

Apply a balanced set of management, operational, and technical security controls in a defense-in-depth approach.

17


Key Standards and Guidelines FIPS Publication 199 (Security Categorization) FIPS Publication 200 (Minimum Security Requirements) NIST Special Publication 800-18 (Security Planning) NIST Special Publication 800-30 (Risk Management) NIST Special Publication 800-37 (Certification & Accreditation) NIST Special Publication 800-53 (Recommended Security Controls) NIST Special Publication 800-53A (Security Control Assessment) NIST Special Publication 800-59 (National Security Systems) NIST Special Publication 800-60 (Security Category Mapping)

Many other FIPS and NIST Special Publications provide security standards and guidance supporting the FISMA legislation…

18


Contact Information100 Bureau Drive Mailstop 8930

Gaithersburg, MD USA 20899-8930

Project Leader Administrative SupportDr. Ron Ross Peggy Himes(301) 975-5390 (301) [email protected] [email protected]

Senior Information Security Researchers and Technical SupportMarianne Swanson Dr. Stu Katzke (301) 975-3293 (301) 975-4768 [email protected] [email protected]

Pat Toth Arnold Johnson(301) 975-5140 (301) 975-3247 [email protected] [email protected]

Matt Scholl Information and Feedback(301) 975-2941 Web: csrc.nist.gov/[email protected] Comments: [email protected]

Federal Government Perspectives on Secure Information Sharing Technology Leadership Series

Documents

Transcript of Federal Government Perspectives on Secure Information Sharing Technology Leadership Series