KSC_FIPS_FISMA101
Transcript of KSC_FIPS_FISMA101
Page 1
Working for Uncle Sam: FIPS/FISMA 101
Kenneth Silsbee, Principal Consultant, Yeoman Security
[email protected]
Page 2
Who Am I?
Kenneth Silsbee
- In IT for over 20 years. In Information Security over 10 years.
- Over 10 years teaching business management and security.
- 6 years consulting. Built 2 software security programs from scratch.
- Worked in numerous Fortune 500 companies and 2 startups.
- I've seen telecommunications, aerospace, manufacturing, insurance, and commercial software.
- Recent efforts in HIPAA, FISMA, and PCI compliance.
Security IT leadership & Program Management, specializing in software and data protection.
Page 3
FISMA-FIPS, FIPS-FISMA... I'm Sooo Confused!!
E-Government Act of 2002
- Recognized the importance of information security to the US
- Every federal agency and contractor needs a security program
- FISMA is part of the act
FISMA (Federal Information Security Management Act)
- Sets the requirements for an overall risk-based program to manage information security
- Specifies the framework of policies and procedures to address security risks
FIPS (Federal Information Processing Standards)
- Government standards for computer systems used by non-military government agencies and contractors
- The FIPS 100 document series are required standards
Page 4
And Then There is NIST
National Institute of Standards and Technology, Computer Security Division
- Develops standards and guidelines for Federal computer systems
- Creates FIPS where no acceptable industry standards or solutions exist
- Using voluntary industry standards (e.g. ANSI) is encouraged
Key NIST Publication Types
- FIPS 100 Series: publications on mandatory security standards
- ITL (Information Technology Laboratory) Security Bulletins: special topics
- 800 Series: Special Publications on security
Page 5
The Link Between FISMA, FIPS, and NIST
FISMA
- Relies on NIST Special Publications for how to execute a security program
- Relies on FIPS publications for specific security standards
NIST
- Also provides supplemental security guidance and guidelines not identified by FISMA or FIPS
Page 6
Compliant vs Certified
FIPS
- "FIPS compliant" if using the methods and technologies specified by the FIPS 100 document series
- Usually references cryptography (FIPS 140 compliant)
- "FIPS Certified" applies to custom cryptography tested by third-party laboratories
- Part of the Cryptographic Module Validation Program (CMVP); see NIST FIPS 140-2 for details
FISMA
- Certification and accreditation program
- First, system controls are certified to function appropriately
- Next, the information system's security is accredited by review and government authorization
- See NIST SP 800-37 for details
Page 7
FISMA Compliance Framework, Part I
1. Create an Information Systems Inventory: "the elements used for a common purpose" (NIST SP 800-18)
2. Categorize Information and Information Systems by Risk Level: maps to impact level & response (NIST SP 800-18)
3. Select Minimum Security Controls: flexible match of security controls to need (NIST SP 800-53)
Page 8
FISMA Compliance Framework, Part II
4. Assess the Effectiveness of the System: risk assessment adjusts security needs (NIST SP 800-30)
5. Maintain a System Security Plan: defines a repeatable evaluation process (NIST SP 800-18)
6. Perform Continuous Monitoring: part of the Risk Management Framework (RMF) (NIST SP 800-137, NIST FAQ on Continuous Monitoring)
Page 9
What do I do to Work for Uncle Sam?
Any device with software (e.g. a defibrillator) or a software application at a minimum must:
- Be categorized by risk level (FIPS 199)
- Meet minimum security requirements (FIPS 200 & NIST SP 800-53)
An Information System (integrated components for collecting, storing and processing data or delivering information or knowledge) must:
- Become FISMA compliant (includes FIPS)
Although mandated, only 7 of 14 government agencies are FISMA compliant
Page 10
Best Practices
- Appoint somebody to own data security: ultimate oversight (doesn't need to be the CIO)
- Meet FIPS first (FISMA next, if needed)
- Expend resources based on risk; some risk is OK. Identify the most crucial security controls
- Monitor where it counts: vulnerability scanners, etc.
- Use integrity testing tools to identify system changes & potential compromises
Page 11
For More Information
FISMA Resources: http://csrc.nist.gov/groups/SMA/fisma/
FIPS and NIST Documents: http://csrc.nist.gov/publications/
FISMA Advice: http://www.cliftonlarsonallen.com/Federal-Government/CMS-Security-Guidelines-Contractors-FISMA-Compliance.aspx
Meeting FISMA Effectively: http://www.informationweek.com/whitepaper/government/security/six-critical-elements-to-achieving-economies-in-f-wp1278458862136
Page 12
QUESTIONS?
Kenneth Silsbee
Principal Consultant, Yeoman Security Consulting
425-413-3979