KSC_FIPS_FISMA101

Working for Uncle Sam: FIPS/FISMA 101
Kenneth Silsbee, Principal Consultant, Yeoman Security Consulting
[email protected]

Transcript of KSC_FIPS_FISMA101

Page 1: KSC_FIPS_FISMA101

Working for Uncle Sam: FIPS/FISMA 101

Kenneth Silsbee
Principal Consultant, Yeoman Security Consulting
[email protected]

Page 2: KSC_FIPS_FISMA101

Who Am I? Kenneth Silsbee

In IT for over 20 years. In Information Security over 10 years.
Over 10 years teaching business management and security.
6 years consulting; built 2 software security programs from scratch.
Worked in numerous Fortune 500 companies and 2 startups.
I’ve seen telecommunications, aerospace, manufacturing, insurance, and commercial software.
Recent efforts in HIPAA, FISMA, and PCI compliance.
Security IT leadership & program management, specializing in software and data protection.

Page 3: KSC_FIPS_FISMA101

FISMA-FIPS, FIPS-FISMA. . . I’m Sooo Confused!!

E-Government Act of 2002
  Recognized the importance of information security to the US
  Every federal agency and contractor needs a security program
  FISMA is part of the act

FISMA (Federal Information Security Management Act)
  Sets the requirements for an overall risk-based program to manage information security
  Specifies the framework of policies and procedures to address security risks

FIPS (Federal Information Processing Standards)
  Government standards for computer systems used by non-military government agencies and contractors
  The FIPS 100 document series are required standards

Page 4: KSC_FIPS_FISMA101

And Then There is NIST: National Institute of Standards and Technology

Computer Security Division
  Develops standards and guidelines for Federal computer systems
  Creates FIPS where no acceptable industry standards or solutions exist
  Using voluntary industry standards (eg ANSI) is encouraged

Key NIST Publication Types
  FIPS 100 Series – publications on mandatory security standards
  ITL (Information Technology Laboratory) Security Bulletins – special topics
  800 Series – Special Publications on security

Page 5: KSC_FIPS_FISMA101

The Link Between FISMA, FIPS, and NIST

FISMA
  Relies on NIST Special Publications for how to execute a security program
  Relies on FIPS publications for specific security standards

NIST
  Also provides supplemental security guidance and guidelines not identified by FISMA or FIPS

Page 6: KSC_FIPS_FISMA101

Compliant vs Certified

FIPS
  “FIPS compliant” if using the methods and technologies specified by the FIPS 100 document series
  Usually references cryptography (FIPS 140 compliant)
  “FIPS certified” applies to custom cryptography tested by third-party laboratories
  Part of the Cryptographic Module Validation Program (CMVP) – see NIST FIPS 140-2 for details

FISMA
  Certification and accreditation program
  First, system controls are certified to function appropriately
  Next, the information system’s security is accredited by review and government authorization
  See NIST SP 800-37 for details

Page 7: KSC_FIPS_FISMA101

FISMA Compliance Framework, Part I

1. Create an Information Systems Inventory
   “The elements used for a common purpose” (NIST SP 800-18)

2. Categorize Information and Information Systems by Risk Level
   Maps to impact level & response (NIST SP 800-18)

3. Select Minimum Security Controls
   Flexible match of security controls to need (NIST SP 800-53)

Page 8: KSC_FIPS_FISMA101

FISMA Compliance Framework, Part II

4. Assess the Effectiveness of the System
   Risk assessment adjusts security needs (NIST SP 800-30)

5. Maintain a System Security Plan
   Defines a repeatable evaluation process (NIST SP 800-18)

6. Perform Continuous Monitoring
   Part of the Risk Management Framework (RMF) (NIST SP 800-137, NIST FAQ on Continuous Monitoring)

Page 9: KSC_FIPS_FISMA101

What do I do to Work for Uncle Sam?

Any device with software (eg a defibrillator) or a software application at a minimum must:
  Be categorized by risk level (FIPS 199)
  Meet minimum security requirements (FIPS 200 & NIST SP 800-53)

An Information System (integrated components for collecting, storing and processing data, or delivering information or knowledge) must:
  Become FISMA compliant (includes FIPS)

Although mandated, only 7 of 14 government agencies are FISMA compliant
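The first requirement on this slide, categorizing a system by risk level under FIPS 199, is mechanical enough to show in code. The following is an added example, not from the slides: it applies the FIPS 199 rule that a system's security category is the per-objective (confidentiality, integrity, availability) maximum across the information types it handles, and the FIPS 200 high-water mark rule that the system's overall impact level is the highest of those three, which then selects the matching NIST SP 800-53 baseline. The medical-device information types and their impact values are constructed sample data, not taken from any real categorization.

```python
"""FIPS 199 security categorization with the FIPS 200 high-water mark.

Added example, not the slide author's code. The categorization rules are
from FIPS 199 / FIPS 200; the information types below are constructed.
"""
from dataclasses import dataclass

# Impact levels ordered so max() picks the higher one. FIPS 199 permits
# "N/A" only for the confidentiality of public information.
LEVEL_RANK = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its FIPS 199 impact per security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self, objective: str) -> str:
        return getattr(self, objective)


def _validate(info_types):
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    for t in info_types:
        for obj in OBJECTIVES:
            level = t.impact(obj)
            if level not in LEVEL_RANK:
                raise ValueError(f"{t.name}: unknown impact level {level!r} for {obj}")
            if level == "N/A" and obj != "confidentiality":
                raise ValueError(f"{t.name}: N/A is only allowed for confidentiality")


def categorize_system(info_types) -> dict:
    """Per-objective high-water mark across all information types (FIPS 199)."""
    _validate(info_types)
    return {
        obj: max((t.impact(obj) for t in info_types), key=LEVEL_RANK.__getitem__)
        for obj in OBJECTIVES
    }


def overall_impact_level(category: dict) -> str:
    """FIPS 200 high-water mark: the highest impact among the three objectives.

    Integrity and availability can never be N/A, so the result is at least LOW.
    """
    return max(category.values(), key=LEVEL_RANK.__getitem__)


def baseline_for(level: str) -> str:
    """Name the NIST SP 800-53 control baseline that the impact level selects."""
    return f"NIST SP 800-53 {level.lower()} baseline"


def format_security_category(system_name: str, category: dict) -> str:
    """Render the category in the notation FIPS 199 uses: SC name = {(objective, impact), ...}."""
    pairs = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return f"SC {system_name} = {{{pairs}}}"


# Constructed sample: information types handled by a hypothetical patient-monitoring device.
PATIENT_MONITOR = [
    InfoType("device telemetry", confidentiality="MODERATE", integrity="HIGH", availability="HIGH"),
    InfoType("public product manual", confidentiality="N/A", integrity="LOW", availability="LOW"),
    InfoType("maintenance logs", confidentiality="LOW", integrity="MODERATE", availability="LOW"),
]

if __name__ == "__main__":
    category = categorize_system(PATIENT_MONITOR)
    print(format_security_category("patient_monitor", category))
    level = overall_impact_level(category)
    print(f"overall impact level: {level} -> {baseline_for(level)}")
```

The per-objective maximum matters in practice: a low-sensitivity public manual does not lower the category, and a single HIGH integrity information type drags the whole system to the high baseline. Categorizing each information type separately, as here, makes that audit trail visible when the result is challenged.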

Page 10: KSC_FIPS_FISMA101

Best Practices

Appoint somebody to own data security
  Ultimate oversight (doesn’t need to be the CIO)

Meet FIPS first (FISMA next, if needed)

Expend resources based on risk – some risk is OK
  ID the most crucial security controls

Monitor where it counts – vulnerability scanners, etc.

Use integrity testing tools to ID system changes & potential compromises
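The last best practice, integrity testing to identify system changes, is a baseline-and-compare exercise. The following is an added example, not the slide author's code or any particular product: it hashes every regular file under a directory into a baseline, then reports files that were added, removed or modified since. The directory tree, file names and contents in `demo()` are constructed sample data built in a temporary directory so the script runs offline.

```python
"""Minimal file-integrity check: baseline a tree, then report drift.

Added example illustrating the "integrity testing tools" best practice;
the sample tree in demo() is constructed, not a real system.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 65536) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Map each regular file (relative POSIX path) under root to its digest.

    Symlinks are skipped so a link pointing outside the tree is not hashed.
    """
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift between two snapshots into added / removed / modified paths."""
    in_both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in in_both if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a small tree, change it, and report the drift."""
    root = Path(tempfile.mkdtemp(prefix="integrity-demo-"))
    try:
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "etc" / "access.conf").write_text("allow=10.0.0.0/8\n")
        (root / "bin" / "service").write_bytes(b"\x7fELF-sample-binary-v1")
        baseline = build_baseline(root)

        # Simulated drift since the baseline: an edited config, a replaced
        # binary, a deleted file and a new file.
        (root / "etc" / "app.conf").write_text("debug=true\n")
        (root / "bin" / "service").write_bytes(b"\x7fELF-sample-binary-v2")
        (root / "etc" / "access.conf").unlink()
        (root / "bin" / "helper").write_text("#!/bin/sh\n")
        return compare(baseline, build_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In a real deployment the baseline has to be stored somewhere the monitored host cannot rewrite (or be signed), otherwise whoever changes the files can also change the record; and the comparison should run on a schedule and feed the continuous-monitoring step of the framework rather than be a one-off check.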

Page 11: KSC_FIPS_FISMA101

For More Information

FISMA Resources
  http://csrc.nist.gov/groups/SMA/fisma/

FIPS and NIST Documents
  http://csrc.nist.gov/publications/

FISMA Advice
  http://www.cliftonlarsonallen.com/Federal-Government/CMS-Security-Guidelines-Contractors-FISMA-Compliance.aspx

Meeting FISMA Effectively
  http://www.informationweek.com/whitepaper/government/security/six-critical-elements-to-achieving-economies-in-f-wp1278458862136

Page 12: KSC_FIPS_FISMA101

QUESTIONS?

Kenneth Silsbee

Principal Consultant, Yeoman Security Consulting

[email protected]

425-413-3979