20170112 Working Group Assessment Mandate Presentation DRAFT V1[2]
1. Foundational Basis for the Assessment
of NASA Information Systems
January 12, 2017
Presented by: Cybersecurity and Integration Division (CSID)
Code 710
Information Technology & Communications Directorate (ITCD)
Code 700
2. Summary
Code 7XX DSR 11/05/14
To provide a thorough understanding of all relevant
Federal mandates and guidance regarding the continuous
monitoring of NASA Federal Information Systems
through the process of independent annual security
control assessments.
4. Federal Laws
The Federal Information Systems Management Act of 2002
(Public Law 107-347) and the Federal Information Systems
Modernization Act of 2014 (Public Law 113-283), known as
FISMA 2002 and FISMA 2014 respectively, require the Office
of Management and Budget (OMB) and the Department of
Homeland Security (DHS) to issue regulations governing the security
of federally managed information systems.
5. FISMA 2002
Makes the head of each federal agency responsible for
“providing information security protections commensurate with
the risk and magnitude of the harm resulting from unauthorized
access, use, disclosure, disruption, modification or destruction.”
To achieve this end, FISMA 2002 requires that “senior agency
officials” accomplish the following objectives:
• Assess risk and magnitude of harm that could result from a breach of
security;
• Determine the appropriate level of security on a system-by-system basis;
• Implement policies and practices to reduce risk; and
• Periodically test and evaluate information security controls and techniques
to ensure that they are effectively implemented.
6. FISMA 2014
Updates FISMA 2002 by mandating that each independent
assessment shall include:
• Each year, each agency shall have performed an independent evaluation of
the information security program and practices of that agency to determine
the effectiveness of such programs and practices;
• Testing of the effectiveness of information security policies, procedures,
and practices of a representative subset of the agency’s information
systems;
• An assessment of the effectiveness of the information security policies,
procedures, and practices of the agency; and
• Separate presentations, as appropriate, regarding information security
relating to national security systems.
7. FISMA 2014 (cont.)
Mandates that security assessments be either carried out by the
Office of the Inspector General or by an “independent external
auditor” engaged by the head of the agency.
As such, any assessment performed by a stakeholder within the
organization of the information system does not meet the legal
requirement for independent annual assessments of federal
information systems.
8. Federal Directives (DHS)
DHS Binding Operational Directives (BODs)
DHS BOD-15-01
Addresses the cybersecurity landscape from a national security
perspective and provides directives to stakeholders in federal
information systems.
Prescribes “identifying and mitigating vulnerabilities in the
information technology (IT) environment” as a key mechanism in
reducing the “risk of attackers penetrating their networks and
stealing their information.”
9. Federal Instructions (OMB)
OMB Instruction documents regarding security assessments for
federal information systems are OMB Circular No. A-130, OMB
Memo 15-01, OMB Memo 14-03, and OMB Memo 10-28.
The OMB mandates enhance the aforementioned laws by
specifying that agencies shall “regularly review and address risk
regarding processes, people and technology” by using the
guidance provided by the National Institute of Standards and
Technology (NIST) as well as Federal Information Processing
Standards (FIPS).
10. Federal Instructions (OMB) cont.
OMB Memo 15-01 specifically mandates that agencies are to “assess
information security risks on an ongoing basis” and that each agency is required
to “develop an Information Security Continuous Monitoring Strategy (ISCM).”
OMB Memo 14-03 states that it is the purpose of the ISCM Strategy to support
and enhance “the process of ongoing authorization by providing authorizing
officials with sufficient information regarding the current security state of their
information systems and environments of operations, including the security
controls employed within, and inherited by, the systems.”
Furthermore, OMB Memo 14-03 states, “Continuous monitoring-generated
information used to support ongoing authorizations must satisfy the
independence requirements defined in NIST Special Publication (SP) 800-37
and SP 800-53.”
11. NIST
• The National Institute of Standards and Technology
(NIST) is empowered by DHS and OMB to create the tools
and processes by which the security of these systems is
measured.
• Adherence to the NIST guidance is mandated by both OMB
and DHS.
12. NASA Agency Governance
• NASA annually issues a strategic plan for securing federal
information systems and regularly updates a series of IT Security Handbooks
(ITS-HBKs) which provide specific guidance on how all of the aforementioned
requirements are met.
• The fifth goal of the NASA ITCD Strategic Plan for 2016 is to “Enhance
and strengthen information security to ensure the integrity, availability, and
confidentiality of NASA’s critical data and risk management solutions.”
• NASA publishes the ITS-HBK series which provides detailed information
and guidance regarding the processes to meet the NASA security program
requirements. These handbooks are authorized as official Agency guidance
by NASA Policy Directive (NPD) 2810.1e and NASA Procedural
Requirement (NPR) 2810.1a.
13. Summary of Publications and Resources
Federal Laws
• Public Law 107-347
(FISMA 2002)
• Public Law 113-283
(FISMA 2014)
OMB Instructions
• OMB Circular No. A-130
• OMB Memorandum 10-28
• OMB Memorandum 14-03
• OMB Memorandum 15-01
DHS Directives
• DHS Binding Operational
Directive 15-01
NIST Special Publications (SPs)
• NIST SP 800-37
Guide for Applying the Risk Management
Framework to Federal Information Systems
• NIST SP 800-53
Security and Privacy Controls for Federal
Information Systems and Organizations
• NIST SP 800-53A
Assessing Security and Privacy Controls in
Federal Information Systems and Organizations
14. NASA Governance Documents
• NASA Information Technology and Communications Division Strategic
Plan for 2016
• NASA Policy Directive 2810.1e
NASA Information Security Policy
• NASA Procedural Requirement 2810.1a
Security of Information Technology
• NASA IT Security Handbook 2810.02
Security Assessment and Authorization
• NASA IT Security Handbook 2810.04
Risk Assessment: Security Categorization, Risk Assessment, Vulnerability
Scanning, Expedited Patching, & Organizationally Defined Values