DojoSec FISMA Presentation
Presentation I gave at DojoSec on 2009-05-07 introducing FISMA and discussing some of its future direction.

  1. FISMA: It Doesn’t Bite
  2. Dan Philpott. OnPoint Consulting – Consultant; FISMApedia.org – Founder; guerilla-ciso.com – Guest Blogger; Potomac Forum – FISMA Instructor; CISSP, CAP, MCSE, ITIL; ProType – Beta Tester, 1983
  3. Structure: 1. Compliance; 2. Story of FISMA; 3. How FISMA Works; 4. Future of FISMA
  4. Story of FISMA
  5. Once upon a time ... (photo © Nic's events, Creative Commons Attribution-ShareAlike)
  6. The Suck (photo © thebadastronomer, Creative Commons Attribution-ShareAlike)
  7. Barren Wasteland (photo © Denis Defreyne, Creative Commons Attribution)
  8. Toothless Security (photo © Oscar Alexander, Creative Commons Attribution)
  9. 9/11
  10. Public Law 107-347, E-Government Act
  11. “Each federal agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source…”
  12. “...information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction...”
  13. Split Duties: OMB coordinates; NIST develops guidance
  14. Testing and Evaluation (photo © humeid, Creative Commons Attribution-NonCommercial-ShareAlike)
  15. Reporting (photo © icadrews, Creative Commons Attribution-NonCommercial)
  16. Exemptions: National Security Systems; Department of Defense; Central Intelligence Agency
  17. NO WAIVERS! (photo © Mel B., Creative Commons Attribution)
  18. Compliance
  19. Compliance = Security or Compliance ≠ Security
  20. Network Security + Host Security + Web App Security + Secure Development + Physical Security + Security Training + Cryptography + Compliance = Security
  21. How FISMA Works
  22. NIST Special Publication 800-37: Guide for the Security Certification and Accreditation of Federal Information Systems
  23. NIST Special Publication 800-100: Information Security Handbook: A Guide for Managers
  24. Phases Overview: Phase 1 – Initiation; Phase 2 – Security Certification; Phase 3 – Security Accreditation; Phase 4 – Continuous Monitoring
  25. Phase 1: Initiation
  26. NIST FIPS 199: Standards for Security Categorization of Federal Information and Information Systems
  27. NIST Special Publication 800-60: Guide for Mapping Types of Information and Information Systems to Security Categories
  28. NIST Special Publication 800-30: Risk Management Guide for Information Technology Systems
  29. NIST Special Publication 800-18: Guide for Developing Security Plans for Federal Information Systems
  30. NIST FIPS 200: Minimum Security Requirements for Federal Information and Information Systems
  31. NIST Special Publication 800-53: Recommended Security Controls for Federal Information Systems
  32. Before we go further… Common Controls; Tailoring the Baseline; Compensating Controls
  33. Phase 2: Security Certification
  34. NIST Special Publication 800-53A: Guide for Assessing the Security Controls in Federal Information Systems
  35. Assessment Cases for NIST SP 800-53A
  36. Phase 3: Security Accreditation
  37. NIST Special Publication 800-30: Risk Management Guide for Information Technology Systems
  38. Security Accreditation Package: System Security Plan; Security Assessment Report; Plan of Action and Milestones; Appendix: Final Risk Assessment
  39. Security Accreditation Decision: Authorization To Operate (ATO); Denial of Authorization To Operate (DATO); Interim Authority To Operate (IATO) – Retired
  40. Phase 4: Continuous Monitoring
  41. NIST Special Publication 800-53A: Guide for Assessing the Security Controls in Federal Information Systems
  42. Yearly Assessment
  43. Future of FISMA
  44. NIST Special Publication 800-37 Revision 1: Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach
  45. NIST Special Publication 800-64: Security Considerations in the System Development Life Cycle
  46. System Development Life Cycle (SDLC)
  47. NIST Special Publication 800-39: Managing Risk from Information Systems: An Organizational Perspective
  48. Risk Management Framework (Security Life Cycle):
     • CATEGORIZE Information System (starting point): Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business.
     • SELECT Security Controls: Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
     • IMPLEMENT Security Controls: Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.
     • ASSESS Security Controls: Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system).
     • AUTHORIZE Information System: Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
     • MONITOR Security Controls: Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
  49. Joint Task Force Transformation Initiative: Office of the Director of National Intelligence; Department of Defense; Committee on National Security Systems; National Institute of Standards and Technology
  50. Publications:
     • NIST Special Publication 800-37 Revision 1: Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach
     • NIST Special Publication 800-53 Revision 3: Recommended Security Controls for Federal Information Systems and Organizations
     • NIST Special Publication 800-39: Managing Risk from Information Systems: An Organizational Perspective
  51. Separate National Security System Documents:
     • Security Categorization: NIST FIPS 199 → CNSS Instruction 1199
     • Security Controls: NIST SP 800-53 → CNSS Instruction 1253
     • Security Control Assessment: NIST SP 800-53A → CNSS Instruction 1253A
     • Security Authorization: NIST SP 800-37 = NIST SP 800-37
     • Continuous Monitoring: NIST SP 800-37 = NIST SP 800-37; NIST SP 800-53A → CNSS Instruction 1253A
  52. Three Phases: 1. Preparing For The Authorization; 2. Conducting The Authorization; 3. Maintaining The Authorization
  53. Continuous Monitoring: Security Content Automation Protocol
  54. Phase II:
     • Organizational Credentialing Program: credentialing organizations to provide security assessments
     • Training Initiative: Quick Start Guides, FAQs, and training class material
     • Product and Services Assurance Assessment Initiative: product-specific guidance on 800-53 controls
     • Support Tools Initiative: checklists, programs, protocols, references
     • Harmonization Initiative: ISO 27000, ISO 9000, ISO 17000
  55. Senate Bill S. 3474 (110th Congress), Federal Information Security Management Act of 2008. Sponsored by Tom Carper (D-DE) and Joseph Lieberman (I-CT). Creates CISO role; creates CISO Council; requires audits, not evaluations; DHS – annual operational evaluations.
  56. Senate Bill S. 921, United States Information and Communications Enhancement Act of 2009. Sponsored by Tom Carper (D-DE). No audits; no CISO Council.
  57. Senate Bills S. 773 & S. 778, Cybersecurity Act of 2009. Sponsored by John (Jay) Rockefeller (D-WV) and Olympia J. Snowe (R-Maine). Cyber-Katrina. S. 778: establish Office of the National Cybersecurity Advisor.
  58. NIST Resources: They have a few other documents
  59. What Else? • Bluetooth Security • Border Gateway Protocol (BGP) Security • Cell Phone Forensics • Cell Phone and PDA Security • Computer Security Log Management • Contingency Planning • DNSSEC • Electronic Mail Security • Engineering Principles for Security • Enterprise Password Management • Firewalls and Firewall Policy • General Server Security • IPsec VPNs
  60. What Else? • Implementing Cryptography • Industrial Control Systems Security (SCADA) • Information Security Handbook • Information Security Training • Integrating Forensic Techniques into Incident Response • Introduction to Computer Security • Intrusion Detection and Prevention Systems (IDPS) • Malware Incident Prevention and Handling • Managing Risk • Media Sanitization • Mobile Agent Security • Network Security Testing • PBX Vulnerability Analysis
  61. What Else? • PDA Forensics • PKI Specifications • Patch and Vulnerability Management • Performance Measurement for Information Security • Protecting the Confidentiality of Personally Identifiable Information (PII) • Radio Frequency Identification (RFID) Systems • Risk Management • SSL VPNs • Secure Web Services • Securing Public Web Servers • Security Awareness and Training • Security Configuration Checklists • Security for VOIP Systems
  62. What Else? • Security Content Automation Protocol (SCAP) • Security Controls • Security Incident Handling • Security Metrics • Security for Telecommuting and Broadband Communications • Selecting IT Security Products • Storage Encryption Technologies • System Development Life Cycle • Technical Information Security Testing and Assessment • Technical Models for IT Security • Telecommunications Security • Telework and Remote Access • Wireless Robust Security Networks
  63. Questions?
  64. Links:
     • NIST Special Publications: http://csrc.nist.gov/publications/PubsSPs.html
     • NIST FIPS Publications: http://csrc.nist.gov/publications/PubsFIPS.html
     • NIST Draft Publications: http://csrc.nist.gov/publications/PubsDrafts.html
     • NIST Interagency Reports: http://csrc.nist.gov/publications/PubsNISTIRs.html
     • NIST ITL Security Bulletins: http://csrc.nist.gov/publications/PubsITLSB.html
     • OMB Memoranda: http://www.whitehouse.gov/omb/memoranda_default/
  65. Links:
     • Security Content Automation Protocol: http://nvd.nist.gov/scap.cfm
     • Federal Desktop Core Configuration: http://nvd.nist.gov/fdcc/index.cfm
     • National Checklist Program (SP 800-70): http://checklists.nist.gov/
     • Security Technical Implementation Guides (STIGs): http://iase.disa.mil/stigs/index.html
     • NSA Security Configuration Guides: http://www.nsa.gov/ia/guidance/security_configuration_guides/index.shtml
     • The Center for Internet Security (CIS): http://www.cisecurity.org/benchmarks.html
  66. Links:
     • Assessment Cases for SP 800-53A: http://csrc.nist.gov/groups/SMA/fisma/assessment-cases-overview.html
     • Federal Computer Security Program Managers' Forum: http://csrc.nist.gov/groups/SMA/forum/index.html
     • Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
     • Federal Information Systems Security Educators' Association (FISSEA): http://csrc.nist.gov/groups/SMA/fissea/index.html
     • National Vulnerability Database: http://nvd.nist.gov/
  67. Links:
     • FISMApedia.org: http://fismapedia.org/index.php?title=Main_Page
     • Guerilla-CISO.com: http://www.guerilla-ciso.com/
     • How Is That Assurance Evidence? http://howisthatassuranceevidence.blogspot.com/
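Slides 26 through 32 name the FIPS 199, SP 800-60, FIPS 200 and SP 800-53 documents but leave the categorization arithmetic implicit. The following is an added worked example, not part of the original presentation: it applies the FIPS 199 high-water mark per security objective across the information types resident on a system, applies the LOW floor that FIPS 199 requires at the system level (an information type may be "not applicable" for confidentiality, a system may not), and then takes the FIPS 200 high-water mark across the three objectives to select the SP 800-53 baseline. The information types and their provisional impact levels are constructed for illustration and are not taken from SP 800-60.

```python
"""FIPS 199 security categorization with the high-water mark, carried through
to the FIPS 200 impact level that selects an SP 800-53 baseline.

Added worked example. The information types and their provisional impact
levels below are constructed for illustration and are not copied from
SP 800-60."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# FIPS 199 impact levels, ranked so that max() yields the high-water mark.
RANK = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its (possibly adjusted) provisional impact levels."""
    name: str
    confidentiality: Optional[str]  # None = "not applicable"; allowed only here (public information)
    integrity: str
    availability: str


def validate(it: InfoType) -> None:
    """Reject what FIPS 199 does not allow: unknown levels, or N/A on integrity/availability."""
    for obj in OBJECTIVES:
        level = getattr(it, obj)
        if level is None:
            if obj != "confidentiality":
                raise ValueError(f"{it.name}: N/A is only permitted for confidentiality")
        elif level not in RANK:
            raise ValueError(f"{it.name}: unknown impact level {level!r} for {obj}")


def high_water_mark(levels: Iterable[Optional[str]]) -> Optional[str]:
    """Highest impact level among the values, ignoring N/A; None if nothing applies."""
    applicable = [lvl for lvl in levels if lvl is not None]
    return max(applicable, key=RANK.__getitem__) if applicable else None


def categorize_system(info_types: List[InfoType]) -> Dict[str, str]:
    """System security category: per objective, the high-water mark over every
    information type resident on the system. N/A may appear on an information
    type's confidentiality but never on a system's: FIPS 199 floors each system
    objective at LOW, because the system's own processing functions need protecting."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    for it in info_types:
        validate(it)
    category: Dict[str, str] = {}
    for obj in OBJECTIVES:
        hwm = high_water_mark(getattr(it, obj) for it in info_types)
        category[obj] = hwm if hwm is not None else "LOW"
    return category


def system_impact_level(category: Dict[str, str]) -> str:
    """FIPS 200: the overall impact level is the high-water mark across the three
    objectives, and it selects the SP 800-53 low/moderate/high baseline."""
    return max(category.values(), key=RANK.__getitem__)


def format_category(category: Dict[str, str]) -> str:
    """Render in FIPS 199 notation: SC = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    return "SC = {" + ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES) + "}"


# Constructed examples (illustrative levels, not SP 800-60 values).
PUBLIC_SITE = [
    InfoType("Public web content", None, "MODERATE", "LOW"),
]
BENEFITS_SYSTEM = PUBLIC_SITE + [
    InfoType("Privacy Act records", "MODERATE", "MODERATE", "LOW"),
    InfoType("Benefits payment processing", "MODERATE", "MODERATE", "HIGH"),
]

if __name__ == "__main__":
    for label, types in (("public site", PUBLIC_SITE), ("benefits system", BENEFITS_SYSTEM)):
        cat = categorize_system(types)
        print(f"{label}: {format_category(cat)} -> {system_impact_level(cat)} baseline")
```

The second constructed system shows why the "Tailoring the Baseline" point on slide 32 matters in practice: a single HIGH availability rating on one information type pulls the whole system to the high baseline even though confidentiality and integrity are only MODERATE, so the tailoring and compensating-control steps are where the baseline is brought back in line with actual risk.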

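Slide 53 pairs continuous monitoring with the Security Content Automation Protocol. The following is an added example, not from the presentation, of what that pairing means in practice: SCAP-validated scanners emit XCCDF TestResult documents, and continuous monitoring is largely the job of reading those results between yearly assessments and acting on what changed. The code compares a baseline scan with a later scan of the same host and lists rules that regressed, rules that were remediated (candidates for closing Plan of Action and Milestones items, slide 38), and rules that are no longer producing evidence. The two XCCDF fragments and every rule identifier in them are constructed for this example and are not taken from any published benchmark, FDCC or otherwise.

```python
"""Continuous monitoring from SCAP results: compare two XCCDF TestResult
documents (a baseline scan and a later scan) and report regressions,
remediations and rules that are no longer being measured.

Added example, not from the presentation. The two XCCDF fragments and the
rule identifiers in them are constructed for this example; they are not
taken from any published benchmark (FDCC or otherwise)."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# XCCDF 1.1 namespace used by SCAP 1.0 content; XCCDF 1.2 uses .../xccdf/1.2.
NS = {"cdf": "http://checklists.nist.gov/xccdf/1.1"}

# Result values that give no evidence the control is working.
NOT_MEASURED = {"notchecked", "unknown", "error"}

# Constructed scan output: a baseline run and a later run against the same host.
BASELINE_SCAN = """<?xml version="1.0" encoding="UTF-8"?>
<cdf:TestResult xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" id="scan-2009-04-01">
  <cdf:target>host-a.example.gov</cdf:target>
  <cdf:rule-result idref="rule-password-min-length"><cdf:result>pass</cdf:result></cdf:rule-result>
  <cdf:rule-result idref="rule-account-lockout"><cdf:result>pass</cdf:result></cdf:rule-result>
  <cdf:rule-result idref="rule-audit-logon-events"><cdf:result>fail</cdf:result></cdf:rule-result>
  <cdf:rule-result idref="rule-ipv6-disabled"><cdf:result>notapplicable</cdf:result></cdf:rule-result>
</cdf:TestResult>"""

LATER_SCAN = """<?xml version="1.0" encoding="UTF-8"?>
<cdf:TestResult xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" id="scan-2009-05-01">
  <cdf:target>host-a.example.gov</cdf:target>
  <cdf:rule-result idref="rule-password-min-length"><cdf:result>pass</cdf:result></cdf:rule-result>
  <cdf:rule-result idref="rule-account-lockout"><cdf:result>fail</cdf:result></cdf:rule-result>
  <cdf:rule-result idref="rule-audit-logon-events"><cdf:result>pass</cdf:result></cdf:rule-result>
  <cdf:rule-result idref="rule-ipv6-disabled"><cdf:result>notapplicable</cdf:result></cdf:rule-result>
  <cdf:rule-result idref="rule-firewall-enabled"><cdf:result>notchecked</cdf:result></cdf:rule-result>
</cdf:TestResult>"""


def rule_results(xccdf_xml: str) -> Dict[str, str]:
    """Map each rule idref to its result string for one TestResult.
    A rule-result without a <result> child is recorded as 'unknown'."""
    root = ET.fromstring(xccdf_xml)
    results: Dict[str, str] = {}
    for rr in root.iterfind("cdf:rule-result", NS):
        node = rr.find("cdf:result", NS)
        text = (node.text or "").strip() if node is not None else ""
        results[rr.get("idref")] = text or "unknown"
    return results


def summarize(results: Dict[str, str]) -> Dict[str, int]:
    """Count of rules per result value, e.g. {'pass': 2, 'fail': 1, ...}."""
    counts: Dict[str, int] = {}
    for value in results.values():
        counts[value] = counts.get(value, 0) + 1
    return counts


def regressions(baseline: Dict[str, str], later: Dict[str, str]) -> List[str]:
    """Rules that passed in the baseline and now fail or can no longer be
    measured. A rule that silently stops being checked is a monitoring gap,
    so it is flagged alongside outright failures."""
    return sorted(
        rule for rule, old in baseline.items()
        if old == "pass" and later.get(rule, "unknown") in {"fail"} | NOT_MEASURED
    )


def remediated(baseline: Dict[str, str], later: Dict[str, str]) -> List[str]:
    """Rules that failed in the baseline and pass now (POA&M items that can be closed)."""
    return sorted(rule for rule, old in baseline.items() if old == "fail" and later.get(rule) == "pass")


def unmeasured(results: Dict[str, str]) -> List[str]:
    """Rules whose result gives no evidence either way."""
    return sorted(rule for rule, value in results.items() if value in NOT_MEASURED)


if __name__ == "__main__":
    base, now = rule_results(BASELINE_SCAN), rule_results(LATER_SCAN)
    print("later scan :", summarize(now))
    print("regressed  :", regressions(base, now))
    print("remediated :", remediated(base, now))
    print("unmeasured :", unmeasured(now))
```

Treating "notchecked" and "unknown" as regressions rather than ignoring them is deliberate: a pass count that stays flat while rules quietly drop out of the checked set is exactly the kind of change the MONITOR step on slide 48 is meant to catch.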