FISMA Compliance Handbook
356 pages, 2013, English

CHAPTER 1
FISMA Compliance Overview

The law cannot be enforced when everyone is an offender.
—Chinese Proverb

TOPICS IN THIS CHAPTER
• Terminology
• Processes and paperwork
• Templates streamline the process
• Oversight and governance
• Supporting government security regulations

INTRODUCTION

The Federal Information Security Management Act (FISMA) is the most important cybersecurity law affecting U.S. federal agencies. No other cybersecurity law creates as much oversight, audit, and scrutiny as FISMA, at least as far as federal departments and agencies are concerned.

FISMA, also known as Title III of the E-Government Act (Public Law 107-347), requires that all systems and applications that reside on U.S. government networks undergo a formal security assessment before being put into production. System authorization is the ultimate output of a FISMA compliance project, and a system or application cannot be authorized unless it meets specific security control requirements. However, keep in mind that no system can be completely secure unless it is powered off and locked in a vault, and then it is not very usable. Determining the security controls for the system is a balancing act between making the system usable and making the system secure. These two endeavors are often at odds with each other. To find the balance, security experts analyze the probability and impact of vulnerabilities being exploited (or not) and then make risk-based decisions based on that analysis. Clearly, the goal of FISMA is to force federal agencies to put secure systems and applications into production and then to analyze risk periodically, all for the purpose of making risk-based decisions.

Before FISMA came along, implementing security controls on U.S. government networks was optional. Some agencies did a good job and others didn't.
Today, implementing security controls, looking for vulnerabilities, and performing security assessments are no longer optional. All federal agencies and departments work on FISMA compliance projects for all of their systems as a routine part of their information security agenda. New applications and systems require a security assessment and authorization before they can be put into production, and systems that have already been authorized to operate must be reassessed and reauthorized every 3 years.

An additional requirement of FISMA is that federal departments and agencies develop and implement an agency-wide Information Security Program. The agency Information Security Program should be described in a document known as an Information Security Program Plan. I'll talk more about what goes into an Information Security Program Plan in Chapter 5.

Though U.S. federal departments and agencies have no choice but to comply with FISMA, private sector organizations can optionally take advantage of FISMA compliance methodologies to help mitigate risks on their own information systems and networks. About 90% of the nation's critical infrastructure is on private networks that are not part of any U.S. federal department or agency. The nation's critical infrastructure includes the information technology systems that run electrical systems, chemical systems, nuclear power plants, transportation systems, telecommunication systems, banking and financial systems, and agricultural, food, and water supply systems, to name only a few.
The FISMA compliance methodologies described in this book can be adopted and used not just by federal agencies but by the private sector as well. Though federal departments and agencies seem to get repeated criticisms belittling their security initiatives, it's my experience and belief that the criticisms are somewhat exaggerated and that their security conscientiousness far exceeds that of private industry. Any enterprise organization can adopt the FISMA compliance methodologies explained in this book. A special license is not required, and no special tools are required to make use of the model; it is simply a way of doing things related to information security.

The FISMA compliance process culminates with a very comprehensive and standardized security assessment. Essentially, the security assessment is an audit. Having worked in both private industry and on government networks, my experience shows that, contrary to what you read in the news, most private and public companies do not put nearly as much time, effort, and resources into implementing security controls as government agencies do. Except for security incidents involving personally identifiable information, there are few federal laws that require companies to disclose security incidents. The percentage of those security incidents that are disclosed is very small. Many organizations purposefully do not report incidents to avoid bad press.

To demonstrate FISMA compliance, descriptions of security control implementations, policies, procedures, and risks are explained formally in a collection of documents known as a Security Package. The Security Package includes details of a review and analysis of all the hardware and software components of the system, as well as the data center, or location, where the system resides. In some cases, a system may span multiple geographic locations and may consist of numerous connections from one or multiple data centers to other data centers that are either part of the system or are owned by other entities.
A system's Security Package demonstrates that due diligence in mitigating risks and maintaining appropriate security controls has occurred.

TERMINOLOGY

Since the first edition of this book, FISMA terminology has changed somewhat. Originally, the process by which agencies complied with FISMA was known as Certification and Accreditation (C&A). Those terms were originally coined by someone at the National Security Agency and were gradually adopted by the Department of Defense, the National Institute of Standards and Technology (NIST), and all the civilian federal agencies. A Security Package was originally referred to as a C&A Package. In the first edition of this book, I said that the term "Certification" can be confusing because the system does not really get "Certified" by anyone for anything. I also said that a more apropos name might have been a "Security Package." As luck would have it, in the newly revised version of NIST 800-37 (Revision 1) [1], the terms Certification and Accreditation were dropped and NIST changed the terminology of the suite of security documents from a C&A Package to a Security Package.

The original version of NIST 800-37 was titled Guide for the Security Certification and Accreditation of Federal Information Systems. Revision 1 of Special Publication 800-37 is titled Guide for Applying the Risk Management Framework to Federal Information Systems. However, old traditions die hard and government agencies are slow to change. Therefore, many federal departments and agencies still use the terms "Certification" and "Accreditation" or "C&A" when referring to their FISMA compliance process. If you're going to be working on FISMA compliance, it will help you to understand the meaning of these original terms, even if they have fallen out of fashion. As of this writing, many federal agencies still use these terms, even though current standards have abandoned them.
The original version of NIST Special Publication 800-37 [2] defined Certification as:

    A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Experts among us don't always agree on the definition of a particular term, and government agencies are no different. In June 2006, the Committee on National Security Systems, chaired by the Department of Defense, defined Certification in the National Information Assurance Glossary [3] as:

    A comprehensive evaluation of the technical and nontechnical security safeguards of an IS to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements.

The definitions are similar enough, and if you're going to be working in this industry, you'll hear both terms sooner or later. From a legal standpoint, the term Certification means attesting to the truth about something. You may at some point in your life need to sign a document that says something like "I certify that this, that, and the other thing are true." You could be held liable for any falsifications made if you certify something. The idea behind certifying a set of information security documents is that you're attesting to the fact that they are accurate.

Accreditation refers to the positive evaluation made on the Certification and Accreditation Package by an evaluation team. The original version of NIST Special Publication 800-37 referred to accreditation as:

    The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.
And the National Information Assurance Glossary referred to accreditation as a:

    Formal declaration by a Designated Accrediting Authority (DAA) that an IS is approved to operate at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards.

An accreditation is a statement about a decision. As far as FISMA goes, before a system is deemed FISMA compliant, a decision is made by an oversight team after reviewing a suite of documents containing information about the system and its risk exposure. The oversight team may be referred to by different names in different agencies. You should think of the oversight team as specialized information security auditors; these days, they are most commonly referred to as independent assessors. Since the most current version of NIST Special Publication 800-37 refers to these folks as independent assessors, that is the term that I will be using in this book.

Each agency has its own independent assessors to evaluate the various Security Packages within the agency. The independent assessors review the system's security controls, interview the system owner and team members, and create a Security Assessment Report that describes the vulnerabilities, threats, and risks. Once a Security Package has been evaluated, the independent assessors provide recommendations, based on their findings, to the Authorizing Official (AO) and to the Senior Agency Information Security Officer (SAISO), a role also referred to as the Chief Information Security Officer (CISO). The AO, a senior agency official, then makes a risk-based decision on whether to issue an Authority to Operate (ATO) for the system. A positive authorization indicates that a senior agency official has formally made the decision that the documented risks to the agency, its assets, and individuals are acceptable.
Senior agency officials employ large teams of information assurance oversight staff who go over the Security Packages with fine-toothed combs. Authorization does not come lightly and occurs only after each Security Package has undergone a scrupulous review. By authorizing an information system, the senior agency official agrees to take responsibility for the accuracy of the information in the Security Package and consents to be held accountable for any security incidents that may arise related to the system.

Much of the terminology that federal agencies use in their FISMA compliance programs comes from the Office of Management and Budget (OMB) Circular A-130, Appendix III (listed in Appendix B). The OMB was created in 1970, essentially replacing the Bureau of the Budget, and is part of the Executive Office of the President of the United States. Aside from assisting the president with the budget, the OMB's mission is also to create and oversee information and regulatory policies. The fact that the OMB plays a significant regulatory role in FISMA compliance shows just how important information security has become to our national infrastructure. It also means that FISMA compliance initiatives will have a budget and are clearly a priority to the Executive Office of the President of the United States, and that's a good thing.

PROCESSES AND PAPERWORK

Federal agencies typically use a standardized process for FISMA compliance. Each agency decides what its standardized security process consists of and documents it. The different U.S. federal departments and agencies develop their own unique standardized process based on standards and guidance from one of the following organizations:

• the National Institute of Standards and Technology (NIST)
• the National Security Agency (NSA)
• the Committee on National Security Systems (CNSS)
• the Department of Defense (DoD).
Federal agencies create multiple documents related to the security of the system to serve as evidence of compliance. This book will help you learn how to develop the various documents and artifacts required for FISMA compliance. The amount of security documentation that you will find in one Security Package is extensive, and these tomes of documents needed to prove compliance with FISMA have received much criticism from some industry experts. Unfortunately, today, showing evidence of compliance on paper is really the only way that compliance can be verified.

While some aspects of compliance can be automated, today there are no solutions available to fully automate the continuous monitoring of an entire system. The futuristic goal of automated compliance aside, many security experts fail to realize the value that the Security Package offers aside from compliance. Most large, complex engineering feats require that the details of the design and operations be written down, and there are many reasons for doing so. First, complex systems need to be managed, and it's hard to know what you're managing if you don't have reference documents that spell out the details. No one would ever expect anyone to be able to manage all of the intricacies of the Hoover Dam without all of the requisite operation documents. Boeing would never deliver an F-15E Strike Eagle to the U.S. Air Force without any reference documents on how to perform maintenance. How would you feel if our nuclear power plants were being operated without any manuals? Even if a Chief Information Security Officer (CISO) is briefed on how a system and network is architected, it is not possible for any CISO to simply hear all the details once and then remember them.

We write things down when there is too much information to remember. In the 1800s, a German psychologist, Hermann Ebbinghaus, performed some important studies on the limitations of human memory.
In the 1880s, Ebbinghaus researched the retention of learning and developed a curve of forgetting. Measuring his own recall of memorized material, he showed empirically that retention falls to less than half within an hour, to about one-third after a day, and to roughly 28% after 2 days. If any of us tried to memorize all of the intricacies of an enterprise information system, we would fail miserably. For that reason, the thousands of details about how enterprise information systems are built and configured need to be written down. People who manage complex systems perform better when they have reference documents. Trying to manage complex enterprise systems and networks without reference documents is a roadmap to failure. People involved in FISMA compliance projects should understand that developing the suite of documents that are required for the Security Package is not just a compliance exercise. The Security Package documents should be considered living documents, and CISOs (also referred to as Senior Agency Information Security Officers, or SAISOs) count on using these documents to help manage the security of the system they describe.

TEMPLATES STREAMLINE THE PROCESS

To create some order out of the paperwork challenge, most agencies now have templates that they use for all the different types of documents that go into the Security Package. Templates ensure that all the different types of documents that go into the Security Packages have the same look and feel. Using templates is a way of standardizing the documentation to create recurring best practices and enable efficiencies. A good template helps to ensure that all key information is included in the document. Well-written templates also assist oversight teams in finding the information that they are looking for because they will know exactly in which section of the document to expect it.
The amount of information that is required in any one Security Package is so great that if each Security Package had a different format, it would be nearly impossible for assessors to evaluate the package. When independent assessors evaluate a Security Package, they want to know where to look to find key information, and they don't want to have to hunt for it. I have seen Security Packages receive negative findings not because the right information wasn't in the Security Package, but because the right information was not where it was supposed to be.

In spite of the criticisms of the voluminous documentation required for FISMA, it would be a mistake to get rid of it all.

FISMA OVERSIGHT AND GOVERNANCE

A goal for any agency is to make sure that all Security Packages are properly evaluated and that all production systems have ATOs. Each agency is audited annually by an Inspector General (IG), and most agencies have a dedicated Office of Inspector General (OIG). Inspectors come on site annually and review agency Information Security Programs and the various systems that come under the purview of the program. They look to see if all systems have ATOs, and they also look to see if vulnerabilities that were previously reported are being mitigated. You can go to any agency Web site and find out various information about the Office of Inspector General by putting "OIG" into the search box on the agency home page. Here are some agency OIG sites that you can browse through:

U.S. Treasury Office of Inspector General
http://www.treasury.gov/about/organizational-structure/ig/Pages/default.aspx

U.S. Department of Justice Office of Inspector General
http://www.justice.gov/oig/

U.S. Department of Agriculture Office of Inspector General
http://www.usda.gov/oig/

Inspectors General ensure that compliance takes place, and they produce compliance reports on FISMA for each agency every year. Here are some FISMA compliance reports produced by Inspectors General that you can take a look at:

U.S. General Services Administration FY 2012 FISMA Audit
http://www.gsaig.gov/?LinkServID=51BAE9CB-F490-F070-EA662E16B12CB00A&showMeta=0

U.S. Department of Veterans Affairs FY 2012 FISMA Audit
http://www.va.gov/oig/pubs/VAOIG-11-00320-138.pdf

U.S. Department of Transportation FY 2012 FISMA Audit
http://www.oig.dot.gov/sites/dot/files/FISMA%2011-14-2011.pdf

The Department of Homeland Security (DHS) keeps track of FISMA metrics for all U.S. federal departments and agencies. DHS tracks whether or not agencies are improving their cybersecurity posture and decreasing vulnerabilities, and then reports the statistics to Congress. Agency CIOs, CISOs, and SAISOs naturally want the reports on their agency to be favorable.

Additionally, the U.S. Government Accountability Office (GAO) also reports on FISMA periodically to Congress. The GAO reports reflect how effective agency security practices are and how effective agencies are at implementing security controls. A current GAO report on FISMA that you can browse through is located here: http://www.gao.gov/assets/590/585570.pdf.
SUPPORTING GOVERNMENT SECURITY REGULATIONS

Though FISMA is the overriding law that necessitates system risk assessment, there are other laws, regulations, and national policies that provide secondary authority. The secondary laws, regulations, and policies that support FISMA initiatives include:

• The Clinger-Cohen Act of 1996 (formerly known as the Information Technology Management Reform Act)
• Homeland Security Presidential Directive 7 (HSPD-7)
• The Government Management Reform Act (GMRA) of 1994
• The Government Performance and Results Act (GPRA) of 1993
• Critical Infrastructure Protection Act of 2001
• Homeland Security Act of 2002 (Public Law 107-296)
• Homeland Security Presidential Directive 12 (HSPD-12)
• OMB Circular A-123, Management Accountability and Control
• OMB Circular A-130, Management of Federal Information Resources
• Executive Order 13130 of July 14, 1999, National Infrastructure Assurance Council
• The Computer Security Act of 1987
• The Computer Fraud and Abuse Act of 1986
• The Computer Abuse Amendments Act of 1990
• Executive Order 12958 of April 17, 1995, Classified National Security Information
• The E-Government Act of 2002
• The Privacy Act of 1974
• Executive Order 10865 of February 20, 1960, Safeguarding Classified Information Within Industry
SUMMARY

In the first edition of this book, I forecasted that in the future the importance of FISMA would increase, and that has turned out to be true. Inspectors come down tougher on agencies that don't comply with the law. Congress has introduced bills to amend, modify, and change FISMA more times than I can count. Many lawmakers in Congress seem determined to get their name on a cybersecurity law. However, none of the bills introduced to change FISMA have ever been passed. As of this writing, there is no such thing as "FISMA 2.0," even though you may see references to that in trade rags. The original text of the FISMA law has never been changed. It still exists in its original incarnation.

The current trend is that security incidents continue to wreak havoc on federal information systems and private sector information systems. Breaches in security on both government information systems and those maintained by the private sector create millions of dollars in losses and also threaten the national security of our country, and everyone in it. In 2011, 107,655 security incidents were reported to US-CERT, and within those incidents, 43,889 occurred at U.S. federal agencies [4]. Threats are becoming more sophisticated, and terrorists continue to use high technology to threaten not just data and our infrastructure but, worse yet, human lives. With security incidents at federal agencies on the rise, securing government systems becomes more important every day.

References
[1] Joint Task Force Transformation Initiative. NIST Special Publication 800-37, Revision 1. Guide for applying the risk management framework to federal information systems. National Institute of Standards and Technology; February 2010.
[2] Ron Ross, Marianne Swanson, Gary Stoneburner, Stuart Katzke, Arnold Johnson. NIST Special Publication 800-37. Guide for the security certification and accreditation of federal information systems. National Institute of Standards and Technology; May 2004.
[3] National Information Assurance Glossary. CNSS Instruction No. 4009, http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf; revised June 2006.
[4] Fiscal Year 2011 Report to Congress on the implementation of the Federal Information Security Management Act of 2002; March 7, 2012.

CHAPTER 2
FISMA Trickles into the Private Sector

I'll lie here in the gutter, and you'll trickle down on me, right?
—Bill Murray on Saturday Night Live

TOPICS IN THIS CHAPTER
• Introduction and authorities
• Inspector General reports
• What should NGOs do regarding FISMA?
• FISMA compliance tools

INTRODUCTION AND AUTHORITIES

It has been over 10 years since FISMA was first passed. In the beginning, it was all federal agencies could do to put compliance processes in place internally. However, to be sure, Congress always intended for private companies who have contracts with the government to comply with FISMA. The word "contractor" is used nine times in the text of FISMA. Section 3543 says:

    The Director shall oversee agency information security policies and practices, including requiring agencies, consistent with the standards promulgated under such section 11331 and the requirements of this subchapter, to identify and provide information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of ... information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.

A little bit further in the text of FISMA, Section 3544(a)(1)(A)(ii) describes federal agency security responsibilities as including "information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency."

In the early years, agencies were somewhat lax on enforcing FISMA compliance with their managed service providers. However, that phenomenon has changed. Government contract officers are now educated in what sort of contract clauses to insert into contracts with service providers. The U.S. Department of Health and
