Organizations
DHS – The Department of Homeland Security is the major US government agency focused on cyber security. It addresses both the physical and the cyber threats to the nation.
US-CERT (United States Computer Emergency Readiness Team) – coordinates cyber information sharing and manages national cyber risks (www.us-cert.gov). It also distributes vulnerability and threat information through the National Cyber Awareness System (NCAS) and sponsors the Vulnerability Notes Database and the Common Vulnerabilities and Exposures (CVE) dictionary. US-CERT operates the National Cybersecurity Protection System (NCPS), which provides intrusion detection and prevention systems (IDPS) to federal departments and agencies.
Below is an organization chart for the Department of Homeland Security (DHS).
NIST – provides standards, guidelines, tests and metrics to protect non-national-security federal information and communications infrastructure.
FISMA
FISMA, or the Federal Information Security Management Act, was drafted in 2002 as a set of standardized guidelines government agencies could use to protect sensitive data (E-Government Act of 2002). It covers the storage and processing of government data, and the security controls that should be applied to both processes.
FISMA (through OMB Circular A-130) recommends guidance issued by NIST, such as FIPS 199, FIPS 200, and NIST SP 800-53A Revision 4 (“Recommended Security Controls for Federal Information Systems and Organizations”), for the selection and implementation of security controls based on the system impact level. Control selection, implementation, and testing are where IT professionals responsible for “FISMA compliance” perform the majority of their work, especially when compliance is essential to receiving an Authority to Operate (ATO) from a government agency.
FISMA defines three security objectives for information types and information systems:
- C – Confidentiality
  - Preserve authorized restrictions on information access, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.
- I – Integrity
  - Guard against improper information modification or destruction, including ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.
- A – Availability
  - Ensure timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or information systems.
FedRAMP
FedRAMP, or the Federal Risk and Authorization Management Program, was established in 2011 and standardizes the approach to security assessments, authorization, and cloud service provider monitoring.
FedRAMP is a result of the “Cloud First” policy and the “Security Authorization of Information Systems in Cloud Computing” memorandum, which require agencies to use FedRAMP-authorized cloud services in an effort to reduce costs and streamline the IT procurement process. This policy requires that government agencies move IT services to cloud solutions. FedRAMP has been developed as a program through which cloud service providers (CSPs) receive an independent security assessment, conducted by a third-party assessment organization (3PAO). Since these assessments are also based on NIST SP 800-53 Rev 4, FedRAMP can be thought of as “FISMA for the cloud”: it inherits the NIST baseline of controls and tailors it for cloud computing initiatives.
Both FISMA and FedRAMP draw their controls from NIST 800-53 (“Recommended Security Controls for Federal Information Systems”), but they require different sets of controls, categorized by risk impact as Low, Moderate and High. Below are the numbers of current controls in NIST 800-53. One key difference between the required controls for FISMA and FedRAMP is that FedRAMP defines required parameters linked to specific controls that a CSP must implement.
The table below lists the FIPS 200 control families and the number of controls each contributes for FISMA and FedRAMP; these per-family numbers are what was summed in the table above.
For a cloud service provider to achieve and maintain an ATO (Authority to Operate), each of the above controls must be met, specifically the FedRAMP controls. FedRAMP can be seen as a cloud provider’s version of FISMA. FISMA is the standard that government agencies and contractors must comply with, which means that if they use a cloud provider, the provider needs a similar level of compliance under FedRAMP based on the risk impact levels.
Cloud service providers pursuing FedRAMP must pass a security assessment by a third-party assessment organization (3PAO). Upon completion of this assessment the cloud provider must then complete the Joint Authorization Board Provisional Authority to Operate (JAB P-ATO) review. This review is performed by the FedRAMP Project Management Office (PMO) and the JAB. The JAB has officials from the General Services Administration (GSA), the Department of Homeland Security (DHS) and the Department of Defense (DoD).
An example of a 3PAO is Coalfire, a cybersecurity firm focusing on risk management and compliance. Coalfire recommends the following actions for firms pursuing either FISMA or FedRAMP:
- Accurate System Boundary – The system boundary includes a complete inventory of assets comprising all network components, hardware, and software/applications supporting federal operations. Boundaries should clearly state where they begin and end, including when there is a relationship with another CSP that entails stacking of cloud services.
- Complete System Security Plans – The System Security Plan (SSP) is the core document describing how security controls are implemented. Too often SSPs do not have the technical depth required. Instead, the SSP should be an encompassing document that provides detailed understanding of the security operations in-place in terms of tools, technologies, and services.
- Define Gaps – Once the system has been documented, the organization will have an understanding of which controls are not being met and can plan to remediate these findings. Ideally, the gaps can be prioritized in relation to the protected assets.
- Implement Automated Processes – There are many opportunities to create integrated and automated security processes that provide system administrators accurate, timely, and actionable information. Effective areas to automate are in detection, auditing, inventory, network scanning, and configuration modification.
NIST
The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the U.S. Department of Commerce. NIST is one of the nation’s oldest physical science laboratories. Today, NIST measurements support the smallest of technologies to the largest and most complex of human-made creations — from nanoscale devices so tiny that tens of thousands can fit on the end of a single human hair up to earthquake-resistant skyscrapers and global communication networks.
Its mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. Its vision is to be the world’s leader in creating critical measurement solutions and promoting equitable standards.
Examples of common NIST standards followed by enterprise IT:
- SP 800-34 – Contingency Planning Guide for Federal Information Systems
  - This publication assists organizations in understanding the purpose, process, and format of information system contingency planning development through practical, real-world guidelines. It provides background information on the interrelationships between information system contingency planning and other types of security and emergency management-related contingency plans, organizational resiliency, and the system development life cycle.
- SP 800-37 – Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
  - This publication describes the Risk Management Framework (RMF) and provides guidelines for applying the RMF to information systems and organizations. The RMF provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. This is a type of Information System Security Plan (ISSP), which requires an Authority to Operate (ATO) from an Authorizing Official (AO).
- SP 800-39 – Managing Information Security Risk: Organization, Mission, and Information System View
  - The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems. Special Publication 800-39 provides a structured yet flexible approach for managing information security risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.
- SP 800-53 – Security and Privacy Controls for Information Systems and Organizations
  - This publication provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks. Essentially it describes the role of an organization’s cybersecurity, information security and computer security programs.
- Risk Management Framework (RMF) – The Risk Management Framework provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. The risk-based approach to control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. Managing organizational risk is paramount to effective information security and privacy programs; the RMF approach can be applied to new and legacy systems, any type of system or technology (e.g., IoT, control systems), and within any type of organization regardless of size or sector.
  - Risk management incorporates a thorough analysis of threats and vulnerabilities, and considers the mitigations provided by security controls planned and in place.
  - Risk is a function of the probability of a given threat source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.
  - Risk assessment is a process in which a quantitative or qualitative value of risk is determined as it relates to a given situation and a recognized threat. Assessing risk requires estimating two components of risk: the magnitude of the potential loss, and the probability that the loss will occur.
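As an added worked example (not code from these notes or from NIST), the following Python applies the three security objectives listed under FISMA above and the FIPS 199 high-water-mark rule to categorize a system, picks the matching Low/Moderate/High control baseline, and folds the "risk is a function of probability and impact" idea from the RMF bullets into a qualitative risk score. The high-water-mark rule (the system takes the highest impact level among its information types, per objective and overall) is FIPS 199's own; the hypothetical payroll system, its information types, and the 3x3 likelihood-by-impact matrix are constructed for illustration and are not tables from FIPS 199 or SP 800-30.

```python
"""FIPS 199 security categorization (high-water mark) plus a qualitative risk score.

Added example for these notes. The high-water-mark rule is FIPS 199's; the
sample system and the 3x3 risk matrix below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable

# FIPS 199 potential impact levels, ordered so max() yields the high-water mark.
LEVELS: Dict[str, int] = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its impact level per security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _check_level(level: str) -> str:
    """Normalize and validate an impact level; reject anything outside FIPS 199's three."""
    level = level.lower()
    if level not in LEVELS:
        raise ValueError(f"impact level must be one of {sorted(LEVELS)}, got {level!r}")
    return level


def categorize_system(info_types: Iterable[InfoType]) -> Dict[str, str]:
    """Apply the FIPS 199 high-water mark.

    For each objective the system inherits the highest impact level among the
    information types it stores or processes; the overall category (which
    selects the SP 800-53 baseline) is the highest of the three objectives.
    """
    types = list(info_types)
    if not types:
        raise ValueError("a system must have at least one information type")
    category: Dict[str, str] = {}
    for objective in OBJECTIVES:
        levels = (_check_level(getattr(t, objective)) for t in types)
        category[objective] = max(levels, key=LEVELS.__getitem__)
    category["overall"] = max((category[o] for o in OBJECTIVES), key=LEVELS.__getitem__)
    return category


def select_baseline(category: Dict[str, str]) -> str:
    """The control baseline an ATO package starts from is the overall category."""
    return category["overall"]


def risk_level(likelihood: str, impact: str) -> str:
    """Qualitative risk as a function of likelihood and impact.

    Constructed 3x3 matrix (an assumption, not an SP 800-30 table): the product
    of the two ordinal values is bucketed into low (1-2), moderate (3-4), high (6-9).
    """
    score = LEVELS[_check_level(likelihood)] * LEVELS[_check_level(impact)]
    if score <= 2:
        return "low"
    if score <= 4:
        return "moderate"
    return "high"


# Constructed sample: information types of a hypothetical payroll system.
SAMPLE_SYSTEM = [
    InfoType("employee PII", "moderate", "moderate", "low"),
    InfoType("public web content", "low", "moderate", "low"),
    InfoType("payroll processing", "moderate", "high", "moderate"),
]


if __name__ == "__main__":
    cat = categorize_system(SAMPLE_SYSTEM)
    print("FIPS 199 category:", cat)          # overall high, driven by integrity
    print("SP 800-53 baseline:", select_baseline(cat))
    print("risk (likelihood low, impact high):", risk_level("low", "high"))
```

The point worth noticing is that a single high-impact integrity requirement (payroll processing) drags the whole system to the High baseline even though most of its data is Moderate or Low; that is exactly why Coalfire's advice on an accurate system boundary matters, since every information type inside the boundary participates in the high-water mark.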
FIPS / SP
Federal Information Processing Standards and NIST Special Publication
NIST develops Federal Information Processing Standards (FIPS) in accordance with FISMA. The Secretary of Commerce approves FIPS, with which federal agencies must comply – federal agencies may not waive the use of the standards. NIST also provides guidance documents and recommendations through its Special Publications (SP) 800 series. Office of Management and Budget (OMB) policies require that agencies comply with NIST guidance, except for national security programs and systems.
Below are some common cyber security standards published as FIPS:
- FIPS 140 covers cryptographic module and testing requirements in both hardware and software.
- FIPS 180 (Secure Hash Standard) specifies the secure hash algorithms used to compute a condensed representation of a message.
- FIPS 186 (Digital Signature Standard) specifies a group of algorithms for generating a digital signature.
- FIPS 197 is the standard that established the Advanced Encryption Standard, a publicly accessible cipher approved by the National Security Agency (NSA) for top secret information.
- FIPS 198 specifies a keyed-hash mechanism for message authentication that uses cryptographic hash functions.
- FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems) standardizes how federal agencies categorize and secure the information and information systems the agency collects or maintains.
- FIPS 200 (Minimum Security Requirements for Federal Information and Information Systems) helps federal agencies with risk management through levels of information security based on risk levels.
- FIPS 201 specifies the standard for common identification of federal employees and contractors.
- FIPS 202 gives the specifications for the Secure Hash Algorithm-3 (SHA-3) family of four cryptographic hash functions and two extendable-output functions.
Below are some common Special Publications (SP):
- SP 800-37: Guide to Applying the Risk Management Framework (RMF) to Federal Information Systems: A Security Life Cycle Approach
- SP 800-39: Managing Information Security Risk
- SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
- SP 800-53A: Guide for Assessing the Security Controls in Federal Information Systems and Organizations
- SP 800-59: Guideline for Identifying an Information System as a National Security System
- SP 800-60: Guide for Mapping Types of Information and Information Systems to Security Categories
- SP 800-137: Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
FIPS 200 specifies minimum security requirements and a risk-based process (for Low, Moderate or High impact systems) for selecting the security controls necessary to satisfy them. There are currently 17 Security Control Families plus the Program Management (PM) family:
- AC – Access Control
- AT – Awareness and Training
- AU – Audit and Accountability
- CA – Certification, Accreditation and Security Assessments
- CM – Configuration Management
- IA – Identification and Authentication
- IR – Incident Response
- MA – Maintenance
- MP – Media Protection
- PE – Physical and Environmental Protection
- PL – Planning
- PS – Personnel Security
- RA – Risk Assessment
- SA – System and Services Acquisition
- SC – System and Communications Protection
- SI – System and Information Integrity
- PM – Program Management
Note that each of the above control families has security controls within it. For example, the AC control family has 15 sub-controls (AC-1 to AC-15). Each of these sub-controls is assigned to baselines (low, moderate, high).
SP 800-53 is the fundamental reference document for security controls across the Government. It is the basis for FedRAMP and for National Security Systems (DoD). It provides a comprehensive set of security controls with baselines (low, moderate, high) and guidance for tailoring the appropriate baseline to organization-specific needs.
Risk Management Framework Overview
The below diagram shows the RMF life cycle.
POAM (Plan of Actions and Milestones)
A POA&M is a document that reports security findings for a system that is not compliant with FISMA/FedRAMP standards, or findings considered vulnerabilities of the system. These findings can arise during annual assessments, continuous monitoring, or any security control assessment. The POA&M identifies:
- Tasks needing to be accomplished
- Resources required to accomplish the plan
- Milestones that need to be met for the tasks
- Schedule of completion dates for the milestones
Key NIST documents:
- 800-37 “Guide for the Security Certification and Accreditation of Federal Information Systems”
- 800-39 “Managing Risk from Information Systems – An Organizational Perspective”
- 800-30 “Risk Management Guide for Information Technology Systems”
References
https://www.ftptoday.com/blog/fedramp-vs-fisma-similarities-and-differences
https://coalfire.com
https://digitalguardian.com/blog/what-nist-compliance
https://www.fedramp.gov/developing-a-plan-of-actions-milestones/