[ISN] ITL Bulletin for March 2004

From: InfoSec News (isn@private)
Date: Thu Mar 25 2004 - 02:44:27 PST

  • Next message: InfoSec News: "[ISN] Windows & .NET Magazine Security UPDATE--Help Shape This Newsletter--March 24, 2004"

    Forwarded from: Elizabeth Lennon <elizabeth.lennon@private>
    
    ITL Bulletin, March 2004
    
    FEDERAL INFORMATION PROCESSING STANDARD (FIPS) 199, 
    STANDARDS FOR SECURITY CATEGORIZATION OF FEDERAL 
    INFORMATION AND INFORMATION SYSTEMS
    
    Shirley Radack, Editor
    Computer Security Division
    Information Technology Laboratory
    National Institute of Standards and Technology
    Technology Administration
    U.S. Department of Commerce
    
    A new Federal Information Processing Standard (FIPS), recently
    approved by the Secretary of Commerce, will help federal agencies
    protect the information and information systems that support their
    operations and assets. FIPS 199, Standards for Security Categorization
    of Federal Information and Information Systems, is an important
    component of a suite of standards and guidelines that NIST is
    developing to improve the security in federal information systems,
    including those systems that are part of the nation's critical
    infrastructure. (See listing of these planned publications at the end
    of this bulletin.)
    
    FIPS 199 will enable agencies to meet the requirements of the Federal
    Information Security Management Act (FISMA) and improve the security
    of federal information systems. The security standard will also make
    it possible for federal agencies to establish priorities for
    protecting their information systems, ranging from very sensitive,
    mission-critical operations to lower-priority systems performing less
    critical operations.  Background information on NIST's efforts to
    provide the security standards, guidelines, and technical tools for
    implementing FISMA is available at:  
    http://csrc.nist.gov/sec-cert/ca-background.html.
    
    FIPS 199 was approved after an open public review and comment process
    that included notices published in the Federal Register and posted on
    the NIST website. Comments and recommendations were received from more
    than thirty individuals and groups. The new FIPS 199 is available
    electronically at: http://csrc.nist.gov/publications/fips.
    
    Applicability of FIPS 199
    FIPS 199 is effective immediately and applies to:
    
    All information within the federal government other than that
    information that has been determined pursuant to Executive Order
    12958, as amended by Executive Order 13292, or any predecessor order,
    or by the Atomic Energy Act of 1954, as amended, to require protection
    against unauthorized disclosure and is marked to indicate its
    classified status; and
    
    All federal information systems other than those information systems
    designated as national security systems as defined in 44 United States
    Code Section 3542(b)(2).
    
    Why Security Categorization Standards Are Needed
    
    FISMA, Title III of the E-Government Act of 2002 (Public Law 107-347),
    was passed by the one hundred and seventh Congress and signed into law
    by the President in December 2002. This legislation recognizes the
    importance of information security to the economic and national
    security interests of the United States, and tasked NIST with
    responsibilities for standards and guidelines, including the
    development of:
    
    * Standards to be used by all federal agencies to categorize all
    information and information systems collected or maintained by or on
    behalf of each agency based on the objectives of providing appropriate
    levels of information security according to a range of risk levels;
    
    * Guidelines recommending the types of information and information
    systems to be included in each category; and
    
    * Minimum information security requirements (i.e., management,
    operational, and technical controls) for information and information
    systems in each such category.
    
    By providing a common framework and method for categorizing
    information and information systems, FIPS 199 responds to the first
    task assigned to NIST. Use of this standard will enable agencies to
    identify and prioritize their most important information and
    information systems by defining the maximum impact a breach in
    confidentiality, integrity, or availability could have on the agency's
    operations, assets, and/or individuals.
    
    A FIPS 199 security categorization serves as the starting point for
    the selection of security controls for an agency's information
    system-controls that are commensurate with the importance of the
    information and information system to the agency. Additional NIST
    guidance will instruct agencies how to use FIPS 199 to select minimum
    security controls for an information system and subsequently assess
    the controls to determine the extent to which the controls are
    implemented correctly, operating as intended, and producing the
    desired outcome with respect to meeting the security requirements of
    the system. The standard also promotes more effective management,
    oversight, and expenditure of agency information security resources
    and more consistent reporting on the agency's security accomplishments
    to the Office of Management and Budget (OMB) and to the Congress.
    Future NIST standards and guidelines will focus on the second and
    third tasks above.
    
    A Risk-Based Approach
    
    FISMA and earlier legislation, the Information Technology Management
    Reform Act of 1996 (Clinger-Cohen Act), provide for a risk-based
    approach to information security.  OMB provides guidance in its
    Circular A-130, Appendix III, on carrying out the risk-based approach
    and requires agencies to:
    
    * Plan for adequate security of each information systems as 
      part of the agency management and planning processes,
    
    * Ensure that appropriate officials are assigned 
      responsibilities for security,
    
    * Periodically review the security controls in their 
      information systems, and
    
    * Authorize system processing prior to operations, and 
      periodically thereafter.
    
    The objective is to conduct agency operations and accomplish agency
    missions with adequate security or security commensurate with risk,
    considering threats, vulnerabilities, value of the information system
    or application, and the effectiveness of current or proposed security
    controls. The risk-based approach should be applied throughout the
    System Development Life Cycle (SDLC).
    
    Security Objectives, Impact Levels, and Security Categorization
    
    FIPS 199 is predicated on a simple and well-established
    concept-determining appropriate priorities for agency information
    systems and subsequently applying appropriate measures to adequately
    protect those systems. The security controls applied to a particular
    information system should be commensurate with the system's
    criticality and sensitivity. FIPS 199 assigns this level of
    criticality and sensitivity, called security categorization, to
    information and information systems based on potential impact on
    agency operations (mission, functions, image, or reputation), agency
    assets, or individuals should there be a breach in security due to the
    loss of confidentiality (i.e., unauthorized disclosure of
    information), integrity (i.e., unauthorized modification of
    information), or availability (i.e., denial of service).
    
    In FIPS 199, confidentiality, integrity, and availability are defined
    as security objectives for information and information systems:
    
    * Confidentiality: "Preserving authorized restrictions on information
    access and disclosure, including means for protecting personal privacy
    and proprietary information..."  A loss of confidentiality is the
    unauthorized disclosure of information.
    
    * Integrity:  "Guarding against improper information modification or
    destruction, and includes ensuring information non-repudiation and
    authenticity..." A loss of integrity is the unauthorized modification
    or destruction of information.
    
    * Availability:  "Ensuring timely and reliable access to and use of
    information..." A loss of availability is the disruption of access to
    or use of information or an information system.
    
    For each type of information that is processed, stored, or transmitted
    by an information system and for the information system itself, FIPS
    199 requires assigning a security category to the information and
    information system. The security category consists of an impact level
    for each of the three security objectives of confidentiality,
    integrity, and availability. An impact level of low (L), moderate (M),
    or high (H) represents the impact on agency operations (including
    mission, functions, image, or reputation), agency assets, or
    individuals should there be a breach in security in the respective
    security objective areas (i.e., for each security objective area, the
    impact level could be L, M, or H). The assignment of security
    categories must take place within the context of each organization and
    the overall national interest.
    
    Impact levels are defined in FIPS 199 as follows:
    
    The potential impact is low if the loss of confidentiality, integrity,
    or availability could be expected to have a limited adverse effect on
    organizational operations, organizational assets, or individuals. A
    limited adverse effect could mean that the loss of confidentiality,
    integrity, or availability might:
    
    * Cause a degradation in mission capability to an extent and duration
    that the organization is able to perform its primary functions, but
    the effectiveness of the functions is noticeably reduced;
    
    * Result in minor damage to organizational assets, minor financial
    loss, or minor harm to individuals.
    
    The potential impact is moderate if the loss of confidentiality,
    integrity, or availability could be expected to have a serious adverse
    effect on organizational operations, organizational assets, or
    individuals. A serious adverse effect could mean that the loss of
    confidentiality, integrity, or availability might: * Cause a
    significant degradation in mission capability to an extent and
    duration that the organization is able to perform its primary
    functions, but the effectiveness of the functions is significantly
    reduced; * Result in significant damage to organizational assets,
    significant financial loss, or significant harm to individuals, but
    not loss of life or serious life threatening injuries.
    
    The potential impact is high if the loss of confidentiality,
    integrity, or availability could be expected to have a severe or
    catastrophic adverse effect on organizational operations,
    organizational assets, or individuals. A severe or catastrophic
    adverse effect could mean that the loss of confidentiality, integrity,
    or availability might:
    
    * Cause a severe degradation in or loss of mission capability to an
    extent and duration that the organization is not able to perform one
    or more of its primary functions;
    
    * Result in major damage to organizational assets, major financial
    loss, or severe or catastrophic harm to individuals involving loss of
    life or serious life threatening injuries.
    
    Security Categorization Applied to Information Types and Information
    Systems
    
    The security category of an information type that is processed,
    stored, or transmitted by an information system can be associated with
    both user information and system information, and can be applicable to
    information in either electronic or non-electronic form. System
    information such as network routing tables, password files, and
    cryptographic key management information must always be protected at a
    level that is appropriate for the most critical or sensitive user
    information.
    
    In establishing the appropriate security category of an information
    type, organizations should determine the potential impact for each
    security objective associated with the particular information type.
    For example, an organization might determine that there is low
    potential impact from a loss of confidentiality of its public
    information, that there is a moderate potential impact from a loss of
    integrity, and that there is a moderate potential impact from a loss
    of availability. FIPS 199 provides examples of how to determine and to
    express the security categories of information types.
    
    In establishing the appropriate security category of an information
    system, organizations should consider the security categories of all
    information types that are processed, stored, or transmitted on the
    information system. For a system, the potential impact values assigned
    to the respective security objectives of confidentiality, integrity,
    and availability should be the highest values from among those
    security categories that have been determined for each type of
    information processed. For example, an organization might determine
    the security category for sensitive contract information in a system
    used for acquisitions is moderate (for confidentiality), moderate (for
    integrity), and low (for availability). The organization might also
    determine that security category for routine administrative
    information processed on the same system is low (for confidentiality),
    low (for integrity), and low (for availability). The security category
    for the information system should be expressed in terms of the maximum
    potential impact values for each security objective from the various
    information types resident on the acquisition system.  In this
    example, the system's security category would be moderate (for
    confidentiality), moderate (for integrity), and low (for
    availability).
    
    System Development Life Cycle and Future Standards and Guidelines
    
    Employed within the System Development Life Cycle (SDLC), FIPS 199 can
    be used as part of an agency's risk management program to help ensure
    that appropriate security controls are applied to each information
    system and that the controls are adequately assessed to determine the
    extent to which the controls are implemented correctly, operating as
    intended, and producing the desired outcome with respect to meeting
    the system security requirements. The following activities, consistent
    with NIST Special Publication 800-30, Risk Management Guide for
    Information Technology Systems, can be applied to both new and legacy
    information systems within the SDLC-
    
    * Categorize the information system (and the information resident
    within that system) based on a FIPS 199 impact analysis (See NIST
    Special Publication 800-60, Guide for Mapping Types of Information and
    Information Systems to Security Categories, for guidance in assigning
    security categories and refining the impact analysis).
    
    * Select an initial set of security controls for the information
    system (as a starting point) based on the FIPS 199 security
    categorization (See NIST Special Publication 800-53, Recommended
    Security Controls for Federal Information Systems, or FIPS 200,
    Security Controls for Federal Information Systems, which will replace
    NIST Special Publication 800-53 in December 2005 in fulfillment of the
    FISMA legislative requirement for mandatory minimum security
    requirements for federal information systems.)
    
    * Refine the initial set of security controls selected for the
    information system based on local conditions including agency-specific
    security requirements, specific threat information, cost-benefit
    analyses, the availability of compensating controls, or other special
    circumstances.
    
    * Document the agreed upon set of security controls in the security
    plan for the information system including the agency's rationale and
    justification for any refinements or adjustments to the initial set of
    controls (See NIST Special Publication 800-18, Guide for Developing
    Security Plans for Information Technology Systems).
    
    * Implement the security controls in the information system. For
    legacy systems, some or all of the security controls selected may
    already be in place.
    
    * Assess the security controls using appropriate assessment procedures
    to determine the extent to which the controls are implemented
    correctly, operating as intended, and producing the desired outcome
    with respect to meeting the security requirements for the system. (See
    NIST Special Publication 800-53A, Guide for Assessing the Security
    Controls in Federal Information Systems, summer 2004).
    
    * Determine the risk to agency operations (including mission,
    functions, image, or reputation), agency assets, or individuals
    resulting from the planned or continued operation of the information
    system (See NIST Special Publication 800-37, Guide for the Security
    Certification and Accreditation of Federal Information Systems).
    
    * Authorize system processing (or for legacy systems, authorize
    continued system processing) if the level of risk to the agency's
    operations, assets, or individuals is acceptable to the authorizing
    official (See NIST Special Publication 800-37, Guide for the Security
    Certification and Accreditation of Federal Information Systems).
    
    * Monitor selected security controls in the information system on an
    continuous basis including documenting changes to the system,
    conducting security impact analyses of the associated changes, and
    reporting the security status of the system to appropriate agency
    officials on a regular basis (See NIST Special Publication 800-37,
    Guide for the Security Certification and Accreditation of Federal
    Information Systems).
    
    Since some of the documents referenced above are either in development
    or planned at the time this bulletin was published, the reader should
    consult:  http://www.csrc.nist.gov for up-to-the minute progress
    reports on the FISMA program and related guidance documents.
    
    Disclaimer
    
    Any mention of commercial products or reference to commercial
    organizations is for information only; it does not imply
    recommendation or endorsement by NIST nor does it imply that the
    products mentioned are necessarily the best available for the purpose.
    
    
    
    _______________________________________________
    isn mailing list
    isn@private
    http://www.attrition.org/mailman/listinfo/isn
    



    This archive was generated by hypermail 2b30 : Thu Mar 25 2004 - 04:34:17 PST