[ISN] ITL Bulletin for May 2004

From: InfoSec News (isn@private)
Date: Fri May 21 2004 - 07:54:31 PDT


    Forwarded from: Elizabeth Lennon <elizabeth.lennon@private>
    
    ITL Bulletin for May 2004
    
    GUIDE FOR THE SECURITY CERTIFICATION AND ACCREDITATION OF 
    FEDERAL INFORMATION SYSTEMS
    Elizabeth B. Lennon, Editor
    Information Technology Laboratory
    National Institute of Standards and Technology
    Technology Administration
    U.S. Department of Commerce
    
    Introduction
    
    In response to the requirements of the E-Government Act (Public Law
    107-347), Title III, Federal Information Security Management Act
    (FISMA) of December 2002, ITL recently published NIST Special
    Publication (SP) 800-37, Guide for the Security Certification and
    Accreditation of Federal Information Systems. Developed through an
    extensive public review process, the document represents a significant
    contribution to federal agency security management by providing
    specific recommendations on how to certify and accredit information
    systems. State, local, and tribal governments, as well as private
    sector organizations, are encouraged to use the guidelines, as
    appropriate. This ITL Bulletin summarizes the document, which is
    available at http://csrc.nist.gov/sec-cert/.
    
    NIST SP 800-37 provides guidelines for the security certification and
    accreditation of information systems supporting the executive agencies
    of the federal government. The guidelines have been developed to help
    achieve more secure information systems within the federal government
    by:
    
    * Enabling more consistent, comparable, and repeatable assessments of
      security controls in federal information systems;
    
    * Promoting a better understanding of agency-related mission risks
      resulting from the operation of information systems; and
    
    * Creating more complete, reliable, and trustworthy information for
      authorizing officials, to facilitate more informed security
      accreditation decisions.
    
    Security Certification and Accreditation
    
    Security certification and accreditation are important activities that
    support a risk management process and are an integral part of an
    agency's information security program.
    
    Security accreditation is the official management decision given by a
    senior agency official to authorize operation of an information system
    and to explicitly accept the risk to agency operations, agency assets,
    or individuals based on the implementation of an agreed-upon set of
    security controls. Required by OMB Circular A-130, Appendix III,
    security accreditation provides a form of quality control and
    challenges managers and technical staffs at all levels to implement
    the most effective security controls possible in an information
    system, given mission requirements, technical constraints, operational
    constraints, and cost/schedule constraints. By accrediting an
    information system, an agency official accepts responsibility for the
    security of the system and is fully accountable for any adverse
    impacts to the agency if a breach of security occurs. Thus,
    responsibility and accountability are core principles that
    characterize security accreditation.
    
    It is essential that agency officials have the most complete,
    accurate, and trustworthy information possible on the security status
    of their information systems in order to make timely, credible,
    risk-based decisions on whether to authorize operation of those
    systems. The information and supporting evidence needed for security
    accreditation is often developed during a detailed security review of
    an information system, typically referred to as security
    certification. Security certification is a comprehensive assessment of
    the management, operational, and technical security controls in an
    information system, made in support of security accreditation, to
    determine the extent to which the controls are implemented correctly,
    operating as intended, and producing the desired outcome with respect
    to meeting the security requirements for the system. The results of a
    security certification are used to reassess the risks and update the
    system security plan, thus providing the factual basis for an
    authorizing official to render a security accreditation decision.
    
    Roles and Responsibilities
    
    NIST SP 800-37 describes the roles and responsibilities of key
    participants, summarized below, involved in an agency's security
    certification and accreditation process:
    
    * The Chief Information Officer is the agency official responsible
      for: (i) designating a senior agency information security officer;
      (ii) developing and maintaining information security policies,
      procedures, and control techniques to address all applicable
      requirements; (iii) training and overseeing personnel with
      significant responsibilities for information security; (iv)
      assisting senior agency officials concerning their security
      responsibilities; and (v) in coordination with other senior agency
      officials, reporting annually to the agency head on the effectiveness
      of the agency information security program, including progress of
      remedial actions.
    
    * The authorizing official (or designated approving/accrediting
      authority as referred to by some agencies) is a senior management
      official or executive with the authority to formally assume
      responsibility for operating an information system at an acceptable
      level of risk to agency operations, agency assets, or individuals.
    
    * The authorizing official's designated representative is an
      individual acting on the authorizing official's behalf in 
      coordinating and carrying out the necessary activities required 
      during the security certification and accreditation of an 
      information system.
    
    * The senior agency information security officer is the agency
      official responsible for: (i) carrying out the Chief Information
      Officer responsibilities under FISMA; (ii) possessing professional
      qualifications, including training and experience, required to
      administer the information security program functions; (iii) having
      information security duties as that official's primary duty; and
      (iv) heading an office with the mission and resources to assist in
      ensuring agency compliance with FISMA.
    
    * The information system owner is an agency official responsible for
      the overall procurement, development, integration, modification, or
      operation and maintenance of an information system.
    
    * The information owner is an agency official with statutory or
      operational authority for specified information and responsibility 
      for establishing the controls for its generation, collection, 
      processing, dissemination, and disposal.
    
    * The information system security officer is the individual
      responsible to the authorizing official, information system owner, 
      or the senior agency information security officer for ensuring the
      appropriate operational security posture is maintained for an
      information system or program.
    
    * The certification agent is an individual, group, or organization
      responsible for conducting a security certification, or 
      comprehensive assessment of the management, operational, and 
      technical security controls in an information system to determine 
      the extent to which the controls are implemented correctly, 
      operating as intended, and producing the desired outcome with 
      respect to meeting the security requirements for the system.
    
    * User representatives are individuals who represent the operational
      interests of the user community and serve as liaisons for that
      community throughout the system development life cycle of the
      information system.

    At the discretion of senior agency officials, certain security
    certification and accreditation roles may be delegated, and if so,
    appropriately documented. Individuals serving in delegated roles are
    able to operate with the authority of agency officials within the
    limits defined for the specific certification and accreditation
    activities. Agency officials retain ultimate responsibility, however,
    for the results of actions performed by individuals serving in
    delegated roles.
    
    The Process
    
    The security certification and accreditation process consists of four
    distinct phases:
    
    * Initiation Phase;
    
    * Security Certification Phase;
    
    * Security Accreditation Phase; and
    
    * Continuous Monitoring Phase.
    
    Each phase in the security certification and accreditation process
    consists of a set of well-defined tasks and subtasks that are to be
    carried out, as indicated, by responsible individuals (e.g., the Chief
    Information Officer, authorizing official, authorizing official's
    designated representative, senior agency information security officer,
    information system owner, information owner, information system
    security officer, certification agent, and user representatives).
    
    The Initiation Phase consists of three tasks: (i) preparation; (ii)
    notification and resource identification; and (iii) system security
    plan review, analysis, and acceptance. The purpose of this phase is to
    ensure that the authorizing official and senior agency information
    security officer are in agreement with the contents of the system
    security plan before the certification agent begins the assessment of
    the security controls in the information system.
    
    The Security Certification Phase consists of two tasks: (i) security
    control assessment; and (ii) security certification documentation. The
    purpose of this phase is to determine the extent to which the security
    controls in the information system are implemented correctly,
    operating as intended, and producing the desired outcome with respect
    to meeting the security requirements for the system. This phase also
    addresses specific actions taken or planned to correct deficiencies in
    the security controls and to reduce or eliminate known vulnerabilities
    in the information system. Upon successful completion of this phase,
    the authorizing official will have the information needed from the
    security certification to determine the risk to agency operations,
    agency assets, or individuals, and thus will be able to render an
    appropriate security accreditation decision for the information
    system.
    
    The Security Accreditation Phase consists of two tasks: (i) security
    accreditation decision; and (ii) security accreditation documentation.
    The purpose of this phase is to determine if the remaining known
    vulnerabilities in the information system (after the implementation of
    an agreed-upon set of security controls) pose an acceptable level of
    risk to agency operations, agency assets, or individuals. Upon
    successful completion of this phase, the information system owner will
    have: (i) authorization to operate the information system; (ii) an
    interim authorization to operate the information system under specific
    terms and conditions; or (iii) denial of authorization to operate the
    information system.
    
    The Continuous Monitoring Phase consists of three tasks: (i)
    configuration management and control; (ii) security control
    monitoring; and (iii) status reporting and documentation. The purpose
    of this phase is to provide oversight and monitoring of the security
    controls in the information system on an ongoing basis and to inform
    the authorizing official when changes occur that may affect the
    security of the system. The activities in this phase are performed
    continuously throughout the life cycle of the information system.
    
    Accreditation Decisions
    
    The security accreditation package documents the results of the
    security certification and provides the authorizing official with the
    essential information needed to make a credible, risk-based decision
    on whether to authorize operation of the information system.
    Security accreditation decisions resulting from security certification
    and accreditation processes should be conveyed to information system
    owners. To ensure the agency's business and operational needs are
    fully considered, the authorizing official should meet with the
    information system owner prior to issuing the security accreditation
    decision to discuss the security certification findings and the terms
    and conditions of the authorization. There are three types of
    accreditation decisions that can be rendered by authorizing officials:

    * Authorization to operate;

    * Interim authorization to operate; or

    * Denial of authorization to operate.
    
    Examples of security accreditation decision letters appear in Appendix E.
    
    Continuous Monitoring
    
    A critical aspect of the security certification and accreditation
    process is the post-accreditation period involving the continuous
    monitoring of security controls in the information system over time.
    An effective continuous monitoring program requires:
    
    * Configuration management and configuration control processes;
    
    * Security impact analyses on changes to the information 
      system; and
    
    * Assessment of selected security controls in the information system
      and security status reporting to appropriate agency officials.
    
    Conclusion
    
    Completing a security accreditation ensures that an information system
    will be operated with appropriate management review, that there is
    ongoing monitoring of security controls, and that re-accreditation
    occurs periodically in accordance with federal or agency policy and
    whenever there is a significant change to the system or its
    operational environment.
    
    Disclaimer: Any mention of commercial products or reference to
    commercial organizations is for information only; it does not imply
    recommendation or endorsement by the National Institute of Standards
    and Technology nor does it imply that the products mentioned are
    necessarily the best available for the purpose.
    
    
    Elizabeth B. Lennon
    Writer/Editor
    Information Technology Laboratory
    National Institute of Standards and Technology
    100 Bureau Drive, Stop 8900
    Gaithersburg, MD 20899-8900
    Telephone (301) 975-2832
    Fax (301) 840-1357
    
    
    
    
    _________________________________________
    ISN mailing list
    Sponsored by: OSVDB.org
    


