Forwarded from: Elizabeth Lennon <elizabeth.lennon@private> ITL Bulletin for May 2004 GUIDE FOR THE SECURITY CERTIFICATION AND ACCREDITATION OF FEDERAL INFORMATION SYSTEMS Elizabeth B. Lennon, Editor Information Technology Laboratory National Institute of Standards and Technology Technology Administration U.S. Department of Commerce Introduction In response to the requirements of the E-Government Act (Public Law 107-347), Title III, Federal Information Security Management Act (FISMA) of December 2002, ITL recently published NIST Special Publication (SP) 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems. Developed through an extensive public review process, the document represents a significant contribution to federal agency security management by providing specific recommendations on how to certify and accredit information systems. State, local, and tribal governments, as well as private sector organizations, are encouraged to use the guidelines, as appropriate. This ITL Bulletin summarizes the document, which is available at http://csrc.nist.gov/sec-cert/. NIST SP 800-37 provides guidelines for the security certification and accreditation of information systems supporting the executive agencies of the federal government. The guidelines have been developed to help achieve more secure information systems within the federal government by: * Enabling more consistent, comparable, and repeatable assessments of security controls in federal information systems; * Promoting a better understanding of agency-related mission risks resulting from the operation of information systems; and * Creating more complete, reliable, and trustworthy information for authorizing officials-to facilitate more informed security accreditation decisions. Security Certification and Accreditation Security certification and accreditation are important activities that support a risk management process and an integral part of an agency's information security program. Security accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls. Required by OMB Circular A-130, Appendix III, security accreditation provides a form of quality control and challenges managers and technical staffs at all levels to implement the most effective security controls possible in an information system, given mission requirements, technical constraints, operational constraints, and cost/schedule constraints. By accrediting an information system, an agency official accepts responsibility for the security of the system and is fully accountable for any adverse impacts to the agency if a breach of security occurs. Thus, responsibility and accountability are core principles that characterize security accreditation. It is essential that agency officials have the most complete, accurate, and trustworthy information possible on the security status of their information systems in order to make timely, credible, risk-based decisions on whether to authorize operation of those systems. The information and supporting evidence needed for security accreditation is often developed during a detailed security review of an information system, typically referred to as security certification. Security certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. The results of a security certification are used to reassess the risks and update the system security plan, thus providing the factual basis for an authorizing official to render a security accreditation decision. Roles and Responsibilities NIST SP 800-37 describes the roles and responsibilities of key participants, summarized below, involved in an agency's security certification and accreditation process: * The Chief Information Officer is the agency official responsible for: (i) designating a senior agency information security officer; (ii) developing and maintaining information security policies, procedures, and control techniques to address all applicable requirements; (iii) training and overseeing personnel with significant responsibilities for information security; (iv) assisting senior agency officials concerning their security responsibilities; and (v) in coordination with other senior agency officials, reporting annually to the agency head on the effectiveness of the agency information security program, including progress of remedial actions. * The authorizing official (or designated approving/accrediting authority as referred to by some agencies) is a senior management official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations, agency assets, or individuals. * The authorizing official's designated representative is an individual acting on the authorizing official's behalf in coordinating and carrying out the necessary activities required during the security certification and accreditation of an information system. * The senior agency information security officer is the agency official responsible for: (i) carrying out the Chief Information Officer responsibilities under FISMA; (ii) possessing professional qualifications, including training and experience, required to administer the information security program functions; (iii) having information security duties as that official's primary duty; and (iv) heading an office with the mission and resources to assist in ensuring agency compliance with FISMA. * The information system owner is an agency official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system. * The information owner is an agency official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal. * The information system security officer is the individual responsible to the authorizing official, information system owner, or the senior agency information security officer for ensuring the appropriate operational security posture is maintained for an information system or program. * The certification agent is an individual, group, or organization responsible for conducting a security certification, or comprehensive assessment of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. * User representatives are individuals that represent the operational interests of the user community and serve as liaisons for that community throughout the system development life cycle of the information system. At the discretion of senior agency officials, certain security certification and accreditation roles may be delegated, and if so, appropriately documented. Individuals serving in delegated roles are able to operate with the authority of agency officials within the limits defined for the specific certification and accreditation activities. Agency officials retain ultimate responsibility, however, for the results of actions performed by individuals serving in delegated roles. The Process The security certification and accreditation process consists of four distinct phases: * Initiation Phase; * Security Certification Phase; * Security Accreditation Phase; and * Continuous Monitoring Phase. Each phase in the security certification and accreditation process consists of a set of well-defined tasks and subtasks that are to be carried out, as indicated, by responsible individuals (e.g., the Chief Information Officer, authorizing official, authorizing official's designated representative, senior agency information security officer, information system owner, information owner, information system security officer, certification agent, and user representatives). The Initiation Phase consists of three tasks: (i) preparation; (ii) notification and resource identification; and (iii) system security plan review, analysis, and acceptance. The purpose of this phase is to ensure that the authorizing official and senior agency information security officer are in agreement with the contents of the system security plan before the certification agent begins the assessment of the security controls in the information system. The Security Certification Phase consists of two tasks: (i) security control assessment; and (ii) security certification documentation. The purpose of this phase is to determine the extent to which the security controls in the information system are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. This phase also addresses specific actions taken or planned to correct deficiencies in the security controls and to reduce or eliminate known vulnerabilities in the information system. Upon successful completion of this phase, the authorizing official will have the information needed from the security certification to determine the risk to agency operations, agency assets, or individuals, and thus will be able to render an appropriate security accreditation decision for the information system. The Security Accreditation Phase consists of two tasks: (i) security accreditation decision; and (ii) security accreditation documentation. The purpose of this phase is to determine if the remaining known vulnerabilities in the information system (after the implementation of an agreed-upon set of security controls) pose an acceptable level of risk to agency operations, agency assets, or individuals. Upon successful completion of this phase, the information system owner will have: (i) authorization to operate the information system; (ii) an interim authorization to operate the information system under specific terms and conditions; or (iii) denial of authorization to operate the information system. The Continuous Monitoring Phase consists of three tasks: (i) configuration management and control; (ii) security control monitoring; and (iii) status reporting and documentation. The purpose of this phase is to provide oversight and monitoring of the security controls in the information system on an ongoing basis and to inform the authorizing official when changes occur that may impact on the security of the system. The activities in this phase are performed continuously throughout the life cycle of the information system. Accreditation Decisions The security accreditation package documents the results of the security certification and provides the authorizing official with the essential information needed to make a credible, risk-based decision on whether to authorize operation of the information system. Security accreditation decisions resulting from security certification and accreditation processes should be conveyed to information system owners. To ensure the agency's business and operational needs are fully considered, the authorizing official should meet with the information system owner prior to issuing the security accreditation decision to discuss the security certification findings and the terms and conditions of the authorization. There are three types of accreditation decisions that can be rendered by authorizing officials: * Authorization to operate; * Interim authorization to operate; or * Denial of authorization to operate. Examples of security accreditation decision letters appear in Appendix E. Continuous Monitoring A critical aspect of the security certification and accreditation process is the post-accreditation period involving the continuous monitoring of security controls in the information system over time. An effective continuous monitoring program requires: * Configuration management and configuration control processes; * Security impact analyses on changes to the information system; and * Assessment of selected security controls in the information system and security status reporting to appropriate agency officials. Conclusion Completing a security accreditation ensures that an information system will be operated with appropriate management review, that there is ongoing monitoring of security controls, and that re-accreditation occurs periodically in accordance with federal or agency policy and whenever there is a significant change to the system or its operational environment. Disclaimer: Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by the National Institute of Standards and Technology nor does it imply that the products mentioned are necessarily the best available for the purpose. Elizabeth B. Lennon Writer/Editor Information Technology Laboratory National Institute of Standards and Technology 100 Bureau Drive, Stop 8900 Gaithersburg, MD 20899-8900 Telephone (301) 975-2832 Fax (301) 840-1357 _________________________________________ ISN mailing list Sponsored by: OSVDB.org
This archive was generated by hypermail 2b30 : Fri May 21 2004 - 10:28:24 PDT