Forwarded from: Elizabeth Lennon <elizabeth.lennon (at) nist.gov> ITL BULLETIN FOR JANUARY 2007 SECURITY CONTROLS FOR INFORMATION SYSTEMS: REVISED GUIDELINES ISSUED BY NIST Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Technology Administration U.S. Department of Commerce The National Institute of Standards and Technology (NIST) Information Technology Laboratory recently updated its guidance to federal agencies for selecting and specifying security controls for their information systems. Security controls are the management, operational, and technical safeguards or countermeasures that protect the confidentiality, integrity, and availability of an information system and its information. The revised NIST guidance assists federal agencies in selecting an appropriate set of security controls for their information systems, in accordance with standards and requirements specified by the Federal Information Security Management Act (FISMA) of 2002. Using the tailoring guidance provided in the revised publication, agencies will have flexibility in selecting and adjusting the security controls that they specify in order to meet their specific mission requirements and their operational needs in a cost-effective manner. NIST Special Publication (SP) 800-53, Revision 1, Recommended Security Controls for Federal Information Systems NIST SP 800-53, Revision 1, Recommended Security Controls for Federal Information Systems, was written by Ron Ross, Stu Katzke, Arnold Johnson, Marianne Swanson, Gary Stoneburner, and George Rogers, and published by NIST in December 2006. The publication, when used with other standards and guidelines, assists federal agencies in protecting the information systems that support federal government operations and assets. NIST SP 800-53 presents the fundamental concepts concerning the selection and specification of security controls. The topics discussed include the structural components of security controls and how the controls are organized into families of controls; the baseline, or minimum, controls that can be selected; the common controls that can be applied in more than one organizational information system; the controls needed to protect systems in exchanges with external information systems; implementation of controls within an information system with assurance that the controls are effective; and NIST's plans for periodic review of the controls and maintenance of a catalog of effective controls. The guide describes the recommended comprehensive process that organizations should follow for selecting and specifying security controls for an information system. Topics covered include the steps that an organization should take to manage risks; the requirement for federal agencies to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability; how to select and tailor an initial set of minimum, or baseline, controls; how to supplement the tailored baseline controls to achieve needed security protections; and how to update controls through regular reviews as part of a risk management process. The appendices to NIST SP 800-53 provide extensive information about the selection and specification of security controls. Included are a list of references, a glossary of terms used in the publication, and a list of acronyms. One table lists the catalog of minimum security controls in summarized form and indicates the appropriate control and any applicable control enhancements that would be needed to protect low-impact, moderate-impact, and high-impact information systems. Another part of the appendix explains the minimum assurance requirements for the security controls listed in the catalog, and provides supplemental guidance concerning how the minimum requirements are to be applied. One large section of the appendix provides a catalog of security controls organized into families with supplemental guidance and with information associated with each control to allow for the enhancement of the control. Mappings of the relationships of security controls to government and voluntary industry standards and to other control sets, mappings of the relationships of security controls to NIST standards and guidelines, and guidance on the application of controls to industrial control systems complete the appendices. The security controls guide is available on NIST's web pages at: http://csrc.nist.gov/publications/nistpubs/index.html. Supplemental Publications In addition to the final version of NIST SP 800-53 available on the above web page, you will also find supplemental publications to assist in the selection and specification of security controls. NIST SP 800-53 introduces the concept of baseline controls, which are the initial security controls recommended for an information system, based on the system's security categorization. (See section on FISMA below.) Tailoring guidance in NIST SP 800-53 can be applied to the initial control set to produce a tailored baseline. This tailored security control baseline is the starting point for organizations to determine the appropriate safeguards and countermeasures necessary to protect their information systems. Supplements to the tailored baseline may be needed based on the organization's operational needs and its assessment of risk. Annex 1 to NIST SP 800-53 provides a summary of baseline security controls for low-impact information systems. It also provides control enhancements, full descriptions of the controls and enhancements, and the minimum assurance requirements for low-impact information systems. Annex 2 contains similar information for moderate-impact systems, and Annex 3 covers high-impact systems. Other available documents are marked-up versions of NIST SP 800-53 that indicate changes made to initial public drafts including a document that summarizes all of the changes that were made to the February 2005 version of the guide in the development of the December 2006 version. Establishing an Integrated Information Security Program Security controls should be selected and used as part of a well-defined and documented information security program. To be effective, an information security program should provide for: * Periodic assessments of risk to evaluate the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems. * Development of policies and procedures that are based on assessments of risk and that reduce the risks to an acceptable level and address information security throughout the life cycle of each information system. * Plans to provide adequate information security for networks, facilities, information systems, or groups of systems. * Security awareness training for personnel, including contractors and other users of information systems, about the risks associated with their activities and their responsibilities for implementing policies and procedures for information security. * A process for planning, implementing, evaluating, and documenting remedial actions to address information security deficiencies. * Procedures for detecting, reporting, and responding to security incidents; and * Plans and procedures for continuity of operations. Federal Information Security Management Act (FISMA) The Federal Information Security Management Act (FISMA) requires that all federal agencies develop, document, and implement agency-wide information security programs and provide information security for the information and information systems that support the operations and assets of the agency, including those systems provided or managed by another agency, contractor, or other source. To help agencies carry out these policies, FISMA designated NIST to develop federal standards for the security categorization of federal information and information systems according to risk levels, and minimum security requirements for information and information systems in each security category. FIPS 199, Standards for the Security Categorization of Federal Information and Information Systems, issued in February 2004, was the first standard that NIST developed to meet FISMA requirements. FIPS 199 requires agencies to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability. FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, which was approved on March 9, 2006, is the second standard that was specified by FISMA. After agencies have categorized their systems in accordance with FIPS 199, they are required to determine minimum security requirements for seventeen security-related areas, and to select an appropriate set of security controls to satisfy the minimum requirements. Security controls, which are specified in NIST SP 800-53, are organized to match the seventeen security-related areas that are identified in FIPS 200. The application of controls is an essential component of a broad-based, balanced information security program. For more information about activities that support the FISMA Implementation Project, see NIST's web page at http://csrc.nist.gov/sec-cert/index.html. Using NIST SP 800-53, Revision 1, in the Risk Management Process Risk management is an essential part of an organization's information security program, providing an effective framework for the selection of appropriate security controls. The risk-based approach enables organizations to protect the information systems that store, process, and transmit organizational information, to make well-informed risk management decisions, and to apply system authorization and accreditation processes. The risk management process includes the following steps: * Categorize the information system and its information in accordance with FIPS 199. * Select an initial set of baseline, or minimum, controls from NIST SP 800-53, based on the categorization and the minimum security requirements defined in FIPS 200. Apply the tailoring guidance from NIST SP 800-53 to identify the starting point controls. * Supplement the initial set of tailored security controls based on the assessment of risk and the organization's specific requirements. * Document the security controls, including refinements and adjustments to the initial set of controls, in the system security plan. * Implement the security controls in the information system, and apply security configuration settings. * Assess the security controls to determine if implemented correctly, operating properly, and meeting security requirements. * Authorize information system operation, using security certification and accreditation procedures. Security accreditation is the decision to authorize operation of an information system and to accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls. Security certification is a comprehensive assessment of the systems security controls to determine the extent to which the controls are implemented correctly, operating as intended, and meeting the security requirements of the system. * Monitor and assess selected security controls to track changes to the information system on a continuous basis, and reassess the effectiveness of controls. NIST standards and guides that assist organizations in using the risk management process to select security controls are listed in the More Information section below. Changes to Controls Selection Process in NIST SP 800-53, Revision 1 NIST SP 800-53, Revision 1, used in conjunction with FIPS 200, provides federal organizations with options for significant flexibility in their selection and specification of security controls. The tailoring guidance introduced in the guide will enable federal agencies to eliminate unnecessary controls, to incorporate compensating controls when needed, and to specify agency specific conditions. This approach gives agencies flexibility to respond to known threats and to take action on agency-identified risks. The guide reinforces requirements for agencies to consider the potential organizational and national-level impacts when they categorize their information systems as low-impact, moderate-impact, or high-impact systems. Organizations are advised to select common controls for information systems whenever possible. The advantages of common controls are cost-effectiveness and consistency of implementation. Common controls should be developed, implemented, and continuously monitored by a central management team, and the results of security assessments should be shared with all information system owners. Within the common control structure, controls may be tailored to be system-specific and be described in system security plans. Other changes relate to instituting controls that are appropriate for the use of information services obtained from external service providers. Agencies should establish trust relationships with the providers to assure that the external information systems have implemented necessary and effective security controls. Also changes were made to the security certification, security accreditation, user identification and authentication, media labeling, media storage, and media transport security controls. All of these changes are identified in the document available on the NIST web page, summarizing the changes that were made in Revision 1 of NIST SP 800-53. More Information NIST publications that support the risk management process and the selection, implementation, and assessment of security controls include: FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, requires agencies to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability. FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, specifies minimum security requirements for federal information and information systems in seventeen security-related areas that represent a broad-based, balanced information security program. NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems, assists organizations in developing security plans that summarize the security requirements for each information system, and identify the security controls in place or planned for meeting the requirements. NIST SP 800-30, Risk Management Guide for Information Technology Systems, provides guidance to organizations in identifying the risks to their missions brought about by the use of information systems, assessing the risks, and taking steps to reduce the risks to an acceptable level. NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, provides guidance for the security certification and accreditation of information systems in support of the risk management process. NIST SP 800-53, Recommended Security Controls for Federal Information Systems, provides guidance in selecting, specifying, and tailoring security controls that will provide an appropriate level of security, based on the organizations assessment of mission risk. NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, will enable organizations to develop an effective assessment plan. The guide, which is currently available in draft form, is expected to be completed in mid-2007. NIST SP 800-59, Guideline for Identifying an Information System as a National Security System, provides a checklist that enables organizations to determine if their systems should be designated national security systems in accordance with FISMA. NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, assists organizations in identifying information types and impact levels, and assigning impact levels for confidentiality, integrity, and availability. The impact levels are based on the security categorization definitions in FIPS 199. NIST SP 800-70, Security Configuration Checklists Program for IT Products - Guidance for Checklists Users and Developers, describes NIST's program to facilitate the development and use of security configuration checklists. NIST publications assist organizations in planning and implementing a comprehensive approach to information security. For information about NIST standards and guidelines that are listed above, as well as other security-related publications that support the goals of FISMA, see NIST's web page: http://csrc.nist.gov/publications/index.html. Disclaimer Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose. Elizabeth B. Lennon Writer/Editor Information Technology Laboratory National Institute of Standards and Technology 100 Bureau Drive, Stop 8900 Gaithersburg, MD 20899-8900 Telephone (301) 975-2832 Fax (301) 975-2378 _____________________________ Subscribe to InfoSec News http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Thu Feb 01 2007 - 22:31:11 PST