Complying With The Federal Information Security Act (FISMA)

What is FISMA?

Congress included FISMA as part of the E-Government Act of 2002
(http://thomas.loc.gov/bss/d107/d107laws.html).

FISMA is the primary legislation that governs the required security
activities associated with the Certification and Accreditation process.
It sets forth specific requirements for security programs as well as an
annual reporting requirement. As a DAA you will be responsible for
executive oversight of meeting the program and reporting requirements
outlined on the following slides.

Purpose of FISMA

Bringing standardization to security control selection and assessment
through:
- Providing a consistent framework for protecting information at the
  federal level.
- Providing effective management of risks to information security.
- Providing for the development of adequate controls to protect
  information and systems.
- Providing a mechanism for effective oversight of federal security
  programs.

FISMA Requirements

Federal agencies are required to establish an integrated, risk-based
information security program that adheres to high-level requirements
governing how information security is conducted within their agency.

Agencies are required to:
- assess the current level of risk associated with their information
  and information systems
- define controls to protect those systems
- implement policies and procedures to cost-effectively reduce risk
- periodically test and evaluate those controls
- train personnel on information security policies and procedures
- manage incidents (incident response plan/process)

FISMA Dictates

- Responsibilities of chief security officers.
- Actions required to assess risk.
- Actions required to mitigate risk.
- Security awareness training.
- Testing of security practices and controls.
- Procedures for responding to security issues.
- Procedures for business continuity.

FISMA and NIST

NIST provides detailed, in-depth guidance on FISMA. NIST guidance
includes:
- Standards for categorizing information and information systems by
  mission impact.
- Standards for minimum security requirements for information and
  information systems.
- Guidance for selecting appropriate security controls for information
  systems.
- Guidance for assessing security controls in information systems and
  determining security control effectiveness.
- Guidance for certifying and accrediting information systems.

NIST FISMA Related Publications

- FIPS Publication 199 (Security Categorization)
- FIPS Publication 200 (Minimum Security Requirements)
- NIST Special Publication 800-18, Rev 1 (Security Planning)
- NIST Special Publication 800-30, Rev 1 (Risk Management)
- NIST Special Publication 800-37 (Certification & Accreditation)
- NIST Special Publication 800-53, Rev 3 (Recommended Security Controls)
- NIST Special Publication 800-53A, Rev 1 (Security Control Assessment)
- NIST Special Publication 800-60 (Security Category Mapping)

FIPS 199, Standards for the Security Categorization of Federal
Information and Information Systems

The standard used by federal agencies to categorize information and
information systems, with the objective of providing appropriate levels
of information security according to a range of risk levels.

Information systems are categorized as Low, Moderate, or High Risk
Systems based on the Confidentiality, Integrity, and Availability
security requirements necessary to protect the data/information
processed, stored, or transmitted by the information system.
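The categorization rule these slides describe can be modeled directly. The Python below is an added example, not part of the slides or of any NIST publication. It applies the FIPS 199 aggregation rule (for each security objective, a system's impact level is the highest level among the information types it handles) and the FIPS 200 high-water-mark rule (the system's overall impact level, which selects the SP 800-53 baseline, is the highest of the three objectives). The information types and their per-objective impact levels are constructed for illustration; they are not provisional values taken from SP 800-60.

```python
from enum import IntEnum
from typing import Dict


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() picks the highest."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


# A security category is one impact level per security objective.
SecurityCategory = Dict[str, Impact]
OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_system(info_types: Dict[str, SecurityCategory]) -> SecurityCategory:
    """FIPS 199 aggregation: for each objective, take the highest impact
    level among all information types the system processes, stores, or
    transmits."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    for name, category in info_types.items():
        missing = [obj for obj in OBJECTIVES if obj not in category]
        if missing:
            raise ValueError(f"{name!r} lacks impact level(s) for {missing}")
    return {obj: max(cat[obj] for cat in info_types.values()) for obj in OBJECTIVES}


def overall_impact(system_category: SecurityCategory) -> Impact:
    """FIPS 200 high-water mark: the overall system impact level is the
    highest level assigned to any of the three objectives."""
    return max(system_category[obj] for obj in OBJECTIVES)


def select_baseline(system_category: SecurityCategory) -> str:
    """FIPS 200 directs that the SP 800-53 baseline matching the overall
    impact level be used as the starting set of controls."""
    return f"SP 800-53 {overall_impact(system_category).name} baseline"


def format_category(system_category: SecurityCategory) -> str:
    """Render in the FIPS 199 notation SC = {(objective, level), ...}."""
    pairs = ", ".join(f"({obj}, {system_category[obj].name})" for obj in OBJECTIVES)
    return "SC = {" + pairs + "}"


# Constructed sample: three information types on one hypothetical system.
# The impact levels are illustrative assumptions, not SP 800-60 values.
SAMPLE_INFO_TYPES: Dict[str, SecurityCategory] = {
    "employee records": {
        "confidentiality": Impact.MODERATE,
        "integrity": Impact.MODERATE,
        "availability": Impact.LOW,
    },
    "public web content": {
        "confidentiality": Impact.LOW,
        "integrity": Impact.MODERATE,
        "availability": Impact.LOW,
    },
    "financial transactions": {
        "confidentiality": Impact.MODERATE,
        "integrity": Impact.HIGH,
        "availability": Impact.MODERATE,
    },
}


if __name__ == "__main__":
    system_sc = categorize_system(SAMPLE_INFO_TYPES)
    print(format_category(system_sc))
    print("overall impact:", overall_impact(system_sc).name)
    print("control baseline:", select_baseline(system_sc))
```

Note that no single information type in the sample is High across the board, yet the system as a whole lands in the High baseline: a single High integrity requirement on one information type drives the FIPS 200 high-water mark for the entire system, which is why the categorization step deserves as much care as the control selection that follows it.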

FIPS 200, Minimum Security Requirements for Federal Information and
Information Systems

- Provides minimum information security requirements for information
  and information systems in each security category defined in
  FIPS 199.
- Dictates the requirement to utilize NIST SP 800-53 for the baseline
  security control requirements.

NIST SP 800-37 Rev 1, Guide to Apply the Risk Management Framework to
Federal Information Systems

Establishes a six-step Risk Management Framework for Federal
Information Systems:
1. Categorize the Information System
2. Select Security Controls
3. Implement Security Controls
4. Assess Security Controls
5. Authorize the Information System
6. Monitor the Security Controls

Applicable to non-national security information systems as defined in
the Federal Information Security Management Act of 2002.

NIST SP 800-18 Rev 1, Guide for Developing Security Plans for Federal
Information Systems

Defines the format and content for Security Plans, as required by OMB
Circular No. A-130.

The main functions of the Security Plan include:
- Providing an overview of the system's security requirements
- Describing the controls in place or planned for meeting those
  requirements
- Delineating responsibilities and expected behavior of all individuals
  who access the system
- Documenting the structured process of planning adequate,
  cost-effective security protection for the system

NIST SP 800-30 Rev 1, Risk Management Guide for Information Technology
Systems

Definitional and practical guidance regarding the concept and practice
of managing IT-related risks.

Risk management provides a balance between operational objectives and
the economic costs of protective measures by:
- better securing IT systems that store, process, or transmit
  organizational information;
- enabling management to make well-informed risk management decisions
  to justify the expenditures;
- assisting management in authorizing (or accrediting) the IT systems.

NIST SP 800-34 Rev 1, Contingency Planning Guide For Federal
Information Systems

- Provides instructions, recommendations, and considerations for
  government IT contingency planning.
- Provides specific contingency planning recommendations for seven IT
  platforms.
- Provides strategies and techniques common to all systems.

NIST SP 800-53 Rev 3, Recommended Security Controls for Federal
Information Systems and Organizations

- The purpose of NIST Special Publication 800-53, Rev 3 is to provide
  guidelines for selecting and specifying security controls for
  information systems.
- Applicable to all Federal information systems other than those
  systems designated as national security systems as defined in
  44 U.S.C., Section 3542.
- Broadly developed from a technical perspective to complement similar
  guidelines issued by agencies and offices operating or exercising
  control over national security systems.
- Provides guidance to Federal agencies until the publication of FIPS
  Publication 200, Minimum Security Controls for Federal Information
  Systems.

NIST SP 800-53A Rev 1, Guide for Assessing the Security Controls in
Federal Information Systems

- Provides standardized techniques and procedures to verify the
  effectiveness of security controls.
- Provides a single baseline verification procedure for each security
  control in SP 800-53, Rev 3.
- Allows additional verification techniques and procedures to be
  applied at the discretion of the agency.

NIST SP 800-60 Vol I and Vol II, Guide for Mapping Types of Information
and Information Systems to Security Categories

- Provides guidelines recommending the types of information and
  information systems to be included in each category of potential
  security impact.
- Assists agencies to map security impact levels in a consistent manner
  to types of: (i) information (e.g., privacy, medical, proprietary,
  financial, contractor sensitive, trade secret, investigation); and
  (ii) information systems (e.g., mission critical, mission support,
  administrative).

SUMMARY

Key activities in managing the enterprise-level risk resulting from the
operation of an information system:
- Categorize the information system
- Select the set of minimum (baseline) security controls
- Refine the security control set based on risk assessment
- Document the security controls in the system security plan
- Implement the security controls in the information system
- Assess the security controls
- Determine agency-level risk and risk acceptability
- Authorize information system operation
- Monitor security controls on a continuous basis

QUESTIONS?

LARRY CHMIEL
Security and Privacy Consulting, LLC
larry@securityandprivacyconsulting.com
813-838-2689