From: InfoSec News (alertsinfosecnews.org)
Date: Fri Feb 02 2007 - 00:16:00 CST

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Forwarded from: Elizabeth Lennon <elizabeth.lennon (at) nist.gov>

ITL BULLETIN FOR JANUARY 2007

SECURITY CONTROLS FOR INFORMATION SYSTEMS:
REVISED GUIDELINES ISSUED BY NIST

Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

The National Institute of Standards and Technology (NIST) Information
Technology Laboratory recently updated its guidance to federal agencies
for selecting and specifying security controls for their information
systems. Security controls are the management, operational, and
technical safeguards or countermeasures that protect the
confidentiality, integrity, and availability of an information system
and its information.

The revised NIST guidance assists federal agencies in selecting an
appropriate set of security controls for their information systems, in
accordance with standards and requirements specified by the Federal
Information Security Management Act (FISMA) of 2002. Using the tailoring
guidance provided in the revised publication, agencies will have
flexibility in selecting and adjusting the security controls that they
specify in order to meet their specific mission requirements and their
operational needs in a cost-effective manner.

NIST Special Publication (SP) 800-53, Revision 1, Recommended Security
Controls for Federal Information Systems

NIST SP 800-53, Revision 1, Recommended Security Controls for Federal
Information Systems, was written by Ron Ross, Stu Katzke, Arnold
Johnson, Marianne Swanson, Gary Stoneburner, and George Rogers, and
published by NIST in December 2006. The publication, when used with
other standards and guidelines, assists federal agencies in protecting
the information systems that support federal government operations and
assets.

NIST SP 800-53 presents the fundamental concepts concerning the
selection and specification of security controls. The topics discussed
include the structural components of security controls and how the
controls are organized into families of controls; the baseline, or
minimum, controls that can be selected; the common controls that can be
applied in more than one organizational information system; the controls
needed to protect systems in exchanges with external information
systems; implementation of controls within an information system with
assurance that the controls are effective; and NIST's plans for periodic
review of the controls and maintenance of a catalog of effective
controls.

The guide describes the recommended comprehensive process that
organizations should follow for selecting and specifying security
controls for an information system. Topics covered include the steps
that an organization should take to manage risks; the requirement for
federal agencies to categorize their information systems as low-impact,
moderate-impact, or high-impact for the security objectives of
confidentiality, integrity, and availability; how to select and tailor
an initial set of minimum, or baseline, controls; how to supplement the
tailored baseline controls to achieve needed security protections; and
how to update controls through regular reviews as part of a risk
management process.

The appendices to NIST SP 800-53 provide extensive information about the
selection and specification of security controls. Included are a list of
references, a glossary of terms used in the publication, and a list of
acronyms. One table lists the catalog of minimum security controls in
summarized form and indicates the appropriate control and any applicable
control enhancements that would be needed to protect low-impact,
moderate-impact, and high-impact information systems.

Another part of the appendix explains the minimum assurance requirements
for the security controls listed in the catalog, and provides
supplemental guidance concerning how the minimum requirements are to be
applied. One large section of the appendix provides a catalog of
security controls organized into families with supplemental guidance and
with information associated with each control to allow for the
enhancement of the control. Mappings of the relationships of security
controls to government and voluntary industry standards and to other
control sets, mappings of the relationships of security controls to NIST
standards and guidelines, and guidance on the application of controls to
industrial control systems complete the appendices.

The security controls guide is available on NIST's web pages at:

http://csrc.nist.gov/publications/nistpubs/index.html.

Supplemental Publications

In addition to the final version of NIST SP 800-53 available on the
above web page, you will also find supplemental publications to assist
in the selection and specification of security controls. NIST SP 800-53
introduces the concept of baseline controls, which are the initial
security controls recommended for an information system, based on the
system's security categorization. (See section on FISMA below.)
Tailoring guidance in NIST SP 800-53 can be applied to the initial
control set to produce a tailored baseline. This tailored security
control baseline is the starting point for organizations to determine
the appropriate safeguards and countermeasures necessary to protect
their information systems. Supplements to the tailored baseline may be
needed based on the organization's operational needs and its assessment
of risk.

Annex 1 to NIST SP 800-53 provides a summary of baseline security
controls for low-impact information systems. It also provides control
enhancements, full descriptions of the controls and enhancements, and
the minimum assurance requirements for low-impact information systems.
Annex 2 contains similar information for moderate-impact systems, and
Annex 3 covers high-impact systems.

Other available documents are marked-up versions of NIST SP 800-53 that
indicate changes made to initial public drafts including a document that
summarizes all of the changes that were made to the February 2005
version of the guide in the development of the December 2006 version.

Establishing an Integrated Information Security Program

Security controls should be selected and used as part of a well-defined
and documented information security program. To be effective, an
information security program should provide for:

* Periodic assessments of risk to evaluate the magnitude of harm that
  could result from the unauthorized access, use, disclosure,
  disruption, modification, or destruction of information and
  information systems.

* Development of policies and procedures that are based on assessments
  of risk and that reduce the risks to an acceptable level and address
  information security throughout the life cycle of each information
  system.

* Plans to provide adequate information security for networks,
  facilities, information systems, or groups of systems.

* Security awareness training for personnel, including contractors and
  other users of information systems, about the risks associated with
  their activities and their responsibilities for implementing policies
  and procedures for information security.

* A process for planning, implementing, evaluating, and documenting
  remedial actions to address information security deficiencies.

* Procedures for detecting, reporting, and responding to security
  incidents; and

* Plans and procedures for continuity of operations.

Federal Information Security Management Act (FISMA)

The Federal Information Security Management Act (FISMA) requires that
all federal agencies develop, document, and implement agency-wide
information security programs and provide information security for the
information and information systems that support the operations and
assets of the agency, including those systems provided or managed by
another agency, contractor, or other source. To help agencies carry out
these policies, FISMA designated NIST to develop federal standards for
the security categorization of federal information and information
systems according to risk levels, and minimum security requirements for
information and information systems in each security category.

FIPS 199, Standards for the Security Categorization of Federal
Information and Information Systems, issued in February 2004, was the
first standard that NIST developed to meet FISMA requirements. FIPS 199
requires agencies to categorize their information systems as low-impact,
moderate-impact, or high-impact for the security objectives of
confidentiality, integrity, and availability.

FIPS 200, Minimum Security Requirements for Federal Information and
Information Systems, which was approved on March 9, 2006, is the second
standard that was specified by FISMA. After agencies have categorized
their systems in accordance with FIPS 199, they are required to
determine minimum security requirements for seventeen security-related
areas, and to select an appropriate set of security controls to satisfy
the minimum requirements. Security controls, which are specified in NIST
SP 800-53, are organized to match the seventeen security-related areas
that are identified in FIPS 200. The application of controls is an
essential component of a broad-based, balanced information security
program.

For more information about activities that support the FISMA
Implementation Project, see NIST's web page at
http://csrc.nist.gov/sec-cert/index.html.

Using NIST SP 800-53, Revision 1, in the Risk Management Process

Risk management is an essential part of an organization's information
security program, providing an effective framework for the selection of
appropriate security controls. The risk-based approach enables
organizations to protect the information systems that store, process,
and transmit organizational information, to make well-informed risk
management decisions, and to apply system authorization and
accreditation processes.

The risk management process includes the following steps:

* Categorize the information system and its information in accordance
  with FIPS 199.

* Select an initial set of baseline, or minimum, controls from NIST SP
  800-53, based on the categorization and the minimum security
  requirements defined in FIPS 200. Apply the tailoring guidance from
  NIST SP 800-53 to identify the starting point controls.

* Supplement the initial set of tailored security controls based on the
  assessment of risk and the organization's specific requirements.

* Document the security controls, including refinements and adjustments
  to the initial set of controls, in the system security plan.

* Implement the security controls in the information system, and apply
  security configuration settings.

* Assess the security controls to determine if implemented correctly,
  operating properly, and meeting security requirements.

* Authorize information system operation, using security certification
  and accreditation procedures. Security accreditation is the decision
  to authorize operation of an information system and to accept the risk
  to agency operations, agency assets, or individuals based on the
  implementation of an agreed-upon set of security controls. Security
  certification is a comprehensive assessment of the system’s security
  controls to determine the extent to which the controls are implemented
  correctly, operating as intended, and meeting the security
  requirements of the system.

* Monitor and assess selected security controls to track changes to the
  information system on a continuous basis, and reassess the
  effectiveness of controls.

NIST standards and guides that assist organizations in using the risk
management process to select security controls are listed in the More
Information section below.

Changes to Controls Selection Process in NIST SP 800-53, Revision 1

NIST SP 800-53, Revision 1, used in conjunction with FIPS 200, provides
federal organizations with options for significant flexibility in their
selection and specification of security controls. The tailoring guidance
introduced in the guide will enable federal agencies to eliminate
unnecessary controls, to incorporate compensating controls when needed,
and to specify agency specific conditions. This approach gives agencies
flexibility to respond to known threats and to take action on
agency-identified risks. The guide reinforces requirements for agencies
to consider the potential organizational and national-level impacts when
they categorize their information systems as low-impact,
moderate-impact, or high-impact systems.

Organizations are advised to select common controls for information
systems whenever possible. The advantages of common controls are
cost-effectiveness and consistency of implementation. Common controls
should be developed, implemented, and continuously monitored by a
central management team, and the results of security assessments should
be shared with all information system owners. Within the common control
structure, controls may be tailored to be system-specific and be
described in system security plans.

Other changes relate to instituting controls that are appropriate for
the use of information services obtained from external service
providers. Agencies should establish trust relationships with the
providers to assure that the external information systems have
implemented necessary and effective security controls. Also changes were
made to the security certification, security accreditation, user
identification and authentication, media labeling, media storage, and
media transport security controls. All of these changes are identified
in the document available on the NIST web page, summarizing the changes
that were made in Revision 1 of NIST SP 800-53.

More Information

NIST publications that support the risk management process and the
selection, implementation, and assessment of security controls include:

FIPS 199, Standards for Security Categorization of Federal Information
and Information Systems, requires agencies to categorize their
information systems as low-impact, moderate-impact, or high-impact for
the security objectives of confidentiality, integrity, and availability.

FIPS 200, Minimum Security Requirements for Federal Information and
Information Systems, specifies minimum security requirements for federal
information and information systems in seventeen security-related areas
that represent a broad-based, balanced information security program.

NIST SP 800-18, Guide for Developing Security Plans for Federal
Information Systems, assists organizations in developing security plans
that summarize the security requirements for each information system,
and identify the security controls in place or planned for meeting the
requirements.

NIST SP 800-30, Risk Management Guide for Information Technology
Systems, provides guidance to organizations in identifying the risks to
their missions brought about by the use of information systems,
assessing the risks, and taking steps to reduce the risks to an
acceptable level.

NIST SP 800-37, Guide for the Security Certification and Accreditation
of Federal Information Systems, provides guidance for the security
certification and accreditation of information systems in support of the
risk management process.

NIST SP 800-53, Recommended Security Controls for Federal Information
Systems, provides guidance in selecting, specifying, and tailoring
security controls that will provide an appropriate level of security,
based on the organization’s assessment of mission risk.

NIST SP 800-53A, Guide for Assessing the Security Controls in Federal
Information Systems, will enable organizations to develop an effective
assessment plan. The guide, which is currently available in draft form,
is expected to be completed in mid-2007.

NIST SP 800-59, Guideline for Identifying an Information System as a
National Security System, provides a checklist that enables
organizations to determine if their systems should be designated
national security systems in accordance with FISMA.

NIST SP 800-60, Guide for Mapping Types of Information and Information
Systems to Security Categories, assists organizations in identifying
information types and impact levels, and assigning impact levels for
confidentiality, integrity, and availability. The impact levels are
based on the security categorization definitions in FIPS 199.

NIST SP 800-70, Security Configuration Checklists Program for IT
Products - Guidance for Checklists Users and Developers, describes
NIST's program to facilitate the development and use of security
configuration checklists.

NIST publications assist organizations in planning and implementing a
comprehensive approach to information security. For information about
NIST standards and guidelines that are listed above, as well as other
security-related publications that support the goals of FISMA, see
NIST's web page:

http://csrc.nist.gov/publications/index.html.

Disclaimer
Any mention of commercial products or reference to commercial
organizations is for information only; it does not imply recommendation
or endorsement by NIST nor does it imply that the products mentioned are
necessarily the best available for the purpose.

Elizabeth B. Lennon
Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 975-2378

_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
 

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]