System Security Certification and Accreditation Framework (PowerPoint presentation transcript)
About This Presentation
Title: System Security Certification and Accreditation Framework
Slides: 15
Provided by: security7

Transcript and Presenter's Notes
1
System Security Certification and Accreditation
Framework
  • Stuart Katzke, Ph.D., Senior Research Scientist
    National Institute of Standards and Technology
    100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899
    (301) 975-4768, skatzke@nist.gov, fax (301) 975-4964

2
Security Certification (of an IT system)
  • The comprehensive evaluation of the management,
    operational, and technical security controls in
    an information system
  • The evaluation supports the security accreditation
    process
  • The evaluation is performed by a security expert
    (may be a contractor)
  • Assesses the effectiveness of the implemented
    security controls in a particular environment of
    operation:
    • Are the controls an acceptable set?
    • Are the controls operating as intended?
  • Determines the vulnerabilities remaining in the
    information system, based on the assessment

3
Security Accreditation (of an IT system)
  • The official management decision to authorize
    operation of an IT system
  • Residual risk is one factor in the decision
  • The authorization:
    • Is given by a senior agency official
    • Is applicable to a particular environment of
      operation of the IT system
    • Explicitly accepts the level of residual risk to
      agency operations (including mission, functions,
      image or reputation), agency assets, and
      individuals that remains after the implementation
      of an agreed-upon set of security controls in the
      IT system

4
Terminology
  • "Certification" and "accreditation" are loaded terms
  • Their use is confusing outside of the US government
  • Security certification: assessing/verifying the
    effectiveness of implemented security controls
  • Security accreditation: approval/authorization to
    operate an IT system
  • The definitions above more accurately reflect the
    concepts

5
Figure: System Security Activities (inside) within the
System Development Life Cycle (outside). Labels recovered
from the diagram:

Key: C = Certification (assess residual vulnerabilities);
A = Accreditation (assess residual risk)

SDLC phases (outer ring): Initiation;
Development/Acquisition; Implementation;
Operation/Maintenance; Disposal

Information security activities (inner ring):
  • Categorize System
  • Risk Assessment
  • Security Planning
    • Determine Security Requirements
    • Select Security Controls
  • Security Control Development
  • Developmental Security Test & Evaluation
    • Develop Security Test Plan
    • Test & Evaluate Security Controls
  • Security Control Integration
  • Security Accreditation
  • Configuration Management and Control
  • Continuous Monitoring of Security Control
    Effectiveness

C: determine control effectiveness; determine and
document residual vulnerabilities
A: assess residual risk; make accreditation
determination
6
FISMA-Related Guidance

Figure: agency information and information systems,
with the NIST publication(s) covering each activity.
Status key used in the original figure (colours not
recoverable from the transcript): Completed; In
Progress (FISMA requirement for NIST); In Progress
(OMB/FISMA general requirement).

  • FIPS 199 / SP 800-60: Categorization and Mapping of
    Information and Information Systems
    Defines categories of information and information
    systems according to levels of risk for
    confidentiality, integrity, and availability; maps
    information types to security categories
  • FIPS 200 / SP 800-53 (Interim): Security Control
    Selection and Implementation
    Minimum management, operational, and technical
    controls (i.e., safeguards and countermeasures)
    planned or in place to protect information and
    information systems
  • SP 800-30: Risk Assessment
    Analyzes the threats to and vulnerabilities of
    information systems and the potential impact or
    magnitude of harm that the loss of confidentiality,
    integrity, or availability would have on an agency's
    operations and assets
  • SP 800-18: Security Planning
    Documents the security requirements and security
    controls planned or in place for the protection of
    information and information systems
  • SP 800-37 / SP 800-53A: Verification of Security
    Control Effectiveness (Certification)
    Measures the effectiveness of the security controls
    associated with information systems through security
    testing and evaluation
  • SP 800-37: System Authorization (Accreditation)
    The authorization of information systems to process,
    store, or transmit information, granted by a senior
    agency official, based on the effectiveness of
    security controls and residual risk
7
Assurance in Information Systems (IS)
  • Building more secure systems requires:
    • Well-defined system-level security requirements
      and security specifications
    • Well-designed component products
    • Sound systems security engineering practices
    • Competent systems security engineers
    • Appropriate metrics for product/system testing,
      evaluation, and assessment
    • Comprehensive system security planning and life
      cycle management

8
Supporting Tools and Programs
  • Building more secure systems is enhanced by:
    • Standardized security requirements and
      specifications
      • U.S. Common Criteria protection profile
        development project
      • Private sector protection profile contributions
        • BITS functional packages
        • Smart Card Security Users Group (SCSUG)
        • Process Control Security Requirements Forum
          (PCSRF)
    • IT component-level product testing and evaluation
      programs
      • Common Criteria Evaluation and Validation
        Schemes (CCRA)
      • Cryptographic Module Validation Program (U.S.
        NIST/Canada CSE)
    • Security implementation guidance
      • Security Technical Implementation Guides
      • Security Reference Guides
    • System Certification and Accreditation

9
Supporting Tools and Programs

Figure: diagram relating the Laboratory Environment,
the Operational Environment, the Accreditation
Authority, Real World Threats and Vulnerabilities, and
Implementation Guidance. Elements labelled in the
diagram:
  • Risk Management
  • Security Policies
  • System Security Plan
  • Personnel Security
  • Procedural Security
  • Physical Security
  • Standards
  • Guidelines
  • Certification
  • Accreditation

10
Significance of NIST's activities to the
commercial sector (1)
  • The C&A process is applicable to both government
    and commercial sector organizations
  • NIST is working with IEEE to establish industry
    standards/guidelines based on NIST
    standards/guidelines
  • Minimum control sets/baselines incorporate
    security controls from many public and private
    sector sources:
    • CC Part 2
    • ISO/IEC 17799
    • COBIT
    • GAO FISCAM
    • NIST SP 800-26 Self-Assessment Questionnaire
    • CMS (healthcare)
    • DCID 6/3 requirements
    • DoD 8500 policy
    • BITS functional packages

11
Significance of NIST's activities to the
commercial sector (2)
  • Control sets are mapped to threat coverage
    • Can be adjusted to widen/reduce threat coverage
    • Can be adjusted based on a risk analytic process
    • A unique, ambitious attempt by NIST to do control
      mapping
  • Control sets are adaptable and adoptable by other
    communities
    • The control catalogue provides a rich set of
      controls to meet many needs
    • Communities can tailor control sets/baselines
      according to their needs
      • Healthcare (to demonstrate HIPAA compliance)
      • Other communities
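The categorization step on slide 6 (FIPS 199 / SP 800-60) and the baseline tailoring on this slide are both mechanical enough to show as code. The block below is an added illustration, not code from the presentation or from NIST: it applies the FIPS 199 high-water-mark rule to a system's information types, picks the FIPS 200 impact level, selects a baseline from a control catalogue, and tailors it while recording the threat coverage that the tailoring gives up. The information types, their impact values, and the mini catalogue (ids such as "AC-01") are constructed sample data, not the real SP 800-60 mappings or SP 800-53 baselines.

```python
"""FIPS 199 categorization, FIPS 200 impact level and baseline tailoring.

Added illustration, not code from the presentation or from NIST.  Information
types, impact values and the control catalogue below are constructed sample
data; control ids such as "AC-01" are hypothetical, not SP 800-53 content."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

# FIPS 199 impact levels, lowest to highest.  NOT_APPLICABLE is permitted only
# for the confidentiality of public information (FIPS 199, section 3.1).
LEVELS = ("NOT_APPLICABLE", "LOW", "MODERATE", "HIGH")
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}


@dataclass(frozen=True)
class SecurityCategory:
    """SC = {(confidentiality, x), (integrity, y), (availability, z)}."""
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for objective in ("confidentiality", "integrity", "availability"):
            level = getattr(self, objective)
            if level not in RANK:
                raise ValueError(f"unknown impact level {level!r}")
            if level == "NOT_APPLICABLE" and objective != "confidentiality":
                raise ValueError(f"{objective} impact cannot be NOT_APPLICABLE")


def high_water_mark(levels: Iterable[str]) -> str:
    return max(levels, key=RANK.__getitem__)


def categorize_system(info_types: Iterable[SecurityCategory]) -> SecurityCategory:
    """FIPS 199, section 3.2: for each objective the system inherits the highest
    impact of any information type it stores, processes or transmits."""
    info_types = list(info_types)
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    return SecurityCategory(
        high_water_mark(sc.confidentiality for sc in info_types),
        high_water_mark(sc.integrity for sc in info_types),
        high_water_mark(sc.availability for sc in info_types),
    )


def overall_impact_level(sc: SecurityCategory) -> str:
    """FIPS 200: the baseline is chosen by the highest of the three impacts."""
    return high_water_mark((sc.confidentiality, sc.integrity, sc.availability))


@dataclass(frozen=True)
class Control:
    cid: str
    title: str
    baseline: Optional[str]  # lowest impact level whose baseline includes it
    threats: FrozenSet[str]  # threat coverage, as on slide 11


# Constructed mini-catalogue (hypothetical ids, titles and baseline levels).
CATALOGUE = {c.cid: c for c in (
    Control("AC-01", "Account management", "LOW", frozenset({"unauthorized-access"})),
    Control("AC-02", "Privileged access review", "MODERATE", frozenset({"insider-misuse"})),
    Control("AU-01", "Audit record generation", "LOW", frozenset({"undetected-intrusion"})),
    Control("AU-02", "Audit log integrity", "HIGH", frozenset({"log-tampering"})),
    Control("SC-01", "Transmission encryption", "MODERATE", frozenset({"eavesdropping"})),
    Control("CP-01", "Alternate processing site", "HIGH", frozenset({"site-outage"})),
    Control("PE-09", "Visitor escort", None, frozenset({"physical-intrusion"})),
)}


def select_baseline(level: str) -> set:
    """Minimum control set: every control whose baseline level <= the system's."""
    return {cid for cid, c in CATALOGUE.items()
            if c.baseline is not None and RANK[c.baseline] <= RANK[level]}


def threat_coverage(control_ids: Iterable[str]) -> FrozenSet[str]:
    return frozenset().union(*(CATALOGUE[cid].threats for cid in control_ids))


def tailor(control_ids, add=(), remove=(), rationale=None):
    """Widen or narrow threat coverage from the baseline.  Removing a control
    drops coverage, so it needs a rationale; the coverage lost is returned so
    it can be recorded as residual risk for the accrediting official."""
    control_ids = set(control_ids)
    if remove and not rationale:
        raise ValueError("removing baseline controls requires a documented rationale")
    unknown = [cid for cid in list(add) + list(remove) if cid not in CATALOGUE]
    if unknown:
        raise KeyError(f"not in catalogue: {unknown}")
    tailored = (control_ids | set(add)) - set(remove)
    lost = threat_coverage(control_ids) - threat_coverage(tailored)
    return tailored, lost


def example():
    """Categorize a constructed HR portal, pick its baseline and tailor it."""
    info_types = {  # constructed SP 800-60 style impacts per information type
        "public job postings": SecurityCategory("NOT_APPLICABLE", "MODERATE", "LOW"),
        "personnel records": SecurityCategory("MODERATE", "MODERATE", "LOW"),
        "payroll feed": SecurityCategory("MODERATE", "MODERATE", "LOW"),
    }
    sc = categorize_system(info_types.values())
    level = overall_impact_level(sc)  # "MODERATE"
    baseline = select_baseline(level)
    tailored, lost = tailor(baseline, add=["AU-02"], remove=["SC-01"],
                            rationale="reachable only from an isolated network")
    return sc, level, baseline, tailored, lost


if __name__ == "__main__":
    for item in example():
        print(item)
```

The two decisions a certifier cares about fall out directly: `select_baseline` gives the "acceptable set" starting point, and `tailor` refuses to drop a control without a written rationale and hands back the threats no longer covered, which is exactly the residual risk the accrediting official has to accept explicitly.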

12
Significance of NIST's activities to the
commercial sector (3)
  • Based on expectations of wide adoption by US
    government agencies, NIST standards/guidelines
    may become the de facto due-diligence standard for
    the commercial sector
  • Will result in accredited individuals/organizations
    competent to perform system security evaluations
  • NIST invites industry review and comment on the
    applicability of NIST standards/guidelines to
    commercial sector systems
  • NIST and IEEE invite participation in security
    standardization activities

13
Contact Information
  • 100 Bureau Drive, Mailstop 8930
  • Gaithersburg, MD USA 20899-8930
  • Project Manager: Dr. Ron Ross, (301) 975-5390,
    rross@nist.gov
  • Assessment Scheme: Arnold Johnson, (301) 975-3247,
    arnold.johnson@nist.gov
  • Special Publications: Marianne Swanson,
    (301) 975-3293, marianne.swanson@nist.gov
  • Organization Accreditations: Patricia Toth,
    (301) 975-5140, patricia.toth@nist.gov
  • Gov't and Industry Outreach: Dr. Stu Katzke,
    (301) 975-4768, skatzke@nist.gov
  • Technical Advisor: Gary Stoneburner,
    (301) 975-5394, gary.stoneburner@nist.gov
  • Comments to sec-cert@nist.gov
  • World Wide Web: http://csrc.nist.gov/sec-cert

14
Contact Information
  • Stuart Katzke, Ph.D., Senior Research Scientist
    National Institute of Standards and Technology
    100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899
    (301) 975-4768, skatzke@nist.gov, fax (301) 975-4964