Securing and managing agency mobile apps.
WEBINAR, THU 11/10, Complimentary, CPEs
This important video webinar will explore how mobile apps
rapidly expand in agency networks and how agency experts
limit security risks while they manage mobile Web devices
to drive agency productivity and mission achievement.
REGISTRATION AND INFO
ALTERNATE REGISTRATION LINK: http://www.FedInsider.com
The Framework for Mobile Security in Government
DATE: THU 11/10
TIME: 2:00 PM ET / 11:00 AM PT
DURATION: 1 hour
CPE: 1 CPE from the George Washington University,
Center for Excellence in Public Leadership
– JON JOHNSON, Enterprise Mobility Team Manager, GSA
– VINCENT SRITAPAN, Program Manager, Cyber Security
Division, DHS Science and Technology (S&T) Directorate
– JOSHUA FRANKLIN, Information Security Engineer, NIST
– JOHNNY OVERCAST, Director of Government Sales, Samsung
– TOM TEMIN, Host and Managing Editor, The Federal Drive,
Federal News Radio 1500 AM
PRESENTED BY: WTOP, Federal News Radio, FedInsider News,
and The George Washington University Center for
Excellence in Public Leadership
CART services provided for captioning for all webinars.
Looking forward to meeting you online!
Peg Hosky, President
3811 Massachusetts Avenue NW
Washington DC 20016
Who Creates and/or Manages the NIST 800?
NIST 800 is a well-thought-out set of federal security standards that DoD and the intelligence community are moving to. It aligns with the International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) 27001:2005 standard for an Information Security Management System (ISMS).
NIST 800 is updated and revised by the following organizations:
- Joint Task Force Transformation Initiative Interagency (JTFTI) Working Group
- National Institute of Standards and Technology (NIST)
The JTFTI is made up of members from the Civil, Defense, and Intelligence Communities. This working group reviews and updates the following documents:
- NIST Special Publication 800-37, Revision 1 Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
- NIST Special Publication 800-39, Enterprise-Wide Risk Management: Organization, Mission, and Information Systems View
- NIST Special Publication 800-53, Revision 3 Recommended Security Controls for Federal Information Systems and Organizations
- NIST Special Publication 800-53A, Revision 1 Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
These core documents are the standard for how to implement FISMA. The organization has done a good job of keeping NIST 800 in line with the international ISO 27001 standard. The JTFTI is made up of ODNI, DoD, and CNSS. The documents are also publicly vetted.
Office of the Director of National Intelligence (ODNI)
The DNI is a position required by the Intelligence Reform and Terrorism Prevention Act of 2004. This office serves as adviser to the President, the Homeland Security Council and the National Security Council, and heads the Intelligence Community as Director of National Intelligence.
Department of Defense (DoD)
DoD is composed of (but not limited to) the USAF, US Army, DON and the Marines. It is the most powerful military organization in recorded history.
Committee on National Security Systems (CNSS)
This committee was created to satisfy National Security Directive 42, “National Policy for the Security of National Security Telecommunications and Information Systems”. The group has representatives from NSA, CIA, FBI, DOD, DOJ and DIA and is focused on protecting US critical infrastructure.
Public (review and vetting) – the draft is posted online on NIST.gov
Scadahacker – mappings of NIST controls to international standards
DIACAP is transitioning from a Certification and Accreditation process to a Risk Management Framework. Most of the new Risk Management Framework is in NIST Special Publication 800-37. The old NIST SP 800-37 was also based on Certification and Accreditation. After FISMA 2002, it was adjusted to a Risk Management Framework in NIST SP 800-37 Rev 1, Guide for Applying the Risk Management Framework to Federal Information Systems.
The move from NIST SP 800-37 to SP 800-37 Rev 1 transformed a Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF). The changes included:
- A revised process that emphasizes:
  - Building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls
  - Maintaining awareness of the security state of information systems on an ongoing basis through enhanced monitoring processes
  - Providing essential information to senior leaders to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the operation and use of information systems
Information Assurance is based on obtaining a high level of confidence in information’s confidentiality, integrity, and availability. Some organizations deal with “critical information”: banking transactions, classified data, or information that is evidence in an ongoing investigation. Companies, unions and governments that handle this kind of information usually have a lot of exposure because they are handling public data, shareholder data and employee data, and are doing a lot of transmission across untrusted networks such as the Internet. With critical information and high exposure, these organizations MUST have “approved processes” for vetting, testing and validating “approved software” and “approved systems”.
For example, in the Department of Defense there are many lists of approved software. These lists are per command within larger organizations. One overarching process/list is the Common Criteria:
Common Criteria is an international standard for validating the technical security built into the security features of information systems. The international standard is known as ISO/IEC 15408.
This standard is used by many large organizations all over the world that serve the public.
Each organization has its own specific security needs, so most of the time they have many levels of application approval and process:
NSA / DOD / US Gov – www.niap-ccevs.org – National Information Assurance Partnership (NIAP) uses Common Criteria Evaluation and Validation Scheme (CCEVS) to ensure that only approved Information Assurance (IA) and IA-Enabled Information Technology (IT) products are used
Canadian Trusted Computer Product Evaluation Criteria
UK – http://www.cesg.gov.uk/servicecatalogue/ccitsec
Commercial organizations that want their products used by organizations processing and storing critical information must submit to Common Criteria as well:
Apple – https://ssl.apple.com/support/security/commoncriteria/
Microsoft – http://www.microsoft.com/en-us/sqlserver/common-criteria.aspx
Xerox – Common Criteria
Citrix – http://www.citrix.com/support/security-compliance/common-criteria.html
Cisco – Cisco Common Criteria
EMC – Common Criteria
Organizational units also have their own criteria for approved applications and systems:
US Army – Army CHESS
US Air Force – AF E/APL – Certified Air Force Evaluated Approved Product List
The certification and accreditation process for national security systems is to extend to the rest of government. A two-year-old effort to standardize processes for certifying and accrediting government IT systems could soon bear fruit, according to officials from several agencies.
The Committee on National Security Systems is preparing instructions for implementing a unified certification and accreditation (C&A) process that could be used on all national security systems, including those in the Defense Department and intelligence community, said Tony Cornish, chairman of the CNSS’ C&A working group.
At the same time, the National Institute of Standards and Technology plans to update its C&A guidance for systems covered by the Federal Information Security Management Act, said Ron Ross, a senior computer scientist and FISMA implementation lead at NIST.
“We are very close to producing a unified C&A process for the entire federal government,” Ross said in July at a government security symposium hosted by Symantec. “Within the next six to eight months, you are going to see a plethora of new things coming out” from CNSS and NIST.
CNSS’ instructions will be incorporated into NIST guidelines in its 800 series of special publications. Ross said a major update of SP 800-53 Rev. 2, “Recommended Security Controls for Federal Information Systems,” is expected in December, and a draft of the first revision of SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems,” is expected to be released for comment soon.
A single, governmentwide approach would make it easier for agencies to share data and cooperate with one another and with states, foreign allies and the private sector.
It could enable reciprocity, or the acceptance of other agencies’ C&A processes, without requiring recertification, and also could streamline acquisition processes by making it easier for vendors and developers to meet one set of standards.
C&A is a process for ensuring that IT systems are operating with an appropriate level of security. In the certification phase, the security of the system is documented; for accreditation, a designated authority signs off on the system’s fitness to go into operation. The concept has been around for some time, but there has been little standardization.
“In the past, we each had our own set of policies, and we didn’t look at each other’s,” said Sherrill Nicely, deputy associate director of national intelligence at the Office of the Director of National Intelligence.
FISMA requires C&A of information technology systems, but that does not apply to national security systems. And within the national security community, the military and intelligence sectors each have had their own way of doing things.
“Since about 1993, the Defense Department had its program, the Defense IT Security Certification and Accreditation Process,” said Eustace King, DOD chief of acquisition and technology oversight. “It worked pretty well” in a time before DOD’s emphasis on network-centric systems and information sharing, but it lacked enterprise visibility.
That C&A program was replaced with the Defense Information Assurance Certification and Accreditation Process. DOD was moving to the program in 2006 to harmonize military and intelligence processes when, a year later, it was expanded to include the rest of the national security community by bringing in the CNSS.
Through NIST, C&A procedures eventually will be standardized across all of government. However, policies do not change mind-sets, and old habits still remain one of the primary challenges to a standardized process. At DOD, there is a reluctance to accept reciprocity — that is, to give full credit to another agency’s C&A process without recertification, King said.
The intelligence community faces a similar hurdle, said Sharon Ehlers, an assistant deputy associate director of national intelligence.
“The cultural change has been the biggest challenge,” Ehlers said. “When it is not invented here, people don’t want to look at it.”