Tag: fisma 2013

  • diacap to diarmf: C&A vs RMF

    DIACAP is transitioning from a Certification and Accreditation (C&A) process to a Risk Management Framework (RMF).  Most of the new Risk Management Framework is in NIST Special Publication 800-37.  The original NIST SP 800-37 was also based on Certification and Accreditation.  After FISMA 2002, it was revised into a Risk Management Framework in NIST SP 800-37 Rev 1, Guide for Applying the Risk Management Framework to Federal Information Systems.


    The move from NIST SP 800-37 to SP 800-37 Rev 1 transformed the Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF).  The revised process emphasizes:

    1. Building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls
    2. Maintaining awareness of the security state of information systems on an ongoing basis through enhanced monitoring processes
    3. Providing essential information to senior leaders to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the operation and use of information systems
  • diacap to diarmf: FISMA 2013

    The Federal Information Security Amendments Act, H.R. 1163, amends the Federal Information Security Management Act of 2002 (FISMA).

    Main Points of FISMA 2002:

    • Cost-effectively reduce information technology security risks
    • Vulnerability Database System
    • Maintain an inventory of major information systems
    • Security Categorization of Federal IS by risk levels
    • Minimum security requirements
    • System Security planning process
    • Annual review of assigned IS compliance
    • Risk Management


    The amendment makes a few big changes to the previous 2002 version that will affect federal agencies.  But the two main ones that stood out for me are the emphasis on automation and the CISO position.

    The FISMA Amendment was passed by the House of Representatives (4 April 2013) but must still pass the Senate and be signed into law by the President.


    1 – Continuous monitoring / automation of everything – FISMA 2013 requires continuous monitoring (automation) and regular cyberthreat assessments to give federal organizations better oversight.

    Security Incidents – Security incidents are automatically detected with tools like McAfee Network Security Platform (IPS), Sourcefire Snort (IDS), McAfee ePO and Cisco IDS.  With the right people to manage the signatures and the configuration, these are great products.  Once an incident is detected you can then do incident handling with something like Remedy.  FISMA 2013: “with a frequency sufficient to support risk-based security decisions, automated and continuous monitoring, when possible, for detecting, reporting, and responding to security incidents, consistent with standards and guidelines issued by the National Institute of Standards and Technology”

    Information Systems Security – Vulnerability scanners such as Retina and Tenable’s Nessus are good at automatically checking whether security controls and policies are actually in place within an agency.  Change Auditor and similar tools can detect changes to GPOs within a domain.  FISMA 2013: “with a frequency sufficient to support risk-based security decisions, automated and continuous monitoring, when possible, for testing and evaluation of the effectiveness and compliance of information security policies, procedures, and practices, including…” security controls

    Risk Level & Impact of Harm – McAfee ESM and ArcSight are good at pulling in the data from the security tools that detect security events, evaluating the risk level and giving a measure of the possible harm to an asset.  FISMA 2013: “automated and continuous monitoring, when possible, of the risk and magnitude of the harm that could result from the disruption or unauthorized access, use, disclosure, modification, or destruction of information and information systems that support the operations and assets of the agency;”

    Detection/Correlation – this one could be grouped with Security Incidents, but that section is more about incident handling.  ArcSight, McAfee, LogRhythm, LogLogic, AlienVault and other Security Information and Event Management (SIEM) products do correlation automatically.  FISMA 2013: “efficiently detect, correlate, respond to, contain, mitigate, and remediate incidents that impair the adequate security of the information systems of more than one agency. To the extent practicable, the capability shall be continuous and technically automated.”
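    As an added example of the correlation and risk weighting described in the four points above (it is not code from the original post, from the bill, or from any of the products named), the following Python script joins constructed IDS alerts to constructed vulnerability-scan findings per host and weights the result by each asset's FIPS 199-style impact category, so the highest-risk hosts surface first. Hostnames, vulnerability identifiers, severity-to-CVSS scaling and the impact weights are all assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample asset inventory: host -> impact category from the
# agency's security categorization (low / moderate / high). Not real data.
ASSET_INVENTORY = {
    "web01": "high",
    "file02": "moderate",
    "kiosk03": "low",
}

# Assumed weights: harm to a high-impact asset counts three times as much.
IMPACT_WEIGHT = {"low": 1, "moderate": 2, "high": 3}

# Constructed IDS alerts. "cve" is the vulnerability the signature targets
# (None when the rule is just reconnaissance/policy), severity runs 1..4.
IDS_ALERTS = [
    {"host": "web01", "sig": "EXAMPLE WEB app-server remote code exec attempt",
     "cve": "EXAMPLE-VULN-1", "severity": 4},
    {"host": "kiosk03", "sig": "EXAMPLE SCAN port sweep", "cve": None, "severity": 1},
    {"host": "file02", "sig": "EXAMPLE POLICY admin share access", "cve": None, "severity": 2},
]

# Constructed vulnerability-scan findings with a CVSS base score (0..10).
SCAN_FINDINGS = [
    {"host": "web01", "cve": "EXAMPLE-VULN-1", "cvss": 9.3},
    {"host": "file02", "cve": "EXAMPLE-VULN-2", "cvss": 10.0},
]


def correlate(alerts, findings, inventory):
    """Join each IDS alert to the scan findings for the same host.

    An alert whose signature targets a vulnerability the scanner confirmed on
    that host is escalated to an 'incident'; everything else stays an 'event'.
    The score is the worse of (alert severity scaled to 0..10) and the CVSS of
    the confirmed vulnerability, multiplied by the asset's impact weight.
    """
    findings_by_host = defaultdict(dict)
    for f in findings:
        findings_by_host[f["host"]][f["cve"]] = f["cvss"]

    records = []
    for a in alerts:
        host = a["host"]
        # Assumption: an asset missing from the inventory is treated as moderate.
        impact = inventory.get(host, "moderate")
        matched = a["cve"] is not None and a["cve"] in findings_by_host[host]
        base = a["severity"] * 2.5          # map severity 1..4 onto 0..10
        if matched:
            base = max(base, findings_by_host[host][a["cve"]])
        records.append({
            "host": host,
            "sig": a["sig"],
            "impact": impact,
            "status": "incident" if matched else "event",
            "score": round(base * IMPACT_WEIGHT[impact], 1),
        })
    return sorted(records, key=lambda r: r["score"], reverse=True)


def unmatched_exposure(alerts, findings):
    """Scan findings with no matching IDS alert: exposed but not yet attacked.

    These are the items a continuous-monitoring report still has to carry,
    because the absence of an alert is not evidence of remediation.
    """
    alerted = {(a["host"], a["cve"]) for a in alerts if a["cve"]}
    return [f for f in findings if (f["host"], f["cve"]) not in alerted]


if __name__ == "__main__":
    for r in correlate(IDS_ALERTS, SCAN_FINDINGS, ASSET_INVENTORY):
        print(f"{r['score']:5.1f} {r['status']:8s} {r['host']:8s} [{r['impact']}] {r['sig']}")
    for f in unmatched_exposure(IDS_ALERTS, SCAN_FINDINGS):
        print(f"exposure {f['host']:8s} {f['cve']} cvss={f['cvss']}")
```

    Run as-is it prints the high-impact web server first, as an incident, because the alert and the scanner agree on the same weakness; the file server's unexploited finding shows up separately as exposure rather than disappearing from the view.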

    2 – CISO positions and responsibilities backed by law – The amendment holds each department head accountable for information security.  In the DoD Information Assurance Risk Management Framework (DIARMF) this department head is known as the Authorizing Official (AO), called the Designated Accrediting Authority (DAA) in DIACAP.  FISMA 2013 requires the AO to have a Chief Information Security Officer (CISO).  This position already exists under the Risk Management Framework; the DoD has referred to it as the Senior Information Assurance Officer (SIAO) in DIACAP.  Under FISMA 2013, the CISO/SIAO must have the qualifications to implement the agency-wide security program for which they are responsible and must report directly to the AO.

    The CISO/SIAO will also be responsible for the automated security systems: developing, maintaining and overseeing them.

    FISMA 2013 also aims to minimize the risk of cyberattacks by calling for penetration testing.

    Overall, the amendment makes automation a requirement, which is the direction information security has already been heading, and puts more emphasis on the CISO.  The amendments mirror the changes from DIACAP to DIARMF, since many of them are already in the NIST 800 series on which DIARMF is based.

    source:
    http://beta.congress.gov/bill/113th/house-bill/1163/text