Transcription
Impact Levels and Security ControlsUnderstanding FIPS 199, FIPS 200 and SP 800-53NIST Cryptographic Key Management WorkshopMarch 5, 2014Dr. Ron RossComputer Security DivisionInformation Technology LaboratoryNATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY1
STRATEGIC (EXECUTIVE) RISK FOCUSCommunicating and sharingrisk-related information fromthe strategic to tactical level,that is from the executives tothe operators.TIER 1Organization(Governance)Communicating and sharingrisk-related information fromthe tactical to strategic level,that is from the operators tothe executives.TIER 2Mission / Business Process(Information and Information Flows)TIER 3Information System(Environment of Operation)TACTICAL (OPERATIONAL) RISK FOCUSNATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY2
Risk Management FrameworkStarting PointCATEGORIZEInformation SystemMONITORSecurity ControlsContinuously track changes to theinformation system that may affectsecurity controls and reassesscontrol effectiveness.Define criticality/sensitivity ofinformation system according topotential worst-case, adverseimpact to mission/business.Security Life CycleSELECTSecurity ControlsSelect baseline security controls;apply tailoring guidance andsupplement controls as neededbased on risk assessment.AUTHORIZEIMPLEMENTInformation SystemSecurity ControlsDetermine risk to organizationaloperations and assets, individuals,other organizations, and the Nation;if acceptable, authorize operation.Implement security controls withinenterprise architecture using soundsystems engineering practices; applysecurity configuration settings.ASSESSSecurity ControlsDetermine security control effectiveness(i.e., controls implemented correctly,operating as intended, meeting securityrequirements for information system).NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY3
FIPS 199 Security Objectives CONFIDENTIALITY “Preserving authorized restrictions on information access and disclosure,including means for protecting personal privacy and proprietary information ” A loss of confidentiality is the unauthorized disclosure of information INTEGRITY “Guarding against improper information modification or destruction, andincludes ensuring information non-repudiation and authenticity ” A loss of integrity is the unauthorized modification or destruction of information AVAILABILITY “Ensuring timely and reliable access to and use of information ” A loss of availability is the disruption of access to or use of information or aninformation systemNATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY4
Security CategorizationGuidance forMappingTypes ofInformationandInformationSystems toFIPS 199SecurityCategoriesSP 800-60FIPS 199LOWMODERATEHIGHConfidentialityThe loss of confidentialitycould be expected to havea limited adverse effecton organizationaloperations, organizationalassets, or individuals.The loss of confidentialitycould be expected to havea serious adverse effecton organizationaloperations, organizationalassets, or individuals.The loss of confidentialitycould be expected to havea severe or catastrophicadverse effect onorganizational operations,organizational assets, orindividuals.IntegrityThe loss of integrity couldbe expected to have alimited adverse effect onorganizational operations,organizational assets, orindividuals.The loss of integrity couldbe expected to have aserious adverse effect onorganizational operations,organizational assets, orindividuals.The loss of integrity couldbe expected to have asevere or catastrophicadverse effect onorganizational operations,organizational assets, orindividuals.AvailabilityThe loss of availabilitycould be expected to havea limited adverse effecton organizationaloperations, organizationalassets, or individuals.The loss of availabilitycould be expected to havea serious adverse effecton organizationaloperations, organizationalassets, or individuals.The loss of availabilitycould be expected to havea severe or catastrophicadverse effect onorganizational operations,organizational assets, orindividuals.NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGYBaseline SecurityControls for HighImpact Systems5
Security ControlsThe safeguards or countermeasures prescribed for aninformation system to protect the confidentiality, integrity,and availability of the system and its information.NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY6
Security ControlsProvide functionality and assurance.FUNCTIONALITYWhat is observable behind the wall.ASSURANCEWhat is observable in front of the wall.NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY7
Assurance and TrustworthinessTRUSTWORTHINESSFacilitates risk response to a variety of threats, includinghostile cyber attacks, natural disasters, structural failures,and human errors, both intentional and unintentional.(Systems and Components)EnablesSecurity RequirementsDerived from Laws, E.O., Policies, Directives,Instructions, Mission/Business Needs, StandardsSatisfiesPromotes Traceabilityfrom Requirements toCapability to Functionalitywith Degree of AssuranceSecurity CapabilityMutually Reinforcing Security Controls(Technical, Physical, Procedural Means)ProducesSecurity AssuranceProvidesConfidenceInSecurity FunctionalityFeatures, Functions, Services,Mechanisms, Processes, Procedures(Functionality-Related Controls)NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGYDevelopmental/Operational Actions(Assurance-Related Controls)GeneratesSecurity EvidenceDevelopment Artifacts, Flaw Reports,Assessment Results, Scan Results,Integrity Checks, Configuration Settings8
NIST SP 800-53 Security Control LYAccess ControlAwareness and TrainingAudit and AccountabilitySecurity Assessment and AuthorizationConfiguration ManagementContingency PlanningIdentification and AuthenticationIncident ResponseMaintenanceMedia ProtectionPhysical and Environmental ProtectionPlanningPersonnel SecurityRisk AssessmentSystem and Services AcquisitionSystem and Communications ProtectionSystem and Information IntegrityProgram ManagementNATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY9
Control Naming ConventionAC-9 PREVIOUS LOGON (ACCESS) NOTIFICATIONControl: The information system notifies the user, upon successfulinteractive logon (access) to the system, of the date and time of the lastlogon (access).Supplemental Guidance: This control is intended to cover both traditionallogons to information systems and accesses to systems that occur in othertypes of architectural configurations (e.g., service oriented architectures).Related controls: AC-7, PL-4.Control Enhancements:(1)PREVIOUS LOGON NOTIFICATION UNSUCCESSFUL LOGONsThe information system notifies the user, upon successful logon/access, ofthe number of unsuccessful logon/access attempts since the last successfullogon/access.(2)PREVIOUS LOGON NOTIFICATION SUCCESSFUL/UNSUCCESSFUL LOGONSThe information system notifies the user of the number of [Selection:successful logons/accesses; unsuccessful logon/access attempts; both]during [Assignment: organization-defined time period].NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY10
Security Control Baselines Starting point for the security control selection process. Chosen based on the security category and associatedimpact level of the information system determined inaccordance with FIPS 199 and FIPS 200, respectively. Three sets of baseline controls have been identifiedcorresponding to low-impact, moderate-impact, andhigh-impact information system levels. Appendix D provides a listing of baseline securitycontrols.NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY11
Security Control Baselines Baselines are determined by: Information and system categorization (L, M, H) Organizational risk assessment and risk tolerance System level risk assessment Baselines can be tailored: Instantiate parameters in controls Implement scoping considerations and compensating controls Supplement by with additional controls/enhancements.NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY12
Clarification of Term BaselineThe use of the term baseline is intentional. Thesecurity controls and control enhancements listedin the initial baselines are not a minimum—but rather a proposed starting point from whichcontrols and controls enhancements may beremoved or added based on the tailoring guidancein Section 3.2.Specialization of security plans is the objective NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY13
Tailoring Security ControlsScoping, Parameterization, and Compensating ControlsBaseline Security ControlsBaseline Security ControlsBaseline Security ControlsLow ImpactInformation SystemsModerate ImpactInformation SystemsHigh ImpactInformation SystemsLowBaselineTailored BaselineModerateBaselineTailored BaselineHighBaselineTailored BaselineA cost effective, risk-based approach to achievingadequate information security NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY14
Expanded Tailoring Guidance(1 of 2) Identifying and designating common controls in initialsecurity control baselines. Applying scoping considerations to the remainingbaseline security controls. Selecting compensating security controls, if needed. Assigning specific values to organization-definedsecurity control parameters via explicit assignment andselection statements.NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY15
Expanded Tailoring Guidance(2 of 2) Supplementing baselines with additional securitycontrols and control enhancements, if needed. Providing additional specification information forcontrol implementation.NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY16
Tailoring the BaselineTailoring GuidanceINITIALSECURITYCONTROLBASELINE(Low, Mod, High) Identifying and Designating Common ControlsApplying Scoping ConsiderationsSelecting Compensating ControlsAssigning Security Control Parameter ValuesSupplementing Baseline Security ControlsProviding Additional Specification Informationfor ImplementationBefore TailoringTAILOREDSECURITYCONTROLBASELINE(Low, Mod, High)After TailoringAssessment of Organizational RiskDOCUMENT SECURITY CONTROL DECISIONSRationale that the agreed-upon set of security controls for the information system provide adequateprotection of organizational operations and assets, individuals, other organizations, and the Nation.Document risk management decisions made during the tailoringprocess to provide information necessary for authorizing officialsto make risk-based authorization decisions.NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY17
CONTROL NAMEControl Enhancement NameASSURANCECNTLNO.WITHDRAWNTables in SP 800-53 Appendix DCONTROL BASELINESLOWMODHIGHPL-1Security Planning Policy and ProceduresAxxxPL-2System Security PlanAxxxPL-2 (1)SYSTEM SECURITY PLAN CONCEPT OF OPERATIONSWIncorporated into PL-7.PL-2 (2)SYSTEM SECURITY PLAN FUNCTIONAL ARCHITECTUREWIncorporated into PL-8.PL-2 (3)SYSTEM SECURITY PLAN PLAN / COORDINATE WITH OTHERORGANIZATIONAL ENTITIESWPL-3System Security Plan UpdatePL-4Rules of BehaviorARULES OF BEHAVIOR SOCIAL MEDIA AND NETWORKINGRESTRICTIONSAPL-4 (1)xAxIncorporated into PL-2.xxxxxPL-5Privacy Impact AssessmentWIncorporated into Appendix J, AR-2.PL-6Security-Related Activity PlanningWIncorporated into PL-2.PL-7Security Concept of OperationsPL-8Security ArchitectureNATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY18
Contact Information100 Bureau Drive Mailstop 8930Gaithersburg, MD USA 20899-8930Project LeaderAdministrative SupportDr. Ron Ross(301) 975-5390ron.ross@nist.govPeggy Himes(301) 975-2489peggy.himes@nist.govSenior Information Security Researchers and Technical SupportKelley Dempsey(301) 975-2827kelley.dempsey@nist.govArnold Johnson(301) 975-3247arnold.johnson@nist.govPat Toth(301) 975-5140patricia.toth@nist.govWeb: csrc.nist.gov/sec-certNATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGYComments: sec-cert@nist.gov19
Cryptographic Key Management Workshop - March 2014 Author: NIST - Computer Security Division Subject: Cryptographic Key Management Workshop - March 2014 Keywords: cryptographic; key management; measures; security controls; data sensitivity; NIST SP 800-152; Federal CKMS Created Date: 3/6/2014 8:37:49 AM
