Security Control Families Management Class.

Date post: 26-Dec-2015
Upload: edgar-hawkins
Page 1: Security Control Families Management Class.

Security Control Families

Management Class

Security Controls Overview

| ID | Class | Family | # of | R4 |
|----|-------|--------|------|----|
| CA | Management | Security Assessment and Authorization | 6 | 6 |
| PL | Management | Planning | 5 | 3 (significant changes) |
| PM | Management | Program Management | 11 | 16 |
| RA | Management | Risk Assessment | 4 | 4 |
| SA | Management | System and Services Acquisition | 14/40 | 14 |
| AT | Operational | Awareness and Training | 5 | 5 |
| CM | Operational | Configuration Management | 9 | 11 (2 from SA) |
| CP | Operational | Contingency Planning | 10 | 10 |
| IR | Operational | Incident Response | 8 | 8 |
| MA | Operational | Maintenance | 6 | 6 |
| MP | Operational | Media Protection | 6 | 7 |
| PE | Operational | Physical and Environmental Protection | 19 | 17 |
| PS | Operational | Personnel Security | 8 | 8 |
| SI | Operational | System and Information Integrity | 13/84 | 12 |
| AC | Technical | Access Control | 19 | 16 |
| AU | Technical | Audit and Accountability | 14 | 12 |
| IA | Technical | Identification and Authentication | 8 | 8 |
| SC | Technical | System and Communications Protection | 34/75 | 24 |

Entries of the form 14/40 in the "# of" column give the family's control count followed by the total for its class (Management 40, Operational 84, Technical 75).

NIST Doc Review Strategy

- Bulleted Summaries
- Executive Summaries, Overviews, Introductions
- Table Summaries
- Graphic Summaries

(PM) Program Management

| Control | Title | Mandates, Standards, and Guidance |
|---------|-------|-----------------------------------|
| PM-2 | Senior Information Security Officer | FISMA |
| PM-3 | Information Security Resources | Clinger-Cohen, M-00-07, M-02-01, Circular A-11, SP 800-65 |
| PM-4 | Plan of Action and Milestones Process | M-02-01, SP 800-37r1 |
| PM-5 | Information System Inventory | FISMA |
| PM-6 | Information Security Measures of Performance | SP 800-55, SP 800-137 |
| PM-7 | Enterprise Architecture | Clinger-Cohen, OMB FEA, SP 800-39 |
| PM-8 | Critical Infrastructure Plan | HSPD 7, SP 800-53r3 Appendix I |
| PM-9 | Risk Management Strategy | SP 800-39, SP 800-30 |
| PM-10 | Security Authorization Process | A-130 III, SP 800-39, SP 800-37r1 Appendix F |
| PM-11 | Mission/Business Process Definition | FIPS 199, SP 800-60 |

(PM) Program Management (Cont.)

| Control | Title | Mandates, Standards, and Guidance |
|---------|-------|-----------------------------------|
| PM-12 | Insider Threat Program | Executive Order 13587 |
| PM-13 | Information Security Workforce | |
| PM-14 | Testing, Training, and Monitoring | 800-16, 800-37, 800-53A, 800-137 |
| PM-15 | Contacts with Security Groups and Associations | |
| PM-16 | Threat Awareness Program | |

XX-1 Policy & Procedures

Guidance: SP 800-12 (The Handbook), SP 800-100 (Manager's Handbook)

- AC-1 Access Control
- AT-1 Security Awareness and Training
- AU-1 Audit and Accountability
- CA-1 Security Assessment and Authorization
- CM-1 Configuration Management
- CP-1 Contingency Planning
- IA-1 Identification and Authentication
- IR-1 Incident Response
- MA-1 System Maintenance
- MP-1 Media Protection
- PE-1 Physical and Environmental Protection
- PL-1 Security Planning
- PM-1 Information Security Program Plan
- PS-1 Personnel Security
- RA-1 Risk Assessment
- SA-1 System and Services Acquisition
- SC-1 System and Communications Protection
- SI-1 System and Information Integrity

(CA) Security Assessment & Authorization

| Control | Title | Mandates, Standards, and Guidance |
|---------|-------|-----------------------------------|
| CA-2 | Security Assessments | SP 800-53a, SP 800-115 |
| CA-3 | Information System Connections | SP 800-47 |
| CA-5 | Plan of Action and Milestones | OMB M-02-01, SP 800-37r1 |
| CA-6 | Security Authorization | OMB A-130 Appendix III, SP 800-37r1 Appendix F |
| CA-7 | Continuous Monitoring | SP 800-137 |

* This control family is the RMF

(PL) Planning Family & Family Plans

| Control | Title | Mandates, Standards, and Guidance |
|---------|-------|-----------------------------------|
| PL-2 | System Security Plan | OMB A-130, SP 800-18r1 |
| PL-4 | Rules of Behavior | OMB A-130, SP 800-18r1 |
| PL-5 | Privacy Impact Assessment | E-gov Sec. 208, OMB M-03-22 |
| PL-6 | Security-Related Activity Planning | |
| PL-8 | Information Security Hardware | |

(PL) Planning Family & Family Plans (Cont.)

| Control | Plan | Mandates, Standards, and Guidance |
|---------|------|-----------------------------------|
| CA-5 | Plan of Action and Milestones | OMB M-02-01, SP 800-37 |
| CA-9 | Internal Systems Connections | SP 800-53 |
| CP-2 | Contingency Plan | FCD-1, SP 800-34 |
| CM-9 | Configuration Management Plan | SP 800-128 |
| IR-8 | Incident Response Plan | SP 800-61 |
| PM-1 | Information Security Program Plan | SP 800-18r1 |
| PM-8 | Critical Infrastructure Plan | HSPD 7 |
| RMF 4.1 | Security Assessment Plan | SP 800-53a |

Privacy Controls Overview

| ID | Class | Family |
|----|-------|--------|
| AP | Privacy | Authority and Purpose |
| AR | Privacy | Accountability, Audit, and Risk Management |
| DI | Privacy | Data Quality and Integrity |
| DM | Privacy | Data Minimization and Retention |
| IP | Privacy | Individual Participation and Redress |
| SE | Privacy | Security |
| TR | Privacy | Transparency |
| UL | Privacy | Use Limitation |

Appendix J, Privacy Control Catalog, is a new addition to NIST Special Publication 800-53. It is intended to address the privacy needs of federal agencies.

There is a strong similarity in the structure of the privacy controls in Appendix J and the security controls in Appendices F and G.

Privacy Controls Family Overview

| Control | Title | Mandates, Standards, and Guidance |
|---------|-------|-----------------------------------|
| AP-1 | Authority to Collect | OMB A-130 |
| AP-2 | Purpose Specification | |
| AR-1 | Governance Privacy Program | OMB A-130 |
| AR-2 | Privacy Impact and Risk Assessment | FISMA |
| AR-3 | Privacy Requirements for Contractors and Service Providers | OMB A-130 |
| AR-4 | Privacy Monitoring and Auditing | OMB A-130 |
| AR-5 | Privacy Awareness and Training | |
| AR-6 | Privacy Reporting | OMB A-130, FISMA |
| AR-7 | Privacy-Enhanced System Design and Development | |
| AR-8 | Accounting of Disclosures | |
| DI-1 | Data Quality | |
| DI-2 | Data Integrity and Data Integrity Board | OMB A-130 |
| DM-1 | Minimization of Personally Identifiable Information | |
| DM-2 | Data Retention and Disposal | OMB A-130, 800-88 |
| DM-3 | Minimization of PII Used in Testing, Training, and Research | 800-122 |

Privacy Controls Family Overview (Cont.)

| Control | Title | Mandates, Standards, and Guidance |
|---------|-------|-----------------------------------|
| IP-1 | Consent | OMB |
| IP-2 | Individual Access | OMB A-130 |
| IP-3 | Redress | OMB A-130 |
| IP-4 | Complaint Management | OMB A-130 |
| SE-1 | Inventory of Personally Identifiable Information | FIPS 199, OMB A-130, 800-37, 800-122 |
| SE-2 | Privacy Incident Response | FISMA, 800-37 |
| TR-1 | Privacy Notice | |
| TR-2 | System of Records Notices and Privacy Act Statements | OMB A-130 |
| TR-3 | Dissemination of Privacy Program Information | |
| UL-1 | Internal Use | |
| UL-2 | Information Sharing with Third Parties | |

(RA) Risk Assessment

| Control | Title | Mandates, Standards, and Guidance |
|---------|-------|-----------------------------------|
| RA-2 | Security Categorization | FIPS 199, SP 800-60, DHS EBK |
| RA-3 | Risk Assessment | SP 800-30, SP 800-39 |
| RA-5 | Vulnerability Scanning | SP 800-40 |

(SA) System & Services Acquisition

| Control | Title | Mandates, Standards, and Guidance |
|---------|-------|-----------------------------------|
| SA-2 | Allocation of Resources | M-00-07, Circular A-11, SP 800-65 |
| SA-3 | Life Cycle Support | M-00-07, Circular A-11, SP 800-64 |
| SA-4 | Acquisitions | SP 800-23, 800-35, 800-36 |
| SA-5 | Information System Documentation | |
| SA-6 | Software Usage Restrictions | |
| SA-7 | User-Installed Software | |
| SA-8 | Security Engineering Principles | SP 800-27 |
| SA-9 | External Information System Services | FedRAMP, SP 800-35 |
| SA-10 | Developer Configuration Management | EBK Application Security |
| SA-11 | Developer Security Testing | |
| SA-12 | Supply Chain Protection | |
| SA-13 | Trustworthiness | |

(PM) PROGRAM MANAGEMENT

Program Management Guidance

- FISMA: Information Security Act
- Clinger-Cohen Act
- HSPD 7: Critical Infrastructure
- OMB A-130 III
- M-00-07: IT Security Funding
- M-02-01: POAM
- 800-65: Capital Planning Investment Control
- 800-37r1: RMF
- 800-39: Risk Management
- 800-30: Risk Assessment
- 800-55: Performance Measurement
- 800-137: Continuous Monitoring

Knowledge Check

How well do you know your planning (PL) and program management (PM) controls? Take 5 minutes to fill in as many of the following controls as you can.

As review questions are presented, ask yourself two building-block questions:

1. What is the security control related to this question?

2. What are the mandates, standards, and guidance for the related security control?

Information Security Program Plan

- Defines Security Program Requirements
- Documents Management and Common Controls
- Defines Roles, Responsibilities, Management Commitment and Coordination
- Approved by Senior Official (AO)
- Appoint Senior Information Security Officer

Critical Infrastructure Plan

HSPD-7 Critical Infrastructure: Essential Services That Underpin American Society

Industrial Control Systems Characteristics
- Pervasive Throughout Critical Infrastructure
- Need for Real-time Response
- Extremely High Availability, Predictability, and Reliability

Meet Several and Often Conflicting Requirements
- Minimizing Risk to the Safety of the Public
- Preventing Serious Damage to Environment
- Preventing Serious Production Stoppages or Slowdowns
- Protecting Critical Infrastructure from Cyber Attacks and Human Error
- Safeguarding Against Compromise of Proprietary Information

Capital Planning & Investment Control

CPIC Defined by
- Exhibit 300 Major Investments
- Exhibit 53 Major IT Investments
- Enterprise Architecture Program

M-00-07 Incorporating and Funding Security in Information Systems Investments

M-02-01 Preparing and Submitting POAMs: Must Be Cross-Referenced With Exhibits 300 and 53

Knowledge Check

If the interconnecting systems have the same authorizing official, an Interconnection Security Agreement is not required. True or False?

Which NIST SP provides a seven-step process for integrating information security into the capital planning process?

This directive establishes a national policy for Federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attacks.

The corrective action and cost information contained in which document serve as inputs to the Exhibit 300s and are then rolled into the Exhibit 53?

Metrics Development Process

Federal Enterprise Architecture

- Performance
- Data
- Business Service
- Technical

Information Type (SP 800-60)

Core Principles of the FEA

- Business-driven
- Proactive and collaborative across the Federal government
- Architecture improves the effectiveness and efficiency of government information resources

Defining Mission/Business Processes

Defines mission/business processes with consideration for information security and the resulting risk to the organization;

Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs is obtained.

(RA) RISK ASSESSMENT

Risk Assessment Guidance

- FIPS 199: Categorization Standard
- EBK Data Security (Security Objectives: CIA)
- 800-60: Mapping Information Types
- 800-39: Risk Management
- 800-30: Risk Assessment
- 800-40: Patch & Vulnerability Management

Knowledge Check

How well do you know your risk assessment (RA) and security assessment and authorization (CA) controls? Take 2 minutes to fill in as many as you can.

Changing Guidance on Risk Assessment

The Original SP 800-30: Risk Management for IT Systems
- Risk Assessment
- Risk Mitigation
- Risk Evaluation

SP 800-39: Managing Information Security Risk, Organization, Mission, and Information System View

SP 800-30 Rev 1: Guide for Conducting Risk Assessments

Patch and Vulnerability Management Program

- Create a System Inventory
- Monitor for Vulnerabilities, Remediations, and Threats
- Prioritize Vulnerability Remediation
- Create an Organization-Specific Remediation Database
- Conduct Generic Testing of Remediations
- Deploy Vulnerability Remediations
- Distribute Vulnerability and Remediation Information to Local Administrators
- Perform Automated Deployment of Patches
- Configure Automatic Update of Applications Whenever Possible and Appropriate
- Verify Vulnerability Remediation Through Network and Host Vulnerability Scanning
- Vulnerability Remediation Training

Knowledge Check

In which NIST special publication might you find guidance for the performance measurement of information systems?

Which FEA reference model was used to create the guide for mapping information types to security categories, in support of the first step of the Risk Management Framework?

What is the name of the security control, represented by the control ID RA-3, which must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework?

Where can information about vulnerabilities be found?

How well do you know your Systems & Services Acquisition (SA) controls? [5 minutes… go!]

(SA) SYSTEM & SERVICES ACQUISITION

System & Services Acquisition Guidance

M-00-07 Incorporating and Funding Security in Information Systems Investments

Circular A-11 The Budget
- Exhibit 300: Planning, Budgeting, Acquisition, and Management of Information Technology Capital Assets
  - 300A Detailed Justifications of Major "IT Investments"
  - 300B Project Life Cycle Management
- Enterprise Architecture
- IT Capital Planning and Control Process (800-65 CPIC)

Development
- 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems
- 800-27 Engineering Principles
- 800-64 SDLC

Acquisition
- 800-23 Acquisition of Evaluated IT Products
- 800-36 Selecting Security Products
- 800-35 Selecting Security Services

IT Security Principles

Security Foundation
- Establish a sound security policy as the "foundation" for design
- Treat security as an integral part of the overall system design
- Clearly delineate the physical and logical security boundaries governed by associated security policies
- Ensure that developers are trained in how to develop secure software

Risk Based
- Reduce risk to an acceptable level
- Assume that external systems are insecure
- Identify potential trade-offs between reducing risk and increased costs and decrease in other aspects of operational effectiveness
- Implement tailored system security measures to meet organizational security goals
- Protect information while being processed, in transit, and in storage
- Consider custom products to achieve adequate security
- Protect against all likely classes of "attacks"

Considerations for Acquiring Information Security Products

Security Product Testing Security Checklists for IT Products

Security Product Testing

Product categories:
- Identification and Authentication
- Access Control
- Intrusion Detection
- Firewall
- Public Key Infrastructure
- Malicious Code Protection
- Vulnerability Scanners
- Forensics
- Media Sanitizing

1. Common Criteria Evaluation and Validation Scheme

2. NIST Cryptographic Module Validation Program

National Checklists Program

Management Security Controls Key Concepts & Vocabulary

- XX-1 Policy & Procedures
- CA: Security Assessment and Authorization
- PL: Planning Family & Family Plans
  - Information Security Program Plan (PM)
  - Critical Infrastructure Plan (HSPD 7)
- PM: Program Management
  - Capital Planning and Investment Control (SP 800-65)
  - Measures of Performance (SP 800-55)
  - Enterprise Architecture (FEA BRM)
- RA: Risk Assessment
  - Security Categorization
  - Risk & Vulnerability Assessments
- SA: System and Services Acquisition

Questions?
