[ISN] ITL Bulletin for March 2004

InfoSec News isn at c4i.org
Thu Mar 25 05:44:27 EST 2004


Forwarded from: Elizabeth Lennon <elizabeth.lennon at nist.gov>

ITL Bulletin, March 2004

FEDERAL INFORMATION PROCESSING STANDARD (FIPS) 199, 
STANDARDS FOR SECURITY CATEGORIZATION OF FEDERAL 
INFORMATION AND INFORMATION SYSTEMS

Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

A new Federal Information Processing Standard (FIPS), recently
approved by the Secretary of Commerce, will help federal agencies
protect the information and information systems that support their
operations and assets. FIPS 199, Standards for Security Categorization
of Federal Information and Information Systems, is an important
component of a suite of standards and guidelines that NIST is
developing to improve the security in federal information systems,
including those systems that are part of the nation's critical
infrastructure. (See listing of these planned publications at the end
of this bulletin.)

FIPS 199 will enable agencies to meet the requirements of the Federal
Information Security Management Act (FISMA) and improve the security
of federal information systems. The security standard will also make
it possible for federal agencies to establish priorities for
protecting their information systems, ranging from very sensitive,
mission-critical operations to lower-priority systems performing less
critical operations.  Background information on NIST's efforts to
provide the security standards, guidelines, and technical tools for
implementing FISMA is available at:  
http://csrc.nist.gov/sec-cert/ca-background.html.

FIPS 199 was approved after an open public review and comment process
that included notices published in the Federal Register and posted on
the NIST website. Comments and recommendations were received from more
than thirty individuals and groups. The new FIPS 199 is available
electronically at: http://csrc.nist.gov/publications/fips.

Applicability of FIPS 199
FIPS 199 is effective immediately and applies to:

All information within the federal government other than that
information that has been determined pursuant to Executive Order
12958, as amended by Executive Order 13292, or any predecessor order,
or by the Atomic Energy Act of 1954, as amended, to require protection
against unauthorized disclosure and is marked to indicate its
classified status; and

All federal information systems other than those information systems
designated as national security systems as defined in 44 United States
Code Section 3542(b)(2).

Why Security Categorization Standards Are Needed

FISMA, Title III of the E-Government Act of 2002 (Public Law 107-347),
was passed by the one hundred and seventh Congress and signed into law
by the President in December 2002. This legislation recognizes the
importance of information security to the economic and national
security interests of the United States, and tasked NIST with
responsibilities for standards and guidelines, including the
development of:

* Standards to be used by all federal agencies to categorize all
information and information systems collected or maintained by or on
behalf of each agency based on the objectives of providing appropriate
levels of information security according to a range of risk levels;

* Guidelines recommending the types of information and information
systems to be included in each category; and

* Minimum information security requirements (i.e., management,
operational, and technical controls) for information and information
systems in each such category.

By providing a common framework and method for categorizing
information and information systems, FIPS 199 responds to the first
task assigned to NIST. Use of this standard will enable agencies to
identify and prioritize their most important information and
information systems by defining the maximum impact a breach in
confidentiality, integrity, or availability could have on the agency's
operations, assets, and/or individuals.

A FIPS 199 security categorization serves as the starting point for
the selection of security controls for an agency's information
system-controls that are commensurate with the importance of the
information and information system to the agency. Additional NIST
guidance will instruct agencies how to use FIPS 199 to select minimum
security controls for an information system and subsequently assess
the controls to determine the extent to which the controls are
implemented correctly, operating as intended, and producing the
desired outcome with respect to meeting the security requirements of
the system. The standard also promotes more effective management,
oversight, and expenditure of agency information security resources
and more consistent reporting on the agency's security accomplishments
to the Office of Management and Budget (OMB) and to the Congress.
Future NIST standards and guidelines will focus on the second and
third tasks above.

A Risk-Based Approach

FISMA and earlier legislation, the Information Technology Management
Reform Act of 1996 (Clinger-Cohen Act), provide for a risk-based
approach to information security.  OMB provides guidance in its
Circular A-130, Appendix III, on carrying out the risk-based approach
and requires agencies to:

* Plan for adequate security of each information systems as 
  part of the agency management and planning processes,

* Ensure that appropriate officials are assigned 
  responsibilities for security,

* Periodically review the security controls in their 
  information systems, and

* Authorize system processing prior to operations, and 
  periodically thereafter.

The objective is to conduct agency operations and accomplish agency
missions with adequate security or security commensurate with risk,
considering threats, vulnerabilities, value of the information system
or application, and the effectiveness of current or proposed security
controls. The risk-based approach should be applied throughout the
System Development Life Cycle (SDLC).

Security Objectives, Impact Levels, and Security Categorization

FIPS 199 is predicated on a simple and well-established
concept-determining appropriate priorities for agency information
systems and subsequently applying appropriate measures to adequately
protect those systems. The security controls applied to a particular
information system should be commensurate with the system's
criticality and sensitivity. FIPS 199 assigns this level of
criticality and sensitivity, called security categorization, to
information and information systems based on potential impact on
agency operations (mission, functions, image, or reputation), agency
assets, or individuals should there be a breach in security due to the
loss of confidentiality (i.e., unauthorized disclosure of
information), integrity (i.e., unauthorized modification of
information), or availability (i.e., denial of service).

In FIPS 199, confidentiality, integrity, and availability are defined
as security objectives for information and information systems:

* Confidentiality: "Preserving authorized restrictions on information
access and disclosure, including means for protecting personal privacy
and proprietary information..."  A loss of confidentiality is the
unauthorized disclosure of information.

* Integrity:  "Guarding against improper information modification or
destruction, and includes ensuring information non-repudiation and
authenticity..." A loss of integrity is the unauthorized modification
or destruction of information.

* Availability:  "Ensuring timely and reliable access to and use of
information..." A loss of availability is the disruption of access to
or use of information or an information system.

For each type of information that is processed, stored, or transmitted
by an information system and for the information system itself, FIPS
199 requires assigning a security category to the information and
information system. The security category consists of an impact level
for each of the three security objectives of confidentiality,
integrity, and availability. An impact level of low (L), moderate (M),
or high (H) represents the impact on agency operations (including
mission, functions, image, or reputation), agency assets, or
individuals should there be a breach in security in the respective
security objective areas (i.e., for each security objective area, the
impact level could be L, M, or H). The assignment of security
categories must take place within the context of each organization and
the overall national interest.

Impact levels are defined in FIPS 199 as follows:

The potential impact is low if the loss of confidentiality, integrity,
or availability could be expected to have a limited adverse effect on
organizational operations, organizational assets, or individuals. A
limited adverse effect could mean that the loss of confidentiality,
integrity, or availability might:

* Cause a degradation in mission capability to an extent and duration
that the organization is able to perform its primary functions, but
the effectiveness of the functions is noticeably reduced;

* Result in minor damage to organizational assets, minor financial
loss, or minor harm to individuals.

The potential impact is moderate if the loss of confidentiality,
integrity, or availability could be expected to have a serious adverse
effect on organizational operations, organizational assets, or
individuals. A serious adverse effect could mean that the loss of
confidentiality, integrity, or availability might: * Cause a
significant degradation in mission capability to an extent and
duration that the organization is able to perform its primary
functions, but the effectiveness of the functions is significantly
reduced; * Result in significant damage to organizational assets,
significant financial loss, or significant harm to individuals, but
not loss of life or serious life threatening injuries.

The potential impact is high if the loss of confidentiality,
integrity, or availability could be expected to have a severe or
catastrophic adverse effect on organizational operations,
organizational assets, or individuals. A severe or catastrophic
adverse effect could mean that the loss of confidentiality, integrity,
or availability might:

* Cause a severe degradation in or loss of mission capability to an
extent and duration that the organization is not able to perform one
or more of its primary functions;

* Result in major damage to organizational assets, major financial
loss, or severe or catastrophic harm to individuals involving loss of
life or serious life threatening injuries.

Security Categorization Applied to Information Types and Information
Systems

The security category of an information type that is processed,
stored, or transmitted by an information system can be associated with
both user information and system information, and can be applicable to
information in either electronic or non-electronic form. System
information such as network routing tables, password files, and
cryptographic key management information must always be protected at a
level that is appropriate for the most critical or sensitive user
information.

In establishing the appropriate security category of an information
type, organizations should determine the potential impact for each
security objective associated with the particular information type.
For example, an organization might determine that there is low
potential impact from a loss of confidentiality of its public
information, that there is a moderate potential impact from a loss of
integrity, and that there is a moderate potential impact from a loss
of availability. FIPS 199 provides examples of how to determine and to
express the security categories of information types.

In establishing the appropriate security category of an information
system, organizations should consider the security categories of all
information types that are processed, stored, or transmitted on the
information system. For a system, the potential impact values assigned
to the respective security objectives of confidentiality, integrity,
and availability should be the highest values from among those
security categories that have been determined for each type of
information processed. For example, an organization might determine
the security category for sensitive contract information in a system
used for acquisitions is moderate (for confidentiality), moderate (for
integrity), and low (for availability). The organization might also
determine that security category for routine administrative
information processed on the same system is low (for confidentiality),
low (for integrity), and low (for availability). The security category
for the information system should be expressed in terms of the maximum
potential impact values for each security objective from the various
information types resident on the acquisition system.  In this
example, the system's security category would be moderate (for
confidentiality), moderate (for integrity), and low (for
availability).

System Development Life Cycle and Future Standards and Guidelines

Employed within the System Development Life Cycle (SDLC), FIPS 199 can
be used as part of an agency's risk management program to help ensure
that appropriate security controls are applied to each information
system and that the controls are adequately assessed to determine the
extent to which the controls are implemented correctly, operating as
intended, and producing the desired outcome with respect to meeting
the system security requirements. The following activities, consistent
with NIST Special Publication 800-30, Risk Management Guide for
Information Technology Systems, can be applied to both new and legacy
information systems within the SDLC-

* Categorize the information system (and the information resident
within that system) based on a FIPS 199 impact analysis (See NIST
Special Publication 800-60, Guide for Mapping Types of Information and
Information Systems to Security Categories, for guidance in assigning
security categories and refining the impact analysis).

* Select an initial set of security controls for the information
system (as a starting point) based on the FIPS 199 security
categorization (See NIST Special Publication 800-53, Recommended
Security Controls for Federal Information Systems, or FIPS 200,
Security Controls for Federal Information Systems, which will replace
NIST Special Publication 800-53 in December 2005 in fulfillment of the
FISMA legislative requirement for mandatory minimum security
requirements for federal information systems.)

* Refine the initial set of security controls selected for the
information system based on local conditions including agency-specific
security requirements, specific threat information, cost-benefit
analyses, the availability of compensating controls, or other special
circumstances.

* Document the agreed upon set of security controls in the security
plan for the information system including the agency's rationale and
justification for any refinements or adjustments to the initial set of
controls (See NIST Special Publication 800-18, Guide for Developing
Security Plans for Information Technology Systems).

* Implement the security controls in the information system. For
legacy systems, some or all of the security controls selected may
already be in place.

* Assess the security controls using appropriate assessment procedures
to determine the extent to which the controls are implemented
correctly, operating as intended, and producing the desired outcome
with respect to meeting the security requirements for the system. (See
NIST Special Publication 800-53A, Guide for Assessing the Security
Controls in Federal Information Systems, summer 2004).

* Determine the risk to agency operations (including mission,
functions, image, or reputation), agency assets, or individuals
resulting from the planned or continued operation of the information
system (See NIST Special Publication 800-37, Guide for the Security
Certification and Accreditation of Federal Information Systems).

* Authorize system processing (or for legacy systems, authorize
continued system processing) if the level of risk to the agency's
operations, assets, or individuals is acceptable to the authorizing
official (See NIST Special Publication 800-37, Guide for the Security
Certification and Accreditation of Federal Information Systems).

* Monitor selected security controls in the information system on an
continuous basis including documenting changes to the system,
conducting security impact analyses of the associated changes, and
reporting the security status of the system to appropriate agency
officials on a regular basis (See NIST Special Publication 800-37,
Guide for the Security Certification and Accreditation of Federal
Information Systems).

Since some of the documents referenced above are either in development
or planned at the time this bulletin was published, the reader should
consult:  http://www.csrc.nist.gov for up-to-the minute progress
reports on the FISMA program and related guidance documents.

Disclaimer

Any mention of commercial products or reference to commercial
organizations is for information only; it does not imply
recommendation or endorsement by NIST nor does it imply that the
products mentioned are necessarily the best available for the purpose.





More information about the isn mailing list