[ISN] ITL Bulletin for May 2004
InfoSec News
isn at c4i.org
Fri May 21 10:54:31 EDT 2004
Forwarded from: Elizabeth Lennon <elizabeth.lennon at nist.gov>
ITL Bulletin for May 2004
GUIDE FOR THE SECURITY CERTIFICATION AND ACCREDITATION OF
FEDERAL INFORMATION SYSTEMS
Elizabeth B. Lennon, Editor
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce
Introduction
In response to the requirements of the E-Government Act (Public Law
107-347), Title III, Federal Information Security Management Act
(FISMA) of December 2002, ITL recently published NIST Special
Publication (SP) 800-37, Guide for the Security Certification and
Accreditation of Federal Information Systems. Developed through an
extensive public review process, the document represents a significant
contribution to federal agency security management by providing
specific recommendations on how to certify and accredit information
systems. State, local, and tribal governments, as well as private
sector organizations, are encouraged to use the guidelines, as
appropriate. This ITL Bulletin summarizes the document, which is
available at http://csrc.nist.gov/sec-cert/.
NIST SP 800-37 provides guidelines for the security certification and
accreditation of information systems supporting the executive agencies
of the federal government. The guidelines have been developed to help
achieve more secure information systems within the federal government
by:
* Enabling more consistent, comparable, and repeatable assessments of
security controls in federal information systems;
* Promoting a better understanding of agency-related mission risks
resulting from the operation of information systems; and
* Creating more complete, reliable, and trustworthy information for
authorizing officials to facilitate more informed security
accreditation decisions.
Security Certification and Accreditation
Security certification and accreditation are important activities that
support a risk management process and are an integral part of an
agency's information security program.
Security accreditation is the official management decision given by a
senior agency official to authorize operation of an information system
and to explicitly accept the risk to agency operations, agency assets,
or individuals based on the implementation of an agreed-upon set of
security controls. Required by OMB Circular A-130, Appendix III,
security accreditation provides a form of quality control and
challenges managers and technical staffs at all levels to implement
the most effective security controls possible in an information
system, given mission requirements, technical constraints, operational
constraints, and cost/schedule constraints. By accrediting an
information system, an agency official accepts responsibility for the
security of the system and is fully accountable for any adverse
impacts to the agency if a breach of security occurs. Thus,
responsibility and accountability are core principles that
characterize security accreditation.
It is essential that agency officials have the most complete,
accurate, and trustworthy information possible on the security status
of their information systems in order to make timely, credible,
risk-based decisions on whether to authorize operation of those
systems. The information and supporting evidence needed for security
accreditation is often developed during a detailed security review of
an information system, typically referred to as security
certification. Security certification is a comprehensive assessment of
the management, operational, and technical security controls in an
information system, made in support of security accreditation, to
determine the extent to which the controls are implemented correctly,
operating as intended, and producing the desired outcome with respect
to meeting the security requirements for the system. The results of a
security certification are used to reassess the risks and update the
system security plan, thus providing the factual basis for an
authorizing official to render a security accreditation decision.
Roles and Responsibilities
NIST SP 800-37 describes the roles and responsibilities of key
participants, summarized below, involved in an agency's security
certification and accreditation process:
* The Chief Information Officer is the agency official responsible
for: (i) designating a senior agency information security officer;
(ii) developing and maintaining information security policies,
procedures, and control techniques to address all applicable
requirements; (iii) training and overseeing personnel with
significant responsibilities for information security; (iv)
assisting senior agency officials concerning their security
responsibilities; and (v) in coordination with other senior agency
officials, reporting annually to the agency head on the effectiveness
of the agency information security program, including progress of
remedial actions.
* The authorizing official (or designated approving/accrediting
authority as referred to by some agencies) is a senior management
official or executive with the authority to formally assume
responsibility for operating an information system at an acceptable
level of risk to agency operations, agency assets, or individuals.
* The authorizing official's designated representative is an
individual acting on the authorizing official's behalf in
coordinating and carrying out the necessary activities required
during the security certification and accreditation of an
information system.
* The senior agency information security officer is the agency
official responsible for: (i) carrying out the Chief Information
Officer responsibilities under FISMA; (ii) possessing professional
qualifications, including training and experience, required to
administer the information security program functions; (iii) having
information security duties as that official's primary duty; and
(iv) heading an office with the mission and resources to assist in
ensuring agency compliance with FISMA.
* The information system owner is an agency official responsible for
the overall procurement, development, integration, modification, or
operation and maintenance of an information system.
* The information owner is an agency official with statutory or
operational authority for specified information and responsibility
for establishing the controls for its generation, collection,
processing, dissemination, and disposal.
* The information system security officer is the individual
responsible to the authorizing official, information system owner,
or the senior agency information security officer for ensuring the
appropriate operational security posture is maintained for an
information system or program.
* The certification agent is an individual, group, or organization
responsible for conducting a security certification, or
comprehensive assessment of the management, operational, and
technical security controls in an information system to determine
the extent to which the controls are implemented correctly,
operating as intended, and producing the desired outcome with
respect to meeting the security requirements for the system.
* User representatives are individuals who represent the operational
interests of the user community and serve as liaisons for that
community throughout the system development life cycle of the
information system.
At the discretion of senior agency officials, certain security
certification and accreditation roles may be delegated, and if so,
appropriately documented. Individuals serving in delegated roles are
able to operate with the authority of agency officials within the
limits defined for the specific certification and accreditation
activities. Agency officials retain ultimate responsibility, however,
for the results of actions performed by individuals serving in
delegated roles.
The Process
The security certification and accreditation process consists of four
distinct phases:
* Initiation Phase;
* Security Certification Phase;
* Security Accreditation Phase; and
* Continuous Monitoring Phase.
Each phase in the security certification and accreditation process
consists of a set of well-defined tasks and subtasks that are to be
carried out, as indicated, by responsible individuals (e.g., the Chief
Information Officer, authorizing official, authorizing official's
designated representative, senior agency information security officer,
information system owner, information owner, information system
security officer, certification agent, and user representatives).
The Initiation Phase consists of three tasks: (i) preparation; (ii)
notification and resource identification; and (iii) system security
plan review, analysis, and acceptance. The purpose of this phase is to
ensure that the authorizing official and senior agency information
security officer are in agreement with the contents of the system
security plan before the certification agent begins the assessment of
the security controls in the information system.
The Security Certification Phase consists of two tasks: (i) security
control assessment; and (ii) security certification documentation. The
purpose of this phase is to determine the extent to which the security
controls in the information system are implemented correctly,
operating as intended, and producing the desired outcome with respect
to meeting the security requirements for the system. This phase also
addresses specific actions taken or planned to correct deficiencies in
the security controls and to reduce or eliminate known vulnerabilities
in the information system. Upon successful completion of this phase,
the authorizing official will have the information needed from the
security certification to determine the risk to agency operations,
agency assets, or individuals, and thus will be able to render an
appropriate security accreditation decision for the information
system.
The Security Accreditation Phase consists of two tasks: (i) security
accreditation decision; and (ii) security accreditation documentation.
The purpose of this phase is to determine if the remaining known
vulnerabilities in the information system (after the implementation of
an agreed-upon set of security controls) pose an acceptable level of
risk to agency operations, agency assets, or individuals. Upon
successful completion of this phase, the information system owner will
have: (i) authorization to operate the information system; (ii) an
interim authorization to operate the information system under specific
terms and conditions; or (iii) denial of authorization to operate the
information system.
The Continuous Monitoring Phase consists of three tasks: (i)
configuration management and control; (ii) security control
monitoring; and (iii) status reporting and documentation. The purpose
of this phase is to provide oversight and monitoring of the security
controls in the information system on an ongoing basis and to inform
the authorizing official when changes occur that may affect the
security of the system. The activities in this phase are performed
continuously throughout the life cycle of the information system.
Accreditation Decisions
The security accreditation package documents the results of the
security certification and provides the authorizing official with the
essential information needed to make a credible, risk-based decision
on whether to authorize operation of the information system.
Security accreditation decisions resulting from security certification
and accreditation processes should be conveyed to information system
owners. To ensure the agency's business and operational needs are
fully considered, the authorizing official should meet with the
information system owner prior to issuing the security accreditation
decision to discuss the security certification findings and the terms
and conditions of the authorization. There are three types of
accreditation decisions that can be rendered by authorizing officials:
* Authorization to operate;
* Interim authorization to operate; or
* Denial of authorization to operate.
Examples of security accreditation decision letters appear in Appendix E.
Continuous Monitoring
A critical aspect of the security certification and accreditation
process is the post-accreditation period involving the continuous
monitoring of security controls in the information system over time.
An effective continuous monitoring program requires:
* Configuration management and configuration control processes;
* Security impact analyses on changes to the information
system; and
* Assessment of selected security controls in the information system
and security status reporting to appropriate agency officials.
Conclusion
Completing a security accreditation ensures that an information system
will be operated with appropriate management review, that there is
ongoing monitoring of security controls, and that re-accreditation
occurs periodically in accordance with federal or agency policy and
whenever there is a significant change to the system or its
operational environment.
Disclaimer: Any mention of commercial products or reference to
commercial organizations is for information only; it does not imply
recommendation or endorsement by the National Institute of Standards
and Technology nor does it imply that the products mentioned are
necessarily the best available for the purpose.
Elizabeth B. Lennon
Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 840-1357