Chapter 2

Laws, Regulations, and Guidance

Abstract

This chapter focuses on the laws, regulations, and requirements imposed on developing and implementing information systems.

Keywords

Information system laws, FISMA, executive orders, HIPAA, Sarbanes-Oxley, OMB, NIST, special publication, FIPS

Table of Contents

Chapter Overview and Key Learning Points

The Case for Legal and Regulatory Requirements

Legal and Regulatory Organizations

Orders Issued by the President of the United States of America

Office of Management and Budget (OMB)

National Institute of Standards and Technology (NIST)

Committee on National Security Systems (CNSS)

Office of the Director of National Intelligence (ODNI)

Department of Defense (DoD)

Laws, Policies, and Regulations

Privacy Act of 1974 (updated in 2004)

Transmittal Memorandum No. 4, Management of Federal Information Resources, OMB A-130 (December, 1985)

Information Technology Management Reform Act of 1996 (Clinger-Cohen Act)

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act)

Privacy Policies and Data Collection on Federal Web Sites, OMB M-00-13 (June, 2000)

Executive Order 13231, Critical Infrastructure Protection in the Information Age, (October, 2001)

Guidance for Preparing and Submitting Security Plans of Action and Milestones, OMB M-02-01 (October, 2001)

Federal Information Security Management Act of 2002 (FISMA)

HSPD 7, Critical Infrastructure Identification, Prioritization, and Protection (December, 2003)

Health Information Technology for Economic and Critical Health (HITECH) Act of 2009

Policy on Information Assurance Risk Management for National Security Systems (CNSSP 22. January, 2012)

Security Categorization and Control Selection for National Security Systems (CNSSI 1253, Version 2. March, 2012)

National Institute of Standards and Technology (NIST) Publications

Federal Information Processing Standards (FIPS) and Special Publications (SP)

FIPS 199

FIPS 200

NIST SP 800-39

SP 800-37

SP 800-60

SP 800-53

SP 800-53A

SP 800-18

SP 800-70

SP 800-59

Information in this Chapter:

• Overview of governmental regulatory and legal organizations

• Overview of US legal and regulatory requirements

• Overview of published standards and requirements

Chapter Overview and Key Learning Points

Organizations are faced with a surprising number of requirements that must be followed when developing information systems. This chapter introduces a number of the organizations that produce legal and regulatory requirements that help ensure the system being developed is as secure as possible. Some requirements are imposed by law or regulation; others are considered best practices or are suggested settings that will improve organizational or system security.

The Case for Legal and Regulatory Requirements

In a perfect world, system developers, administrators, and users would inherently do the right thing when making decisions that impact the security posture of the systems they are developing, supporting, or using. Unfortunately, this is not the case. Misconfigurations and errors in system design, system use, and maintenance often lead to exposing critical security flaws in information systems. To address this problem, governments and organizations around the world have passed laws, imposed regulations, and created guidelines to help ensure that systems are developed, maintained, and operated in the most secure manner possible. While these requirements, whether law, policy, or guidance, do not secure systems merely by their existence, they do provide the detailed rule set needed to operate information systems in a secure manner. The goal of the risk management framework (RMF) is to reduce and manage risk by implementing best business and security practices and correctly applying the required security controls in a process that increases efficiency and effectiveness while reducing costs and redundancy. The framework supports compliance with a number of laws, policies, regulations, and guidance documents; in fact, many of the requirements imposed by US law have been built into the RMF process.

The United States federal government and supporting government agencies have developed a number of laws, regulations, policies, and guidance documents that strengthen information system security and manage risk. Implemented correctly, these requirements help to secure computers, information systems, and organizations by reducing misconfigurations and strengthening organizational policies and processes. The following pages summarize the most influential requirements supporting the RMF.

Also described are high-level details of various regulatory bodies and the requirements they have issued relating to ensuring the security and compliance of information and information systems.

Legal and Regulatory Organizations

Orders Issued by the President of the United States of America

Executive orders (EO) are issued by the president of the United States as head of the executive branch and have the full force of US law. Executive orders were issued as early as 1789 and arguably draw enforcement power directly from the Constitution of the United States. Historically, EOs are directed at government agencies or government officials, not at individuals.

A presidential directive (PD) is a special type of EO that the president issues after receiving the advice and consent of the National Security Council, because presidential directives affect the national security of the United States. There are several types of presidential directive: national security presidential directives, homeland security presidential directives, presidential security directives, and presidential policy directives.

Office of Management and Budget (OMB)

The Office of Management and Budget is the largest component of the executive office of the president and reports directly to the president of the United States. The OMB has the unique mission of serving the president and implementing the president's vision across the executive branch. The OMB carries out the mission of being the enforcement arm of presidential policy across the government through its published critical processes. According to the OMB website, there are five processes that are critical to the president's ability to plan and implement priorities across the executive branch. These processes are budget development and execution, management, coordination and review of significant federal regulations, legislative clearance and coordination, and distribution and execution of executive orders and presidential memoranda.

National Institute of Standards and Technology (NIST)

The National Institute of Standards and Technology was founded in 1901 as the National Bureau of Standards and is now a federal research organization within the Department of Commerce. The NIST official mission is to “promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”

The E-Government Act of 2002 challenged and empowered the NIST computer security division to:

• Provide assistance in using NIST guides to comply with FISMA.

• Provide specifications for minimum security requirements for federal information and information systems using a standardized, risk-based approach.

• Identify methods for assessing effectiveness of security requirements.

• Bring the security planning process up to date with key standards and guidelines developed by NIST.

• Provide assistance to agencies and the private sector.

• Evaluate security policies and technologies from the private sector and national security systems for potential federal agency use.

• Solicit recommendations of the Information Security and Privacy Advisory Board on draft standards and guidelines.

• Provide outreach, workshops, and briefings.

• Satisfy the annual NIST reporting requirement.

The risk management framework relies heavily on documentation created by the NIST security division. While many publications created by the security division will assist the security practitioner and risk manager, Federal Information Processing Standards (FIPS) and the Special Publications (SP) in the 800 series are most beneficial in implementing the RMF.

Committee on National Security Systems (CNSS)

The Committee on National Security Systems was created in 1953 as the National Security Telecommunications and Information Systems Security Committee (NSTISSC) by National Security Directive (NSD)-42, National Policy for the Security of National Security Telecommunications and Information Systems. On October 16, 2001, the NSTISSC became the CNSS by EO 13231, Critical Infrastructure Protection in the Information Age. The CNSS is responsible for setting national-level information assurance policies, directives, instructions, operational procedures, guidance, and advisories for US government (USG) departments and agencies for the security of national security systems (NSS) through the CNSS Issuance System. The CNSS is directed to assure the security of NSS against technical exploitation by providing reliable and continuing assessments of threats and vulnerabilities and the implementation of effective countermeasures; a technical base within the USG to achieve this security; and support from the private sector to enhance that technical base, assuring that information systems security products are available to secure NSS.

Office of the Director of National Intelligence (ODNI)

A position established by the Intelligence Reform and Terrorism Prevention Act of 2004, the director of national intelligence (DNI) assumes many responsibilities of the director of central intelligence (DCI), a position that was occupied by the director of the Central Intelligence Agency (CIA) prior to the creation of the DNI. The Office of the Director of National Intelligence (ODNI) is responsible for establishing a cohesive intelligence capability for the United States by providing guidance to the member agencies of the intelligence community (IC). This is done through a number of methods, including publishing intelligence community directives (ICD) that mandate specific actions by members of the IC. ICD 503 mandates how systems within the IC are assessed, certified, and accredited prior to being fully implemented and allows for the use of CNSS and NIST publications in performing these functions. This ICD replaces the older Director of Central Intelligence Directive (DCID) 6/3 with a process that aligns with the RMF.

Department of Defense (DoD)

The Department of Defense, or DoD, maintains security purview over those systems supporting and assisting the mission of the United States military. Using the Department of Defense directives in the 8500 series, the department has developed extensive processes to ensure that military systems are correctly tested and accredited prior to use and continue to be tested and maintained throughout the system's life cycle. Primarily through the DoD Information Technology Security Certification and Accreditation Process (DITSCAP), which is defined in the DoD 5200 series, and the more recent DoD Information Assurance Certification and Accreditation Process (DIACAP), which is defined in the DoD 8500 series, the DoD has provided detailed instructions on how to properly authorize or accredit information systems that support the military. The DoD 8500 series is currently under revision to accommodate the DoD transition to the RMF and to align with the rest of the federal government.

Laws, Policies, and Regulations

Privacy Act of 1974 (updated in 2004)

The Privacy Act of 1974 was written in response to the growing amount of information about individuals that is being collected by United States governmental organizations. This Act was amended by the Computer Matching and Privacy Act of 1988, which addresses the use of records in automated matching systems, and was updated again in 2004.

The Act restricts the disclosure of personally identifiable information (PII) and mandates safeguards to individual privacy. To protect PII, development and implementation of best practices is required. The law mandates that the characteristics of systems of records be published in the Federal Register.

Much of the Act is devoted to ensuring that PII is accurate and is stored, processed, and maintained in a secure manner. Individuals have the right to review information about themselves that is contained in agency records (other than specific law enforcement and intelligence information). If erroneous or incorrect information is discovered, individuals have the right to have the information corrected or amended.

Requirements for the accurate accounting of how PII is retained, including how and to whom information is disclosed, are defined by the Privacy Act. Civil officials who incorrectly disclose personal information face civil, monetary, and criminal penalties for violation of the Act.

Transmittal Memorandum No. 4, Management of Federal Information Resources, OMB A-130 (December, 1985)

In 1985 the OMB defined the terms “adequate security”, “application”, “general support system”, and “major application” in OMB A-130. This often-cited memorandum requires that all systems have a security plan and that information and systems security responsibilities be assigned to senior organizational executives. They must ensure that the systems are authorized before being placed into operation. This authorization seeks to ensure that system security is addressed by placing responsibility and accountability for security on the authorizing official, normally an agency executive.

The assignment of security responsibilities also ensures that those maintaining, developing, and using the system comply with security requirements. A specific requirement noted by OMB is that specialized training be completed prior to accessing the information system. This training is based on the individual's access rights and responsibilities.

Information Technology Management Reform Act of 1996 (Clinger-Cohen Act)

The Clinger-Cohen Act was passed when the US government was faced with inefficiencies in the way it acquires information technology systems and equipment. Intended to improve the way the US acquires and disposes of IT systems, the Act requires careful planning of capital investment. It also requires clear accountability of management activities by appointing an agency chief information officer (CIO). Once appointed, the CIO is responsible for compliance with other Clinger-Cohen requirements.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Designed to protect workers and their families as they change jobs, the Health Insurance Portability and Accountability Act, or HIPAA, protects paper and electronic records. The Act defines the information it is protecting, specifically, protected health information (PHI). PHI can be generally described as protected information about a patient that can be linked in some way to the individual; for example, if an employee sends a manager an email requesting a special keyboard because the employee has carpal tunnel syndrome, that message would be PHI, as it links medical information to the individual.

The Act details requirements for the use, handling, and disclosure of PII. Administrative, physical, and technical safeguards, as well as privacy and security rules, are mandatory. Violations of the provisions of HIPAA carry civil and monetary penalties.

Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act)

Although the Gramm-Leach-Bliley Act focuses on financial institutions, its passage strengthened the requirements of the Privacy Act of 1974. Requirements implemented to govern the collection, disclosure, and protection of consumers' nonpublic personal information are hallmarks of this law. The Act requires institutions to provide consumers with privacy notices when the consumer relationship is established and when policies change, and to annually explain how an institution uses, collects, and maintains private information. Instructions on how to opt out of allowing the institution to share personal information with other organizations must also be provided.

The Act has provisions for increased security, including requirements for financial institutions to implement policies to protect information from foreseeable threats in security and data integrity. It also requires the development and implementation of written information security plans.

Privacy Policies and Data Collection on Federal Web Sites, OMB M-00-13 (June, 2000)

As Internet and web use grew, the OMB issued M-00-13 to define requirements for the development of policies and data collection rules for federal websites. Organizations are mandated to clearly post privacy policies on government websites that house substantial personal information. Organizations must also develop standards for the use of cookies to store user information.

Executive Order 13231, Critical Infrastructure Protection in the Information Age, (October, 2001)

Executive Order 13231 was signed by President George W. Bush to establish a voluntary public-private partnership for the protection of components of the critical infrastructure of the United States; components include, but are not limited to, telecommunications and electrical systems as well as water distribution and transportation systems. The order establishes the President's Critical Infrastructure Protection Board (PCIPB), an organization that, among other things, will provide outreach to the private sector as well as state and local governments to develop standards and best practices.

This executive order gives the director of OMB the responsibility to secure information systems. It also reemphasizes the National Security Telecommunications Advisory Committee (NSTAC), an organization of no more than 30 members, that provides critical infrastructure security advice to the president of the United States.

Guidance for Preparing and Submitting Security Plans of Action and Milestones, OMB M-02-01 (October, 2001)

In order to ensure accurate tracking of system security deficiencies, OMB issued M-02-01, which requires maintaining plans of action and milestones (POA&M) to address system deficiencies. The POA&M is one of three critical documents that must be included in the authorization package with the implementation of the RMF and is used by the authorizing official when making the authorization or accreditation decision for the system.

The POA&M format defined by OMB requires information for specific columns to be completed, including columns for the organization responsible for resolving the weakness, the completion schedule, key milestones with completion dates, the type and source of the weakness, funding resources required, and the status of the system. Once developed, the POA&M is used to track corrections of system security weaknesses and shortfalls. After the POA&M is published, items are not deleted but are amended to provide an audit trail for corrections of security deficiencies.

Federal Information Security Management Act of 2002 (FISMA)

Title III of the E-Government Act of 2002, or FISMA, provides a comprehensive framework that ensures the effectiveness of information security controls implemented for federal information resources. FISMA requires agencies to provide information security protections equal to or greater than the risk and magnitude of harm resulting from unauthorized use, disclosure, modification, or destruction of information or the information system. The law also requires the development and maintenance of minimum security controls to protect federal information and information systems. To ensure that these controls and protections are implemented and maintained correctly, periodic assessments, audits, and evaluations assess the security controls, policies, procedures, and practices implemented to protect organizational systems. The Act also defines “confidentiality”, “availability”, and “integrity”, terms known as the “CIA triad.”

Training is addressed as well, with the organizational CEO responsible for ensuring that personnel have been properly trained to assist with the implementation of FISMA. Specific training is also mandated for individuals with information security responsibilities.

While developing FISMA, a mechanism for improved oversight of security programs was developed that gives top-level leadership insight into organizational security postures. An important condition of the law is the establishment of an agency-wide information security program and the development of information security policies, procedures, and control techniques. Development and documentation of a security plan is also required, as is development, maintenance, and inventory of secure federal systems. While NSS are generally exempt from FISMA requirements, some portions of the law do apply; therefore, understanding FISMA requirements is essential to developing secure and compliant information systems.

HSPD 7, Critical Infrastructure Identification, Prioritization, and Protection (December, 2003)

In Homeland Security Presidential Directive (HSPD) 7, President George W. Bush tasked the Department of Homeland Security with protecting critical infrastructure. This directive also treated cyberspace as a separate domain (like land, sea, and air) and added agriculture to the list of industries identified as part of the critical infrastructure, reversing Presidential Decision Directive 62.

Health Information Technology for Economic and Critical Health (HITECH) Act of 2009

The HITECH Act expands HIPAA by promoting the meaningful use of health information technology while including provisions that strengthen the civil and criminal enforcement of HIPAA. The law addresses security concerns associated with the electronic transmission of health information; it also mandates a reporting and disclosure requirement for security breaches, including public disclosure. New accounting requirements for the protection of information relating to the treatment, payment, and health care operations within an organization are mandatory under this Act.

Policy on Information Assurance Risk Management for National Security Systems (CNSSP 22. January, 2012)

This policy, directed at NSS, requires an organization-wide information assurance risk management program. CNSSP 22 defines a detailed approach to information assurance (IA) and risk management. This new approach replaces CNSS Policy No. 6, National Policy on Certification and Accreditation of National Security Systems, and National Security Telecommunications and Information Systems Security Instruction (NSTISSI) 1000, National Information Assurance Certification and Accreditation Process (NIACAP), and aligns agencies supporting NSS with the NIST RMF.

Security Categorization and Control Selection for National Security Systems (CNSSI 1253, Version 2. March, 2012)

The Committee on National Security Systems Instruction (CNSSI) No. 1253 addresses categorizing NSS. This document expands the controls defined in the control catalog provided in NIST SP 800-53 with specific guidance tailored for NSS. It explains the process for categorizing NSS and how to select and tailor security control sets. It also introduces the concept of overlays, which are a specification of security controls and supporting guidance that are used to complement the security control baselines and parameter values in CNSSI No. 1253 and to complement the supplemental guidance in NIST SP 800-53.

National Institute of Standards and Technology (NIST) Publications

Federal Information Processing Standards (FIPS) and Special Publications (SP)

Approved federal information processing standards like FIPS 199 and FIPS 200 are mandatory and binding for federal agencies and may not be waived. Special publications, on the other hand, are generally issued by NIST as recommendations and guidelines. Most NIST SP publications serve as templates and guidelines unless mandated by FIPS requirements; for example, SP 800-53 is mandated by FIPS 200. Additionally, OMB requires compliance with specific NIST SP.

FIPS 199

FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, was published in February, 2004, and is mandatory for all federal information systems unless they are designated as NSS. This is the first of two published standards that are required by the Information Technology Reform Act of 1996 and the Federal Information Security Management Act of 2002. The primary goal of FIPS 199 is to address standards for categorizing systems; it also defines security categories, objectives, and impact levels.

FIPS 200

FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, was published in March, 2006 and, like FIPS 199, it applies to all federal systems (excluding NSS) and is mandated by the same laws. Its focus is a specification on minimum security requirements for information and information systems for executive agencies that support the federal government. This document defines a risk-based process used to select the security controls required to satisfy these minimum security standards. FIPS 200 defines a repeatable process for selecting and specifying controls and establishes minimum levels of due diligence.

NIST SP 800-39

Special Publication 800-39, Managing Information Security Risk, was published in March, 2011, under the guidance of the Joint Task Force Transformation Initiative. This publication guides enterprises in developing an integrated, organization-wide information security risk management program.

SP 800-37

When referring to SP 800-37, it is important to distinguish Revision 1 from the initial issuance of this special publication. Originally issued in 2003 as the Guide for the Security Certification and Accreditation of Federal Information Systems, this document described how to implement the certification and accreditation (C&A) process. In 2010 this special publication was totally rewritten, under the guidance of the Joint Task Force Transformation Initiative, and retitled The Guide for Applying the Risk Management Framework to Federal Information Systems. The revision changed the former C&A process to a model that stresses an organizational risk management approach as defined in SP 800-39, which includes continuous monitoring of security controls and longer authorizations (formerly known as accreditations) for systems. SP 800-37 and its supporting publications, even though they were often misunderstood, quickly became the rule book for properly applying the RMF.

SP 800-60

Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, is a 357-page, two-volume set published in 2008. This guide assists government agencies in categorizing information and information systems and in provisioning the appropriate level of information security protections and controls. Use of this document is critical in correctly categorizing information systems based on the information types the system will process. Identification of information types must occur as early as possible in the development of the system and the planning cycle to ensure that the system is built to the correct security profile.
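The FIPS 199 and SP 800-60 sections above describe the outcome of categorization but not the mechanics. The following is an added example, not code from the book or from NIST, that carries the categorization through: each information type gets a (confidentiality, integrity, availability) impact triple, the system category is the high water mark across types for each objective, and the overall impact level is the highest of the three. The information types and their impact values are constructed for illustration; in practice they come from the SP 800-60 Volume II provisional levels, adjusted by the agency. The one edge case handled is FIPS 199's rule that "not applicable" is allowed only for the confidentiality of public information and only at the information-type level, since a system's impact for every objective is at least low.

```python
"""FIPS 199 security categorization (high water mark) worked through in code.

Added example; not part of the book. Information types and impact values
below are constructed stand-ins for SP 800-60 Volume II lookups.
"""
from dataclasses import dataclass

# "n/a" ranks below low; FIPS 199 permits it only for the confidentiality
# of public information, and only on information types, never on systems.
IMPACT_ORDER = {"n/a": 0, "low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self, objective: str) -> str:
        return getattr(self, objective)


def validate(info_type: InfoType) -> None:
    """Reject unknown levels and 'n/a' outside the confidentiality objective."""
    for obj in OBJECTIVES:
        level = info_type.impact(obj)
        if level not in IMPACT_ORDER:
            raise ValueError(f"{info_type.name}: unknown impact level {level!r}")
        if level == "n/a" and obj != "confidentiality":
            raise ValueError(f"{info_type.name}: 'n/a' is only allowed for confidentiality")


def max_impact(a: str, b: str) -> str:
    return a if IMPACT_ORDER[a] >= IMPACT_ORDER[b] else b


def categorize_system(info_types) -> dict:
    """High water mark per objective across all information types.

    The system floor is 'low' for every objective, so an 'n/a'
    confidentiality on a public information type cannot pull the
    system below low.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    sc = {obj: "low" for obj in OBJECTIVES}
    for it in info_types:
        validate(it)
        for obj in OBJECTIVES:
            sc[obj] = max_impact(sc[obj], it.impact(obj))
    return sc


def overall_impact(sc: dict) -> str:
    """Highest of the three objective values; FIPS 200 uses this single
    level to pick the low/moderate/high baseline in SP 800-53."""
    return max(sc.values(), key=lambda lvl: IMPACT_ORDER[lvl])


def format_sc(system_name: str, sc: dict) -> str:
    """Render in the FIPS 199 notation: SC name = {(objective, LEVEL), ...}."""
    parts = ", ".join(f"({obj}, {sc[obj].upper()})" for obj in OBJECTIVES)
    return f"SC {system_name} = {{{parts}}}"


# Constructed sample: a hypothetical agency portal processing three information types.
SAMPLE_TYPES = (
    InfoType("public web content", "n/a", "low", "low"),
    InfoType("employee health records", "moderate", "moderate", "low"),
    InfoType("payment processing", "moderate", "high", "moderate"),
)

if __name__ == "__main__":
    category = categorize_system(SAMPLE_TYPES)
    print(format_sc("agency portal", category))
    print("overall impact level:", overall_impact(category))
```

Running the block prints `SC agency portal = {(confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)}` and an overall level of high, which is the level that would select the SP 800-53 baseline for this hypothetical system. Note that this high-water-mark rule is the FIPS 199 rule for non-NSS systems; CNSSI 1253 categorizes NSS per objective without collapsing to a single level.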

SP 800-53

Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations, was published under the guidance of the Joint Task Force Transformation Initiative. The purpose of this document is to detail the recommended and required security controls for information and information systems based on the system's categorization and risks to the system or information. SP 800-53 is required by FIPS 200 for all federal information systems, with the exception of NSS. Appendix C provides a detailed explanation of all of the controls in the Security Control Catalog. This book references the most recent approved version, Revision 3, published in 2009. As of this writing, Revision 4 is a draft document. As with all documents, be sure to check the appropriate website to ensure that the most current version is being used.

SP 800-53A

In June, 2010, NIST released an updated version of SP 800-53A, under the guidance of the Joint Task Force Transformation Initiative, to align with Revision 3 of SP 800-53. SP 800-53A Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, assists assessors in evaluating the effectiveness of the implementation of required security controls within the RMF. Assessors can use the guidelines in this book to evaluate technical, operational, and management controls required of the system or organization through examinations, interviews, or technical tests. This volume details each control and the required testing procedure (examinations, interviews, or technical test events), which allows the security control assessors to evaluate each control to the same general standard.

SP 800-18

SP 800-18, Guide for Developing Security Plans for Federal Information Systems, was most recently released in February, 2006. This guide assists administrative and security professionals in developing security plans for information systems, organizations, and information as required by the Federal Information Security Management Act (FISMA).

SP 800-70

SP 800-70 Revision 2, National Checklist Program for IT Systems—Guidelines for Checklist Users and Developers, was sponsored by the Department of Homeland Security and published in February, 2011. This guide details the National Checklist Program (NCP) and includes descriptions of security configuration checklists and their benefits.

SP 800-59

SP 800-59, Guideline for Identifying an Information System as a National Security System, was published in August, 2003. This guideline assists in the determination of national security systems (NSS). This determination is critical, as NSS follow specific guidelines and are exempt from many FISMA requirements.
