CHAPTER 12:
AUTHORIZATION IN THE FEDERAL GOVERNMENT
Each federal agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
Federal Information Security Management Act (FISMA), 2002
In this chapter:
System security authorization boundaries
Federal security authorization process
So where and how do we start the authorization process in accordance with FISMA? Well, first we need to define the boundary of the information system. We define the boundary through drawing real network boundaries, logical system boundaries, physical boundaries, management, or organizational/ mission based boundaries. These boundaries are also known as authorization or accreditation boundaries.
Draft NIST SP 800-37 Rev.1 states:
Authorization boundaries need to be established before security categorization and the development of security plans. Authorization boundaries that are unnecessarily expansive (i.e. including too many system components) make the authorization process extremely unwieldy and complex. Boundaries that are unnecessarily limited increase the number of security authorizations that must be conducted and thus unnecessarily inflate the total security costs for the organization.
Establishing information system authorization boundaries (also known as accreditation boundaries)
The process of uniquely assigning information resources to an information system defines the security authorization boundary for that system. If you are given the task of setting or defining the security authorization boundary, you should collect a few system artifacts before you start:
a system description;
network and dataflow diagrams; and
the system inventory (all firmware, hardware, and software).
The system description
First you will want to get a system description. At a minimum the system description should include:
A full system name and current version.
A system identifier (OMB-300, or agency/component registration number).
System or security categorization (if completed).
Data and/or information types (processed, stored, transmitted, reviewed, and managed).
General description and system purpose.
System environment. (Where the system will reside both physically and logically. Will it be standalone, dmz, or part of a larger enterprise or organizational system?)
System contact information (with at least):
• authorizing official;
• risk executive function;
• system owner, data owner, steward (with related contact information);
• technical POC (sometimes this is referred to as the system subject matter expert);
• information security POCs (CISO, ISSO, ISSM, and alternates).
The system development life cycle (SDLC) or system life cycle (SLC) stage that the system is currently in.
Network and dataflow diagrams
Next gather a set of diagrams that describe the agency’s networks or systems as a whole – hopefully an enterprise diagram or organizational network diagram. Usually the CIO or CIO’s office completes a network diagram of the agency’s system assets. Depending on the size, complexity, and locations of the agency’s systems this could be one or multiple drawings. It could also include more than network drawings, but system data-flow, and data center physical layout diagrams.
If you are working with an information system with a specific mission function (many times referred to as major application or minor application), it is critical that you obtain or develop a data flow diagram. The data flow diagram provides an architectural view of the systems, how they interact, and the graphical representation of how data flows from component to component of the system. This will provide a graphical representation of the software and systems functions.
These diagrams will allow you to do a few things. First, you will be able to better assess the common controls you will be able to inherit for your system (you may also be given a completed common control SSP). This will help us throughout the process as we decide what controls to implement and monitor. Next, you will be able to more easily establish managerial, physical, and logical boundaries around your system.
The federal C&A process allows for great flexibility in the process of setting security authorization boundaries, so we are not required to physically and logically delineate our systems – although we have found it to be easier to manage the systems and security by doing so.
The system inventory
The next set of information you will need is a system inventory. The system inventory should include a comprehensive list of all firmware, hardware, and software. At a minimum for all firmware, hardware, and software you should include:
The vendor information (e.g. Microsoft, Cisco, Oracle).
The specific version or release (e.g. 1.0, 1.1.3.A.02).
The number of copies (this will help with developing the contingency plans).
A basic description and/or use.
Any security relevant information.
It is possible that the system is in the initiation or early stages of development and you have not acquired any firmware, software, or hardware. This is not a problem, but you should still be able to describe the components based on what tasks the components will perform. For example, you may not be able to give the actual technology that will be used to implement a web solution you are developing, such as Microsoft® IIS. However, you should be able to identify that you will be using a web server. You should document this information so that you will be able to more easily identify the technology-specific security requirements later.
Now that we have a base understanding of the system, we can set the authorization boundary. The authorization boundary should be based on the following criteria:
Be under the same management control. This requires the AO to be responsible for all components of the authorization boundary. For example, a system owner in Treasury should not be making a risk-based decision for the CIO at State Department. However, if a system in Treasury is going to interconnect or share information, the authorizing officials from both agencies should sign an MOU/MOA, or an interconnection security agreement (ISA), based on organizational policy.
Have the same function or mission objective and essentially the same operating characteristics and information security needs. The same function or mission objective allows you to delineate or group systems based on the information systems’ overall processing objective. For example, if you have a mission objective to provide taxpayers with refunds, then you may have several subsystems that allow you to meet that objective. You may have a subsystem that verifies social security numbers and address information with the Social Security Administration (SSA). Or a subsystem that compares the actual returns to information you have collected from banks, creditors, employers, etc. and a subsystem that contacts the Department of Treasury to cut the check or make a direct deposit into the taxpayer’s account. You may also decide that each one of the above mentioned subsystems have very specific security needs and do not fall under the same management control in your organization – therefore you will set independent authorization boundaries for each system. The important thing to remember is that you want to keep the authorization boundaries realistic.
Reside in the same general operating environment (or in the case of a distributed information system, reside in various locations with similar operating environments). This boundary deals specifically with the location where all or most of the important system components reside. For example, you may have a facility in one location that provides many common controls to other information systems that reside on or ride on the facilities’ telecommunication backbone. This would be considered a site accreditation based on location. You may also have a large distributed information system that is interconnected to other systems worldwide. In this instance, as long as the facilities (offices, datacenters, etc.) have similar operating environments (perform similar duties with similar security controls in place) then you can consolidate the authorization boundary. This is many times referred to as a type accreditation.
Choose the proper accreditation vehicle
Another initial step in performing any civilian federal C&A is to choose the proper accreditation vehicle. Basically you must ensure your system is not a DOD system or a National Security System (NSS). If the DOD has procured the system (providing funds to develop, procure, or manage the system through the DOD capital planning process) and the system is not a NSS, then read the previous chapter on DIACAP.
With all of the information sharing and intelligence sharing going on, it is very important for you to be able to distinguish whether or not your system is a NSS. By definition, a NSS is any information system (including any telecommunications system) used or operated by an agency or by another organization on behalf of an agency where:
the function, operation, or use of which: involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapon system; or is critical to the direct fulfillment of military or intelligence missions (excluding a system that is to be used for routine administrative and business applications, for example payroll, finance, logistics, and personnel management applications); or
is protected at all times by procedures established by an executive order or an act of Congress to be kept classified in the interest of national defense or foreign policy. [44 USC, Sec. 3542]
Once you are sure you do not have a DOD system or a NSS, let’s begin. Federal agencies use the authorization process as defined by NIST SP 800-37 and the risk management framework (RMF), as defined by NIST SP 800-39.
Figure 33: Risk management framework
Source: Adapted from the National Institute for Standards and Technology
Security authorization process
C&A, now called the “security authorization process” (SAP), is organized into three steps: preparation, execution, and maintenance. The process is supported by the risk management framework (RFM). The RFM is broken into six steps: categorizing the information system, selecting the security controls, implementing the security controls, assessing the security controls, authorizing the information system, and monitoring the current state. The six primary steps can be further broken down into 13 steps.
The figure below shows the risk management framework (RMF), which supports the life cycle approach to the authorization process.
Figure 34: RMF security/privacy control development
Source: Adapted from the National Institute for Standards and Technology
Step 1: Categorizing the information system
Once you have established the authorization boundary and ensured you have selected the proper accreditation vehicle, the next step is to categorize the information system. To do this, you will need to know what type of information/data will be stored, processed, transmitted, reviewed, disseminated, and managed by the system.
It is also very important to understand the information system’s current or future mission. You will use the information/data types and mission to derive the security categorization using NIST Special Publication 800-60 and FIPS 199 as your guides.
To support the analysis, it is useful to collect the following documents before conducting the security categorization:
A comprehensive system description that contains information about the system mission on data/information types (see above description of a system description).
The system’s enterprise architecture (EA) and the enterprise architecture security and privacy profile (EA SPP) if it is also available.
Any documentation relating to the acquisition, development, maintenance, or operation of the system (statement of work, technical description document, data models, data flow diagrams, coding standards, data/information libraries, data schemas, data dictionaries, SOPs, administrator’s guide, etc.).
The security categorization is a fairly straightforward process if you have enough information to perform the security categorization analysis. The security categorization analysis is also a very important step that will determine the baseline controls for your information system going forward. To determine the baseline controls, you will use NIST Special Publication 800-60.
NIST Special Publication 800-60 provides the mission-based, management, and support information types used as the foundation for assigning appropriate FIPS 199 impact levels. The FIPS 199 impact levels are based on the security objectives for confidentiality, integrity, and availability. FIPS 199 impact levels will be used to establish the actual security categorization, and correspondingly, the baseline control requirements. NIST Special Publication 800-60 is broken down into two volumes:
Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories.
Volume II: Guide for Mapping Types of Information and Information Systems to Security Categories Appendices.
Volume I outlines the step by step process of categorizing an information system and Volume II provides all of the information types and recommended categorizations. Let’s look at the process for properly categorizing an information system.
Before we begin, remember that you will only be performing the categorization on the information/data that is processed, transmitted, stored, disseminated, reviewed, or managed by the system you are analyzing. The rule of thumb is that you will never evaluate any information or data types outside your systems authorization boundary.
Step 1
• Document the agency’s business and mission areas. This will usually be found on the agency’s website or in the agency’s strategic plan. This will allow us to better understand whether or not our system is mission critical, mission essential, or mission support to the organization.
• Identify all of the information types that are input, stored, processed, managed, and/or output from each system.
• Identify mission-based information type categories based on supporting Federal Enterprise Architecture (FEA) lines of business.
• As applicable, identify management and support information type categories based on supporting FEA lines of business.
• Specify applicable sub-functions for the identified mission-based and management and support categories [NIST SP 800-60 Volume II, Appendices C and D].
• As necessary, identify other required information types (these will usually be agency specific). Many times you will find this information in the information system design documentation.
• Document applicable information types for the identified information system along with the basis for the information type selection.
Step 2
• Select the security impact levels for the identified information types from the recommended provisional impact levels for each identified information type [Volume II, Appendices C and D) or, from FIPS 199 criteria. FIPS 199 is described in detail below:
Federal Information Processing Standard (FIPS) 199 requires organizations to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability. The potential impact values assigned to the respective security objectives are the highest values (i.e. high water mark) from among the security categories that have been determined for each type of information resident on those information systems.
The generalized format for expressing the security category (SC) of an information system is:
SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)},
where the acceptable values for potential impact are low, moderate, or high.
Since the potential impact values for confidentiality, integrity, and availability may not always be the same for a particular information system, the high water mark concept is used to determine the impact level of the information system for the express purpose of selecting an initial set of security controls from one of the three security control baselines. Thus, a low-impact system is defined as an information system in which all three of the security objectives are low. A moderate-impact system is an information system in which at least one of the security objectives is moderate and no security objective is greater than moderate. And finally, a high-impact system is an information system in which at least one security objective is high.
Step 2 (continued)
• Determine the security category (SC) for each information type as described using the formula above.
• Document the provisional impact level of confidentiality, integrity, and availability associated with the system’s information type.
Step 3
• Review the appropriateness of the provisional impact levels based on the organization, environment, mission, use, and data sharing.
• Adjust the impact levels as necessary based on the following considerations:
• confidentiality, integrity, and availability factors;
• situational and operational drivers (timing, lifecycle, etc.);
• legal or statutory reasons.
• Document all adjustments to the impact levels and provide the rationale or justification for the adjustments.
Step 4
• Review identified security categorizations for the aggregate of information types.
• Determine the system security categorization by identifying the security impact level high water mark for each of the security objectives (confidentiality, integrity, availability):
SC system X = {(confidentiality, impact), (integrity, impact), (availability, impact)}
• Adjust the security impact level high water mark for each system security objective, as necessary.
• Assign the overall information system impact level based on the highest impact level for the system security objectives (confidentiality, integrity, availability).
• Follow the agency’s oversight process for reviewing, approving, and documenting all determinations or decisions
Once we have completed the security categorization we can move onto the next steps of registering the information system and selecting the security controls.
Step 2: Registering the information system
Registering the information system is the process of officially identifying and entering the information system in the system inventory. It establishes a relationship between the information system undergoing security authorization and the parent or governing organization that owns, manages, and/or controls the system. It is usually performed by the information system owner.
Registration of the information system requires that you have:
completed the authorization boundary;
identified and assigned all key authorization stakeholders (AO, system owner, ISO, and technical POCs);
completed a comprehensive system description.
Registration, either formal or informal in accordance with organizational policy, uses information in the system identification section of the security plan to inform the parent or governing organization of:
the existence of the information system;
the key characteristics of the system; and
any security implications for the organization due to the ongoing operation of the system.
Information system registration provides organizations with an effective management and tracking tool for security status reporting in accordance with the requirements of FISMA and OMB policy. Registration is also essentially the kickoff of the authorization process. It allows all stakeholders, including the information security engineering team, to start planning on providing information systems security engineering (ISSE) support throughout the information system’s development life cycle (SDLC).
Implementation tip: System registration is different in every federal agency (or DOD component). Sometimes it is executed completely outside the security program and performed as part of an information systems acquisition. It can also be tracked through the federal capital planning and investment control process (CPIC).
In most cases, the information system will be assigned a unique identifier during the registration process or it may reuse the OMB-300 number assigned to the system. Often, the registration process requires you to use an organizationally specific workflow tool and requires the system owner to submit the system through the change control board (CCB).
Step 3: Selecting the security controls
After the security categorization process and system registration is completed, the list of appropriate baseline security controls can be specified for each information system. Selection of security controls for an information system is one of the most important tasks in the authorization and security engineering process. The security control selection process, as described in NIST Special Publication 800-53, consists of three activities:
Set the baseline: Use the baseline and supplemental controls as outlined in NIST SP 800-53 and the minimum security requirements defined in FIPS 200. You will use the security categorization (SC) you assigned to your system as the basis for selecting the minimum required controls. The number of baseline controls increases as your SC becomes higher. For a low baseline, you will have fewer controls than you would for a moderate or high baseline. The rigor with which the controls are implemented and tested will also be based on the SC of the system (controls assigned a higher SC will be more comprehensive and tested with more rigor than controls of a lower SC).
Tailor the controls as needed: Tailor the controls with respect to specific mission and business processes, organizational requirements, and environments of operation. Tailoring allows you to decide which baseline controls are applicable to your information system and mission and identify which controls are not. For example, it is probably not a good idea to allow the console on a medical life support system to lock the screen every fifteen minutes – even if this is a requirement in your baseline controls. You may also have instances where the baseline controls are not applicable, simply because your information system does not implement a technology specific control. If your system does not employ Voice over Internet Protocol (VoIP), then you will be able to de-scope the control related to VoIP.
Supplement the tailored baseline: As required, supplement the tailored baseline security controls with additional controls based on an assessment of risk and local conditions including specific and credible threat information, organization-specific security requirements, cost-benefit analyses, and special circumstances. Every system and instance has specific requirements based on risk. For example, you may need to institute specific controls at the Department of Treasury on your systems that perform financial transactions, or you may have to tailor controls to a specific requirement your organization is required to meet. This may sound generic, but every single federal organization has specific mission requirements and, in many cases, specific laws, policies, and standards outside the baseline controls. Some examples would be Health Insurance Portability and Accountability Act (HIPAA) for medical systems and Federal Information System Controls Audit Manual (FISCAM) requirements for financial systems.
The following figure depicts the security control selection process.
Figure 35: Security control selection process
Source: Adapted from the National Institute for Standards and Technology
Security controls are typically characterized as system-specific, common, or hybrid (combination of system-specific and common).
System-specific controls are usually under the direct control of individual information system owners and their associated authorizing officials. They are generally not inherited as common controls, but are the specific technical, operational, and managerial implementations unique to the information system. Frequently, system-specific controls are technical in nature and are implemented at the system level. For example, you may have a common control (e.g. a policy) that requires your system to uniquely identify and authorize each user. In order to meet this requirement, your system uses a pin and biometric device to authenticate the users. The implementation of the common control policy would be the system-specific control.
Organizations may also assign a hybrid status to security controls in situations where one part of the control is deemed to be common, while another part of the control is deemed to be system-specific. For example, an organization may view the IR-1 (Incident Response policy and procedures) security control as a hybrid control, with the policy portion of the control determined to be common and the procedures portion of the control deemed to be system-specific. In another example, a hybrid control would implement the CP-2 (contingency planning) security control as a master template for a generalized contingency plan for all organizational information systems with individual information system owners tailoring the plan, where appropriate, for system-specific issues.
Many of the security controls needed to protect an information system (e.g. contingency planning controls, incident response controls, security training and awareness controls, personnel security controls, physical and environmental protection controls, and intrusion detection controls) may be excellent candidates for common security control status. By centrally managing the development, implementation, and assessment of the common security controls designated by the organization, security costs can be amortized across multiple information systems. When it comes to common controls the organization is responsible for:
identifying which security controls are to be considered common controls;
assigning responsibility for common controls to appropriate organizational entities;
developing, implementing, and assessing the effectiveness of common controls; and
ensuring that the appropriate information systems organization-wide can inherit the protection measures provided by the common controls.
The identification of common security controls should be an organization-wide activity and should consider the totality of the organization’s mission/business processes and the information systems supporting those processes. For each of the security control baselines defined in Special Publication 800-53 (low, moderate, and high impact), organizations should determine which security controls in each of the baselines are to be designated as common controls. The organization assigns responsibility for the development, implementation, and assessment of the selected common controls to specific organizational entities. The ultimate objective of the organization is to have accountability for every security control supporting the organization-wide protection strategy.
Since common security controls can provide protection for multiple information systems at different FIPS 199 impact levels, it is important for organizations to consider the most appropriate and cost-effective impact level for the common controls to be deployed to best accommodate the information systems using the controls. If the organization chooses to implement common controls at an impact level that falls below the highest impact levels required for individual information systems, then the system owners and authorizing officials for those systems should take appropriate actions to supplement those controls as required for any protection deficits that result at the system level.
If over 70% of your organization’s systems are rated moderate or below, it may also be cost effective to develop a separate physical and logical network for your higher categorized assets. For example, if your organization has a primary operations data center and a backup operations data center, it may be more cost effective to build separate rooms with separate logical connections to the rooms for those systems. This will allow your organization to implement more stringent logical, physical, and personnel controls without having to make major investments to protect your less important or lower categorized systems.
It is also important to tailor and supplement the control baseline based on your organization’s mission. In many cases, additional security controls or control enhancements will be needed to address specific threats to and vulnerabilities in information systems or to satisfy the requirements of applicable laws, executive orders, directives, policies, standards, or regulations.
Risk assessments at this stage in the security control selection process provide important inputs to determine the sufficiency of the security controls in the tailored baselines – that is, the security controls needed to adequately protect organizational operations and assets, individuals, other organizations, and the nation.
Documenting an organization’s protection strategy begins with the enterprise architecture description and the results of the security categorization process for the information and information systems supporting organizational mission/business processes. The security controls allocated to individual information systems and to the supporting infrastructure are documented in the respective security plans as described in NIST Special Publication 800-18.
Security plans provide an overview of the security requirements for the information systems and supporting infrastructure within an organization and describe the security controls in place or planned for meeting those requirements. The plans also describe the rationale for security categorization, tailoring, and supplementation activities, how individual controls are implemented within specific operational environments, and any use restrictions to be enforced on information systems due to high-risk situations.
Security plans provide a description of the risk mitigations that are deemed necessary to reflect the information system trustworthiness which is required to help ensure mission and business success. They are important because the plans document the decisions taken during the security control selection process and the rationale for those decisions. Security plans should be approved by the appropriate authorizing officials within the organization, since they are one of the key documents in security accreditation packages that are instrumental in authorization decisions.
Step 4: Implementing the security controls
Implementing security controls is the point where the information systems security engineering (ISSE) process is aligned with the respective phase of the SDLC. The earlier the information system is in the SDLC, the number of controls you will be able to implement will be limited by the maturity of the system. However, you should be considering the requirements for the later implementation of controls even at this early date.
If you are in the initiation stage of the SLDC, you should be designing many of the controls into your system architecture. You should use your system security plan (SSP) to assign planned controls along with dates based on your proposed operations schedule.
As you get closer to the full operation and authorization of the information system (and or continued maintenance on an existing information system), you will need to implement many more operational and managerial controls, such as patching, personnel training, personal background investigations for users (this may also be a common control). By the time your system is ready for the independent testing all controls will have been “baked into the solution” and you will have adequate documentation to backup the design and implementation.
As you implement the security controls, you should remember a few important things:
You need to have a clear picture of the system’s mission as you design the controls into the information system. You may have selected, tailored, and supplemented controls as needed – but you should not forget the operational deployment scenarios or the end users. Do not lock down a system so well that it does not function, but start implementing and testing the security controls early on in the system life cycle so that the controls are part of the system – not an afterthought that requires you to tradeoff security for functionality.
Use organizationally approved firmware, hardware, and software that align with the organization’s enterprise architecture when possible. This will allow your system to more easily fit, function, and be monitored with the rest of the organization’s assets.
As you are implementing each security control, remember to update your SSP with the most recent information. Keep all system development and vendor related information and documentation as it relates to each security control.
Cleary define each component in the information system, so you can choose the related lockdown guidance for the specific system components. For example, if you are developing a web-based application that will have a backend database, you should refer to NIST SP 800-70 and choose the following technology security guides:
• For the application itself, use the Defense Information System Agency (DISA) application – Security Technical Implementation Guidance (STIG).
• For the web server, use the DISA web server STIG (remember, if a technology specific guide does not exist use the generic STIG – in this case, use the web server STIG).
• For the database, use the DISA database STIG (if you were using an Oracle 10.0 database, then you would use the Oracle 10.0 STIG. If you were using a database that did not currently have a technology specific security guide, then use the generic DISA database STIG).
• Use NIST Special Publications when you need to understand a specific technology, such as secure socket layer (SSL), virtual private networks (VPN), intrusion prevention systems, etc.
Once you have completed the implementation of all of the required managerial, operational, and technical controls to the information system, ensure you complete an internal functional quality and security test of the information system and all of the security controls. Document any findings in both your SSP and create a plan of action and milestones (POA&M) for any security controls that are not in place or working as planned.
Step 5: Identify and select the independent security control assessor (assessment team)
The authorizing official (AO) must select a security control assessor that will be independent and impartial in regards to the system development or operation. Often, organizations have a list of approved assessors (internal or external) that are not currently providing system development or operational support to the agencies’ systems.
When selecting an assessor you should look for some of the following criteria:
The assessor(s) or entity that provides the assessor(s) should be independent of the acquisition, development, operation, or management of the system. This ensures the assessor(s) or entity that provides the assessor(s) do not have any organizational conflict of interest.
The assessor(s) should be trained, qualified, and certified to assess the controls in accordance with the organizational requirements.
The assessor(s) should undergo at least the same, even preferably more stringent background investigations, as those that are or will be operating the information system.
In small organizations with limited budgets that cannot afford to use a completely independent assessor, the AO should assign separate teams to implement and to carefully review each control together with a government official, such as the ISO. They may also choose to assign one or two individuals to perform independent verification and validation (IV&V) of selected security controls.
Step 6: Develop the security control assessment plan
The security assessor or team should develop a security assessment plan for each engagement. The following items should be considered by assessors in developing plans to assess the security controls in information systems:
information contacts;
a system/mission description;
the purpose of the test (annual assessment, independent authorization test, security impact analysis, etc.);
scope (authorization boundary);
objectives;
the framework being used (800-53A, COBIT, etc.);
the assessment methods;
automated tools;
roles and responsibilities (including testing team); and
assumptions and constraints.
Some of the actions you should take in developing the security control assessment plan include:
Determine which security controls/control enhancements are to be included in the assessment based upon the contents of the security plan and the purpose/scope of the assessment. You will need to review the SSP and gain a clear understanding of the system’s mission, the various system components, and the authorization boundary.
Select the appropriate assessment procedures and automated tools to be used during the assessment based on the security controls and control enhancements that are to be included in the assessment.
Tailor the selected assessment procedures, as needed.
Develop additional assessment procedures, if necessary, to address security controls and control enhancements that are not contained in NIST Special Publication 800-53, and to address additional assurance needs beyond what is provided in NIST Special Publication 800-53A. Remember that you need to perform complete coverage of all controls for all components.
Optimize the assessment procedures to reduce duplication of effort and provide cost-effective assessment solutions.
Finalize the assessment plan and obtain the necessary approvals to execute the plan from the authorization official.
Step 7: Prepare for the test
After the test plan is approved, your next step should be a formal kickoff meeting with the system stakeholders. This is also where you should request any outstanding documentation that you may have not been given at this point. At a minimum you should ask for:
The completed and updated information system SSP (if it has changed from a version provided earlier)
The organization’s common control SSP, if it exists, to include any testing results to ensure the common controls can be inherited as stated.
Any documents related to the design, configuration, deployment, security, and or maintenance of the system (these may be appendixes to the SSP).
Supporting materials such as procedures, reports, logs, and records showing evidence of security control implementation.
Previous assessment results from tests conducted within the past 365 days that are directly related to the controls stated in the SSP.
Organizational policies, procedures, guidelines, standards, or written documentation stating organizational security requirements.
Internet protocol (IP) addresses and any configuration that will be required to perform your automated tests (to include rules of engagement and authorized scanning times).
Step 8: Conduct the security controls assessment test
At this point, you should have a good idea how the actual testing is going to take place based on your test plan, meetings, and any information provided by the system stakeholders. However, here are with some things to remember to do a few days before the actual SCA test:
Always test your automated tools to ensure they are working correctly and all licenses are up to date. We cannot count the number of times security assessors have shown up to the testing site and they discover the licenses on the assessment software to be tested are either expired or the tool is not adequate or appropriate for the type of system being tested.
Download the latest patches/updates for your systems and double check to ensure your configurations meet the baseline requirements of the organization to which your systems will connect to perform the automated tests.
Make sure you have all the authorized tools and media you will need to collect evidence for the test.
What follows is a list of some of the things to remember before you arrive onsite for the SCA test:
Call your onsite testing POC to make sure everything is a go so that you can make any last minute changes if need be.
Pre-brief your team and go over any last minute changes to the test plan or schedule.
Ensure your team has approved identification and clearly understands the sites rules of engagement for testing.
Ensure you have an updated slide deck for the in-brief and out-brief.
Remember that the controls assessment is used to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the information system. The assessor’s job is to help the authorizing official make a truly risk-based authorization decision on the information system being assessed using unbiased, factual reporting.
You are there to help in the authorization process, not hinder the operational mission of the organization. Ensure you provide specific recommendations on how to correct weaknesses or deficiencies in the controls and reduce or eliminate identified vulnerabilities as you proceed through the assessment. Speak with technical POCs and provide suggestions on how they can fix, remediate, and mitigate issues found.
After the test is completed, it is important to provide a high-level report to the stakeholders on any issues, findings, and recommendations from the security control assessment. This should be done in the same or a similar format that you will use for the final assessment report. It is also useful to develop and deliver an executive out-brief in the form of a handout or slideshow. We usually do this prior to sending the final report – there is not as much confusion and it also allows the stakeholders to provide any last minute information that might be needed in the final report.
Some tips for preparing the final assessment report
Here are several useful tips when preparing the final assessment report:
Remove false positives. You can do this by looking for results and findings that do not match actual evidence. Often, scan results will come back with findings on services or even systems that were not part of the authorization boundary. For example, on many occasions, we have seen scan results that do not properly enumerate systems we know about or list vulnerabilities on printers or devices that were not scanned or are not part of the authorization boundary.
Perform in-depth analysis on results and prioritize findings based on severity and risk based on organization and mission requirements.
Research weaknesses found during the assessment and perform analysis to provide possible remediation, mitigation, or acceptance strategies.
Prepare the final assessment in a format that allows the information system owner the ability to write a clear and concise plan of actions and milestones (POA&M) for each finding.
Step 9: Update the system security plan
Now that the assessment is complete, the security plan should be updated to reflect the actual state of the security controls. Particularly when the plan was developed early in the life cycle, the system owner or whoever completed the SSP may have believed the system met or exceeded certain control requirements. After completion of the test, however, this may no longer be true. As a result, the SSP should contain an accurate list and description of the security controls implemented (including compensating/ supplemental controls) and a list of identified vulnerabilities (i.e. security controls not implemented or not implemented correctly).
Step 10: Develop the POA&M
The POA&M describes the specific measures that are planned to correct any weaknesses or deficiencies in the security controls noted during the security control assessment and to address the remaining known vulnerabilities in the information system.
The actual POA&M document identifies:
the security control not being met;
the actual weaknesses or vulnerabilities;
the tasks needing to be accomplished;
the resources required to accomplish the elements of the plan (usually quantitative in a dollar amount);
any milestones in meeting the tasks;
the scheduled completion dates for the milestones. Thus, the plan of action and milestones is used by the authorizing official to monitor the progress in correcting weaknesses or deficiencies noted during the security control assessment;
the status of the POA&M:
• ongoing,
• completed,
• non applicable, or
• not tested; and
the risk based decision (whether the authorizing official has decided to accept the risk).
It is also possible that the POA&M includes information on the type of POA&M (such as enterprise or system-specific), the level of risk, any ongoing maintenance costs related to the POA&M, who discovered the weakness, and comments related to the POA&M.
Step 11: Security authorization decision
Now that the SSP has been updated to reflect the results of the final security assessment report (SAR) from the SCA test and a current POA&M has been developed, you now have the documents required for a complete authorization package. This package will be sent forward to the AO for an authorization decision.
Figure 36: Security authorization package
Source: Adapted from the National Institute for Standards and Technology
The AO’s risk based authorization decision should be based on the content of the security authorization package as it relates to:
the system’s ability to meet the organizational security and risk objectives;
the system’s operational/mission capability against the system’s current residual risk; and
input provided by system stakeholders, the risk executive or related positions as it relates to the system’s risk should it be authorized to operate.
The AO’s decision will result in the development of an authorization decision document. The authorization decision document contains the following information:
authorization decision;
terms and conditions for the authorization;
authorization termination date (ATD);
a formal signature by the AO (digital or non-digital).
The security authorization decision indicates to the information system owner whether the system is:
authorized to operate (ATO);
or has been denied authorization to operate (DATO).
The terms and conditions for the authorization provide a description of any specific limitations or restrictions placed on the operation of the information system that must be followed by the system owner.
Step 12: Continuous monitoring and ongoing risk acceptance
Once a system has been authorized for operation, it now needs to be entered into the organization’s continuous monitoring program. This allows an organization to maintain the security authorization of an information system over time in a highly dynamic environment of operation with changing threats, vulnerabilities, technologies, and mission/business processes.
Continuous monitoring of security controls should take advantage of automated support tools to facilitate near real-time risk management for information systems. An effective continuous monitoring program includes:
strict configuration management and control processes;
security impact analyses on actual or proposed changes to information systems and environments of operation;
assessment of selected security controls in information systems and controls inherited by those systems (i.e. common controls);
security status reporting to appropriate organizational officials.
We cannot stress how important the use of strict configuration management and control processes are to the continuous monitoring of your systems. In order for continuous monitoring to work, you need to become situationally aware of your systems and environment. Although automated tools can make this process much easier to manage, nothing replaces a strong and strictly enforced configuration management process. You need to know when and what changes are happening to your environment on an ongoing basis. If you are aware of changes going on in your environment, you can properly perform security impact analysis of these changes.
Your organization should develop a change control board (CCB) if one does not already exist. Both the authorizing official and the security team play an important role in the CCB and should have voting roles. You can also use the CCB to provide the system owner with guidance on updating security authorization packages or when a change is significant enough to require the system to undergo a new authorization process.
Step 13: Decommissioning the information system
This is the last step in the authorization process for information systems in federal agencies. At the end of an information system’s life, it is very important to properly decommission the system. Decommissioning an information system allows you to formally remove the system registration from the organization’s inventory or registration system.
Some things you should remember when decommissioning your system:
Ensure to follow organizational media protection requirements. Many times organizations have well established requirements, policies, and system checklists to formally retire a system.
Do not forget that most systems have records management and data retention requirements – even if the system is going away – the data must usually be retained for an organizationally defined period.
Ensure the AO formally signs the information system decommissioning paperwork. This will provide the required information the organizational IG will usually require so that they do not have to report the status of the system.
|
Further reading |
|
National Institute of Standards and Technology (NIST) Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems (Final Public Draft), July 2008. |
|
National Security Systems (NSS) Instruction No. 1253 (ODNI/CIO Draft 4), Security Control Catalog for National Security Systems, December 2007. |
|
National Security Systems (NSS) Instruction No. 1253A (ODNI/CIO Draft 2), Guide for Assessing the Security Controls in National Security Systems, July 2008. |
References
Department of Defense (DOD) Directive 8500.1, Information Assurance, November 21, 2003.
Director of Central Intelligence Directive 6/3, Protecting Sensitive Compartmented Information Within Information Systems, June 1999.
National Institute of Standards and Technology (NIST) Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, May 2004.
National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 2, Recommended Security Controls for Federal Information Systems, December 2007.
National Institute of Standards and Technology (NIST) Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems (Final Public Draft), July 2008.
National Institute of Standards and Technology (NIST) Special Publication 800-59, Guideline for Identifying an Information System as a National Security System, August 2003.
National Institute of Standards and Technology (NIST) Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, June 2004.
National Institute of Standards and Technology (NIST) Special Publication 800-64, Revision 1, Security Considerations in the Information System Development Life Cycle, June 2004.
National Institute of Standards and Technology (NIST) Special Publication 800-100, Information Security Handbook: A Guide for Managers, October 2006.
National Security Systems (NSS) Instruction No. 1253 (ODNI/CIO Draft 4), Security Control Catalog for National Security Systems, December 2007.
National Security Telecommunications and Information Systems Security Instruction No. 1000, National Information Assurance Certification and Accreditation Process (NIACAP), April 2000.
Office of Management and Budget, Circular A-130, Appendix III, Transmittal Memorandum #4, Management of Federal Information Resources, November 2000.