An Act to strengthen Federal Government information security, including through the requirement for the development of mandatory information security risk management standards. OMB uses this data to assist in its oversight responsibilities and to prepare an annual report to Congress on agency compliance with the act. 68 billion or about 9.2 percent of the total information technology portfolio.
In particular, FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. NIST works closely with federal agencies to improve their understanding and implementation of FISMA to protect their information and information systems and publishes standards and guidelines which provide the foundation for strong information security programs at agencies. NIST performs its statutory responsibilities through the Computer Security Division of the Information Technology Laboratory. NIST develops standards, metrics, tests, and validation programs to promote, measure, and validate the security in information systems and services. FISMA requires that agencies have in place an information systems inventory. The identification of information systems in an inventory under this subsection shall include an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency.
The guidelines are provided by NIST SP 800-60 “Guide for Mapping Types of Information and Information Systems to Security Categories”. The overall FIPS 199 system categorization is the “high water mark” for the impact rating of any of the criteria for information types resident in a system. For example, if one information type in the system has a rating of “Low” for “confidentiality,” “integrity,” and “availability,” and another type has a rating of “Low” for “confidentiality” and “availability” but a rating of “Moderate” for “integrity,” then the impact level for “integrity” for the whole system becomes “Moderate”. Federal information systems must meet the minimum security requirements.
These requirements are defined in FIPS 200 “Minimum Security Requirements for Federal Information and Information Systems”. The security controls that satisfy them are specified in NIST Special Publication 800-53 “Recommended Security Controls for Federal Information Systems”. The process of selecting the appropriate security controls and assurance requirements for organizational information systems to achieve adequate security is a multifaceted, risk-based activity involving management and operational personnel within the organization. Agencies have flexibility in applying the baseline security controls in accordance with the tailoring guidance provided in Special Publication 800-53. This allows agencies to adjust the security controls to more closely fit their mission requirements and operational environments.
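As an added illustration (not text or code from the page or from NIST), the following Python applies the FIPS 199 high water mark rule described above and derives the overall impact level that selects the SP 800-53 baseline. The information type names and ratings are constructed inputs; the only rule beyond the page is that FIPS 199 permits a rating of “not applicable” solely for confidentiality.

```python
# Added example: FIPS 199 high-water-mark categorization of a system from its
# information types, and the overall impact level used to pick the SP 800-53
# baseline. Information type names and ratings below are constructed.

from typing import Dict

OBJECTIVES = ("confidentiality", "integrity", "availability")
# Ordered impact scale; N/A is only valid for confidentiality (FIPS 199).
LEVELS = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
NAMES = {v: k for k, v in LEVELS.items()}


def _norm(rating: str) -> str:
    """Canonicalise a rating such as 'Low' or 'moderate' to its key in LEVELS."""
    r = rating.strip().upper()
    if r not in LEVELS:
        raise ValueError(f"unknown impact level: {rating!r}")
    return r


def categorize_system(info_types: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Return the per-objective high water mark across all information types."""
    if not info_types:
        raise ValueError("a system must contain at least one information type")
    result = {}
    for obj in OBJECTIVES:
        worst = 0
        for name, ratings in info_types.items():
            if obj not in ratings:
                raise ValueError(f"{name!r} has no {obj} rating")
            level = LEVELS[_norm(ratings[obj])]
            if level == 0 and obj != "confidentiality":
                raise ValueError(f"{name!r}: N/A is only permitted for confidentiality")
            worst = max(worst, level)  # high water mark for this objective
        result[obj] = NAMES[worst]
    return result


def overall_impact(sc: Dict[str, str]) -> str:
    """Overall system impact = highest of the three objectives; this selects
    the low, moderate or high SP 800-53 baseline."""
    return NAMES[max(LEVELS[_norm(v)] for v in sc.values())]


# Constructed example mirroring the page's two information types.
EXAMPLE_TYPES = {
    "routine administrative data": {"confidentiality": "Low", "integrity": "Low", "availability": "Low"},
    "financial records": {"confidentiality": "Low", "integrity": "Moderate", "availability": "Low"},
}

if __name__ == "__main__":
    sc = categorize_system(EXAMPLE_TYPES)
    print(sc, "->", overall_impact(sc))  # integrity becomes MODERATE, overall MODERATE
```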
The controls selected or planned must be documented in the System Security Plan. The combination of FIPS 200 and NIST Special Publication 800-53 requires a foundational level of security for all federal information and information systems. Risk is then determined by calculating the likelihood and impact that any given vulnerability could be exploited, taking into account existing controls. The culmination of the risk assessment shows the calculated risk for all vulnerabilities and describes whether each risk should be accepted or mitigated.
If a risk is mitigated by the implementation of a control, one needs to describe what additional security controls will be added to the system. Agencies should develop policy on the system security planning process. NIST SP 800-18 introduces the concept of a System Security Plan. System security plans are living documents that require periodic review, modification, and plans of action and milestones for implementing security controls. Procedures should be in place outlining who reviews the plans, keeps the plan current, and follows up on planned security controls. The system security plan is the major input to the security certification and accreditation process for the system. During the security certification and accreditation process, the system security plan is analyzed, updated, and accepted.
The certification agent confirms that the security controls described in the system security plan are consistent with the FIPS 199 security category determined for the information system, and that the threat and vulnerability identification and initial risk determination are identified and documented in the system security plan, risk assessment, or equivalent document. Once the system documentation and risk assessment have been completed, the system’s controls must be reviewed and certified to be functioning appropriately. Based on the results of the review, the information system is accredited. The certification and accreditation process is defined in NIST SP 800-37 “Guide for the Security Certification and Accreditation of Federal Information Systems”.