CIPP Guide » CIA

Recommended Security Controls for Federal Information Systems

hannah — Tue, 26 Oct 2010 16:00:38 +0000

The National Institute of Standards and Technology (NIST) is responsible for developing standards and guidelines for information security for all civilian federal agencies. It produces security controls for information systems, which are the safeguards necessary to protect the confidentiality, integrity and availability of the data. The NIST SP (Special Publication) 800-53: Recommended Security Controls for Federal Information Systems defines security controls for executive agencies of the US federal government. This article introduces the publication and some of its key concepts.

Purpose of NIST SP 800-53

The FISMA (Federal Information Security Management Act) mandates that information system must adequately protect government data. Under the FISMA, the responsibility for developing security standards falls under the jurisdiction of the NIST. The NIST SP 800-53 provides guidelines for federal agencies to select and define security controls for their information systems. It is also used in non-federal government and private sector organizations as well.

Within the context of federal agencies, the publication was created to achieve the following:

Facilitate a consistent approach to select and specify information security controls.
Offer minimum information security controls.
Offer a catalog of information security controls to meet the current and future security needs of organizations.
Form a basis to develop security control assessment methods and procedures.

The NIST SP 800-53 is directed towards information system and security professionals, which may include:

Chief information officers
Senior agency information security officers
Authorizing officials
Program/project managers
Mission/application owners
System designers
System/application programmers
Information system owners
Information owners
Information system administrators
Information system security officers
Auditors
Inspectors general
Evaluators
Certification agents

Organization & Structure

There are three general classes of security controls and seventeen security control families, as listed below:

Management

Certification, Accreditation and Security Assessments
Planning
Risk Assessment
System and Services Acquisition

Operational

Awareness and Training
Configuration Management
Contingency Planning
Incident Response
Maintenance
Media Protection
Physical and Environmental Protection
Personnel Security
System and Information Integrity

Technical

Access Control
Audit and Accountability
Identification and Authentication
System and Communications Protection

Baselines

The concept of baseline controls refer to the minimum security controls that are recommended for a system, based on its security categorization. The baseline enables agencies and organizations to determine the safeguards needed to protect the systems.

However, baselines alone are not enough to properly manage risk. The following considerations must be made when selecting baseline controls:

Security Controls – Which security controls are “common” controls? How does this relate to the responsibilities of the owners of the information systems?
Operational Environment – How can the operational environment of the system affect physical security controls?
Physical Infrastructure – Do the security controls of the facility provide adequate protection to the information system and its assets?
Public Access – What special security controls are necessary if users access the system through public interfaces? How are the issues of identification and authentication handled?
Technology – What types of technologies are being used within the system (e.g. cryptography, public key infrastructure, wireless technologies)? Which risks can be mitigated through automated mechanisms?
Policy and Regulation – Which laws, Executive Orders, directives, policies, standards or regulations apply to the types of data or systems used by the agency?
Security Objectives – Can any security controls be downgraded to the corresponding controls of a lower baseline?

There are three sets of baseline controls: low-impact, moderate-impact and high-impact levels. This is based on FIPS 199 (Federal Information Processing Standards Publication), which is the mandatory federal security categorization standard. Each impact level is associated with a different security category. Security categories facilitate the proper selection of security controls, as well as how to supplement the baseline to appropriately manage risk.

Security categories (low, moderate or high) are based on the security objectives of confidentiality, integrity and availability. The format for representing the security category (SC) of a system is as follows:

SC_{information system} = {(confidentiality, impact), (integrity, impact), (availability, impact)}

Potential impact values for each objective can be low, moderate or high. Low-impact systems are information systems that have all three security objectives set at “low.” Moderate-impact systems have at least one “moderate” security objective and no objectives greater than moderate. High-impact systems have at least one “high” security objective.

Overall impact levels of information systems take into consideration three elements:

1. Different types of information processed, stored or transmitted by the system.

2. Impact levels of each type of information.

3. Security categorization for each security objective.

The overall impact level is determined from the highest impact level of the three security objectives.

Risk Management

Proper risk management is crucial for any information security program. The risk approach balances security controls with efficacy, legislation, directives, regulations and policies. According to the NIST Risk Management Framework, managing risk involves the following steps:

The information system is categorized.
A set of baseline security controls are selected and used as a starting point for a risk assessment.
The baseline set of controls are supplemented with additional information, including agency security requirements, threat information and other circumstantial information.
The adjusted set of security controls is documented in the system security plan.
Security controls are implemented into the system.
Security controls are assessed using the appropriate methods and procedures.
Information system operation is based on risk determination. This may involve risk to operations, assets or individuals.
The selected security controls are monitored and assessed continuously. Any changes to the system are considered and reported as well.

Updating Controls

The security controls may need to be reassessed and updated. There are a number of events that may trigger this, including:

Data breach
Identification of a new and credible threat
Major changes to the system configuration

According to the NIST SP 800-53, it is recommended to take the following precautions:

Assess the sensitivity of the system and data processed, stored or transmitted by that system.
Assess the current situation of the system, taking into consideration vulnerabilities, threats and risks.
Determine any necessary corrections that may need to be initiated.
Determine if reaccreditation of the system is necessary.

Summary

This article introduces the NIST SP 800-53, which outlines recommended security standards and controls for information systems in federal agencies. The framework was developed as a mandate of the FISMA (Federal Information Security Management Act of 2002), and is recommended for use in the private sector as well. The article outlines the purpose of the NIST publication and lists the organizational structure for the security controls. It also looks at the process by which the controls are selected and how baseline controls can be updated to better reflect an organization’s security situation. Finally, the article outlines the reasons for which controls may be updated and how agencies or organizations can respond to events.

CIPP/G Preparation

In preparation for the Certified Information Privacy Professional/US Government exam, a privacy professional should be comfortable with topics related to this post, including:

FISMA performance (I.C.f.i.3.)
System compliance (I.C.f.i.ii.)

Executive Order 12333- United States Intelligence Activities

jbrook — Tue, 16 Mar 2010 12:00:18 +0000

Executive Order 12333 was issued in 1981 to regulate national intelligence activities. Part I of the Order outlines the goals and responsibilities of major Federal Agencies and Departments involved with national security an intelligence gathering. Part II created regulations for the collection of intelligence information.

Collection of Intelligence Information

Information is essential to national security. However, the need for such information does not override an individual’s right to privacy and safety. Part II of Executive Order 12333 states: “Collection of such information is a priority objective and will be pursued in a vigorous, innovative and responsible manner that is consistent with the Constitution and applicable law and respectful of the principles upon which the United States was founded.”

The following are the only permissible types of information that may be collected:

Publicly available information
Information obtained with the consent of the individual
Information considered foreign intelligence or counterintelligence or obtained during the course of such investigations
Information necessary to protect any person or organization from harm
Information about potential sources in order to determine credibility
Information that is obtained during the course of a lawful investigation
Information obtained through overheard reconnaissance as long as U.S. individuals are not specifically targeted.
Any information obtained incidentally which suggests criminal activity
Information needed for administrative purposes

Executive Order 12333 also places limits on how information may be collected. The following collection methods are not allowed unless otherwise authorized by the guidelines of the agency or the approval of the Attorney General.

In general, agencies may not use:

electronic surveillance
mail surveillance
physical surveillance
unconsented physical searches
monitoring devices

The order also outlines a few more specific restrictions:

The CIA may not conduct electronic surveillance in the United States excep for training, testing or conducting countermeasures
No agencies other than the FBI may conduct unconsented physical searches unless
- the search is against military personnel and approved by an authorized military commander
- the search is conducted by the CIA against non-United States persons lawfully in its possession
No agency may use physical surveillance against a United States person abroad to collect foreign intelligence unless it is the only mean of collecting such information.
The Attorney General of the United States is authorized to approve the use of any intelligence techniques for any purposes against any persons as long as probably cause has been determined.

Significance of Executive Order 12333

Executive Order was originally created with the following goals (Section 1.1)

To foster analytical competition in the Intelligence community
To develop intelligence information as consistent with United States Law and with consideration of the rights of United States Persons
Detecting and Countering espionage, terrorism and other threats
To allow the free exchange of information as consistent with United States law and with consideration of the rights of United States Persons

The Order was amended in 2008 to include the following statement in its list of goals, “The United States Government has a solemn obligation, and shall continue in the conduct of intelligence activities under this order, to protect the legal rights of all United States persons, including freedoms, civil liberties, and privacy rights guaranteed by Federal law.”

Executive Order 12333 was created primarily to expand intelligence activities of the U.S. Government and coordinate such activities between different departments and agencies. Protection of privacy for U.S. persons was a secondary concern as evidenced by the wide range of information that may be collected and lack of oversight. However, by outlining the types of information that may be collected, the Order restricts the gathering of information outside of those provisions. The collection restrictions also reinforce privacy protections guaranteed under the Privacy Act of 1974 and similar public sector privacy laws. At its core, Executive Order 12333 is an attempt to reconcile the need for intelligence information with the protection of privacy and civil liberties by the U.S. Government.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

Executive Order 12333