Guide for developing security plans for federal


Guide for Developing Security Plans for Federal Information Systems

NIST Special Publication 800-18 Revision 1. Marianne Swanson, Joan Hash, Pauline Bowen.

Reports on Information Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology promotes the United States economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL's responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of non-national security related information in federal information systems. This Special Publication 800 series reports on ITL's research, guidelines, and outreach efforts in information system security and its collaborative activities with industry, government, and academic organizations.

This document has been developed by the National Institute of Standards and Technology (NIST) in furtherance of its statutory responsibilities under the Federal Information Security Management Act of 2002, Public Law 107-347.

NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III.

This guideline has been prepared for use by federal agencies. It may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright. Attribution would be appreciated by NIST.

Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official.

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

Acknowledgements

The National Institute of Standards and Technology would like to acknowledge the authors of the original NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems. The original document was used as the foundation for this revision. Additionally, thank you to all the NIST staff that reviewed and commented on the document.

Table of Contents

Executive Summary ... vii
1 Introduction ... 1
1.1 Background ... 1
1.2 Target Audience ... 1
1.3 Organization of Document ... 1
1.4 Systems Inventory and Federal Information Processing Standards (FIPS) 199 ... 2
1.5 Major Applications, General Support Systems, and Minor Applications ... 2
1.6 Other Related NIST Publications ... 3
1.7 System Security Plan Responsibilities ... 3
1.7.1 Chief Information Officer ... 4
1.7.2 Information System Owner ... 5
1.7.3 Information Owner ... 5
1.7.4 Senior Agency Information Security Officer (SAISO) ... 6
1.7.5 Information System Security Officer ... 6
1.7.6 Authorizing Official ... 7
1.8 Rules of Behavior ... 7
1.9 System Security Plan Approval ... 8
2 System Boundary Analysis and Security Controls ... 9
2.1 System Boundaries ... 9
2.2 Major Applications ... 11
2.3 General Support Systems ... 12
2.4 Minor Applications ... 12
2.5 Security Controls ... 13
2.5.1 Scoping Guidance ... 13
2.5.2 Compensating Controls ... 15
2.5.3 Common Security Controls ... 16
3 Plan Development ... 19
3.1 System Name and Identifier ... 19
3.2 System Categorization ... 19
3.3 System Owner ... 19
3.4 Authorizing Official ... 20
3.5 Other Designated Contacts ... 20
3.6 Assignment of Security Responsibility ... 21
3.7 System Operational Status ... 21
3.8 Information System Type ... 21
3.9 General Description/Purpose ... 21
3.10 System Environment ... 22
3.11 System Interconnection/Information Sharing ... 23
3.12 Laws, Regulations, and Policies Affecting the System ... 23
3.13 Security Control Selection ... 24
3.14 Minimum Security Controls ... 24
3.15 Completion and Approval Dates ... 26
3.16 Ongoing System Security Plan Maintenance ... 26
Appendix A Sample Information System Security Plan Template ... 27
Appendix B Glossary ... 31
Appendix C References ... 41

Executive Summary

The objective of system security planning is to improve protection of information system resources. All federal systems have some level of sensitivity and require protection as part of good management practice. The protection of a system must be documented in a system security plan. The completion of system security plans is a requirement of the Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, and Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA).

The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. It should reflect input from various managers with responsibilities concerning the system, including information owners, the system owner, and the senior agency information security officer (SAISO). Additional information may be included in the basic plan, and the structure and format organized according to agency needs, so long as the major sections described in this document are adequately covered and readily identifiable.

In order for the plans to adequately reflect the protection of the resources, a senior management official must authorize a system to operate. The authorization of a system to process information, granted by a management official, provides an important quality control. By authorizing processing in a system, the manager accepts its associated risk.

Management authorization should be based on an assessment of management, operational, and technical controls. Since the system security plan establishes and documents the security controls, it should form the basis for the authorization, supplemented by the assessment report and the plan of actions and milestones. In addition, a periodic review of controls should also contribute to future authorizations. Re-authorization should occur whenever there is a significant change in processing, but at least every three years.

1 Introduction

Today's rapidly changing technical environment requires federal agencies to adopt a minimum set of security controls to protect their information and information systems. Federal Information Processing Standard (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems, specifies the minimum security requirements for federal information and information systems in seventeen security-related areas. Federal agencies must meet the minimum security requirements defined in FIPS 200 through the use of the security controls in NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems. NIST SP 800-53 contains the management, operational, and technical safeguards or countermeasures prescribed for an information system. The controls selected or planned must be documented in a system security plan. This document provides guidance for federal agencies for developing system security plans for federal information systems.

1.1 Background

Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), requires each federal agency to develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. System security planning is an important activity that supports the system development life cycle (SDLC) and should be updated as system events trigger the need for revision in order to accurately reflect the most current state of the system. The system security plan provides a summary of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements. The plan also may reference other key security-related documents for the information system, such as a risk assessment, plan of action and milestones, accreditation decision letter, privacy impact assessment, contingency plan, configuration management plan, security configuration checklists, and system interconnection agreements, as appropriate.

1.2 Target Audience

Program managers, system owners, and security personnel in the organization must understand the system security planning process. In addition, users of the information system and those responsible for defining system requirements should be familiar with the system security planning process. Those responsible for implementing and managing information systems must participate in addressing security controls to be applied to their systems. This guidance provides basic information on how to prepare a system security plan and is designed to be adaptable in a variety of organizational structures and used as reference by those having assigned responsibility for activity related to security planning.

1.3 Organization of Document

This publication introduces a set of activities and concepts to develop an information system security plan. A brief description of its contents follows.

Chapter 1 includes background information relevant to the system security planning process, target audience, information on FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, a discussion of the various categories of information systems, identification of related NIST publications, and a description of the roles and responsibilities related to the development of system security plans.

Chapter 2 discusses how agencies should analyze their information system inventories in the process of establishing system boundaries. It also discusses identification of common security controls and scoping guidance.

Chapter 3 takes the reader through the steps of system security plan development.

Appendix A provides a system security plan template.

Appendix B provides a glossary of terms and definitions.

Appendix C includes references that support this publication.

1.4 Systems Inventory and Federal Information Processing Standards (FIPS) 199

FISMA requires that agencies have in place an information systems inventory. All information systems in the inventory should be categorized using FIPS 199 as a first step in the system security planning activity.

FIPS 199 is the mandatory standard to be used by all federal agencies to categorize all information and information systems collected or maintained by or on behalf of each agency, based on the objectives of providing appropriate levels of information security according to impact. Security categorization standards for information and information systems provide a common framework and understanding for expressing security that, for the federal government, promotes (i) effective management and oversight of information security programs, including the coordination of information security efforts throughout the civilian, national security, emergency preparedness, homeland security, and law enforcement communities; and (ii) consistent reporting to the Office of Management and Budget (OMB) and Congress on the adequacy and effectiveness of information security policies, procedures, and practices.

1.5 Major Applications, General Support Systems, and Minor Applications

All information systems must be covered by a system security plan and labeled as a major application [1] or general support system. [2] Specific system security plans for minor

[1] OMB Circular A-130, Appendix III defines major application as an application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application.