NIST Publications - USALearning


NIST Publications

Table of Contents
Legal and Regulatory Requirements (NIST Publications) ... 2
NIST Publications ... 3
FIPS and SPs ... 4
FISMA Phase I Publications ... 5
FIPS 199 ... 6
FIPS 200 ... 7
NIST Special Instructions – NIST SP 800-18 Rev 1 ... 8
NIST Special Instructions – NIST SP 800-30 Rev 1 ... 10
NIST Special Instructions – NIST SP 800-37 Rev 1 ... 11
NIST Special Instructions – NIST SP 800-39 ... 14
NIST Special Instructions – NIST SP 800-53 Rev 4 ... 15
NIST Special Instructions – NIST SP 800-53 Rev 4 ... 17
NIST Special Instructions – NIST SP 800-53A Rev 1 ... 19
NIST Special Instructions – NIST SP 800-59 ... 20
NIST Special Instructions – NIST SP 800-60 Rev 1 ... 21
NIST Special Instructions – NIST SP 800-70 Rev 2 ... 23
NIST Special Instructions – NIST SP 800-137 ... 24
Notices ... 27

Page 1 of 27

Slide 1: Legal and Regulatory Requirements (NIST Publications)

**001 Dean Bushmiller: Let's get into the legal and regulatory requirements. Really what we want to focus in on is our tools that we're going to use. These are the NIST Special Publications.

Slide 2: NIST Publications
NIST created several information technology security publications to provide guidance and resources to aid organizations in implementing security programs.
The following types of NIST information technology security publications are available from the NIST website http://csrc.nist.gov/publications/
- Federal Information Processing Standards (FIPS)
- Special Publications (SPs)
- NIST Interagency Reports (NISTIRs)
- Information Technology Laboratory (ITL) Bulletins

**002 So we're going to focus on the NIST Special Publications here; and a couple of branches that are around them.
I love these documents. When I have nothing, I can reach to the NIST Special Publication, to the FIPS Standards, to the NIST Interagency Reports, to the Information Technology Laboratory Bulletins. I can reach to them and they'll give me guidance on what I need.
They're great guidance in general. And so let's look at the ones that are relevant to what we're talking about here.

Slide 3: FIPS and SPs
FIPS
- Issued by NIST after approval by the Secretary of Commerce
- Mandatory standards to be used by all federal agencies
Special Publications (SPs) - the SP 800 series
- Established in 1990 to provide a separate identity for information technology security publications
- Included documents of general interest to the computer security community
- Reports on the Information Technology Laboratory's research, guidelines, outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.

**003 Before we get into that, we need to separate the FIPS and the Special Publications; and the understanding between them.
So NIST is going to issue these; and these are mandatory. So all the FIPS are mandatory in any federal agency whatsoever. The Special Publication series is really good guidance; it's not quite mandatory at that point.
But listen; let me tell you something. If they're saying to do it in this Special Publication and it's after the first version of that document, it's well-heeled advice that has been collected from the entire community out there. So it's a really good reason to do exactly that thing.

Slide 4: FISMA Phase I Publications
- FIPS Publication 199 – Security Categorization
- FIPS Publication 200 – Minimum Security Requirements
- NIST SP 800-18 – Security Planning
- NIST SP 800-30 – Risk Assessment
- NIST SP 800-37 – Risk Management Framework
- NIST SP 800-39 – Risk Management
- NIST SP 800-53 – Recommended Security Controls
- NIST SP 800-53A – Security Control Assessment
- NIST SP 800-59 – National Security Systems
- NIST SP 800-60 – Security Category Mapping
- NIST SP 800-70 – Guidelines for Checklists
- NIST SP 800-137 – Continuous Monitoring

**004 Okay so let's look at the FISMA Phase I Publications; in other words the ones that really count for us, the ones that are the most important for us.
And here's your laundry list. We're going to go through each one of these and talk about how they're relevant and where they fit in with what we do.

Slide 5: FIPS 199
Standards for Security Categorization of Federal Information and Information Systems
Potential Impact of:
- Low (Limited)
- Moderate (Serious)
- High (Catastrophic)

**005 So FIPS 199. It talks about the Categorization of Federal Information Systems. Well what are the categorizations? Low, Moderate and High. And those three categories of the information systems that are out there, we want to use that definition in FIPS 199 to assign it to a particular set of systems that are out there.

Slide 6: FIPS 200
Minimum Security Requirements for Federal Information and Information Systems
- Promotes the development, implementation, and operation of more secure information systems
- Establishes minimum levels of due diligence for information security
- Facilitates a more consistent, comparable, and repeatable approach for selecting and specifying security controls

**006 FIPS 200 is the Minimum Security Requirements for the information systems. And what it's going to do is it's going to allow us to develop and implement more secure operating systems.
If we follow these guidelines and we put these implementations in place, the system will work better; and be more consistent with all of the other systems. And this would also be consistent with a lot of NIST Special Publications that are out there.

Slide 7: NIST Special Instructions – NIST SP 800-18 Rev 1
Guide for Developing Security Plans for Federal Information Systems
- Includes background information relevant to the system security planning process
- Discussion of the categories of information systems
- Description of the roles and responsibilities related to the development of system security plans
- Discusses the steps of system security plan development
- Provides a system security plan template

**007 So let's talk about the Special Publications.
Now it's important, when you're looking at the Special Publications, to look at the thing after the 800; because sometimes that can be a little bit confusing.
If we talk about 800 Rev 1, well that's the revision of Special Publication 800-18. That little Rev on the end is telling you what version it is. And that becomes very important. That's inconsistently applied, from what I've found; and I'll explain that when we get to 800-30 and 39 in just a second. They may reuse the numbers.
So what is 18? Okay. Well it's the guides for developing the security plans. How are we going to put this in place?
And a lot of times you'll walk into an environment and it's already set up, it's already running; everything's good.
But what happens if you start with a green field; what will you do? So what you're going to do is you're going to set up the categories of the information systems.
And it's really nice because in a lot of cases you'll say: Well this device is hooked to that network and that network is that label over there; so this has to have that same level. And if it has those same levels, all those controls are there and all these controls are here. How will I put those controls in place in a green field? Where will I start? How will I move through this?
This is going to give you the steps to develop that plan and provide a plan template that you can execute on. So you don't have to make it up yourself. That's what's great about 18.

Slide 8: NIST Special Instructions – NIST SP 800-30 Rev 1
Guide for Conducting Risk Assessments
- Revision 1 was a significant change
  — Changed title from Risk Management to Risk Assessment
  — Changed steps and tasks for completing a risk assessment, made it more flexible
- The purpose of SP 800-30 is now to provide guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in SP 800-39 on risk management.

**008 Okay 30 Rev 1. Now there's only one thing that I have a problem with in Special Publication 800-30, and that is that they took out this really cool, clear, concise set of nine steps from Rev 1 to the previous version of it.
I really liked that; because for people who were learning about risk assessments and how to conduct them, it gave them a nice clean plan to execute on. And I always tell my students: Go out and find the old version and look at those nine steps. Don't make that the gospel. But start off there.

Now it's changed. So how has it changed? Well it was a pure risk assessment document. Now what it does is it respects risk management in the 800-39 and the 800-37. So it gives you guidance on how to actually conduct a risk assessment in your organization. And that's the risk assessment; that's the technical side of it.
Remember, 800-39 does the risk management. That's the business process, the non-technical portion of this.

Slide 9: NIST Special Instructions – NIST SP 800-37 Rev 1
Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
Guidelines developed
- To ensure that managing information system security risks is consistent with the organization's objectives and overall risk strategy
- To ensure that information security requirements are integrated into the organization's enterprise architecture and SDLC
- To support consistent and ongoing security authorization decisions
- To achieve more secure information and information systems through the implementation of appropriate risk mitigation strategies

**009 Let's talk about 37; which is a relatively new document in terms of me working with Special Publications. It is a Risk Management Framework; and what it includes is something that we didn't think about before, which is the life cycle approach, the security life cycle approach. And it tells us that when we initiate a project we have to make sure that it fits in with all of our other controls that are out there; and it's consistent with the risk strategies that we've chosen.
When we pick up new products-- and this is very, very new products-- when we pick up those new products sometimes the product is all about just getting it done; it's all about availability, it's all about processing the data in a new way. And then you say: Okay now we're going to put some controls onto it.
Well if it's very early in stages, maybe that's not something that we want to take on as a tool in our environment; because the risk to operate in our environment could be relatively high.
I'm not saying don't choose new products. I'm saying be careful of new products; because they're all about actually getting it done. And then when it gets rolled out, gets deployed down range, in some cases what happens is they find some bugs, they find some flaws, they find some issues with it. And that means that they've got to adjust for it.

So if you're going to do a risk assessment and you're using 37 and it's early in the lifecycle of this particular product, respect that that could cause problems.
If you have a relatively mature product in your environment and you've done good SDLC on it, then you'll know you're in maintenance mode and you've picked up some of those bugs.
Really what this is doing for us is it's going to give us a consistent ongoing security profile-- well, it'll allow the people that are doing the authorization to make good decisions.

Slide 10: NIST Special Instructions – NIST SP 800-39
Managing Information Security Risk: Organization, Mission, and Information System View
- Provides guidelines for managing risk at the organizational, mission/business, and information system level
- Provides a structured, yet flexible approach for managing risk
- Contains the definitions and the practical guidance for responding to and monitoring risks

**010 800-39. This document has also changed over time. It's a complement to the other two.
The idea here is to figure out what the organization is, what the mission is of that organization, and how we're going to make sure that our risk strategies fit that mission.
If we're in a very forward operations location, it could be that we may take more or much less risk in this particular activity that we're doing; especially when we're talking about technology.

Now what we have to do is we have to be able to realize that the situation under which we operate could change. And so we have to be willing to accept more or less risk, based on that situation; based on the context of what's going on here and now.
But we also have to, later on when we come back to it, say: Okay why did you make those decisions? It was based on a well thought out process.

Slide 11: NIST Special Instructions – NIST SP 800-53 Rev 4
Security and Privacy Controls for Federal Information Systems and Organizations
- Provides guidelines for selecting and specifying security controls for information systems
- Helps achieve more secure information systems and effective risk management
- Provides a stable, yet flexible catalog of security controls for information systems

**011 800-53. Notice that there is no letter after that. That will become important in a second.

800-53 Rev 4 is all about the security and privacy controls. What security controls are we going to put in place? And also what privacy controls are we going to put in place?
I think the privacy issue-- I think we've all found examples out there of where privacy has failed and individuals' records have been exposed. I mean, there's tons of it in Data Loss DB. It talks about all the things that have happened; and I'm sure there are systems that you've heard of. Or maybe you've even been affected by those systems.
And so since it's so close to home, we want to make sure that we also pay attention to the privacy; because it's becoming more and more important, making sure that those controls are in place to address those particular issues.
We want a stable and flexible catalog of security controls to apply to our information systems. We may not apply them all in this instance. It may be that this happens, I don't know, at a future date.

Slide 12: NIST Special Instructions – NIST SP 800-53 Rev 4
Security and Privacy Controls for Federal Information Systems and Organizations
- Revision 4
  — Removed discussion of control classes (Management, Operational, Technical), though these have not been removed from FIPS 200.
  — Updated security controls and control enhancements in the catalog addressing such areas as: mobile and cloud computing; application security; trustworthiness, assurance, and resiliency of information systems; insider threat; supply chain security; and the advanced persistent threat.
  — Appendix J, Privacy Control Catalog, is a new addition to NIST Special Publication 800-53. It is intended to address the privacy needs of federal agencies. It includes eight new privacy control families.

**012 A little bit more on Rev 4. Some things that happen now. What we've done is we've removed the discussion of the control classes. You may have known of them as Management, Operational and Technical. Even though they haven't been removed from FIPS 200, they've been removed from this document here.
And we've also included some new activities, some new things that we weren't thinking about; because the NIST Special Publication has to grow, it has to deal with as much mobile computing and cloud computing as we have today. We really need to address that directly in 800-53. So there's been a new section added there.
It also starts talking about that trustworthiness, the assurance and the resilience of the information systems.
And remember when we talk about resiliency, that's not necessarily redundancy. A lot of people confuse the two. Resiliency is the strength and power of this one thing to submit to attack; whereas the redundancy says: Well we've got two of them; so if this one fails we can switch over to the next one. So those are a little bit different.
When you look at this, also look in Appendix J and look at the Privacy Control Catalog. And this is a new addition; and this bears special mention. It is critical to more and more operations these days.

Slide 13: NIST Special Instructions – NIST SP 800-53A Rev 1
Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
- Provides guidelines for building effective security assessment plans and a set of procedures for assessing the effectiveness of security controls
- Helps achieve more secure information systems
- Enables more consistent, comparable, and repeatable assessments of security controls
- Used in conjunction with NIST SP 800-53 Rev 4

**013 Now notice: 800-53A. We've added an A on the end. Now we're talking about assessing the security controls in the federal information systems.
This is going to give us good planning documents, a set of procedures for assessing the effectiveness of those controls that are in place; and it's going to allow us to, well, secure the information systems better. Because we're going to know that, well, this control isn't sufficient to protect this level. So we'll go and say: Okay well let's add the next level up from it.

I don't want to get into the specifics of it because really those control surfaces are going to be based on that particular control. So it digs down into a subject that we don't want to cover here, just for a second.
You're going to use 800-53A in conjunction with 800-53 Rev 4. Those are two separate documents. Sit them side by side and say: Oh this is how they work together.

Slide 14: NIST Special Instructions – NIST SP 800-59
Guideline for Identifying an Information System as a National Security System
- Assists agencies in determining which of their systems are national security systems
- Ensures that agencies receive consistent guidance on the identification of systems that should be governed by national security system requirements

**014 Let's talk about 800-59. This is identifying information systems.

So which systems are national security systems? We want to have consistent guidance on identification of those systems. Is that phone that you're using, or that tablet, or that laptop, a national security system? Does it just hook to a national security system; or is it a part of it? 800-59 gives us guidance on that.

Slide 15: NIST Special Instructions – NIST SP 800-60 Rev 1
Guide for Mapping Types of Information and Information Systems to Security Categories
Helps agencies consistently map security impact levels to types of:
- Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)
- Information systems (e.g., mission critical, mission support, administrative)

**015 800-60 Rev 1 gives us a guide for mapping those types of information and information systems to security categories.

So it's not just Secret/Top Secret. It's also privacy; it's medical; it's proprietary.
When I deal with financial services firms, they always say: Oh we only have to worry about the financial data. I go: Well what about your HIPAA data? What about that? What about your high-tech data? What about your payment card industry data? And they go: Oh well I guess we didn't think about that.
When I deal with colleges, they also have an additional level on top of that, which is something called FERPA; which is protecting the grades of students.
So when you're in your environment, you have to consider all of these different types of information that are out there; and then also the system that they sit on. Is this mission critical? Does it support the mission or is it way outside of that? Is it some sort of administrative system-- a payroll system?

Slide 16: NIST Special Instructions – NIST SP 800-70 Rev 2
National Checklist Program for IT Products - Guidelines for Checklist Users and Developers
- Describes security configuration checklists and their benefits
- Explains how to use the NIST National Checklist Program (NCP) to find and retrieve checklists

**016 800-70 Rev 2. Well this is one of my favorites.
So if you look at Security Technical Implementation Guides, STIGs, or you look at the National Checklist Program, the NCP-- well actually this all goes back to-- there's a SANS organization that's called Center for Internet Security, CI Security.
This checklist tells us how to implement these products in a secure manner. So look at the NIST National Checklist Program. This will become very familiar if you've ever dealt with the STIGs.

Slide 17: NIST Special Instructions – NIST SP 800-137
Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
- Provides guidance on defining, establishing, and implementing an ISCM program
- Provides guidance on analyzing data and reporting and responding to findings
- Enables organizations to move from compliance-driven risk management to data-driven risk management

**017 137; about continuous monitoring.
Now the discussion comes up about-- well I hate to use it but I'm going to use the-- the security-o-meter, the security dashboard; the dashboard that tells us are we safe or are we not? And there's this movement in continuous monitoring to watch what activities are going on; and when that needle moves anything at all, well we want to know: What's going on? And somebody dives in and says: Hey how come our risk profile went up? So I don't like the security-o-meter. I really don't like it.

And when we talk about continuous monitoring, the data that comes out of continuous monitoring for information security systems actually goes into those security-o-meters. So I caution you against those security-o-meters in that fog of war, if you will, where everybody's pounding on you and saying: Well why has this changed?
But let's step back from it and let's find the good in it. So what we really want is instead of doing risk assessments at a point in time, instead of collecting data as a monolithic event, what we want to do is we want to actually have a way to pull data from those tools and reporting from those tools in a reasonable continuous manner, to automate a lot of this so that it doesn't become such an odious task.
Now what this does is this stops us from being compliance driven; in other words, oh my God the auditors are coming in. No, we don't know when the auditors are coming. The data will always be there.
It used to be that when we'd say: Oh my God the auditors are coming in, let's turn on all the controls. That's more in a commercial environment. Then what would happen is the auditors would come in and all the controls would be on, and we couldn't get any work done.
What we need to do is we need to have controls that will balance this.

We need to say that this control will work all the time in our environment; but we don't have to turn it on and turn it off to go ahead and make some sort of compliance checklist work.
We want to do data driven risk management, which says that-- when we're getting down the road-- that we can drive down the road with our seatbelt on; and we don't necessarily need a five-point harness.
So that's the idea behind the documents that we need to gather together and bring to the table when we're talking about the CAP.

Notices
© 2014 Carnegie Mellon University
This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study.
Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at permission@sei.cmu.edu.
This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.
Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.
THE MATERIAL IS PROVIDED ON AN "AS IS" BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).
CERT is a registered mark owned by Carnegie Mellon University.
