As part of the risk management framework for information systems and organizations, let's look at legal and regulatory organizations. Over the next few screens, we will cover several legal and regulatory requirements which drive the implementation of the risk management framework. We will discuss White House Executive Orders, National Institute of Standards and Technology publications, Office of Management and Budget requirements, and Committee on National Security Systems directives. Other references you may want to look into are Office of the Director of National Intelligence and Department of Defense requirements, depending on the systems and customers you may be supporting. First, let's look at some of the organizational roles. The White House is the executive office given statutory authority to issue executive orders, proclamations, and similar documents that initiate action, stop action, or require general notice to be given. This could be done in the form of Presidential Policy Directives, PPDs, Homeland Security Presidential Directives, HSPDs, and National Security Presidential Directives, NSPDs. White House documents you should be familiar with include, for example, Executive Order 13228, Establishing the Office of Homeland Security and the Homeland Security Council. What the executive order did was establish the Office of Homeland Security and give it the mission to develop and coordinate the implementation of a comprehensive national strategy to secure the United States from terrorist threats or attacks. The order further details functions such as national strategy, detection, preparedness, prevention, protection, response, and recovery, just to name a few, as well as administration and the establishment of the Homeland Security Council, and it gives the office classification authority up to Top Secret. Another one you should be familiar with is Executive Order 13636, Improving Critical Infrastructure Cybersecurity.
President Barack Obama issued Executive Order 13636 in February 2013, tasking NIST, the National Institute of Standards and Technology, to create a cybersecurity framework that helps organizations mitigate risks to the nation's essential systems, such as power generation and distribution, the financial services sector, and transportation. We call this critical infrastructure. NIST released the Framework for Improving Critical Infrastructure Cybersecurity, also known as the CSF, in February 2014. It consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The National Cybersecurity Center of Excellence is a US government organization that builds and publicly shares solutions to cybersecurity problems faced by US businesses and demonstrates how the CSF, the Cybersecurity Framework, can be implemented in real-world environments. When an industry sector approaches the National Cybersecurity Center of Excellence with a cybersecurity problem, the center maps the solutions to the Cybersecurity Framework, as well as to other standards, controls, and best practices. The next executive order you should be familiar with is Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. President Trump issued Executive Order 13800 on May 11th, 2017, to improve the nation's cybersecurity posture and capabilities in the face of intensifying cybersecurity threats. Executive Order 13800 focuses federal efforts on modernizing federal information technology infrastructure, working with state and local governments and private sector partners to more fully secure critical infrastructure, and collaborating with foreign allies. There are many other executive orders which may come to bear, but the last document I want you to be aware of is Homeland Security Presidential Directive 7, Critical Infrastructure Identification, Prioritization, and Protection, also known as HSPD-7.
This establishes a national policy for federal departments and agencies to identify and prioritize United States critical infrastructure and key resources, and to protect them from terrorist attacks. Basically, it is intended to improve the internal management of the executive branch of the federal government. It also supersedes Presidential Decision Directive 63, PDD-63, which also dealt with critical infrastructure protection. The National Institute of Standards and Technology, NIST, issues Federal Information Processing Standards, which are publicly announced standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors. It also issues Special Publications. NIST uses three Special Publication sub-series to publish computer, cyber, and information security guidelines, recommendations, and reference material. The first is the Special Publication 800 computer security series, which is NIST's primary mode of publishing computer, cyber, and information security guidelines, recommendations, and reference material. The second is Special Publication 1800, the NIST cybersecurity practice guides. This is a newer sub-series created to complement Special Publication 800; its guides target specific cybersecurity challenges in the public and private sectors and are user-friendly guides that facilitate the adoption of standards-based approaches to cybersecurity. The third is the Special Publication 500, Computer Systems Technology series. This is a general IT sub-series used more broadly by the NIST Information Technology Laboratory. Prior to the Special Publication 800 sub-series, NIST used the Special Publication 500 sub-series for computer security publications. You also have Information Technology Laboratory bulletins, NIST interagency or internal reports, and other guidance.
NIST has responsibility to ensure that standards and measures are developed to improve performance, and is charged by law with responsibility for information security standards, metrics, tests, and various other means to support agencies' missions. All the documents listed on this screen are used in the risk management process in one way or another, and you should be familiar with them. Over the next few minutes, I'll be calling out each one of these documents listed on the screen and giving you a small description of each one of them. Let's start with NIST Special Publication 800-18, the Guide for Developing Security Plans for Federal Information Systems. The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. NIST Special Publication 800-18 introduces a set of activities and concepts to develop an information system security plan, system security plan templates, and a glossary of terms and definitions used in the publication. It also includes references that support the publication. The next one down is NIST Special Publication 800-30, Guide for Conducting Risk Assessments. The purpose of Special Publication 800-30 is to provide guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39, Managing Information Security Risk, which we'll talk about later. Risk assessments are carried out at all three tiers of the risk management hierarchy, the organization level, the mission and business process level, and the information system level. They are part of an overall risk management process, providing senior leaders and executives with the information needed to determine the appropriate course of action in response to identified risks.
In particular, 800-30 provides guidance for carrying out each of the steps in the risk assessment process: preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment. NIST Special Publication 800-34, Contingency Planning Guide for Federal Information Technology, IT, Systems, provides instructions, recommendations, and considerations for federal information system contingency planning. In this context, contingency planning refers to interim measures to recover information system services after a disruption. The interim measures may include relocation of information systems and operations to an alternate site, recovery of information system functions using alternate equipment, or performance of information system functions using manual methods. 800-34 addresses specific contingency planning recommendations for three platform types, client-server systems, telecommunication systems, and mainframe systems, and provides strategies and techniques common to all systems, like developing contingency planning policy statements, conducting the business impact analysis, identifying preventive controls, creating contingency strategies, developing an information system contingency plan, ensuring plan testing, training, and exercises, and ensuring plan maintenance. Next, we have Special Publication 800-37, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy. This is the meat of the subject for this course. First, we need to understand that the risk management framework is technology neutral and addresses security and privacy risks from two perspectives, an information system perspective and a common control perspective.
800-37 is intended to help organizations manage security and privacy risks and to satisfy the requirements in the Federal Information Security Management Act, the Privacy Act, Office of Management and Budget policies, Federal Information Processing Standards, as well as other laws, regulations, and policies. Although 800-37 is mandatory for federal government use, the risk management framework can be applied to any type of non-federal organization, for example, private businesses, industry, or academia. They are encouraged to use it on a voluntary basis as appropriate. The RMF is a six-step process with a prepare phase in the middle. The steps are categorize system, select security controls, implement security controls, assess controls, authorize system, and monitor the system. We'll break all of these down later in the course. Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, provides guidance on the management of information security related risks derived from or associated with the operation and use of information systems or the environments in which those systems operate, and should be used to complement an organization's enterprise risk management program. 800-39 is supposed to be used in coordination with other NIST documents, which should result in a more protected information system. Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidelines for selecting and specifying security controls. It defines over 249 controls within 18 control families for information systems, based on the classification and categorization results from FIPS 199 and 200. It provides a set of baseline controls, low, approximately 115 controls, moderate, approximately 159 controls, and at the high level, 170 controls, which are then tailored for the organization.
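The FIPS 199 categorization that feeds the 800-53 baseline choice can be worked through in code. This is an added example, not part of the course material: it applies the FIPS 199 "high water mark" rule (the system's rating for each security objective is the highest rating of any information type it handles, and the overall categorization is the highest of the three objectives). The information types and their impact values are constructed samples, not taken from SP 800-60 Volume 2, and the baseline sizes are the approximate figures quoted in the lecture.

```python
"""FIPS 199 security categorization and SP 800-53 baseline selection (added example)."""
from dataclasses import dataclass

# FIPS 199 impact levels in increasing order of potential harm.
IMPACT_ORDER = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Approximate baseline sizes as stated in the lecture (controls before tailoring).
BASELINE_SIZE = {"low": 115, "moderate": 159, "high": 170}


@dataclass(frozen=True)
class InfoType:
    """One SP 800-60 style information type with its provisional impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self, objective):
        level = getattr(self, objective).lower()
        if level not in IMPACT_ORDER:
            raise ValueError(f"{self.name}: unknown impact level {level!r} for {objective}")
        return level


def high_water_mark(levels):
    """Return the highest impact level among the given levels."""
    return max(levels, key=lambda lvl: IMPACT_ORDER[lvl])


def categorize_system(info_types):
    """Apply the FIPS 199 high water mark per objective, then across objectives."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    per_objective = {
        obj: high_water_mark([it.impact(obj) for it in info_types]) for obj in OBJECTIVES
    }
    overall = high_water_mark(per_objective.values())
    return per_objective, overall


def fips199_expression(per_objective):
    """Render the categorization in FIPS 199 notation, e.g. SC = {(confidentiality, LOW), ...}."""
    parts = ", ".join(f"({obj}, {lvl.upper()})" for obj, lvl in per_objective.items())
    return "SC = {" + parts + "}"


def select_baseline(overall):
    """The overall impact level picks the 800-53 baseline that is then tailored."""
    return overall, BASELINE_SIZE[overall]


def categorization_report(system_name, info_types):
    per_objective, overall = categorize_system(info_types)
    baseline, size = select_baseline(overall)
    return "\n".join([
        f"System: {system_name}",
        fips199_expression(per_objective),
        f"Overall impact: {overall.upper()}",
        f"SP 800-53 baseline: {baseline} (~{size} controls before tailoring)",
    ])


# Constructed sample information types for a hypothetical HR portal.
SAMPLE_TYPES = [
    InfoType("Public web content", "low", "moderate", "low"),
    InfoType("Employee PII", "moderate", "moderate", "low"),
    InfoType("Payroll records", "moderate", "high", "moderate"),
]

if __name__ == "__main__":
    print(categorization_report("HR portal (constructed)", SAMPLE_TYPES))
```

Note that a single high-impact objective on one information type drives the whole system to the high baseline, which is why categorization, not control selection, is where tailoring arguments usually begin.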
Remember that FIPS 200 has baselines for 17 security-related areas, similar to 800-53; however, 800-53 adds the program management control family. Controls are of three types: management, operational, and technical. There are 18 families of controls within the three types, four technical, five management, and nine operational. Now, Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, provides guidelines for building effective security assessment plans and privacy assessment plans. It also helps to build a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government. This is used in conjunction with 800-53. 800-53A helps make sure the controls being assessed are the selected 800-53 controls. As with any assessment plan, you need to make sure that the assessment doesn't break the system. Next is Special Publication 800-59, Guideline for Identifying an Information System as a National Security System. Remember, FIPS publications do not apply to national security systems as defined in Title III, Information Security, of FISMA, the Federal Information Security Management Act, which is really mapped to section 11103 of title 40, US Code. It basically states that a national security system means a telecommunications or information system operated by the federal government, the function, operation, or use of which involves intelligence activities, involves cryptologic activities related to national security, involves command and control of military forces, involves equipment that is an integral part of a weapon or weapons system, or, subject to paragraph 2, the limitations, is critical to the direct fulfillment of military or intelligence missions.
Paragraph 2, limitations, basically states that it does not include a system to be used for routine administrative and business applications, including payroll, finance, logistics, or personnel management applications. Those are exempt from the provisions of section 11103 as a national security system. Next, we have the Special Publication 800-60 series, which has two volumes: Volume 1, Guide for Mapping Types of Information and Information Systems to Security Categories, and Volume 2, which is the appendices. Users should review the guidelines provided in Volume 1, then refer only to the specific material from the appendices that applies to their own systems and applications. The provisional impact assignments are provided in Volume 2. Volume 1 contains the basic guidelines for mapping types of information and information systems to the security categories which you use when filling out the FIPS 199 and 200 worksheets. Volume 2 includes security categorization recommendations and rationale for mission-based and management and support information types used on the worksheet; together they are the guide for mapping types of information and information systems to the categories. Now, Special Publication 800-61, Computer Security Incident Handling Guide, assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively. The fact is that federal agencies must create, provision, and operate a formal incident response capability. Federal law requires federal agencies to report incidents to the United States Computer Emergency Readiness Team, US-CERT, within the Department of Homeland Security.
An incident response capability should include creating an incident response policy and plan, developing procedures for performing incident handling and reporting, setting guidelines for communicating with outside parties regarding incidents, selecting a team structure and staffing model, establishing relationships and lines of communication between the incident response team and other groups, both internal (legal departments, HR, and so on) and external (law enforcement agencies, incident response groups, and the like), as well as determining what services the incident response team should provide, and staffing and training the incident response team. Next, we have Special Publication 800-70, National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. A security configuration checklist, also known as a lockdown guide, hardening guide, or benchmark, is a document that contains instructions or procedures for configuring an information technology, IT, product for an operational environment, for verifying that the product has been configured properly, and for identifying unauthorized changes to the product. NIST maintains the National Checklist Repository, which is a publicly available resource that contains information on a variety of security configuration checklists for specific IT products or categories of IT products. Using these checklists can minimize the attack surface, reduce vulnerabilities, lessen the impact of successful attacks, and identify changes that might otherwise go undetected. Next, we have Special Publication 800-115, Technical Guide to Information Security Testing and Assessment. An information security assessment is the process of determining how effectively the entity being assessed (a host, system, network, procedure, and so on) meets specific security objectives. Three types of assessment methods can be used to accomplish this.
Testing, which is the process of exercising one or more assessment objects under specified conditions to compare actual and expected behaviors. Examination, which is the process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence. And finally, interviewing, which is the process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or identify the location of evidence. Assessments can be used to support the determination of security control effectiveness over time. As we approach the bottom of the list here, SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information, assists federal agencies in protecting the confidentiality of PII in information systems. It explains the importance of protecting the confidentiality of PII and its relationship to privacy using fair information practices, and provides practical, context-based guidance for identifying PII and determining what level of protection is appropriate for each instance of PII. 800-122 suggests safeguards that may offer appropriate levels of protection. It also provides recommendations for developing response plans for incidents involving PII. Although the recommendations in this document are intended primarily for US federal government agencies and those who conduct business on their behalf, other organizations, including the private sector, may find portions of this publication very useful for protecting their PII holdings. Next, we have SP 800-128, Guide for Security-Focused Configuration Management of Information Systems.
800-128 provides general recommendations for ensuring that security considerations are integrated into an organizational configuration management process, and provides guidelines for implementation of the configuration management family of security controls defined in SP 800-53, CM-1 through CM-9, and FIPS 200. The configuration management concepts and principles described in 800-128 are supported by, or contribute to, the processes outlined in 800-53, specifically the CM control family, as well as in NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, specifically the implement step, step 3, the assess step, step 4, and the monitor step, step 6, of the risk management framework. They also support 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, which we discuss next. SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides guidelines which assist organizations in developing an information security continuous monitoring strategy and implementing a program to provide awareness of threats and vulnerabilities, visibility into organizational assets, and the effectiveness of deployed security controls. Information security continuous monitoring is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. This is supported by the configuration management process we just discussed in SP 800-128. The risk management framework developed in NIST SP 800-37 describes the disciplined and structured process that integrates information security and risk management activities into the system development life cycle. Ongoing monitoring is a critical part of that risk management process. In fact, it's step 6 of the process.
Monitor the system ensures that organization-wide operations remain within an acceptable level of risk despite any changes that occur, because timely, relevant, and accurate information is vital, particularly when resources are limited and agencies are forced to prioritize their efforts. All of the NIST publications we've just gone through are used in establishing a risk management framework. In addition to those NIST publications, we also have a couple of FIPS documents you need to be familiar with, because they're used in the RMF process. First, we have FIPS 199, which addresses the standards for categorizing information and information systems. It covers all official federal systems and provides three impact levels: low, limited damage; moderate, serious damage; and high, catastrophic damage. It is used in tandem with NIST SP 800-60. The next one is FIPS 200. It specifies minimum security requirements for federal information and information systems in 17 security-related areas, which are the same as the NIST SP 800-53 control families we discussed earlier. They're used in conjunction with FIPS 199, the classification and categorization, to establish a baseline of security controls in accordance with NIST Special Publication 800-53. NIST SP 800-53 has one additional control family not listed in FIPS 200, which is the program management controls. The program management controls described in 800-53 are typically implemented at the organization level and not directed at individual organizational information systems, which is why they have been omitted from the FIPS 200 security-related areas. We also have FIPS 140-2, Security Requirements for Cryptographic Modules. This standard specifies the security requirements that will be satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information. The standard provides four increasing, qualitative levels of security. Level 1 equals basic security.
Level 2 adds a tamper-evident coating. Level 3 adds identity-based authentication, intrusion prevention, and protection of critical security parameters. Finally, level 4 requires any tampering with the module to erase all critical security information. These levels are intended to cover a wide range of potential applications and environments in which cryptographic modules may be employed. FIPS 140-2 supersedes FIPS 140-1, Security Requirements for Cryptographic Modules, in its entirety. Continuing with organizational roles, the Office of Management and Budget evaluates expenditures and effectiveness and provides oversight of administrative procurement, fiscal management, information management, and regulatory policies. There are two kinds of documents that the Office of Management and Budget, OMB, issues, and you should already be familiar with them. They are circulars and memorandums. Listed on this screen are the circulars and memorandums you should be familiar with which are related to the RMF process. First, we have Circular A-130, Transmittal Memorandum Number 4, Management of Federal Information Resources. It establishes policies for the management of federal information resources. OMB includes procedural and analytical guidelines for implementing specific aspects of the policies contained therein as appendices. A-130 Appendix 1, Federal Agency Responsibilities for Maintaining Records About Individuals, describes agency responsibilities for implementing the reporting and publication requirements of the Privacy Act of 1974, as amended. A-130 Appendix 2, Implementation of the Government Paperwork Elimination Act, seeks to preclude agencies or courts from systematically treating electronic documents and signatures less favorably than their paper counterparts, so that citizens can interact with the federal government electronically.
A-130 Appendix 3, Security of Federal Automated Information Resources, which is the one that you're probably most familiar with, defines the term adequate security and requires accreditation of federal information systems to operate based on an assessment of management, operational, and technical controls. It establishes a minimum set of controls to be included in federal automated information security programs. It assigns federal agencies responsibilities for the security of automated information, and links agency automated information security programs and agency management control systems established in accordance with OMB Circular A-123. Finally, we have A-130 Appendix 4, Analysis of Key Sections, which provides a general context and explanation of the contents of the key sections of A-130. Next, we have some of the OMB memorandums. First, we have OMB M-00-13, Privacy Policies and Data Collection on Federal Web Sites, which clarifies the term persistent cookies. Persistent cookies remain on a user's computer for varying lengths of time, from hours to years. M-00-13 stipulates that persistent cookies are not allowed unless they meet specific conditions. However, session cookies, which expire when the user exits the browser, are permitted. M-00-13 was later rescinded by OMB Memorandum M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies. OMB M-02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones. A plan of action and milestones, a POA&M, is a tool that identifies tasks that need to be accomplished. It details the resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones. The purpose of the POA&M is to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems.
The next one down is OMB M-04-04, E-Authentication Guidance for Federal Agencies. This memorandum directs agencies to conduct e-authentication risk assessments on electronic transactions to ensure that there is a consistent approach across government. It establishes and describes four levels of identity assurance for electronic transactions requiring authentication. Assurance levels also provide a basis for assessing Credential Service Providers, CSPs, on behalf of federal agencies. They are Level 1, little or no confidence in the asserted identity's validity; Level 2, some confidence in the asserted identity's validity; Level 3, high confidence in the asserted identity's validity; and finally Level 4, very high confidence in the asserted identity's validity. Agencies should determine assurance levels by conducting a risk assessment of the e-government system, mapping identified risks to the appropriate assurance levels, selecting technology based on e-authentication technical guidance, validating that the implemented system has achieved the required assurance level, and periodically reassessing the system to determine technology refresh requirements. Next, we have M-06-15, Safeguarding Personally Identifiable Information. What this memorandum did is re-emphasize the responsibilities for safeguarding sensitive personally identifiable information as directed by the Privacy Act, and emphasize the requirement to train employees on their responsibilities in protecting PII. M-06-19, Reporting Incidents Involving Personally Identifiable Information, provides updated guidance on the reporting of security incidents involving personally identifiable information. It reminds agencies of existing requirements and explains the information agencies need to provide when addressing security and privacy in their fiscal year information technology reporting. The main provision is the requirement to report all incidents involving personally identifiable information to US-CERT within one hour of discovery of the incident.
That goes hand in hand with OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information. OMB M-07-16 requires agencies to develop and implement a breach notification policy and to ensure the assignment of impact levels to all information and information systems, the implementation of minimum security requirements and controls, the certification and accreditation of the information system, and the training of employees on their privacy and security responsibilities before permitting access to agency information and information systems. It also requires agencies to review and reduce the volume of personally identifiable information, reduce the use of social security numbers, implement security requirements like encryption, controlling remote access, having a time-out function, logging, and verification, as well as ensuring understanding of roles and responsibilities. As we get to the bottom and end of this slide, M-10-28, Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security, sets OMB as the reporting agency and DHS as the gathering agency for cybersecurity data and events. M-14-03, Enhancing the Security of Federal Information and Information Systems, and M-14-04, Fiscal Year 2013 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, both cover the security of federal agencies and current reporting requirements. M-14-03 establishes requirements for information security continuous monitoring under DHS control, and M-14-04 establishes a change in the Federal Information Security Management Act re-authorization process if information security continuous monitoring programs are active within the organization.
As we continue with the organizational roles, the Committee on National Security Systems, CNSS, formerly known as the NSTISSC, the National Security Telecommunications and Information Systems Security Committee, provides a participative forum to examine national policy and provide direction, operational procedures, instructions, and other forms of authoritative guidance for national security systems. Depending on the assessment and system type, you may also need to reference documents from ODNI, the Office of the Director of National Intelligence, and DOD, the Department of Defense. In summary, in this course, we discussed legal and regulatory organizations such as the White House for executive orders, NIST, the National Institute of Standards and Technology, OMB, the Office of Management and Budget, and the Committee on National Security Systems. We mentioned other possible references depending on the assessment, such as ODNI, the Office of the Director of National Intelligence, and the Department of Defense.