Portaal Informatiebeveiliging: FISMA (US Federale Overheid)

Home

Introductie:

Veel gebruikte afkortingen:
FISMA = Federal Information Security Management Act
FIPS PUB = Federal Information Processing Standards Publication
OMB = Office of Management and Budget
NIST SP = National Institute of Standards and Technology Special Publication
De Amerikaanse (US) federale overheid maakt een onderscheid tussen twee soorten federale computersystemen:
1. 'national security systems', die vallen onder het National Security Directive 42 (NSD-42), 1990. Met dit directive werd de NSTISSC ingesteld, waarvan de naam in 2001 gewijzigd is in CNSS. Deze systemen worden hier niet behandeld.
2. 'all other systems'. Deze page gaat over de informatiebeveiliging van deze systemen
De Federal Information Security Management Act (FISMA) regelt de informatiebeveiliging van alle informatiesystemen van de US federale overheid, die geen 'national security systems' zijn, waarbij informatiebeveiliging wordt gedefinieerd als bescherming (protection) van de integrity, confidentiality en availability van informatie en informatiesystemen.
De FISMA draagde het National Institute of Standards and Technology (NIST) op om te ontwikkelen:
1. Standards to be used by all Federal agencies to categorize all information and information systems or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels;
2. Guidelines recommending the types of information and information systems to be included in each such category; and
3. Minimum information security requirements (i.e., management, operational, and technical controls), for information and information systems in each such category.
De NIST heeft twee Federal Information Processing Standards (FIPS) ontwikkelt, die onder de FISMA verplicht (mandatory) zijn: FIPS 199 en 200. Daarnaast zijn er twee Special Publications (SP) die van groot belang zijn.
FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, vereist dat federale overheidsinstellingen hun informatie en informatiesystemen, voor elk van de drie 'security objectives': confidentiality, integrity en availability, categoriseren naar drie niveau's (levels) van 'potential impact': low, moderate en high. Zo ontstaan 9 'security categories'. Een voorbeeld van een security categorization van een SCADA systeem: {(confidentiality, MODERATE), (integrity, HIGH), (availability, HIGH)}.
FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems specificeert de 'minimum-security requirements' voor informatie en informatiesystemen over zeventien 'security-related areas': ": (i) access control; (ii) awareness and training; (iii) audit and accountability; (iv) certification, accreditation, and security assessments; (v) configuration management; (vi) contingency planning; (vii) identification and authentication; (viii) incident response; (ix) maintenance; (x) media protection; (xi) physical and environmental protection; (xii) planning; (xiii) personnel security; (xiv) risk assessment; (xv) systems and services acquisition; (xvi) system and communications protection; and (xvii) system and information integrity.". Deze zeventien 'areas' betreffen de 'management, operational and technical safeguards and countermeasures' die nodig zijn.
In NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems' worden de 'security controls' opgesomd in 'low, moderate, and high security control baselines'
NIST SP800-60, Guide for Mapping Types of Information and Information Systems to Security Categories geeft advies over de toekenning van security categories aan informatie en informatiesystemen.

Wet- en regelgeving:

FISMA:

Federal Information Security Management Act of 2002 (Public Law 107-347, Title III)
Federal Information Security Management Act (FISMA) 2004 Report to Congress - OMB, 2005

OMB Circular A-130:

Appendix III to OMB Circular No. A-130. Security of Federal Automated Information Resources html pdf

NIST:

Algemeen:

FISMA Implementation Project

FIPS PUB 199:

Standards for Security Categorization of Federal Information and Information Systems - February 2004 (Originele document)
FIPS 199 - Shirley Radack, 2004 (NIST commentaar)

FIPS PUB 200:

Minimum Security Requirements for Federal Information and Information Systems - March 2006

SP 800-18:

Guide for Developing Security Plans for Information Systems - Marianne Swanson, Joan Hash & Pauline Bowen, February 2006 (NIST SP800-18, Rev. 1)

SP 800-26:

Guide for Information Security Program Assessments and System Reporting Form. Draft, Revision 1 - Marianne Swanson, Joan Hash, Mark Wilson & Richard Kissel, August 2005 (NIST SP800-26, Rev. 1, Draft, 1.153 KB)

SP 800-30:

SP 800-37:

Guide for the Security Certification and Accreditation of Federal Information Systems, May 2004 (738 KB)

SP 800-53:

Recommended Security Controls for Federal Information Systems, Second Public Draft - Ron Ross, Stu Katzke, Arnold Johnson, Marianne Swanson, Gary Stoneburner & George Rogers, July 26, 2006 (NIST SP800-53 Revision 1)
Clean Copy (159 p., 2.774 KB) - Markup Copy (167 p., 2.955 KB)

Consolidated Security Controls (updates through June 17, 2005):
Annex 1: Low Baseline - Annex 2: Moderate Baseline - Annex 3: High Baseline