Demystifying the Cyber NISTs
WEBINAR TRANSCRIPT
1. Federal Alphabet Soup
Acronym Overload!
Compliance, Critical Infrastructure, Cyber Security, EO 13636 - and Cyber Cyber Cyber…
FedRAMP, FISMA, NIST, FIPS, RMF, DIACAP
SP 800-53, SP 800-171, SP 800-37
FIPS 199, FIPS 200, OMB Circular 130
Learning Objectives
• Provide baseline knowledge of the most discussed frameworks, standards, and programs
• Put the acronyms in context of their intention and discuss their relationship to other standards
• Attempt to dispel some common misconceptions
About That Cyber Term…
“Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy, and public safety and health at risk.”
Source – NIST Cybersecurity Framework
The bottom line is that the government has defined cybersecurity as the function of protecting interconnected critical infrastructure and data.
2. Diving into the “NISTs”
Framing the Discussion for Federal
• Laws – Speak in terms of goals and objectives (e.g. FISMA)
• Regulations – Clarify the goals and objectives of a law
• Executive Orders – Provide additional guidance and direction
• Frameworks – Bring together a series of goals, objectives, standards, and implementation guidance, like the NIST Cybersecurity Framework
• Standards and Best Practices
  • FIPS – Federal Information Processing Standards
  • NIST SP – Special Publication (for security)
  • Information Supplements
• Programs – Designed to implement and enforce laws, regulations, and standards for a defined group (e.g. FedRAMP for Cloud Computing)
Note that the focus will largely be around standards and frameworks that Schellman’s service provider clients have to follow.
Laws, Regulations, and EOs
• FISMA – Federal Information Security Management Act
  • FISMA is a law that governs government agencies
  • Applies by extension to those that use government data or resources
  • Not a compliance certification
• Regulations and Rulings
  • Often agency specific (e.g. ITAR)
  • HIPAA – Final Security Ruling
• Executive Orders
  • Can provide clarity and enforcement guidance (e.g. EO 13636 signed by Barack Obama)
Standards: NIST SP 800-53
• Why start here?
• NIST SP 800-53 is the Kevin Bacon of federal cybersecurity
• If not directly referenced within a law, it is no more than two degrees of separation from everything!
NIST SP 800-53 (cont.)
• National Institute of Standards and Technology Special Publication 800-53 – Security and Privacy Controls for Federal Information Systems and Organizations
• Currently revision 4 (revision 5 is being put out for comment)
• Supports government FISMA compliance
• Is the detail behind Federal Information Processing Standard (FIPS) 200
• Is tailored based on FIPS 199
Back to FIPS
• Federal Information Processing Standards (FIPS) Publications are standards issued by NIST after approval by the Secretary of Commerce pursuant to the Federal Information Security Management Act (FISMA)
• Most common include:
  • FIPS 200 – Minimum Security Requirements for Federal Information and Information Systems
  • FIPS 199 – Provides the methodology for establishing information categorization based on risk (i.e. low, moderate, and high)
  • FIPS 140-2 – Security Requirements for Cryptographic Modules
• FIPS tie laws to standards and, in almost all cases, FIPS are supported by more detailed guidance within the NIST Special Publications (e.g. NIST 800-53)
• https://csrc.nist.gov/publications/PubsFIPS.html
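The slides say FIPS 199 supplies the categorization methodology and that SP 800-53 is tailored based on it, but they do not show the mechanics. The following is an added worked example, written for this transcript and not part of the Schellman webinar or any NIST publication: it applies the FIPS 199 rule that a system's category is, for each security objective, the highest impact among the information types the system handles, and then the FIPS 200 high-water mark across the three objectives, which picks the SP 800-53 baseline (Low, Moderate, or High) that is subsequently tailored. The two information types and their impact values are constructed sample data, not taken from any real system.

```python
# Added example (not from the webinar): FIPS 199 security categorization of an
# information system, followed by the FIPS 200 high-water mark that selects the
# NIST SP 800-53 control baseline to be tailored.
from enum import IntEnum


class Impact(IntEnum):
    """Potential impact values defined by FIPS 199 (ordered so max() works)."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


# The three security objectives FIPS 199 categorizes against.
OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_system(information_types):
    """FIPS 199 system categorization.

    information_types maps an information-type name to a dict of
    {objective: Impact}. For each objective, the system's value is the
    highest value assigned to any information type resident on the system.
    """
    if not information_types:
        raise ValueError("a system must process at least one information type")
    for name, category in information_types.items():
        missing = [obj for obj in OBJECTIVES if obj not in category]
        if missing:
            raise ValueError(f"{name!r} lacks impact values for {missing}")
    return {
        obj: max(category[obj] for category in information_types.values())
        for obj in OBJECTIVES
    }


def high_water_mark(system_category):
    """FIPS 200 high-water mark: the overall impact level of the system is the
    highest of its three objective-level impacts."""
    return max(system_category[obj] for obj in OBJECTIVES)


def baseline_for(system_category):
    """Name the SP 800-53 baseline that the high-water mark selects; tailoring
    of individual controls happens after this selection, not instead of it."""
    return f"SP 800-53 {high_water_mark(system_category).name.title()} baseline"


def format_sc(name, category):
    """Render a category in the notation FIPS 199 uses, e.g.
    SC payroll = {(confidentiality, MODERATE), (integrity, LOW), (availability, LOW)}"""
    parts = ", ".join(f"({obj}, {category[obj].name})" for obj in OBJECTIVES)
    return f"SC {name} = {{{parts}}}"


# Constructed sample data for a hypothetical contractor system (not real values).
# Note how neither type alone is Moderate on both confidentiality and integrity,
# but the system-level category is, because each objective is taken separately.
SAMPLE_TYPES = {
    "contract administration": {
        "confidentiality": Impact.MODERATE,
        "integrity": Impact.LOW,
        "availability": Impact.LOW,
    },
    "public web content": {
        "confidentiality": Impact.LOW,
        "integrity": Impact.MODERATE,
        "availability": Impact.LOW,
    },
}


if __name__ == "__main__":
    for name, category in SAMPLE_TYPES.items():
        print(format_sc(name, category))
    system = categorize_system(SAMPLE_TYPES)
    print(format_sc("system", system))
    print("High-water mark:", high_water_mark(system).name)
    print("Selected:", baseline_for(system))
```

With the constructed inputs the system category comes out as Moderate confidentiality, Moderate integrity, Low availability, and the high-water mark is Moderate, so the Moderate baseline is the starting point for tailoring. That is the same impact level the slides later tie to FedRAMP Moderate and DoD Level 2, which is why the FIPS 199 worksheet sits alongside the SSP in the FedRAMP deliverables list.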
NIST SP 800-171
• Protecting Controlled Unclassified Information in
Nonfederal Information Systems and Organizations
• Designed largely for federal contractors
• Uses a carved out subset of the NIST 800-53 requirements
• Revision 1 released in December of 2016
Other Relevant Standards
• Special Publications
  • SP 800-145 – The NIST Definition of Cloud Computing
  • SP 800-117 and 800-126 – Multiple standards related to the Security Content Automation Protocol (SCAP)
  • SP 800-37 – Guide for Applying the Risk Management Framework to Federal Information Systems: a Security Life Cycle Approach
  • Multiple SPs related to encryption and key management in support of FIPS 140-2
  • Others are platform and technology specific (e.g. virtualization, wireless, Apple OS X, and more)
  • http://csrc.nist.gov/publications/PubsSPs.html
• Additional
  • Common Criteria aka ISO/IEC 15408
Program: FedRAMP
• Federal Risk and Authorization Management Program (FedRAMP) defined standard and requirements
• Designed for cloud service providers (CSPs) being used by federal agencies
• Core Documentation/Deliverables – System Security Plan (SSP), FIPS 199, Security Assessment Plan (SAP) and Security Assessment Report (SAR), and Plan of Action and Milestones (POA&M)
• Based on NIST SP 800-53 and 800-53A (testing procedures)
Program: Department of Defense and FedRAMP+
• DoD has additional frameworks and controls for maintaining mission critical systems
• Leverages the Risk Management Framework (RMF) set forth in NIST SP 800-37
• Defines impact levels of 2 through 6
• FedRAMP moderate = Level 2
• FedRAMP+ = FedRAMP plus additional controls from the DoD Supplemental Resource Guide (SRG)
• http://iasecontent.disa.mil/cloud/SRG/
DoD Instruction (DoDI) 8500.01, entitled Cybersecurity, directs Director DISA, under the authority, direction, and control of the DoD CIO to develop and maintain Control Correlation Identifiers (CCIs), Security Requirements Guides (SRGs), Security Technical Implementation Guides (STIGs), and mobile code risk categories and usage guides that implement and are consistent with DoD cybersecurity policies, standards, architectures, security controls, and validation procedures, with the support of the National Security Agency Central Security Service (NSA/CSS), using input from stakeholders, and using automation whenever possible.
DoD Impact Levels Broken Out
Framework: NIST Cybersecurity Framework
• Originally published in 2014. Version 1.1 comments were solicited until April 10, 2017.
• Designed to scale with flexibility regardless of industry
• Builds on SP 800-53 and also maps to ISO 27001, COBIT, and Industrial Controls requirements
• Recently pitched to the healthcare industry for adoption
https://www.nist.gov/news-events/events/2017/03/cybersecurity-framework-virtual-events
Framework Core
• Cybersecurity activities and informative references, organized around particular outcomes
• Enables communication of cyber risk across an organization
Framework Implementation Tiers
• Describes how cybersecurity risk is managed by an organization and the degree to which the risk management practices exhibit key characteristics
Framework Profile
• Aligns industry standards and best practices to the Framework Core in a particular implementation scenario
• Supports prioritization and measurement while factoring in business needs
What Else?
• International Traffic in Arms Regulation (ITAR)
• Criminal Justice Information System (CJIS)
  • Program
  • Includes a “policy” of standards requirements
• Department of Commerce National Technical Information Service (NTIS) Limited Access Death Master File (DMF)
  • Standard for protecting a file of social security numbers associated with deceased persons
  • Includes an attestation report/template
3. Bringing it Back Together
Understanding the Cyber NIST Pieces of the Puzzle
• Laws, Regulations, and EOs – FISMA, HIPAA, EO 13636
• FIPS Standards – FIPS 200, FIPS 199, FIPS 140-2
• SP Standards – 800-53, 800-37, 800-171
• Compliance Programs – FedRAMP, DoD SRG, CJIS
• Frameworks – NIST Risk Management Framework, NIST Cybersecurity Framework
Closing Thoughts
• Don’t have to be an expert
• Recognize the core standards most applicable for your business
• Know where to look for help (and who to ask!)
STAY UP-TO-DATE
www.schellmanco.com