
Page 1: Shawn Nicolen - IA500 - Final Research Paper

Final Research Paper: Agency System Security Authorization Program
IA 500 – Seminar on Public Sector Security
Shawn Nicolen
3/17/2015


Contents

Agency Charter (p. 6)
    Overview (p. 6)
    Program Objectives (p. 7)
The Risk Management Framework (p. 8)
Information Categorization (p. 8)
    Types of Information Systems (p. 9)
        Notable Information Types (p. 10)
Security Controls (p. 15)
    Access Control (AC) (p. 16)
        AC-2 Account Management (p. 16)
        AC-18 Wireless Access (p. 17)
    Awareness and Training (AT) (p. 17)
        AT-2 Security Awareness (p. 17)
    Audit and Accountability (AU) (p. 18)
        AU-2 Auditable Events (p. 18)
        AU-13 Monitoring for Information Disclosure (p. 18)
    Certification, Accreditation, and Security Assessments (CA) (p. 19)
        CA-5 Plan of Action and Milestones (p. 19)
    Configuration Management (CM) (p. 19)
        CM-2 Baseline Configuration (p. 19)
    Contingency Planning (CP) (p. 20)
        CP-2 Contingency Plan (p. 20)
    Identification and Authentication (IA) (p. 20)
        IA-2 Identification and Authentication (Organizational Users) (p. 20)
    Incident Response (IR) (p. 21)
        IR-2 Incident Response Training (p. 21)
    Maintenance (MA) (p. 22)
        MA-6 Timely Maintenance (p. 22)
    Media Protection (MP) (p. 22)
        MP-4 Media Storage (p. 22)
    Physical and Environmental Protection (PE) (p. 23)
        PE-11 Emergency Power (p. 23)
    Planning (PL) (p. 23)
        PL-2 System Security Plan (p. 23)
    Personnel Security (PS) (p. 24)
        PS-3 Personnel Screening (p. 24)
    Risk Assessment (RA) (p. 24)
        RA-2 Security Categorization (p. 24)
        RA-3 Risk Assessment (p. 25)
    System and Services Acquisition (SA) (p. 25)
        SA-2 Allocation of Resources (p. 25)
    System and Communications Protection (SC) (p. 26)
        SC-9 Transmission Confidentiality (p. 26)
    System and Information Integrity (SI) (p. 27)
        SI-4 Information System Monitoring (p. 27)
Risk Assessment (p. 27)
    Threat (p. 28)
    Vulnerability (p. 28)
    Impact (p. 28)
    A Note on Measurement (p. 29)
System Security Authorization (p. 29)
    Plan of Action and Milestones (p. 29)
    Security Authorization Package (p. 30)
    Risk Determination (p. 31)
    Risk Acceptance (p. 31)
Information System Monitoring (p. 32)
    Asset Management (p. 32)
    Configuration Management (p. 32)
    Event and Incident Management (p. 32)
    Information Management (p. 33)
    License Management (p. 33)
    Malware Detection (p. 33)
    Network Management (p. 33)
    Software Assurance (p. 33)
    Vulnerability and Patch Management (p. 34)
References (p. 35)

Agency Charter

The Office for Lunar and Martian Affairs (OLMA) was founded in 1964 to address growing concerns surrounding colonial political tensions within the United States Lunar and Martian colonies established by Edwin Hubble and The Explorers Club in 1932. In addition to administering the day-to-day operational and mission-based objectives of these colonies, the agency was also charged with the separate but equally important task of keeping knowledge of the colonies a secret from the general public of planet Earth, per Executive Order 1111A issued by President Kennedy in his address to the Joint Chiefs of Staff on November 3, 1963 (OLMA, STIMU Document Library).

Overview

This document describes the policies governing information technology usage and security at OLMA in compliance with directions established by federal laws, policies, and regulations. In 1996 the Office of Management and Budget stated that federal agencies must provide “security commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information” (OMB A-130, Page 5). This was further enforced by the Federal Information Security Management Act of 2002 (FISMA), which required federal agencies to “provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets” (FISMA, Section 3541).

In compliance with these directives OLMA has adopted the standards for information security described in the following:

- Federal Information Processing Standards (FIPS) Publication 199: Standards for Security Categorization of Federal Information and Information Systems, and Publication 200: Minimum Security Requirements for Federal Information and Information Systems.
- The National Institute of Standards and Technology (NIST) Special Publication 800 series pertaining to computer security, especially those on the risk management framework (SP 800-37), information system categorization (SP 800-60), and security controls (SP 800-53).

It should be noted that the policies and practices in this document do not apply to systems designated as national security systems or to information designated as classified as described in Executive Order 13526, Classified National Security Information, and its amendments. For guidance in identifying these national security systems please refer to NIST SP 800-59, Guideline for Identifying an Information System as a National Security System.

Program Objectives

The goal of the processes outlined in this document is to provide governance in efforts to secure the informational resources of the OLMA in accordance with federal directives and standards. This document derives its processes from those established by NIST in support of the Federal Information Security Management Act of 2002 (FISMA).

FISMA charged NIST with the development of three key directives in support of information security, which defined the scope of their efforts (FIPS 199, Page 1):

- The creation of standards for all federal agencies for the categorization of all information and information systems used by those agencies, with the goal of providing adequate security based on risk exposure.
- Guidelines regarding the types of information and information systems in each of those categories.
- The minimum management, operational, and technical control requirements for securing information and information systems in each of those defined categories.

The Risk Management Framework

The Office for Lunar and Martian Affairs utilizes the Risk Management Framework described in NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems. These standards have been created to ensure that the management of risk as it relates to information and information systems is consistent with the mission and function of the agency.

The six steps of this process are:

1. Categorize the information and information system.
2. Select a provisional set of baseline security controls based on the system categorization.
3. Implement the provisional security controls.
4. Assess the effectiveness of the provisional security controls.
5. Authorize the information system for use based on a determination of the risk present on that system.
6. Monitor the information system and its security controls continuously to assess their effectiveness. Changes made to the system are noted and evaluated for impact on the level of risk present on that system.

Information Categorization

Security categorization is a necessary step in integrating agency business and technology management with security, establishing the path to the standardization, measurement, and evaluation of security efforts (NIST SP 800-60, Page 4), and is the first step of the risk management framework outlined in SP 800-37. FIPS 199 provides standards for categorizing information and information systems based on the impact to the agency of events that jeopardize the accomplishment of its mission, assets, legal responsibilities, day-to-day functions, and people (FIPS 199, Page 1). These categories are used in assessing the risk to an information system alongside information about relevant threats and vulnerabilities as part of a formal, standardized, and measurable risk assessment process.

FISMA section 3532 describes a three-axis system for measuring the relevance of information to an information security program:

- Confidentiality, a measure of the desired level of disclosure of information.
- Integrity, a measure of the intactness, non-repudiation, and authenticity of information.
- Availability, the timeliness and reliability of access to information.

Per FIPS 199, the OLMA uses these three security objectives to measure the potential impact that the loss or compromise of information would have on the agency's assets, operations, mission, or people. A low impact is attributed to an event that causes a limited adverse effect, a moderate impact to an event with a serious adverse effect, and a high impact is described as severe or catastrophic: preventing the accomplishment of the agency's primary function.

The security category of an information system on which information of various levels of impact resides is based on the highest level of impact within each of those information types. FIPS 199 refers to this as the “high water mark” method (Page 4), being the “highest values from among those security categories that have been determined for each type of information resident on the information system.” It is the role of the information system owner, with the support of other officials such as the Information System Security Officer, to provide this categorization.

Types of Information Systems

NIST provides guidance in mapping types of information systems to recommended security categories in SP 800-60: Guide for Mapping Types of Information and Information Systems to Security Categories, volumes I and II. This document provides a catalog of types of information systems which can be referred to in order to determine a provisional recommended security category for those systems. While these recommended security categories can be used initially in the absence of a formal impact analysis, every attempt should be made to determine the actual security category for each information system under the responsibility of the OLMA.

Early colonists took steps to ensure the secrecy of their efforts and, for the most part, common terrestrial technologies were not in place to adequately detect their presence on these worlds until the mid-1950s, when some evidence of their activities was leaked to the general public but, fortunately, interpreted as science fiction. Pursuant to Executive Order 1111A of 1963, one of the OLMA's missions is to conceal the existence of the colonies from the general public until a time at which knowledge of their existence would no longer pose a risk of disruption to the societies and nations of Earth. Because of this, some information of any type may be classified and, therefore, not subject to the policies and guidance within this document.

Notable Information Types

While the OLMA's charter extends to nearly all aspects of life on the Lunar and Martian colonies, some system functions and types of information are of notable regard to the mission of the agency or require special consideration due to the unique nature of the OLMA's mission.

Energy Supply Information Type

This type of information is in regard to the generation, obtaining, use, distribution, and consumption of power.

While the original Lunar and Martian colonists generated and governed the generation of their own energy supply, mainly via the use of atomic reactors, these operations were later federalized under the authority of the OLMA in 1964.

The provisional security category of systems in this function or containing this type of information is moderate. The provisional impact for each axis is:

- Confidentiality: Low
- Integrity: Moderate
- Availability: Moderate

Note that, because the colonies rely in part on atomic energy, some information in this category is considered classified and national security related. That information is outside the scope of this document.

The above information regarding this information type was drawn from NIST SP 800-60 Vol 2, section D.7.1, on page 133. For more details about this type of information please refer to that document.

Environmental Monitoring and Forecasting Information Type

This type of information is in regard to the observation and prediction of environmental conditions, including air quality, water levels and quality, emissions, and weather.

Conditions on Luna and Mars are quite different from Earth and as such sometimes require specialized techniques to measure or predict. In some cases environmental forecasting is critical to the continued existence of the colony, such as in the case of solar flares, Martian dust storms, and continuous monitoring of artificial environments.

The provisional security category of systems in this function or containing this type of information is moderate according to default NIST guidance. The provisional impact for each axis is:

- Confidentiality: Low
- Integrity: Moderate
- Availability: Low (see note below)

In the case of information regarding off world systems, OLMA recommends that the provisional impact along the availability axis be raised to high, due to the extreme nature of and sudden changes in the environments of the off world colonies. In some cases changes in the environment can have a catastrophic effect resulting in the loss of human life and, therefore, it is critical that information about such potentially deadly environmental factors always be immediately available to the off world colonists and support teams on Earth.

The above information regarding this information type was drawn from NIST SP 800-60 Vol 2, section D.8.1, on page 139. For more details about this type of information please refer to that document.

Space Operations Information Type

This type of information describes and supports activities related to missions and people conducting aerospace based missions and operations.

The mission of OLMA is directly related to space and space travel to and from the off world colonies on Luna and Mars. Since the federalization of the colonies OLMA has taken steps to bring the security of information regarding space operations to these colonies within federally mandated guidelines.

The provisional security category of systems in this function or containing this type of information is high according to default NIST guidance. The provisional impact for each axis is:

- Confidentiality: Low (see note below)
- Integrity: High
- Availability: High

OLMA recommends that the provisional confidentiality impact for space operations information, and therefore for space operations related information systems, be moderate. While not all information regarding the off world colonies is classified, any information regarding space operations, especially regarding the Sagan Space Center (SSC) in Antarctica, is particularly telling and could lead to further unwanted inquiries that may compromise the secrecy of the OLMA's mission.

The above information regarding this information type was drawn from NIST SP 800-60 Vol 2, section D.11.4, on page 158. For more details about this type of information please refer to that document.

Space Exploration and Innovation Information Type

This type of information regards innovation and the development of technologies and knowledge related to space, space based transportation, and the exploration of space.

The OLMA is directly engaged in supporting off world Lunar and Martian colonists in their pursuit of further research and development of technologies in extra-terrestrial environments. While most research is conducted within planetary or moon based boundaries, it is still considered to fall within this information type due to the heavy level of interaction the off world colonists have with outer space and with regions where there is little to no boundary between the surface and space, such as on the surface of Luna.

The provisional security category of systems in this function or containing this type of information is moderate according to default NIST guidance. The provisional impact for each axis is:

- Confidentiality: Low (see below)
- Integrity: Moderate
- Availability: Low

OLMA recommends that the provisional confidentiality impact for space exploration and innovation be moderate. The technologies researched on the off world colonies are, in some cases, extremely dangerous or unacceptable within the current social and cultural climate. Detailed knowledge of such research efforts could have a serious adverse effect on the mission of the OLMA.

The above information regarding this information type was drawn from NIST SP 800-60 Vol 2, section D.12.2, on page 202. For more details about this type of information please refer to that document.

Civilian Operations Information Type

This information type describes the provisioning of non-military services by federal government employees.

The personnel conducting efforts and research on the off world colonies are primarily civilian, with guidance, direction, and support from the OLMA, which is a military agency. Though not always the case, most support operations are conducted at the direction of the OLMA, while research and scientific efforts are directed by civilian operations.

Information about Civilian Operations is a vehicle by which the federal government provides services to the citizens of the off world colonies under the care of the OLMA. This information type is essentially a means of delivery for other mission-based services information and is subject to the provisional security category and impact levels described for each of those services in NIST SP 800-60 Revision 1, Volume 2.

Information Security Information Type

All functions addressing the security needs of federal information systems fall under the information security information type. This includes, but is not limited to, the creation of security policies, guidelines, and procedures, and security controls regarding authentication, authorization, investigations, non-repudiation, and risk determination.

While not of great concern in the past, the recent actions of native Martians regarding colonial separation have spurred the development and enforcement of IT security policies and procedures specific to the off world colonies under the OLMA's guidance.

The provisional security category of systems in this function or containing this type of information is moderate according to default NIST guidance. The provisional impact for each axis is:

- Confidentiality: Low
- Integrity: Moderate
- Availability: Low

The above information regarding this information type was drawn from NIST SP 800-60 Vol 2, section C.3.5.5, on page 96. For more details about this type of information please refer to that document.

Security Controls

FIPS Publication 200: Minimum Security Requirements for Federal Information and Information Systems establishes the minimum requirements for the security of federal information systems over seventeen different areas. The minimum requirements for these areas are met by implementing and exercising the security controls described in NIST SP 800-53 Revision 3: Recommended Security Controls for Federal Information Systems that are applicable within each of those areas.

Control selection is done in consideration of the security category of the information system and the determined level of impact of the information along the three axes of confidentiality, integrity, and availability. This is done by means of an established baseline set of controls which represent the minimum controls required to adequately secure the information system. These controls must then also be appropriately tailored, or modified for use on the information system according to its operational scope and functional purpose.

As defined in FIPS 200, security control selection based on information system impact is done in the following manner:

- Low-impact information systems must, at minimum, use security controls from the low baseline set of controls.
- Moderate-impact information systems must, at minimum, use security controls from the moderate baseline set of controls.
- High-impact information systems must, at minimum, use security controls from the high baseline set of controls.
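The high water mark categorization described under Information Categorization and the baseline selection rule above can be carried through in code. The following is an added example, not part of this paper or of any NIST tool: it encodes the provisional impact triplets and the OLMA adjustments listed in the information type sections of this document, and the data structures, function names and the habitat-system scenario are constructed for illustration.

```python
"""FIPS 199 high-water-mark categorization and FIPS 200 baseline selection.

Added example, not part of the OLMA paper or of any NIST tool. The
provisional impact triplets and the OLMA adjustments are those listed in
the information type sections of this document; everything else (names,
data structures, scenario) is constructed for illustration.
"""
from dataclasses import dataclass, replace

AXES = ("confidentiality", "integrity", "availability")
RANK = {"low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str


# Provisional impacts as the paper reports them from SP 800-60 Vol 2.
PROVISIONAL = {
    t.name: t
    for t in (
        InfoType("Energy Supply", "low", "moderate", "moderate"),
        InfoType("Environmental Monitoring and Forecasting", "low", "moderate", "low"),
        InfoType("Space Operations", "low", "high", "high"),
        InfoType("Space Exploration and Innovation", "low", "moderate", "low"),
        InfoType("Information Security", "low", "moderate", "low"),
    )
}

# Agency-specific tailoring the paper recommends on top of the NIST values.
OLMA_ADJUSTMENTS = {
    "Environmental Monitoring and Forecasting": {"availability": "high"},
    "Space Operations": {"confidentiality": "moderate"},
    "Space Exploration and Innovation": {"confidentiality": "moderate"},
}


def tailor(info_type, adjustments):
    """Return a copy of info_type with the given per-axis impact overrides applied."""
    for axis, level in adjustments.items():
        if axis not in AXES or level not in RANK:
            raise ValueError(f"bad adjustment {axis}={level}")
    return replace(info_type, **adjustments)


def high_water_mark(info_types):
    """FIPS 199 high water mark: per axis, the highest impact among resident types."""
    return {
        axis: max((getattr(t, axis) for t in info_types), key=RANK.__getitem__)
        for axis in AXES
    }


def system_impact(axis_impacts):
    """FIPS 200: the system's overall impact level is the highest of its three axes."""
    return max(axis_impacts.values(), key=RANK.__getitem__)


def categorize(type_names, adjustments=OLMA_ADJUSTMENTS):
    """Categorize a system hosting the named information types.

    Returns (per-axis impacts, overall impact level, baseline to select).
    Pass adjustments={} to see the unmodified NIST provisional result.
    """
    types = [tailor(PROVISIONAL[n], adjustments.get(n, {})) for n in type_names]
    axes = high_water_mark(types)
    overall = system_impact(axes)
    return axes, overall, f"{overall} baseline"


def format_sc(axes):
    """Render in the FIPS 199 notation: SC = {(confidentiality, LOW), ...}."""
    inner = ", ".join(f"({axis}, {axes[axis].upper()})" for axis in AXES)
    return "SC = {" + inner + "}"


if __name__ == "__main__":
    # Constructed scenario: a habitat control system holding energy and environment data.
    hosted = ["Energy Supply", "Environmental Monitoring and Forecasting"]
    axes, overall, baseline = categorize(hosted)
    print(format_sc(axes), "->", overall, "->", baseline)
```

With the OLMA availability adjustment the habitat system lands in the high baseline, while the unmodified NIST values would have placed it in the moderate baseline; this is the practical effect of the agency-specific notes in the information type sections.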

For each of the seventeen security areas that FIPS 200 has identified, NIST SP 800-53 lists, amongst other controls specific to each area, governance based controls that are both common to all areas and consistently within the highest priority grouping. While not explicitly listed among the controls of note in the sections below, these “policy and procedure” controls are exercised for each of these security areas at the OLMA, as governance creates the foundation and authority upon which the implementation and exercise of other controls relies. More information on policy and procedure controls and their implementation for each of the seventeen security areas can be found in their respective sections of the Office for Lunar and Martian Affairs security policy documents (OLMA, STIMU Document Library).

While many different security controls may be deployed on the information systems of the OLMA, there are some of note within each category that may require special consideration or supplemental guidance based on the mission and operational requirements unique to this agency.

Access Control (AC)

The agency limits access to information systems such that only authorized users, their processes, or known devices can utilize the appropriate informational resources.

AC-2 Account Management

This control requires that the agency manage information system accounts by identifying account types, group memberships, and access privileges, managing the account lifecycle, reviewing accounts, and granting access based on valid authorization.

Due to the nature of some of the systems that the OLMA manages, including life support and access to sensitive scientific information, it is imperative that accounts are managed, tracked, and provisioned appropriately. As off-world colonists rarely, if ever, return to Earth, the termination of their accounts is generally only done at the time of their retirement, death, or transfer to an unrelated system with its own separate account management system.

Control Reference: NIST SP 800-53 Revision 3, Page I-5

AC-18 Wireless Access

Wireless access control creates guidance for the implementation of wireless communications systems, monitors those systems for unauthorized access, authorizes access, and enforces other requirements.

While many wireless communications systems are used by the OLMA, it is important to note that the lack of a magnetosphere on Luna and Mars presents some technical hurdles not found in traditional long range wireless communications implementations. Depending on the technology used, the range of the signals may be altered, either further limiting the use of communications or causing signals to radiate beyond expected boundaries. In the latter case this may lead to a loss of confidentiality, and care should be exercised.

Control Reference: NIST SP 800-53 Revision 3, Page I-6

Awareness and Training (AT)

The agency ensures that personnel are made aware of security risks, governance requirements, and applicable procedures while also being adequately trained to carry out their security-related functions.

AT-2 Security Awareness

All new users are given basic security awareness training. Existing users are given supplemental training periodically or when conditions arise which warrant it. This training includes information about the need for security programs as well as actions users can take themselves in order to ensure or promote a secure environment. Delivery can include techniques such as the use of posters, communications and news articles, reminders on computer screens, and events designed to promote security awareness such as seminars or simulations.

This control and the agency-specific reasoning are related to control IR-2 Incident Response Training.


Control Reference: NIST SP 800-53 Revision 3, Page F-21

Audit and Accountability (AU)

The agency monitors and collects information system audit records sufficient for purposes of analysis and investigation of impactful security events.

AU-2 Auditable Events

Information systems must be capable of auditing a specified set of events defined by the agency.

The OLMA places emphasis on auditing events associated with environmental controls that have the potential either to place a person in immediate danger, such as an airlock opening or closing, or to place multiple people in great danger after a period of time, such as a leak in an atmospheric seal. The ability to track these events and gather information about them is paramount to the safety of the off-world colonists under the OLMA’s governance.

Control Reference: NIST SP 800-53 Revision 3, Page F-24

AU-13 Monitoring for Information Disclosure

The agency monitors available sources of information for evidence of unauthorized information leakage.

Much of the work happening at the off-world colonies under the OLMA’s guidance is confidential and could pose a danger to the mission and function of the scientific colonies on Luna and Mars if exposed. Because of this, the OLMA has dictated, as one of its security functions, that open sources of information such as the internet or television be monitored for information which may reveal, or lead to the revelation of, the important work being done in the off-world colonies.

Control Reference: NIST SP 800-53 Revision 3, Page F-31


Certification, Accreditation, and Security Assessments (CA)

The agency periodically assesses the security controls on its information systems to determine their level of effectiveness.

CA-5 Plan of Action and Milestones

When necessary the agency will develop a Plan of Action and Milestones (POA&M) document to track remediation efforts for weaknesses identified in its information systems, such as vulnerabilities or misconfigurations.

The POA&M document is an essential part of the system authorization process employed by the OLMA, which is in turn based on standards established by NIST SP 800-37 Revision 3: Guide for Applying the Risk Management Framework to Federal Information Systems. See section 3.5, step 5.1 of the Risk Management Framework for more information.

Control Reference: NIST SP 800-53 Revision 3, Page F-35

Configuration Management (CM)

The agency establishes and enforces baseline controls and configurations for its information systems and maintains an inventory of those systems.

CM-2 Baseline Configuration

The agency creates, maintains, and documents a baseline configuration for information systems.

Standardization creates a baseline of measurement from which deviations can be detected and resolved. In a hostile environment where resources, even time, are scarce it is important to be able to find and remediate problems in information systems which may result in a compromise or delay of the mission of the OLMA.

Control Reference: NIST SP 800-53 Revision 3, Page F-38

Contingency Planning (CP)

The agency creates, maintains, and exercises plans for response to emergency situations, implementation of backup operations, and disaster recovery scenarios.

CP-2 Contingency Plan

Information systems that provide essential functions must have contingency plans that provide for recovery through recovery point objectives, recovery priorities, metrics, defined roles and responsibilities, and contact information; preserve the ability to maintain essential functions despite disruption; and lead towards full information system recovery.

As the OLMA operates in environments hostile to life, it is of essential importance that the colonies are able to continue operating in the event of an incident or disaster. The civilian colonists rely on the OLMA to provide safety and security so that their focus can be on the continuance of their important work.

Control Reference: NIST SP 800-53 Revision 3, Page F-47

Identification and Authentication (IA)

The agency identifies system devices, users, and their processes and verifies their identities to grant them access to agency information systems.

IA-2 Identification and Authentication (Organizational Users)

Information systems must have the ability to identify agency personnel.


The OLMA represents a unique partnership between the civilian colonists of Luna and Mars and the United States federal government. While the OLMA provides services to the colonists, they are expected to, in turn, work alongside the agency. In some cases it is important that an information system be able to respond or grant authorization differently to OLMA personnel than it would to a civilian colonist in order to properly maintain this partnership. This control and reasoning are also related directly to control IA-8 Identification and Authentication (Non-Organizational Users).

Control Reference: NIST SP 800-53 Revision 3, Page F-54

Incident Response (IR)

The agency creates a process which includes preparation, detection, analysis, containment, and recovery activities to respond to incidents which may have a negative impact on the organization. These incidents are monitored, documented, and reported to the appropriate agency personnel or authorities.

IR-2 Incident Response Training

As the resources of the off-world colonies are spread over the vast distances of space, the OLMA holds security awareness and the ability to respond to an incident to be of high priority; each person must be responsible for the security of their environment and information systems to some degree, as rapid response may not be available due to either the distance between physical security resources or the time it takes for communications signals to pass between colonies on different celestial bodies depending on their current orbital positions. For example, it will take on average between 4 and 5 minutes for signals to travel between Luna and Mars. Because of this a certain degree of self-reliance is necessary for all of the OLMA’s personnel.

This control and reasoning are related to control AT-2: Security Awareness.

Control Reference: NIST SP 800-53 Revision 3, Page F-61


Maintenance (MA)

The agency performs periodic maintenance on its information systems and provides oversight on the tools, practices, and people involved in those maintenance activities.

MA-6 Timely Maintenance

This control ensures that support or parts are available for information systems within a given time span after a failure.

As the OLMA oversees various environmental control systems essential to life on the off-world colonies, it is of high importance that maintenance is performed on a regular and timely basis. In general, systems which have a higher availability impact have a shorter required response time and a faster time to completion for maintenance activities.

Control Reference: NIST SP 800-53 Revision 3, Page F-70

Media Protection (MP)

The agency takes steps to protect both analog and digital information media, limiting access to that media to appropriate personnel and destroying the media where necessary.

MP-4 Media Storage

This control dictates that storage media is to be stored securely and protected from damage.

As the colonies on both Luna and Mars lack the magnetosphere of Earth, they are subject to exposure to various sources of radiation and energy from space. While most of the colonies are underground, providing shielding from these harmful sources of radiation, some parts of them are exposed. In all cases any media subject to damage from interstellar radiation, such as magnetic tapes, should be stored in properly shielded containers.


Control Reference: NIST SP 800-53 Revision 3, Page F-72

Physical and Environmental Protection (PE)

The agency limits physical access to its informational resources, protects physical information system components and infrastructure, and provides environmental controls for facilities where those information systems are located.

PE-11 Emergency Power

Short term power is available to facilitate the proper shutdown of an information system. In some cases long term emergency power supplies may be necessary.

Information systems maintained by the OLMA may be performing important scientific calculations or simulations, or supporting life-sustaining environmental functions. The higher the security category of an information system, the longer an emergency power supply should be able to operate until normal operations are restored.

Control Reference: NIST SP 800-53 Revision 3, Page F-81

Planning (PL)

The agency develops, revises, and exercises security plans for information systems which describe the use of security controls and behavior requirements for assigned personnel.

PL-2 System Security Plan

The agency creates a security plan for an information system that defines boundaries, categorization rationale, requirements, and relationships to other systems, and describes existing security controls already in place.

This plan is reviewed and approved by the authorizing official during the system authorization process.

Control Reference: NIST SP 800-53 Revision 3, Page F-85

Personnel Security (PS)

The agency takes steps to ensure the trustworthiness of people in positions of responsibility and the security of information systems in use by those people. When necessary, formal action is taken against personnel who have violated agency security policies.

PS-3 Personnel Screening

This control dictates that potential employees are screened prior to gaining authorization to agency information systems and rescreened when certain conditions are met.

The OLMA must take great care in ensuring that it can trust its personnel due to the secretive and impactful nature of the work being done under its purview. In addition to background checks to ensure a history of trustworthiness, interview techniques based on behavioral analysis are used during any screening process, both initial and subsequent.

Control Reference: NIST SP 800-53 Revision 3, Page F-89

Risk Assessment (RA)

The agency periodically assesses the risk to its people, assets, and information systems.

RA-2 Security Categorization

The information and information systems within the responsibility of the agency are categorized in accordance with federal laws and standards.


Categorization is the first step of the Risk Management Framework described in NIST SP 800-37 Revision 3. The OLMA follows this process as a means to properly detect, manage, and remediate risk on its information systems.

Control Reference: NIST SP 800-53 Revision 3, Page F-92

RA-3 Risk Assessment

The agency performs a formalized assessment of risk present on an information system, reviews the results, and performs periodic updates of the assessments.

A risk assessment is a useful tool when done as a part of the risk management framework and its associated processes. According to NIST SP 800-37 Revision 3, “a risk assessment guides the prioritization process for items included in the plan of action and milestones.”

Guidance on risk assessments can be found in NIST SP 800-30 Revision 1: Guide for Conducting Risk Assessments.

Control Reference: NIST SP 800-53 Revision 3, Page F-93

System and Services Acquisition (SA)

The agency allocates sufficient resources to provide adequate protection to its information systems, utilizes a systems development lifecycle that addresses security concerns, and monitors the use of software.

SA-2 Allocation of Resources

The agency determines the resources required to implement the security controls necessary to provide an information system with adequate security.


As resources in the off-world colonies are extremely limited, it is important to know exactly how many will be required by the security controls assigned for use on a given system. Colonies on Luna may have more immediate access to resources from Earth, while resource scarcity on Mars is always an issue. In many cases the colonies must be self-sufficient, with any additional resources from Earth seen as unnecessary but not unwelcome.

Control Reference: NIST SP 800-53 Revision 3, Page F-96

System and Communications Protection (SC)

The agency monitors, controls, and protects communication of information at key points along system boundaries, both external and internal, and makes use of architectural, software development, and engineering techniques that contribute to secure information transmission practices.

SC-9 Transmission Confidentiality

Information with a confidentiality requirement must be protected from unauthorized disclosure while in transit.

As much of the OLMA’s work is done in secret, the classification of much of the information about this work along the confidentiality dimension is high. Encrypted communications tunnels must be used, especially on shared communications channels such as the main band used by Mars and Luna to communicate with Sagan Station on Earth.

This control and reasoning are also related directly to control SC-28 Protection of Information at Rest.

Control Reference: NIST SP 800-53 Revision 3, Page F-112


System and Information Integrity (SI)

The agency locates, reports, and remediates information system flaws in a timely manner, provides protection from malicious code, and monitors security alerts and intelligence in order to facilitate an appropriate response.

SI-4 Information System Monitoring

The agency tracks events on information systems in accordance with its objectives and is able to detect attacks on information systems.

This control and its reasoning are directly related to controls AU-2 Auditable Events and AU-13 Monitoring for Information Disclosure.

Control Reference: NIST SP 800-53 Revision 3, Page F-126

Risk Assessment

“I often say that when you can measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot express it in numbers, your knowledge is of a meagre and unsatisfactory kind; it may be the beginning of knowledge, but you have scarcely, in your thoughts, advanced to the stage of science, whatever the matter may be.” – William Thomson, Lord Kelvin

The OLMA measures risk according to the following conceptual formula:

Risk = Threat x Vulnerability x Impact

There are several variants of the risk formula in use throughout the security industry. Some risk assessment models, such as the NIST model, also include the likelihood of a threat event occurring as a component of risk. For the purposes of the OLMA, likelihood is considered a factor of threat and is included therein, as many of our assessment tools already use this methodology.


The results of a risk assessment, including source documents for each component of the risk formula, are then documented for later reference throughout the Risk Management Framework.

The components of this formula are defined in NIST SP 800-30 Revision 1:

Threat

“Any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations… through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service.”

This value is typically provided for us by automated vulnerability scanners and stored in reports generated by those scanners. Sources of threats may be intentional, accidental, or environmental.

Vulnerability

“A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.”

This value is typically provided for us by automated vulnerability scanners and stored in reports generated by those scanners.

Impact

“The level of impact from a threat event is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.”

It should be noted that impact is partially defined by the thing being affected by the threat and vulnerability. That is, no external source can automatically tell us what the impact on our own environment will be, because that environment is ours and unique in its use and position within the OLMA.


The classification of the information present on or used by an information system can be used to help determine this value. Information of a higher security category should be represented as having a greater level of impact on the level of risk determined.

A Note on Measurement

Measurements of the components of risk for the OLMA’s information systems are gathered on a 0.0 to 10.0 scale. If these values are going to be used in other calculations they should be kept on this scale to preserve comparability and precision. Results of calculations, for use in reports or presentations, can be translated into other scales as needed, such as the 1-5 scale used by most corporate risk assessment methodologies, the 1-3 scale used by some federal agencies, or the CVSS 2.0 rating system.

For our purposes values shown in reports will use the following scale:

Rating Scale (0-5):
0: None
1: Very Low
2: Low
3: Medium
4: High
5: Critical
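The risk formula and the 0.0 to 10.0 measurement scale above, carried through in Python as an added example (this is not code from the paper or from the OLMA). Each component is validated against the 0.0 to 10.0 scale, the product Threat x Vulnerability x Impact is brought back onto 0.0 to 10.0 by taking its cube root, the result is bucketed onto the 0-5 report scale, and findings are ordered for the POA&M with those above the agency's acceptable level flagged. The bucket cut-offs, the cube-root normalization, and the sample findings are assumptions of this example; the paper fixes only the scale labels and that a Very Low rating is acceptable.

```python
"""Worked example of the OLMA risk formula on the 0.0-10.0 component scale.

Added example; not code from the paper. The cut-offs that map the 0.0-10.0
result onto the report's 0-5 rating scale, the cube-root normalization and
the sample findings are constructed for this example (the paper gives the
scale labels, not the cut-offs).
"""
from __future__ import annotations

from dataclasses import dataclass

# Labels of the 0-5 report scale, in the order listed in the paper.
RATING_LABELS = ("None", "Very Low", "Low", "Medium", "High", "Critical")
# Assumed inclusive upper bounds, on the 0.0-10.0 scale, for ratings 0..5.
RATING_UPPER_BOUNDS = (0.0, 2.0, 4.0, 6.0, 8.0, 10.0)
# The paper states that a Very Low rating (1) is acceptable to the OLMA;
# anything above it needs POA&M action.
ACCEPTABLE_RATING = 1


@dataclass(frozen=True)
class Finding:
    system: str
    threat: float          # likelihood folded in, per the paper's convention
    vulnerability: float   # e.g. a scanner's 0.0-10.0 severity score
    impact: float          # set by the system owner from the security category


def _on_scale(name: str, value: float) -> float:
    """Components must stay on the 0.0-10.0 measurement scale."""
    if not 0.0 <= value <= 10.0:
        raise ValueError(f"{name} must be within 0.0-10.0, got {value}")
    return value


def raw_risk(f: Finding) -> float:
    """Risk = Threat x Vulnerability x Impact on the raw inputs (0 to 1000)."""
    return (_on_scale("threat", f.threat)
            * _on_scale("vulnerability", f.vulnerability)
            * _on_scale("impact", f.impact))


def normalized_risk(f: Finding) -> float:
    """Bring the product back onto 0.0-10.0 so it stays comparable with its inputs.

    The cube root (geometric mean of the three components) is an assumption of
    this example; it makes three equal components of x yield x. Rounding to two
    decimals hides floating-point noise (e.g. 125 ** (1/3) is 4.999...).
    """
    return round(raw_risk(f) ** (1.0 / 3.0), 2)


def rating(f: Finding) -> tuple[int, str]:
    """Translate the 0.0-10.0 result onto the 0-5 report scale."""
    score = normalized_risk(f)
    for level, bound in enumerate(RATING_UPPER_BOUNDS):
        if score <= bound:
            return level, RATING_LABELS[level]
    return 5, RATING_LABELS[5]  # unreachable: inputs are validated to <= 10.0


def requires_action(f: Finding) -> bool:
    """True when residual risk exceeds the agency's acceptable level."""
    return rating(f)[0] > ACCEPTABLE_RATING


def prioritize(findings: list[Finding]) -> list[tuple[str, float, str, bool]]:
    """Order findings for the POA&M: highest normalized risk first."""
    rows = [(f.system, normalized_risk(f), rating(f)[1], requires_action(f))
            for f in findings]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample findings (hypothetical systems, not from the paper).
SAMPLE_FINDINGS = [
    Finding("airlock-controller", threat=6.0, vulnerability=7.5, impact=10.0),
    Finding("cafeteria-kiosk", threat=3.0, vulnerability=4.0, impact=1.0),
    Finding("archive-tape-library", threat=2.0, vulnerability=0.0, impact=9.0),
]

if __name__ == "__main__":
    for system, score, label, act in prioritize(SAMPLE_FINDINGS):
        print(f"{system:22} {score:5.2f}  {label:9} action={'yes' if act else 'no'}")
```

A zero in any component yields a rating of None, which matches the formula's multiplicative intent: a finding with no exploitable weakness carries no risk regardless of impact. Values outside the 0.0-10.0 scale are rejected rather than silently clamped, so a score pasted in on a 1-5 or 1-3 scale cannot distort the ranking.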

System Security Authorization

Step 5 of the Risk Management Framework is the authorization of an information system based upon a determination of the risk present on that system. This is addressed by several tasks, each of which is also represented by a corresponding security control.

Plan of Action and Milestones

The Plan of Action and Milestones (POA&M) document describes actions necessary to address and correct weaknesses in the security controls used on an information system, or the vulnerabilities on the information system which those security controls do not adequately address. The document then describes the issues and the tasks to remediate them, the resources necessary to do so, and any milestones met during the course of completion of the plan.

Risk assessments are used to assign priority to these tasks based on the issues they address and help to guide time requirements for completion of tasks. Control RA-3 Risk Assessment represents the corresponding security control for this step.

The corresponding security control for this step is CA-5 Plan of Action and Milestones. The OLMA specific reasoning and considerations can be found in the corresponding section of this document.

Reference: NIST SP 800-37 Revision 1, Page 34

Security Authorization Package

The POA&M, along with the security assessment document and the security plan created during earlier steps of the Risk Management Framework process, is used to complete the security authorization package. The authorizing official can use the information in this package to conduct further analysis based on the vulnerabilities, threats, and impact described therein to make a determination of risk. The authorizing official can request additional information to add to the authorization package as necessary in order to make a more accurate determination of risk.

The security plan is related to control PL-2 System Security Plan. The security assessment is related to control CA-2 Security Assessments. More information on security controls not explicitly described in this document can be found in NIST SP 800-53 Revision 3.

Reference: NIST SP 800-37 Revision 1, Page 34


Risk Determination

The authorizing official, working with the senior information security officer as appropriate, reviews the information in the authorization package to examine security controls currently in place on the information system, determine the current level of risk present, and review the recommendations provided in the POA&M document. The current risk level is determined along with risk mitigation strategies. Remaining risk is compared to the level of acceptable risk to determine if further action is required.

The OLMA has determined that a very low level of risk, based on the five point rating scale described earlier in this document, is acceptable to the agency due to the heavy reliance of the mission and function of the agency on information technology.

Reference: NIST SP 800-37 Revision 1, Page 35

Risk Acceptance

It is the authorizing official’s role to determine if the risk to the mission, function, image, reputation, assets, people, or organizations is acceptable within the bounds set by the OLMA’s risk policies, while weighing this risk against the continued operational and mission demands placed on the system. This decision is documented in the authorization decision document, which details the final decision of the authorizing official regarding the acceptance of risk associated with the information system and whether that system is authorized to begin or continue operations. Terms and conditions may also be included in this document, providing for special cases of use or describing limits on use of the information system. This document also describes the period after which this authorization expires, prompting another authorization review to take place. This information is then given to the system owner and security control provider as well as other parties as necessary.


Reference: NIST SP 800-37 Revision 1, Page 35

Information System Monitoring

Because people and resources are relatively scarce on the off-world colonies, the OLMA relies heavily on automation and automated processes to monitor the security of its information systems. NIST SP 800-137 Appendix D describes several types of tools that, when deployed appropriately and with the oversight of human expertise, are useful in system monitoring practices.

Asset Management

These tools let security analysts know what systems are present in their environment. This is the foundation of an effort to secure all of the systems in an organization, as security controls cannot be deployed to systems if you don’t know what systems you have in the first place, especially if the environment is so large or widespread that an accurate and timely manual inventory would be impossible.

Configuration Management

Centralized configuration management allows administrators to deploy consistent settings to many categories of systems simultaneously, ensuring compliance with pre-established parameters as security controls. These tools can also find deviations in settings from the established norm, identifying flawed security control deployments in real time and, in many cases, correcting them automatically.

Event and Incident Management

These tools are used to gather information about specific occurrences on a given system, such as detection of attacks based on known signatures, system behavioral patterns, or other logs of activity. If there is a common cause behind a particular set of events, the information can be organized as an incident, enabling common reference to the related events.


Information Management

The security category of a system is determined by the type of data on that system. Information management tools are able to track this information and how it moves over the network, possibly preventing information leakage and allowing the security team to identify the sensitivity of a given system based on the type of information present on that system.

License Management

License management can detect the number of installations of an application in the environment and compare this against the number which the organization is allowed or has purchased. This allows for avoidance of fees or legal action by the software distributor by detecting this deviation and enabling the security team to correct it, or by preventing the installation of the unlicensed software in the first place.

Malware Detection

Symantec Corporation defines malware as “a category of malicious code that includes viruses, worms, and Trojan horses.” This tool is used to find such software and, in many cases, take a predetermined action against it, enabling real-time protection of a system and mitigation of the risk created by the malware threat.

Network Management

Network management tools allow for discovery of new hosts on the network and monitoring of traffic. These tools allow for real time discovery of systems on the network which are not in the inventory of allowed systems or network devices.

Software Assurance

This set of tools allows for the analysis of software behavior, enabling an organization to verify the trustworthiness of an application. For software developed internally this can be utilized as part of the software development cycle to improve the security compliance of an application.


Vulnerability and Patch Management

These tools scan systems to detect software flaws or determine if a software update is available and needed to address a known issue. These tools can allow for quick discovery of such issues through regularly scheduled scans and remediation via pre-determined patching mechanisms.


References

1. E-Government Act of 2002. Pub. L. No. 107-347, 116 Stat. 2899. Retrieved January 2015 from U.S. Government Printing Office at: http://www.gpo.gov/fdsys/pkg/PLAW-107publ347/html/PLAW-107publ347.htm

2. Mell, P., Scarfone, K., Romanosky, S. (2007 January). A Complete Guide to the Common Vulnerability Scoring System Version 2.0. Retrieved March 2015 from FIRST at: https://www.first.org/cvss/cvss-guide.pdf

3. National Institute of Standards and Technology. (2014 April 1). FISMA – Detailed Overview. Retrieved January 2015 from NIST at: http://csrc.nist.gov/groups/SMA/fisma/overview.html

4. National Institute of Standards and Technology. (2004 February). Federal Information Processing Standards Publication: Standards for Security Categorization of Federal Information and Information Systems. Retrieved February 2015 from NIST at: http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf

5. National Institute of Standards and Technology. (2006 March). Federal Information Processing Standards Publication: Minimum Security Requirements for Federal Information and Information Systems. Retrieved March 2015 from NIST at: http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf

6. National Institute of Standards and Technology. (2015 January 28). NIST Computer Security Publications - NIST Special Publications (SPs). Retrieved March 2015 from NIST at: http://csrc.nist.gov/publications/PubsSPs.html

7. National Institute of Standards and Technology. (2010 February). NIST Special Publication 800-37 Revision 1: Guide for Applying the Risk Management Framework to Federal Information Systems. Retrieved February 2015 from NIST at: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf

8. National Institute of Standards and Technology. (2013 April). NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved February 2015 from NIST at: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

9. National Institute of Standards and Technology. (2003 August). NIST Special Publication 800-59: Guideline for Identifying an Information System as a National Security System. Retrieved March 2015 from NIST at: http://csrc.nist.gov/publications/nistpubs/800-59/SP800-59.pdf

10. National Institute of Standards and Technology. (2008 August). NIST Special Publication 800-60 Revision 1: Volume 1: Guide for Mapping Types of Information and Information Systems to Security Categories. Retrieved February 2015 from NIST at: http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol1-Rev1.pdf

11. National Institute of Standards and Technology. (2008 August). NIST Special Publication 800-60 Revision 1: Volume 2: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories. Retrieved February 2015 from NIST at: http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol2-Rev1.pdf

12. Nicolen, Shawn. (2015 March 21). OLMA STIMU: Stuff That I Made Up. Personal Interview, March 2015.

13. Office of Management and Budget. (1996 February 8). Circular No. A-130. Retrieved March 2015 from the OMB at: https://www.whitehouse.gov/omb/circulars_a130

14. Office of the Press Secretary. (2009 December 29). Executive Order 13526 - Classified National Security Information. Retrieved March 2015 from The White House at: https://www.whitehouse.gov/the-press-office/executive-order-classified-national-security-information

15. Symantec. Malware - Malicious Virus Code Detection - Trojan - Trojan Horse. Retrieved March 2015 from Norton at: http://us.norton.com/security_response/malware.jsp