

  1. NIST Special Publication 800-137
  Information Security Continuous Monitoring for Federal Information Systems and Organizations
  FISSEA 27th Annual Conference
  Partners in Performance: Shaping the Future of Cybersecurity Awareness, Education, and Training
  March 19th, 2014
  Kelley Dempsey, Computer Security Division, Information Technology Laboratory
  NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

  2. Why Monitor Continuously?
  - Monitoring is required by FISMA and OMB A-130
  - Continuous Monitoring was identified by the Administration as one of three Cross-Agency Priorities for Cybersecurity (95% by end of FY14)
  - Continuous Monitoring is the only way to maintain situational awareness of organizational and system security posture in support of risk management

  3. Objectives of Information Security Continuous Monitoring (ISCM)
  - Conduct ongoing monitoring of security
  - Determine if security controls continue to be effective over time
  - Respond to risk as situations change
  - Ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance

  4. Risk Management Framework
  Starting point: CATEGORIZE Information System (FIPS 199 / SP 800-60)
  SELECT Security Controls (FIPS 200 / SP 800-53)
  IMPLEMENT Security Controls (Many SPs)
  ASSESS Security Controls (SP 800-53A)
  AUTHORIZE Information System (SP 800-37)
  MONITOR Security State (SP 800-37 / SP 800-53A)
  The six steps form the Security Life Cycle, with SP 800-39 (organization-wide risk management) at the center of the cycle; MONITOR feeds back into CATEGORIZE.

  5. OMB Policy Change
  OMB 2013 FISMA Reporting Guidance, Memorandum-14-04, http://www.whitehouse.gov/sites/default/files/omb/memoranda/2014/m-14-04.pdf, question #34:
  "34. Is a security reauthorization still required every 3 years or when an information system has undergone significant change as stated in OMB Circular A-130? No. Rather than enforcing a static, three-year reauthorization process, agencies are expected to make ongoing authorization decisions for information systems by leveraging security-related information gathered through the implementation of ISCM programs. Implementation of ISCM and ongoing authorization thus fulfill the three year security reauthorization requirement, so a separate reauthorization process is not necessary."
  - Follow guidance in NIST Special Publications 800-37 Revision 1 and 800-137
  Bottom Line: Use security-related information from ISCM to support ongoing authorization

  6. Term Confusion?
  - Information Security Continuous Monitoring
  - Reauthorization (to operate)
  - Ongoing Authorization (to operate)
  - Ongoing Assessment
  - Continuous Diagnostics and Monitoring

  7. NIST SP 800-137 Definition
  Information security continuous* monitoring (ISCM) is maintaining ongoing* awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
  * The terms "continuous" and "ongoing" in this context mean that security controls and organizational risks are assessed, analyzed and reported at a frequency sufficient to support risk-based security decisions as needed to adequately protect organization information. Data collection, no matter how frequent, is performed at discrete intervals.

  8. ISCM at Three Tiers
  TIER 1 - ORGANIZATION: Risk Tolerance / Governance / Policies / Strategies
  (Tools and Data flow between Tier 1 and Tier 2)
  TIER 2 - MISSION/BUSINESS PROCESS: Collection / Correlation / Analysis / Reporting
  (Tools and Data flow between Tier 2 and Tier 3)
  TIER 3 - INFORMATION SYSTEMS: Collection / Correlation / Analysis / Reporting

  9. ISCM Process Steps
  1. Define continuous monitoring strategy
  2. Establish continuous monitoring program
     a) Determine metrics
     b) Determine monitoring frequencies
     c) Develop ISCM architecture
  3. Implement the monitoring program
  4. Analyze security-related information (data) and report findings
  5. Respond to findings
  6. Review and update monitoring strategy and program
  Continuous Monitoring:
  - Maps to risk tolerance
  - Adapts to ongoing needs
  - Actively involves management

  10. Step 1: Define the ISCM Strategy
  - Tier 1 - Organization:
    - Define the organization-wide strategy in accordance with organizational risk tolerance (developed at Tier 1 based on guidance in NIST SP 800-39)
    - Develop policies to enforce the strategy
  - Tier 2 - Mission/Business Process:
    - Assist/provide input to Tier 1 on strategy and policies
    - Develop procedures/templates to support Tier 1 strategy and fill in gaps
  - Tier 3 - Information System:
    - Assist/provide input to Tier 2 on procedures
    - Establish information system-level procedures

  11. Step 2: Establish the ISCM Program
  Three parts:
  a) Determine metrics
  b) Determine monitoring frequencies
  c) Develop technical architecture

  12. Step 2a: Determine Metrics
  - Metrics: all the security-related information from assessments and monitoring (manually and automatically generated) organized into meaningful statistics that support decision making
  - Security-related information from multiple sources may support a single metric
  - Metrics should have a meaningful purpose that is mapped or tied to a specific objective that helps maintain or improve the security posture of the system/organization
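As an added illustration of the slide above (example code written for this page, not from NIST or SP 800-137), the following Python builds one metric from three security-related information sources: the asset inventory from asset management, the vulnerability scanner's last-scan records, and the scanner's list of hosts it could not authenticate to. The metric is tied to a stated objective ("every inventoried host has a current, authenticated vulnerability scan") rather than reported as raw scanner output, and hosts the scanner knows but the inventory does not are surfaced separately because they belong to a different (asset-management) objective. All hostnames, dates and the seven-day staleness window are constructed sample values.

```python
"""Added example: one ISCM metric fed by several security-related information
sources (constructed data; not NIST code)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Source 1: asset management tool - the authoritative inventory (constructed).
ASSET_INVENTORY = {"web01", "web02", "db01", "app01", "jump01"}

# Source 2: vulnerability scanner - last completed scan per host (constructed).
LAST_SCAN = {
    "web01": date(2014, 3, 18),
    "web02": date(2014, 3, 1),      # stale relative to a 7-day window
    "db01": date(2014, 3, 17),
    "app01": date(2014, 3, 18),
    "legacy01": date(2014, 3, 18),  # scanned, but absent from the inventory
    # jump01 is inventoried but has never been scanned
}

# Source 3: scanner credential failures - scanned but not authenticated (constructed).
UNAUTHENTICATED = {"db01"}


@dataclass(frozen=True)
class CoverageMetric:
    objective: str
    covered: frozenset
    gaps: dict  # host -> reason the host does not count toward the objective

    @property
    def percent(self) -> float:
        """Share of inventoried hosts meeting the objective."""
        total = len(self.covered) + len(self.gaps)
        return 100.0 * len(self.covered) / total if total else 0.0


def scan_coverage(inventory, last_scan, unauthenticated, as_of, max_age_days=7):
    """Combine the three sources into one coverage metric.

    Returns (metric, unknown_hosts): unknown_hosts are hosts the scanner saw that
    the inventory does not list, which is an asset-management finding rather
    than part of this metric's denominator.
    """
    cutoff = as_of - timedelta(days=max_age_days)
    covered, gaps = set(), {}
    for host in sorted(inventory):
        scanned = last_scan.get(host)
        if scanned is None:
            gaps[host] = "never scanned"
        elif scanned < cutoff:
            gaps[host] = f"stale scan ({(as_of - scanned).days} days old)"
        elif host in unauthenticated:
            gaps[host] = "scan not authenticated"
        else:
            covered.add(host)
    unknown = sorted(set(last_scan) - set(inventory))
    metric = CoverageMetric(
        "current authenticated vulnerability scan of every inventoried host",
        frozenset(covered), gaps)
    return metric, unknown


def sample_report(as_of=date(2014, 3, 19)):
    """Run the metric over the constructed sources for a fixed reporting date."""
    return scan_coverage(ASSET_INVENTORY, LAST_SCAN, UNAUTHENTICATED, as_of)


if __name__ == "__main__":
    metric, unknown = sample_report()
    print(f"Objective: {metric.objective}")
    print(f"Coverage: {metric.percent:.1f}%  covered={sorted(metric.covered)}")
    for host, reason in metric.gaps.items():
        print(f"  gap: {host}: {reason}")
    print(f"Scanned but not in inventory: {unknown}")
```

The point of carrying the gap reasons alongside the percentage is that the same number (40% here) can come from stale scans, missing credentials or unscanned hosts, and each calls for a different response in Step 5.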

  13. Step 2b: Establish Monitoring and Assessment Frequencies
  - Monitor metrics and each control with varying frequencies
  - Multiple requirements within a control may have to be monitored with differing/varying frequencies

  14. Frequency Determination Criteria
  - Control volatility
  - Organizational and system risk tolerance
  - Current threat and vulnerability information
  - System categorization/impact levels
  - Controls with identified weaknesses
  - Controls/components providing critical security functions
  - Risk assessment results
  - Output of monitoring strategy reviews
  - Reporting requirements

  15. Frequency Determination Example: Volatility
  - MA-5a: The organization establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel
  - Is volatility the only criterion to consider?
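The three slides above (2b, the criteria list, and the MA-5a question) can be worked through in code. The Python below is an added example written for this page, not NIST's method and not values from SP 800-137, which leaves actual frequencies to organizational risk tolerance. It splits MA-5a into its two requirements, starts each from a volatility-based interval, and then tightens the interval for every other criterion the slide lists (impact level, identified weaknesses, critical security function, current threat information, reporting requirements), so the answer to "is volatility the only criterion?" is visible in the result. The interval tables, halving rules and the moderate-impact sample system are all constructed assumptions.

```python
"""Added example: deriving per-requirement monitoring intervals from several
frequency-determination criteria (constructed rules; not NIST code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed starting intervals (days) by how often the monitored item changes.
BASE_INTERVAL_DAYS = {"low": 365, "moderate": 90, "high": 30}
# Constructed longest-allowed interval by FIPS 199 impact level: a high-impact
# system is never assessed less often than this, whatever the volatility.
IMPACT_CEILING_DAYS = {"low": 365, "moderate": 180, "high": 90}


@dataclass(frozen=True)
class Requirement:
    control: str                 # control identifier, e.g. "MA-5a"
    text: str                    # the specific requirement within the control
    volatility: str              # "low" | "moderate" | "high"
    impact_level: str            # FIPS 199 categorization of the system
    has_identified_weakness: bool = False    # e.g. an open POA&M item
    critical_security_function: bool = False
    elevated_threat: bool = False            # current threat/vuln info applies
    reporting_requirement_days: Optional[int] = None  # external reporting cadence


def monitoring_interval_days(req: Requirement) -> int:
    """Return the maximum number of days between assessments of one requirement.

    Volatility sets the starting point; each further criterion can only shorten
    the interval, never lengthen it (a constructed policy for this example).
    """
    days = BASE_INTERVAL_DAYS[req.volatility]
    days = min(days, IMPACT_CEILING_DAYS[req.impact_level])
    if req.has_identified_weakness:        # weak controls are watched more closely
        days //= 2
    if req.critical_security_function:     # e.g. authentication, audit, boundary
        days //= 2
    if req.elevated_threat:                # threat intelligence names this area
        days //= 2
    if req.reporting_requirement_days is not None:
        days = min(days, req.reporting_requirement_days)
    return max(days, 1)


def plan(requirements):
    """Map 'control: requirement' to its interval in days."""
    return {f"{r.control}: {r.text}": monitoring_interval_days(r)
            for r in requirements}


# Constructed sample: the two requirements inside MA-5a from the slide, on one
# moderate-impact system where the personnel list has an open weakness.
MA_5A = [
    Requirement("MA-5a", "process for maintenance personnel authorization",
                volatility="low", impact_level="moderate"),
    Requirement("MA-5a", "list of authorized maintenance organizations/personnel",
                volatility="moderate", impact_level="moderate",
                has_identified_weakness=True),
]


def sample_plan():
    """Intervals for the constructed MA-5a sample."""
    return plan(MA_5A)


if __name__ == "__main__":
    for item, days in sample_plan().items():
        print(f"{item}: every {days} days")
```

In the sample the process part of MA-5a lands at 180 days (low volatility, capped by the moderate-impact ceiling) while the personnel list lands at 45 days (moderate volatility, halved for the identified weakness): one control, two frequencies, and neither number decided by volatility alone.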

  16. Step 2c: Develop ISCM Architecture
  - Continuous monitoring architecture uses standard protocols and specifications
  - Organizations seek to leverage existing tools/applications and infrastructure for continuous monitoring architecture
  - NISTIRs 7756, 7799, & 7800 describe a technical architecture that supports ISCM

  17. Step 3: Implement the ISCM Program
  - All controls and metrics are monitored and/or assessed (common, system, and hybrid controls) at the frequency identified in step three
  - Tier 2: Implement tools and processes associated with common controls and organization-wide monitoring (IDPS, vulnerability scanning, configuration management, asset management, etc.)
    - Organization-wide monitoring will pull at least some security-related information from the system level
  - Tier 3: Implement tools and processes pushed down from Tier 2 and fill in any gaps at the system level
  - Tiers 2 and 3: Organize/prepare data for analysis

  18. Step 4: Analyze Data and Report Findings
  - Analyze data in the context of:
    - Stated organizational risk tolerance
    - Potential impact of vulnerabilities on organizational and mission/business processes
    - Potential impact/costs of mitigation options (vs. other response actions)
  - Report on assessments
  - Report on security status monitoring

  19. Step 5: Respond to Findings
  - Determine if the organization will:
    - Take remediation action
    - Accept the risk
    - Reject the risk
    - Transfer/share the risk
  - Specific response actions will vary by Tier
  - May need to prioritize remediation actions

  20. Step 6: Review/Update the ISCM Strategy
  - Organizations establish a process for reviewing and modifying the strategy
  - Various factors may precipitate changes to the strategy

  21. Step 6: Strategy Review Considerations
  - Is the strategy an accurate reflection of organizational risk tolerance?
  - Applicability of metrics
  - Applicability/appropriateness of:
    - Monitoring frequencies
    - Reporting requirements

  22. Step 6: Strategy Update Factors
  - Changes to missions/business processes
  - Changes in enterprise and/or security architecture
  - Changes in risk tolerance
  - Revised threat or vulnerability information
  - Increase or decrease in POA&Ms for specific controls or metrics
  - Trend analyses of status reporting output

  23. Automating Continuous Monitoring
  SP 800-137 Appendix D
