Chapter 1

Introduction to Assessments

Abstract

An introduction to the security control assessment process is provided for the three classes of controls found throughout National Institute of Standards and Technology (NIST) and US Department of Defense (DOD) systems: management, operational, and technical.

Keywords

introduction
assessment
Built into the US government's requirements for operating and maintaining federal information systems safely and securely is the need to validate and verify the operational, technical, and managerial security of each system, office, data component, and individual item of information that is used, exchanged, stored, and acted upon by a governmental agency. Each agency is required by law (both the Federal Information Security Management Act (FISMA) and the Privacy Act) to ensure that the data and information it retains during the normal course of its activities are kept confidential (if not public information), accurate, and retrievable when needed. In the federal community, this process of ensuring the security of systems and information is known as "assessment," and it is usually conducted by relatively independent organizations and individuals called "assessors."

This handbook is written to give assessors and other interested personnel the guides, techniques, tools, and knowledge needed to conduct these assessments for nearly all federal information systems. We will examine the needs and requirements for assessments, look at the methodologies for conducting them at three levels of rigor (basic, focused, and comprehensive), and go in depth on the actual assessment methods of examination, interview, and testing for each of the security controls defined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53. SP 800-53 defines the security controls needed, required, or recommended for each federal information system. This security control "catalog" is extremely extensive and contains a vast number of security controls across the management, operational, and technical classes.
Generally speaking, these three security control classes cover the following:
1. Management: Actions taken to manage the development, maintenance, and use of the system
a. Examples are policies, procedures, and rules of behavior.
2. Operational: Day-to-day mechanisms and procedures used to protect operational systems and environment
a. Examples are awareness training, configuration management, and incident response.
3. Technical: Hardware/software controls used to provide protection of the IT system and the information it stores, processes, and/or transmits
a. Examples are access controls, authentication mechanisms, and encryption.
An assessment is required by the federal organization to ensure and document that the system under review has the security components in place and meets the requirements that federal standards set for operating on a federal network. These requirements are defined in several places, starting with Public Law 107-347, Title III of the E-Government Act of 2002, otherwise known as FISMA. The Office of Management and Budget (OMB) also sets security requirements that systems must meet before being deployed on federal networks, in its Circular A-130, Appendix III. Additional requirements are found throughout the federal statutory and regulatory environment in various laws (e.g., the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and the Computer Fraud and Abuse Act (CFAA)), presidential directives and executive orders (E.O. 13236, etc.), and agency regulations (the Department of Health and Human Services (HHS) HIPAA Security and Privacy Rules, DODI 8510.01M, US Army AR 25-2, etc.).
NIST SP 800-53A defines an assessment as: "The testing and/or evaluation of the managerial, operational, and technical security controls to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the security requirements for an information system or organization." As we explore the processes, procedures, techniques, and means of testing and evaluating the various security components and controls used throughout the security industry, we will keep in mind the applicability and effectiveness of each control reviewed, each technique employed, and each policy or procedure recommended. Assessments require a broad set of skills, knowledge, and testing techniques, as well as automated and manual toolsets, in order to give management and executives assurance that the risks they are about to accept are acceptable and reasonable for the level of security they want in their systems. We will discuss the available tools and their usage when covering the testing phase of each assessment. So, let us begin with the first area to be covered: the background of the security and risk process and what is at stake, namely the confidentiality, integrity, and availability of our systems.