2004
DOI: 10.6028/nist.sp.800-37

Guide for the security certification and accreditation of federal information systems

Abstract: This guideline has been prepared for use by federal agencies. It may also be used by nongovernmental organizations on a voluntary basis and is not subject to copyright. (Attribution would be appreciated by NIST.) Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of C…

Cited by 28 publications (17 citation statements)
References 0 publications
“…Agencies typically meet this requirement with ongoing security control assessments, which focus on a selected subset of system-specific and common controls used by each system. Guidance on continuous monitoring in the first version of Special Publication 800-37 recommended this approach, based in part on an assumption that comprehensive security control monitoring is infeasible [3]. Many organizations conduct annual security control assessments, dividing the total controls each year so that all controls are re-assessed at least once during the typical three-year authorization cycle.…”
Section: The Role Of Continuous Monitoring In the Risk Management Framework
confidence: 99%
“…These requirements direct system owners to review their implemented security controls at a frequency "commensurate with the acceptable level of risk for the system" and when significant modifications occur to the system, or at least every three years regardless of whether the system or its environment has changed [2]. The initial system certification and accreditation guidance NIST published to support FISMA requirements prescribed three continuous monitoring program requirements for agencies: configuration management and configuration control processes; security impact analyses of any changes to the system; and assessment of a selected subset of security controls with assessment results reported to agency officials [3]. Under the revised certification and accreditation process using the Risk Management Framework, the focus of security control monitoring activities in step 6 of the RMF is on security impact analysis and control re-assessment prompted by planned changes to information systems or their environments.…”
confidence: 99%
“…This section provides a summary of the major points provided by Kenneth van Wyk in his SEPG tutorial [van Wyk 2007]. The security problem is reinforced by the continuous growth of software vulnerabilities that more than double each year, as demonstrated by CERT research.…”
Section: 4 B Software Security-setting the Stage
confidence: 99%
“…• Security must not be always saying "no" and thus regarded as an impediment to the organization [van Wyk 2007]. Software security problems are complicated.…”
Section: 4 B Software Security-setting the Stage
confidence: 99%
“…In this case, federal agencies would need to define a much more rigorous and formal certification process than the one in NIST SP-800-37, which is the certification standard currently in use. 19 In the FAA, NAS accrediting organizations have shown a marked resistance to using the protection profiles for accrediting systems.…”
Section: No Policy Integration
confidence: 99%