1. NIST Special Publication 800-137: Information Security Continuous Monitoring for Federal Information Systems and Organizations
FISSEA 27th Annual Conference, Partners in Performance: Shaping the Future of Cybersecurity Awareness, Education, and Training
March 19th, 2014
Kelley Dempsey, Computer Security Division, Information Technology Laboratory
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

2. Why Monitor Continuously?
- Monitoring is required by FISMA and OMB Circular A-130
- Continuous Monitoring was identified by the Administration as one of three Cross-Agency Priorities for Cybersecurity (95% by end of FY14)
- Continuous Monitoring is the only way to maintain situational awareness of organizational and system security posture in support of risk management

3. Objectives of Information Security Continuous Monitoring (ISCM)
- Conduct ongoing monitoring of security
- Determine if security controls continue to be effective over time
- Respond to risk as situations change
- Ensure monitoring and reporting frequencies remain aligned with organizational threats and risk tolerance

4. Risk Management Framework
(Diagram on the slide, reconstructed as a list: the six RMF steps arranged in a cycle around "Security Life Cycle, SP 800-39", each labelled with its governing publications.)
- Starting point: CATEGORIZE Information System (FIPS 199 / SP 800-60)
- SELECT Security Controls (FIPS 200 / SP 800-53)
- IMPLEMENT Security Controls (many SPs)
- ASSESS Security Controls (SP 800-53A)
- AUTHORIZE Information System (SP 800-37)
- MONITOR Security State (SP 800-37 / SP 800-53A), which feeds back into CATEGORIZE

5. OMB Policy Change
OMB 2013 FISMA Reporting Guidance, Memorandum M-14-04 (http://www.whitehouse.gov/sites/default/files/omb/memoranda/2014/m-14-04.pdf), question #34:
“34. Is a security reauthorization still required every 3 years or when an information system has undergone significant change as stated in OMB Circular A-130? No. Rather than enforcing a static, three-year reauthorization process, agencies are expected to make ongoing authorization decisions for information systems by leveraging security-related information gathered through the implementation of ISCM programs. Implementation of ISCM and ongoing authorization thus fulfill the three year security reauthorization requirement, so a separate reauthorization process is not necessary.”
- Follow guidance in NIST Special Publications 800-37 Revision 1 and 800-137
- Bottom line: use security-related information from ISCM to support ongoing authorization

6. Term Confusion?
- Information Security Continuous Monitoring
- Reauthorization (to operate)
- Ongoing Authorization (to operate)
- Ongoing Assessment
- Continuous Diagnostics and Monitoring

7. NIST SP 800-137 Definition
Information security continuous* monitoring (ISCM) is maintaining ongoing* awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
* The terms “continuous” and “ongoing” in this context mean that security controls and organizational risks are assessed, analyzed and reported at a frequency sufficient to support risk-based security decisions as needed to adequately protect organization information. Data collection, no matter how frequent, is performed at discrete intervals.

8. ISCM at Three Tiers
(Diagram on the slide, reconstructed as a list; tools and data are exchanged between adjacent tiers.)
- TIER 1, ORGANIZATION: risk tolerance, governance, policies, strategies
- TIER 2, MISSION/BUSINESS PROCESS: collection, correlation, analysis, reporting
- TIER 3, INFORMATION SYSTEMS: collection, correlation, analysis, reporting

9. ISCM Process Steps
1. Define continuous monitoring strategy
2. Establish continuous monitoring program
   a) Determine metrics
   b) Determine monitoring frequencies
   c) Develop ISCM architecture
3. Implement the monitoring program
4. Analyze security-related information (data) and report findings
5. Respond to findings
6. Review and update monitoring strategy and program
Continuous monitoring: maps to risk tolerance, adapts to ongoing needs, actively involves management

10. Step 1: Define the ISCM Strategy
- Tier 1, Organization:
  - Define the organization-wide strategy in accordance with organizational risk tolerance (developed at Tier 1 based on guidance in NIST SP 800-39)
  - Develop policies to enforce the strategy
- Tier 2, Mission/Business Process:
  - Assist/provide input to Tier 1 on strategy and policies
  - Develop procedures/templates to support the Tier 1 strategy and fill in gaps
- Tier 3, Information System:
  - Assist/provide input to Tier 2 on procedures
  - Establish information system-level procedures

11. Step 2: Establish the ISCM Program
Three parts:
a) Determine metrics
b) Determine monitoring frequencies
c) Develop technical architecture

12. Step 2a: Determine Metrics
- Metrics: all the security-related information from assessments and monitoring (manually and automatically generated), organized into meaningful statistics that support decision making
- Security-related information from multiple sources may support a single metric
- Metrics should have a meaningful purpose that is mapped or tied to a specific objective that helps maintain or improve the security posture of the system/organization

13. Step 2b: Establish Monitoring and Assessment Frequencies
- Monitor metrics and each control with varying frequencies
- Multiple requirements within a control may have to be monitored with differing frequencies

14. Frequency Determination Criteria
- Control volatility
- Organizational and system risk tolerance
- Current threat and vulnerability information
- System categorization/impact levels
- Controls with identified weaknesses
- Controls/components providing critical security functions
- Risk assessment results
- Output of monitoring strategy reviews
- Reporting requirements

15. Frequency Determination Example: Volatility
- MA-5a: The organization establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel
- Is volatility the only criterion to consider?

16. Step 2c: Develop ISCM Architecture
- Continuous monitoring architecture uses standard protocols and specifications
- Organizations seek to leverage existing tools/applications and infrastructure for the continuous monitoring architecture
- NISTIRs 7756, 7799, and 7800 describe a technical architecture that supports ISCM

17. Step 3: Implement the ISCM Program
- All controls and metrics (common, system, and hybrid controls) are monitored and/or assessed at the frequency identified in Step 2b
- Tier 2: Implement tools and processes associated with common controls and organization-wide monitoring (IDPS, vulnerability scanning, configuration management, asset management, etc.)
- Organization-wide monitoring will pull at least some security-related information from the system level
- Tier 3: Implement tools and processes pushed down from Tier 2 and fill in any gaps at the system level
- Tiers 2 and 3: Organize/prepare data for analysis

18. Step 4: Analyze Data and Report Findings
- Analyze data in the context of:
  - Stated organizational risk tolerance
  - Potential impact of vulnerabilities on organizational and mission/business processes
  - Potential impact/costs of mitigation options (vs. other response actions)
- Report on assessments
- Report on security status monitoring

19. Step 5: Respond to Findings
- Determine if the organization will:
  - Take remediation action
  - Accept the risk
  - Reject the risk
  - Transfer/share the risk
- Specific response actions will vary by Tier
- May need to prioritize remediation actions
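The following is an added illustration, not part of the slides or of SP 800-137, of how Steps 2a, 4 and 5 fit together in code: one metric is assembled from two security-information sources (a constructed asset inventory carrying FIPS 199 impact levels and a constructed vulnerability-scan export), computed for a discrete collection interval, compared against a stated risk tolerance, and turned into a prioritized remediation list. The record layouts, the per-impact remediation windows, the 10% tolerance figure and the "high-impact systems with an overdue finding" metric are all hypothetical choices made for the example; an organization's own Tier 1 strategy would define them.

```python
"""Toy ISCM metric pipeline (added example; records and thresholds are constructed)."""
from datetime import date

# Source 1 (constructed): asset inventory with a FIPS 199 impact level per system.
ASSETS = {
    "web-01":   {"impact": "high"},
    "db-01":    {"impact": "high"},
    "hr-app":   {"impact": "moderate"},
    "kiosk-07": {"impact": "low"},
}

# Source 2 (constructed): vulnerability-scan export, one row per open finding.
FINDINGS = [
    {"asset": "web-01",      "severity": "critical", "first_seen": "2014-01-10"},
    {"asset": "db-01",       "severity": "high",     "first_seen": "2014-03-01"},
    {"asset": "hr-app",      "severity": "low",      "first_seen": "2014-03-15"},
    {"asset": "kiosk-07",    "severity": "critical", "first_seen": "2013-12-01"},
    {"asset": "shadow-it-3", "severity": "critical", "first_seen": "2014-02-20"},  # not in inventory
]

# Hypothetical Tier 1 risk-tolerance statements the metric is evaluated against.
REMEDIATION_DAYS = {"high": 30, "moderate": 60, "low": 90}  # days allowed per impact level
TOLERANCE = 0.10          # at most 10% of high-impact systems may carry an overdue finding
ACTIONABLE = {"critical", "high"}
IMPACT_RANK = {"high": 3, "moderate": 2, "low": 1}


def overdue_findings(assets, findings, as_of):
    """Join findings to the inventory and keep actionable ones past their remediation window."""
    overdue = []
    for f in findings:
        asset = assets.get(f["asset"])
        if asset is None or f["severity"] not in ACTIONABLE:
            continue
        age = (as_of - date.fromisoformat(f["first_seen"])).days
        window = REMEDIATION_DAYS[asset["impact"]]
        if age > window:
            overdue.append({"asset": f["asset"], "impact": asset["impact"],
                            "severity": f["severity"], "days_overdue": age - window})
    return overdue


def unmatched_assets(assets, findings):
    """Findings on systems absent from the inventory: an asset-management gap, reported separately."""
    return sorted({f["asset"] for f in findings if f["asset"] not in assets})


def high_impact_overdue_ratio(assets, overdue):
    """Metric: share of high-impact systems with at least one overdue actionable finding."""
    high = [name for name, a in assets.items() if a["impact"] == "high"]
    if not high:
        return 0.0
    flagged = {o["asset"] for o in overdue}
    return sum(1 for name in high if name in flagged) / len(high)


def prioritize(overdue):
    """Step 5: order remediation by impact level, then by how far past the window it is."""
    return sorted(overdue, key=lambda o: (-IMPACT_RANK[o["impact"]], -o["days_overdue"]))


def evaluate(assets, findings, as_of_iso):
    """Compute the metric for one collection interval and compare it with the tolerance."""
    as_of = date.fromisoformat(as_of_iso)
    overdue = overdue_findings(assets, findings, as_of)
    ratio = high_impact_overdue_ratio(assets, overdue)
    return {
        "as_of": as_of_iso,
        "high_impact_overdue_ratio": round(ratio, 2),
        "within_tolerance": ratio <= TOLERANCE,
        "remediation_order": prioritize(overdue),
        "unmatched_assets": unmatched_assets(assets, findings),
    }


if __name__ == "__main__":
    # Two discrete collection points: the same data yields different decisions over time.
    for snapshot in ("2014-02-01", "2014-03-19"):
        r = evaluate(ASSETS, FINDINGS, snapshot)
        print(snapshot, "ratio", r["high_impact_overdue_ratio"],
              "within tolerance:", r["within_tolerance"])
        for o in r["remediation_order"]:
            print("   remediate", o["asset"], f"({o['impact']} impact, {o['days_overdue']}d overdue)")
        if r["unmatched_assets"]:
            print("   inventory gap:", ", ".join(r["unmatched_assets"]))
```

Run as a script, the February snapshot reports the metric within tolerance and the March snapshot reports it breached, with web-01 ahead of kiosk-07 in the remediation order because impact level outranks age. The finding on shadow-it-3 is deliberately kept out of the vulnerability metric and surfaced as an inventory gap instead, since a scanner result the asset-management source cannot explain is a different problem from an unpatched known system.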

20. Step 6: Review/Update the ISCM Strategy
- Organizations establish a process for reviewing and modifying the strategy
- Various factors may precipitate changes to the strategy

21. Step 6: Strategy Review Considerations
- Is the strategy an accurate reflection of organizational risk tolerance?
- Applicability of metrics
- Applicability/appropriateness of:
  - Monitoring frequencies
  - Reporting requirements

22. Step 6: Strategy Update Factors
- Changes to missions/business processes
- Changes in enterprise and/or security architecture
- Changes in risk tolerance
- Revised threat or vulnerability information
- Increase or decrease in POA&Ms for specific controls or metrics
- Trend analyses of status reporting output

23. Automating Continuous Monitoring (SP 800-137 Appendix D)
