
FISMA Certification and Accreditation Handbook pdf


DOCUMENT INFORMATION

Basic information

Title: Fisma Certification & Accreditation Handbook
Author: Laura Taylor, Matthew Shepherd
Supervisor: Technical Editor
School: Syngress
Field: Information Technology
Type: Handbook
Year of publication: 2006
City: Not Applicable
Format:
Pages: 530
Size: 5.05 MB


Content


www.syngress.com

Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.

SOLUTIONS WEB SITE

To register your book, visit www.syngress.com/solutions. Once registered, you can access our solutions@syngress.com Web pages. There you may find an assortment of value-added features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).

ULTIMATE CDs

Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.

DOWNLOADABLE E-BOOKS

For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably.

SYNGRESS OUTLET

Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.

SITE LICENSING

Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations. Contact us at sales@syngress.com for more information.

CUSTOM PUBLISHING

Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at sales@syngress.com for more information.

Visit us at


tion (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

FISMA Certification & Accreditation Handbook

Copyright © 2007 by Syngress Publishing, Inc. All rights reserved. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.


ISBN: 1-59749-116-0

ISBN-13: 978-1-59749-116-7

Publisher: Andrew Williams
Page Layout and Art: Patricia Lupien
Acquisitions Editor: Gary Byrne
Copy Editor: Adrienne Rebello
Technical Editor: Matthew Shepherd
Indexer: Richard Carlson
Cover Designer: Michael Kavish


The incredibly hardworking team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Krista Leppiko, Marcel Koppes, Judy Chappell, Radek Janousek, Rosie Moss, David Lockley, Nicola Haden, Bill Kennedy, Martina Morris, Kai Wuerfl-Davidek, Christiane Leipersberger, Yvonne Grueneklee, Nadia Balavoine, and Chris Reinders for making certain that our vision remains worldwide in scope. David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, Joseph Chan, June Lim, and Siti Zuraidah Ahmad of Pansing Distributors for the enthusiasm with which they receive our books.

David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O’Donoghue, Bec Lowe, Mark Langley, and Anyo Geddes of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.


Author

Laura Taylor is Director of Security Certification and Accreditation at COACT, Inc., a leading provider of security compliance solutions. Additionally, Ms. Taylor is the Founder of Relevant Technologies, a security research and advisory firm. Her security research has been used by the FDIC, the FBI, the IRS, various U.S. Federal Reserve Banks, U.S. Customs, the U.S. Treasury, the White House, and many publicly held Fortune 500 companies. Ms. Taylor specializes in security audits of financial institutions and has provided information security consulting services to some of the largest financial institutions in the world, including the U.S. Internal Revenue Service, the U.S. Treasury, the U.S. Governmentwide Accounting System, and National Westminster Bank, a division of the Royal Bank of Scotland.

Formerly, Ms. Taylor was Director of Security Research at TEC. Ms. Taylor also served as CIO of Schafer Corporation and Director of Information Security at Navisite. Earlier in her career, Ms. Taylor held various positions at Sun Microsystems, where she was awarded several Outstanding Performance awards, and a CIS Security Award. Ms. Taylor has also received awards from a division of the U.S. Financial Management Services commissioner for her assistance with FISMA-compliant Security C&A of highly sensitive systems. Ms. Taylor is a Certified Information Security Manager (CISM). Ms. Taylor has been featured in many media forums, including ABC-TV Business Now, CNET Radio, the Boston Business Journal, Computerworld, and The Montreal Gazette. Her research and popular security columns have been published on Web sites and in magazines, including Business Security Advisor, Forbes, SecurityWatch, eSecurityOnline, SecurityFocus, NetworkStorageForum, ZDNet, Datamation, MidRangeComputing, and Securify. Ms. Taylor has authored hundreds of research articles and papers on information security topics and has contributed to multiple books. Ms. Taylor graduated from Skidmore College with honors, and is a member of the Society of Professional Journalists, the IEEE Standards Association, and the National Security Agency’s IATFF Forum.

Contributing Author

Glenn Jacobson is a Senior Certification and Accreditation (C&A) Engineer with COACT Inc. Prior to working for COACT, Mr. Jacobson worked for SysNet Technologies Inc., where he worked on various C&A activities for the FAA. Mr. Jacobson’s FAA projects included security testing and planning, vulnerability analysis, remediation identification, and risk management. Prior to SysNet Technologies, Mr. Jacobson worked as a consultant for both government and civilian organizations, specializing in network and security solutions development and implementation. Currently, Mr. Jacobson is working on developing a C&A training class.

Technical Editor

a network administrator, IT manager, and security architect to deliver high-quality solutions for Project Performance Corporation’s clients. Currently, he is supporting the US Patent and Trademark Office’s Certification and Accreditation program.

Matt holds bachelor’s degrees from St. Mary’s College of Maryland and is currently working on his Master’s of Science in Information Assurance. Matt would like to thank his wife, Leena, for her invaluable support and guidance throughout his career, his family for their love and support, and Olive for making every day special.


Contents

Foreword xxiii

Preface xxv

Chapter 1 What Is Certification and Accreditation? 1

Introduction 2

Terminology 3

Audit and Report Cards 6

A Standardized Process 7

Templates, Documents, and Paperwork 8

Certification and Accreditation Laws Summarized 9

Summary 10

Notes 11

Chapter 2 Types of Certification and Accreditation 13

Introduction 14

The NIACAP Process 15

The NIST Process 16

NIACAP and NIST Phases, Differences, and Similarities 16

NIACAP and NIST Compared 17

DITSCAP 18

DCID 6/3 19

The Common Denominator of All C&A Methodologies 20

C&A for Private Enterprises 21

Summary 23

Notes 23

Chapter 3 Understanding the Certification and Accreditation Process 25

Introduction 26

Recognizing the Need for C&A 26

Roles and Responsibilities 27

Chief Information Officer 27

Authorizing Official 29

Senior Agency Information Security Officer 30


Senior Agency Privacy Official 31

Certification Agent/Evaluation Team 31

Business Owner 33

System Owner 33

Information Owner 33

Information System Security Officer 34

C&A Preparers 35

Agency Inspectors 35

GAO Inspectors 36

Levels of Audit 36

Stepping through the Process 37

The Initiation Phase 37

The Certification Phase 40

The Accreditation Phase 41

The Continuous Monitoring Phase 42

Summary 44

Chapter 4 Establishing a C&A Program 45

Introduction 46

C&A Handbook Development 46

What to Include in Your Handbook 47

Who Should Write the Handbook? 48

Template Development 48

Provide Package Delivery Instructions 50

Create an Evaluation Process 51

Authority and Endorsement 51

Improve Your C&A Program Each Year 52

Problems of Not Having a C&A Program 52

Missing Information 52

Lack of Organization 53

Inconsistencies in the Evaluation Process 53

Unknown Security Architecture and Configuration 53

Unknown Risks 54

Laws and Report Cards 54

Summary 55


Chapter 5 Developing a Certification Package 57

Introduction 58

Initiating Your C&A Project 58

Put Together a Contact List 58

Hold a Kick-Off Meeting 59

Obtain Any Existing Agency Guidelines 60

Analyze Your Research 61

Preparing the Documents 61

It’s Okay to Be Redundant 62

Different Agencies Have Different Requirements 62

Including Multiple Applications and Systems in One Package 63

Verify Your Information 64

Retain Your Ethics 64

Summary 66

Chapter 6 Preparing the Hardware and Software Inventory 67

Introduction 68

Determining the Accreditation Boundaries 68

Collecting the Inventory Information 70

Structure of Inventory Information 71

Delivery of Inventory Document 72

Summary 74

Chapter 7 Determining the Certification Level 75

Introduction 76

What Are the C&A Levels? 76

Level 1 76

Level 2 77

Level 3 77

Level 4 78

Importance of Determining the C&A Level 79

Don’t Make This Mistake 79

Criteria to Use for Determining the Levels 81

Confidentiality, Integrity, and Availability 81

Confidentiality 82


Determining the Confidentiality Level 83

Integrity 84

Determining the Integrity Level 84

Availability 85

Determining the Availability Level 86

How to Categorize Multiple Data Sets 86

Impact Levels and System Criticality 87

System Attribute Characteristics 89

Interconnection State (Interfacing Mode) 89

Access State (Processing Mode) 90

Accountability State (Attribution Mode) 91

Mission Criticality 92

Determining Level of Certification 93

Template for Levels of Determination 94

Rationale for the Security Level Recommendation 97

Process and Rationale for the C&A Level Recommendation 99

The Explanatory Memo 102

Template for Explanatory Memo 103

Summary 105

Chapter 8 Performing and Preparing the Self-Assessment 107

Introduction 108

Objectives 108

Designing the Survey 109

Levels of Compliance 109

Management Controls 111

Operational Controls 112

Technical Controls 113

Correlation with Security Policies and Laws 113

Answering the Questions 114

Questions for Self-Assessment Survey 116

Summary 137

Notes 138

Chapter 9 Addressing Security Awareness and Training Requirements 139

Introduction 140


Purpose of Security Awareness and Training 140

Security Training 141

Security Awareness 142

The Awareness and Training Message 142

Online Training Makes It Easy 144

Document Your Plan 144

Security Awareness and Training Checklist 145

Security Awareness Material Evaluation 145

Security Awareness Class Evaluation 147

Summary 148

Notes 148

Chapter 10 Addressing End-User Rules of Behavior 149

Introduction 150

Implementing Rules of Behavior 150

What Rules to Include 151

Rules for Applications, Servers, and Databases 151

Additional Rules for Handhelds 152

Additional Rules for Laptops and Desktop Systems 153

Additional Rules for Privileged Users 154

Consequences of Noncompliance 155

Rules of Behavior Checklist 155

Summary 156

Chapter 11 Addressing Incident Response 157

Introduction 158

Purpose and Applicability 158

Policies and Guidelines 159

Reporting Framework 160

Roles and Responsibilities 162

Agency CSIRC 162

Information System Owner and ISSO 163

Incident Response Manager 164

Definitions 165

Incident 165

Impact, Notification, and Escalation 166

Incident Handling 168


Detecting an Incident 169

Containment and Eradication 171

Recovery and Closure 172

Forensic Investigations 173

Incident Types 176

Incident Response Plan Checklist 180

Security Incident Reporting Form 181

Summary 183

Additional Resources 183

Incident Response Organizations 183

Additional Resources 184

Articles and Papers on Incident Response 185

Notes 186

Chapter 12 Performing the Security Tests and Evaluation 187

Introduction 188

Types of Security Tests 188

Confidentiality Tests 189

Integrity Tests 191

Availability Tests 192

Types of Security Controls 193

Management Controls 193

Operational Controls 194

Technical Controls 194

Testing Methodology and Tools 194

Algorithm Testing 197

Code and Memory Analyzers 198

Network and Application Scanners 199

Port Scanners 200

Port Listeners 201

Modem Scanners 201

Wireless Network Scanner 202

Wireless Intrusion Detection Systems 202

Wireless Key Recovery 203

Password Auditing Tools 203

Database Vulnerability Testing Tools 204


Test Management Packages 204

Who Should Perform the Tests? 205

Documenting the Tests 205

Analyzing the Tests and Their Results 205

Summary 207

Additional Resources 207

Books Related to Security Testing 207

Articles and Papers Related to Security Testing 208

Notes 209

Chapter 13 Conducting a Privacy Impact Assessment 211

Introduction 212

Privacy Laws, Regulations, and Rights 212

OMB Memoranda 213

Laws and Regulations 213

PIA Answers Questions 214

Personally Identifiable Information (PII) 215

Persistent Tracking Technologies 217

Determine Privacy Threats and Safeguards 218

Decommissioning of PII 219

System of Record Notice (SORN) 220

Posting the Privacy Policy 220

PIA Checklist 220

Summary 222

Books on Privacy 222

Notes 222

Chapter 14 Performing the Business Risk Assessment 225

Introduction 226

Determine the Mission 227

Create a Mission Map 229

Construct Risk Statements 230

Describe the Sensitivity Model 232

Impact Scale 233

Likelihood Scale 234

Calculating Risk Exposure 234

Lead the Team to Obtain the Metrics 235

Analyze the Risks 235


Make an Informed Decision 237

Accept the Risk 237

Transfer the Risk 238

Mitigate the Risk 238

Summary 241

Books and Articles on Risk Assessment 241

Notes 242

Chapter 15 Preparing the Business Impact Assessment 243

Introduction 244

Document Recovery Times 244

Establish Relative Recovery Priorities 245

Telecommunications 246

Infrastructure Systems 247

Secondary Systems 247

Define Escalation Thresholds 248

Record License Keys 249

BIA Organization 250

Summary 252

Additional Resources 252

Chapter 16 Developing the Contingency Plan 253

Introduction 254

List Assumptions 255

Concept of Operations 255

System Description 255

Network Diagrams and Maps 256

Data Sources and Destinations 256

Roles and Responsibilities 257

Contingency Planning Coordinator 258

Damage Assessment Coordinator 259

Emergency Relocation Site Adviser and Coordinator 260

Information Systems Operations Coordinator 260

Logistics Coordinator 260

Security Coordinator 261

Telecommunications Coordinator 261


Levels of Disruption 262

Procedures 263

Backup and Restoration Procedures 263

Procedures to Access Off-site Storage 264

Operating System Recovery Procedures 264

Application Recovery Procedures 265

Connectivity Recovery Procedures 265

Key Recovery Procedures 266

Power Recovery Procedures 266

Recovering and Assisting Personnel 267

Notification and Activation 267

Line of Succession 269

Service Level Agreements 269

Contact Lists 270

Testing the Contingency Plan 270

Appendices 271

Contingency Plan Checklist 271

Additional Resources 272

Chapter 17 Performing a System Risk Assessment 275

Introduction 276

Risk Assessment Creates Focus 276

Determine Vulnerabilities 278

Threats 280

Threats Initiated by People 280

Threats Initiated by Computers or Devices 280

Threats from Natural Disasters 281

Qualitative Risk Assessment 282

Quantitative Risk Assessment 283

Qualitative versus Quantitative Risk Assessment 287

Present the Risks 288

Make Decisions 291

Checklist 291

Summary 293

Additional Resources 293

Notes 294


Chapter 18 Developing a Configuration Management Plan 295

Introduction 296

Establish Definitions 296

Describe Assets Controlled by the Plan 297

Describe the Configuration Management System 298

Define Roles and Responsibilities 299

Establish Baselines 301

Change Control Process 302

Change Request Procedures 303

Emergency Change Request Procedures 303

Change Request Parameters 304

Configuration Control Board 304

Configuration Management Audit 306

Configuration and Change Management Tools 307

Configuration Management Plan Checklist 308

Summary 309

Additional Resources 309

Chapter 19 Preparing the System Security Plan 311

Introduction 312

Laws, Regulations, and Policies 312

The System Description 313

System Boundaries 315

System Mission 316

Data Flows 318

Security Requirements and Controls 318

Management Controls 325

Risk Mitigation 325

Reporting and Review by Management 326

System Lifecycle Requirements 328

Security Planning 329

Documentation for Managers 329

Operational Controls 330

Personnel Security 330

Physical and Environmental Controls and Safeguards 331

Administration and Implementation 332

Preventative Maintenance 333

Contingency and Disaster Recovery Planning 334

Training and Security Awareness 334

Incident Response Procedures 335

Preservation of Data Integrity 335

Network and System Security Operations 336

Technical Controls 338

Authentication and Identity Verification 338

Logical Access Controls 341

Secure Configurations 341

Interconnectivity Security 344

Audit Mechanisms 346

ISSO Appointment Letter 349

System Security Plan Checklist 351

Summary 353

Additional Resources 353

Notes 354

Chapter 20 Submitting the C&A Package 355

Introduction 356

Structure of Documents 356

Who Puts the Package Together? 357

Markings and Format 357

Signature Pages 358

A Word About “Not Applicable” Information 359

Submission and Revision 360

Defending the Certification Package 360

Checklist 362

Summary 363

Additional Resources 363

Chapter 21 Evaluating the Certification Package for Accreditation 365

Introduction 366

The Security Assessment Report 366

Checklists for Compliance 366

Compliance Checklist for Management Controls 368

Compliance Checklist for Operational Controls 380

Compliance Checklist for Technical Controls 392

Recommendation to Accredit or Not 404

Accreditation and Authority to Operate 405

Interim Authority to Operate 405

Evaluations by an OIG 407

Evaluations by the GAO 408

Checklist 409

Summary 410

Chapter 22 Addressing C&A Findings 411

Introduction 412

POA&Ms 412

Development and Approval 412

POA&M Elements 413

A Word to the Wise 416

Checklist 416

Summary 417

Chapter 23 Improving Your Federal Computer Security Report Card Scores 419

Introduction 420

Elements of the Report Card 420

Actions for Improvement 421

Trends 422

Summary 423

Chapter 24 Resources 425

Acronyms 428

Appendix A FISMA 431

Appendix B OMB Circular A-130: Appendix III 453

Appendix C FIPS 199 473

Index 485


Foreword

When I was the Security Staff Director of the Federal Deposit Insurance Corporation (FDIC), the Federal Information Security Management Act of 2002 (FISMA) was not yet in existence; however, the Government Information Security Reform Act (GISRA) was. Since GISRA was signed into law on October 30, 2000, U.S. federal agencies have been paying far more attention to information security than they did previously.

In 2002, FISMA was signed into law, creating more specific regulations for U.S. federal agencies than those established by GISRA. Today, with FISMA, and the process known to support FISMA, Certification and Accreditation (C&A), agencies are far more diligent about assessing their security controls and vulnerabilities. Despite what you may read in the news, however, many federal agencies are far more secure than their commercial counterparts in the private sector.

C&A is still a nascent science, and although excellent guidance exists on how to evaluate the risk exposure of federal information systems, agencies are still working on improving their C&A programs. C&A is, however, a large endeavor. Although the process has been proven to reduce risk to federal information systems, many people new to C&A don’t know where to start or how to get going on their C&A projects. Seasoned C&A experts continue to look for new ideas on how to improve their existing processes. This book is the first publication with numerous practical examples that can help you step through the C&A process from beginning to end. I wish this book had existed while I was the Security Staff Director of the FDIC so that I could have provided copies to my staff.

Federal agencies aside, the principles discussed in this book can be applied to almost any organization that cares about the security of its information technology systems and infrastructure. Cyber criminals, identity thieves, and terrorists have made information security assessments a requisite fundamental part of doing business today. Laws mandate information security compliance, and federal and private organizations are allocating budgets to ensure that their confidential information remains private and secure. Although the C&A process was first rolled out by federal agencies, I anticipate that private industry organizations will adopt C&A principles to assess their own systems going forward. There is a lot more to securing an infrastructure of systems and applications than simply performing penetration tests and security scans. This book was written so that almost anyone can understand it. If you’re interested in learning how to assess all the different security aspects of your systems, networks, and applications, this book is for you. With an abundance of pointers to outside references, this book includes almost all the resources you need to learn C&A. I hope you’ll find it as easy to follow as I have.

—Sunil J. Porter, Former Security Staff Director of the FDIC


Preface

As the federal regulators have come to understand the risks to the U.S. national infrastructure, regulations and laws have been written to ensure that due diligence occurs in securing critical applications and systems. An outcome of the laws and regulations is a formalized process for reviewing, documenting, analyzing, and evaluating information security requirements and controls. The process described in this book, known as C&A, will assist government agencies in complying with the Federal Information Security Management Act of 2002.

Audience

The audience for this book includes those individuals currently performing information security support at U.S. Federal agencies, defense contractors that need to comply with FISMA to support government task orders, information security consultants, and anyone else who would like to learn a very thorough methodology for conducting information security audits to safeguard sensitive information, mission-critical applications, and their underlying infrastructure. While much of the discussion in this book is geared to U.S. federal agencies, this book describes a process that can essentially be applied to any information technology organizations or infrastructure. This book does not describe the only way to perform C&A; however, it does describe a methodology that has been proven successful in assisting U.S. government agencies in obtaining near-perfect scores on the annual Federal Computer Security Report Card. All kinds of variations for performing C&A exist. This book describes one way.

Organization of This Book

This book contains 24 chapters.

Chapter 1 (What Is Certification and Accreditation?) explains what is meant by Certification and Accreditation and why the process is mandated by federal law. The different Certification and Accreditation laws will be cited and discussed. A brief history and chronology of the mandated laws will be included in the discussion.

Chapter 2 (Types of Certification and Accreditation) includes descriptions of the four primary different types of C&A: NIST, NIACAP, DITSCAP, and DCID 6/3.

Chapter 3 (Understanding the Certification and Accreditation Process) explains the logical steps that one goes through to prepare for a C&A audit/review. It also explains the roles and responsibilities of the audit/review team, including the role of the reviewers, the accrediting authority, and the federal auditors/inspectors.

Chapter 4 (Establishing a Certification and Accreditation Program) includes information on what types of tasks you’ll need to do to put a C&A Program into place. This chapter explains what types of documents and guidelines you’ll need to establish a C&A Program. If you already have a C&A Program, you can always make it better and refine it. You’ll want to improve your C&A Program and revise it periodically as you notice what items are missing and what areas need more clarification.

Chapter 5 (Developing a Certification Package) includes information on what you need to do to prepare for an upcoming C&A project. This chapter tells you what documents you need to collect and have on hand in order to prepare your C&A review (e.g., the organizational security policies and procedures and the security organization structure). Information on whether to outsource the C&A review or do it in-house is also provided.

Chapter 6 (Preparing the Hardware and Software Inventory) includes a sample of a C&A asset inventory and how one should go about developing it and putting it together.

Chapter 7 (Determining the Certification Level) includes information on how to put together the Security Categorization and Certification Level approval letter and the Determination Level Profile documents.

Chapter 8 (Performing and Preparing the Self-Assessment) includes information on how to perform and document a Self-Assessment. The differences between management, operational, and technical security controls are explained.

Chapter 9 (Addressing Security Awareness and Training Requirements) includes information on how to review, analyze, and document Security Awareness, Training, and Education.

Chapter 10 (Addressing End-User Rules of Behavior) advises you on how to review, analyze, and document C&A requirements for End-User Rules of Behavior.

Chapter 11 (Addressing Incident Response) includes information on how to address and document Incident Response requirements. The role of the incident response manager and different incident types are discussed.

Chapter 12 (Performing the Security Tests and Evaluation) includes information on how to perform and document the required security tests and evaluation (ST&E). This chapter also addresses whether or not a penetration test is required. Information about how to execute a penetration test will be discussed.

Chapter 13 (Conducting a Privacy Impact Assessment) helps you understand under what circumstances you’ll need to develop one of these types of documents and what to include in one. Individual privacy rights and responsibilities of the Senior Agency Official for Privacy are discussed.

Chapter 14 (Performing the Business Risk Assessment) includes information on how to perform a Business Risk Assessment and what types of information should be included in a Business Risk Assessment.

Chapter 15 (Preparing the Business Impact Assessment) includes information on how to prepare and perform the Business Impact Assessment and what types of information should be included in such an assessment.

Chapter 16 (Developing the Contingency Plan) includes information on how to prepare a Contingency Plan and what types of information should be included in a Contingency Plan.

Chapter 17 (Performing a System Risk Assessment) includes information on how to prepare and perform the System Risk Assessment.

Chapter 18 (Developing a Configuration Management Plan) explains what you’ll want to include in this plan, and how to go about accumulating the information.

Chapter 19 (Preparing the System Security Plan) includes how to prepare and document a System Security Plan.

Chapter 20 (Submitting the C&A Package) includes information on how to put together the final Certification Package. Information on the Security Assessment Report prepared by the Certifying Agent is also included in this chapter.

Chapter 21 (Evaluating the Certification Package for Accreditation) includes information on how to evaluate a Certification Package to determine if it should be accredited. This chapter includes information on how the evaluators determine whether the package should pass or fail. Checklists and how to use them to produce the Security Assessment Report are discussed.

Chapter 22 (Addressing C&A Findings) includes information on strategies for defending your C&A review, as well as how to address any failures cited by the evaluation team. The evaluators typically require a document known as a Plan of Action & Milestones (POA&M) to be drafted and adhered to for the purpose of addressing failures. A sample POA&M is included along with recommendations on how to write one.

Chapter 23 (Improving Your Federal Computer Security Report Card Scores) explains what shows up in the FISMA Report Cards and how to go about improving your agency’s scores.

Chapter 24 (Resources) includes a list of recommended resources that C&A teams can use to help understand the C&A process. A list of acronyms is also included.

Conventions Used in This Book

The following typographical conventions are used in this book:

Italic is used for commands, directory names, filenames, scripts, emphasis, and the first use of technical terms.

Angle brackets (< >) are used for user input.


We’d Like to Hear From You

We have reviewed and verified all of the information in this book to the best of our ability, but you may find that certain references to federal regulations have changed.

For more information about this book and others, see the Syngress Web site: www.syngress.com/solutions.

Author Acknowledgments

Without the help and support of many individuals, this book would not have been possible. I'd like to thank my editors, Gary Byrne and Matthew Shepherd, who helped keep me on track and polished up the rough edges. I'd also like to thank Andrew Williams for giving me the opportunity to write for Syngress.

The entire Syngress team is a world-class publishing organization. I'd also like to thank my former editors at O'Reilly Media, Allison Randal and Tatiana Apandi Diaz, who helped me refine some of the earlier drafts of this book.

Thank you also to Nathan Torkington of O'Reilly, who was one of the early believers in this book.

Thank you to Stephen Northcutt of SANS, who was instrumental in helping this book get off the ground.

Various C&A and security professionals whom I have worked with over the years have all contributed to my knowledge of C&A, which likely resulted in a better book. Various people provided research for this book, and some even allowed me to C&A their mission-critical systems, which no matter how many times I do it, never fails to add new learning experiences. Alphabetically by last name, I'd like to thank John Alger, Gwen Bryant-Hill, Chris Buehler, John Cowan, Tamiiko Emery, Whitney Goss, Sheila Higgs, Cindi Jansohn, Yi-Fang Koh, Dave Metler, Angela Rivera, and Angela Vessels.

Thank you to Wanda Headley at the Natural Hazards Center at the University of Colorado, Boulder, for help with research on natural hazards. I'd also like to thank Eileen McVey, of the National Oceanic & Atmospheric Administration, who contributed information on natural hazard probabilities.

Thank you to the staff at COACT for all the support and words of encouragement. In particular, I'd like to thank Jim McGehee, Lou Lauer, Randy Williams, and Glenn Jacoboson, who made contributions to Chapter 22.

Thank you to Micah Tapman of SAIC, who provided research and recommendations for Chapter 23.

Thank you to Brien Posey, Shaam Rodrigo, and Troy Thompson of Relevant Technologies. They are consistently always there when I need an extra helping hand.

Much thanks to my parents, Barbara and Robert Taylor, who made many sacrifices to help me receive the education that gave me a foundation for writing.

Last, and most of all, I'd like to thank my 13-year-old son, Sammy, who gave up numerous hours of family time with Mom to make this book possible.

—Laura Taylor, Columbia, MD, October 2006


Chapter 1: What Is Certification and Accreditation?

“The law cannot be enforced when everyone is

Templates, Documents, and Paperwork
Certification and Accreditation Laws Summarized


Certification and Accreditation is a process that ensures that systems and major applications adhere to formal and established security requirements that are well documented and authorized. Informally known as C&A, Certification and Accreditation is required by the Federal Information Security Management Act (FISMA) of 2002. All systems and applications that reside on U.S. government networks must go through a formal C&A before being put into production, and every three years thereafter. Since accreditation is the ultimate output of a C&A initiative, and a system or application cannot be accredited unless it meets specific security guidelines, the goal of C&A is clearly to force federal agencies to put into production only systems and applications that are secure.

FISMA, also known as Title III of the E-Government Act (Public Law 107-347), mandates that all U.S. federal agencies develop and implement an agency-wide information security program that explains its security requirements, security policies, security controls, and risks to the agency. The requirements, policies, controls, and risks are explained formally in a collection of documents known as a Certification Package. The Certification Package consists of a review and analysis of applications, systems, or a site—basically whatever it is that the agency wants accredited. New applications and systems require accreditation before they can be put into production, and existing applications and systems require accreditation every three years.

Each agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source…

—Federal Information Security Management Act of 2002

Laws for U.S. federal departments and agencies mandate C&A; however, private organizations can also take advantage of C&A methodologies to help mitigate risks on their own information systems and networks. In fact, about


not part of any U.S. federal department or agency. The nation's critical infrastructure includes those information technology systems that run electrical systems, chemical systems, nuclear systems, transportation systems, telecommunication systems, banking and financial systems, and agricultural and food and water supply systems, to name only a few.

The entire C&A process is really nothing more than a standardized security audit, albeit a very complete standardized security audit. Having worked in both private industry and on government networks, my experience indicates that, contrary to what you read in the news, most private and public companies do not put nearly as much time, effort, and resources into documenting their security as government agencies do. All the C&A methodologies described in this book can be adopted and used by private industry. Though federal departments and agencies seem to get repeated criticisms belittling their security initiatives, it's my experience and belief that the criticisms are largely exaggerated and that their security conscientiousness far exceeds that of private industry.

The C&A model is a methodology for demonstrating due diligence in mitigating risks and maintaining appropriate security controls. Any enterprise organization can adopt best-practice C&A methodologies. A special license is not required, and no special tools are required to make use of the model—it is simply a way of doing things related to security.

Terminology

Certification refers to the preparation and review of an application's, or system's, security controls and capabilities for the purpose of establishing whether the design or implementation meets appropriate security requirements. Accreditation refers to the formal decision by a senior agency official, made on the basis of the evaluation team's review of the Certification Package, to accept the documented risk and authorize the system to operate.

Different documents written by different federal agencies have their own definitions of certification and accreditation, and though the definitions are
NIST Special Publication 800-37 defines certification as:


A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

The guidance written by NIST is intended for information systems that process unclassified data, more commonly known as SBU data—Sensitive But Unclassified. The Committee on National Security Systems, chaired by the Department of Defense, defines certification in the National Information Assurance Glossary as:

A comprehensive evaluation of the technical and nontechnical security safeguards of an IS to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements.

You can see that even experts among us don't necessarily agree on a concrete definition. However, since experts in most professions typically bring their own uniqueness to the table, I don't see the differences in definitions as being a show stopper for getting the job done. The definitions are similar enough.

An evaluation team reviews a suite of documents known as a Certification Package and makes recommendations on whether it should be accredited. The evaluation team may be referred to by different names in different agencies. You should think of the evaluators as specialized information security auditors; often they are referred to as certifying agents. Each agency may refer to their own auditors with slightly different names, so you shouldn't get hung up on what to call these folks. The main thing to know is that each agency has their own set of auditors that have the power either to pass or fail the different elements of a Certification Package, and provide a recommendation either to accredit the package or not.

The term “Certification” can be confusing because a Certification Package does not mean that any part of the infrastructure described in the package has been certified by anyone for anything. The Certification Package itself is not, and does not, get certified. However, it does get reviewed by certifying agents. A more apropos name might have been a Security Package, but that isn't the name our friendly federal regulators wanted to use, so we won't be using it here.

Once a Certification Package has been evaluated, a positive accreditation indicates that a senior agency official has formally made the decision that the documented risks to the agency, assets, and individuals are acceptable. Senior agency officials employ large teams of information assurance oversight staff that go over the Certification Packages with fine-toothed combs. Accreditation does not come lightly, and occurs only after each Certification Package has undergone a scrupulous review. By accrediting an information system, the senior agency official agrees to take responsibility for the accuracy of the information in the certification package and consents to be held accountable for any security incidents that may arise related to the system.

NIST Special Publication 800-37 refers to accreditation as:

The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.

And the National Information Assurance Glossary refers to accreditation as a:

Formal declaration by a Designated Accrediting Authority (DAA) that an IS is approved to operate at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards.

Much of the terminology that federal agencies use in developing C&A programs and processes comes from the Office of Management and Budget (OMB) Circular A-130, Appendix III (listed in Appendix B). To view this document, go to www.syngress.com. The OMB is part of the Executive Office of the President of the United States. Aside from assisting the president with the budget, the OMB's mission is also to create and oversee information and regulatory policies. The OMB was created in 1970, and essentially replaced the Bureau of the Budget. The fact that the OMB plays a significant regulatory role in C&A shows just how important information security has become to our national infrastructure. It also means that C&A initiatives will have a budget and are clearly a priority to the Executive Office of the President of the United States—and that's a good thing.

Audit and Report Cards

Some agencies have two sets of auditors, and a Certification Package may undergo review by one evaluation team first and another evaluation team second. The first group of evaluators ensures that the Certification and Accreditation package was prepared correctly, according to agency guidelines. The second set ensures that the first set evaluated the C&A package correctly, according to agency guidelines. The two sets of evaluators do not always agree on whether or not certain parts of the Certification Package are acceptable. If this happens, the evaluators need to discuss the disagreement among themselves until they reach agreement.

Once a package has been accredited, auditors independent of the agency's C&A program review the Certification Packages and write up reports on how well the agency's C&A program is working. These auditors are the agency's Inspector General (IG) staff, whom FISMA charges with an annual independent evaluation of the agency's information security program (the IG may have that evaluation performed by an independent external auditor), and, from outside the agency, the Government Accountability Office (GAO). Inspectors General are officials of the agency they audit, not GAO staff, although both sets of findings reach Congress. If the IGs or the GAO find deficiencies in any accredited packages, the agency will receive unsatisfactory ratings. (I will discuss more of how these packages are audited and reviewed in Chapter 21.) A goal for any agency is to make sure that all Certification Packages were properly evaluated and accredited so that the auditors do not find any deficiencies.

After the GAO documents its findings, these findings get reviewed by the U.S. House of Representatives Government Reform Subcommittee on Technology and Information Policy. When former Rep. Stephen Horn (R-CA) chaired the House Subcommittee on Government Management, Information and Technology, Intergovernmental Relations and the Census, he came up with the idea of issuing federal computer security report cards, and the first report card was issued in 2000. Originally these report cards were dubbed the Horn Report; today they are known as the annual Federal Computer Security Report Cards. Although Stephen Horn no longer chairs the subcommittee, these report cards are still often referred to as the Horn Reports, and they are based largely on how well an agency performs C&A.

The subcommittee is now known as the Subcommittee on Government Management, Finance and Accountability and is part of the Committee on Government Reform. As of this writing, the URL of its Web site is http://reform.house.gov/GMFA/

The most current Federal Computer Security Report Cards as of this writing can be found at http://reform.house.gov/UploadedFiles/2004%20Computer%20Security%20Report%20card%202%20years.pdf

A Standardized Process

C&A is a standardized process. Each agency decides what its standardized security C&A process consists of, and documents it. The different U.S. federal departments and agencies each develop their own unique standardized process based on guidance from one of the following three organizations: the National Institute of Standards and Technology (NIST), the Committee on National Security Systems (CNSS), or the Department of Defense (DoD).

For agencies that are doing their C&A the right way, their own internal guidance that describes their repeatable process likely consists of as much material as you will find in this book. C&A is a voluminous process, and the documentation that exists to describe any one agency's C&A process can be daunting. The documentation that goes into writing and putting together a Certification Package is also daunting. The amount of security documentation that you will find in one Certification Package is easily more extensive than all the tips, suggestions, and guidance that you'll find in this book.

Typically, a well-documented C&A process consists of not just one document, but a set of documents. Of primary importance in this set of documents is the C&A handbook that describes the agency's overall C&A process. The title of the handbook varies from agency to agency, but will most likely sport a name akin to The <Name> Agency Certification and Accreditation Process and Handbook. Without a handbook to standardize the process, there would be a lack of cohesiveness in the different Certification Packages published by the agency.


When putting together a Certification Package for a particular agency, you will continually need to go back to the handbook and reference it. The handbook will have way too much information in it for you to read, absorb, and remember in one fell swoop. However, if you are about to undertake a C&A initiative, you should try to read the handbook from front to back at least once, knowing that you won't remember everything, but you may remember better where to look to find the information you'll need when the time comes.

Templates, Documents, and Paperwork

C&A is essentially a documentation and paperwork nightmare. If you're just embarking on C&A for the first time, be prepared for that. To create some order out of the paperwork nightmare, aside from a handbook, most agencies now have templates that they use for all the different types of documents that go into the Certification Package. Agencies that don't have templates should certainly strive to develop some.

Templates ensure that all the different types of documents that go into the agency-wide Certification Packages have the same look and feel, and they standardize the documentation. A good template helps to ensure that all key information is included in the Certification Package. Well-written templates also assist the auditors in finding the information they are looking for, because they will know exactly in which section of the package to find it. The amount of information that is required in any one Certification Package is so great that if each Certification Package had a different format, it would be nearly impossible for the auditors to evaluate the package. When the auditors evaluate a Certification Package, they want to know where to look to find key information, and they don't want to have to hunt for it. I have seen Certification Packages receive failures not because the right information wasn't in the Certification Package, but because the right information was not where it was supposed to be.

Preparing a Certification Package is very documentation intensive. If you have just gotten yourself into the C&A business for the first time, and are about to start helping an agency prepare a Certification Package, prepare yourself to write, write, and write some more. If you detest writing, you're in
