My thoughtful read on this topic is that a security strategy for federal agencies must include three crucial components. 1) Formalization of the roles, duties, and behaviors associated with information systems security planning, as well as the behaviors that each function is required to fulfill in the creation of security plans. 2) Scope of the security plan: this is an important part to aid in evaluating how an information system will affect an agency. 3) Planning. The system security plan’s goal is to give a summary of the security requirements for the system and explain the measures that are planned to meet those criteria. In order to provide information and support information systems that support the operations of the agency, the Federal Information Security Management Act (FISMA) mandates that all federal agencies design, publish, and implement information security programs.
Hi Marylyn,
It’s important that you pointed out the fact that the Federal Information Security Management Act (FISMA) mandates that all federal agencies design, publish, and implement information security programs. The reason for this is to enforce accountability and responsibility.
Guide for Developing Security Plans for Federal Information Systems highlights that system security plans are living documents that require periodic review, modification, and a plan of action and milestones for implementing security controls. Hence it is very important to have system security plan responsibilities defined, which should indicate who reviews the plans, keeps the plan current, and follows up on planned security controls.
-> The Chief Information Officer is the official responsible for developing and maintaining an agency-wide information security program.
-> The information system owner is the official responsible for the overall procurement, development, integration, modification, or operation and maintenance of the information system.
-> The information owner is the official with statutory or operational authority for establishing the controls for information generation, collection, processing, dissemination, and disposal.
-> The information system security officer is the official assigned responsibility for ensuring that the appropriate operational security posture is maintained for an information system or program.
-> The authorizing official is a senior management official or executive with responsibility for operating an information system at an acceptable level of risk to agency operations, agency assets, or individuals.
I think it’s important that you pointed out the fact that the system security plan is a living document and needs to be reviewed and updated (if needed) periodically. This includes owners of responsibility. Not only should a plan have owners of responsibility, but it should also have a backup owner for each owner of responsibility. This is important because if there is turnover, someone needs to be the owner.
Both FIPS 199 and 200 are mandatory for FISMA. FISMA requires that organizations have an information security inventory in place with categorization of all information and information systems, including the impact level on them. FIPS 199 basically defines the security categories, objectives, and impact levels; likewise, FIPS 200 specifies the minimum security requirements and a risk-based process for selecting the necessary security controls to maintain the minimum requirements. And then the common and necessary security controls can be incorporated into the system security plan by reference.
You’re right Sunam! Also, FIPS 200 refers to the NIST SP 800-53 control catalog to select controls for the required areas. What surprised me is that the SP 800-53 has 20 control families while FIPS 200 has 17. I wonder if the additional control families in SP 800-53 are not applicable to the federal agencies or if FIPS 200 has not been updated.
Hi Nishant,
Yes, you are right, there are 17 controls in FIPS 200 whereas NIST SP 800-53 mentions 20. Program Management, Personally Identifiable Information Processing and Transparency, and Supply Chain Risk Management are three controls not listed in FIPS 200.
I think FIPS 200 is the minimum security requirement for federal information and information systems. However, those sections that are not listed in FIPS 200 are also important, but FIPS may consider them as additional security requirements, so maybe because of that those sections are not mentioned in the minimum security requirements document.
The Plan Development section is designed to guide people in writing a system security plan, including logical steps to follow, recommended structure and content, and how to maximize the use of current NIST to effectively support system security plan activities. The items of the System Security Plan contain the system name and a unique identifier, System Categorization of information types and information systems under FIPS 199, the key point of contact—System Owner, Authorizing Official, Other Designated Contacts, System Operational Status, System Environment, and so on. Among them, the system environment is also required to be listed in the system security plan because it may become a factor that brings threats or vulnerabilities. For example, a centrally managed system, consisting of a central workstation and server, avoids the pitfalls of networking.
Another point worthy of note is to list all applications supported by the general support system if the system is a general support system, as stipulated by the Plan Development section.
FISMA requires federal agencies to develop and implement an agency-wide information security program to protect information and information systems used for business operations and assets. The program must include security requirements, controls, and procedures for reviewing, updating, and following up on the established controls. The program must be accredited and certified in line with FIPS 199 and must include a risk assessment, ongoing monitoring, point of action and milestones, configuration management, and a process to ensure completeness and accuracy.
FISMA requires that agencies have in place an information systems inventory.
All information systems in the inventory should be categorized using FIPS 199 as a first step in the system security planning activity.
FIPS 199 is the mandatory standard to be used by all federal agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to impact.
Good point, Frank! Furthermore, FISMA, FIPS 199 and FIPS 200 are obligatory security requirements. FIPS 199 defines criteria for classifying data and information systems. The Confidentiality, Integrity, and Availability (CIA) triad is referenced by the security categories. These security areas are ranked according to their possible impact, which ranges from Low to High.
As you mentioned, FISMA requires that agencies have in place an information systems inventory. It is key for every organization to know the inventory of the systems/devices they have in their network, what purpose they serve, what assets they carry, etc. This helps during the risk management process to determine which systems require higher priority and whether to accept, transfer, or mitigate the risk.
A section that caught my attention in this reading was System Boundary Analysis and Security Controls. It indicates that FIPS 199 impact analysis must be utilized before any system security plan can be developed. This helps because at this stage a risk has been assessed, and local conditions including organization-specific security requirements, specific threat identification, cost-benefit analyses, the availability of compensating controls, or special circumstances have all been assessed. It is key because you now know every element that must be covered within the security plan and are also able to manage the prioritization plan.
Hi Shepherd, it is a good point to know that the FIPS 199 impact analysis must be used before any security plan can be developed, because it has most of the elements that were covered in the SSP.
I agree with you that impact analysis is key before a system security plan can be developed. All of the things you listed belong to that stage of risk, as does the impact it could have if one of those factors were not assessed.
SP 800-18 provides guidance for federal agencies for developing system security plans for federal information systems, as FISMA mandates federal agencies to develop, document and maintain an information security program at the agency level. The guidance describes the requirement for security categorization through FIPS 199 for information types and information systems. Senior management under the CISO is responsible for developing and maintaining an SSP. The guide suggests defining various roles for people involved in developing the security plans, identifying security boundaries by grouping information resource types (e.g. major application, general support system, etc.) and a designated authority to approve the security plan. Controls are selected from the SP 800-53 baseline and tailored to the systems as applicable. The SSP allows the authorized personnel to make a risk-based, informed decision on approving a system to operate and, during its lifecycle, what the possible risks associated with its use are as well as the potential impacts of risk realization.
One key takeaway I thought was important to note is that system security plans are ongoing and a living document. They need to be reviewed on an on-going basis to reflect changes. For example, if there is turnover, there will be a change in the system owner. Additionally, more than just the IT department needs to be involved in the security plan. For example, the business owners would need to provide input on what systems/applications are used, what type of data and the importance of the data.
Hi Jill,
I agree with you that the system security plan is a living document. And it’s not just the movement of people, the safety standard FIPS 199 is also likely to be updated. In addition, your response to Aayush that a backup person should be prepared for each responsibility was great.
Hi Jill! The system security plan is indeed a living document as you already mentioned. The SSP should be part of the security authorization package, and it must outline the roles and responsibilities of security personnel.
Plans for system security are not static records. Periodically, they should be examined and changed. Given their significance and necessity, no single person is solely responsible for these texts. Numerous tasks and responsibilities related to creating and maintaining a system security plan are defined in NIST SP 800-18.
The CIO establishes the guidelines for system security plans and makes sure that people creating them are properly trained. The owner of the information system is responsible for maintaining the plan, making sure it is carried out, and updating it if there is a change to the system. The owner of the information determines who gets access to it and sets the guidelines for its appropriate usage. An authorized official, an information system security officer, and a senior agency information security officer should also be involved. The plan is given the official’s approval, and the information system is given permission to run.
A key point I took notice of in the reading was that there are more than double the number of Operational security control classes in comparison to Management and Technical. The security control classes for Operations consist of 9 different families. Meanwhile, Management and Technical only have 4 families apiece. That goes to show how important security methods focusing on mechanisms primarily implemented and executed by people are, as opposed to systems (technical) or management.
Great point about operational security controls. Operational security controls cover a wide range of activities and procedures. Operational controls are focused on the day-to-day activities and procedures that are used to protect an organization’s assets, which are also more numerous because they are the most people-dependent controls; they are subject to human error and need constant monitoring, training, and reinforcement.
A key point I took from this was impact ratings and how crucial they are in determining controls. Once you are able to determine them, it shows what to attack first. I think this is a vital step and if it is not done, it can cause a lot of issues.
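The posts above on FIPS 199 categorization (Low to High impact across the CIA triad) and on impact ratings determining which controls apply describe a procedure that is easy to get wrong by hand, so here is a worked implementation as an added example. It is not code from this thread or from NIST: it categorizes a few constructed information types, rolls them up into a system security category the way FIPS 199 describes (highest impact per objective, with a LOW floor at the system level and "not applicable" allowed only for confidentiality), and maps the FIPS 200 high-water mark to the SP 800-53 baseline name. The information-type names and impact values are made up for illustration.

```python
"""FIPS 199 security categorization and FIPS 200 high-water mark.

Added example (not code from the discussion thread or from NIST). The
information types and impact values below are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, Iterable

# Ordinal ranking of FIPS 199 impact values; "NA" (not applicable) ranks lowest.
LEVELS = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
NAMES = {rank: name for name, rank in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with an impact value per security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self, objective: str) -> int:
        value = getattr(self, objective).upper()
        if value not in LEVELS:
            raise ValueError(f"{self.name}: unknown impact value {value!r}")
        # FIPS 199 permits "not applicable" only for confidentiality (for
        # example, information that is already public); integrity and
        # availability of an information type always carry at least LOW.
        if value == "NA" and objective != "confidentiality":
            raise ValueError(f"{self.name}: NA is not allowed for {objective}")
        return LEVELS[value]


def categorize_system(info_types: Iterable[InfoType]) -> Dict[str, str]:
    """System security category: per objective, the highest impact of any
    information type the system handles, floored at LOW because a system
    (unlike a single information type) is never categorized as NA."""
    types = list(info_types)
    if not types:
        raise ValueError("a system must handle at least one information type")
    category: Dict[str, str] = {}
    for objective in OBJECTIVES:
        highest = max(t.impact(objective) for t in types)
        category[objective] = NAMES[max(highest, LEVELS["LOW"])]
    return category


def high_water_mark(category: Dict[str, str]) -> str:
    """FIPS 200 high-water mark: the highest impact across the three
    objectives, which is the overall level used to pick a control baseline."""
    return NAMES[max(LEVELS[v] for v in category.values())]


def baseline_for(category: Dict[str, str]) -> str:
    """Name of the SP 800-53 baseline that matches the high-water mark."""
    return f"SP 800-53 {high_water_mark(category).lower()} baseline"


def format_category(system_name: str, category: Dict[str, str]) -> str:
    """Render the category in the FIPS 199 notation used in an SSP."""
    parts = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return f"SC {system_name} = {{{parts}}}"


# Constructed sample: a general support system hosting three information types.
SAMPLE_TYPES = [
    InfoType("public web content", "NA", "MODERATE", "MODERATE"),
    InfoType("contract records", "MODERATE", "MODERATE", "LOW"),
    InfoType("routine administrative data", "LOW", "LOW", "LOW"),
]

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_TYPES)
    print(format_category("example GSS", sc))
    print("high-water mark:", high_water_mark(sc))
    print("baseline:", baseline_for(sc))
```

The roll-up is why a system's category can end up higher than any single owner expects: one HIGH availability rating on a minor information type lifts the whole system to the high baseline, which is exactly the prioritization effect the post above describes.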
Today’s rapidly changing technological environment requires federal agencies to adopt minimum security controls to protect their information and information systems. FIPS 199 helps organizations determine the security category of their information systems, and Federal Information Processing Standards (FIPS) 200 establishes minimum security requirements for federal information and information systems in security-related areas. The goal of system security planning is to improve the protection of information system resources and to ensure the confidentiality and integrity of information, as well as user control over information data. Any laws, actions, or procedures that affect the confidentiality, integrity, and availability of the system should be noted in the security plan.
One example that quickly comes to my mind is HIPAA, which requires covered entities to implement technical safeguards to protect all electronically protected healthcare information. Sensitive patient health information should not be disclosed without the patient’s consent or knowledge. Covered entities must establish and implement policies and procedures to handle routine disclosures or related requests to limit the disclosure of protected health information to the minimum amount necessary to achieve the purpose of the disclosure.
Hi Mengqi,
I agree with you on HIPAA. It’s a requirement that covered entities implement technical safeguards to protect all electronically protected healthcare information. Sensitive patient health information should not be disclosed without the patient’s consent or knowledge. Also, there are certain limitations on what records can be retained, for how long, and how they are discarded, especially if they are in print form.
One key aspect that I found interesting is the rules of behavior, which are required in OMB Circular A-130, Appendix III, and are a security control contained in NIST SP 800-53. They clearly state the roles, responsibilities and expected behaviors of individuals that have access to the system. They go further by stating the consequences of inconsistent behavior or noncompliance, and must be made available to every user prior to receiving authorization for access to the system. It is required that the rules contain a signature page for each user to acknowledge receipt, indicating that they have read, understand, and agree to abide by the rules of behavior. The reason for the rules of behavior is to enforce accountability and responsibility.
Hi Abayomi,
Yes, rules of behavior in OMB play an important role in the overall risk management strategy of an organization. They provide clear guidelines for the roles, responsibilities, and expected behaviors of individuals who have access to sensitive information systems. By outlining the consequences of inconsistent behavior or noncompliance, the rules of behavior help to enforce accountability and responsibility among users.
My takeaway from this document is an appreciation of the way this template is prepared. It provides a clear flow to collect and enter data as well as clear instructions with explanation of the type of data to be collected and how to evaluate the data to ensure that the form is filled out properly in order to maximize the utility of the form and outputs. For example, section 8.1 provides a clear set of questions and explanation to determine if a system is considered a cloud. In section 9.2, the directions provide clear explanation of what is needed as well as links to more information and explanation.
I want to talk about FIPS and FISMA as they are also valuable for the private sector as well. FIPS 199 and FIPS 200 are federal standards that outline the requirements for information security management in the United States, while FISMA is the legislation that mandates their implementation. Here’s a brief overview of each:
FIPS 199:
The “Standards for Security Categorization of Federal Information and Information Systems” offers a methodology for classifying federal data and systems based on their confidentiality, integrity, and availability requirements.
This standard aids in determining the appropriate security controls needed to protect the information, which ultimately helps organizations meet FISMA requirements.
FIPS 200:
Termed “Minimum Security Requirements for Federal Information and Information Systems,” this standard provides a baseline set of security controls for federal systems.
It establishes a comprehensive framework for selecting and specifying security controls to protect information systems and meet FISMA requirements.
FISMA:
The Federal Information Security Management Act (FISMA) is a key piece of legislation that mandates implementing information security standards and guidelines for federal agencies.
It requires federal agencies to develop, document, and implement security programs to safeguard their information systems, conduct regular risk assessments, and report their compliance status.
In summary, FIPS 199 and FIPS 200 are essential standards that help organizations ensure the security of federal information systems under FISMA legislation. They provide a structured approach to categorizing and protecting sensitive data, contributing to the U.S. government’s robust information security ecosystem.
A key takeaway is considering information system boundaries, and that they should not be used as a limiting factor. It is good to decide now so you can do careful negotiation among everyone, also taking into account the mission and what the purpose of the business is. There should be shared resources to secure many applications and systems that do not require a level of security of their own.
My thoughtful read on this topic is that a security strategy for federal agencies must include three crucial components. 1) Formalization of the roles, duties, and behaviors associated with information systems security planning, as well as the behaviors that each function is required to fulfill in the creation of security plans. 2) Scope of the security plan- this is an important part to aid in evaluating how an information system will affect an agency. 3) Planning. The system security plan’s goal is to give a summary of the security requirements for the system and explain the measures that are planned to meet those criteria. In order to provide information and support information systems that support the operations of the agency, the Federal Information Security Management Act (FISMA) mandates that all federal agencies design, publish, and implement information security programs.
Hi Marylyn,
It’s important that you pointed out the fact that the Federal Information Security Management Act (FISMA) mandates that all federal agencies design, publish, and implement information security programs. The reason for this is to enforce accountability and responsibility.
Guide for Developing Security Plans for Federal Information Systems highlights that the System security plans are living documents that require periodic review, modification, plan of action and milestones for implementing security controls. Hence it is very important to have system security plan responsibilities defined which should indicate who reviews the plans, keeps the plan current, and follows up on planned security controls.
-> Chief Information Officer is the official responsible for developing and maintaining an agency-wide information security program.
-> The information system owner is the official responsible for the overall procurement, development, integration, modification, or operation and maintenance of the information system.
-> The information owner is the official with statutory or operational authority for establishing the controls for information generation, collection, processing, dissemination, and disposal.
-> The information system security officer is the official assigned responsibility for ensuring that the appropriate operational security posture is maintained for an information system or program.
-> The authorizing official is a senior management official or executive with responsibility for operating an information system at an acceptable level of risk to agency operations, agency assets, or individuals.
I think it’s important that you pointed out the fact that the system security plan is a living document and needs to be reviewed and updated (if needed) periodically. This includes owners of responsibility. Not only should a plan have owners of responsibility, but also have a back up owner for each owner of responsibility. This is important because if there is turnover, some one needs to be the owner.
Both FIPS 199 and 200 are mandatory for FISMA. FISMA requires that organization to have information security inventory in place with categorization of all information and information system including the impact level on it. FIPS 199 is basically defines the security categories, objectives, and impact level likewise FIPS 200 specifies the minimum-security requirement and risk-based process for selecting necessary security control to maintain minimum requirements. And then the common and necessary security control can be incorporated into the system security plan by reference.
You’re right Sunam! Also, FIPS 200 refers to the NIST SP 800-53 control catalog to select controls for the required areas. What surprised me is that the SP 800-53 has 20 control families while FIPS 200 has 17. I wonder if the additional control families in SP 800-53 are not applicable to the federal agencies or if FIPS 200 has not been updated.
Hi Nishant,
Yes, you are right there are 17 controls in FIPS 200 whereas NIST SP 800-53 mentioned 20. Program Management, Personally Identifiable Information Processing and Transparency and Supply chain risk management are three controls not listed on FIPS 200.
I think, FIPS 200 is the minimum security requirement for federal information and information systems. However, those sections that are not listed on FIPS 200 are also important. but FIPS may consider them for additional security requirement so maybe because of it, those sections are not mentioned in minimum security requirement document.
The Plan Development section is designed to guide people in writing a system security plan, including logical steps to follow, recommended structure and content, and how to maximize the use of current NIST to effectively support system security plan activities. The items of the System Security Plan contain the system name and a unique identifier, System Categorization of information types and information systems under FIPS 199, the key point of contact—System Owner, Authorizing Official, Other Designated Contacts, System Operational Status, System Environment, and so on. Among them, the system environment is also required to be listed in the system security plan because it may become a factor that brings threats or vulnerabilities. For example, a centrally managed system, consisting of a central workstation and server, avoids the pitfalls of networking.
Another point worthy of note is to list all applications supported by the general
support system if the system is a general support system as stipulated by the Plan Development section.
FISMA requires federal agencies to develop and implement an agency-wide information security program to protect information and information systems used for business operations and assets. The program must include security requirements, controls, and procedures for reviewing, updating, and following up on the established controls. The program must be accredited and certified in line with FIPS 199 and must include a risk assessment, ongoing monitoring, point of action and milestones, configuration management, and a process to ensure completeness and accuracy.
FISMA requires that agencies have in place an information systems inventory.
All information systems in the inventory should be categorized using FIPS 199 as a first step in the system security planning activity.
FIPS 199 is the mandatory standard to be used by all federal agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to impact.
Good Point Frank! Furthermore, FISMA, FIPS 199 and FIPS 200 are obligatory security requirements. FIPS 199 defines criteria for classifying data and information systems. The Confidentiality, Integrity, and Availability (CIA) triad is referenced by the security categories. These security areas are ranked according to their possible impact, which ranges from Low to High.
Hello Frank,
As you mentioned that FISMA requires that agencies must have in place an information systems inventory. It is key for every organization to know the inventory of the systems/devices they have in their network, what purpose do they save, what assets do they carry, e.t.c. This helps during the risk management process to determine which systems require higher priority, accept, transfer, or mitigate the risk.
A section that caught my attention in this reading was System Boundary Analysis and Security Controls. It indicates that FIPS 199 impact analysis must be utilized before any system security plan can be developed. This helps because at this stage a risk has been assessed, local conditions including organization-specific security requirement, specific threat identification, cost-benefit analyses, the availability of compensating controls, or special circumstances all has been assessed. It is key because you now know every element that must be covered within the security plan and also being able to manage the prioritization plan.
Hi Sheperd ,It is a good point to know FIPS 199 impact analysis must be used before any security plan can be developed because it has most elements that was covered in the SSP
Hi Shepherd,
I agree with you that impact analysis is key before a system security plan can be developed. All of the things you listed at that stage of a risk and the impact that it could have without one of those factors not being assessed.
SP 800-18 provides guidance for federal agencies for developing system security plans for federal information systems as FISMA mandates federal agencies to develop, document and maintain information security program at the agency level. The guidance describes the requirement for security categorization through FIPS 199 for information types and information systems. Senior management under the CISO is responsible for developing and maintaining an SSP. The guide suggests defining various roles for people involved in developing the security plans, identifying security boundaries by grouping information resource types (ex. major application, general support system, etc) and a designated authority to approve the security plan. Controls are selected from the SP 800-53 baseline and tailored to the systems as applicable. The SSP allows the authorized personnel to make a risk based informed decision on approving a system to operate and during its lifecycle what are the possible risks associated with its use as well as potential impacts of risk realization.
One key takeaway I thought was important to note is that system security plans are ongoing and a living document. They need to be reviewed on an on-going basis to reflect changes. For example, if there is turnover, there will be a change in the system owner. Additionally, more than just the IT department needs to be involved in the security plan. For example, the business owners would need to provide input on what systems/applications are used, what type of data and the importance of the data.
Hi Jill,
I agree with you that the system security plan is a living document. And it’s not just the movement of people, the safety standard FIPS 199 is also likely to be updated. In addition, your response to Aayush that a backup person should be prepared for each responsibility was great.
Hi Jill! The system security plan is indeed a living document as you already mentioned. The SSP should be part of the security authorization package, and it must outline the roles and responsibilities of security personnel.
Plans for system security are not static records. Periodically, they should be examined and changed. Given their significance and necessity, no single person is solely responsible for these texts. Numerous tasks and responsibilities related to creating and maintaining a system security plan are defined in Nist SP 800-18.
The CIO establishes the guidelines for system security plans and makes ensuring that people creating them are properly trained. The owner of the information system is responsible for maintaining the plan, making sure it is carried out, and updating it if there is a change to the system. The owner of the information determines who gets access to it and sets the guidelines for its appropriate usage. An authorized official, an information system security officer, and a senior agency information security officer should also be involved. The plan is given the official’s approval, and the information system is given permission to run.
A key point I took notice to in the reading was that there are more than double the amount of Operational security control classes in comparison to Management and Technical. The security control classes for Operations consist of 9 different families. Meanwhile Management and Technical only have 4 families a piece. That goes to show how important security methods focusing on mechanisms primarily implemented and executed by people are, as opposed to systems (technical) or management.
Hi Nicholas,
Great point about operational security control. Operational security controls cover a wide range of activities and procedures. Operational controls are focused on the day-to-day activities and procedures that are used to protect an organization’s assets, which are also more numerous because they are the most people-dependent controls, they are subject to human error and need constant monitoring, training, and reinforcement.
A key point I took from this was impact ratings and how crucial they are in determining controls. Once you are able to determine them, it shows what to attack first. I think this a vital step and if it is not done, it can cause a lot of issues.
Today’s rapidly changing technological environment requires federal agencies to adopt minimum security controls to protect their information and information systems.FIPS 199 helps organizations determine the security category of their information systems, and Federal Information Processing Standards (FIPS) 200 establishes minimum security requirements for federal information and information systems in security-related areas. The goal of system security planning is to improve the protection of information system resources and to ensure the confidentiality and integrity of information, as well as user control over information data. Any laws, actions, or procedures that affect the confidentiality, integrity, and availability of the system should be noted in the security plan.
One example that quickly comes to my mind is HIPAA, which requires covered entities to implement technical safeguards to protect all electronically protected healthcare information. Sensitive patient health information should not be disclosed without the patient’s consent or knowledge. Covered entities must establish and implement policies and procedures to handle routine disclosures or related requests to limit the disclosure of protected health information to the minimum amount necessary to achieve the purpose of the disclosure.
Hi Mengqi,
I agree with you on HIPAA. It’s a requirement that covered entities implement technical safeguards to protect all electronically protected healthcare information. Sensitive patient health information should not be disclosed without the patient’s consent or knowledge. Also, there are certain limitations on what records can be retained, for how long, and how they are discarded, especially if they are in print form.
One key aspect that I found interesting is the rules of behavior, which are required in OMB Circular A-130, Appendix III, and are a security control contained in NIST SP 800-53. They clearly state the roles, responsibilities, and expected behaviors of individuals that have access to the system. They go further by stating the consequences of inconsistent behavior or noncompliance, and they must be made available to every user prior to receiving authorization for access to the system. It is required that the rules contain a signature page for each user to acknowledge receipt, indicating that they have read, understand, and agree to abide by the rules of behavior. The reason for the rules of behavior is to enforce accountability and responsibility.
Hi Abayomi,
Yes, rules of behavior in OMB play an important role in the overall risk management strategy of an organization. They provide clear guidelines for the roles, responsibilities, and expected behaviors of individuals who have access to sensitive information systems. By outlining the consequences of inconsistent behavior or noncompliance, the rules of behavior help to enforce accountability and responsibility among users.
My takeaway from this document is an appreciation of the way this template is prepared. It provides a clear flow to collect and enter data, as well as clear instructions with an explanation of the type of data to be collected and how to evaluate the data to ensure that the form is filled out properly, in order to maximize the utility of the form and its outputs. For example, section 8.1 provides a clear set of questions and an explanation to determine if a system is considered a cloud. In section 9.2, the directions provide a clear explanation of what is needed, as well as links to more information and explanation.
I want to talk about FIPS and FISMA, as they are also valuable for the private sector as well. FIPS 199 and FIPS 200 are federal standards that outline the requirements for information security management in the United States, while FISMA is the legislation that mandates their implementation. Here’s a brief overview of each:
FIPS 199:
The “Standards for Security Categorization of Federal Information and Information Systems” offers a methodology for classifying federal data and systems based on their confidentiality, integrity, and availability requirements.
This standard aids in determining the appropriate security controls needed to protect the information, which ultimately helps organizations meet FISMA requirements.
FIPS 200:
Termed “Minimum Security Requirements for Federal Information and Information Systems,” this standard provides a baseline set of security controls for federal systems.
It establishes a comprehensive framework for selecting and specifying security controls to protect information systems and meet FISMA requirements.
FISMA:
The Federal Information Security Management Act (FISMA) is a key piece of legislation that mandates implementing information security standards and guidelines for federal agencies.
It requires federal agencies to develop, document, and implement security programs to safeguard their information systems, conduct regular risk assessments, and report their compliance status.
In summary, FIPS 199 and FIPS 200 are essential standards that help organizations ensure the security of federal information systems under FISMA legislation. They provide a structured approach to categorizing and protecting sensitive data, contributing to the U.S. government’s robust information security ecosystem.
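The FIPS 199 categorization method described in the post above, and the impact ratings mentioned in the earlier reply to Nicholas, can be worked through in code. The following is an added example written for this page; it is not code from any participant in this thread or from NIST. It applies the FIPS 199 high water mark (for each security objective, the system takes the highest impact among the information types it holds) and then derives the overall impact level that FIPS 200 and SP 800-53 use to select a control baseline. The information types and their impact values are constructed for illustration and are not taken from any standard or agency.

```python
"""FIPS 199 security categorization worked through in code.

Added example for this discussion thread, not code from any post in it.
The information types and impact values below are constructed samples.
"""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact values, ordered so max() yields the high water mark."""
    NOT_APPLICABLE = 0  # FIPS 199 permits this only for confidentiality of public information
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """A FIPS 199 security category for one type of information held by a system."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def __post_init__(self) -> None:
        # FIPS 199 allows NOT_APPLICABLE for the confidentiality objective only.
        for objective in ("integrity", "availability"):
            if getattr(self, objective) == Impact.NOT_APPLICABLE:
                raise ValueError(f"{self.name}: {objective} impact cannot be NOT_APPLICABLE")

    def category(self) -> dict:
        """Security category of this information type as {objective: impact}."""
        return {o: getattr(self, o) for o in OBJECTIVES}


def categorize_system(info_types) -> dict:
    """High water mark: per objective, the highest impact over all information types.

    FIPS 199 does not permit NOT_APPLICABLE at the information-system level,
    so each objective is floored at LOW (a system holding only public data is
    still categorized LOW for confidentiality, not NOT_APPLICABLE).
    """
    if not info_types:
        raise ValueError("a system must hold at least one information type")
    return {
        o: max(Impact.LOW, max(t.category()[o] for t in info_types))
        for o in OBJECTIVES
    }


def baseline_impact_level(system_category: dict) -> Impact:
    """Overall impact level used to pick the FIPS 200 / SP 800-53 control baseline:
    the highest impact among the three objectives."""
    return max(system_category.values())


def format_category(label: str, category: dict) -> str:
    """Render a category in the FIPS 199 notation SC = {(objective, impact), ...}."""
    inner = ", ".join(f"({o}, {category[o].name})" for o in OBJECTIVES)
    return f"SC {label} = {{{inner}}}"


# Constructed sample information types (illustrative values only).
SAMPLE_TYPES = [
    InfoType("public web content", Impact.NOT_APPLICABLE, Impact.MODERATE, Impact.LOW),
    InfoType("patient appointment records", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    InfoType("system audit logs", Impact.LOW, Impact.MODERATE, Impact.LOW),
]

if __name__ == "__main__":
    for t in SAMPLE_TYPES:
        print(format_category(t.name, t.category()))
    system_sc = categorize_system(SAMPLE_TYPES)
    print(format_category("example system", system_sc))
    print("control baseline:", baseline_impact_level(system_sc).name)
```

Running the script prints the category of each constructed information type, then the system category {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)} and a MODERATE control baseline. The floor at LOW in `categorize_system` is the detail most often missed when this is done by hand: NOT_APPLICABLE is a valid value for an information type's confidentiality, but never for the system as a whole.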
A key takeaway is considering information system boundaries, and they should not be used as a limiting factor. It is good to decide now so you can do careful negotiation among everyone, also taking into account the mission and what the purpose of the business is. There should be shared resources to secure many applications and systems that do not require the same level of security.