FITSI Dog Ears
Levels of Potential Impact
Impact on organizations, operations, assets, or individuals
OMB A-130 risk management framework (appendix I)
Implement a risk management framework to guide and inform the categorization of Federal information and information systems; the selection, implementation, and assessment of security and privacy controls; the authorization of information systems and common controls; and the continuous monitoring of information systems
RMF IMPLEMENT Security Controls SP 800-70/ 800-18/800-34
Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings Implement the security controls in the information system.
RMF - Implement 3
Implement the security controls and describe how the controls are employed within the information system
Tier 2 Mission/Business Process Role - RM Strategy
Information Security Architect
SP 800-137
Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
Tier 3 Information Systems Role - Risk Management Strategy
Information System Security Engineer
Tier 3 Risk
Information Systems Perspective impact the ultimate selection and deployment of needed safeguards and countermeasures
SDLC Lifecycle
Initiation Development/Acquisition Implementation Operation/Maintenance Disposal
Integrity
Integrity Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity. [44 U.S.C., SEC. 3542]
E-Authentication
Level 1 - No identity proofing Level 2 - single factor authentication, identity proofing requiremens (passwords0 Level 3 multi factor authentication level 4 multi factor using hard token (PIV card)
Impact - High-severe of catastrophic adverse effect
Loss of life Loss of mission capability
FIPS 200
Minimum Security Requirements for Federal Information and Information Systems FIPS Publication 200, the second of the mandatory security standards, specifies minimum security requirements for information and information systems supporting the executive agencies of the federal government and a risk-based process for selecting the security controls necessary to satisfy the minimum security requirements.
Tier 2 Risk
Mission and business processes Enterprise Architecture (RMF)
RMF - Monitor - 6
Monitor the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changing, conducting security impact analyses.
SP
NIST Special Publication
SCAP sp800-53a
NIST initiated the Security Content Automation Protocol (SCAP)2 project that supports the approach for achieving consistent, cost-effective security control assessments. The primary purpose of SCAP is to standardize the format and nomenclature used for communicating information about configurations and security flaws. This standardization enables automated system configuration assessment, vulnerability assessment, patch checking, as well as report aggregation and interoperability between SCAP-enabled security products. As a result, SCAP enables organizations to identify and reduce vulnerabilities associated with products that are not patched or insecurely configured. SCAP also includes the Open Checklist Interactive Language (OCIL)3 specification that provides the capability to express the determination statements in the assessment procedures in Appendix F in a framework that will establish interoperability with the SCAP-enabled tools.
IPSec (Internet Protocol Security)
Network Layer- standard platform for creating secure networks and electronic tunnels. Verifies and encrypts each packet of data at the network layer to ensure maximum protection. Public key, private key, and session key 1. AH Authentication Header & ESP - encapsulating security payload protocol 2. IKE - Internet Key Exchange 3. IPComp - IP Payload Compression protocol
MD5
Not FIPS approved
Security Assessment Plan
Not part of System Owner Package Not updated regularly since it is done at the beginning
OCIL
Open Checklist Interactive Language OCIL is a framework for expressing security checks that cannot be evaluated without some human interaction or feedback. It is used to determine the state of a system by presenting one or more questionnaires to its intended users. The language includes constructs for questions, instructions for guiding users towards an answer, responses to questions, artifacts, and evaluation results. 800-53a
OVAL (Automated)
Open Vulnerability and Assessment Language (OVAL®) is an international, information security, community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. OVAL includes a language used to encode system details, and an assortment of content repositories held throughout the community. The language standardizes the three main steps of the assessment process: representing configuration information of systems for testing; analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.); and reporting the results of this assessment. The repositories are collections of publicly available and open content that utilize the language. See About OVAL for additional information
SDLC
Phases of SDLC: - Initiation - Development/Aquisition - Implementation - Operation/Maintenance - Disposal Security Requirements Integrated Project Teams Reusing Information
POAMS
Plan of action and milestones - risks that I'm going to remediate/fix created by system owner in response to SAR
The RMF steps include:
Prepare to execute the RMF from an organization- and a system-level perspective by establishing a context and priorities for managing security and privacy risk. • Categorize the system and the information processed, stored, and transmitted by the system based on an analysis of the impact of loss. Select an initial set of controls for the system and tailor the controls as needed to reduce risk to an acceptable level based on an assessment of risk. • Implement the controls and describe how the controls are employed within the system and its environment of operation. • Assess the controls to determine if the controls are implemented correctly, operating as intended, and producing the desired outcomes with respect to satisfying the security and privacy requirements. • Authorize the system or common controls based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the Nation is acceptable. • Monitor the system and the associated controls on an ongoing basis to include assessing control effectiveness, documenting changes to the system and environment of operation, conducting risk assessments and impact analyses, and reporting the security and privacy posture of the system
Security Control - Hybrid
Provide security for BOTH individual systems and multiple systems can inherit, but can also add data
Security Control - Common
Provide security for MULTIPLE Information systems - fully inheritable - you don't get to change
Security Control - System-Specific
Provide security for a particular information system Just for your system
RMF Note
RMF operates primarily at Tier 3 in the risk management hierarchy.
PDD21
Replaced HSPD7 (Presidential Policy Directive)
OMB A-130 Appendix II
Responsibilities for Managing Personally Identifiable Information 1. Purpose This Appendix outlines some of the general responsibilities for Federal agencies managing information resources that involve personally identifiable information (PII) and summarizes the key privacy requirements included in other sections of this Circular. The requirements included in this Appendix apply to PII in any form or medium, including paper and electronic media
RMF Prepare
Risk Assessment, Identify Common Controls
Tier 1 Organization Role - RM Strategy
Risk Executive (function)
SP 800-37R2
Risk Management Framework (RMF) Information Systems: A security Life Cycle Approach to Risk Management Framework for Information Systems Organization.
RMF
Risk Management Framework (SP 800-37R2) 0 Prepare 1. Categorization 2. Selection 3. Implementation 4. Assessment 5. Authorization 6. Monitoring
FIPS 140-2
SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES. Level 1 - basic security Level 2 - role based authentication, tamper evident coatings Level 3 - identity based authentication, intrusion detection, critical access parameters Level 4 any tampering requires module to erase all critical security information
Security Content Automation Protocol (SCAP)
SP 800-126
OMB A-130 - Appendix I
Security Categorization Planning, Budgeting, and Enterprise Architecture Plans, Controls, and Assessments Authorization to Operate and Continuous Monitoring Privacy Controls for Federal Information Systems and Programs Incident Detection, Response, and Recovery Contingency Planning Awareness and Training Specific Safeguarding Measures to Reinforce the Protection of Federal Information and Information Systems Non-Federal Entities Mitigation of Deficiencies and Issuance of Status Reports Reporting Independent Evaluations
OMB A-130 - Specific Requirements - Security Categorization
Security Categorization Agencies shall: 1) Identify authorization boundaries for information systems in accordance with NIST SPs 800-18 and 800-37; and 2) Categorize information and information systems, in accordance with FIPS Publication 199 and NIST SP 800-60, considering potential adverse security and privacy impacts to organizational operations and assets, individuals, other organizations, and the Nation.
SP 800-53
Security and Privacy Controls for Federal Information Systems and Organizations
Investment Lifecycle Model
Select Control Evaluate
RMF - Select 2
Select an initial set of baseline security controls for the information system based on teh security categorization. Based on organizational assessment of risk.
RMF SELECT Security Controls (FIPS 200/SP 800-53) 800-30
Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment Select an initial baseline of security controls, and tailor and supplement as needed based on risk and local conditions Deliverable is your PLAN.
SAOP
Senior Agency Official for Privacy
FIPS 181
- Automated Password Generator Specifies a routine for an automated password generator. Three basic parts: • Unit Table: defines the alphabetic characters and specific rules • Diagram Table: defines the rules of all possible pairs of units and juxtaposition of units • Random Number Generator: uses a DES subroutine to produce double precision floating point values
FIPS 180-2
- Secure Hash Standard Defines four hash algorithms: • SHA-1 • SHA-256 • SHA-384 • SHA-512 This Standard specifies four secure hash algorithms - SHA-1, SHA-256, SHA-384, and SHA-512 - for computing a condensed representation of electronic data (message). When a message of any length < 264 bits (for SHA-1 and SHA-256) or < 2128 bits (for SHA-384 and SHA-512) is input to an algorithm, the result is an output called a message digest. The message digests range in length from 160 to 512 bits, depending on the algorithm. Secure hash algorithms are typically used with other cryptographic algorithms, such as digital signature algorithms and keyed-hash message authentication codes, or in the generation of random numbers (bits) Replaced by 180-4!
F.A.R.M
1. Frame Risk 2. Assess Risk 3. Respond to Risk 4. Monitor Risk on ongoing basis. (NIST SP 800-39)
NIST Cybersecurity Framework Steps
1. Identify 2. Protect 3. Detect 4. Respond 5. Recover
Message digest Length for use in Government
160, 256, 384, 512 bits
CVSS (Common Vulnerability Scoring System)
A risk management approach to quantifying vulnerability data and then taking into account the degree of risk to different types of systems or information. The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental.
SP 800-160v1
Addresses integration of essential security activites into established system development life-cycle (SDLC) guidelines
Tier 1 Risk
Addresses risk from an AGENCY level Strategic Risk Governance Methodologies Techniques and Procedures Mitigation Methods Risk Tolerance Ongoing Monitoring (RMF)
FIPS 197
Advanced Encryption Standard (AES) • Specifies the Rijndael algorithm • Block and key size can be changed (variable) • Cipher key lengths of 128, 192 and 256 bits • Algorithm may be implemented in software, firmware, hardware or a combination thereof
OMB A-130
Agencies shall implement an agency-wide risk management process that frames, assesses, responds to, and monitors information security and privacy risk on an ongoing basis across the three organizational tiers (i.e., organization level, mission or business process level, and information system level).
OMB A-130 - Specific Requirements - Planning, Budgeting, and Enterprise Architecture
Agencies shall: 1) Identify and plan for the resources needed to implement information security and privacy programs; 2) Ensure that information security and privacy are addressed throughout the life cycle of each agency information system, and that security and privacy activities and costs are identified and included in IT investment capital plans and budgetary requests; 3) Plan and budget to upgrade, replace, or retire any information systems for which security and privacy protections commensurate with risk cannot be effectively implemented;Ensure that investment plans submitted to OMB as part of the budget process meet the information security and privacy requirements appropriate for the life cycle stage of the investment; and 5) Incorporate Federal information security and privacy requirements into the agency's enterprise architecture to ensure that risk is addressed and information systems achieve the necessary levels of trustworthiness, protection, and resilience.
Encapsulating Security Payload (ESP)
An IPsec protocol that provides authentication, integrity, and encryption services.
US-CERT Reporting
Any incident that involves compromised PII must be reported to US Cert within one hour of detection regardless of the incident category reporting time frame.
RMF - Asses - 4
Assess the security controls using the appropriate assessment procedures, determine to what extend the controls are implemented correctly
SP 800-53a
Assessing Security and Privacy Controls in Federal Information Systems and Organizations "Determine if your organization does that..."
Special Publication 800-53A
Assessing Security and Privacy Controls in Federal Information Systems and Organizations,
SP - Special Publications
Special Publications (SPs) are developed and issued by NIST as recommendations and guidance documents. For other than national security programs and systems, federal agencies must follow those NIST Special Publications mandated in a Federal Information Processing Standard. FIPS 200 mandates the use of Special Publication 800-53, as amended. In addition, OMB policies (including OMB Reporting Instructions for FISMA and Agency Privacy Management) state that for other than national security programs and systems, federal agencies must follow certain specific NIST Special Publications.3
FIPS 199
Standards for Security Categorization of Federal Information and Information Systems FIPS Publication 199 addresses the first task cited—to develop standards for categorizing information and information systems. Security categorization standards for information and information systems provide a common framework and understanding for expressing security that, for the federal government, promotes: (i) effective management and oversight of information security programs, including the coordination of information security efforts throughout the civilian, national security, emergency preparedness, homeland security, and law enforcement communities; and (ii) consistent reporting to the Office of Management and Budget (OMB) and Congress on the adequacy and effectiveness of information security policies, procedures, and practices. Subsequent NIST standards and guidelines will address the second and third tasks cited.
RMF - Authorize - 5
Authorize information system operation based on a determination of the risks to the organizational operations and assets.
Availability
Availability Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542]
Impact high water mark
Back in the Prepare Step Know data types by going into 800-60 and looking up data types and NIST recommended values to come out with a high water mark= highest value level of any data type you have. That's the data categorization of your system.
Recovery - High (hot site)
Backup: Mirrored systems and disk replication Strategy: Hot site
Rocovery - Moderate (Optical and cold)
Backup: Optical Backup Wan/VLAN Replication Strategy: Cold or Warm Site
Recovery - Low
Backup: Tape backup Strategy: Relocate or Cold site
NIST Cybersecurity Framework
Basis for FISMA Metrics/Reporting
Federal Agency Incident Repor0ting Categories
CAT 0 - Exercise/Network Defense Testing CAT 1- Unauthorized Access CAT2 - Denial of Service CAT3 - Malicious Code CAT4 - Inapprpriate Usage CAT5 - Scans/Probes/Attempted Access CAT6 - Investigation
RMF - Categorize 1
Categorize the information system and the information processed, stored, and transmitted based on impact analysis
CCEVS
Common Criteria Evaluation and Validation Scheme is a United States Government program administered by the National Information Assurance Partnership to evaluate security functionality of an information technology with conformance to the Common Criteria international standard
Common Platform Enumeration (CPE)
Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets. CPE does not identify unique instantiations of products on systems, such as the installation of XYZ Visualizer Enterprise Suite 4.2.3 with serial number Q472B987P113. Rather, CPE identifies abstract classes of products, such as XYZ Visualizer Enterprise Suite 4.2.3, XYZ Visualizer Enterprise Suite (all versions), or XYZ Visualizer (all variations)
Compensating Security Controls
Compensating controls are operational, management, and technical controls employed in liue of recommended controls that provide equivalent or comparable protection for a system. It's the same level of control, but you just don't do it the way NIST says. Typically it is an enhanced physical control, instead of a technical control.
Building an effective assurance case
Compiling an presenting evidence basis for determining effectiveness of control product assessments system assessments risk determination (RMF Step 4 - Assess security controls)
IP Payload Compression Protocol (IPComp)
Compress payload; reduce the amount of data sent
Confidentiality
Confidentiality Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [44 U.S.C., SEC. 3542]
SP 800-34
Contingency Planning Guide for Federal Information Systems *Contingency Planning*
RMF MONITOR Security State SP 800-37/SP 800-53A
Continuously track changes to the information system that may affect security controls and reassess control effectiveness Monitor and assess the security controls in the information system
CMVP
Cryptographic Module Validation Program The Cryptographic Module Validation Program is a joint American and Canadian security accreditation program for cryptographic modules. The program is available to any vendors who seek to have their products certified for use by the U.S
RMF CATEGORIZE IS (FIPS 199/SP 800-60)
Define criticality/sensitivity of information system according to potential worst -case, adverse impact to mission/business Categorize the information and information system
CAESARS Framework
Descripbed in NIST IR 77556 provides a foundation for continuous monitoring reference model
RMF AUTHORIZE Information System SP 800-37
Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation Authorize with a POA&M because we're going to continually monitor the system and make sure the controls stay in place. Deliverable is POA&M
RMF ASSESS Security Controls SP 800-53A
Determine security control effectiveness (i.e ., controls implemented correctly, operating as intended, meeting security requirements for information system) Assess the security controls in the information system Deliverable is an assessment report
OMB A-130 - Specific Requirements - Plans, Controls and Assessments
Develop and maintain an information security program plan that provides an overview of the organization-wide information security requirements and documents the program management controls and common controls in place or planned for meeting those requirements;
FIPS 186
Digital signature standard; performs integrity by SHA; uses DSA; RSA;Elyp CurveDSA
HSPD12
Directs a "secure and reliable" common identification standard for verifying employee identity.
Security Assessment Plan (SP-800-53a)
Each determination statement contained within an assessment procedure executed by an assessor produces one of the following findings: (i) satisfied (S); or (ii) other than satisfied (O). A finding of satisfied indicates that for the portion of the security or privacy control addressed by the determination statement, the assessment information obtained (i.e., evidence collected) indicates that the assessment objective for the control has been met producing a fully acceptable result. A finding of other than satisfied indicates that for the portion of the security or privacy control addressed by the determination statement, the assessment information obtained indicates potential anomalies in the operation or implementation of the control that may need to be addressed by the organization.
Impact - Low-limited adverse effect
Effectiveness Reduces Minor damage/loss/harm
The authorization package includes the following:
Executive summary; • Security and privacy plans; Security and privacy assessment reports;and • Plans of action and milestones
Risk Management Model or Process
F.A.R.M (If you see model or process it is FARM) Frame, Assess, Respond, Monitor
TLS
Federal Agencies must use TLS 1.2 or 1.3
FIPS
Federal Information Processing Standards (FIPS) are approved by the Secretary of Commerce and issued by NIST in accordance with FISMA. FIPS are compulsory and binding for federal agencies. 2 FISMA requires that federal agencies comply with these standards, and therefore, agencies may not waive their use.
FEDRAMP
Federal Risk and Authorization Management Program FedRAMP is mandatory for Federal Agency cloud deployments and service models at all levels of impact.
Multi level approach to risk management (in SP 800-37r2)
Figure 1 illustrates a multi-level approach to risk management described in [SP 800-39] that addresses security and privacy risk at the organization level, the mission/business process level, and the information system level. Communication and reporting are bi-directional information flows across the three levels to ensure that risk is addressed throughout the organization.
Impact - Moderate - Serious adverse effect
Financial loss Harm to individuals
Security Assessment Report (SAR)
Findings Prioritize findings, provide cost benefit represents risks to the Authorizing Official Assessment results are satisfied or other than satisfied
High Water Mark
For an information system, the potential impact values assigned to the respective security objectives (confidentiality, integrity, availability) shall be the highest values (i.e., high water mark) from among those security categories that have been determined for each type of information resident on the information system
Gap Analysis
Gap analysis of legacy systems see where you are, know where acceptable level is, do what you need to get there.
IPSec VPN
Gateway to Gateway Host to Gateway Host to Host
SP 800-37
Guide for Applying the Risk Management Framework to Federal Information Systems *RMF Roles and Process*
SP800-30
Guide for Conducting Risk Assessments (superseded by 800-39) - provide management overview of risk assessment guidance
SP 800-40
Guide to Enterprise Patch Management Technologies *Patch and Vulnerability Management Program*
SP 800-122
Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
PIV cards and DOD CAC
HSPD12 driven
HSPD7
Homeland Security Directive 7 (2003) (Directs the identification and prioritization of key resources to protect them from terrorist attacks) - Replaced with PDD 21
Internet Key Exchange (IKE)
IKE is used to provide a secure mechanism for establishing IPsec-protected connections. Negotiate, create, and manage security associations.
Steps of the RMF
Step 0 - Prepare Step 1 - Categorize Information System Step 2 - Select Security Controls Step 3 - Implement Security Controls Step 4 - Assess Security Controls Step 5 - Authorize Information System Step 6 - Monitor Security Controls
sp800-53 Risk Management Framework Steps
Step 0 - Prepare Step 1 - Categorize Information System Step 2 - Select Security Controls Step 3 - Implement Security Controls Step 4 - Assess Security Controls Step 5 - Authorize Information System Step 6 - Monitor Security Controls
Gap Analysis in RMF
Step 1 to Step three on a legacy system can be viewed as a Gap Analysis to determine if the necessary and sufficient security controls have been selected and allocated
Software Assurance Technologies
SwAAP (software assurance automation protocol) CWE - Common Weakness Enumeration - dictionary of weaknesses taht can lead to exploitable vulnerabilities. CWSS - Common Weakness Scoring System - Assigning risk scores to weaknesses CAPEC - Common Attack Pattern enumeration and classification - catalog of attack patterns MAEC - Malware Attribute Enumeration and Characterization- standardized language about malware, based on attributes such as behaviors or attack pattersn
SDLC
System Development Life Cycle
System Owner Creates a Package (3 documents)
System Security Plan POAMS SAR - Security Assessment Report These documents are updated routinely Gives them to the Authorizing Official or Designated Representative
Methods of Assessment
Testing Examination Interviewing TIE
Common Configuration Enumeration (CCE)
The CCE List provides unique identifiers to security-related system configuration issues in order to improve workflow by facilitating fast and accurate correlation of configuration data across multiple information sources and tools.
Cybersecurity Framework
The Cybersecurity Framework was developed by NIST in response to Executive Order 13636, Improving Critical Infrastructure Cybersecurity. The Framework describes five core cybersecurity functions (i.e., Identify, Protect, Detect, Respond, and Recover) that may be helpful in raising awareness and facilitating communication among agency stakeholders, including executive leadership. The Cybersecurity Framework may also be helpful in improving communications across organizations, allowing cybersecurity expectations to be shared with business partners, suppliers, and among sectors. The Framework is not intended to duplicate the current information security and risk management practices in place within the Federal Government.
FISMA
The FISMA defines three security objectives for information and information systems: CONFIDENTIALITY "Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information..." [44 U.S.C., Sec. 3542] A loss of confidentiality is the unauthorized disclosure of information. INTEGRITY "Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity..." [44 U.S.C., Sec. 3542] A loss of integrity is the unauthorized modification or destruction of information. AVAILABILITY "Ensuring timely and reliable access to and use of information..." [44 U.S.C., SEC. 3542] A loss of availability is the disruption of access to or use of information or an information system.
FIPS 198-1 title
The Keyed-Hash Message Authentication Code (HMAC) identifier
OCIL Interactive means human interaction
The Open Checklist Interactive Language (OCIL) defines a framework for expressing a set of questions to be presented to a user and corresponding procedures to interpret responses to these questions. Although the OCIL specification was developed for use with IT security checklists, the uses of OCIL are by no means confined to IT security. Other possible use cases include research surveys, academic course exams, and instructional walkthroughs
OMB A-130 - Risk Management Framework
The Risk Management Framework, as described in NIST SP 800-37, provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle. The Risk Management Framework requires agencies to categorize each information system and the information processed, stored, and transmitted by each system based on a mission or business impact analysis. Agencies select an initial set of baseline security controls for the information system based on the security categorization and then tailor the security control baseline as needed, based on an organizational assessment of risk and local conditions, as described in NIST SP 800-53. After implementing the security controls, agencies assess the controls using appropriate assessment methods as described in NIST SP 800-53A to determine whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
FIPS 199 - Security Categorization
The generalized format for expressing the security category, SC, of an information type is: SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where the acceptable values for potential impact are LOW, MODERATE, HIGH, or NOT APPLICABLE.
Recovery Time Objective (RTO)
The maximum amount of time that a process or service is allowed to be down and the consequences still to be considered acceptable.
Maximum Tolerable Downtime (MTD)
The maximum period of time that a business process can be down before the survival of the organization is at risk.
Recovery Point Objective (RPO)
The point in time to which data must be restored in order to successfully resume processing.
FIPS 199 - Potential Impact - High
The potential impact is HIGH if— − The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
FIPS 199 - Potential Impact - Low
The potential impact is LOW if— − The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
FIPS 199 - Potential Impact - Medium
The potential impact is MODERATE if— − The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
Assessment procedure selection
The selection of appropriate assessment procedures and the rigor, intensity, and scope of the assessment depend on three factors: The security categorization of the information system;9 • The assurance requirements that the organization intends to meet in determining the overall effectiveness of the security and privacy controls; and • The security and privacy controls from Special Publication 800-53 as identified in the approved security plans and privacy plans
Authentication Header (AH)
This provides connectionless integrity and the authentication of data. It also provides protection versus replay attacks.
Integrated Organziation-Wide Risk Management
Tier 1 - Organization (Governance) Tier 2 - Mission/Business Process (Information and Information Flows) Tier 3 - Information Systems (Environment of Operation) (fundamental of RMF)
SA-13
Two factors affecting the trustworthiness of an information system include: security functionality (I.e., the security features aor functions employed within the system) and security assurance (ie. the grounds for confidence that the security functionality is effective in its application)
XCCDF - The Extensible Configuration Checklist Description Format
XCCDF is a specification language for writing security checklists, benchmarks, and related kinds of documents. An XCCDF document represents a structured collection of security configuration rules for some set of target systems. The specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring. The specification also defines a data model and format for storing results of benchmark compliance testing. The intent of XCCDF is to provide a uniform foundation for expression of security checklists, benchmarks, and other configuration guidance, and thereby foster more widespread application of good security practices. XCCDF documents are expressed in XML, and may be validated with an XML Schema-validating parser.
RMF - Prepare 0
prepare mission and business processes and strategies, identify common controls, select appropriate stakeholders
Advanced Encryption Standard (AES)
strongest approved algorithm and is the preferred algorithm for Federal Agency use. The Triple Data Encryption Algorithm (TDEA) also know as Triple DES *3DES) is an approved algorithm and also acceptable for Federal Agency Use.
SP-800-39
superseded SP 800-30 From Risk Management Guide for Information Technology Systems to Managing Information Security Risk Organization: Mission and Information System View (F.A.R.M) guidance on risk management