Security Assessment Framework
DRAFT - September 30, 2000
Security, Privacy, and Critical Infrastructure Committee
National Institute of Standards and Technology (NIST)
Computer Security Division
Systems and Network Security Group
Information is one of the most valuable assets of any organization. This is equally true with Federal information systems. Protection of information, regardless of form (electronic, paper, or film), whether resident or in transit across networks, is vital and can be achieved only through effective management. Information security -- the protection of information from a wide range of threats in order to ensure the confidentiality, integrity and availability of the information -- is a fundamental and critical management responsibility.
Each Federal agency must provide an information security management infrastructure based on its mission and cost-effective Information Technology (IT) security. Vulnerabilities must be identified, reduced, eliminated, or countered to the extent practicable and economically feasible. Decision-makers need to understand the factors that could adversely impact the mission so they can make informed judgments to minimize risk. Managing information risks, assessing vulnerabilities, and practicing due care are crucial.
The Federal Information Security Assessment Framework (FISAF) describes a mechanism for Federal agencies to determine the current health of their security programs and, where necessary, to establish a target for improvement. A security program may be organized in many different ways within an organization. For example, a program could be grouped as an agency asset, a major application, general support system, high impact program, mission critical system, or a logically related group of systems. This grouping is referred to in this document as an entity or asset. The Framework describes a process for assessing the security of a specific entity within an agency; it does not provide a specific method for rolling up entity assessments into a total agency-wide level or grade. It is the agencies' responsibility to define what composes an asset and then to analyze the assessments in a manner that provides an accurate status of their security program.
The FISAF, coupled with the NIST prepared self-assessment questionnaire [1], provides a tool to measure the effectiveness of security programs. The Framework and NIST questionnaire do not create new security requirements for agencies; rather the documents provide a vehicle for consistent and effective application of existing policy and guidance. Based on requirements of existing statutes, OMB directives and memoranda, GAO audit procedures, and NIST guidance and standards, the Framework provides the groundwork for assessing the effectiveness of security and privacy objectives for an entity. The security and privacy objectives are measured by determining if specific control criteria are documented, implemented, tested and reviewed, and incorporated into a cyclic review/improvement program. The NIST questionnaire provides the specific control criteria against which an entity can measure.
The Framework comprises five levels to guide and prioritize agency efforts as well as provide a basis to measure progress. At each level there are criteria to determine if the level is adequately implemented. Level 1 is documented policy, level 2 is documented procedures, level 3 is implemented procedures and controls, level 4 is tested and reviewed procedures and controls, and level 5 is fully integrated procedures and controls. Each level represents increased and improved security; an entity is not in compliance with federal regulations unless levels 1 through 4 are met, based on the criticality of the information and the systems within the entity. All entities should strive to complete all five levels.
Most agencies have developed their own methods of determining the criticality of their information and systems. For example, the Department of Health and Human Services uses a four-track scale for confidentiality, integrity, and availability. The Department of Energy uses a five-track scale. No matter what scale is used, it is the information owner's responsibility to decide if each specific control should be implemented. If it is implemented, the control must be tested periodically for effectiveness. The risk-based decision to implement or not implement a control should be documented.
Below is a sample of the NIST questionnaire that depicts the hypothetical government agency's completion of the NIST questionnaire for their backbone local area network. The criticality of the entity (local area network) was determined, and the specific control objectives for personnel security and for authentication were assessed at various levels. Based on the levels checked, and the need for the network to be available, it would appear the agency should target implementing and testing their password procedures. The background screening is another area that should be targeted as well as formally reviewing the controls in place. Note that the list of objectives is incomplete in this sample.
Hypothetical Government Agency's Backbone Local Area Network
1. FISAF Description
The FISAF identifies five levels of information security program effectiveness. The five levels are measurement criteria for specific information security management, operational, and technical control objectives. Each of the five levels contains criteria to determine if the level is adequately implemented. For example, in level 1 all policies should cover the purpose of the policy, the scope, who is responsible for implementing the policy, and the compliance and penalties for not following the policy. The policy for an individual control must be reviewed to ensure that the criteria for level 1 are met. Assessing the effectiveness of the individual controls, not simply their existence, is key to achieving and maintaining adequate security.
In partnership with those responsible for administering the information assets (which include Information Technology (IT) systems), it is the role of the information owner to determine how well each measurement criterion or level is met or should be met. Before a determination can be made, it is important that the degree of sensitivity of the information be determined by considering the requirements for confidentiality, integrity, and availability of the information. The value of the system is one of the first major factors in risk management.
A security program may be assessed at various levels within an organization. For example, a program could be grouped as an agency asset, a major application, general support system, high impact program, a physical plant, a mission critical system, or a logically related group of systems. This grouping is referred to as an entity or asset in this document.
The Framework describes what an asset self-assessment is and provides levels to guide and prioritize agency efforts as well as provide a basis to measure progress. The NIST questionnaire provides the implementation tools for the Framework. The questionnaire contains specific control objectives that should be applied to secure a system.
Figure 1 - FISAF
The Framework is based on the premise that all agency entities must meet the minimum security requirements of the Office of Management and Budget Circular A-130, "Management of Federal Resources", Appendix III, "Security of Federal Automated Information Resources" (A-130). The criteria outlined in the Framework and provided in detail in the questionnaire are abstracted directly from long-standing requirements found in statute, policy, and guidance on security and privacy. It should be noted that an agency might have additional laws, regulations, or policies that establish specific requirements for confidentiality, integrity, or availability. Each agency should decide if additional controls or criteria should be added to the questionnaire and, if so, customize the questionnaire appropriately. A list of the documents the Framework and NIST questionnaire reflect is provided in Figure 2.
Figure 2 - Source of Control Criteria
2. Level 1 - Policy Documented
· Formally documented security policy covering agency headquarters and major components (e.g., bureaus and operating divisions). The policy may be asset specific.
· Policy references most of the basic requirements and guidance issued from the documents listed in Figure 2 - Source of Control Criteria.
An asset is at level 1 if there is a formally documented policy that establishes a continuing cycle of assessing risk, implements effective security policies including training, and promotes monitoring for program effectiveness. The policy may include major agency components, e.g., bureaus and operating divisions or a specific asset. A documented security policy is necessary to ensure adequate and cost effective organizational and system security controls. A sound policy delineates the security management structure, clearly assigns security responsibilities, and lays the foundation necessary to reliably measure progress and compliance. The criteria listed below should be applied when assessing the policy developed for the controls listed in the NIST questionnaire.
2.2 Level 1 Criteria
The level 1 criteria describe the components of a security policy.
3. Level 2 - Procedures Documented
· Formal, complete, well-documented security procedures for the asset.
· Contains all of the basic requirements and guidance issued from the documents listed in Figure 2 - Source of Control Criteria.
An asset is at level 2 when formally documented procedures are developed focusing on specific areas. Implementing formal procedures promotes the repeatability of the security program. Formal procedures also provide the foundation for a clear, accurate, and complete understanding of the program implementation. Level 2 requires procedures for a continuing cycle of assessing risk and vulnerabilities, implementing effective security policies, and monitoring the effectiveness of the security controls. Approved system security plans are in place for all general support systems and major applications within the asset or for the asset. Well-documented security procedures are necessary to ensure adequate and cost effective organizational and system security controls. The criteria listed below should be applied when assessing the quality of the procedures for the controls that are listed in the NIST questionnaire.
3.2 Level 2 Criteria
Level 2 criteria describe the components of security procedures.
4. Level 3 - Implemented Procedures and Controls
· Security procedures and controls are implemented.
· Procedures are communicated and individuals are required to follow them.
At level 3 the IT security procedures are implemented in a consistent manner and communicated through training. Ad hoc approaches applied on an individual or case-by-case basis are discouraged. An asset could implement security controls and not have procedures documented, but the addition of formal documented procedures at level 2 represents a significant step in the effectiveness of implementing procedures and controls at level 3. It is important to note that testing, which is at level 4, should occur whenever modifications are implemented to the system, the information, or other resources.
The criteria listed below should be used to determine if the specific controls listed in the NIST questionnaire are being implemented.
4.2 Level 3 Criteria
Level 3 criteria describe how an asset can ensure implementation of its security procedures.
5. Level 4 - Tested/Reviewed Procedures and Controls
· Capability to monitor the effectiveness of the asset's security procedures and policies.
· Periodic assessment of the appropriateness of security policy and procedures; compliance and corrective actions are effectively implemented.
An asset at level 4 monitors the effectiveness of security policy and procedures and makes changes as needed. Monitoring, testing, and reviewing are important elements of risk management that ensure security policies and procedures intended to reduce risk are effective on an ongoing basis. Senior management's awareness, support, and involvement are essential in establishing the environment needed to promote compliance with the asset's security procedures. To implement an effective security program, management should monitor, test, and review its implementation and adjust the plan in accordance with changing risk factors. When material weaknesses or significant weaknesses are identified, related risks should be reassessed and corrective actions implemented.
Periodic self-assessments are important in identifying non-compliance, reminding employees of their responsibilities and demonstrating management's commitment to security. Independent audits performed or arranged by GAO or an agency IG are an important check on performance but should not be viewed as a substitute for management evaluations. The criteria listed below should be applied to each control area listed in the NIST questionnaire to determine if adequate monitoring, testing, and reviewing have been accomplished.
5.2 Level 4 Criteria
Level 4 criteria contain varying levels of assurance indicators used for monitoring, testing, and reviewing the effectiveness of an asset's security program.
6. Level 5 - Fully Integrated Procedures and Controls
· A comprehensive security program that is an integral part of an agency's organizational culture.
· Decision-making that is based on knowledge related to cost effectiveness balanced with mission impact.
The consideration of information security is pervasive in the culture of a level 5 asset. A proven life-cycle methodology is implemented and enforced and an on-going program to identify and institutionalize best practices has been implemented. There is active support from senior management. Decisions and actions that are part of the IT life cycle include:
- Improving security program
- Improving security program procedures
- Improving security countermeasures
- Adding security countermeasures
- Integrating security within existing and evolving IT architectures
- Improving mission processes and risk management activities
Each of these decisions is the result of a continuous improvement and refinement program that is instilled within the organization. It is at level 5 that the understanding of mission costs is married with a full range of implementation options to achieve maximum mission cost-effectiveness of security measures. That is, entities should apply the principle of selecting countermeasures that offer low implementation cost together with a high degree of risk mitigation, rather than those with high implementation cost and low risk mitigation. The criteria listed below should be used to assess whether a specific control contained in the NIST questionnaire has evolved.
6.2 Level 5 Criteria
Level 5 criteria describe the components of a fully integrated security program.
7. Future of the Framework
This version of the Framework document primarily addresses security management issues. Essentially it describes a process for agencies to assess their compliance with long-standing basic requirements, such as those specified by the Computer Security Act of 1987; the Clinger-Cohen Act of 1996; the Paperwork Reduction Act of 1995; OMB Circular A-130, Management of Federal Information Resources; GAO's Federal Information System Control Audit Manual (FISCAM); and NIST Special Publication 800-14, Generally Accepted Principles and Practices for Security Information Technology Systems (GSSP). The Framework gives agencies an approach to begin the assessment process. The NIST questionnaire provides the tool to determine whether agencies are meeting these requirements.
The Framework is not a static document; it is a living document. Revisions will focus on greater granularity of existing criteria and on expanding and refining criteria. In addition, a similar companion framework focused on the evolution of agency electronic privacy policies may be developed in the future.
The Framework can be viewed as both an auditing tool and a management tool. Flexibility, contextual risk management, and asset/mission-driven customization of improvement strategies may be in conflict with statements about auditable process requirements. At some point, consideration of cost-effective information security oversight (i.e., existence of the elements of a sound security program) and the successful protection of an organization's critical assets in a cost-effective manner (i.e., through asset-driven risk management) will lead to conflicting goals. Guidance will be needed to address these conflicts. This will be follow-on work.
[1] Currently, the NIST questionnaire is under development and will be available in early 2001.
1. Clinger-Cohen Act of 1996
2. Paperwork Reduction Act of 1995
3. Computer Security Act of 1987
4. OMB Circular A-130, Management of Federal Information Resources
5. GAO/AIMD-12.19.6, Federal Information System Control Audit Manual (FISCAM)
6. GAO/AIMD-99-139, Information Security Risk Assessment Practices of Leading Organizations
7. NIST Special Publication 800-14, Generally Accepted Principles and Practices for Security Information Technology Systems (GSSP)
8. COBIT 3rd Edition Management Guidelines
FISCAM Federal Information System Control Audit Manual
GAO General Accounting Office
GSSP Generally Accepted Principles and Practices for Security Information
NIST National Institute of Standards and Technology
OMB Office of Management and Budget
Acceptable Risk is a concern that is acceptable to responsible management, due to the cost and magnitude of implementing countermeasures.
Accreditation is synonymous with the term authorize processing. Accreditation is the authorization and approval granted to a major application or general support system to process in an operational environment. It is made on the basis of a certification by designated technical personnel that the system meets pre-specified technical requirements for achieving adequate system security. See also Authorize Processing, Certification, and Designated Approving Authority.
Asset is a security program grouped as an agency asset, a major application, general support system, high impact program, physical plant, mission critical system, or a logically related group of systems.
Authorize Processing occurs when management authorizes a system based on an assessment of management, operational, and technical controls. By authorizing processing in a system the management official accepts the associated risks. See also Accreditation, Certification, and Designated Approving Authority.
Availability Protection requires backup of system and information, contingency plans, disaster recovery plans, and redundancy. Examples of systems and information requiring availability protection are time-share systems, mission-critical applications, time and attendance, financial, procurement, or life-critical.
Awareness, Training, and Education includes (1) awareness programs, which set the stage for training by changing organizational attitudes to realize the importance of security and the adverse consequences of its failure; (2) training, which teaches people the skills that will enable them to perform their jobs more effectively; and (3) education, which is more in-depth than training and is targeted for security professionals and those whose jobs require expertise in automated information security.
Certification is synonymous with the term authorize processing. Certification is the technical evaluation that establishes the extent to which a computer system, application, or network design and implementation meets a pre-specified set of security requirements. See also Accreditation and Authorize Processing.
Entity is a security program grouped as an agency asset, a major application, general support system, high impact program, physical plant, mission critical system, or a logically related group of systems.
General Support System is an interconnected information resource under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, facilities, and people and provides support for a variety of users and/or applications. Individual applications support different mission-related functions. Users may be from the same or different organizations.
Individual Accountability requires individual users to be held accountable for their actions after being notified of the rules of behavior in the use of the system and the penalties associated with the violation of those rules.
Information Owner is responsible for establishing the rules for appropriate use and protection of the data/information. The information owner retains that responsibility even when the data/information are shared with other organizations.
Major Application is an application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to, or modification of, the information in the application. A breach in a major application might comprise many individual application programs and hardware, software, and telecommunications components. Major applications can be either a major software application or a combination of hardware/software where the only purpose of the system is to support a specific mission-related function.
Networks include communication capability that allows one user or system to connect to another user or system and can be part of a system or a separate system. Examples of networks include local area network or wide area networks, including public networks such as the Internet.
Operational Controls address security methods that focus on mechanisms that primarily are implemented and executed by people (as opposed to systems).
Risk is the possibility of harm or loss to any software, information, hardware, administrative, physical, communications, or personnel resource within an automated information system or activity.
Risk Management is the ongoing process of assessing the risk to automated information resources and information, as part of a risk-based approach used to determine adequate security for a system by analyzing the threats and vulnerabilities and selecting appropriate cost-effective controls to achieve and maintain an acceptable level of risk.
Rules of Behavior are the rules that have been established and implemented for use of, security in, and acceptable level of risk for the system. Rules will clearly delineate responsibilities and expected behavior of all individuals with access to the system. Rules should cover such matters as work at home, dial-in access, connection to the Internet, use of copyrighted works, unofficial use of Federal government equipment, assignment and limitation of system privileges, and individual accountability.
Sensitive Information refers to information that requires protection due to the risk and magnitude of loss or harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information. The term includes information whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, proprietary information, records about individuals requiring protection under the Privacy Act, and information not releasable under the Freedom of Information Act.
Sensitivity in an information technology environment consists of the system, data, and applications, which must be examined individually and in total. All systems and applications require some level of protection for confidentiality, integrity, and availability that is determined by an evaluation of the sensitivity and criticality of the information processed, the relationship of the system to the organization's mission, and the economic value of the system components.
System is a generic term used to describe either a major application or a general support system.
System Operational Status is either (1) Operational - system is currently in operation, (2) Under Development - system is currently under design, development, or implementation, or (3) Undergoing a Major Modification - system is currently undergoing a major conversion or transition.
Technical Controls consist of hardware and software controls used to provide automated protection to the system or applications. Technical controls operate within the technical system and applications.
Threat is an activity, deliberate or unintentional, with the potential for causing harm to an automated information system or activity.
Vulnerability is a flaw or weakness that may allow harm to occur to an automated information system or activity.