Federal Chief Information Officers Council

September 29, 2000

Dear Colleague,

The CIO Council Security, Privacy, and Critical Infrastructure Subcommittee has, after several iterations of review/comment and two workshops, developed the attached Federal Information Security Assessment Framework. This first version of the Framework, which describes a method for agencies to assess the health of their information security programs, is ready for your final review and comment.

The enclosed Information Security Assessment Framework is the Subcommittee's recommended model for self-assessing the state of an agency's security program. The Federal Information Security Assessment Framework provides a vehicle for measuring the consistent and effective application of existing security policy and guidance for all assets within an agency.

Our intent is for the CIO Council along with other Federal and private organizations to review and comment on the attached draft by October 15, 2000. After the review, the document is to be published as Version 1.0. We request your comments on the current draft be sent to Marianne Swanson (marianne.swanson@nist.gov) as soon as possible, but not later than October 15, 2000.

          Sincerely,

            (SIGNED)

            John M. Gilligan

            CIO, Department of Energy
            Co-Chair, Security, Privacy, Critical Infrastructure Committee

Attachment

Federal Information

Security Assessment Framework

DRAFT - September 30, 2000

Prepared for

Security, Privacy, and Critical Infrastructure Committee

by

National Institute of Standards and Technology (NIST)

Computer Security Division

Systems and Network Security Group

Overview

Information is one of the most valuable assets of any organization. This is equally true with Federal information systems. Protection of information, regardless of form (electronic, paper, or film), whether resident or in transit across networks, is vital and can be achieved only through effective management. Information security -- the protection of information from a wide range of threats in order to ensure the confidentiality, integrity and availability of the information -- is a fundamental and critical management responsibility.

Each Federal agency must provide an information security management infrastructure based on its mission and cost-effective Information Technology (IT) security. Vulnerabilities must be identified, reduced, eliminated, or countered to the extent practicable and economically feasible. Decision-makers need to understand the factors that could adversely impact the mission so they can make informed judgments to minimize risk. Managing information risks, assessing vulnerabilities, and practicing due care are crucial.

The Federal Information Security Assessment Framework (FISAF) describes a mechanism for Federal agencies to determine the current health of their security programs and, where necessary, to establish a target for improvement. A security program may be composed in many different ways within an organization. For example, a program could be grouped as an agency asset, a major application, general support system, high impact program, mission critical system, or a logically related group of systems. This grouping is referred to in this document as an entity or asset. The Framework describes a process for assessing the security of a specific entity within an agency; it does not provide a specific method for rolling the individual entity assessments up into a total agency-wide level or grade. It is the agencies' responsibility to define what constitutes an asset and then to analyze the assessments in a manner that provides an accurate status of their security program.

The FISAF, coupled with the NIST prepared self-assessment questionnaire,1 provides a tool to measure the effectiveness of security programs. The Framework and NIST questionnaire do not create new security requirements for agencies; rather, the documents provide a vehicle for consistent and effective application of existing policy and guidance. Based on requirements of existing statutes, OMB directives and memoranda, GAO audit procedures, and NIST guidance and standards, the Framework provides the groundwork for assessing the effectiveness of security and privacy objectives for an entity. The security and privacy objectives are measured by determining whether specific control criteria are documented, implemented, tested and reviewed, and incorporated into a cyclic review/improvement program. The NIST questionnaire provides the specific control criteria against which an entity can measure itself.

The Framework comprises five levels to guide and prioritize agency efforts as well as provide a basis to measure progress. At each level there are criteria to determine whether the level is adequately implemented. Level 1 is documented policy, level 2 is documented procedures, level 3 is implemented procedures and controls, level 4 is tested and reviewed procedures and controls, and level 5 is fully integrated procedures and controls. Each level represents increased and improved security; an entity is not in compliance with federal regulations unless levels 1 through 4 are met, based on the criticality of the information and the systems within the entity. All entities should strive to complete all five levels.

Most agencies have developed their own methods of determining the criticality of their information and systems. For example, the Department of Health and Human Services uses a four-track scale for confidentiality, integrity, and availability. The Department of Energy uses a five-track scale. No matter what scale is used, it is the information owner's responsibility to decide whether each specific control should be implemented. If it is implemented, the control must be tested periodically for effectiveness. The risk-based decision to implement or not implement a control should be documented.

Below is a sample of the NIST questionnaire that depicts a hypothetical government agency's completion of the questionnaire for its backbone local area network. The criticality of the entity (the local area network) was determined, and the specific control objectives for personnel security and for authentication were assessed at various levels. Based on the levels checked, and the need for the network to be available, it would appear the agency should target implementing and testing its password procedures. Background screening is another area that should be targeted, as should a formal review of the controls in place. Note that the list of objectives is incomplete in this sample.

Hypothetical Government Agency's Backbone Local Area Network

Category of Criticality    Confidentiality    Integrity    Availability
  High                                                     X
  Medium                   X                  X
  Low

Specific Control Objectives                                   L.1     L.2         L.3          L.4      L.5
                                                              Policy  Procedures  Implemented  Tested   Integrated
Personnel Security
  All positions reviewed for sensitivity level                X       X           X
  Appropriate background screening for assigned positions     X       X
  Conditions for allowing system access prior to
    completion of screening                                   X       X           X
Authentication
  Passwords, tokens, or biometrics used                       X       X           X            X
  Passwords contain alpha numeric, upper/lower case,
    special characters                                        X       X
  Passwords are changed at least every ninety days or
    earlier if needed                                         X       X


1. FISAF Description

The FISAF identifies five levels of information security program effectiveness. The five levels are measurement criteria for specific information security management, operational, and technical control objectives. Each of the five levels contains criteria to determine if the level is adequately implemented. For example, in level 1 all policies should cover the purpose of the policy, the scope, who is responsible for implementing the policy, and the compliance and penalties for not following the policy. The policy for an individual control must be reviewed to ensure that the criteria for level 1 are met. Assessing the effectiveness of the individual controls, not simply their existence, is key to achieving and maintaining adequate security.

In partnership with those responsible for administering the information assets (which include Information Technology (IT) systems), it is the role of the information owner to determine how well each measurement criterion or level is met or should be met. Before a determination can be made, it is important that the degree of sensitivity of the information be determined by considering the requirements for confidentiality, integrity, and availability of the information. The value of the system is one of the first major factors in risk management.

A security program may be assessed at various levels within an organization. For example, a program could be grouped as an agency asset, a major application, general support system, high impact program, a physical plant, a mission critical system, or a logically related group of systems. This grouping is referred to as an entity or asset in this document.

The Framework describes what an asset self-assessment is and provides levels to guide and prioritize agency efforts as well as provide a basis to measure progress. The NIST questionnaire provides the implementation tools for the Framework. The questionnaire contains specific control objectives that should be applied to secure a system.

    Level 1 - Policy Documented

    Level 2 - Procedures Documented

    Level 3 - Implemented Procedures and Controls

    Level 4 - Tested and Reviewed Procedures and Controls

    Level 5 - Fully Integrated Procedures and Controls

Figure 1 - FISAF

The Framework is based on the premise that all agency entities must meet the minimum security requirements of the Office of Management and Budget Circular A-130, "Management of Federal Resources", Appendix III, "Security of Federal Automated Information Resources" (A-130). The criteria outlined in the Framework and provided in detail in the questionnaire are abstracted directly from long-standing requirements found in statute, policy, and guidance on security and privacy. It should be noted that an agency might have additional laws, regulations, or policies that establish specific requirements for confidentiality, integrity, or availability. Each agency should decide if additional controls or criteria should be added to the questionnaire and, if so, customize the questionnaire appropriately. A list of the documents the Framework and NIST questionnaire reflect is provided in Figure 2.

Office of Management and Budget Circular A-130, "Management of Federal Information Resources", Appendix III, "Security of Federal Automated Information Resources." Establishes a minimum set of controls to be included in Federal automated information security programs.

Computer Security Act of 1987. This statute set the stage for protecting systems by codifying the requirement for Government-wide computer security planning and training.

Paperwork Reduction Act of 1995. The PRA established a comprehensive information resources management framework including security and subsumed the security responsibilities of the Computer Security Act of 1987.

Clinger-Cohen Act of 1996. Act linked security to agency capital planning and budget processes, established agency Chief Information Officers, and re-codified the Computer Security Act of 1987.

Presidential Decision Directive 63, Protecting America's Critical Infrastructures. This directive specifies that each agency must protect the nation's infrastructure; assess vulnerabilities of public and private sectors; and eliminate vulnerabilities.

Presidential Decision Directive 67, Enduring Constitutional Government and Continuity of Government. Relates to enduring constitutional government, continuity of operations (COOP) planning, and continuity of government (COG) operations.

OMB Memorandum 99-05, Instructions on Complying with President's Memorandum of May 14, 1998, Privacy and Personal Information in Federal Records. A-130 establishes policy for Federal programs involving the collection, dissemination, publication, management, privacy, and safeguarding of information and information technology investments. Appendix III of this Circular establishes a minimum set of controls to be included in Federal information technology security programs and requires system security plans for all agency general support systems and major applications.

OMB Memorandum 99-18 Privacy Policies on Federal Web Sites. This memorandum directs Departments and Agencies to post clear privacy policies on World Wide Web sites, and provides guidance for doing so.

OMB Memorandum 00-13 Policies and Data Collection on Federal Web Sites. The purpose of this memorandum is a reminder that each agency is required by law and policy to establish clear privacy policies for its web activities and to comply with those policies.

General Accounting Office "Federal Information System Control Audit Manual" (FISCAM). The FISCAM methodology was originally developed to provide guidance to auditors in evaluating internal controls over the confidentiality, integrity, and availability of data maintained in computer-based information systems. The manual is primarily designed for evaluating general and applications controls over financial information systems that support agency business operations. However, as the manual suggests, the methodology could be used to evaluate the general support system and major application controls in agency information systems, as called for in Government Auditing Standards.

NIST Special Publication 800-14, "Generally Accepted Principles and Practices for Security Information Technology Systems." Guides organizations on the types of controls, objectives, and procedures that comprise an effective security program.

NIST Special Publication 800-18, "Guide for Developing Security Plans for Information Technology Systems." Details the specific controls that should be documented in a security plan.

Federal Information Processing Standards. Legislative and executive mandates for improving the utilization and management of computers and IT systems in the Federal Government.

Figure 2 - Source of Control Criteria

2. Level 1 - Policy Documented

2.1 Description

Formally documented security policy covering agency headquarters and major components (e.g., bureaus and operating divisions). The policy may be asset specific.

Policy references most of the basic requirements and guidance issued from the documents listed in Figure 2 - Source of Control Criteria.

An asset is at level 1 if there is a formally documented policy that establishes a continuing cycle of assessing risk, implements effective security policies including training, and promotes monitoring for program effectiveness. The policy may include major agency components, e.g., bureaus and operating divisions or a specific asset. A documented security policy is necessary to ensure adequate and cost effective organizational and system security controls. A sound policy delineates the security management structure, clearly assigns security responsibilities, and lays the foundation necessary to reliably measure progress and compliance. The criteria listed below should be applied when assessing the policy developed for the controls listed in the NIST questionnaire.

2.2 Level 1 Criteria

The level 1 criteria describe the components of a security policy.

Criteria for Level 1

a. Purpose and scope of policy. A security policy is written that covers all major facilities and operations agency-wide or for the asset. The plan is approved by key affected parties and covers security planning, risk management, vulnerability assessment, review of security controls, rules of behavior, life-cycle management, processing authorization, personnel, physical and environmental aspects, computer support and operations, contingency planning, documentation, training, incident response, access controls, and audit trails. The policy clearly identifies the purpose of the program and its scope within the organization.

b. Responsibilities designated. The security program comprises a security management structure with adequate independence, authority, and expertise. Information security manager(s) are appointed at an overall level and at appropriate subordinate levels. Security responsibilities and expected behaviors are clearly defined for information owners and users, information resources management and data processing personnel, senior management, and security administrators.

c. Periodically assess risks and vulnerabilities and monitor the computer security effectiveness. Risk management and vulnerability assessment activities are an integral part of the security policy. General compliance and specified penalties and disciplinary actions are identified.

3. Level 2 - Procedures Documented

3.1 Description

Formal, complete, well-documented security procedures for the asset.

Contains all of the basic requirements and guidance issued from the documents listed in Figure 2 - Source of Control Criteria.

An asset is at level 2 when formally documented procedures are developed focusing on specific areas. Implementing formal procedures promotes the repeatability of the security program. Formal procedures also provide the foundation for a clear, accurate, and complete understanding of the program implementation. Level 2 requires procedures for a continuing cycle to assess risk and vulnerabilities, implementing effective security policies, and monitoring effectiveness of the security controls. Approved system security plans are in place for all general support systems and major applications within the asset or for the asset. Well-documented security procedures are necessary to ensure adequate and cost effective organizational and system security controls. The criteria listed below should be applied when assessing the quality of the procedures for the controls that are listed in the NIST questionnaire.

3.2 Level 2 Criteria

Level 2 criteria describe the components of security procedures.

Criteria for Level 2

a. Control areas listed and organization's position stated. Procedures are written that cover all major facilities and operations within the asset. The procedures are approved by key responsible parties and cover security policies, security plans, risk management, vulnerability assessment, review of security controls, rules of behavior, life-cycle management, processing authorization, personnel, physical and environmental aspects, computer support and operations, contingency planning, documentation, training, incident response, access controls, and audit trails. The procedures clearly identify management's position, whether there are further guidelines, and any exceptions.

b. Applicability of procedures. Clarifying where, how, when, to whom, and to what a particular procedure applies.

c. Assign information security responsibilities and expected behavior. Security responsibilities and expected behaviors are clearly defined for (1) information resource owners and users, (2) information resources management and data processing personnel, (3) management, and (4) security administrators.

d. Periodically assess risk and vulnerabilities and monitor the computer security program effectiveness. Risk management activities are an integral part of the security procedures. Monitoring effectiveness of the controls and compliance are clearly stated.

e. Points of contact and supplementary information. Appropriate individuals to be contacted for further information, guidance, and compliance are provided.

4. Level 3 - Implemented Procedures and Controls

4.1 Description

Security procedures and controls are implemented.

Procedures are communicated and individuals are required to follow them.

At level 3 the IT security procedures are implemented in a consistent manner and communicated through training. Ad hoc approaches applied on an individual or case-by-case basis are discouraged. An asset could implement security controls and not have procedures documented, but the addition of formal documented procedures at level 2 represents a significant step in the effectiveness of implementing procedures and controls at level 3. It is important to note that testing, which is at level 4, should occur whenever modifications are implemented to the system, the information, or other resources.

The criteria listed below should be used to determine if the specific controls listed in the NIST questionnaire are being implemented.

4.2 Level 3 Criteria

Level 3 criteria describe how an asset can ensure implementation of its security procedures.

Criteria for Level 3

a. Make owners and users aware of security policies. Distribute security policies and procedures to all affected personnel, including system/application rules and expected behaviors. Require users to periodically sign a statement acknowledging their awareness and acceptance of responsibility for security.

b. Review of security controls. Routinely use automated tools to monitor security. Establish policy on review of system logs, penetration testing, internal/external audits.

c. Manage security throughout the life cycle of the system. Consider security in each of the life-cycle phases: initiation, development/acquisition, implementation, operation, and disposal.

d. Establish procedures for authorizing processing (certification and accreditation). Require management officials to formally authorize system operations and to manage risk.

e. Documented position descriptions. Accurately identify skill needs and security responsibilities in job descriptions.

f. Train employees on security requirements. Plan, implement, maintain, and evaluate an effective training and awareness program tailored for varying job functions.

5. Level 4 - Tested/Reviewed Procedures and Controls

5.1 Description

Capability to monitor the effectiveness of the asset's security procedures and policies.

The appropriateness of security policy and procedures is periodically assessed, and compliance and corrective actions are effectively implemented.

An asset at level 4 monitors the effectiveness of security policy and procedures and makes changes as needed. Monitoring, testing, and reviewing are important elements of risk management that ensure security policies and procedures intended to reduce risk are effective on an ongoing basis. Senior management's awareness, support, and involvement are essential in establishing the environment needed to promote compliance with the asset's security procedures. To implement an effective security program, management should monitor, test, and review its implementation and adjust the plan in accordance with changing risk factors. When material weaknesses or significant weaknesses are found and identified, related risks should be reassessed and corrective actions implemented.

Periodic self-assessments are important in identifying non-compliance, reminding employees of their responsibilities and demonstrating management's commitment to security. Independent audits performed or arranged by GAO or an agency IG are an important check on performance but should not be viewed as a substitute for management evaluations. The criteria listed below should be applied to each control area listed in the NIST questionnaire to determine if adequate monitoring, testing, and reviewing have been accomplished.

5.2 Level 4 Criteria

Level 4 criteria contain varying levels of assurance indicators used for monitoring, testing, and reviewing the effectiveness of an asset's security program.

Criteria for Level 4

a. Self-assessment reviews. Self-administered audit completed by the asset's system management staff.

b. Peer reviews. Review conducted by the entity's peer organization.

c. Independent audits. Performed by a professional audit staff, GAO, or an agency's IG. The auditors should have no professional stake in the system.

d. Testing and certification. Testing can address the quality of the system as built, as implemented, or as operated. Certification is a formal process for testing components or systems against a specified set of security requirements.

e. Monitoring. On-going activity that checks for vulnerabilities and security problems, e.g., periodic review of system-generated logs, virus scanners, and intrusion detection.

f. Penetration testing. Manual or automated techniques to attempt a system break-in.

6. Level 5 - Fully Integrated Procedures and Controls

6.1 Description

A comprehensive security program that is an integral part of an agency's organizational culture.

Decision-making that is based on knowledge related to cost effectiveness balanced with mission impact.

The consideration of information security is pervasive in the culture of a level 5 asset. A proven life-cycle methodology is implemented and enforced and an on-going program to identify and institutionalize best practices has been implemented. There is active support from senior management. Decisions and actions that are part of the IT life cycle include:

    - Improving security program

    - Improving security program procedures

    - Improving security countermeasures

    - Adding security countermeasures

    - Integrating security within existing and evolving IT architectures

    - Improving mission processes and risk management activities

Each of these decisions is the result of a continuous improvement and refinement program that is instilled within the organization. It is at level 5 that the understanding of mission costs is married with a full range of implementation options to achieve maximum mission cost-effectiveness of security measures. That is, entities should apply the principle of selecting countermeasures that offer low cost of implementation while offering high-risk mitigation versus selecting those with high cost of implementation and low risk mitigation. The criteria listed below should be used to assess whether a specific control contained in the NIST questionnaire has evolved.

6.2 Level 5 Criteria

Level 5 criteria describe the components of a fully integrated security program.

Criteria for Level 5

a. Apply cost-effective measures in decision-making to achieve ongoing security program improvement.

b. Demonstrate that information security is an integrated practice within the asset.

c. Understand and manage security vulnerabilities.

d. Continually re-evaluate threats and adapt to changing security environment.

e. Identify additional or more cost-effective security alternatives as necessary.

f. Realize and show cost benefits of security.

7. Future of the Framework

This version of the Framework document primarily addresses security management issues. Essentially it describes a process for agencies to assess their compliance with long-standing basic requirements, such as those specified by the Computer Security Act of 1987; the Clinger-Cohen Act of 1996; the Paperwork Reduction Act of 1995; OMB Circular A-130, Management of Federal Information Resources; GAO's Federal Information System Control Audit Manual (FISCAM); and NIST Special Publication 800-14, Generally Accepted Principles and Practices for Security Information Technology Systems (GSSP). The Framework will give agencies an approach to begin the assessment process. The NIST questionnaire provides the tool to determine whether agencies are meeting these requirements.

The Framework is not a static document; it is a living document. Revisions will focus on more granularity of existing criteria and on expanding and refining criteria. In addition, a similar companion framework focused on the evolution of agency electronic privacy policies may be developed in the future.

The Framework can be viewed as both an auditing tool and a management tool. Flexibility, contextual risk management, asset/mission-driven customization of improvement strategies may be in conflict with statements about auditable process requirements. At some point, consideration of cost-effective information security oversight (i.e., existence of the elements of a sound security program) and the successful protection of an organization's critical assets in a cost-effective manner (i.e., through asset-driven risk management) will lead to conflicting goals. Guidance will be needed to address these conflicts. This will be follow-on work.

Currently, the NIST questionnaire is under development and will be available in early 2001.

References

1. Clinger-Cohen Act of 1996

2. Paperwork Reduction Act of 1995

3. Computer Security Act of 1987

4. OMB Circular A-130, Management of Federal Information Resources

5. GAO/AIMD-12.19.6, Federal Information System Control Audit Manual (FISCAM)

6. GAO/AIMD-99-139, Information Security Risk Assessment Practices of Leading Organizations

7. NIST Special Publication 800-14, Generally Accepted Principles and Practices for Security Information Technology Systems (GSSP)

8. COBIT 3rd Edition Management Guidelines

Acronyms

FISCAM Federal Information System Control Audit Manual

GAO General Accounting Office

GSSP Generally Accepted Principles and Practices for Security Information Technology Systems

NIST National Institute of Standards and Technology

OMB Office of Management and Budget

Terminology

Acceptable Risk is a concern that is acceptable to responsible management, due to the cost and magnitude of implementing countermeasures.

Accreditation is synonymous with the term authorize processing. Accreditation is the authorization and approval granted to a major application or general support system to process in an operational environment. It is made on the basis of a certification by designated technical personnel that the system meets pre-specified technical requirements for achieving adequate system security. See also Authorize Processing, Certification, and Designated Approving Authority.

Asset is a security program grouped as an agency asset, a major application, general support system, high impact program, physical plant, mission critical system, or a logically related group of systems.

Authorize Processing occurs when management authorizes a system based on an assessment of management, operational, and technical controls. By authorizing processing in a system the management official accepts the associated risks. See also Accreditation, Certification, and Designated Approving Authority.

Availability Protection requires backup of system and information, contingency plans, disaster recovery plans, and redundancy. Examples of systems and information requiring availability protection are time-share systems, mission-critical applications, time and attendance, financial, procurement, or life-critical.

Awareness, Training, and Education includes (1) awareness programs, which set the stage for training by changing organizational attitudes to realize the importance of security and the adverse consequences of its failure; (2) training, which teaches people the skills that will enable them to perform their jobs more effectively; and (3) education, which is more in-depth than training and is targeted for security professionals and those whose jobs require expertise in automated information security.

Certification is synonymous with the term authorize processing. Certification is the technical evaluation that establishes the extent to which a computer system, application, or network design and implementation meets a pre-specified set of security requirements. See also Accreditation and Authorize Processing.

Entity is a security program grouped as an agency asset, a major application, general support system, high impact program, physical plant, mission critical system, or a logically related group of systems.

General Support System is an interconnected information resource under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, facilities, and people and provides support for a variety of users and/or applications. Individual applications support different mission-related functions. Users may be from the same or different organizations.

Individual Accountability requires individual users to be held accountable for their actions after being notified of the rules of behavior in the use of the system and the penalties associated with the violation of those rules.

Information Owner is responsible for establishing the rules for appropriate use and protection of the data/information. The information owner retains that responsibility even when the data/information are shared with other organizations.

Major Application is an application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to, or modification of, the information in the application. A breach in a major application might comprise many individual application programs and hardware, software, and telecommunications components. Major applications can be either a major software application or a combination of hardware/software where the only purpose of the system is to support a specific mission-related function.

Networks include communication capability that allows one user or system to connect to another user or system and can be part of a system or a separate system. Examples of networks include local area networks and wide area networks, including public networks such as the Internet.

Operational Controls address security methods that focus on mechanisms that primarily are implemented and executed by people (as opposed to systems).

Risk is the possibility of harm or loss to any software, information, hardware, administrative, physical, communications, or personnel resource within an automated information system or activity.

Risk Management is the ongoing process of assessing the risk to automated information resources and information, as part of a risk-based approach used to determine adequate security for a system by analyzing the threats and vulnerabilities and selecting appropriate cost-effective controls to achieve and maintain an acceptable level of risk.

Rules of Behavior are the rules that have been established and implemented for use of, security in, and acceptable level of risk for the system. Rules will clearly delineate responsibilities and expected behavior of all individuals with access to the system. Rules should cover such matters as work at home, dial-in access, connection to the Internet, use of copyrighted works, unofficial use of Federal government equipment, assignment and limitation of system privileges, and individual accountability.

Sensitive Information refers to information that requires protection due to the risk and magnitude of loss or harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information. The term includes information whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, proprietary information, records about individuals requiring protection under the Privacy Act, and information not releasable under the Freedom of Information Act.

Sensitivity in an information technology environment consists of the system, data, and applications, which must be examined individually and in total. All systems and applications require some level of protection for confidentiality, integrity, and availability; that level is determined by an evaluation of the sensitivity and criticality of the information processed, the relationship of the system to the organization's mission, and the economic value of the system components.

System is a generic term used to describe either a major application or a general support system.

System Operational Status is either (1) Operational - system is currently in operation, (2) Under Development - system is currently under design, development, or implementation, or (3) Undergoing a Major Modification - system is currently undergoing a major conversion or transition.

Technical Controls consist of hardware and software controls used to provide automated protection to the system or applications. Technical controls operate within the technical system and applications.

Threat is an activity, deliberate or unintentional, with the potential for causing harm to an automated information system or activity.

Vulnerability is a flaw or weakness that may allow harm to occur to an automated information system or activity.


1 The NIST Self Assessment Questionnaire will be issued in the beginning of 2001 as a NIST Special Publication.