RECOMMENDED SECURITY CONTROLS FOR FEDERAL INFORMATION SYSTEMS: GUIDANCE FOR SELECTING COST-EFFECTIVE CONTROLS USING A RISK-BASED PROCESS Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Security controls are the management, operational, and technical safeguards that protect the confidentiality, integrity, and availability of an information system and its information. Organizations face critical decisions in selecting and implementing the right controls and in making the controls an effective part of their information security programs. The Information Technology Laboratory at the National Institute of Standards and Technology (NIST) has developed guidance to help organizations protect their information and information systems and to use security controls that are selected through a risk-based process. Development of NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems The basic questions that organizations should address when selecting security controls are: What controls are needed to protect systems, while supporting their operations and safeguarding their assets? Can the selected controls be implemented? And once implemented, are they effective? NIST SP 800-53, Recommended Security Controls for Federal Information Systems, helps organizations to answer these questions and to maintain effective information security programs. This ITL Bulletin summarizes the special publication. Written by Ron Ross, Stuart Katzke, Arnold Johnson, Marianne Swanson, Gary Stoneburner, George Rogers, and Annabelle Lee, NIST SP 800-53 was developed using input from a variety of sources including published NIST standards and guidance, Department of Defense (DoD) policies, international standards, and other federal government directives and policies. SP 800-53 provides guidance for federal agencies that operate federal information systems other than those systems designated as national security systems, as defined in 44 U.S.C., Section 3542. However, the security controls that are specified in NIST SP 800-53 are complementary to similar guidance that has been issued for national security systems. NIST SP 800-53 was issued in final form in February 2005 after extensive public input and review. The authors received many valuable comments from government and private sectors that helped to shape the final recommendations. While primarily aimed toward helping federal agencies achieve more secure information systems, other activities including state, local and tribal governments, and private sector organizations should find the guide useful in selecting and specifying security controls for their information and information systems. Understanding and Selecting Security Controls Recommended Security Controls for Federal Information Systems provides a foundation for understanding the fundamental concepts of security controls. The introductory material presents the concept of security controls and their use within a well-defined information security program. Some of the issues discussed include the structural components of controls, how the controls are organized into families, and the use of controls to support information security programs. The guide outlines the essential steps that should be followed to determine needed controls, to assure the effectiveness of controls, and to maintain the effectiveness of installed controls. A detailed process for selecting and specifying appropriate security controls is described. The publication's appendices provide additional resources including general references, definitions, explanation of acronyms, a breakdown of security controls for graduated levels of security requirements, a catalog of security controls, and information relating security controls to other standards and control sets. The controls in the catalog are organized into classes of operational, management, and technical controls, and then into families within each class. NIST plans to review and to update the controls in the catalog as technology changes and as new safeguards and new information security countermeasures are identified. NIST SP 800-53 is available in electronic format from the NIST Computer Security Resource Center at http://csrc.nist.gov/publications/nistpubs/index.html. NIST SP 800-53 and FISMA Requirements NIST SP 800-53 is one of the series of standards and guidelines that NIST has developed to help federal agencies implement their responsibilities under the Federal Information Security Management Act (FISMA). FISMA requires that all federal agencies develop, document, and implement agency-wide information security programs to protect the information and information systems that support the operations and assets of the agency, including those systems provided or managed by another agency, contractor, or other source. To support agencies in conducting their information security programs, the FISMA directed NIST to develop: ? Standards for categorizing information and information systems collected or maintained by or on behalf of each federal agency based on the objectives of providing appropriate levels of information security according to a range of risk levels; ? Guidelines recommending the types of information and information systems to be included in each category; and ? Minimum information security requirements for information and information systems in each such category. FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, issued in February 2004, addresses the first task specified by FISMA. FIPS 199 requires that agencies categorize their information systems as low-impact, moderate- impact, or high-impact systems for the security objectives of confidentiality, integrity, and availability. In a low-impact system, all security objectives are low. If at least one of the security objectives is moderate and no security objective is greater than moderate, the system is moderate-impact. A high-impact system is one for which at least one security objective is high. This categorization is the first step in the agency's risk management process, to be followed by the selection of security controls that are appropriate for the impact levels determined in the categorization procedure. Draft FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, which is in the final stages of development, will specify a risk- based approach for agencies to follow in determining their minimum security requirements and for selecting cost-effective security controls. NIST expects to announce FIPS 200 for public review and comment in the near future. In applying the provisions of proposed FIPS 200, agencies will categorize their systems as required by FIPS 199, and then select an appropriate set of security controls from NIST SP 800-53. These controls are the foundation for the selection of adequate controls, but the final determination of the appropriate set of controls depends upon the organization's assessment of risk. Implementing an Effective Information Security Program To maintain an effective information security program that protects their information and information systems, organizations should follow a systematic process to carry out these tasks: ? Periodically assess the risks that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization; ? Adopt policies and procedures that are based on risk assessments, reduce risks cost-effectively to an acceptable level, and ensure that information security is addressed throughout the life cycle of the information system; ? Develop plans to provide information security for networks, facilities, information systems, or groups of information systems; ? Provide security awareness training to educate personnel about information security risks and responsibilities for following policies and procedures that are designed to reduce risks; ? Periodically test and evaluate the effectiveness of information security policies, procedures, practices, and security controls; ? Use an organizational process to plan, implement, evaluate, and document remedial actions that address identified deficiencies; ? Adopt procedures that detect, report, and respond to security incidents; and ? Support plans and procedures to ensure continuity of operations. A Risk-Based Approach to Selecting Controls In adopting a risk-based approach to the selection of security controls, organizations should consider the effectiveness and efficiency needed in their systems, and the requirements that are specified in applicable, laws, directives, executive orders, policies, standards, and regulations. The following activities can be applied to new and legacy information systems within the context of overall life-cycle planning, including the planning guides in the System Development Life Cycle and the Federal Enterprise Architecture: ? Categorize information systems and their information based on the procedures for categorizing systems that are detailed in FIPS 199. Based on the security categorization, select an initial set of security controls from the catalog of controls listed in Appendix D of SP 800-53. ? Adjust the initial set of security controls based on an assessment of risk and local conditions including organization-specific security requirements, specific threat information, cost-benefit analyses, the availability of compensating controls, or special circumstances. ? Document the agreed-upon set of security controls taking into account any adjustments or refinements. The Security Control Catalog The security controls listed in the SP 800-53 catalog represent the current state-of-the- practice safeguards and countermeasures for information systems. These controls will be revised and extended as experience is gained in using the controls, and as requirements and technology change. The security controls should be considered as the foundations or starting points in the selection of controls for low-impact, moderate-impact, and high-impact information systems, based on categorizations done in accordance with FIPS 199. Since the determination of adequate controls is based on the organization's determination of risk, additional controls may be needed to address specific threats or particular organizational requirements. The security controls cover the following seventeen areas: ? Risk assessment – including policies and procedures; security categorization; and management of the risk assessment process. ? Certification, accreditation, and security assessments – including policies and procedures; control of system connections; management of the accreditation process; and assessments and monitoring of controls. ? System services and acquisition – including policies and procedures; management of resource allocation, life cycle support, acquisitions, and system documentation; and control of software usage and of outsourced information services. ? Security planning – including policies and procedures; development and implementation of plans; and management of staff behavior rules and privacy procedures. ? Configuration management – including policies and procedures; management of information system components; and control and management of changes to information systems and to system settings. ? System and communications protection – including policies and procedures; application partitioning; controls for denial of service protection, resource use, boundary protection, and telecommunications services; and management of cryptography applications and public key infrastructure certificates. ? Personnel security – including policies and procedures; and management of staff positions, screening, terminations, and transfers. ? Awareness and training – including policies and procedures; and management of the content of training and of training records. ? Physical and environmental protection – including policies and procedures; management of access authorizations; controls for access to transmission facilities and display media; management of access logs and visitor controls; and management of power equipment, cabling, lighting, fire protection, and alternate work sites. ? Media protection – including policies and procedures; processes for media access, labeling, storage, transport, and sanitization; and destruction and disposal of media. ? Contingency planning – including policies and procedures; contingency training; and development, maintenance, and testing of plans; management of alternate processing sites, telecommunications services, and information backup; and management of system recovery. ? Maintenance – including policies and procedures; management of periodic maintenance; and control of maintenance tools and maintenance personnel. ? System and information integrity – including policies and procedures; management of flaw protection, malicious code protection, and intrusion detection; controls for security alerts, and for software and information integrity; spam and spyware protection; and error handling. ? Incident response – including policies and procedures; incident training, testing, handling, monitoring, and reporting. ? Identification and authentication – including policies and procedures; management of devices, identifiers, and authenticators; and management of cryptographic processes. ? Access control – including policies and procedures; access enforcement; information flow enforcement; management of login attempts; system use notification; remote access controls; and wireless access controls. ? Accountability and audit – including policies and procedures; audit processing; audit monitoring, analysis, and reporting; and audit report generation. Using Security Controls to Improve Information System Security NIST SP 800-53 provides detailed information about these seventeen categories of broadly applicable security controls and helps organizations select the controls that are appropriate for a wide variety of security requirements. When correctly implemented and periodically assessed for effectiveness, security controls can contribute to organizational confidence that requirements for the security of information systems are being met. The controls are a starting point for risk assessments and play an important role in the organization's practices for comprehensive system security planning and life cycle management. The extensive reference list in SP 800-53 includes standards, guidelines, and recommendations that organizations can use for their comprehensive security planning and life cycle management processes. These publications can be accessed from the NIST web pages at http://csrc.nist.gov/. Disclaimer Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.