1. Tenacity Solutions Incorporated David Comings, Ph.D.
Risk Management Framework
Applied to Cross-Domain Solutions -
Additional Information on Tenacity Solutions, Inc. (Tenacity Solutions):
1835 Alexander Bell Drive - Suite 210
Reston, Virginia 20191
Phone: 703.673.3100
Fax: 703.707.0680
www.tenacitysolutions.net
Tenacity Solutions' award-winning staff offers the skills, clearances, and tenacity necessary to achieve IT innovations that others cannot or will not. Tenacity engineers routinely deliver the impossible, whether in the deserts of Iraq or in an office in DC. Whenever your mission's success hinges on IT, turn to Tenacity for assured success. Our staff offers the skills and clearances necessary to address your organization's requirements for the comprehensive protection of your information and communications systems. Our solutions are among the most reliable, cost-effective data and hardware security solutions on the market today.
2. Introductions & Objectives (Agenda)
Tenacity Solutions experience in the area of Certification & Accreditation:
Tenacity Solutions engineers have extensive experience in the practice of Certification & Accreditation of US Intelligence Community information systems
Tenacity Solutions engineers have been intimately involved in the C&A Transformation Effort since its inception
Tenacity Solutions engineers have been members of or led drafting teams responsible for key/critical policy and procedural documents related to the new C&A process
Tenacity Solutions engineers have been presenters at RSA, DODIIS Worldwide, UCDMO, and other IC/DoD conferences supporting customers on the subject of the new C&A process
Student Input & Feedback:
Interaction and productive discussions are encouraged
An open forum for the exchange of ideas and experiences
Please provide honest, specific, constructive feedback on all course content so that all future students (and the overall Intelligence Community) may benefit; course content and associated materials will routinely be updated
3. Presentation Scope
4. Risk Management Framework - 6 Steps
Additional Information:
NIST Special Publications - http://csrc.nist.gov/publications/PubsSPs.html
NIST Public Drafts - http://csrc.nist.gov/publications/PubsDrafts.html
CNSS - http://www.cnss.gov/
5. RMF Step 1 - Categorize
Additional Information:
NIST SP 800-37 (draft) - http://csrc.nist.gov/publications/drafts/800-37-Rev1/SP800-37-rev1-IPD.pdf
Guidance: Descriptive information about the information system is typically documented in the system identification section of the security plan, included in attachments to the plan, or referenced in other standard sources for the information generated as part of the SDLC. System identification information can also be provided by reference. The level of detail provided in the security plan is determined by the organization and is typically commensurate with the security category of the information system in accordance with FIPS 199 or CNSS Instruction 1199/1253 (i.e., the level of detail in the plan increases as the potential impact on organizational operations and assets, individuals, other organizations, and the Nation increases). Information may be added to the information system description as it becomes available during the security authorization process.
6. RMF Step 1 - Categorize (cont.)
Additional Information:
It will obviously be difficult (if not impossible) to ensure that ALL appropriate representatives throughout the organization are present at every Initial Stakeholder Meeting as part of the Categorization process. However, for the Categorization step to be as effective as possible, organizations should strive to ensure that there is representation from as many parts of the organization as possible, with the security, mission, and business areas being key!
7. RMF Step 1 - Categorize (cont.)
8. RMF Step 1 - Categorize (cont.)
Additional Information:
Information, Information, Information! - Information is key at this critical stage of the RMF! The more information that is available about the information system in question, the more likely the organization is to make the correct decision(s) regarding the impact levels and initial control selection; this sets the stage for the rest of the process!
9. RMF Step 1 - Categorize (cont.)
10. RMF Step 2 - Select
Additional Information:
NIST SP 800-53: based on agreements made at the 2009 CNSS Conference between the IC, DoD, and NIST, NIST SP 800-53 will contain ALL controls!
CNSSI 1253: this document will contain information on the Categorization process as it applies to National Security Systems, as well as control tailoring guidance and profiles for National Security Systems (all controls for National Security Systems WILL be in NIST SP 800-53!)
11. RMF Step 2 - Select (cont.)
12. RMF Step 2 - Select (cont.)
13. RMF Step 3 - Implement
Additional Information:
NIST SP 800-70, found here - http://csrc.nist.gov/publications/drafts/800-70-rev1/Draft-SP800-70-r1.pdf
Center for Internet Security (Hardening Guides)
http://www.cisecurity.org/
NSA Security Configuration Guides
http://www.nsa.gov/ia/guidance/security_configuration_guides/index.shtml
14. RMF Step 3 - Implement (cont.)
15. RMF Step 3 - Implement (cont.)
16. RMF Step 4 - Assess
Additional Information:
The intention is to make NIST SP 800-53A the single authoritative source for the "how do I evaluate" criteria in relation to security controls that are assigned to information systems through the execution of the Risk Management Framework. CNSSI 1253A development is on indefinite hold until it is determined whether there will be a need for a separate document for the National Security Community.
17. RMF Step 4 - Assess (cont.)
18. RMF Step 5 - Authorize
Additional Information:
When Step 5 is fully implemented in the Intelligence Community as part of the C&A Transformation Effort and the adoption of the Risk Management Framework as the process that all will follow, the previous traditional authorization decisions, Interim Approval to Test (IATT) and Interim Approval to Operate (IATO), will no longer be utilized. The only authorization decisions that will be issued will be Authorization to Operate (ATO) or Denial to Operate.
19. RMF Step 6 - Monitor
Additional Information:
Continuous Monitoring is a key/critical step in the execution of the Risk Management Framework! Effective continuous monitoring saves both time and money, and it gathers data about the status of an organization's information systems that supports other necessary/required reporting (e.g., FISMA).
http://www.onpointcorp.com/documents/IA_Continuous_Monitoring.pdf
20.
21.
22.
23.
Additional Information:
C&A transformation is about changing the way the national security community manages IA risk. This means breaking down unnecessary barriers between community members and improving information sharing among the security, IT provider, and IT user communities.
Official DNI Press Release: www.dni.gov/press_releases/20070327_1_release.pdf
24. The Global Threat is Real
Information on Dr. Ross:
NIST Computer Security Division Rolodex on Dr. Ross: http://csrc.nist.gov/staff/rolodex/ross_ron.html
* Project leader, FISMA Implementation Project
* FISMA-related standards and guidelines
* Security controls development and implementation
* Security certification and accreditation
Full Bio on Dr. Ross: http://csrc.nist.gov/staff/Ross/biography_ross_10-21-2007.pdf
25. U.S. IC Infrastructure
USA Patriot Act:
Full Text of Enrolled (Final) Version can be found at the Library of Congress: http://thomas.loc.gov/cgi-bin/query/z?c107:H.R.3162.ENR:
26. C&A Transformation Effort
Additional Information:
Official DNI Press Release: www.dni.gov/press_releases/20070327_1_release.pdf
27. Seven (7) Transformation Goals
Additional Information:
1) Reduce the varying numbers of IC Protection Levels and DoD Mission Assurance Categories (MAC) by defining a common set of trust levels the IC and DoD can jointly apply to systems, eliminating conflicting criteria used to apply security controls that currently inhibit systems' interconnection and information sharing.
2) Adopt reciprocity, in the sense of cooperation, as normal business rather than the exception, to facilitate re-use of systems developed and approved by other organizations. This transformation will reduce duplicative expenditures on multiple systems development efforts.
3) Define common security controls, using NIST Special Publication 800-53 as a starting point, enabling the IC and DoD to develop systems to the same protection standards. In doing so, this facilitates reciprocity of approvals and reuse of systems across the IC and DoD communities.
28. Seven (7) Transformation Goals (cont.)
Additional Information:
4) Define a common lexicon (common language and common understanding), using the Committee on National Security Systems (CNSS) 4009 glossary as a baseline, for establishing reuse and reciprocity across the IC and DoD.
5) Look broader than individual systems or events when making risk decisions. Therefore, implement a senior risk executive function to base decisions on an "enterprise" view of risk considering all factors, including mission, IT, budget, and security. This view of risk enables Approval Authorities to make informed decisions.
6) Design and operate Information Assurance within the enterprise operational environments, as a coherent whole across the IC and DoD, enabling IA situational awareness and command and control.
29. Seven (7) Transformation Goals (cont.)
Additional Information:
7) Institute a common process for the IC and DoD incorporating security engineering within "lifecycle" processes. This eliminates current security-specific processes by incorporating security processes within development and system acceptance. The common process will be adaptable to various development environments. Coupled with an ongoing validation process based on strict configuration management, continuous risk assessment, continuous monitoring, and periodic and/or ad-hoc audits, this change eliminates the need for "re-accreditation" as a paperwork exercise. This process reduces the existing redundant C&A activities and unnecessary documentation, and shortens the overall process of approving systems.
30. C&A Transformation & the 500-Day Plan
Additional Information:
Directorate of National Intelligence 500-Day Plan: www.dni.gov/500-day-plan.pdf
HPSCI 500-Day Plan Hearing: intelligence.house.gov/Media/PDFS/Kerr120607.pdf
31. C&A Transformation Partnership
Additional Information:
One Government, One Set of Standards
http://fcw.com/microsites/security-directives/one-government.aspx
Transforming IA Certification and Accreditation Across the National Security Community
http://www.stsc.hill.af.mil/crosstalk/2008/07/0807King.html
32. C&A Transformation Partnership (cont.)
Additional Information:
NIST Computer Security Division Annual Report
http://csrc.nist.gov/publications/nistir/ir7442/NIST-IR-7442_2007CSDAnnualReport.pdf
CNSS Annual Report
http://www.cnss.gov/Assets/pdf/CNSS_Report_07-08.pdf
33. Unifying the C&A Process
Additional Information:
Information Sharing Environment Report to Congress -
http://www.docstoc.com/docs/5793760/Annual-Report-to-Congress-on-the-Information-Sharing-Environment
DNI/DOD Reciprocity & Re-Use Memorandum can be located on most Unclassified Government networks!
34.
Additional Information:
ICD 503 can be found here - http://www.dni.gov/electronic_reading_room/ICD_503.pdf
35. DNI Approach to Policy & Standards
36. ICD 503
Intelligence Community Directive (ICD) 503:
Section B, Para 2 - This ICD rescinds and replaces the Director of Central Intelligence Directive (DCID) 6/3 Policy, Protecting Sensitive Compartmented Information within Information Systems, and the associated DCID 6/3 Manual having the same title. It also rescinds the DCID 6/5 Implementation Manual for the Protection of Certain non-Sensitive Compartmented Information (SCI) Sources and Methods Information (SAMI). Appendix E in the DCID 6/3 Manual, Access by Foreign Nationals to Systems Processing Intelligence, shall remain in effect until subsequent issuances supersede it.
Section E - EFFECTIVE DATE: This ICD becomes effective on the date of signature. IC elements may continue to operate systems and items of information technology currently certified and accredited under pre-existing policies, guidelines and standards; any certification, recertification, accreditation, or reaccreditation of existing and currently certified and accredited systems or items of information technology undertaken after the date of signature must, however, be accomplished in accordance with the policies set forth in this Directive. Any information systems or items of information technology placed into service after the date of signature shall be certified and accredited in accordance with the policies set forth in this Directive.
37. ICD 503 Authorities 37 Additional Information:
National Security Act of 1947 (as amended) - http://intelligence.senate.gov/nsaact1947.pdf
Executive Order 12958 http://nsi.org/Library/Govt/ExecOrder12958.html
Executive Order 12333 http://www.ncs.gov/library/policy_docs/eo_12333.pdf
38. Risk Management 38 Additional Information:
ICD 503 can be found here - http://www.dni.gov/electronic_reading_room/ICD_503.pdf
39. Accreditation 39
40. Authorizing Official 40 Additional Information:
ICD 503 can be found here - http://www.dni.gov/electronic_reading_room/ICD_503.pdf
41. Delegated Authorizing Official 41 Additional Information:
ICD 503 can be found here - http://www.dni.gov/electronic_reading_room/ICD_503.pdf
42. Certification 42 Additional Information:
ICD 503 can be found here - http://www.dni.gov/electronic_reading_room/ICD_503.pdf
43. Reciprocity 43 Additional Information:
ICD 503 can be found here - http://www.dni.gov/electronic_reading_room/ICD_503.pdf
44. Execution of Reciprocity in the IC 44 Additional Information:
DNI Electronic Reading Room - http://www.dni.gov/electronic_reading_room
ICD 503 can be found here - http://www.dni.gov/electronic_reading_room/ICD_503.pdf
45. Interconnections & Resolution 45 Additional Information:
DNI Electronic Reading Room - http://www.dni.gov/electronic_reading_room
ICD 503 can be found here - http://www.dni.gov/electronic_reading_room/ICD_503.pdf
46. Status of ICD 503 46 Additional Information:
DNI Electronic Reading Room - http://www.dni.gov/electronic_reading_room
ICD 503 can be found here - http://www.dni.gov/electronic_reading_room/ICD_503.pdf
47. 47
48. Why use a Risk Managed Approach? 48 Additional Information:
NIST SP 800-39 (draft) - http://csrc.nist.gov/publications/drafts/800-39/SP800-39-spd-sz.pdf
The complexity and diversity of mission/business processes in modern organizations and the multitude of information systems that are needed to support those processes require a holistic approach to building effective information security programs and managing organizational risks. Developing an organization-wide information security program is not a new concept. However, obtaining a broad-based, organization-wide perspective by authorizing officials and other senior leaders facilitates a more comprehensive view of managing risk from the operation and use of information systems. In today's organizations, a single mission/business process may be supported by multiple information systems. Conversely, there may be multiple mission/business processes supported by a single information system. This many-to-many relationship among mission/business processes and information systems requires an organization-wide approach to managing risk, that is, the risk resulting from the use of information systems in organizational mission/business processes.
49. Concept of Risk Management 49 Additional Information:
NIST SP 800-39 (draft) - http://csrc.nist.gov/publications/drafts/800-39/SP800-39-spd-sz.pdf
Insider Threat
www.cs.cmu.edu/~jfrankli/talks/insider-threat.ppt
http://www.cert.org/archive/pdf/CSG-V3.pdf
50. Organizational Risk Management 50 Additional Information:
NIST SP 800-39 (draft) - http://csrc.nist.gov/publications/drafts/800-39/SP800-39-spd-sz.pdf
To be effective, organization-wide information security programs require strong commitment, direct involvement, and ongoing support from senior leaders. The objective is to institutionalize information security into the day-to-day operations of organizations as a priority and an integral part of how organizations conduct their operations in cyberspace, recognizing that this is essential in order to successfully carry out organizational mission and business processes in actual threat-laden operational environments. Building information security into the culture and infrastructure of organizations requires a carefully coordinated set of activities to ensure that fundamental requirements for information security are addressed within the mainstream management and operational processes employed by organizations (e.g., enterprise architecture development, acquisition and procurement processes, system development life cycle processes, concepts of operation).
51. Organizational Risk Management (cont.) 51 Additional Information:
NIST SP 800-39 (draft) - http://csrc.nist.gov/publications/drafts/800-39/SP800-39-spd-sz.pdf
52. Risk from an Enterprise Perspective 52 Additional Information:
NIST SP 800-39 (draft) - http://csrc.nist.gov/publications/drafts/800-39/SP800-39-spd-sz.pdf
NIST SP 800-37 (draft) - http://csrc.nist.gov/publications/drafts/800-37-Rev1/SP800-37-rev1-IPD.pdf
53. 53
54. Evolution of NSS Security Control Input to NIST SP 800-53 54 Additional Information:
Expands NIST SP 800-53 to include controls for the protection of National Security Information and Systems
Moves guidance areas of NIST SP 800-53 and includes them as requirements
Provides supplemental enhancement and supplemental guidance
55. Security Controls Structure 55 Additional Information:
NIST SP 800-53 can be found at the following location
http://csrc.nist.gov/publications/
56. Security Control Classes and Families 56 Additional Information:
NIST SP 800-53 can be found at the following location
http://csrc.nist.gov/publications/
The final version of NIST SP 800-53 may have an added security control family: Personally Identifiable Information (PII).