Industry:Project Review/NIST SP 800-37r1 FPD Chapter 1

CHAPTER ONE

INTRODUCTION

THE NEED FOR MANAGING INFORMATION SYSTEM-RELATED SECURITY RISKS

Organizations depend on information technology and the information systems that are developed from that technology to successfully carry out their missions and business functions. Information systems can include a range of diverse computing platforms from high-end supercomputers to personal digital assistants and cellular telephones. Information systems can also include very specialized systems and devices (e.g., telecommunications systems, industrial/process control systems, testing and calibration devices, weapons systems, command and control systems, and environmental control systems). Federal information systems are subject to serious threats that can have adverse impacts on organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation by compromising the confidentiality, integrity, or availability of information being processed, stored, or transmitted by those systems. Threats to information systems include environmental disruptions, human or machine errors, and purposeful attacks. Cyber attacks on information systems today are often aggressive, disciplined, well-organized, well-funded, and in a growing number of documented cases, very sophisticated. Successful attacks on public and private sector information systems can result in great harm to the national and economic security interests of the United States. Given the significant and growing danger of these threats, it is imperative that leaders at all levels understand their responsibilities for achieving adequate information security and for managing information system-related security risks.

1.1 BACKGROUND
NIST, in partnership with the Department of Defense (DOD), the Office of the Director of National Intelligence (ODNI), and the Committee on National Security Systems (CNSS), is developing a common information security framework for the federal government and its support contractors. This publication represents the second in a series of publications developed by the Joint Task Force Transformation Initiative. The initial publication produced by the joint task force, NIST Special Publication 800-53, Revision 3, created a unified security control catalog reflecting the information security requirements of both the national security community and the nonnational security community. NIST Special Publication 800-37, Revision 1, continues the evolution to a unified framework by transforming the traditional Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF). The revised process emphasizes: (i) building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls; (ii) maintaining awareness of the security state of information systems on an ongoing basis through enhanced monitoring processes; and (iii) providing essential information to senior leaders to facilitate credible decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the operation and use of information systems.

The RMF-based process has the following characteristics:

 * Promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes;
 * Encourages the use of automation and automated support tools to provide senior leaders the necessary information to take credible, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions;
 * Integrates information security more closely into the enterprise architecture and system development life cycle;
 * Provides equal emphasis on the selection, implementation, assessment, and monitoring of security controls, and the authorization of information systems;
 * Links risk management processes at the information system level to risk management processes at the organization level through a risk executive (function); and
 * Establishes responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems (i.e., common controls).

The risk management process described in this publication and in other supporting NIST publications changes the traditional focus from the stove-pipe, organization-centric, static-based approaches to C&A and provides the capability to more effectively manage information system-related security risks in highly dynamic environments of complex and sophisticated cyber threats, ever increasing system vulnerabilities, and rapidly changing missions.

1.2 PURPOSE AND APPLICABILITY
The purpose of this publication is to provide guidelines for applying the Risk Management Framework to federal information systems to include conducting the activities of security categorization, security control selection and implementation, security control assessment, information system authorization, and security control monitoring. The guidelines have been developed:

 * To ensure that managing risk from the operation and use of federal information systems is consistent with the organization's mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function);
 * To ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes;
 * To support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results; and
 * To achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies.

This publication satisfies the requirements of the Federal Information Security Management Act (FISMA) and meets or exceeds the information security requirements established for executive agencies by the Office of Management and Budget (OMB) in Circular A-130, Appendix III, Security of Federal Automated Information Resources. The guidelines in this publication are applicable to all federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542. The guidelines have been broadly developed from a technical perspective to complement similar guidelines for national security systems and may be used for such systems with the approval of appropriate federal officials exercising policy authority over such systems. State, local, and tribal governments, as well as private sector organizations, are encouraged to consider using these guidelines, as appropriate.

1.3 TARGET AUDIENCE
This publication serves individuals associated with the design, development, implementation, operation, maintenance, and disposition of federal information systems including:

 * Individuals with mission/business ownership responsibilities or fiduciary responsibilities (e.g., heads of federal agencies, chief executive officers, chief financial officers);
 * Individuals with information system development and integration responsibilities (e.g., program managers, information technology product developers, information system developers, information systems integrators, enterprise architects, information security architects);
 * Individuals with information system and/or security management/oversight responsibilities (e.g., senior leaders, risk executives, authorizing officials, chief information officers, senior information security officers);
 * Individuals with information system and security control assessment and monitoring responsibilities (e.g., system evaluators, assessors/assessment teams, independent verification and validation assessors, auditors, or information system owners); and
 * Individuals with information security implementation and operational responsibilities (e.g., information system owners, common control providers, information owners/stewards, mission/business owners, information security architects, information system security engineers/officers).

1.4 ORGANIZATION OF THIS SPECIAL PUBLICATION
The remainder of this special publication is organized as follows:

 * Chapter Two describes the fundamental concepts associated with managing risk from information systems including: (i) an enterprise-wide view of risk management and the application of the Risk Management Framework; (ii) the integration of information security requirements into the system development life cycle; (iii) the establishment of information system boundaries; and (iv) the allocation of security controls to organizational information systems as system-specific, hybrid, or common controls.
 * Chapter Three describes the tasks required to apply the Risk Management Framework to information systems including: (i) the categorization of information and information systems; (ii) the selection of security controls; (iii) the implementation of security controls; (iv) the assessment of security control effectiveness; (v) the authorization of the information system; and (vi) the ongoing monitoring of security controls and the security state of the information system.
 * Supporting appendices provide additional information regarding the application of the Risk Management Framework to information systems including: (i) references; (ii) glossary; (iii) acronyms; (iv) roles and responsibilities; (v) summary of Risk Management Framework tasks; (vi) security authorization of information systems; (vii) monitoring the security state of information systems; (viii) operational scenarios; and (ix) security controls in external environments.