Demystifying the Cyber NISTs WEBINAR

Upload: schellman-company

Post on 29-Jan-2018


Page 1: Demystifying the Cyber NISTs (Webinar)

Page 2: Section 1 – Federal Alphabet Soup

Page 3: Acronym Overload!

Compliance, Critical Infrastructure, Cyber Security, EO 13636 - and Cyber Cyber Cyber…
FedRAMP, FISMA, NIST, FIPS, RMF, DIACAP
SP 800-53, SP 800-171, SP 800-37
FIPS 199, FIPS 200, OMB Circular 130

Page 4: Learning Objectives

• Provide baseline knowledge of the most discussed frameworks, standards, and programs
• Put the acronyms in context of their intention and discuss their relationship to other standards
• Attempt to dispel some common misconceptions

Page 5: About That Cyber Term…

"Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation's security, economy, and public safety and health at risk."

Source – NIST Cybersecurity Framework

The bottom line is that the government has defined cybersecurity as the function of protecting interconnected critical infrastructure and data.

Page 6: Section 2 – Diving into the "NISTs"

Page 7: Framing the Discussion for Federal

• Laws – Speak in terms of goals and objectives (e.g. FISMA)
• Regulations – Clarify the goals and objectives of a law
• Executive Orders – Provide additional guidance and direction
• Frameworks – Bring together a series of goals, objectives, standards, and implementation guidance (e.g. the NIST Cybersecurity Framework)
• Standards and Best Practices
  • FIPS – Federal Information Processing Standards
  • NIST SP – Special Publication (for security)
  • Information Supplements
• Programs – Designed to implement and enforce laws, regulations, and standards for a defined group (e.g. FedRAMP for cloud computing)

Note that the focus will largely be around standards and frameworks that Schellman's service provider clients have to follow.

Page 8: Laws, Regulations, and EOs

• FISMA – Federal Information Security Management Act
  • FISMA is a law that governs government agencies
  • Applies by extension to those that use government data or resources
  • Not a compliance certification
• Regulations and Rulings
  • Often agency specific (e.g. ITAR)
  • HIPAA – Final Security Ruling
• Executive Orders
  • Can provide clarity and enforcement guidance (e.g. EO 13636 signed by Barack Obama)

Page 9: Standards: NIST SP 800-53

• Why start here?
• NIST SP 800-53 is the Kevin Bacon of federal cybersecurity
• If not directly referenced within a law, it is no more than two degrees of separation from everything!

Page 10: NIST SP 800-53 (cont.)

• National Institute of Standards and Technology Special Publication 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations
• Currently revision 4 (revision 5 is being put out for comment)
• Supports government FISMA compliance
• Is the detail behind Federal Information Processing Standard (FIPS) 200
• Is tailored based on FIPS 199

Page 11: Back to FIPS

• Federal Information Processing Standards (FIPS) Publications are standards issued by NIST after approval by the Secretary of Commerce pursuant to the Federal Information Security Management Act (FISMA)
• The most common include:
  • FIPS 200 – Minimum Security Requirements for Federal Information and Information Systems
  • FIPS 199 – Provides the methodology for establishing information categorization based on risk (i.e. low, moderate, and high)
  • FIPS 140-2 – Security Requirements for Cryptographic Modules
• FIPS tie laws to standards and, in almost all cases, FIPS are supported by more detailed guidance within the NIST Special Publications (e.g. NIST 800-53)
• https://csrc.nist.gov/publications/PubsFIPS.html

Page 12: NIST SP 800-171

• Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
• Designed largely for federal contractors
• Uses a carved-out subset of the NIST 800-53 requirements
• Revision 1 released in December of 2016

Page 13: Other Relevant Standards

• Special Publications
  • SP 800-145 – The NIST Definition of Cloud Computing
  • SP 800-117 and 800-126 – Multiple standards related to the Security Content Automation Protocol (SCAP)
  • SP 800-37 – Guide for Applying the Risk Management Framework to Federal Information Systems: a Security Life Cycle Approach
  • Multiple SPs related to encryption and key management in support of FIPS 140-2
  • Others are platform and technology specific (e.g. virtualization, wireless, Apple OS X, and more)
  • http://csrc.nist.gov/publications/PubsSPs.html
• Additional
  • Common Criteria aka ISO/IEC 15408

Page 14: Program: FedRAMP

• Federal Risk and Authorization Management Program (FedRAMP) defined standard and requirements
• Designed for cloud service providers (CSPs) being used by federal agencies
• Core Documentation/Deliverables - System Security Plan (SSP), FIPS 199, Security Assessment Plan (SAP) and Security Assessment Report (SAR), and Plan of Action and Milestones (POA&M)
• Based on NIST SP 800-53 and 800-53A (testing procedures)

Page 15: Program: Department of Defense and FedRAMP+

• DoD has additional frameworks and controls for maintaining mission critical systems
• Leverages the Risk Management Framework (RMF) set forth in NIST SP 800-37
• Defines impact levels of 2 through 6
• FedRAMP moderate = Level 2
• FedRAMP+ = FedRAMP plus additional controls from the DoD Supplemental Resource Guide (SRG)
• http://iasecontent.disa.mil/cloud/SRG/

DoD Instruction (DoDI) 8500.01, entitled Cybersecurity, directs Director DISA, under the authority, direction, and control of the DoD CIO, to develop and maintain Control Correlation Identifiers (CCIs), Security Requirements Guides (SRGs), Security Technical Implementation Guides (STIGs), and mobile code risk categories and usage guides that implement and are consistent with DoD cybersecurity policies, standards, architectures, security controls, and validation procedures, with the support of the National Security Agency Central Security Service (NSA/CSS), using input from stakeholders, and using automation whenever possible.

Page 16: DoD Impact Levels Broken Out

Page 17: Framework: NIST Cybersecurity Framework

• Originally published in 2014. Version 1.1 comments were solicited until April 10, 2017.
• Designed to scale with flexibility regardless of industry
• Builds on SP 800-53 and also maps to ISO 27001, COBIT, and Industrial Controls requirements
• Recently pitched to the healthcare industry for adoption
• https://www.nist.gov/news-events/events/2017/03/cybersecurity-framework-virtual-events

The three Framework components shown on the slide:
• Framework Core – Cybersecurity activities and informative references, organized around particular outcomes; enables communication of cyber risk across an organization
• Framework Implementation Tiers – Describes how cybersecurity risk is managed by an organization and the degree to which its risk management practices exhibit key characteristics
• Framework Profile – Aligns industry standards and best practices to the Framework Core in a particular implementation scenario; supports prioritization and measurement while factoring in business needs

Page 18: What Else?

• International Traffic in Arms Regulation (ITAR)
• Criminal Justice Information System (CJIS)
  • Program
  • Includes a "policy" of standards requirements
• Department of Commerce National Technical Information Service (NTIS) Limited Access Death Master File (DMF)
  • Standard for protecting a file of social security numbers associated with deceased persons
  • Includes an attestation report/template

Page 19: Section 3 – Bringing it Back Together

Page 20: Understanding the Cyber NIST Pieces of the Puzzle

• Laws, Regulations, and EOs – FISMA, HIPAA, EO 13636
• FIPS Standards – FIPS 200, FIPS 199, FIPS 140-2
• SP Standards – 800-53, 800-37, 800-171
• Compliance Programs – FedRAMP, DoD SRG, CJIS
• Frameworks – NIST Risk Management Framework, NIST Cybersecurity Framework

Page 21: Closing Thoughts

• Don't have to be an expert
• Recognize the core standards most applicable for your business
• Know where to look for help (and who to ask!)