ICANN/GNSO GNSO Email List Archives

[ga]



[ga] Will ICANN be complying? - ITL Bulletin for May 2004

  • To: General Assembly of the DNSO <ga@xxxxxxxxxxxxxx>, Don Evans <DEvans@xxxxxxx>
  • Subject: [ga] Will ICANN be complying? - ITL Bulletin for May 2004
  • From: Jeff Williams <jwkckid1@xxxxxxxxxxxxx>
  • Date: Thu, 20 May 2004 18:00:19 -0700
  • Cc: icann board address <icann-board@xxxxxxxxx>, Paul A Vixie <paul@xxxxxxx>, Jane Coffin <jcoffin@xxxxxxxxxxxx>, Kathy Smith <KSMITH@xxxxxxxxxxxx>, Elizabeth Lennon <elizabeth.lennon@xxxxxxxx>
  • Organization: INEGroup Spokesman
  • Sender: owner-ga@xxxxxxxxxxxxxx

All former DNSO GA members or other interested stakeholders/users,

  I wonder when or if ICANN will be complying?
See: http://csrc.nist.gov/sec-cert/

ITL Bulletin for May 2004

GUIDE FOR THE SECURITY CERTIFICATION AND
ACCREDITATION OF FEDERAL INFORMATION SYSTEMS
Elizabeth B. Lennon, Editor
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

Introduction

In response to the requirements of the E-Government Act
(Public Law 107-347), Title III, Federal Information
Security Management Act (FISMA) of December 2002, ITL
recently published NIST Special Publication (SP) 800-37,
Guide for the Security Certification and Accreditation of
Federal Information Systems. Developed through an extensive
public review process, the document represents a
significant contribution to federal agency security
management by providing specific recommendations on how to
certify and accredit information systems. State, local, and
tribal governments, as well as private sector
organizations, are encouraged to use the guidelines, as
appropriate. This ITL Bulletin summarizes the document,
which is available at http://csrc.nist.gov/sec-cert/.

NIST SP 800-37 provides guidelines for the security
certification and accreditation of information systems
supporting the executive agencies of the federal
government. The guidelines have been developed to help
achieve more secure information systems within the federal
government by:
* Enabling more consistent, comparable, and repeatable
assessments of security controls in federal information systems;
* Promoting a better understanding of agency-related
mission risks resulting from the operation of information
systems; and
* Creating more complete, reliable, and trustworthy
information for authorizing officials, to facilitate more
informed security accreditation decisions.

Security Certification and Accreditation

Security certification and accreditation are important
activities that support a risk management process and are an
integral part of an agency's information security program.

Security accreditation is the official management decision
given by a senior agency official to authorize operation of
an information system and to explicitly accept the risk to
agency operations, agency assets, or individuals based on
the implementation of an agreed-upon set of security
controls. Required by OMB Circular A-130, Appendix III,
security accreditation provides a form of quality control
and challenges managers and technical staffs at all levels
to implement the most effective security controls possible
in an information system, given mission requirements,
technical constraints, operational constraints, and
cost/schedule constraints. By accrediting an information
system, an agency official accepts responsibility for the
security of the system and is fully accountable for any
adverse impacts to the agency if a breach of security
occurs. Thus, responsibility and accountability are core
principles that characterize security accreditation.

It is essential that agency officials have the most
complete, accurate, and trustworthy information possible on
the security status of their information systems in order
to make timely, credible, risk-based decisions on whether
to authorize operation of those systems. The information
and supporting evidence needed for security accreditation
is often developed during a detailed security review of an
information system, typically referred to as security
certification. Security certification is a comprehensive
assessment of the management, operational, and technical
security controls in an information system, made in support
of security accreditation, to determine the extent to which
the controls are implemented correctly, operating as
intended, and producing the desired outcome with respect to
meeting the security requirements for the system. The
results of a security certification are used to reassess
the risks and update the system security plan, thus
providing the factual basis for an authorizing official to
render a security accreditation decision.

Roles and Responsibilities

NIST SP 800-37 describes the roles and responsibilities of
key participants, summarized below, involved in an agency's
security certification and accreditation process:

* The Chief Information Officer is the agency official
responsible for: (i) designating a senior agency
information security officer; (ii) developing and
maintaining information security policies, procedures, and
control techniques to address all applicable
requirements; (iii) training and overseeing personnel with
significant responsibilities for information security; (iv)
assisting senior agency officials concerning their security
responsibilities; and (v) in coordination with other senior
agency officials, reporting annually to the agency head on
the effectiveness of the agency information security
program, including progress of remedial actions.

* The authorizing official (or designated
approving/accrediting authority as referred to by some
agencies) is a senior management official or executive with
the authority to formally assume responsibility for
operating an information system at an acceptable level of
risk to agency operations, agency assets, or individuals.

* The authorizing official's designated representative is
an individual acting on the authorizing official's behalf
in coordinating and carrying out the necessary activities
required during the security certification and
accreditation of an information system.

* The senior agency information security officer is the
agency official responsible for: (i) carrying out the Chief
Information Officer responsibilities under FISMA; (ii)
possessing professional qualifications, including training
and experience, required to administer the information
security program functions; (iii) having information
security duties as that official's primary duty; and (iv)
heading an office with the mission and resources to assist
in ensuring agency compliance with FISMA.

* The information system owner is an agency official
responsible for the overall procurement, development,
integration, modification, or operation and maintenance of
an information system.

* The information owner is an agency official with
statutory or operational authority for specified
information and responsibility for establishing the
controls for its generation, collection, processing,
dissemination, and disposal.

* The information system security officer is the individual
responsible to the authorizing official, information system
owner, or the senior agency information security officer
for ensuring the appropriate operational security posture
is maintained for an information system or program.

* The certification agent is an individual, group, or
organization responsible for conducting a security
certification, or comprehensive assessment of the
management, operational, and technical security controls in
an information system to determine the extent to which the
controls are implemented correctly, operating as intended,
and producing the desired outcome with respect to meeting
the security requirements for the system.

* User representatives are individuals that represent the
operational interests of the user community and serve as
liaisons for that community throughout the system
development life cycle of the information system.

At the discretion of senior agency officials, certain
security certification and accreditation roles may be
delegated, and if so, appropriately documented. Individuals
serving in delegated roles are able to operate with the
authority of agency officials within the limits defined for
the specific certification and accreditation activities.
Agency officials retain ultimate responsibility, however,
for the results of actions performed by individuals serving
in delegated roles.

The Process

The security certification and accreditation process
consists of four distinct phases:
* Initiation Phase;
* Security Certification Phase;
* Security Accreditation Phase; and
* Continuous Monitoring Phase.

Each phase in the security certification and accreditation
process consists of a set of well-defined tasks and
subtasks that are to be carried out, as indicated, by
responsible individuals (e.g., the Chief Information
Officer, authorizing official, authorizing official's
designated representative, senior agency information
security officer, information system owner, information
owner, information system security officer, certification
agent, and user representatives).

The Initiation Phase consists of three tasks: (i)
preparation; (ii) notification and resource identification;
and (iii) system security plan review, analysis, and
acceptance. The purpose of this phase is to ensure that the
authorizing official and senior agency information security
officer are in agreement with the contents of the system
security plan before the certification agent begins the
assessment of the security controls in the information system.

The Security Certification Phase consists of two tasks: (i)
security control assessment; and (ii) security
certification documentation. The purpose of this phase is
to determine the extent to which the security controls in
the information system are implemented correctly, operating
as intended, and producing the desired outcome with respect
to meeting the security requirements for the system. This
phase also addresses specific actions taken or planned to
correct deficiencies in the security controls and to reduce
or eliminate known vulnerabilities in the information
system. Upon successful completion of this phase, the
authorizing official will have the information needed from
the security certification to determine the risk to agency
operations, agency assets, or individuals, and thus will be
able to render an appropriate security accreditation
decision for the information system.

The Security Accreditation Phase consists of two tasks: (i)
security accreditation decision; and (ii) security
accreditation documentation. The purpose of this phase is
to determine if the remaining known vulnerabilities in the
information system (after the implementation of an
agreed-upon set of security controls) pose an acceptable
level of risk to agency operations, agency assets, or
individuals. Upon successful completion of this phase, the
information system owner will have: (i) authorization to
operate the information system; (ii) an interim
authorization to operate the information system under
specific terms and conditions; or (iii) denial of
authorization to operate the information system.

The Continuous Monitoring Phase consists of three tasks:
(i) configuration management and control; (ii) security
control monitoring; and (iii) status reporting and
documentation. The purpose of this phase is to provide
oversight and monitoring of the security controls in the
information system on an ongoing basis and to inform the
authorizing official when changes occur that may impact on
the security of the system. The activities in this phase
are performed continuously throughout the life cycle of the
information system.

Accreditation Decisions

The security accreditation package documents the results of
the security certification and provides the authorizing
official with the essential information needed to make a
credible, risk-based decision on whether to authorize
operation of the information system. Security
accreditation decisions resulting from security
certification and accreditation processes should be
conveyed to information system owners. To ensure the
agency's business and operational needs are fully
considered, the authorizing official should meet with the
information system owner prior to issuing the security
accreditation decision to discuss the security
certification findings and the terms and conditions of the
authorization. There are three types of accreditation
decisions that can be rendered by authorizing officials:
* Authorization to operate;
* Interim authorization to operate; or
* Denial of authorization to operate.

Examples of security accreditation decision letters appear
in Appendix E.

Continuous Monitoring

A critical aspect of the security certification and
accreditation process is the post-accreditation period
involving the continuous monitoring of security controls in
the information system over time. An effective continuous
monitoring program requires:
* Configuration management and configuration control processes;
* Security impact analyses on changes to the information
system; and
* Assessment of selected security controls in the
information system and security status reporting to
appropriate agency officials.

Conclusion

Completing a security accreditation ensures that an
information system will be operated with appropriate
management review, that there is ongoing monitoring of
security controls, and that re-accreditation occurs
periodically in accordance with federal or agency policy
and whenever there is a significant change to the system or
its operational environment.

Disclaimer: Any mention of commercial products or reference
to commercial organizations is for information only; it
does not imply recommendation or endorsement by the
National Institute of Standards and Technology nor does it
imply that the products mentioned are necessarily the best
available for the purpose.


Elizabeth B. Lennon
Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 840-1357

Regards,
--
Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!)
"Be precise in the use of words and expect precision from others" -
    Pierre Abelard

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security
IDNS. div. of Information Network Eng.  INEG. INC.
E-Mail jwkckid1@xxxxxxxxxxxxx
 Registered Email addr with the USPS
Contact Number: 214-244-4827




