NIST SP 800-37 Footnotes

From FISMApedia


Information security is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.


An information system is a discrete set of information resources organized expressly for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.


Agency operations include such things as mission, functions, image, and reputation.


Security controls are the management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.


An executive agency is: (i) an Executive Department specified in 5 U.S.C., Section 101; (ii) a Military Department specified in 5 U.S.C., Section 102; (iii) an independent establishment as defined in 5 U.S.C., Section 104(1); and (iv) a wholly owned government corporation fully subject to the provisions of 31 U.S.C., Chapter 91.


Security accreditation is synonymous with security authorization; the terms are used interchangeably in this special publication.


Risks to individuals may include, but are not limited to, loss of the privacy to which individuals are entitled under law.


NIST Special Publications 800-18, 800-30, 800-34, 800-47, 800-50, 800-61, and 800-70 respectively, provide guidance on system security plans, risk management and risk assessments, contingency planning, information system interconnections, security awareness and training, incident response planning, and security configuration checklists.


Management controls are the safeguards or countermeasures that focus on the management of risk and the management of information system security. Operational controls are the safeguards or countermeasures that primarily are implemented and executed by people (as opposed to systems). Technical controls are the safeguards or countermeasures that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.


Examples of significant changes to an information system that should be reviewed for possible reaccreditation include but are not limited to: (i) installation of a new or upgraded operating system, middleware component, or application; (ii) modifications to system ports, protocols, or services; (iii) installation of a new or upgraded hardware platform or firmware component; or (iv) modifications to cryptographic modules or services. Changes in laws, directives, policies, or regulations, while not always directly related to the information system, can also potentially affect the security of the system and trigger a reaccreditation action.


NIST Special Publication 800-59 provides guidance for identifying an information system as a national security system.


There are typically five phases in the system development life cycle of an information system: (i) system initiation; (ii) system development and acquisition; (iii) system implementation; (iv) system operations and maintenance; and (v) system disposal. NIST Special Publication 800-64 provides guidance on the security considerations in the information system development life cycle.


NIST Special Publication 800-53A provides guidance for assessing the security controls in an information system.


Security certification and accreditation activities should be closely linked to and be a part of the system development life cycle for the information system. This linkage and integration into the life cycle will ensure that important security-related considerations are included in the design, development, implementation, and operation of the information system.


Some agencies may choose to establish an authorization advocate or security certification and authorization organization that manages, coordinates, and oversees all security authorization activities agency-wide, working with the Senior Agency Information Security Officer, Authorizing Officials, and Information System Owners.


Programs for the testing and evaluation of cryptographic modules and information technology products are available under the NIST Cryptographic Module Validation Program (CMVP) and the National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS), respectively, in accordance with federal and international security standards.


Self-assessments can be conducted using a variety of methodologies including the National Security Agency INFOSEC Assessment Methodology and NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems.


The Office of the Inspector General typically conducts internal audits on federal agencies. The General Accounting Office conducts external audits on agency information systems using the Federal Information System Controls Audit Manual.


Previous assessment and audit results should always be reviewed and/or analyzed to determine the extent to which those results are still applicable and accurately reflect the current security state of the information system. Where previous results are deemed not fully applicable or less than current, those areas should be reassessed or the differences so noted for consideration in the final security assessment report.


Agencies may define other significant roles (e.g., systems administrators, facilities managers, system security engineers, and operations managers) to support the security certification and accreditation process. The Office of the Inspector General may also become involved and take on the role of independent auditor in assessing the quality of security certification and accreditation processes.


Caution should be exercised when one individual fills multiple roles in the security certification and accreditation process to ensure that the individual retains an appropriate level of independence and remains free from conflicts of interest.


When an agency has not designated a formal Chief Information Officer position, FISMA requires the associated responsibilities to be handled by a comparable agency official.


In some agencies, the senior official and the Chief Information Officer may be co-Authorizing Officials. In this situation, the senior official approves the operation of the information system prior to the Chief Information Officer.


The role of Information System Owner can be interpreted in a variety of ways depending on the particular agency and the system development life cycle phase of the information system. Some agencies may refer to Information System Owners as program managers or business/asset/mission owners.


In some situations, the notification of the need to conduct a security certification and accreditation may come from the Senior Agency Information Security Officer or Authorizing Official as they endeavor to ensure compliance with federal or agency policy. The responsibility for ensuring appropriate resources are allocated to the security certification and accreditation effort depends on whether the agency uses a centralized or decentralized funding mechanism.


Depending on how the agency has organized and structured its security certification and accreditation activities, the Authorizing Official may choose to designate an individual other than the Information System Owner to compile and assemble the information for the accreditation package. In this situation, the designated individual must coordinate the compilation and assembly activities with the Information System Owner.


Information resources consist of information and related resources, such as personnel, equipment, funds, and information technology.


Direct management control typically involves budgetary, programmatic, or operational authority and associated responsibility. For new information systems, management control can be interpreted as having budgetary/programmatic authority and responsibility for the development and deployment of the information systems. For information systems currently in the federal inventory, management control can be interpreted as having budgetary/operational authority for the day-to-day operations and maintenance of the information systems.


A subsystem is a major subdivision or component of an information system consisting of information, information technology, and personnel that performs one or more specific functions.


Based on the definitions provided in OMB Circular A-130, Appendix III, agencies can associate the different types of information systems and applications with the security categories and impact levels defined in FIPS 199. For example, a major application could be expected to have a potential impact level of moderate or high in its security categorization. A minor application could be expected to have a potential impact level of low or moderate in its security categorization. A general support system could be expected to have a potential impact level of low, moderate, or high in its security categorization depending on the criticality or sensitivity of the system, potential impact of loss, and whether the system is supporting (i.e., hosting) any major applications. Minor applications are typically included (or bundled) within a general support system.


Each subsystem component within the information system can be assigned a security categorization in accordance with FIPS 199. The overall security categorization of the information system can be determined by taking the high water mark of the security categorizations of the individual subsystem components.
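The high water mark rule described in the footnote above, as an added example (not code from NIST SP 800-37 or FISMApedia): each subsystem is categorized per objective, and the system category is the maximum across subsystems and across confidentiality, integrity and availability. The subsystem names and impact levels are constructed sample data, and the "not applicable" handling for confidentiality comes from FIPS 199 itself rather than from this page.

```python
"""FIPS 199 categorization of a multi-subsystem information system using the
high water mark rule: per-objective maximum over all subsystems, then the
maximum over confidentiality, integrity and availability."""
from typing import Dict, List, Optional

# FIPS 199 impact levels in rank order. None models the "not applicable"
# value FIPS 199 allows only for confidentiality of already-public information
# (that rule comes from FIPS 199 itself, not from SP 800-37).
LEVEL_RANK = {None: 0, "low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")
Categorization = Dict[str, Optional[str]]

def validate(cat: Categorization) -> None:
    """Reject incomplete or malformed categorizations before aggregation."""
    for obj in OBJECTIVES:
        if obj not in cat:
            raise ValueError(f"no impact level stated for {obj}")
        if cat[obj] not in LEVEL_RANK:
            raise ValueError(f"unknown impact level {cat[obj]!r} for {obj}")
        if cat[obj] is None and obj != "confidentiality":
            raise ValueError(f"'not applicable' is not allowed for {obj}")

def high_water_mark(cats: List[Categorization]) -> Categorization:
    """Per-objective maximum impact level across several categorizations."""
    return {obj: max((c[obj] for c in cats), key=LEVEL_RANK.__getitem__)
            for obj in OBJECTIVES}

def overall_level(cat: Categorization) -> str:
    """Collapse one categorization to a single level: max of C, I and A."""
    return max(cat.values(), key=LEVEL_RANK.__getitem__)

def system_categorization(subsystems: Dict[str, Categorization]):
    """Return (per-objective system categorization, overall system level)."""
    for cat in subsystems.values():
        validate(cat)
    per_objective = high_water_mark(list(subsystems.values()))
    return per_objective, overall_level(per_objective)

# Constructed sample subsystems; not drawn from any real agency inventory.
SUBSYSTEMS = {
    "public-web-frontend": {"confidentiality": None,
                            "integrity": "moderate", "availability": "moderate"},
    "case-records-db": {"confidentiality": "moderate",
                        "integrity": "high", "availability": "moderate"},
    "internal-reporting": {"confidentiality": "low",
                           "integrity": "low", "availability": "low"},
}
```

With the sample data the system is categorized moderate for confidentiality, high for integrity and moderate for availability, so the overall level is high even though no single subsystem is high across the board.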


Since Information System Owners are involved in the planning process that establishes timeframes for conducting security certification and accreditation activities, they are in a good position to address security-related deficiencies in a timely manner before the certification and accreditation process begins. Mitigating security vulnerabilities in the information system as soon as possible, before the vulnerabilities rise to higher levels of significance or seriousness, ensures that the interim authorization to operate remains a viable option. Information systems, especially mission-critical or high-impact systems as described in FIPS 199, should not be operating with significant security vulnerabilities requiring extended remediation time.


The initial risk assessment, included as an appendix to the system security plan or referenced in the plan, is updated by the Information System Owner prior to the final assembly of the security accreditation package.


Security accreditation packages can be submitted in either paper or electronic format. Appropriate measures should be employed to protect the information contained in accreditation packages (electronic or paper format) in accordance with agency policy.


At the discretion of the agency, the security status reports on agency information systems can be used to help satisfy the FISMA reporting requirement for documenting remedial actions for any security-related deficiencies.


NIST Special Publication 800-53A provides guidance for assessing the security controls in an information system.


FIPS 199 security categorizations should be used to determine agency priorities and importance of information systems.


Supplemental guidance is not provided for all subtasks in the certification and accreditation process. Guidance for scaling the level of effort applied to the development of system security plans, the selection of security controls, and the conduct of risk assessments is beyond the scope of this publication.


Agencies have significant flexibility in assigning security certification and accreditation responsibilities. Some agencies may employ a shared model of responsibility with the Senior Agency Information Security Officer called upon to assist the Information System Owner in carrying out security certification and accreditation tasks/subtasks. The delineation and assignment of specific security certification and accreditation responsibilities is handled by agencies on a case-by-case basis in accordance with their organizational structures.


The Information System Owner may assume the role of the independent Certification Agent when a self-assessment of the information system security controls is appropriate. The Information System Owner may also seek the assistance of other designated individuals (including contractors) in carrying out self-assessment activities.