NIST SP 800-37r1dF Footnotes
The E-Government Act (P.L. 107-347) recognizes the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), emphasizes the need for organizations to develop, document, and implement an organization-wide program to provide security for the information systems that support its operations and assets.
The term agency is used in this publication in lieu of the more general term organization only in those circumstances where its usage is directly related to other source documents such as federal legislation or policy.
While federal agencies are required to follow certain specific NIST Special Publications in accordance with OMB policy, there is flexibility in how agencies apply the guidance. Federal agencies should apply the security concepts and principles articulated in the NIST Special Publications in accordance with and in the context of the agency's missions, business functions, and environment of operation. Consequently, the application of NIST guidance by federal agencies can result in different security solutions that are equally acceptable, compliant with the guidance, and meet the OMB definition of adequate security for federal information systems. When assessing federal agency compliance with NIST Special Publications, Inspectors General, evaluators, auditors, and assessors should consider the intent of the security concepts and principles articulated within the specific guidance document and how the agency applied the guidance in the context of its mission/business responsibilities, operational environment, and unique organizational conditions.
The term organization is used in this publication to describe an entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency or, as appropriate, any of its operational elements).
Adverse impacts to the Nation include, for example, compromises to information systems that support critical infrastructure applications or are paramount to government continuity of operations as defined by the Department of Homeland Security.
OMB Circular A-130, Appendix III, describes adequate security as security commensurate with risk. This risk includes both the likelihood and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.
Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, and is typically a function of the likelihood of the circumstance or event occurring and of the resulting adverse impacts.
Security authorization is the official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.
Reciprocity of security authorization results is the mutual agreement among participating organizations to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information. Reciprocity is best achieved by promoting the concept of transparency (i.e., making sufficient evidence regarding the security state of an information system available, so that an authorizing official from another organization can use that evidence to make credible, risk-based decisions regarding the operation and use of that system or the information it processes, stores, or transmits).
An executive agency is: (i) an executive department specified in 5 U.S.C., Section 101; (ii) a military department specified in 5 U.S.C., Section 102; (iii) an independent establishment as defined in 5 U.S.C., Section 104(1); and (iv) a wholly owned government corporation fully subject to the provisions of 31 U.S.C., Chapter 91. In this publication, the term executive agency is synonymous with the term federal agency.
Interconnection of federal information systems with information systems operated by state, local, and/or tribal governments requires the application of the information security standards and guidelines described in this publication. Information security requirements and the terms and conditions of the system interconnections are expressed in the Memorandums of Understanding and Interconnection Security Agreements established by participating organizations.
NIST Special Publication 800-39, Integrated Enterprise-Wide Risk Management: Organization, Mission, and Information System View (projected for publication in 2010), will provide guidance on the holistic approach to risk management.
Other types of risk include, for example: (i) acquisition risk (cost, schedule, performance); (ii) compliance and regulatory risk; (iii) financial risk; (iv) legal risk; (v) operational (mission/business) risk; (vi) political risk; (vii) program/project risk; (viii) reputational risk; (ix) safety risk; (x) strategic planning risk; and (xi) supply chain risk.
Federal Enterprise Architecture Reference Models and Segment and Solution Architectures are defined in the OMB Federal Enterprise Architecture (FEA) Program, FEA Consolidated Reference Model Document, Version 2.3, October 2003 and OMB Federal Segment Architecture Methodology (FSAM), January 2009, respectively.
The allocation of security controls can take place at all three tiers in the risk management hierarchy. For example, security controls that are identified as common controls may be allocated at the organization, mission/business process, or information system level. See Section 2.4 for additional information on security control allocation.
Appendix I provides additional guidance regarding external service providers and the provision of security controls in external environments.
There are typically five phases in a generic system development life cycle including: (i) system initiation; (ii) system development/acquisition; (iii) system implementation; (iv) system operations/maintenance; and (v) system disposition.
Organizations may employ a variety of system development life cycle processes including, for example, waterfall, spiral, or agile development.
Resource requirements include funding for training organizational personnel to ensure that they can effectively carry out their assigned responsibilities.
Integrated project teams are multidisciplinary entities consisting of individuals with appropriate skills and expertise to help facilitate the development of information systems that meet the requirements of the organization.
Information resources consist of information and related resources including personnel, equipment, funds, and information technology.
A subsystem is a major subdivision or component of an information system consisting of information, information technology, and personnel that perform one or more specific functions.
Similarity of operating environments includes, for example, consideration of threat, policy, and management.
Tightly coupled subsystem components may introduce inadvertent weak links in a complex information system (system of systems). For example, if a large organizational intranet is decomposed by enterprise services into smaller subsystems (e.g., severable components such as local area network segments) and subsequently categorized individually, the specific protections at the subsystem level may allow a vector of attack against the intranet by requiring security controls commensurate with a lower impact level than the rest of the system. To avoid this situation, organizations are encouraged to carefully examine the interfaces among subsystem components and to take appropriate actions to eliminate potential vulnerabilities in this area, thus helping to ensure that the information system is adequately protected.
A net-centric architecture is a complex system of systems comprised of subsystems and services that are part of a continuously-evolving, complex community of people, devices, information and services interconnected by a network that enhances information sharing and collaboration.
Security plans, security assessment reports, and plans of action and milestones are critical outputs from the RMF used to manage risk associated with the operation of information systems. See Appendix F for additional information.
The process for managing risk from information systems described in this publication can be tailored to meet the needs of many communities of interest within the federal government including, for example, the Civil, Defense, and Intelligence Communities. Tailoring provides flexibility in applying the concepts of the RMF in a manner that is most suitable for the organizations and the information systems involved.
At the discretion of the organization, security control assessors may be given additional duties or responsibilities for the post-processing and analysis of security control assessment findings and results, including, for example, making specific recommendations and determinations to authorizing officials (also known as certification recommendations or certification determinations).
Security status reports can take whatever form the organization deems most appropriate. The goal is cost-effective and efficient ongoing communication with senior leaders conveying the current security state of the information system and its environment of operation with regard to organizational missions and business functions.
Caution should be exercised when one individual fills multiple roles in the risk management process to ensure that the individual retains an appropriate level of independence and remains free from conflicts of interest.
For example, the system development life cycle role of system developer or program manager can be aligned with information system owner; mission owner/manager can be aligned with authorizing official; and system/software engineers are complementary roles to information system security engineers.
Authorizing officials may have narrow or localized perspectives in rendering authorization decisions, in some cases without fully understanding or explicitly accepting the risks being incurred from such decisions. The responsibility of authorizing officials described in FIPS 200 was extended in NIST Special Publication 800-53 to include risks to other organizations and the Nation.
When an organization has not designated a formal chief information officer position, FISMA requires the associated responsibilities to be handled by a comparable organizational official.
Federal information is an asset of the Nation, not of a particular federal agency or its subordinate organizations. In that spirit, many federal agencies are developing policies, procedures, processes, and training needed to end the practice of information ownership and implement the practice of information stewardship. Information stewardship is the careful and responsible management of federal information belonging to the Nation as a whole, regardless of the entity or source that may have originated, created, or compiled the information. Information stewards provide maximum access to federal information to elements of the federal government and its customers, balanced by the obligation to protect the information in accordance with the provisions of FISMA and any associated security-related federal policies, directives, regulations, standards, and guidance.
Organizations can have multiple common control providers depending on how information security responsibilities are allocated organization-wide. Common control providers may also be information system owners when the common controls are resident within an information system. Common controls are described in Section 2.4.
The information system owner serves as the focal point for the information system. In that capacity, the information system owner serves both as an owner and as the central point of contact between the authorization process and the owners of components of the system including, for example: (i) applications, networking, servers, or workstations; (ii) owners/stewards of information processed, stored, or transmitted by the system; and (iii) owners of the missions and business functions supported by the system. Some organizations may refer to information system owners as program managers or business/asset owners.
The responsibility for deciding who has access to specific information within an information system (and with what types of privileges or access rights) may reside with the information owner/steward.
Depending on how the organization has organized its security authorization activities, the authorizing official may choose to designate an individual other than the information system owner to compile and assemble the information for the security authorization package. In this situation, the designated individual must coordinate the compilation and assembly activities with the information system owner.
Security control assessors may be called certification agents in some organizations. At the discretion of the organization, security control assessors may be given additional duties/responsibilities for the post-processing and analysis of security control assessment findings and results. This may include, for example, making specific determinations for or recommendations to authorizing officials (known in some communities of interest as certification recommendations or certification determinations).
The authorizing official determines what additional supporting documentation or references may be required to be included in the security authorization package. Appropriate measures are employed to protect information contained in security authorization packages in accordance with federal and organizational policy.
The security plan is a conceptual body of information which may be accounted for within one or more repositories and include documents (electronic or hard copy) that come from a variety of sources produced throughout the system development life cycle. For example, information system owners inheriting common controls can either list the controls in their respective security plans or reference the controls contained in the security plans of common control providers.
Organizations may choose to develop an executive summary from the detailed findings that are generated during a security control assessment. An executive summary provides an authorizing official with an abbreviated version of the security assessment report focusing on the highlights of the assessment, synopsis of key findings, and recommendations for addressing weaknesses and deficiencies in the security controls.
Organizations may choose to document the specific measures implemented to correct weaknesses or deficiencies in security controls in the plan of action and milestones, thereby providing an historical record of actions completed.
In general, risk exposure is the degree to which an organization is threatened by the potential adverse effects on organizational operations and assets, individuals, other organizations, or the Nation.
Organizations document their rationale for accepting security control weaknesses or deficiencies.
An interim authorization to test is a special type of authorization decision allowing an information system to operate in an operational environment for the express purpose of testing the system with actual operational (i.e., live) data for a specified time period. An interim authorization to test is granted by an authorizing official only when the operational environment or live data is required to complete specific test objectives.
Some organizations may choose to use the term interim authorization to operate to focus attention on the increased risk being accepted by the authorizing official in situations where there are significant weaknesses or deficiencies in the information system, but an overarching mission necessity requires placing the system into operation or continuing its operation.
Authorization decision documents may be digitally signed to ensure authenticity.
Organizations may choose to employ automated tools to support the development, distribution, and archiving of risk management documentation to include artifacts associated with the security authorization process.
Continuous monitoring is described in Appendix G.
The specific conditions under which security-related information can be effectively reused in security authorization, ongoing authorization, and reauthorization are described in NIST Special Publication 800-53A.
The decision to initiate a formal reauthorization action can be based on a variety of factors, including, for example, the acceptability of the previous authorization information provided in the authorization package, the length of time since the previous authorization decision, the risk tolerance of the new authorizing official, and current organizational requirements and/or priorities.
A continuous monitoring program within an organization involves a different set of activities than Security Incident Monitoring or Security Event Monitoring programs.
Near real-time risk management of information systems can be facilitated by employing automated support tools to execute various steps in the RMF including authorization-related activities. In addition to vulnerability scanning tools, system and network monitoring tools, and other automated support tools that can help to determine the security state of an information system, organizations can employ automated security management and reporting tools to update critical documents in the authorization package including the security plan, security assessment report, and plan of action and milestones. The documents in the authorization package are considered “living documents” and updated accordingly based on actual events that may affect the security of the information system. Transitioning to a near real-time risk management environment will require the increased use of automated support tools over time as organizations integrate these technologies into their information security programs in accordance with available resources.
Although the primary focus of continuous monitoring activities is on the effectiveness of security controls employed within and inherited by an information system, there are other equally important external factors in the environment of operation for a system that also require monitoring on an ongoing basis. These factors include, for example, changes in the organization's missions or business processes, changes in the threat space, and changes in tolerance for previously accepted risks.
Through the use of automation, it is possible to monitor a greater number of security controls on an ongoing basis than is feasible using manual processes. As a result, organizations may choose to monitor a greater number of security controls with increased frequency.
Organizations have significant latitude and flexibility in the breadth, depth, and formality of security status reports. At a minimum, security status reports describe or summarize key changes to security plans, security assessment reports, and plans of action and milestones. At the discretion of the organization, security status reports on information systems can be used to help satisfy the FISMA reporting requirement for documenting remedial actions on any security-related weaknesses or deficiencies.
References to federal agencies include organizations that are subordinate to those agencies.
Organizations that use or operate an information system on behalf of a federal agency or one of its subordinate organizations can include, for example, other federal agencies or their subordinate organizations, state and local government agencies, contractors, and academic institutions.
Organizations ensure that requirements for conducting the specific tasks in the RMF are included in appropriate contractual vehicles, including requirements for independent assessments, when appropriate.
The level of trust that an organization places in an external service provider can vary widely, ranging from those who are highly trusted (e.g., business partners in a joint venture that share a common business model and common goals) to those who are less trusted and represent greater sources of risk (e.g., business partners in one endeavor who are also competitors in another market sector).
Commercial providers of commodity-type services typically organize their business models and services around the concept of shared resources and devices for a broad and diverse customer base. Therefore, unless organizations obtain fully dedicated services from commercial service providers, there may be a need for greater reliance on compensating security controls to provide the necessary protections for the information system that relies on those external services. The organization's risk assessment and risk mitigation activities reflect this situation.
For example, a procurement originator could authorize an information system providing external services to the federal government under specific terms and conditions of the contract. A federal agency requesting information system services under the terms of the contract would not be required to reauthorize the information system when acquiring such services (unless the request included services outside the scope of the original contract).