20170112 Working Group Assessment Mandate Presentation DRAFT V1[2]

Page 1

Foundational Basis for the Assessment of NASA Information Systems

January 12, 2017

Presented by: Cybersecurity and Integration Division (CSID) Code 710

Information Technology & Communications Directorate (ITCD)Code 700

Page 2

Summary

To provide a thorough understanding of the Federal mandates and guidance that require continuous monitoring of NASA's Federal information systems through independent annual security control assessments.

Page 3

Overview

Legislative and regulatory basis for Federal governance of security within NASA information systems.

Page 4

Federal Laws

The Federal Information Security Management Act of 2002 (Public Law 107-347) and the Federal Information Security Modernization Act of 2014 (Public Law 113-283), known as FISMA 2002 and FISMA 2014 respectively, establish the security requirements for federally managed information systems. FISMA 2002 assigns oversight of agency compliance to the Office of Management and Budget (OMB); FISMA 2014 additionally codifies the operational role of the Department of Homeland Security (DHS), including its authority to issue binding operational directives to agencies.

Page 5

FISMA 2002

Makes the head of each federal agency responsible for "providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification or destruction."

To achieve this end, FISMA 2002 requires that "senior agency officials" accomplish the following objectives:

• Assess the risk and magnitude of harm that could result from a breach of security;

• Determine the appropriate level of security on a system-by-system basis;

• Implement policies and practices to reduce risk; and

• Periodically test and evaluate information security controls and techniques to ensure that they are effectively implemented.

Page 6

FISMA 2014

Carries forward and restates the annual independent evaluation requirement of FISMA 2002 (now 44 U.S.C. § 3555):

• Each year, each agency shall have performed an independent evaluation of the information security program and practices of that agency to determine the effectiveness of such program and practices.

Each such evaluation shall include:

• Testing of the effectiveness of information security policies, procedures, and practices of a representative subset of the agency's information systems;

• An assessment of the effectiveness of the information security policies, procedures, and practices of the agency; and

• Separate presentations, as appropriate, regarding information security relating to national security systems.

Page 7

FISMA 2014 (cont.)

Requires that the annual independent evaluation be performed by the agency's Office of Inspector General (OIG) or by an "independent external auditor" selected by the Inspector General; an agency that has no Inspector General must have the head of the agency engage an independent external auditor.

As a result, an assessment performed by a stakeholder in the information system under review (its owner, operator or developer) does not satisfy the legal requirement for independent annual assessments of federal information systems.

Page 8

Federal Directives (DHS)

DHS Binding Operational Directives (BODs)

DHS BOD 15-01 (Critical Vulnerability Mitigation Requirement for Federal Civilian Executive Branch Departments and Agencies' Internet-Accessible Systems) addresses the cybersecurity landscape from a national security perspective and directs stakeholders in federal information systems to mitigate critical vulnerabilities that DHS scanning identifies on their Internet-accessible systems within 30 days of detection.

It prescribes "identifying and mitigating vulnerabilities in the information technology (IT) environment" as a key mechanism for reducing the "risk of attackers penetrating their networks and stealing their information."

Page 9

Federal Instructions (OMB)

The OMB instruments that govern security assessments of federal information systems are OMB Circular No. A-130, OMB Memorandum M-15-01, OMB Memorandum M-14-03 and OMB Memorandum M-10-28.

These OMB mandates build on the statutes above by specifying that agencies shall "regularly review and address risk regarding processes, people and technology" using the guidance issued by the National Institute of Standards and Technology (NIST), including the mandatory Federal Information Processing Standards (FIPS).

Page 10

Federal Instructions (OMB) (cont.)

OMB Memorandum M-15-01 specifically mandates that agencies "assess information security risks on an ongoing basis" and that each agency "develop an Information Security Continuous Monitoring Strategy", i.e. an ISCM strategy.

OMB Memorandum M-14-03 states that the purpose of the ISCM strategy is to support and enhance "the process of ongoing authorization by providing authorizing officials with sufficient information regarding the current security state of their information systems and environments of operations, including the security controls employed within, and inherited by, the systems."

M-14-03 further states: "Continuous monitoring-generated information used to support ongoing authorizations must satisfy the independence requirements defined in NIST Special Publication (SP) 800-37 and SP 800-53." In SP 800-53 that requirement is control enhancement CA-2(1), Independent Assessors.

Page 11

NIST

• FISMA directs the National Institute of Standards and Technology (NIST) to develop the standards and guidelines by which the security of federal information systems is implemented and measured: the Federal Information Processing Standards (FIPS) and the Special Publication (SP) 800 series.

• Adherence to NIST guidance is therefore mandatory for agencies: FIPS are binding on federal agencies under FISMA, and OMB Circular A-130 requires agencies to apply NIST Special Publications.

Page 12

NASA Agency Governance

• NASA's IT organization issues a strategic plan covering the security of its federal information systems and regularly updates a series of IT Security Handbooks (ITS-HBKs) that give specific guidance on how the requirements above are met.

• The fifth goal of the NASA ITCD Strategic Plan for 2016 is to "Enhance and strengthen information security to ensure the integrity, availability, and confidentiality of NASA's critical data and risk management solutions."

• The ITS-HBK series provides detailed guidance on the processes used to meet NASA security program requirements. The handbooks are authorized as official Agency guidance by NASA Policy Directive (NPD) 2810.1E, NASA Information Security Policy, and NASA Procedural Requirement (NPR) 2810.1A, Security of Information Technology.

Page 13

Summary of Publications and Resources

Federal Laws

• Public Law 107-347 (FISMA 2002)

• Public Law 113-283 (FISMA 2014)

OMB Instructions

• OMB Circular No. A-130, Managing Information as a Strategic Resource

• OMB Memorandum M-10-28, Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security

• OMB Memorandum M-14-03, Enhancing the Security of Federal Information and Information Systems

• OMB Memorandum M-15-01, Fiscal Year 2014-2015 Guidance on Improving Federal Information Security and Privacy Management Practices

DHS Directives

• DHS Binding Operational Directive 15-01, Critical Vulnerability Mitigation Requirement for Federal Civilian Executive Branch Departments and Agencies' Internet-Accessible Systems

NIST Special Publications (SPs)

• NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach

• NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations

• NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans

Page 14

NASA Governance Documents

• NASA Information Technology & Communications Directorate (ITCD) Strategic Plan for 2016

• NASA Policy Directive (NPD) 2810.1E, NASA Information Security Policy

• NASA Procedural Requirement (NPR) 2810.1A, Security of Information Technology

• NASA IT Security Handbook (ITS-HBK) 2810.02, Security Assessment and Authorization

• NASA IT Security Handbook (ITS-HBK) 2810.04, Risk Assessment: Security Categorization, Risk Assessment, Vulnerability Scanning, Expedited Patching, & Organizationally Defined Values