Report from the NIST 800-53 Trenches
Supporting Advanced Scientific Computing Research • Basic Energy Sciences • Biological and Environmental Research • Fusion Energy Sciences • High Energy Physics • Nuclear Physics

Dan Peterson, ESnet Security Officer
Agenda
• ESnet overview
  – ESnet Mission
  – ESnet the network
  – ESnet infrastructure
  – ESnet, an Enclave of LBNL
• FISMA
• Assessing ESnet's Risk
• Documenting Risk and Controls
• Demo
  – FIPS 199
  – Controls
  – Procedures
  – LBNL Policies
  – Artifacts
• Discussion Topics
ESnet's Mission
• Primary mission is to enable the large-scale science that is the mission of the Department of Energy's Office of Science by:
  – Facilitating the sharing of massive amounts of data
  – Networking thousands of collaborators world-wide
  – Enabling distributed data processing / management, simulation, visualization, and computational steering
• To accomplish this mission, ESnet provides reliable, high-bandwidth networking and collaborative services to thousands of researchers across the country, whose work supports the Department of Energy's goal of scientific innovation
  – ~45 end user sites (16+ are NNSA or joint sponsored)
  – Between 75,000 and 100,000 users
ESnet4 – May 2009
ESnet Infrastructure
• ESnet infrastructure is comprised of:
  – 30+ full-time staff (we are currently staffing up)
    • Three engineers are located in remote facilities
  – 400+ hosts (UNIX, Windows, Apple and more)
  – 100+ routers and switches
• Services provided by ESnet:
  – Networking, DNS, NTP, etc.
  – Authentication and Trust Federation (DOE Grids CA)
  – Video/Audio Conferencing (ECS)
ESnet as an Enclave of LBNL
FISMA
• Not sure about FISMA compliance?
  – Adam Stone (LBNL) did a good talk about FISMA requirements and risk assessment at SEC 2009
    • Play NISTY for me (see references for link)
• The take away:
  – Avoid check box security
  – Take a holistic approach
    • Risk Assessment
    • Policies
    • Dynamic Procedures
    • Artifacts
Assessing ESnet Risk Level
• Define level of system risk
  – NIST 800-37 procedure
  – Computer Security Protection Plan (CSPP)
  – FIPS 199
• FIPS 199
  – A FIPS 199 security categorization serves as the starting point for the selection of security controls for an agency's information system—controls that are commensurate with the importance of the information and information system to the agency.
  – Three security objectives in FIPS 199:
    • Confidentiality: Low, Moderate, High
    • Integrity: Low, Moderate, High
    • Availability: Low, Moderate, High
• ESnet is defined as low, low, low
  – Defined by Office of Science (SC) Project Manager
Documenting Risk and Controls
• Set up two TWiki webs
  – Controls web
    • Documented ESnet risk level (FIPS 199)
    • Converted the NIST 800-53 document to TWiki format
    • Documented ESnet policies
      – Including ATF controls specific to PKI
    • Linked to Procedures
  – Procedures web
    • Document procedures and artifacts
    • Cross referenced procedures with the 800-53 control ID
DEMO
• FIPS 199
• Controls
• Procedures
• LBNL Policies
• Artifacts
FIPS 199

Catalog of Controls

Controls

Procedures

Control ID to Procedure

Procedures

Artifacts

LBNL Regulations and Procedures Manual
Computing and Communications 9.01
Conclusion
• Realistically define the risk level for the system
• Use the 800-53 as a place to document what policies are in place for your organization
  – Capture how security is done in both the policy and procedures
  – Address the NIST 800-53 control enhancements when writing the policy
• Policies and procedures that address a high level of control
  – Put them in the 800-53; it's okay to answer higher controls if there is a policy or procedure already in place
  – Don't answer controls outside your assessed risk level just because they are there
• Allow the procedures to be dynamic
  – Give sys-admins ownership of the procedure (as long as it meets the policy goals)
  – System administrators or service owners need to write the procedures and collect the artifacts
  – The sys-admins need to understand and follow the procedures to make them truly effective
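As an added example (not part of the ESnet slides), a small Python check in the spirit of the two TWiki webs: it derives the FIPS 199 high-water mark from the three objectives, then compares a procedure-to-control cross-reference against the controls applicable at that level, flagging applicable controls with no procedure, documented controls above the assessed baseline, and control IDs that do not exist in the catalog. The control-to-baseline allocation, the procedure names and the helper names are constructed sample data and assumptions, not the real ESnet webs or the full 800-53 rev3 baselines.

```python
# Added example, not from the ESnet slides. The control-to-baseline allocation and the
# procedure mapping are constructed sample data; verify them against the published
# NIST 800-53 rev3 baselines before relying on them.
LEVELS = {"low": 1, "moderate": 2, "high": 3}

def high_water_mark(confidentiality, integrity, availability):
    """Overall FIPS 199 categorization: highest impact across the three objectives."""
    levels = [l.lower() for l in (confidentiality, integrity, availability)]
    unknown = [l for l in levels if l not in LEVELS]
    if unknown:
        raise ValueError(f"unknown FIPS 199 impact level(s): {unknown}")
    return max(levels, key=LEVELS.__getitem__)

# Constructed sample catalog: control ID -> lowest baseline that selects it.
CATALOG = {
    "AC-2": "low", "AC-2(1)": "moderate", "AC-17": "low", "AC-17(1)": "moderate",
    "AU-2": "low", "AU-2(3)": "moderate", "CM-6": "low",
    "IR-4": "low", "IR-4(1)": "moderate", "PE-18": "moderate",
}

def applicable_controls(level, catalog=CATALOG):
    """Controls and enhancements selected for a system at the given baseline."""
    return {cid for cid, base in catalog.items() if LEVELS[base] <= LEVELS[level]}

def cross_reference_report(level, procedures, catalog=CATALOG):
    """Compare a procedures web (procedure name -> control IDs it satisfies)
    against the controls applicable at the assessed FIPS 199 level."""
    covered = set().union(*procedures.values())
    required = applicable_controls(level, catalog)
    return {
        # applicable controls with no procedure (and so no artifacts) behind them
        "missing_procedure": sorted(required - covered),
        # documented controls above the baseline: acceptable when a policy exists, but flagged
        "above_baseline": sorted((covered & set(catalog)) - required),
        # IDs not in the catalog at all, usually typos in the cross-reference
        "unknown_control": sorted(covered - set(catalog)),
    }

# Constructed sample procedures web, cross-referenced by control ID ("IR-04" is a typo).
SAMPLE_PROCEDURES = {
    "Account provisioning (sysadmin-owned)": {"AC-2", "AC-2(1)"},
    "Remote access via VPN": {"AC-17"},
    "Central syslog collection": {"AU-2"},
    "Incident handling": {"IR-4", "IR-04"},
}

if __name__ == "__main__":
    level = high_water_mark("Low", "Low", "Low")  # ESnet's categorization
    print(level, cross_reference_report(level, SAMPLE_PROCEDURES))
```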
References
• Adam Stone, Play NISTY for me: http://net.educause.edu/SEC09/Program/1020687?PRODUCT_CODE=SEC09/SESS15
• NIST 800-37: http://csrc.nist.gov/publications/drafts/800-37-Rev1/SP800-37-rev1-IPD.pdf
• FIPS 199: http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
• NIST 800-53 rev3: http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final-errata.pdf
• Special thanks to:
  – The NERSC security team
  – Adam Stone • [email protected]