The document summarizes a presentation on using the NIST Risk Management Framework to meet requirements for FISMA, HIPAA, and data privacy laws. It outlines the 6 steps of the NIST RMF: 1) categorize information assets, 2) select security controls, 3) implement controls, 4) assess controls, 5) authorize systems, and 6) continuously monitor security. NIST publications provide guidance for each step. Following the NIST RMF allows organizations to efficiently comply with multiple regulatory requirements through a standardized process.
1. NIST, FISMA, HIPAA and Data Privacy – Where to Begin
Candy Alexander, CISSP, CISM
SecureWorld Expo Boston
March 24, 2010
Room 104
SecureWorld Expo - Boston - March 24, 2010 - Room 104
2. Topics
Setting the stage for a Case Study
Understanding the requirements
How can NIST help
Closer look at NIST
Summary
3. Setting the Stage
Organization driven by multiple requirements:
FISMA
HIPAA*
Data privacy laws (45 states and the federal government)
MA 201 CMR 17.00
Small organization with minimal resources
Need to work smart
Identify one framework that satisfies all of the requirements
Existing work was based on the HIPAA Privacy and Security Rules
Redirect that work into the NIST framework to meet *all* requirements
* Additional push from the new HITECH Act; summary of changes at the end of the slides
4. Understanding the Requirements…
Need to understand the business requirements
Compliance: just enough to pass, or enough to actually protect?
Big budget, or barely enough?
Frameworks available:
ISO 27001/27002 ($$$)
COBIT ($$)
NIST (free)
Do it yourself ($?)
All of these + a breach notification process*
As a federal contractor, we used the NIST Risk Management Framework (RMF) with the SP 800-53 control catalog and SP 800-66 Rev. 1 (HIPAA Security Rule guidance)
5. Using the NIST Risk Management Framework (RMF)*
* NIST SP 800-66 Rev. 1, October 2008
6. Step 1 – Categorize Information and Assets
Use FIPS 199 to assign a confidentiality, integrity and availability (CIA) impact rating (low, moderate or high) to each information type and system
Great tool for communicating risk to the business
For PHI (Protected Health Information) the “C” and “I” ratings should be high; availability is up to the process owner
Identify PII (Personally Identifiable Information) and its business owner (supports the data privacy requirements)
Identify “where” in the organization PII/PHI resides (applications, folders, etc.)
Supports the PHI tracking requirement for HIPAA
Use NIST SP 800-60 for guidance on mapping information types to impact levels
7. Step 2 – Security Controls
Use FIPS 200 to identify the minimum baseline (low, moderate or high, driven by the FIPS 199 category)
Select the controls to be used
Identified in SP 800-53 (Rev. 3) and tailored to what is appropriate for the environment (risk-based approach)
Document the controls/requirements in a security plan for each IT system
NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems
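The FIPS 199 categorization in Step 1 and the FIPS 200 baseline selection in Step 2 follow a mechanical rule that is easy to get wrong once a system handles several information types, so here is an added worked example in Python (not from the presentation, and not NIST code). It implements the FIPS 199 high-water mark: a system's impact level for each objective is the highest level of any information type it processes, stores or transmits, and the FIPS 200 baseline is the highest of the three objectives. It also applies the slide's PHI rule (confidentiality and integrity forced to high, availability left to the process owner) and produces the PHI/PII owner-and-location inventory the slide asks for. The information types, their provisional impact levels, owners and file locations are constructed for illustration; real provisional levels would come from SP 800-60.

```python
from dataclasses import dataclass, replace

# FIPS 199 impact levels in ascending order; RANK lets us take a "max" of levels.
LEVELS = ("low", "moderate", "high")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class InfoType:
    """One information type handled by a system, with provisional C/I/A levels.
    The extra fields capture what the slide asks for: whether it is PHI or PII,
    its business owner, and where it lives (applications, folders, ...)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str
    phi: bool = False
    pii: bool = False
    owner: str = ""
    locations: tuple = ()


def _check_level(level: str) -> str:
    if level not in RANK:
        raise ValueError(f"unknown impact level {level!r}; expected one of {LEVELS}")
    return level


def _higher(a: str, b: str) -> str:
    return a if RANK[a] >= RANK[b] else b


def apply_phi_rule(info: InfoType) -> InfoType:
    """Slide rule: for PHI, confidentiality and integrity must be high;
    availability stays whatever the process owner set."""
    if info.phi:
        return replace(info, confidentiality="high", integrity="high")
    return info


def categorize_system(info_types) -> dict:
    """FIPS 199 high-water mark: per objective, the system's level is the highest
    level of any information type it processes, stores or transmits."""
    category = {"confidentiality": "low", "integrity": "low", "availability": "low"}
    for raw in info_types:
        info = apply_phi_rule(raw)
        for objective in category:
            category[objective] = _higher(category[objective],
                                          _check_level(getattr(info, objective)))
    return category


def fips200_baseline(category: dict) -> str:
    """FIPS 200 minimum baseline: the highest of the three objective levels.
    This selects the low / moderate / high control baseline in SP 800-53."""
    return max(category.values(), key=RANK.__getitem__)


def fips199_notation(system: str, category: dict) -> str:
    """Render the category in the notation FIPS 199 uses for information systems."""
    body = ", ".join(f"({k}, {v.upper()})" for k, v in category.items())
    return f"SC {system} = {{{body}}}"


def phi_pii_inventory(info_types) -> list:
    """Where PHI/PII lives and who owns it: the input to the HIPAA tracking and
    data-privacy requirements on the slide."""
    return [(i.name, i.owner, i.locations) for i in info_types if i.phi or i.pii]


# Constructed sample (illustrative, not from SP 800-60): an EHR-style system at a
# small covered entity. Provisional levels are made up for the example.
EHR_SYSTEM = (
    InfoType("patient records", "moderate", "moderate", "moderate",
             phi=True, owner="Clinical Operations",
             locations=("EHR application", r"\\fs01\clinical")),
    InfoType("employee PII", "moderate", "moderate", "low",
             pii=True, owner="Human Resources", locations=("HRIS",)),
    InfoType("public web content", "low", "moderate", "low"),
)

if __name__ == "__main__":
    cat = categorize_system(EHR_SYSTEM)
    print(fips199_notation("EHR", cat))
    print("FIPS 200 baseline:", fips200_baseline(cat))
    for name, owner, where in phi_pii_inventory(EHR_SYSTEM):
        print(f"{name}: owner={owner}, located in {', '.join(where)}")
```

Running the block prints the category in FIPS 199 notation and the resulting baseline. A single PHI information type drives the whole system to the high baseline, which is exactly why the slide insists on knowing where PHI resides before categorizing: moving PHI out of a system (or splitting systems) is often cheaper than implementing the high baseline everywhere.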
8. Step 3 – Implement Security Controls
Uses a mix of automated tools and manual processes:
Operating system controls
Application controls
System Development Life Cycle
A full array of publications is available to provide guidance on each specific topic/requirement
See http://csrc.nist.gov
Special Publications, FIPS publications, NIST IRs (interagency/internal reports) and ITL (Information Technology Laboratory) Bulletins
9. Step 4 – Assess Controls
Evaluate the controls using the assessment procedures in SP 800-53A
Internal audits
External audits
10. Step 5 – Authorize Information System
Authorization to Operate (ATO)
Primarily for FISMA compliance
Essentially the authorizing official (designated approving authority) reviews the controls and the evaluation of those controls, then authorizes use with an explicit decision to accept the residual risk
Not a BAD idea for getting executives to understand, review and accept the risk
11. Step 6 – Monitor Security
Continuous monitoring of:
Threats and vulnerabilities
Controls put in place to mitigate risk
Ensure everything is effective and working as intended
Ensure documentation is kept up to date
Conduct impact analysis of changes
12. FISMA… Certification & Accreditation
What is Certification and Accreditation?
Certification and Accreditation is a process that ensures that systems and major applications adhere to formal and established security requirements that are well documented and authorized. 1
Sound a little like MA 201 CMR 17?
Obtaining the C&A removes the uncertainty of compliance
Much like ISO, PCI and SAS 70 Type II
Auditors appreciate the structure
1 e-Articles.info on ask.com
13. FISMA/NIST C&A
C&A guidance is available in SP 800-37
Provides the accrediting authority (and auditors) a high degree of confidence that the managerial, technical and operational security controls work as intended, and that the information processed, stored and transmitted by the system is protected
Controls based on FIPS 199, FIPS 200, NIST SP 800-66 (HIPAA) and SP 800-53
C&A should be completed prior to production, and the system re-accredited when a significant change occurs, as directed by the agency contract/authorizing official, or at minimum every three years
14. C & A Phases
Consists of 4 distinct phases (per the original SP 800-37; Rev. 1, published February 2010, reorganizes these into the six RMF steps above):
1. Initiation Phase
2. Security Certification Phase
3. Security Accreditation Phase
4. Continuous Monitoring Phase
Each phase has a detailed list of tasks and subtasks, documents and artifacts that are used to support the next phase
15. Certification Package*
1. Updated System Security Plan
2. Completed Security Risk Assessment
3. Updated Configuration Management Plan
4. Contingency Management Plan(s)
5. Security Test & Evaluation Report
6. User Manuals
7. Interconnection Security Agreements or MOUs (Business Associate Agreements for HIPAA)
8. Privacy Impact Assessments
9. Federal Register System of Records Notice
10. Plan of Action & Milestones
* Exact contents are defined by the Information System Owner
16. Accreditation Package
1. Security Assessment Report
2. Security Accreditation Decision Letter
3. System Security Plan
4. Plan of Action & Milestones
17. HITECH Act - Tougher HIPAA
From a privacy/security perspective:
Breach notification (tougher requirements)
Wider scope - now directly includes Business Associates (BAs) (2/17/10)
Accounting of disclosures (more rigorous)
Enforcement (2/17/10) - increased penalties ($$$)
State Attorneys General can now enforce