
IT Security Procedural Guide: Moderate Impact Software as a Service (MiSaaS) Security Authorization Process

CIO-IT Security-18-88

Initial Release June 6, 2018

Office of the Chief Information Security Officer

CIO-IT Security-18-88, Initial Release

MiSaaS Security Authorization Process

VERSION HISTORY/CHANGE RECORD

| Change Number | Person Posting Change | Change | Reason for Change | Page Number of Change |
|---|---|---|---|---|
| Initial Release – June 6, 2018 | | | | |
| 1 | Dean/Klemens | Initial Draft | N/A | N/A |

U.S. General Services Administration


Approval

IT Security Procedural Guide: Moderate Impact Software as a Service (MiSaaS) Security Authorization Process, CIO-IT Security-18-88, Initial Release is hereby approved for distribution.

Signed 6/14/2018 by Kurt D. Garbars, Chief Information Security Officer

Contact: GSA Office of the Chief Information Security Officer (OCISO), Policy and Compliance Division, at ispcompliance@.


Table of Contents

1 Introduction ..... 2
1.1 Purpose ..... 2
1.2 Scope ..... 2
1.3 References ..... 3
2 Moderate Impact SaaS Security Authorization Process ..... 3
2.1 RMF Step 1 – Categorize Information System ..... 4
2.2 RMF Step 2 – Select Security Controls ..... 5
2.3 RMF Step 3 – Implement Security Controls and Cloud Service Provider Customer Responsibilities ..... 6
2.4 RMF Step 4 – Assess Security Controls ..... 7
2.5 RMF Step 5 – Authorize Information System ..... 9
2.6 RMF Step 6 – Monitor Security Controls ..... 10
Appendix A: MiSaaS ATO Package ..... 12
Appendix B: Security Controls for MiSaaS ..... 13

Table 2-1: CSF Functions Mapped to NIST SP 800-37 RMF Steps ..... 4


1 Introduction

The General Services Administration (GSA) Moderate Impact Software as a Service (MiSaaS) Security Authorization Process is specific to new GSA information systems that follow an agile development methodology and reside on infrastructure that has, or is in the process of obtaining, a Federal Risk and Authorization Management Program (FedRAMP) provisional authorization to operate (ATO). The process in this guide allows a system categorized as Moderate impact under Federal Information Processing Standard (FIPS) Publication (PUB) 199, "Standards for Security Categorization of Federal Information and Information Systems," to be granted a one-year ATO after completing the tailored National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) processes detailed in this guide.

The MiSaaS security authorization process leverages the inherent flexibility in the application of security controls noted in NIST Special Publication (SP) 800-53, Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations," described as tailoring in NIST SP 800-37, Revision 1, "Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach." This approach has been used to align more closely with GSA business requirements (i.e., DevOps and agile development) and environments of operation (i.e., environments that have or are pursuing a FedRAMP provisional ATO). The process focuses on operational security from both a functional and an assurance perspective, not on adherence to static checklists or the generation of large volumes of security authorization paperwork.

Executive Order (EO) 13800, "Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure" requires all agencies to use "The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology (NIST) or any successor document to manage the agency's cybersecurity risk." This NIST document is commonly referred to as the Cybersecurity Framework (CSF). The CSF complements, and does not replace, an organization's risk management process and cybersecurity program. GSA uses NIST's RMF as its foundation for managing risk. Further information on how the CSF relates to GSA's MiSaaS security authorization process is contained in Section 2. For more information on GSA's alignment of the RMF to the CSF, refer to CIO-IT Security-06-30, "Managing Enterprise Risk."

1.1 Purpose

This procedural guide defines a security authorization process for FIPS 199 Moderate Impact SaaS systems to be granted a one year ATO upon successfully completing the processes detailed in Section 2.

1.2 Scope

The requirements outlined within this guide apply to and must be followed by all GSA Federal employees and contractors who oversee/protect GSA information systems and data. This procedural guide provides GSA Federal employees and contractors with significant security responsibilities, as identified in GSA Order CIO 2100.1, "GSA Information Technology (IT) Security Policy," and other IT personnel involved in performing assessment and authorization (A&A) activities for systems, the specific processes to follow for accomplishing A&A activities for systems under their purview following the MiSaaS Security Authorization Process.

1.3 References

Federal Regulations/Guidance:

- Executive Order 13800, "Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure"
- NIST Cybersecurity Framework, "Framework for Improving Critical Infrastructure Cybersecurity"
- NIST SP 800-37, Revision 1, "Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach"
- NIST SP 800-47, "Security Guide for Interconnecting Information Technology Systems"
- NIST SP 800-53, Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations"
- FIPS 199, "Standards for Security Categorization of Federal Information and Information Systems"
- NIST SP 800-60 Volume I, Revision 1, "Guide for Mapping Types of Information and Information Systems to Security Categories"
- NIST SP 800-60 Volume II, Revision 1, "Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories"

GSA Guidance:

- GSA Order CIO 2100.1, "GSA Information Technology (IT) Security Policy"

The GSA CIO-IT Security Procedural Guides listed below are available on the IT Security Procedural Guides InSite page.

- CIO-IT Security-06-30, "Managing Enterprise Risk"
- CIO-IT Security-09-44, "Plan of Action and Milestones"
- CIO-IT Security-11-51, "Conducting Penetration Test Exercises"
- CIO-IT Security-12-66, "Information Security Continuous Monitoring Strategy"

2 Moderate Impact SaaS Security Authorization Process

The key activities in the MiSaaS authorization process are listed in the steps below and the following sub-sections.

- RMF Step 1 – Categorize Information System
- RMF Step 2 – Select Security Controls
- RMF Step 3 – Implement Security Controls
- RMF Step 4 – Assess Security Controls
- RMF Step 5 – Authorize Information System
- RMF Step 6 – Monitor Security Controls

The MiSaaS security authorization process is a tailored version of the NIST RMF. The MiSaaS RMF steps do not include all of the tasks in the NIST RMF steps. The MiSaaS steps have been sequentially numbered, therefore a MiSaaS RMF step may have a different number than that same step in the NIST RMF process.

In accordance with EO 13800, GSA has aligned its risk management processes with the CSF. The five core CSF Functions are listed in the first column of Table 2-1; the second column lists the RMF Steps aligned with each CSF Function. For more information on GSA's alignment of the RMF to the CSF, refer to CIO-IT Security-06-30.

Table 2-1: CSF Functions Mapped to NIST SP 800-37 RMF Steps

| CSF Function | RMF Steps |
|---|---|
| Identify (ID): Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. | RMF Step 1: Categorize Information System; RMF Step 2: Select Security Controls |
| Protect (PR): Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. | RMF Step 2: Select Security Controls; RMF Step 3: Implement Security Controls |
| Detect (DE): Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. | RMF Step 3: Implement Security Controls; RMF Step 4: Assess Security Controls; RMF Step 6: Monitor Security Controls |
| Respond (RS): Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. | RMF Step 3: Implement Security Controls; RMF Step 4: Assess Security Controls; RMF Step 5: Authorize Information Systems; RMF Step 6: Monitor Security Controls |
| Recover (RC): Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. | RMF Step 3: Implement Security Controls; RMF Step 4: Assess Security Controls; RMF Step 5: Authorize Information Systems; RMF Step 6: Monitor Security Controls |

2.1 RMF Step 1 – Categorize Information System

The first step in the RMF process is to determine the FIPS 199 security categorization level of the information system. The MiSaaS security authorization process is applicable only to FIPS 199 Moderate Impact SaaS systems; any other categorization or type of system requires following one of the other A&A processes in CIO-IT Security-06-30.

TASK 1-1: Security Categorization - Categorize the information system using the FIPS 199 Security Categorization Template and document the results of the security categorization in the system security plan (SSP); use the template listed in Appendix A. The security categorization process is carried out by the Data Owner in cooperation and collaboration with appropriate organizational officials with information security/risk management responsibilities, including but not limited to the Authorizing Official (AO), Information System Security Manager (ISSM), Information System Security Officer (ISSO), and the System Owner. The process for determining the appropriate impact level is outlined in FIPS 199 and its associated NIST publications: NIST SP 800-60 Volume I, Revision 1, "Guide for Mapping Types of Information and Information Systems to Security Categories" and NIST SP 800-60 Volume II, Revision 1, "Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories." Please refer to the template and these documents to categorize the information system.

TASK 1-2: Information System Description - Describe the MiSaaS solution (including its boundary) and document the description in the SSP. The SSP provides an overview of the security requirements for the MiSaaS solution and describes the security controls in place or planned for meeting those requirements. Descriptive information about the MiSaaS solution is documented in sections 1-11 of the SSP. The following sections should be sufficiently detailed:

- Section 1 identifies the system name and unique identifier.
- Section 2 provides the FIPS 199 categorization of the system. It must be supported by a FIPS 199 Security Categorization Template.
- Sections 3-8 identify roles/points of contact and system operational status and type.
- Section 9 describes the function or purpose of the MiSaaS solution and its processes.
- Section 10 describes the technical system, including an inventory of all software in the MiSaaS solution's authorization boundary.
- Section 11 lists interconnections to other systems, including details such as type of connection, security of the connection, and points of contact.

Note: Many interconnections require an Interconnection Security Agreement/Memorandum of Understanding/Memorandum of Agreement (ISA/MOU/MOA). Per GSA IT Security Policy 2100.1, "Written management authorization for system interconnection, based upon the acceptance of risk to the IT system, must be obtained from the Authorizing Officials of both systems prior to connecting a system not under a single Authorizing Official's control in accordance with NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems. Per NIST 800-47, an interconnection is the direct connection of two or more IT systems for the purpose of sharing data and other information resources through a pipe, such as ISDN, T1, T3, DS3, VPN, etc."

TASK 1-3: Information System Registration - Register the information system with the appropriate organizational program/management offices and the OCISO.

The ISSM shall coordinate with OCISO ISP to have the system added to the official GSA IT System Inventory repository.

2.2 RMF Step 2 – Select Security Controls

TASK 2-1: Security Control Selection - The security controls required for the MiSaaS authorization process are identified in Appendix B. The MiSaaS tailored baseline, as necessary, can be supplemented with additional controls and/or control enhancements to address unique
