Joint Task Force Transformation Initiative

APPENDIX E

ASSURANCE AND TRUSTWORTHINESS



MEASURES OF CONFIDENCE FOR INFORMATION SYSTEMS

Security assurance is a critical aspect in determining the trustworthiness of information systems. Assurance is the measure of confidence that the security functions, features, practices, policies, procedures, mechanisms, and architecture of organizational information systems accurately mediate and enforce established security policies.[94] The objectives of this appendix are:

  • To encourage organizations to include assurance requirements in procurements of information systems, system components, and services;

  • To encourage hardware, software, and firmware developers to employ development practices that result in more trustworthy information technology products and systems;

  • To encourage organizations to identify, select, and use information technology products that have been built with appropriate levels of assurance and to employ sound systems and security engineering techniques and methods during the system development life cycle process;

  • To reduce information security risk by deploying more trustworthy information technology products within critical information systems or system components; and

  • To encourage developers and organizations to obtain, on an ongoing basis, assurance evidence for maintaining the trustworthiness of information systems.

Minimum security requirements for federal information and information systems are defined in FIPS Publication 200. These requirements can be satisfied by selecting, tailoring, implementing, and obtaining assurance evidence for the security controls in the low, moderate, or high baselines in Appendix D.[95] The baselines also include the assurance-related controls for the minimum assurance requirements that are generally applicable to federal information and information systems.[96] However, considering the current threat space and the increasing risk to organizational operations and assets, individuals, other organizations, and the Nation posed by the advanced persistent threat (APT), organizations may choose to implement additional assurance-related controls from Appendix F. These additional controls can be selected based on the tailoring guidance provided in Section 3.2. Organizations can also consider developing high-assurance overlays for critical missions/business functions, specialized environments of operation, and/or information technologies (see Section 3.3 and Appendix I). When assurance-related controls cannot be satisfied, organizations can propose compensating controls (e.g., procedural/operational solutions to compensate for insufficient technology-based solutions) or assume a greater degree of risk with regard to the actual security capability achieved.


The New Look for Assurance

While previous versions of Special Publication 800-53 addressed minimum assurance requirements, the focus was on higher-level, more abstract requirements applied to the low, moderate, and high baselines. This revision takes a fundamentally different approach to assurance by defining specific assurance-related security controls in Appendix F that can be implemented by organizations based on the security categorizations of their information systems—making the assurance requirements more actionable and providing opportunities for increasing the levels of assurance based on mission and business needs, current/projected threats, unique operating environments, or the use of new technologies. The identification of specific assurance-related controls in the low, moderate, and high baselines in easy-to-read tables (Tables E-1, E-2, E-3) helps organizations to quickly define the controls necessary to satisfy minimum assurance requirements. The optional assurance-related controls in Table E-4 provide organizations with specification language to use in acquisitions targeted at the developers of information systems, system components, and information system services. The controls address specific methodologies, techniques, design, and architectural considerations as well as sound system and security engineering principles to fundamentally improve the quality of hardware, software, and firmware components that will be integrated into organizational information systems or the critical infrastructure. The designation of assurance-related controls is not intended to imply a greater level of importance for such controls. Achieving adequate security for organizational information systems requires the correct combination of both functionality- and assurance-related security controls. Only by understanding the importance of the concept of assurance and recognizing which security controls are more assurance-oriented versus functionality-oriented can organizations select the most appropriate combination of controls to protect their organizational operations and assets, individuals, other organizations, and the Nation.




The following sections provide a description of the assurance-related controls that are included in each of the security control baselines in Appendix D. The criterion for whether a security control is assurance-related or functionality-related is the overall character of the control. In general, assurance-related controls are controls that: (i) define processes, procedures, techniques, or methodologies for designing and developing information systems and system components (i.e., hardware, software, firmware); (ii) provide supporting operational processes, including improving the quality of systems/components/processes; (iii) produce security evidence from developmental or operational activities; (iv) determine security control effectiveness or risk (e.g., audit, testing, evaluation, analysis, assessment, verification, validation, monitoring); or (v) improve personnel skills, expertise, and understanding (e.g., security awareness/training, incident response training, contingency training).


Security controls may be designated as assurance-related controls even when the controls exhibit some functional characteristics or properties (e.g., SI-4, Information System Monitoring). The distinction between functionality and assurance is less important when describing the assurance-related controls in the baselines—primarily because the security controls in the three baselines, after the tailoring process is applied, become part of the security plans for information systems and for organizations.[97] However, the distinction becomes more important when organizations exercise the option of selecting additional security controls to increase the level of assurance (or the degree of confidence) in the security functionality and security capability.

Minimum Assurance Requirements – Low-Impact Systems

Assurance Requirement: The organization, based on its security requirements, security policies, and needed security capabilities, has an expectation of: (i) a limited strength of security functionality; and (ii) a limited degree of confidence supported by the depth and coverage of associated security evidence, that the security functionality is complete, consistent, and correct.

Supplemental Guidance: Security functionality and assurance for low-impact systems are achieved by the implementation of security controls from the tailored low baseline in Appendix D. Assurance requirements for low-impact systems (including the information technology components that are part of those systems) align with what is readily achievable with unmodified, commercial off-the-shelf (COTS) products and services. Due to the limited strength of functionality expected for low-impact systems, the depth/coverage of security evidence[98] produced is minimal and is not expected to be more than what is routinely provided by COTS manufacturers, vendors, and resellers. The depth/coverage evidence is further supplemented by the results of security control assessments and the ongoing monitoring of organizational information systems and the environments in which the systems operate. For other than technology-based functionality, the emphasis is on a limited degree of confidence in the completeness, correctness, and consistency of procedural and/or operational security functionality (e.g., policies, procedures, physical security, and personnel security). Assurance requirements specified in the form of developmental and operational assurance controls for low-impact systems are listed in Table E-1. Organizations, through the tailoring process (including an organizational assessment of risk), may choose to add other assurance-related controls and/or control enhancements to the set included in Table E-1.

TABLE E-1: ASSURANCE-RELATED CONTROLS FOR LOW-IMPACT SYSTEMS[99]

ID   CONTROLS
AC   AC-1
AT   AT-1, AT-2, AT-3, AT-4
AU   AU-1, AU-6
CA   CA-1, CA-2, CA-3, CA-5, CA-6, CA-7, CA-9
CM   CM-1, CM-2, CM-4, CM-8
CP   CP-1, CP-3, CP-4
IA   IA-1
IR   IR-1, IR-2, IR-5
MA   MA-1
MP   MP-1
PE   PE-1, PE-6, PE-8
PL   PL-1, PL-2, PL-4
PS   PS-1, PS-6, PS-7
RA   RA-1, RA-3, RA-5
SA   SA-1, SA-2, SA-3, SA-4, SA-4 (10), SA-5, SA-9
SC   SC-1, SC-39
SI   SI-1, SI-4, SI-5


Minimum Assurance Requirements – Moderate-Impact Systems

Assurance Requirement: The organization, based on its security requirements, security policies, and needed security capabilities, has an expectation of: (i) a moderate strength of security functionality; and (ii) a moderate degree of confidence supported by the depth and coverage of associated security evidence, that the security functionality is complete, consistent, and correct.

Supplemental Guidance: Security functionality and assurance for moderate-impact systems are achieved by the implementation of security controls from the tailored moderate baseline in Appendix D. Assurance requirements for moderate-impact systems (including the information technology components that are part of those systems) add to the expectations at the low-assurance level by: (i) incorporating COTS security functionality with greater strength of mechanism and capability than the strength of mechanism and capability achieved in low-impact systems; (ii) perhaps requiring some special development; (iii) establishing more secure configuration settings; and (iv) requiring some additional assessment of the implemented capability. Due to the moderate strength of functionality expected for moderate-impact systems, the depth/coverage of security evidence[100] produced is more substantial than the minimal evidence produced for low-impact systems but still in the range of what can be provided by COTS manufacturers, vendors, and resellers. The depth/coverage evidence is further supplemented by the results of additional security control assessments and the ongoing monitoring of organizational information systems and environments of operation. For other than technology-based functionality, the emphasis is on a moderate degree of confidence in the completeness, correctness, and consistency of procedural and/or operational security functionality (e.g., policies, procedures, physical security, and personnel security). Assurance requirements in the form of developmental and operational assurance controls for moderate-impact systems are listed in Table E-2. Organizations, through the tailoring process (including an organizational assessment of risk), may choose to add other assurance-related controls and/or control enhancements to the set included in Table E-2.

TABLE E-2: ASSURANCE-RELATED CONTROLS FOR MODERATE-IMPACT SYSTEMS[101]

ID   CONTROLS
AC   AC-1
AT   AT-1, AT-2, AT-2 (2), AT-3, AT-4
AU   AU-1, AU-6, AU-6 (1), AU-6 (3), AU-7, AU-7 (1)
CA   CA-1, CA-2, CA-2 (1), CA-3, CA-5, CA-6, CA-7, CA-7 (1), CA-9
CM   CM-1, CM-2, CM-2 (1), CM-2 (3), CM-2 (7), CM-3, CM-3 (2), CM-4, CM-8, CM-8 (1), CM-8 (3), CM-8 (5)
CP   CP-1, CP-3, CP-4, CP-4 (1)
IA   IA-1
IR   IR-1, IR-2, IR-3, IR-3 (2), IR-5
MA   MA-1
MP   MP-1
PE   PE-1, PE-6, PE-6 (1), PE-8
PL   PL-1, PL-2, PL-2 (3), PL-4, PL-4 (1), PL-8
PS   PS-1, PS-6, PS-7
RA   RA-1, RA-3, RA-5, RA-5 (1), RA-5 (2), RA-5 (5)
SA   SA-1, SA-2, SA-3, SA-4, SA-4 (1), SA-4 (2), SA-4 (9), SA-4 (10), SA-5, SA-8, SA-9, SA-9 (2), SA-10, SA-11
SC   SC-1, SC-2, SC-39
SI   SI-1, SI-4, SI-4 (2), SI-4 (4), SI-4 (5), SI-5, SI-7, SI-7 (1), SI-7 (7), SI-10, SI-16


Minimum Assurance Requirements – High-Impact Systems

Assurance Requirement: The organization, based on its security requirements, security policies, and needed security capabilities, has an expectation of: (i) a high strength of security functionality; and (ii) a high degree of confidence supported by the depth and coverage of associated security evidence, that the security functionality is complete, consistent, and correct.

Supplemental Guidance: Security functionality and assurance for high-impact systems are achieved by the implementation of security controls from the tailored high baseline in Appendix D. Assurance requirements for high-impact systems (including the information technology components that are part of those systems) add to the expectations at the moderate-assurance level by: (i) incorporating higher-end COTS security capabilities that result from the application of commonly accepted best commercial development practices for reducing latent flaw rates; (ii) requiring some special development; and (iii) requiring additional assessment of the implemented capability. Due to the high strength of functionality expected for high-impact systems, the depth/coverage of security evidence[102] produced is more comprehensive than the evidence produced for moderate-impact systems. Although the evidence may still be in the range of what can be provided by COTS manufacturers, vendors, and resellers, greater assurance from independent assessment providers may be required. The depth/coverage evidence is supplemented by the results of additional security control assessments and the ongoing monitoring of organizational information systems/environments of operation. For other than technology-based functionality, there is a high degree of confidence in the completeness, correctness, and consistency of procedural and/or operational security functionality (e.g., policies, procedures, physical security, and personnel security). Assurance requirements in the form of developmental and operational assurance controls for high-impact information systems are listed in Table E-3. Organizations, through the tailoring process (including an organizational assessment of risk), may choose to add other assurance-related controls and/or control enhancements to the set included in Table E-3.

TABLE E-3: ASSURANCE-RELATED CONTROLS FOR HIGH-IMPACT SYSTEMS[103]

ID   CONTROLS
AC   AC-1
AT   AT-1, AT-2, AT-2 (2), AT-3, AT-4
AU   AU-1, AU-6, AU-6 (1), AU-6 (3), AU-6 (5), AU-6 (6), AU-7, AU-7 (1), AU-10
CA   CA-1, CA-2, CA-2 (1), CA-2 (2), CA-3, CA-5, CA-6, CA-7, CA-7 (1), CA-8, CA-9
CM   CM-1, CM-2, CM-2 (1), CM-2 (2), CM-2 (3), CM-2 (7), CM-3, CM-3 (1), CM-3 (2), CM-4, CM-4 (1), CM-8, CM-8 (1), CM-8 (2), CM-8 (3), CM-8 (4), CM-8 (5)
CP   CP-1, CP-3, CP-3 (1), CP-4, CP-4 (1), CP-4 (2)
IA   IA-1
IR   IR-1, IR-2, IR-2 (1), IR-2 (2), IR-3, IR-3 (2), IR-5, IR-5 (1)
MA   MA-1
MP   MP-1
PE   PE-1, PE-6, PE-6 (1), PE-6 (4), PE-8
PL   PL-1, PL-2, PL-2 (3), PL-4, PL-4 (1), PL-8
PS   PS-1, PS-6, PS-7
RA   RA-1, RA-3, RA-5, RA-5 (1), RA-5 (2), RA-5 (4), RA-5 (5)
SA   SA-1, SA-2, SA-3, SA-4, SA-4 (1), SA-4 (2), SA-4 (9), SA-4 (10), SA-5, SA-8, SA-9, SA-9 (2), SA-10, SA-11, SA-12, SA-15, SA-16, SA-17
SC   SC-1, SC-2, SC-3, SC-7 (18), SC-7 (21), SC-24, SC-39
SI   SI-1, SI-4, SI-4 (2), SI-4 (4), SI-4 (5), SI-5, SI-5 (1), SI-6, SI-7, SI-7 (1), SI-7 (2), SI-7 (5), SI-7 (7), SI-7 (14), SI-10, SI-16


Security Controls to Achieve Enhanced Assurance

While the assurance-related controls allocated to the low, moderate, and high baselines in the previous sections represent minimum assurance requirements, organizations can, over time, choose to raise the level of assurance in their information systems—increasing the level of trustworthiness accordingly. This is accomplished by adding assurance-related controls to the controls in the baselines to increase both the strength of security functionality and the degree of confidence that the functionality is correct, complete, and consistent—making the functionality highly resistant to penetration, tamper, or bypass. Security functionality that is highly resistant to penetration, tamper, and bypass requires a significant work factor on the part of adversaries to compromise the confidentiality, integrity, or availability of the information system or system components where that functionality is employed.

Since high-assurance information technology products may be more costly and difficult to obtain, organizations may choose to partition their information systems into distinct subsystems to isolate the critical components and focus the high-assurance efforts on a more narrowly defined subset of information resources. Organizations that find it difficult to achieve high-assurance information technology solutions may have to rely to a greater extent on procedural or operational protections to ensure mission and business success. This includes, for example, reengineering critical mission and business processes to be less susceptible to high-end threats. Table E-4 provides additional developmental and operational activities (e.g., in the SA, SI, and CM security control families) that organizations can select to achieve an enhanced level of assurance (up to and including high assurance). The list of assurance-related controls is not intended to be exhaustive. Organizations, during the tailoring process, may choose to designate other security controls as assurance-related and add them to the exemplar set in Table E-4.



TABLE E-4: SECURITY CONTROLS FOR ENHANCED ASSURANCE[104]

ID   CONTROLS
AC   AC-25
AT   AT-2 (1), AT-3 (all enhancements)
AU   AU-6 (4), AU-6 (7), AU-6 (8), AU-6 (9), AU-6 (10), AU-10 (all enhancements), AU-11 (1), AU-13 (plus enhancements), AU-14 (plus enhancements)
CA   CA-2 (3), CA-5 (1), CA-7 (3), CA-8 (all enhancements), CA-9 (1)
CM   CM-2 (6), CM-4 (2), CM-8 (6), CM-8 (7), CM-8 (8), CM-8 (9)
CP   CP-3 (2), CP-4 (3), CP-4 (4), CP-12
IA   No additional controls.
IR   IR-3 (1)
MA   No additional controls.
MP   No additional controls.
PE   PE-6 (2), PE-6 (3)
PL   PL-8 (all enhancements), PL-9
PS   PS-6 (2), PS-6 (3)
RA   RA-5 (3), RA-5 (6), RA-5 (8), RA-5 (10), RA-6
SA   SA-4 (3), SA-4 (5), SA-4 (6), SA-4 (7), SA-4 (8), SA-9 (1), SA-9 (3), SA-9 (4), SA-9 (5), SA-10 (all enhancements), SA-11 (all enhancements), SA-12 (all enhancements), SA-13, SA-14, SA-15 (all enhancements), SA-17 (all enhancements), SA-18 (plus enhancements), SA-19 (plus enhancements), SA-20, SA-21 (plus enhancement), SA-22 (plus enhancement)
SC   SC-2 (1), SC-3 (all enhancements), SC-6, SC-7 (22), SC-11 (plus enhancement), SC-29 (plus enhancement), SC-30 (plus enhancements), SC-31 (plus enhancements), SC-32, SC-34 (plus enhancements), SC-36 (plus enhancement), SC-37 (plus enhancement), SC-38, SC-39 (all enhancements)
SI   SI-4 (1), SI-4 (3), SI-4 (7), SI-4 (9), SI-4 (10), SI-4 (11), SI-4 (12), SI-4 (13), SI-4 (14), SI-4 (15), SI-4 (16), SI-4 (17), SI-4 (18), SI-4 (19), SI-4 (20), SI-4 (21), SI-4 (22), SI-4 (23), SI-4 (24), SI-7 (3), SI-7 (6), SI-7 (8), SI-7 (9), SI-7 (10), SI-7 (11), SI-7 (12), SI-7 (13), SI-7 (15), SI-7 (16), SI-10 (all enhancements), SI-13 (plus enhancements), SI-14 (plus enhancement), SI-15, SI-17
