
- 504 pages
- English
- ePUB (mobile friendly)
- Available on iOS & Android
eBook - ePub
FISMA Certification and Accreditation Handbook
About this book
The only book that instructs IT Managers to adhere to federally mandated certification and accreditation requirements. This book explains what is meant by Certification and Accreditation and why the process is mandated by federal law. The different Certification and Accreditation laws are cited and discussed, including the three leading types of C&A: NIST, NIAP, and DITSCAP. Next, the book explains how to prepare for, perform, and document a C&A project. The following section addresses security awareness, end-user rules of behavior, and incident response requirements. Once this phase of the C&A project is complete, the reader learns to perform the security tests and evaluations, business impact assessments, system risk assessments, business risk assessments, contingency plans, and system security plans. Finally, the reader learns to audit the entire C&A project and correct any failures.
- Focuses on federally mandated certification and accreditation requirements
- Author Laura Taylor's research on Certification and Accreditation has been used by the FDIC, the FBI, and the White House
- Full of vital information on compliance for both corporate and government IT Managers
Yes, you can access FISMA Certification and Accreditation Handbook by L. Taylor, Laura P. Taylor in PDF and/or ePUB format, as well as other popular books in Business & Information Management. We have over one million books available in our catalogue for you to explore.
Information
Chapter 1 What Is Certification and Accreditation?
Topics in this chapter:





"The law cannot be enforced when everyone is an offender."
—Chinese Proverb
Introduction
Certification and Accreditation is a process that ensures that systems and major applications adhere to formal, established security requirements that are well documented and authorized. Informally known as C&A, Certification and Accreditation is required of federal agencies under the Federal Information Security Management Act (FISMA) of 2002. All systems and applications that reside on U.S. government networks must go through a formal C&A before being put into production, and every three years thereafter. Since accreditation is the ultimate output of a C&A initiative, and a system or application cannot be accredited unless it meets specific security guidelines, the goal of C&A is to force federal agencies to put into production only systems and applications that are secure. Accreditation is also the point at which a senior agency official formally accepts the residual risk of operating the system, so the decision carries accountability as well as a security judgment.
FISMA, also known as Title III of the E-Government Act of 2002 (Public Law 107-347), mandates that every U.S. federal agency develop and implement an agency-wide information security program that documents its security requirements, security policies, security controls, and the risks to the agency. For a given system, these requirements, policies, controls, and risks are described formally in a collection of documents known as a Certification Package. The Certification Package consists of a review and analysis of an application, a system, or a site, basically whatever it is that the agency wants accredited. New applications and systems require accreditation before they can be put into production, and existing applications and systems require reaccreditation every three years.
Each agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source...
—Federal Information Security Management Act of 2002
Laws for U.S. federal departments and agencies mandate C&A; however, private organizations can also take advantage of C&A methodologies to help mitigate risks on their own information systems and networks. In fact, about 90 percent of the nation's critical infrastructure is on private networks that are not part of any U.S. federal department or agency. The nation's critical infrastructure includes the information technology systems that run electrical systems, chemical systems, nuclear systems, transportation systems, telecommunication systems, banking and financial systems, and agricultural, food, and water supply systems, to name only a few.
The entire C&A process is really nothing more than a standardized security audit, albeit a very complete standardized security audit. Having worked in both private industry and on government networks, my experience indicates that contrary to what you read in the news, most private and public companies do not put nearly as much time, effort, and resources into documenting their security as government agencies do. All the C&A methodologies described in this book can be adopted and used by private industry. Though federal departments and agencies seem to get repeated criticisms belittling their security initiatives, it's my experience and belief that the criticisms are largely exaggerated and that their security conscientiousness far exceeds that of private industry.
The C&A model is a methodology for demonstrating due diligence in mitigating risks and maintaining appropriate security controls. Any enterprise organization can adopt best-practice C&A methodologies. No special license is required, and no special tools are required to make use of the model; it is simply a way of doing things related to security.
Terminology
Certification refers to the preparation and review of an application's or system's security controls and capabilities for the purpose of establishing whether the design or implementation meets appropriate security requirements. Accreditation refers to the official management decision, made after the evaluation team has reviewed the Certification and Accreditation Package, to authorize the system to operate and to accept the residual risk of doing so.
Different federal documents define certification and accreditation in slightly different ways, though the definitions are similar. NIST Special Publication 800-37 defines certification as:
A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
The guidance written by NIST is intended for information systems that process unclassified data, more commonly known as SBU data (Sensitive But Unclassified). The Committee on National Security Systems (CNSS), chaired by the Department of Defense, defines certification in the National Information Assurance Glossary (CNSS Instruction No. 4009), revised June 2006, as:
A comprehensive evaluation of the technical and nontechnical security safeguards of an IS to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements.
You can see that even experts among us don't necessarily agree on a concrete definition. However, since experts in most professions typically bring their own uniqueness to the table, I don't see the differences in definitions as being a show stopper for getting the job done. The definitions are similar enough.
An evaluation team reviews a suite of documents known as a Certification Package and makes recommendations on whether it should be accredited. The evaluation team may be referred to by different names in different agencies. You should think of the evaluators as specialized information security auditors; often they are referred to as certifying agents. Each agency may refer to its own auditors by slightly different names, so you shouldn't get hung up on what to call these folks. The main thing to know is that each agency has its own set of auditors that have the power either ...
Table of contents
- Cover image
- Title page
- Table of Contents
- VISIT US AT
- Copyright
- Acknowledgments
- Author
- Contributing Author
- Technical Editor
- Foreword
- Preface
- Chapter 1: What Is Certification and Accreditation?
- Chapter 2: Types of Certification and Accreditation
- Chapter 3: Understanding the Certification and Accreditation Process
- Chapter 4: Establishing a C&A Program
- Chapter 5: Developing a Certification Package
- Chapter 6: Preparing the Hardware and Software Inventory
- Chapter 7: Determining the Certification Level
- Chapter 8: Performing and Preparing the Self-Assessment
- Chapter 9: Addressing Security Awareness and Training Requirements
- Chapter 10: Addressing End-User Rules of Behavior
- Chapter 11: Addressing Incident Response
- Chapter 12: Performing the Security Tests and Evaluation
- Chapter 13: Conducting a Privacy Impact Assessment
- Chapter 14: Performing the Business Risk Assessment
- Chapter 15: Preparing the Business Impact Assessment
- Chapter 16: Developing the Contingency Plan
- Chapter 17: Performing a System Risk Assessment
- Chapter 18: Developing a Configuration Management Plan
- Chapter 19: Preparing the System Security Plan
- Chapter 20: Submitting the C&A Package
- Chapter 21: Evaluating the Certification Package for Accreditation
- Chapter 22: Addressing C&A Findings
- Chapter 23: Improving Your Federal Computer Security Report Card Scores
- Chapter 24: Resources
- FISMA
- OMB Circular A-130: Appendix III
- FIPS 199
- Index