NIST 800-18 :: Guide for Developing Security Plans for Federal Information Systems
NIST SP 800-53 contains the management, operational, and technical safeguards or countermeasures prescribed for an information system. The controls selected or planned must be documented in a system security plan. This document provides guidance for federal agencies for developing system security plans for federal information systems.
Who
- Program managers
- System owners
- Security personnel
What
- FIPS 199, Standards for Security Categorization of Federal Information and Information Systems.
- Information system inventory
- Identification of common security controls and scoping guidance.
- System security development
- Steps of system security plan development
- System security plan template
- A glossary of terms and definitions
- [NIST SP 800-37] COMMON TERMS AND DEFINITIONS
- Accreditation
- The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.
- Accreditation Boundary
- All components of an information system to be accredited by an authorizing official and excludes separately accredited systems, to which the information system is connected. Synonymous with the term security perimeter.
- Adequate Security
- Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.
- Authentication
- Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
- Authenticity
- The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or
- Authorizing Official
- Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals.
- Availability
- Ensuring timely and reliable access to and use of information.
- Certification
- A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
- Certification Agent
- The individual, group, or organization responsible for conducting a security certification.
- Chief Information Officer
- Agency official responsible for:
- (i) Providing advice and other assistance to the head of the executive agency and other senior management personnel of the agency to ensure that information technology is acquired and information resources are managed in a manner that is consistent with laws, executive orders, directives, policies, regulations, and priorities established by the head of the agency;
- (ii) Developing, maintaining, and facilitating the implementation of a sound and integrated information technology architecture for the agency;
- (iii) Promoting the effective and efficient design and operation of all major information resources management processes for the agency, including improvements to work processes of the agency.
- Common Security Control
- Security control that can be applied to one or more agency information systems and has the following properties:
- (i) the development, implementation, and assessment of the control can be assigned to a responsible official or organizational element (other than the information system owner);
- (ii) the results from the assessment of the control can be used to support the security certification and accreditation processes of an agency information system where that control has been applied.
- Compensating Security Controls
- The management, operational, and technical controls (i.e., safeguards or countermeasures) employed by an organization in lieu of the recommended controls in the low, moderate, or high baselines described in NIST SP 800-53, that provide equivalent or comparable protection for an information system.
- Confidentiality
- Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
- Configuration Control
- Process for controlling modifications to hardware, firmware, software, and documentation to ensure that the information system is protected against improper modifications before, during, and after system implementation.
- Countermeasures
- Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. Synonymous with security controls and safeguards.
- Federal Enterprise Architecture [FEA Program Management Office]
- A business-based framework for government-wide improvement developed by the Office of Management and Budget that is intended to facilitate efforts to transform the federal government to one that is citizen-centered, results-oriented, and market-based.
- Federal Information System
- An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.
- General Support System
- An interconnected set of information resources under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, and people.
- High-Impact System
- An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of high.
- Information Owner
- Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.
- Information Resources
- Information and related resources, such as personnel, equipment, funds, and information technology.
- Information Security
- The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
- Information Security Policy
- Aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information.
- Information System
- A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
- Information System Owner
- Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.
- Information System Security Officer
- Individual assigned responsibility by the senior agency information security officer, authorizing official, management official, or information system owner for ensuring that the appropriate operational security posture is maintained for an information system or program.
- Information Technology
- Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency. For purposes of the preceding sentence, equipment is used by an executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency which: (i) requires the use of such equipment; or (ii) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term information technology includes computers, ancillary equipment, software, firmware, and similar procedures, services (including support services), and related resources.