Archive for fisma

Federal Cyber-Security

NIST (National Institute of Standards and Technology) has provided Federal Agencies with all the tools they need to get cyber-security done right. But obviously, it’s not being done right yet at most agencies. Why not? Failure to understand the threat level – this was certainly once the top problem… maybe not so much anymore with [...]

800-53 rev3 FINAL

NIST has released the final copy of SP 800-53 rev3 “Recommended Security Controls for Federal Information Systems and Organizations”. This document is the encyclopedia of security controls for federal agencies and this is the third revision since it was originally released in 2005. The impact level baseline information bar that was removed in the Final [...]

800-53 rev3 FPD

The new revision of NIST SP 800-53 (rev3) is now in FINAL Public Draft (FPD) and should be published in final form soon. When NIST moves a draft document from IPD status to FPD status, the changes are often few as the document is nearly ready for final publishing. In this case, however, the changes [...]

Policy and Procedure

Each of the seventeen families of security controls found in 800-53 contains a first control that requires the development of policy and procedures for that specific family of controls. Here is an example from the PL family:
800-53 security control PL-1 SECURITY PLANNING POLICY AND PROCEDURES
Control: The organization develops, disseminates, and periodically reviews/updates: (i) [...]

Categorization and Baseline Selection

Categorization is the process of selecting an Impact Level according to FIPS 199, which is a public law and must be adhered to. FIPS 199 sets three impact levels of HIGH, MODERATE and LOW. They are selected according to a consideration of the potential impact level on an organization if a security event jeopardizes the [...]

Risk Analysis

Control Analysis
Likelihood Determination
Impact Analysis
Risk Determination

Processes and Controls

Here are some processes across the SDLC Framework and related controls.

The Framework

The SDLC framework is a multi-step outline that describes the life cycle of an information system.

Description of 800-53 Controls

Each control in 800-53 has the following components:

FISMA and FIPS

FISMA – Federal Information Security Management Act of 2002 (aka Title III of E-Govt Act of 2002, pub law 107-347)
Key documents associated with FISMA:
FIPS 199 – Security Categorization – [csrc.nist.gov]
FIPS 200 – Minimum Security Requirements – [csrc.nist.gov]
NIST SP 800-53 – Security Controls – [csrc.nist.gov]
SEE ALSO: Introduction to 800-53 Controls FIPS [...]