Part 2: Cybersecurity and the U.S. Government

Part 2 of this tutorial overview of cybersecurity (sometimes called information security or information assurance) discusses the prominent role of the U.S. Government in this field. The reader will become acquainted with non-national security organizations such as US-CERT, and with commonly encountered terms and references such as FISMA, FIPS, NIST SP 800-53, TIC 2.0, MTIPS, Einstein, etc.

Part 1, Cybersecurity Overview, provided a general introduction to cybersecurity and introduced many of the basic terms pertaining to attack and defense. Part 3 looks at elements of cybersecurity (or information assurance, IA) pertaining to the U.S. Department of Defense (DoD).

Introduction to FISMA

Facing the rising impact of the Internet and the growing importance of information security to U.S. interests, Congress passed the E-Government Act of 2002, whose Title III, the Federal Information Security Management Act (FISMA), established an active role for the U.S. government in promoting cybersecurity. Formally, the U.S. government refers to cybersecurity as information security.

FISMA (44 U.S.C., Section 3542) requires federal agencies to develop, document, and maintain agency-wide programs that provide information security, cost-effectively and to a level of acceptable risk, for the information and information systems that support agency operations and assets, including those provided by external parties. FISMA also assigned specific information security responsibilities across the Government, notably to the National Institute of Standards and Technology (NIST), the Department of Homeland Security (DHS), and the Office of Management and Budget (OMB). The Federal Information Security Modernization Act of 2014, which updated FISMA, codified DHS’ role in developing and administering security policies and in overseeing compliance with them.

FISMA defined three security objectives for information and information systems: Confidentiality, Integrity, and Availability (referenced as CIA or C, I and A):

  • Confidentiality: “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” A loss of confidentiality is the unauthorized disclosure of information.
  • Integrity: “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…” A loss of integrity is the unauthorized modification or destruction of information.
  • Availability: “Ensuring timely and reliable access to and use of information…” A loss of availability is the disruption of access to or use of information or an information system.

These objectives are referenced throughout Government cybersecurity activities, now including those of the Department of Defense.

Key U.S. Government Cybersecurity Organizations (non-national security)

The U.S. Government is highly active in issuing warnings and recommended responses to newly discovered cyber threats, as well as in the development and distribution of cybersecurity standards. Two prominent non-national security organizations are “US-CERT” and “NIST CSD”.

US-CERT

The DHS is responsible for protecting the nation’s critical infrastructure from physical and cyber threats. The United States Computer Emergency Readiness Team (US-CERT) is the 24-hour operational arm of the DHS’ National Cybersecurity and Communications Integration Center (NCCIC). The NCCIC website contains an organizational chart showing US-CERT and its peer organizations. US-CERT leads efforts to improve the nation’s cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks to the nation.

US-CERT distributes vulnerability and threat information through its National Cyber Awareness System (NCAS), sponsors a Vulnerability Notes Database that provides technical descriptions of system vulnerabilities, and co-sponsors the Common Vulnerabilities and Exposures (CVE) dictionary of publicly known information security vulnerabilities and exposures. You may see vulnerabilities described as having a Common Vulnerability Scoring System (CVSS) score on a 0 to 10 scale, with 10 being the most severe. CVSS is an open and standardized method for rating IT vulnerabilities, and so for suggesting the urgency of a response. It is produced by the Forum of Incident Response and Security Teams (FIRST), an international consortium of trusted computer incident response teams.

US-CERT also operates the National Cybersecurity Protection System (NCPS), operationally known as Einstein, which provides intrusion detection and prevention capabilities to covered federal departments and agencies. A visit to US-CERT’s website will prove highly informative – and possibly a little unsettling.

NIST CSD

Among the duties of NIST, part of the U.S. Department of Commerce, is the advancement of standards and technology. Within NIST’s Information Technology Laboratory (ITL) is the Computer Security Division (CSD), which is responsible for developing standards, guidelines, tests and metrics for the protection of non-national security federal information and communications infrastructure. Many of the standards discussed herein were developed within CSD and are available from the Computer Security Resource Center.

NIST CSD also maintains the United States Government Configuration Baseline (USGCB), a set of security configuration settings for widely used operating systems and applications, published as SCAP content together with pre-configured, security-hardened virtual machine images for testing. USGCB is a form of Secure Host Baseline (SHB) and is akin to the DoD Security Technical Implementation Guides (STIGs), which are discussed in Part 3.

NIST CSD maintains a thorough dictionary of cybersecurity terms that is a great source to tap should you need something defined; for example, the NIST definition of an Advanced Persistent Threat.

Fundamental NIST Security Standards and Guidelines in Government Information Security

FISMA tasked NIST with producing several foundational security standards and guidelines for the Government. Now well known, these publications include Federal Information Processing Standards (FIPS) PUBS 199 and 200 (“FIPS 199 and FIPS 200”, both mandated by FISMA), and NIST Special Publications (SP) 800-37, 800-39, 800-53, 800-53A, 800-59, 800-60 and 800-137. These are listed below, and Figure 1 depicts their applicability within the Risk Management Framework (RMF) set forth in SP 800-37:

(For reference: hyperlinks to all FIPS and all NIST SP 800 series publications.)


Figure 1. Foundational standards in the Risk Management Framework.

We will explore FIPS 199, FIPS 200 and SP 800-53 as they are so widely referenced. Summarizing them:

  • FIPS 199: sets forth security categorization standards for information and information systems and requires agencies to categorize their systems, and defines three levels of potential impact (LOW, MODERATE, HIGH) on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability).
  • FIPS 200: specifies minimum security requirements for information and information systems supporting federal government executive agencies, and a risk-based process for selecting the security controls necessary to satisfy the minimum security requirements.
  • SP 800-53: provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of FIPS 200. (Security controls are safeguards or countermeasures prescribed to protect the confidentiality, integrity, and availability of an information system and its information.) SP 800-53 also serves as the baseline for security controls for National Security Systems (NSS).

In terms of process flow, an organization first determines the security category of its information system in accordance with FIPS 199; then derives the information system impact level (LOW, MODERATE, or HIGH) from that security category in accordance with FIPS 200; and then applies the appropriately tailored set of baseline security controls from SP 800-53. Steps 4 and 5 of Figure 1 (Assess and Authorize) correspond to what was formerly called Certification and Accreditation (C&A).

FIPS 199: Standards for Security Categorization of Federal Information and Information Systems (February 2004)

FIPS 199 establishes standards, for use by federal agencies, for categorizing information and information systems by potential impact level, so that each receives a level of information security appropriate to its risk. It defines three levels of potential impact (LOW, MODERATE, HIGH) on organizations or individuals should there be a breach of security (i.e., a loss of Confidentiality, Integrity, or Availability – C, I or A). Potential impact is:

  • LOW if the loss of C, I or A could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  • MODERATE if the loss of C, I or A could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  • HIGH if the loss of C, I or A could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

These definitions are applied within the context of the organization and the overall national interest.

FIPS 199 sets forth generalized formats for expressing the Security Category (SC) of an information type or of an information system as follows:

SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)},

where the acceptable values for potential impact are LOW, MODERATE, HIGH, or NOT APPLICABLE, but NOT APPLICABLE can only apply to confidentiality.

An example for an information type of an SC determination taken from FIPS 199:

“A law enforcement organization managing extremely sensitive investigative information determines that the potential impact from a loss of confidentiality is high, the potential impact from a loss of integrity is moderate, and the potential impact from a loss of availability is moderate. The resulting security category, SC, of this information type is expressed as:

SC investigative information = {(confidentiality, HIGH), (integrity, MODERATE), (availability, MODERATE)}.”

SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)},

where the acceptable values for potential impact are LOW, MODERATE, or HIGH. Note that the SC of an information system follows the concept of a high water mark. This concept is employed because of the significant dependencies among the security objectives of C, I and A. In most cases, a compromise in one security objective ultimately affects the others. Therefore, in a low-impact information system, all three of the security objectives are low, and in a moderate-impact information system at least one of the security objectives is moderate and no security objective is greater than moderate. Accordingly, in a high-impact information system at least one security objective is high.

The following example, also taken directly from FIPS 199, shows SC determination for an information system. It illustrates both the high water mark that applies to systems and the fact that a security category may be raised when the situation merits it:

“A power plant contains a SCADA (supervisory control and data acquisition) system controlling the distribution of electric power for a large military installation. The SCADA system contains both real-time sensor data and routine administrative information. The management at the power plant determines that: (i) for the sensor data being acquired by the SCADA system, there is no potential impact from a loss of confidentiality, a high potential impact from a loss of integrity, and a high potential impact from a loss of availability; and (ii) for the administrative information being processed by the system, there is a low potential impact from a loss of confidentiality, a low potential impact from a loss of integrity, and a low potential impact from a loss of availability. The resulting security categories, SC, of these information types are expressed as:

SC sensor data = {(confidentiality, NA), (integrity, HIGH), (availability, HIGH)}, and,

SC administrative information = {(confidentiality, LOW), (integrity, LOW), (availability, LOW)}.

The resulting security category of the information system is initially expressed as:

SC SCADA system = {(confidentiality, LOW), (integrity, HIGH), (availability, HIGH)},

representing the high water mark or maximum potential impact values for each security objective from the information types resident on the SCADA system. However, the management at the power plant chooses to increase the potential impact from a loss of confidentiality from low to moderate reflecting a more realistic view of the potential impact on the information system should there be a security breach due to the unauthorized disclosure of system-level information or processing functions. The final security category of the information system is expressed as:

SC SCADA system = {(confidentiality, MODERATE), (integrity, HIGH), (availability, HIGH)}.”

Therefore, this SCADA system is a HIGH-impact information system because at least one security objective is HIGH (indeed, two of the three are HIGH).
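To make the categorization rules concrete, here is an added example, written for this tutorial rather than taken from FIPS 199 or NIST, that applies the rules above to the two worked examples: it categorizes information types, rejects NOT APPLICABLE anywhere but confidentiality, derives a system's category as the per-objective high water mark with a LOW floor, lets management raise an objective as the power plant did, and then derives the FIPS 200 impact level. The function names and the `adjustments` parameter are this example's own modelling choices; FIPS 199 prescribes no code.

```python
"""FIPS 199 security categorization with the high water mark rule.

Added example for this tutorial; not code from FIPS 199 or NIST. The impact
values, the NA-only-for-confidentiality rule and the high water mark follow
the text. The `adjustments` parameter (management raising an objective, as
in the SCADA example) is this example's own modelling choice.
"""
from enum import IntEnum


class Impact(IntEnum):
    """Potential impact values, ordered so that max() yields the high water mark."""
    NA = 0          # NOT APPLICABLE: allowed only for confidentiality of an information type
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_type(confidentiality, integrity, availability):
    """Security category of one information type, as a dict keyed by objective.

    FIPS 199 permits NOT APPLICABLE only for confidentiality, so NA on
    integrity or availability is rejected.
    """
    sc = {"confidentiality": Impact(confidentiality),
          "integrity": Impact(integrity),
          "availability": Impact(availability)}
    for objective in ("integrity", "availability"):
        if sc[objective] is Impact.NA:
            raise ValueError(f"NOT APPLICABLE is not permitted for {objective}")
    return sc


def categorize_system(info_types, adjustments=None):
    """Security category of an information system (high water mark).

    For each objective, take the maximum impact across all information types
    resident on the system. A system never carries NA: its floor is LOW.
    `adjustments` (this example's assumption) lets management raise an
    objective above the high water mark; lowering it is rejected.
    """
    sc = {}
    for objective in OBJECTIVES:
        hwm = max((t[objective] for t in info_types), default=Impact.LOW)
        sc[objective] = max(hwm, Impact.LOW)
    for objective, value in (adjustments or {}).items():
        if value < sc[objective]:
            raise ValueError(
                f"cannot lower {objective} below its high water mark {sc[objective].name}")
        sc[objective] = Impact(value)
    return sc


def impact_level(system_sc):
    """System impact level per FIPS 200: the highest of the three objective values."""
    return max(system_sc[o] for o in OBJECTIVES)


def format_sc(label, sc):
    """Render a category in the FIPS 199 notation used in the text."""
    body = ", ".join(f"({o}, {sc[o].name})" for o in OBJECTIVES)
    return f"SC {label} = {{{body}}}"


if __name__ == "__main__":
    # The power plant SCADA example quoted above, reproduced from the text.
    sensor = categorize_type(Impact.NA, Impact.HIGH, Impact.HIGH)
    admin = categorize_type(Impact.LOW, Impact.LOW, Impact.LOW)
    print(format_sc("sensor data", sensor))
    print(format_sc("administrative information", admin))

    initial = categorize_system([sensor, admin])
    print(format_sc("SCADA system (initial)", initial))
    # Management raises confidentiality from LOW to MODERATE.
    final = categorize_system([sensor, admin],
                              adjustments={"confidentiality": Impact.MODERATE})
    print(format_sc("SCADA system (final)", final))
    print("Impact level:", impact_level(final).name)
```

Running the script prints the two information-type categories exactly as FIPS 199 writes them, the initial system category {LOW, HIGH, HIGH}, the adjusted category {MODERATE, HIGH, HIGH}, and an impact level of HIGH. Note that the floor of LOW in `categorize_system` is what turns the sensor data's NA confidentiality into LOW at the system level, which is why the system's acceptable values exclude NOT APPLICABLE.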

For its importance and as often as it is cited, examining FIPS 199 might be time well spent as it is straightforward and only a few pages in length.

FIPS 200: Minimum Security Requirements for Federal Information and Information Systems (March 2006)

FIPS 200 specifies minimum security requirements for information and information systems supporting the executive agencies of the federal government and a risk-based process for selecting the security controls necessary to satisfy the minimum security requirements.

The minimum security requirements cover 17 security-related areas (families) with regard to protecting the confidentiality, integrity and availability of federal information systems and the information processed, stored, and transmitted by those systems. These 17 families represent a broad-based, balanced information security program that addresses the management, operational, and technical aspects of protecting federal information and information systems. The security control families, with their identifiers (which are used and seen frequently), are:

(Table: Security control families, with identifiers, defined in FIPS 200 and used in NIST SP 800-53.)

Definitions for the families are in the FIPS 200 specification, but, as an example, the definition of Access Control (AC) is:

Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.

After deriving the minimum security requirements from FIPS 200, organizations must satisfy them by selecting the appropriate security controls and assurance requirements described in SP 800-53. This means that LOW impact information systems will have to satisfy the low-impact control set in SP 800-53, and the MODERATE and HIGH impact information systems will have to meet their respective SP 800-53 control sets.

FIPS 200 is also cited often, so examining it might be time well spent – it also is straightforward and only a few pages in length.

SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations (Rev. 4, April 2013 and updated January 2014)

The combination of FIPS 200 and SP 800-53 ensure that appropriate security requirements and security controls are applied to all federal information and information systems. As noted above, security controls are safeguards or countermeasures prescribed to protect the confidentiality, integrity, and availability of an information system and its information. For example, the requirement to change a password is a very simple control. Controls can be management, operational, or technical in nature.

SP 800-53 provides a comprehensive set of security controls, three security control baselines (LOW, MODERATE, and HIGH impact), and guidance for tailoring the appropriate baseline to specific needs according to the organization’s missions, environments of operation, and technologies used. The controls are grouped within the 17 families defined in FIPS 200, plus an 18th one, Program Management, PM.

SP 800-53 is a fundamental reference document for information security controls across the government. It is used as the basis for the Federal Risk and Authorization Management Program (FedRAMP), the government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP is discussed further below.

SP 800-53 is now the basis for security controls for DoD systems with Committee on National Security Systems Instruction (CNSSI) 1253 providing guidance for additional controls, which is discussed in Part 3.

Despite its fundamental role and size, SP 800-53 is well conceived and organized, readable, and informative. Much of the information is presented in tables that follow the security control families defined in FIPS 200. We provide images of portions of some of the tables to help you gain a sense of SP 800-53’s layout.

In Appendix D, Security Control Baselines – Summary, implementation priorities are introduced and summarized in Table D-1, which is replicated below:

SP 800-53 Table D-1: Security Control Prioritization Codes.


Lengthy Table D-2 provides a summary of the security controls and control enhancements for the 17 families introduced in FIPS 200. These controls and control enhancements are taken from the (large) Appendix F, Security Control Catalog, and have been allocated to the initial security control baselines (i.e., LOW, MODERATE, and HIGH). The image below of a portion of Table D-2 shows the controls associated with the first control family, Access Control (AC), and which controls must be implemented per LOW, MODERATE and HIGH control baselines. For example, for AC-2, Account Management, we see that for the LOW baseline, the basic AC-2 Control (detailed in Appendix F) must be implemented, and for the MODERATE and HIGH baselines, not only must this basic AC-2 Control be implemented, but also several Control Enhancements (numbered in parentheses), which also are detailed in Appendix F. Appendix F also presents Supplemental Guidance per Control and per Control Enhancement.

SP 800-53 Table D-2 (Partial): Security Controls for Access Control (AC).

Tables D-3 through D-19 present details of Control Enhancements per control family. As an example, here is the Control Enhancement table for Risk Assessment (RA):

SP 800-53 Table D-16: Control Enhancements for Risk Assessment (RA).


SP 800-53 Appendices G and J define other control families. Controls in these families are applied regardless of the system’s FIPS 199 categorization. Appendix G, Information Security Programs, defines the Program Management (PM) Controls, which provide controls for information security programs themselves. Appendix J, Privacy Control Catalog, defines several privacy control families: Authority and Purpose (AP); Accountability, Audit, and Risk Management (AR); Data Quality and Integrity (DI); Data Minimization and Retention (DM); Individual Participation and Redress (IP); Security (SE); Transparency (TR); and Use Limitation (UL).

Appendix H, International Information Security Standards, presents security control mappings between SP 800-53 and ISO/IEC 27001 and 15408. Quoting Appendix H: “The mapping tables in this appendix provide organizations with a general indication of security control coverage with respect to ISO/IEC 27001, Information technology–Security techniques–Information security management systems–Requirements and ISO/IEC 15408, Information technology — Security techniques — Evaluation criteria for IT security.”

As mentioned, despite its size, SP 800-53 is a highly readable, well-ordered document, and worth a review.

FedRAMP

As noted, the Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach promotes a “do once, use many times” framework that saves cost, time, and staff required to conduct redundant agency security assessments.

FedRAMP’s security control baselines for LOW, MODERATE and (as of June 2016) HIGH impact systems take the SP 800-53 baselines as their basis and add further controls and enhancements to address the unique elements of cloud computing. The original FedRAMP baselines were built on SP 800-53 Rev. 3; the FedRAMP Program Management Office (PMO) has since transitioned to Rev. 4 and now accepts only materials aligned to the Rev. 4 baselines. (We will note in Part 3 that for Department of Defense cloud security, the Defense Information Systems Agency (DISA) specifies further controls and enhancements beyond the FedRAMP controls.)

In the model, Cloud Service Providers (CSPs) must implement the FedRAMP security requirements in their environment and then engage a FedRAMP-accredited Third Party Assessment Organization (3PAO) to perform an independent assessment of the cloud system and produce a security assessment package for review. The FedRAMP Joint Authorization Board (JAB) reviews security assessment packages on a prioritized basis and may grant a Provisional Authority to Operate (P-ATO). A CSP may instead pursue a narrower, agency-sponsored ATO. Federal agencies can reuse a CSP’s authorization package when granting their own ATO, saving time and money.

As a part of the FedRAMP requirements, Federal agencies must implement a continuous monitoring program for any cloud system they deploy.

The FedRAMP website has a documents section where you can pull a Guide to Understanding FedRAMP.

Trusted Internet Connections

In November 2007, the OMB launched (Memorandum M-08-05) the Trusted Internet Connection (TIC) initiative toward creating a common Internet solution for the Government. Benefits of doing so would be the optimization and standardization of the security of external network connections, and a reduction in the number of Internet points of presence. The initiative included an enhanced role for US-CERT in improving the Government’s cybersecurity posture vis-à-vis the Internet.

Agencies can secure Internet access in one of three ways: become a TIC Access Provider (TICAP), as envisioned for larger agencies; participate through a multi-service TICAP; or procure a managed security service, Managed Trusted Internet Protocol Service (MTIPS), from a provider certified and authorized by the General Services Administration (GSA) through the GSA Networx contract. Working with cross-agency teams, the DHS released an original reference architecture and then an updated version, the Trusted Internet Connections (TIC) Reference Architecture Document Version 2.0 (TIC 2.0). The Conceptual TIC Architecture, reproduced from that document, is shown below. As of June 2015, the FedRAMP PMO and the TIC Initiative were examining a FedRAMP-TIC Overlay to give agencies more flexibility as they move to the cloud; the overlay would allow mobile users to connect directly to federal cloud systems without passing through a TICAP or MTIPS.


Figure 2. TIC conceptual architecture.

Figure 3 below, also from the document, highlights the security pattern and operational framework for dealing with external traffic. Note the correspondence of many of the functions to topics discussed in Part 1, Cybersecurity Overview.


Figure 3. TIC 2.0 security pattern and operational framework for external traffic.

Shown in Figure 3, the National Cybersecurity Protection System (NCPS), operationally known as Einstein (or EINSTEIN), is an integrated system-of-systems that delivers intrusion detection, analytics, intrusion prevention, and information sharing. Einstein 1 only monitored traffic (network flow records). Einstein 2 added signature-based detection of unwanted or suspicious traffic. Einstein 3 Accelerated (E3A) goes further: it prevents intrusions and exfiltrations by known bad actors and can identify them using classified threat indicators. E3A is the platform on which new technology for blocking suspected bad actors will be deployed.

These capabilities provide a technological foundation that enables the DHS to secure and defend the federal civilian government’s information technology infrastructure against advanced cyber threats. As a complement to Einstein, DHS and GSA manage the Continuous Diagnostics and Mitigation (CDM) Program, under which Continuous Monitoring as a Service (CMaaS) is made available to civilian “.gov” organizations. There are CDM pages on the DHS and GSA websites, but many find US-CERT’s CDM page more informative.

Summary of Part 2

Part 2 of our three-part cybersecurity tutorial has focused on the role of the civilian side of the U.S. Government in fostering and promoting cybersecurity. If you want to watch the video version of Part 2, look for it at the bottom of the cybersecurity landing page.

The passage of the E-Government Act, including FISMA, created the basis for an active Government role in cybersecurity. Key civilian organizations we have looked at are US-CERT within the DHS, and the Computer Security Division within NIST. The latter is the focal point for the development of cybersecurity standards, and we have noted many of the foundational ones, including discussions of FIPS 199, FIPS 200 and SP 800-53 (security controls) and the overall RMF. SP 800-53 has become the baseline security controls standard upon which FedRAMP and Department of Defense build.

OMB’s TIC initiative has moved the civilian side of the Government toward a common Internet solution and more secure Internet access. Part 3 examines elements pertaining to the U.S. Department of Defense.

© Solutions Reservoir LLC. Bethesda, MD, USA