Nist Sp 800-59
Total Page:16
File Type:pdf, Size:1020Kb
Guideline for Identifying an Information System as a National Security System NIST Special Publication 800-59 Guideline for Identifying an Information System as a National Security System William C. Barker I N F O R M A T I O N S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 August 2003 U.S. Department of Commerce Donald L. Evans, Secretary Technology Administration Phillip J. Bond, Under Secretary of Commerce for Technology National Institute of Standards and Technology Arden L. Bement, Jr., Director Guideline for Identifying an Information System as a National Security System Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure for information technology. ITL develops tests, test methods, reference data, proof of concept implementations and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in federal computer systems. This Special Publication 800 series reports on ITL’s research, guidance, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations. National Institute of Standards and Technology, Special Publication 800-59 Natl. Inst. Stand. Technol. Spec. Publ. 800-59, 21 pages (August 2003) SP 800-59 PAGE ii Guideline for Identifying an Information System as a National Security System GUIDELINE FOR IDENTIFICATION OF INFORMATION SYSTEMS AS NATIONAL SECURITY SYSTEMS Table of Contents Table of Contents.....................................................................................iii 1.0 Introduction ........................................................................................1 2.0 Basis for Identification of National Security Systems............................3 3.0 Method for Identifying National Security Systems...............................5 3.1 Determination of Responsibilities............................................................................. 5 3.2 National Security System Identification Checklist ................................................... 6 3.3 Dispute Resolution.................................................................................................... 6 Appendix A: National Security System Identification Checklist..................7 A.1 Minimum Question Set ........................................................................................... 7 A.1.1 Intelligence Activities ....................................................................................... 7 A.1.2 Cryptologic Activities ....................................................................................... 8 A.1.3 Command and Control of Military Forces........................................................ 8 A.1.4 Weapons and Weapons Systems ....................................................................... 8 A.1.5 Systems Critical to the Direct Fulfillment of Military or Intelligence Missions ..................................................................................................................................... 8 A.1.6 Classified Systems ............................................................................................ 9 A.2 Optional Checklist Material..................................................................................... 9 A.3 Checklist................................................................................................................ 10 Appendix B: References.......................................................................... 11 Appendix C: Glossary of Terms .............................................................. 13 SP 800-59 PAGE iii Guideline for Identifying an Information System as a National Security System This page intentionally left blank. SP 800-59 PAGE iv Guideline for Identifying an Information System as a National Security System 1.0 Introduction This document provides guidelines developed in conjunction with the Department of Defense, including the National Security Agency, for identifying an information system as a national security system. The basis for these guidelines is the Federal Information Security Management Act of 2002 (FISMA, Title III, Public Law 107-347, December 17, 2002), which provides government-wide requirements for information security, superseding the Government Information Security Reform Act and the Computer Security Act. FISMA both provides a framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets and provides for the maintenance of minimum controls required to protect Federal information and information systems. Federal agencies are responsible for providing information security protection of information collected or maintained by or on behalf of the agency and information systems used or operated by or on behalf of the agency. The head of each Federal agency is also responsible for (1) assessing the risk and magnitude of the harm that could result from unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems that support operations or assets under their control; (2) determining the levels of information security appropriate to protect such information and information systems; (3) implementing policies and procedures to cost-effectively reduce risks to an acceptable level; and (4) periodically testing and evaluating information security controls and techniques to ensure that they are effectively implemented. Except for national security systems as defined by FISMA, the Secretary of Commerce is responsible for prescribing standards and guidelines pertaining to Federal information systems on the basis of standards and guidelines developed by NIST. The Committee on National Security Systems (CNSS) along with Federal agencies that operate systems falling within the definition of national security systems provide security standards and guidance for national security systems. In addition to defining the term national security system FISMA amended the NIST Act, at 15 U.SC. 278g-3(b)(3), to require NIST to provide guidelines for identifying an information system as a national security system. As stated in the House Committee report, “This guidance is not to govern such systems, but rather to ensure that agencies receive consistent guidance on the identification of systems that should be governed by national security system requirements.” Report of the Committee on Government Reform, U. S House of Representatives, Report 107-787, November 14, 2002, p. 85. The Department of Defense and the Director, Central Intelligence have authority to develop policies, guidelines, and standards for national security systems. The Director, Central Intelligence is responsible for policies relating to systems processing intelligence information. The Committee for National Security Systems, whose executive agent is the National Security Agency, was established to develop operating policies, procedures, guidelines, instructions and standards as necessary to implement provisions of the National Policy for the Security of National Security Telecommunications and SP 800-59 PAGE 1 Guideline for Identifying an Information System as a National Security System Information Systems (see NSTISSD Number 502). The Director of the Office of Management and Budget (OMB) retains responsibility for oversight of national security system information security policies and practices with respect to: • Overseeing agency compliance with the requirements of Subchapter III of Chapter 35 of Title 44, United States Code, including through any authorized action under Title 40, United States Code, section 11303, to enforce accountability for compliance with such requirements; and • Reporting to Congress no later than March 1 of each year on agency compliance with the requirements of Subchapter III of Chapter 35 of Title 44 United States Code, including – o A summary of the findings of evaluations required by 44 U.S.C. 3545; o An assessment of the development, promulgation, and adoption of, and compliance with, standards developed under 15 USC 278g-3 and promulgated under 40 U.S.C. 11331; o Significant deficiencies in agency information security practices; o Planned remedial action to address such deficiencies; and o A summary of, and OMB views on, the report prepared by NIST under 15 USC 278g-3. Accordingly, the purpose of these guidelines is not to establish requirements for national security systems, but rather to assist agencies in determining which, if any, of their systems are national security systems as defined by FISMA and are to be governed by applicable requirements for such systems, issued in accordance with law and as directed by the President. SP 800-59 PAGE 2 Guideline for Identifying an Information System as a National Security System 2.0 Basis for Identification of National Security Systems The basis for the identification of 'national security systems' is the definition provided in law (44 U.S.C. 3542(b)(2), which was established by FISMA, Title III, Public