DOCSLIB.ORG

An Introduction to Computer Security: the NIST Handbook

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
An Introduction to Computer Security: the NIST Handbook Archived NIST Technical Series Publication The attached publication has been archived (withdrawn), and is provided solely for historical purposes. It may have been superseded by another publication (indicated below). Archived Publication Series/Number: NIST Special Publication 800-12 Title: An Introduction to Computer Security: the NIST Handbook Publication Date(s): October 1995 Withdrawal Date: June 21, 2017 Withdrawal Note: SP 800-12 is superseded in its entirety by the publication of SP 800-12 Revision 1. Superseding Publication(s) The attached publication has been superseded by the following publication(s): Series/Number: NIST Special Publication 800-12 Revision 1 Title: An Introduction to Information Security Author(s): Michael Nieles; Kelley Dempsey; Victoria Yan Pillitteri Publication Date(s): June 2017 URL/DOI: https://doi.org/10.6028/NIST.SP.800-12r1 Additional Information (if applicable) Contact: Computer Security Division (Information Technology Laboratory) Latest revision of the SP 800-12 Rev. 1 (as of June 21, 2017) attached publication: Related information: Withdrawal N/A announcement (link): Date updated: :ƵŶĞϮϭ͕ϮϬϭϳ HATl INST. OF STAND & TECH R.I.C. NIST PUBLICATIONS AlllOB SEDS3fl NIST Special Publication 800-12 An Introduction to Computer Security: The NIST Handbook U.S. DEPARTMENT OF COMMERCE Technology Administration National Institute of Standards Barbara Guttman and Edward A. Roback and Technology COMPUTER SECURITY Contingency Assurance User 1) Issues Planniii^ I&A Personnel Trairang f Access Risk Audit Planning ) Crypto \ Controls O Managen»nt U ^ J Support/-"^ Program Kiysfcal ~^Tiireats Policy & v_ Management Security Operations i QC 100 Nisr .U57 NO. 800-12 1995 The National Institute of Standards and Technology was established in 1988 by Congress to "assist industry in the development of technology . needed to improve product quality, to modernize manufacturing processes, to ensure product reliability . and to facilitate rapid commercialization ... of products based on new scientific discoveries." NIST, originally founded as the National Bureau of Standards in 1901, works to strengthen U.S. industry's competitiveness; advance science and engineering; and improve public health, safety, and the environment. One of the agency's basic functions is to develop, maintain, and retain custody of the national standards of measurement, and provide the means and methods for comparing standards used in science, engineering, manufacturing, commerce, industry, and education with the standards adopted or recognized by the Federal Government. As an agency of the U.S. Commerce Department's Technology Administration, NIST conducts basic and applied research in the physical sciences and engineering, and develops measurement techniques, test methods, standards, and related services. The Institute does generic and precompetitive work on new and advanced technologies. NIST's research facilities are located at Gaithersburg, MD 20899, and at Boulder, CO 80303. Major technical operating units and their principal activities are listed below. For more information contact the Public Inquiries Desk, 301-975-3058. Office of the Director Manufacturing Engineering Laboratory • Advanced Technology Program • Precision Engineering • Quality Programs • Automated Production Technology • International and Academic Affairs • Intelligent Systems • Manufacturing Systems Integration Technology Services • Fabrication Technology • Manufacturing Extension Partnership • Standards Services Electronics and Electrical Engineering • Technology Commercialization Laboratory • Measurement Services • Microelectronics • Technology Evaluation and Assessment • Law Enforcement Standards • Information Services • Electricity • Semiconductor Electronics Materials Science and Engineering • Electromagnetic Fields' Laboratory • Electromagnetic Technology' • Intelligent Processing of Materials • Optoelectronics' • Ceramics • Materials Reliability' Building and Fire Research Laboratory • Polymers • Structures • Metallurgy • Building Materials • Reactor Radiation • Building Environment • Fire Safety Chemical Science and Technology • Fire Science Laboratory • Biotechnology Computer Systems Laboratory • Chemical Kinetics and Thermodynamics • Office of Enterprise Integration • Analytical Chemical Research • Information Systems Engineering • Process Measurements • Systems and Software Technology • Surface and Microanalysis Science • Computer Security • Thermophysics^ • Systems and Network Architecture • Advanced Systems Physics Laboratory • Electron and Optical Physics Computing and Applied Mathematics • Atomic Physics Laboratory • Molecular Physics • Applied and Computational Mathematics^ • Radiometric Physics • Statistical Engineering^ • Quantum Metrology • Scientific Computing Environments^ • Ionizing Radiation • Computer Services • Time and Frequency' • Computer Systems and Communications^ • Quantum Physics' • Information Systems 'At Boulder. CO 80303. ^Some elements at Boulder, CO 80303. NIST Special Publication 800-12 An IlltrOdUCtion tO CompUtCr Security: The NIST Handbook Barbara Guttman and Edward Roback COMPUTER SECURITY Computer Systems Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-0001 October 1995 U.S. Department of Commerce Ronald H. Brown, Secretary Technology Administration Mary L. Good, Under Secretary for Technology National Institute of Standards and Technology Arati Prabhakar, Director Reports on Computer Systems Technology The National Institute of Standards and Technology (NIST) has a unique responsibility for computer systems technology within the Federal government. NIST's Computer Systems Laboratory (CSL) devel- ops standards and guidelines, provides technical assistance, and conducts research for computers and related telecommunications systems to achieve more effective utilization of Federal information technol- ogy resources. CSL's responsibilities Include development of technical, management, physical, and ad- ministrative standards and guidelines for the cost-effective security and privacy of sensitive unclassified Information processed In Federal computers. CSL assists agencies in developing security plans and in Improving computer security awareness training. This Special Publication 800 series reports CSL re- search and guidelines to Federal agencies as well as to organizations In industry, government, and academia. National Institute of Standards and Technology Special Publication 800-12 Natl. Inst. Stand. Technol. Spec. Publ. 800-12, 272 pages (Oct. 1995) CODEN: NSPUE2 U.S. GOVERNMENT PRINTING OFFICE WASHINGTON: 1995 For sale by the Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402 Table of Contents I. INTRODUCTION AND OVERVIEW Chapter 1 INTRODUCTION 1.1 Purpose 3 1.2 Intended Audience 3 1.3 Organization 4 1.4 Important Terminology 5 1.5 Legal Foundation for Federal Computer Security Programs 7 Chapter 2 ELEMENTS OF COMPUTER SECURITY 2.1 Computer Security Supports the Mission of the Organization 9 2.2 Computer Security is an Integral Element of Sound Management 10 2.3 Computer Security Should Be Cost-Effective 11 2.4 Computer Security Responsibilities and Accountability Should Be Made Explicit 12 2.5 Systems Owners Have Security Responsibilities Outside Their Own Organizations 12 2.6 Computer Security Requires a Comprehensive and Integrated Approach 13 2.7 Computer Security Should Be Periodically Reassessed. 13 2.8 Computer Security is Constrained by Societal Factors. 14 iii Chapter 3 ROLES AND RESPONSIBILITIES 3.1 Senior Management 16 3.2 Computer Security Management 16 3.3 Program and Functional Managers/Application Owners 16 3.4 Technology Providers 16 3.5 Supporting Functions 18 3.6 Users 19 Chapter 4 COMMON THREATS: A BRIEF OVERVIEW 4.1 Errors and Omissions 22 4.2 Fraud and Theft 23 4.3 Employee Sabotage 24 4.4 Loss of Physical and Infrastructure Support 24 4.5 Malicious Hackers 24 4.6 Industrial Espionage 26 4.7 Malicious Code 27 4.8 Foreign Government Espionage 27 4.9 Threats to Personal Privacy 28 II. MANAGEMENT CONTROLS Chapter 5 COMPUTER SECURITY POLICY 5.1 Program Policy 35 5.2 Issue-Specific Policy 37 5.3 System-Specific Policy 40 iv 5.4 Interdependencies 42 5.5 Cost Considerations 43 Chapter 6 COMPUTER SECURITY PROGRAM MANAGEMENT 6.1 Structure of a Computer Security Program 45 6.2 Central Computer Security Programs 47 6.3 Elements of an Effective Central Computer Security Program 51 6.4 System-Level Computer Security Programs 53 6.5 Elements of Effective System-Level Programs 53 6.6 Central and System-Level Program Interactions 56 6.7 Interdependencies 56 6.8 Cost Considerations 56 Chapter 7 COMPUTER SECURITY RISK MANAGEMENT 7.1 Risk Assessment 59 7.2 Risk Mitigation 63 7.3 Uncertainty Analysis 67 7.4 Interdependencies 68 7.5 Cost Considerations 68 Chapter 8 SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE CYCLE 8.1 Computer Security Act Issues for Federal Systems 71 8.2 Benefits of Integrating Security in the Computer System Life Cycle 72 8.3 Overview of the Computer System Life Cycle 73 V 8.4 Security Activities in the Computer System Life Cycle 74 8.5 Interdependencies 86 8.6 Cost Considerations 86 Chapter 9 i ASSURANCE 9.1 Accreditation and Assurance 90 9.2 Planning and Assurance 92 9.3 Design and Implementation Assurance 92 9.4 Operational Assurance 96 9.5 Interdependencies 101 9.6 Cost Considerations 101 III. OPERATIONAL CONTROLS Chapter 10 PERSONNEL/USER ISSUES 10.1 Staffing 107 10.2 User Administration 110 10.3 Contractor Access Considerations
Load more

Recommended publications
  • Analyzing Cyber Trends in Online Financial Frauds Using Digital Forensics Techniques Simran Koul, Yash Raj, Simriti Koul
    International Journal of Innovative Technology and Exploring Engineering (IJITEE) ISSN: 2278-3075, Volume-9 Issue-9, July 2020 Analyzing Cyber Trends in Online Financial Frauds using digital Forensics Techniques Simran Koul, Yash Raj, Simriti Koul Online frauds refer to the usage of Internet services or other Abstract: Online financial frauds are one of the leading issues open-source software requiring Internet access to frame users in the fields of digital forensics and cyber-security today. Various or to otherwise take advantage of them. Finance-related flaws online firms have been employing several methodologies for the are becoming quite commonplace today. The most common prevention of finance-related malpractices. This domain of criminal activity is becoming increasingly common in the present types of online financial frauds include: cyberspace. In this paper, we will try to implement an online Phishing: Here, the fraudsters acquire users’ sensitive data financial fraud investigation using the digital forensics tool: such as passwords and credit card credentials through email Autopsy. A few existing cyber-security techniques for the messages, fraud websites, and phone calls. investigation of such crimes, namely the Formal Concept Analysis Card Skimming: This crime involves the illegal extraction and Confirmatory Factor Analysis; have been analyzed and of the user’s sensitive financial details on the magnetic stripe reviewed. These techniques are primarily based on mathematical cyber-security concepts. Henceforth, it has been tried to find out from ATMs, debit, and credit cards. This is usually done by whether the investigation of similar crimes can be done the installation of malware on the card reader used by the satisfactorily using the readily-accessible digital forensics tool: victim.
    [Show full text]
  • Operating Systems and Virtualisation Security Knowledge Area (Draft for Comment)
    OPERATING SYSTEMS AND VIRTUALISATION SECURITY KNOWLEDGE AREA (DRAFT FOR COMMENT) AUTHOR: Herbert Bos – Vrije Universiteit Amsterdam EDITOR: Andrew Martin – Oxford University REVIEWERS: Chris Dalton – Hewlett Packard David Lie – University of Toronto Gernot Heiser – University of New South Wales Mathias Payer – École Polytechnique Fédérale de Lausanne © Crown Copyright, The National Cyber Security Centre 2019. Following wide community consultation with both academia and industry, 19 Knowledge Areas (KAs) have been identified to form the scope of the CyBOK (see diagram below). The Scope document provides an overview of these top-level KAs and the sub-topics that should be covered under each and can be found on the project website: https://www.cybok.org/. We are seeking comments within the scope of the individual KA; readers should note that important related subjects such as risk or human factors have their own knowledge areas. It should be noted that a fully-collated CyBOK document which includes issue 1.0 of all 19 Knowledge Areas is anticipated to be released by the end of July 2019. This will likely include updated page layout and formatting of the individual Knowledge Areas. Operating Systems and Virtualisation Security Herbert Bos Vrije Universiteit Amsterdam April 2019 INTRODUCTION In this knowledge area, we introduce the principles, primitives and practices for ensuring security at the operating system and hypervisor levels. We shall see that the challenges related to operating system security have evolved over the past few decades, even if the principles have stayed mostly the same. For instance, when few people had their own computers and most computing was done on multiuser (often mainframe-based) computer systems with limited connectivity, security was mostly focused on isolating users or classes of users from each other1.
    [Show full text]
  • BEST PRACTICES in Anti-Terrorism Security for Sporting and Entertainment Venues RESOURCE GUIDE
    Command, Control and Interoperability Center for Advanced Data Analysis A Department of Homeland Security University Center of Excellence BEST PRACTICES in Anti-Terrorism Security for Sporting and Entertainment Venues RESOURCE GUIDE July 2013 Table of Contents Introduction to the Project ............................................................................................................7 Background...................................................................................................................................8 Identifying Best Practices in Anti-Terrorism Security in Sports Venues ......................................8 Identifying the Key Best Practices and Developing Metrics for Each .........................................11 Developing a Best Practices Resource Guide .............................................................................13 Testing the Guid e ........................................................................................................................13 Executive Summary....................................................................................................................13 Chapter 1 – Overview.................................................................................................................15 1.1 Introduction...........................................................................................................................15 1.2 Risk Assessment ...................................................................................................................15
    [Show full text]
  • 193 194 Chapter 17
    National Institute of Standards and Technology Technology Administration U.S. Department of Commerce An Introduction to Computer Security: The NIST Handbook Special Publication 800-12 User Contingency Assurance I & A Issues Planning Personnel Training Access Risk Crypto Controls Audit Planning Management Support Physical Program Threats Policy & Management Security Operations Table of Contents I. INTRODUCTION AND OVERVIEW Chapter 1 INTRODUCTION 1.1 Purpose .................................................... 3 1.2 Intended Audience .......................................... 3 1.3 Organization ............................................... 4 1.4 Important Terminology ..................................... 5 1.5 Legal Foundation for Federal Computer Security Programs . 7 Chapter 2 ELEMENTS OF COMPUTER SECURITY 2.1 Computer Security Supports the Mission of the Organization. 9 2.2 Computer Security is an Integral Element of Sound Management. .............................................. 10 2.3 Computer Security Should Be Cost-Effective. ............... 11 2.4 Computer Security Responsibilities and Accountability Should Be Made Explicit. .......................................... 12 2.5 Systems Owners Have Security Responsibilities Outside Their Own Organizations. ........................................ 12 2.6 Computer Security Requires a Comprehensive and Integrated Approach. ................................................. 13 2.7 Computer Security Should Be Periodically Reassessed. ...... 13 2.8 Computer Security is Constrained by Societal
    [Show full text]
  • Systems Security Engineering Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
    NIST Special Publication 800-160 VOLUME 1 Systems Security Engineering Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems RON ROSS MICHAEL McEVILLEY JANET CARRIER OREN This publication contains systems security engineering considerations for ISO/IEC/IEEE 15288:2015, Systems and software engineering — System life cycle processes. It provides security-related implementation guidance for the standard and should be used in conjunction with and as a complement to the standard. This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-160v1 NIST Special Publication 800-160 VOLUME 1 Systems Security Engineering Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems RON ROSS Computer Security Division National Institute of Standards and Technology MICHAEL McEVILLEY The MITRE Corporation JANET CARRIER OREN Legg Mason This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-160v1 November 2016 INCLUDES UPDATES AS OF 03-21-2018: PAGE XIII U.S. Department of Commerce Penny Pritzker, Secretary National Institute of Standards and Technology Willie May, Under Secretary of Commerce for Standards and Technology and Director SPECIAL PUBLICATION 800-160, VOLUME 1 SYSTEMS SECURITY ENGINEERING A Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems ________________________________________________________________________________________________ Authority This publication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems.
    [Show full text]
  • Malware Information
    Malware Information Source: www.onguardonline.gov Malware Quick Facts Malware, short for "malicious software," includes viruses and spyware to steal personal information, send spam, and commit fraud. Criminals create appealing websites, desirable downloads, and compelling stories to lure you to links that will download malware – especially on computers that don't use adequate security software. But you can minimize the havoc that malware can wreak and reclaim your computer and electronic information. If you suspect malware is on your computer: • Stop shopping, banking, and other online activities that involve user names, passwords, or other sensitive information. • Confirm that your security software is active and current. At a minimum, your computer should have anti-virus and anti-spyware software, and a firewall. • Once your security software is up-to-date, run it to scan your computer for viruses and spyware, deleting anything the program identifies as a problem. • If you suspect your computer is still infected, you may want to run a second anti-virus or anti-spyware program – or call in professional help. • Once your computer is back up and running, think about how malware could have been downloaded to your machine, and what you could do to avoid it in the future. Malware is short for "malicious software;" it includes viruses – programs that copy themselves without your permission – and spyware, programs installed without your consent to monitor or control your computer activity. Criminals are hard at work thinking up creative ways to get malware on your computer. They create appealing web sites, desirable downloads, and compelling stories to lure you to links that will download malware, especially on computers that don't use adequate security software.
    [Show full text]
  • Practicing a Science of Security a Philosophy of Science Perspective
    Practicing a Science of Security A Philosophy of Science Perspective Jonathan M. Spring Tyler Moore David Pym University College London The University of Tulsa University College London Gower Street 800 South Tucker Drive London WC1E 6BT London WC1E 6BT Tulsa, OK 74104-9700 Alan Turing Institute [email protected] [email protected] [email protected] ABSTRACT Experiments Structured observations of the empirical are untenable world Our goal is to refocus the question about cybersecurity re- Reproducibility Evaluate by repetition, replication, varia- search from ‘is this process scientific’ to ‘why is this scientific is impossible tion, reproduction, and/or corroboration process producing unsatisfactory results’. We focus on five No laws of common complaints that claim cybersecurity is not or can- Mechanistic explanation of phenomena nature not be scientific. Many of these complaints presume views to make nature intelligible No single associated with the philosophical school known as Logical Em- Specialization necessitates translation ontology piricism that more recent scholarship has largely modified or rejected. Modern philosophy of science, supported by mathe- ‘Just’ Both science and engineering are neces- matical modeling methods, provides constructive resources engineering sary to mitigate all purported challenges to a science of security. Table 1: Five common complaints raised by the science of cy- Therefore, we argue the community currently practices a bersecurity community and positive reframing from the phi- science of cybersecurity. A philosophy of science perspective losophy of science literature. suggests the following form of practice: structured observa- tion to seek intelligible explanations of phenomena, evaluating explanations in many ways, with specialized fields (including engineering and forensics) constraining explanations within Its proponents claim a science of security is needed for ongo- their own expertise, inter-translating where necessary.
    [Show full text]
  • Cybersecurity & Computing Innovations
    Cybersecurity & Computing Innovations: Notes In this lesson: - Online Security - Legal & Ethical Concerns - Computing Innovations Online Security: ● Personal identifiable information (PII) is information about an individual that identifies links, relates, or describes them. ● Examples of PII include: ○ Social Security Number ○ Age ○ Race ○ Phone numbers ○ Medical information ○ Financial information ○ Biometric data (fingerprint and retinal scans) ● Search engines can record and maintain a history of search made by users. ○ Search engines can use search history to suggest websites or for targeted marketing. ● Websites can record and maintain a history of individuals who have viewed their pages. ○ Devices, websites, and networks can collect information about a user’s location. ● Technology enables the collection, use, and exploitation of information about by and for individuals, groups and institutions. ● Personal data such as geolocation, cookies, and browsing history, can be aggregated to create knowledge about an individual. ● Personal identifiable information and other information placed online can be used to enhance a user’s experiences. ● Personal identifiable information stored online can be used to simplify making online purchases. ● Commercial and government curation (collection) of information may be exploited if privacy and other protections are ignored. ● Information placed online can be used in ways that were not intended and that may have a harmful effect. ○ For example, an email message may be forwarded, tweets can be retweeted, and social media posts can be viewed by potential employers. ● Personal identifiable information can be used to stalk or steal the identity of a person or to aid in the planning of other criminal acts. ● Once information is placed online, it is difficult to delete.
    [Show full text]
  • DDS Security Specification Will Have Limited Interoperability with Implementations That Do Implement the Mechanisms Introduced by This Specification
    An OMG® DDS Security™ Publication DDS Security Version 1.1 OMG Document Number: formal/2018-04-01 Release Date: July 2018 Standard Document URL: https://www.omg.org/spec/DDS-SECURITY/1.1 Machine Consumable Files: Normative: https://www.omg.org/spec/DDS-SECURITY/20170901/dds_security_plugins_spis.idl https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd https://www.omg.org/spec/DDS-SECURITY/20170901/dds_security_plugins_model.xmi Non-normative: https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance_example.xml https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions_example.xml Copyright © 2018, Object Management Group, Inc. Copyright © 2014-2017, PrismTech Group Ltd. Copyright © 2014-2017, Real-Time Innovations, Inc. Copyright © 2017, Twin Oaks Computing, Inc. Copyright © 2017, THALES USE OF SPECIFICATION – TERMS, CONDITIONS & NOTICES The material in this document details an Object Management Group specification in accordance with the terms, conditions and notices set forth below. This document does not represent a commitment to implement any portion of this specification in any company's products. The information contained in this document is subject to change without notice. LICENSES The companies listed above have granted to the Object Management Group, Inc. (OMG) a nonexclusive, royalty-free, paid up, worldwide license to copy and distribute this document and to modify this document and distribute copies of the modified version. Each of the copyright holders listed above has agreed that no person shall be deemed to have infringed the copyright in the included material of any such copyright holder by reason of having used the specification set forth herein or having conformed any computer software to the specification.
    [Show full text]
  • A Cybersecurity Testbed for Industrial Control Systems
    A Cybersecurity Testbed for Industrial Control Systems R. Candell, D.M. Anand, and K. Stouffer National Institute of Standards and Technology, Gaithersburg MD, U.S.A [rick.candell, dhananjay.anand, keith.stouffer]@nist.gov Abstract — The National Institute of Standards and Technology (NIST) is developing a cybersecurity testbed for industrial control systems (ICS). The goal of this testbed is to measure the performance of an ICS when instrumented with cybersecurity protections in accordance with practices prescribed by prevailing standards and guidelines. This paper outlines the testbed design and lists research goals, use cases, and performance metrics currently being considered. The paper is also intended to initiate discussion between control and security practitioners – two groups that have had little interaction in the past. Research outcomes from the testbed will highlight specific cases where security technologies impact control performance, as well as motivate methods by which control engineers can leverage security engineering to design control algorithms that extend safety and fault tolerance to include advanced persistent threats. Keywords — industrial control systems, robotics, chemical process control, cybersecurity, industrial security, process resilience, penetration testing, process performance, measurement science, testbed, robotics, robot control, safety, supervisory control and data acquisition (SCADA) I. Introduction Given the increasing interest in security of industrial control systems (ICS) and the evolving nature of advanced persistent threats against critical industrial infrastructure [1], the National Institute of Standards and Technology (NIST) has been actively involved in developing standards for cyber and control systems security via several standards bodies. Examples of such standards and guidelines include [2] and [3]. A research testbed, currently in development at NIST, will provide a platform on which to apply cybersecurity strategies to use cases that are practically relevant to industry.
    [Show full text]
  • Fedramp SECURITY ASSESSMENT FRAMEWORK
    FedRAMP SECURITY ASSESSMENT FRAMEWORK Version 2.4 November 15, 2017 EXECUTIVE SUMMARY This document describes a general Security Assessment Framework (SAF) for the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP is a Government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based services. FedRAMP uses a “do once, use many times” framework that intends to save costs, time, and staff required to conduct redundant Agency security assessments and process monitoring reports. FedRAMP was developed in collaboration with the National Institute of Standards and Technology (NIST), the General Services Administration (GSA), the Department of Defense (DOD), and the Department of Homeland Security (DHS). Many other Government Agencies and working groups participated in reviewing and standardizing the controls, policies and procedures. | i DOCUMENT REVISION HISTORY DATE VERSION PAGE(S) DESCRIPTION AUTHOR Major revision for NIST SP 800-53 Revision 4. 06/06/2014 2.0 All FedRAMP PMO Includes new template and formatting changes. Formatting changes throughout. Clarified distinction 12/04/2015 2.1 All between 3PAO and IA. Replaced Figures 2 and 3, and FedRAMP PMO Appendix C Figures with current images. 06/06/2017 2.2 Cover Updated logo FedRAMP PMO Removed references to CSP Supplied Path to 11/06/2017 2.3 All Authorization and the Guide to Understanding FedRAMP PMO FedRAMP as they no longer exist. 11/15/2017 2.4 All Updated to the new template FedRAMP PMO HOW TO CONTACT US Questions about FedRAMP or this document should be directed to [email protected]. For more information about FedRAMP, visit the website at http://www.fedramp.gov.
    [Show full text]
  • Cyber Security Engineering, Bs
    2016-2017 Volgenau School of Engineering CYBER SECURITY ENGINEERING, B.S. 2016 - 2017 Cyber Security Engineering is concerned with the development of cyber resilient systems which include the protection of the physical as well as computer and network systems. It requires a proactive approach in engineering design of physical systems with cyber security incorporated from the beginning of system development. Cyber security engineering is an important quantitative methodology to be used in all industries to include, but not limited to, transportation, energy, healthcare, infrastructure, finance, government (federal, state, and local), and defense. The program is focused on the cyber security engineering of integrated cyber-physical systems. This degree provides a foundation in cyber security engineering, and is most appropriate for students with a strong mathematics and science background. The program is administered by the Dean's Office, Volgenau School of Engineering. Cyber security engineers are part of integrated design and development teams for physical systems that require embedded cyber security design, working with engineers from other disciplines (e.g. civil, mechanical, electrical, systems engineers as well as computer scientists and software engineers). Cyber security engineers are engineers who know technology, but who also have in-depth exposure to the application/domain area. Not only do they provide technological solutions to cyber security problems of engineering systems posed by others, but by having an understanding of the application/domain, they can formulate potential security threats, propose appropriate solutions, and then provide leadership in the design of a system to resist and survive these threats. Because of their interdisciplinary training, cyber security engineers are expected to play an increasing role in attacking some of the most pressing current cyber security issues in the country.
    [Show full text]