White Paper

Understanding NIST 800-37 FISMA Requirements





Overview
I. The Role of NIST in FISMA Compliance
II. NIST Risk Management Framework for FISMA
III. Application Security and FISMA

The NIST Special Publications (SP) 800-series, combined with NIST's FIPS 199 and FIPS 200, create the risk-based framework which federal agencies use to assess, select, monitor and document security controls for their information systems.

NIST standards and guidelines are organized as follows:

• Federal Information Processing Standards (FIPS) are developed by NIST in accordance with FISMA. FIPS are approved by the Secretary of Commerce and are compulsory and binding for federal agencies. Since FISMA requires that federal agencies comply with these standards, agencies may not waive their use.
• Guidance documents and recommendations are issued in the NIST Special Publication (SP) 800-series. Office of Management and Budget (OMB) policies (including OMB Memorandum M-06-20, FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management) state that for other than national security programs and systems, agencies must follow NIST guidance.¹
• Other security-related publications, including interagency and internal reports (NISTIRs) and ITL Bulletins, provide technical and other information about NIST's activities. These publications are mandatory only when so specified by OMB.




II. NIST Risk Management Framework for FISMA 
NIST has created a set of standards and guides that together form a Risk Management Framework for agencies to manage organizational risk in accordance with FISMA requirements. This framework sets forth an approach to security control selection and specification that weighs effectiveness, efficiency, and constraints. Federal agencies must undertake the following steps to maintain an effective information security program:

Figure 1 NIST Framework 


• Step 1 - Define the criticality/sensitivity of the information system according to the potential impact of loss
• Step 2 - Select baseline (minimum) security controls to protect the information system; apply tailoring guidance as appropriate
• Step 3 - Use risk assessment results to supplement the tailored security control baseline as needed to ensure adequate security and due diligence
• Step 4 - Document in the security plan the security requirements for the information system and the security controls planned or in place
• Step 5 - Implement security controls; apply security configuration settings
• Step 6 - Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements)
• Step 7 - Determine risk to agency operations, agency assets, or individuals and, if acceptable, authorize information system operation
• Step 8 - Continuously track changes to the information system that may affect security controls and reassess control effectiveness
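As an added worked example (not part of the white paper), the following script carries out Step 1 and the first half of Step 2: it applies the FIPS 199 high-water-mark rule to categorize a system from the information types it carries, derives the FIPS 200 overall impact level, and names the SP 800-53 baseline that level selects before any tailoring. The information types, their impact levels and the function names are constructed for illustration, not taken from any NIST catalog or agency system.

```python
"""FIPS 199 security categorization and FIPS 200 baseline selection.

Added example; not part of the NIST white paper. The information types
and impact levels below are constructed sample data.
"""
from dataclasses import dataclass

# FIPS 199 impact levels, ordered so that max() gives the high-water mark.
LEVELS = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its FIPS 199 impact per security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for obj in OBJECTIVES:
            lvl = getattr(self, obj)
            if lvl not in LEVELS:
                raise ValueError(f"{self.name}: bad impact level {lvl!r} for {obj}")
            # FIPS 199 permits "not applicable" (public information) for
            # confidentiality only; integrity and availability are always rated.
            if lvl == "NA" and obj != "confidentiality":
                raise ValueError(f"{self.name}: NA is only valid for confidentiality")


def categorize_system(info_types):
    """Return the system security category as {objective: level}.

    High-water mark (FIPS 199): for each objective, take the highest impact
    among all information types on the system. A system never drops below
    LOW for any objective, so an NA confidentiality rating still yields LOW.
    """
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    names = {v: k for k, v in LEVELS.items()}
    category = {}
    for obj in OBJECTIVES:
        top = max(LEVELS[getattr(t, obj)] for t in info_types)
        category[obj] = names[max(top, LEVELS["LOW"])]  # system floor is LOW
    return category


def overall_impact(category):
    """FIPS 200: the system impact level is the highest of the three objectives."""
    return max(category.values(), key=LEVELS.__getitem__)


def select_baseline(category):
    """Name the SP 800-53 baseline chosen by the overall impact (Step 2, pre-tailoring)."""
    return f"{overall_impact(category)} baseline"


def sc_string(category):
    """Render the category in FIPS 199 notation: SC = {(objective, level), ...}."""
    return "SC = {" + ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES) + "}"


# Constructed sample: a public portal that also carries case files and
# an emergency-dispatch status feed. Hypothetical data.
SAMPLE_SYSTEM = [
    InfoType("public press releases", "NA", "MODERATE", "LOW"),
    InfoType("citizen case files", "MODERATE", "MODERATE", "LOW"),
    InfoType("emergency dispatch status", "LOW", "HIGH", "HIGH"),
]

if __name__ == "__main__":
    cat = categorize_system(SAMPLE_SYSTEM)
    print(sc_string(cat))
    print("overall impact:", overall_impact(cat), "->", select_baseline(cat))
```

The point the aggregation makes is that a single HIGH-integrity, HIGH-availability information type drags the whole system to the HIGH baseline even though most of its data is public or moderate; this is why agencies often split such feeds into separate systems before categorization. Tailoring (the rest of Step 2) and supplementing from risk-assessment results (Step 3) are judgment steps and are deliberately not modelled here.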



III. Application Security and FISMA 
Federal agencies have aggressively moved towards an eGovernment model, adapting and migrating ...
