Information Assurance and the United States, GCSE Coursework Example
Abstract
Certification and Accreditation (C&A) has historically played a pivotal role in information security and management. This is due in large part to the Federal Information Security Management Act of 2002 (FISMA), a United States federal law enacted in 2002. To date, the policies put in place to enforce FISMA, specifically the certification and accreditation protocols within federal information security management, have not been followed. The primary problem is the way the present C&A policy is structured to manage information security: the U.S. Government’s security policies do not have the necessary guidelines in place to run an efficient certification and accreditation system. This can include software, computer hardware, firmware, the environment, or even people. Assessment and Authorization (A&A) provides the opportunity for these components to operate under single, controlled administrative oversight in order to achieve the best possible result from an intended objective. A&A should accomplish the development of key security standards and guidelines in order to support system compliance with FISMA. The following will assess the nature of A&A and the faulty way in which it has been implemented by government agencies, as well as methods through which A&A protocols can be improved for quality results. In doing this research, I found that the letter of the law is not comprehensive and conscious of the real application necessary for A&A. A&A should be executed and monitored as frequently as necessary without taking up too much time or leading to unnecessary bureaucracy. To cut through red tape, the certification and accreditation process within the government should be consolidated to a few trusted sources, through which all material can be secured.
I personally think that to improve the standards of care with which the federal government secures information, it is necessary to satisfy some fundamental needs that would be relevant for any business facing information security issues. One core argument I found often mentioned was that there is a lack of incentive for government employees to comply with FISMA, and this was largely attributed to the fact that government agencies tend to have limited funding. Corporations in the private sector, on the other hand, already have their incentive integrated within their actions, as the more secure their information, the better competitive edge they have within their industries. Higher quality A&A initiatives lead to better profits. For this reason I recommend that federal agencies sparingly run trial periods of outsourcing A&A completely to third parties, while the majority of other agencies keep maintaining A&A in-house to experiment with more innovative guidelines.
Why A&A is desirable
Assessment and Authorization is desirable because it enables FISMA legislation to meet core objectives which focus on integrity, confidentiality, and availability. Information has become more readily available in the digital age and its value is more critical than ever before, which makes it vulnerable to corruption. A&A is valuable because it poses an effective alternative to C&A. According to FISMA, there are three primary security objectives which the policy seeks to fulfill within the technical realm of information systems and the dissemination and management of information. These three security objectives are defined within the law for information and information systems. In regards to confidentiality, the law states that it is the goal of protocols like C&A to preserve “authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” (FIPS 199, 2004, p.2). This is why information is disclosed in an unauthorized way when it is disclosed to external sources within an information network. In regards to integrity, A&A ensures integrity through “guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…” (FIPS 199, 2004, p.2). The loss of information integrity involves modifications of information, and A&A is expected to make that information readily available to users. The expectation that A&A ensures this information is available entails “ensuring timely and reliable access to and use of information…” (FIPS 199, 2004, p.2). When information is not readily available for use, it is seen as a lack of integrity within the system, or a disruption of information systems. INFOSEC specifically refers to “the protection of information systems against unauthorized access to or modification of information, whether in storage, processing, or transit. INFOSEC also includes protection against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats” (NCSC, 1996: viii).
Assessment and Authorization Tasks
A&A tasks are often implemented in phases: the initiation phase, the authentication phase, the assessment phase and the monitoring phase. Authors note that “certification verifies and validates the security assurance for a system associated with an environment. Accreditation evaluates whether the operational impacts associated with any residual system weaknesses are tolerable or unacceptable. Life-cycle assurance requirements provide a framework for secure system design, implementation, and maintenance” (NCSC-TG-031, 1996, p.2). The process is divided into four phases because it usually involves four different groups within one information network.
Applicability of A&A
National & State
The Federal Information Security Management Act of 2002 functioned as a supplement to part of Title III of the E-Government Act of 2002. It is essentially a national law that identifies the significance of information and the role it plays in establishing the secure exchange of data and the transition of that information into knowledge in a way that protects it from corruption or cyber-attacks. In this way A&A becomes an essential and relevant model for enhancing the effectiveness of these objectives.
The act requires all federal agencies to develop and implement programs that secure the information and information systems that support the operations and assets of the agency. The law also applies to agencies’ contractors, from state to state. As stated in FIPS 200, “FISMA directed the promulgation of federal standards for: (i) the security categorization of federal information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels; and (ii) minimum security requirements for information and information systems in each such category” (FIPS 200, 2006, p.iv). FIPS 200 was published by the National Institute of Standards and Technology (NIST) as a guideline for security standards when dealing with federal information. The legislation goes on to note that it applies to:
“all information within the federal government other than that information that has been determined pursuant to Executive Order 12958, as amended by Executive Order 13292, or any predecessor order, or by the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure and is marked to indicate its classified status; and (ii) all federal information systems other than those information systems designated as national security systems as defined in 44 United States Code Section 3542(b)(2)” (FIPS 200, 2006, p.vi).
This legislation is the foundation for how A&A can be applied to improve where C&A failed. It most importantly can create uniform data security protocols across all federal agencies.
Local
On a local level, A&A can be more effective than C&A if implemented with distinct boundaries and strict authentication parameters. It is most critical to identify authentication boundaries that will best encompass the full scope of federal objectives. It is important that emphasis is placed on stakeholders and the role they play in the dissemination of information as well as its secure exchange. The Defense Information Infrastructure (DII) is also a critically important factor related to the location of the A&A process in regards to security risks and their limitation. The location boundaries of the Defense Information Infrastructure entail hardware, software and Government-furnished equipment, like terminals, local wiring, local area networks (LANs), modems, and wide area networks (WANs). A common rule when identifying authentication boundary parameters is to ensure that there are configuration controls capable of managing all equipment within the boundary and regulating all equipment within the network infrastructure.
What do you think the A&A process should avoid doing or becoming?
The A&A process should avoid turning into an overly bureaucratic system. The result of an overly bureaucratic system can be seen in the many setbacks, complications and pitfalls that have led to inefficiency and lack of productivity in the federal government bureaucracy under FISMA, and in how it has impacted C&A protocols to date. In his study, “Rethinking FISMA and Federal Information Security Policy”, Silvers (2006) assesses the wide range of critiques surrounding the statutory scheme that regulates how the federal government must secure data on its information systems.
Who should perform the assessment?
The problems Silvers addresses introduce complications with respect to who should be responsible for performing the authentication. When operations are handled internally, they are more secure, but as Silvers notes, when bureaucracy becomes an inherent part of federal policy it complicates the effectiveness of programs and public initiatives. This can especially be seen with the Defense Information Infrastructure and how it operates. It can also be argued that bringing in private third parties to do the work can leave sensitive data vulnerable to more threats than before. This is true not just for the federal government but for all other organizations that might be looking to utilize an effective Assessment and Authorization program. This is why it is essential to seek well-trained individuals familiar with advanced cyber security protocols. Currently, the federal government implements C&A, which represents a cross between two options that fail to realistically integrate policy into the real-life application of handling information. To ensure there is no red tape and that bureaucracy does not impede progress, it is ideal that there are only a few select managers with security clearance, so that data can be consolidated and the assessment and authorization process can be leaner and more efficient. This also serves to make sure that government institutions can better serve as secure resources.
Who should authorize the system for use?
Whether it is an individual company or a federal institution, the Chief Information Officer (CIO) should be the only person authorized to perform the final assessment approving the system. Even if the CIO delegates supplemental tasks to a support team, the CIO takes on full responsibility for the results and therefore should have the final say on assessments. In regards to the federal government, the CIO is assigned this authority within the system to manage from their location in the Defense Security Service (DSS) office.
The decision on who should be given the authority to perform the assessment is an adaptation of FISMA policy, as it offers some considerations on who should handle assessment and system approval:
‘‘(a) The head of each agency shall—‘‘(1) be responsible for —‘‘(A) providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of—‘‘(i) information collected or maintained by or on behalf of the agency; and ‘‘(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;‘‘(B) complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines…” (FISMA, 2002, p.4).
The main issue that arises here is the vagueness with which the letter of the law is defined. It is very vague; it states that
Within C&A, the ODAA was made responsible for much more than just A&A, as noted by the DoD: “the ODAA is also responsible for managing MOUs/MOAs between government agencies. It also works as the liaison between the information security industry and the Secret Internet Protocol Router Network (SIPRNET) Connection Approval Office (SCAO)” (U.S. Department of Defense, 2014, p.1). The DoD works as an information medium between the private sector and the public sector, where information security initiatives that are commonly used in private corporations can be applied within a public setting. This is most valuable in regards to applying cyber-security, as the document further notes that “the DoD will establish and use an integrated enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates DoD mission areas (MAs) pursuant to DoDD 8115.01 (Reference (m)) and the governance process…” (DoD 8510, 2014, p.1). This means that the DoD is the core resource for mediating information that is exchanged between the private and public sector, which plays an equal role in innovation and industry as well as in national security.
When should A&A be done (frequency)?
A&A should be monitored and executed as often as the conditions require, depending on the frequency with which information is disseminated. This could mean agencies exchange information by the day, by the hour or by the minute. This could be impacted by the size and scope of a particular information network, as all employees and operations need to be tracked, monitored and kept secure.
Where should the A&A boundaries be (size/scope)?
Boundaries should be limited to the reach of the system configurations. Boundaries should be set with optimum effectiveness in mind. System boundaries in this case refer specifically to location, but could also include the limitations of equipment or resources, like software, hardware, people, and interfaces. The authentication boundary specifically entails the system boundary, in addition to Government-furnished equipment.
How many resources should be put into the A&A effort?
There are a variety of resources that can be utilized to supplement the effectiveness of A&A. Currently, many of the resources that are already in use are affiliated with C&A and with the failures that have occurred within FISMA policy. An example of this can be seen with funding: Silvers points out that FISMA “does not directly bring new funding to the agencies. So, while agencies must perform more work-often with the assistance of costly private contractors-they must effectively do so within the constraints of their preexisting budgets” (Silvers, 2006, p.1859). He further points out that limited funding for additional work can harbor resentment in employees, which can lead to unforeseen conflict.
Conclusion
In sum, A&A can offer essential new improvements to information security and management in areas where C&A has failed.
References
Bui, S., Enyeart, M., & Luong, J. (2003). Issues in Computer Forensics. Santa Clara University, Computer Engineering, USA.
Department of Defense. (2005, October 10). DoD Directive 8115.01, Information Technology Portfolio Management.
Department of Defense. (2014). DoD Instruction 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), 1-3. Retrieved May 22, 2014, from http://www.dtic.mil/whs/directives/corres/pdf/851001_2014.pdf
Domain, I. S. S. E. (2005). Certification and Accreditation. Official (ISC)2® Guide to the CISSP®-ISSEP® CBK®, 281.
FIPS 199. (2004). Standards for Security Categorization of Federal Information and Information Systems, 2-3. Retrieved May 22, 2014, from http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
FIPS 200. (2006, March). Minimum Security Requirements for Federal Information and Information Systems. Retrieved May 22, 2014, from http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
FISMA. (2002). The Federal Information Security Management Act (FISMA). Retrieved from http://csrc.nist.gov/drivers/documents/FISMA-final.pdf
Flinn, W. P. (2005). Certification and Accreditation.
Kubba, S. (2009). LEED Practices, Certification, and Accreditation Handbook. Butterworth-Heinemann.
National Institute of Standards and Technology. (2006, March 9). Minimum Security Requirements for Federal Information and Information Systems (FIPS 200).
NCSC-TG-031. (1996). National Computer Security Center. Defense Information Systems Agency.
Silvers, R. (2006). Rethinking FISMA and Federal Information Security Policy. New York University Law Review, 81, 1844.
U.S. Department of Defense. (2014). Defense Security Service. Retrieved May 22, 2014, from http://www.dss.mil/isp/odaa/odaa.html