Term
NIAP (National Information Assurance Partnership) |
|
Definition
US Government initiative designed to meet security testing, evaluation and assessment needs. Partnership between NIST and NSA. |
|
|
Term
H.R. 145, Public Law 100-235, 1/8/1988 |
|
Definition
Computer Security Act of 1987
* NIST responsible for developing guidelines and standards for federal computer systems (assisted by NSA where appropriate)
* Requires all operators of federal computer systems that process sensitive info to establish security plans
* Requires periodic training for all people using, managing or operating federal computer systems that contain sensitive info |
|
|
Term
Government Info Sec Reform Act (GISRA), Chapt 35 of Title 44, USC |
|
Definition
* Replaced by FISMA
* Amended the Paperwork Reduction Act
* Built on the Computer Security Act of 1987 and the Clinger-Cohen Act
* Requires agencies to address security for all info systems in their technology plan and budget |
|
|
Term
|
Definition
Authorized NIST and NSA to provide guidance for security planning and engineering |
|
|
Term
GISRA
Creates management framework for: |
|
Definition
* Agency-wide program practiced throughout the management lifecycle
* Incident response
* Annual program review
* Reporting of significant deficiencies
* Annual agency performance plan |
|
|
Term
GISRA
Security Program Components |
|
Definition
1. Management
2. Implementation
3. Evaluation |
|
|
Term
|
Definition
At its core, security is a management function |
|
|
Term
|
Definition
* Codified OMB Security Policies |
|
|
Term
|
Definition
Program officials and CIOs perform annual reviews of all systems |
|
|
Term
H.R. 2458-48 (Title III of the E-Government Act of 2002), Chapt 35 of Title 44, USC - FISMA |
|
Definition
|
|
Term
|
Definition
1. Comprehensive framework for ensuring the effectiveness of security controls over federal info systems
2. Coordinates info sec efforts across the civilian, national security, and law enforcement communities while managing risk
3. Development and maintenance of minimum controls to protect federal info systems
4. Improved oversight of federal info systems
5. Recognizes COTS IA products as important to national defense and economic security
6. Lets agencies select the specific hardware and software they use |
|
|
Term
FISMA Federal Info Sec Incident Center |
|
Definition
US-CERT was established to meet the FISMA requirement to operate a Federal Info Sec Incident Center |
|
|
Term
|
Definition
Coordinates defense against and response to cyber attacks |
|
|
Term
|
Definition
FISMA authorized NIST to create federal security standards and guidelines |
|
|
Term
FISMA and Security Training |
|
Definition
FISMA requires each agency to provide periodic IA training |
|
|
Term
|
Definition
All DoD Telecom products must be certified secure before purchase |
|
|
Term
EO 13231 Critical Infrastructure Protection in the Info Age |
|
Definition
US policy to protect operation of info sys for critical infrastructure |
|
|
Term
|
Definition
1. Business, government, and national defense all rely on interdependent, networked critical infrastructures. Protecting the info systems behind them is essential to protecting the critical infrastructure itself
2. US policy is to protect against disruption of the info systems for critical infrastructure. This includes a voluntary public-private partnership |
|
|
Term
EO 13231 - Critical Infrastructure |
|
Definition
1. Telecom 2. Energy 3. Financial Services 4. Manufacturing 5. Water 6. Transportation 7. Health Care 8. Emergency Services |
|
|
Term
OMB Circular A-130 |
|
Definition
Per the Paperwork Reduction Act, provides uniform, government-wide info resources management policies |
|
|
Term
OMB Circular A-130 - History |
|
Definition
Policy framework for federal info systems. Created in 1985. Updated in 1993, 1996, and 2000 |
|
|
Term
A-130 - November 2000 Update |
|
Definition
1. Focus info resource planning on supporting strategic missions
2. Capital management and investment controls linked to the budget
3. Rethink and restructure work before investing in info systems |
|
|
Term
A-130 - Adequate Security |
|
Definition
Security commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information.
Includes assuring that systems and applications operate effectively and provide appropriate confidentiality, integrity, and availability (C I A) |
|
|
Term
A-130 - General Support System (GSS) |
|
Definition
Interconnected set of info resources under the same direct management control that shares common functionality. |
|
|
Term
A-130 - Major Application (MA) |
|
Definition
Application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the info in the application |
|
|
Term
|
Definition
Must:
* Assign responsibility for security
* Have a system security plan, including a set of rules of behavior for users of each GSS
* Review security controls
* Authorize processing (C&A) |
|
|
Term
A-130 Additional responsibilities |
|
Definition
* Correction of deficiencies
* Incident response
* Continuity of support
* Technical security
* System interconnection
* Review of security controls
* Authorize processing
* Information sharing (MAs only)
* Public access controls
* Assignment of responsibilities
* Reports |
|
|
Term
A-130 Major factors in risk management |
|
Definition
* Value of the system or application
* Threats
* Vulnerabilities
* Effectiveness of safeguards |
|
|
Term
A-130, Revised, Transmittal memo 4, November 2000
Section 3 |
|
Definition
* Prioritize key systems
* Apply OMB policies, using NIST guidance
* Make security's role explicit in IT investments
* Systems that do not do this will not be funded |
|
|
Term
OMB M-99-18: Privacy policies and data collection on fed web sites |
|
Definition
Provides guidance on how to post privacy policies on fed web sites |
|
|
Term
OMB M-00-13 Updated Privacy policies and data collection on fed web sites |
|
Definition
Extends the requirements to contractors of agencies
* Clear privacy policies at web site entry points
* Privacy policies clearly and easily accessible
* Sets requirements for the use of persistent cookies
* Must comply with the Children's Online Privacy Protection Act (COPPA) when collecting personal information at web sites directed to children |
|
|
Term
OMB M-01-08 Guidance on implementing the Gov Info Sec Reform Act (Jan 2001) |
|
Definition
1. Annual agency reviews
2. Annual Inspector General evaluations
3. Reporting the results of reviews and evaluations to OMB
4. Annual OMB report to Congress summarizing the results of the reviews and evaluations |
|
|
Term
OMB M-03-19 Reporting Instructions for the Fed Info Sec Management Act & Updated on Quarterly IT Sec Reporting (August 6, 2003) |
|
Definition
Provides guidance for implementing FISMA
1. Attachment A - Substantive changes implemented by FISMA
2. Attachment B - FY03 FISMA reporting instructions
3. Attachment C - Directions for quarterly reporting on IT security efforts
4. Attachment D - Definitions in law and policy cited by the guidance |
|
|