Dec 31 2009

3 Steps for Successfully Implementing C&A in your Agency

The Library of Congress fine-tunes its C&A work so that it's a security benefit rather than a burden.

Want to see a systems security professional cringe? Just mention the certification and accreditation process.

Despite years of mandated systems C&A, many agencies find that the process doesn’t increase security. In fact, it often takes resources away from remediation efforts, which can decrease overall security. But C&A does not have to be a high-cost, low-value proposition. When properly used, it can be an integral part of a mature, well-managed information technology security program.

There are two major issues with C&A for most agencies. It’s inefficient: It costs a lot to perform. It’s ineffective: The output is a thick document that sits on a shelf and is never read again.

Technically, the Library of Congress, a legislative branch agency, is not covered by the mandates of the Federal Information Security Management Act and other executive branch requirements, but in reality it makes sense for the Library to mesh with the IT practices prevalent across government. So here are techniques the Library has adopted to implement C&A and derive security benefits.

ONE: Control C&A Scope

Focusing the scope of C&A processes makes it efficient. There are two ways to control scope. First, security analysts who conduct C&A should not perform design and development of security controls. Second, establish hosting environments for enterprise applications.

Often, C&A ends up being costly because the analysts brought in to perform security design also do C&A. Instead, consider establishing a standardized security advisement process. To make this work, the Library selects security advisers from its enterprise IT Security Group to act as in-house consultants on systems projects. The advisers work with the project team and information owners to categorize the information (based on risk levels established by the National Institute of Standards and Technology in FIPS 199), perform an initial risk assessment and then provide base security requirements to the project team. During design and development efforts, the advisers answer questions from the team and review project deliverables.

To address the issue of handling C&A when systems use shared enterprise resources, the Library has hosting environments for its hardware, operating systems, networks and physical security concerns. The Enterprise Computing Group manages the hosting environments, and the Library conducts separate C&A for these environments. That way, C&A for any systems that use these environments can focus on just the applications and their associated controls and subsystems. There’s also no repetitive testing of the host systems.

Once the actual certification effort begins, the security advisers work with the security analysts performing C&A, providing them with standardized templates and tools, and answering questions. The templates help reduce the time to produce the accreditation package and ensure consistency, but the biggest gain in efficiency has been improvement in the risk assessment methodology.

TWO: Create Risk Assessment Zones

Traditional risk assessments require a substantial investment of time from an agency’s business and technical experts in addition to its security analysts. Moreover, an assessment tends to be biased by the group performing it and by that group’s knowledge of the environment. Risk assessments for IT security also tend to be qualitative and, because of this, typically give results as low, medium or high levels of risk, and contractors often perform them.

When the output of a risk assessment is a low, medium or high level of risk for a particular vulnerability, the risk to similar systems will nearly always be the same for the same vulnerability.

In fact, an analysis at the Library found that each system’s impact level and location within our enterprise network really drove the difference in risk between systems.

Based on that information, the Library created an organizationwide approach to risk assessment. The security team identified different “threat zones” across the enterprise network that are dependent on general security controls (for example, firewalls and intrusion detection systems) and types of threats (direct access from the Internet, for instance).

The next step involved defining vulnerabilities using NIST Special Publication 800-53: Recommended Security Controls for Federal Information Systems. The security team grouped threats into four categories: external intentional, internal intentional, internal unintentional, and natural or environmental. Then, for each vulnerability, the IT Security Group evaluated two things:

  • likelihood of occurrence for each threat against the threat zone, both with and without associated mitigating controls;
  • impact of the vulnerability being exploited for confidentiality, integrity and availability for each impact value, both with and without associated mitigating controls.

The team came up with 24 possible likelihood values and 18 possible impact values for each of 266 vulnerabilities. Using that data, we created a Risk Assessment Tool and set up a Microsoft Access database program to manage data gathered during the assessment process. The tool also contains mitigation strategies that project teams can use to address the vulnerabilities.

The tool does not assess risk per se, but instead contains the results of the organizationwide assessment. A C&A team can then assess risk for any given system by entering three sets of data about the system into the tool:

  • results of the security test and evaluation;
  • security categorization of the system based on FIPS 199;
  • the threat zone in which the system resides.

The tool then provides detailed risk matrices, a statement of residual risk, and a plan of action and milestones. The methodology and output are compliant with NIST SP 800-30: Risk Management Guide for Information Technology Systems.

This approach saves time. Risk assessments that used to take longer than a week now require only a day’s worth of time spent reviewing the tool’s output and formatting a plan of action and milestones. Moreover, by applying the tool, assessment results are consistent across systems, and the Library can manage risk on an organizational level.
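To make the zone-based method concrete, here is an added example (not the Library's Access tool, whose contents are not on the page) that models the lookup the article describes: an organizationwide catalogue holds, for each vulnerability, likelihood per threat zone and threat category and impact per security objective and FIPS 199 level, each with and without mitigating controls; a C&A team then supplies only the three system-specific inputs (ST&E results, FIPS 199 categorization, threat zone) and gets back a risk matrix, a residual-risk summary and POAM entries. The zone names, the two catalogue entries, the 1..3 scores and the likelihood-times-impact thresholds are all constructed assumptions; the SP 800-53 control identifiers are real but the weakness descriptions attached to them are invented.

```python
"""Added, constructed model of a zone-based risk assessment lookup in the
style the article describes. The catalogue, zone names and scores are
invented sample data, not the contents of the Library's risk assessment tool."""
from dataclasses import dataclass
from itertools import product

OBJECTIVES = ("confidentiality", "integrity", "availability")
THREATS = ("external_intentional", "internal_intentional",
           "internal_unintentional", "natural_environmental")
RISK_RANK = {"low": 0, "medium": 1, "high": 2}
# Impact by FIPS 199 level: (without mitigating controls, with them), 1..3.
IMPACT_BY_LEVEL = {"low": (1, 1), "moderate": (2, 1), "high": (3, 2)}


@dataclass
class Vulnerability:
    control: str      # SP 800-53 control whose failure exposes the weakness
    title: str
    likelihood: dict  # zone -> threat -> (without_mitigation, with_mitigation)
    impact: dict      # objective -> FIPS 199 level -> (without, with)
    mitigation: str   # strategy offered to the project team


def risk_level(likelihood: int, impact: int) -> str:
    """Qualitative SP 800-30 style matrix; thresholds are a constructed choice."""
    score = likelihood * impact
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


def assess_system(catalogue, ste_results, categorization, zone):
    """Combine the three system-specific inputs with the organizationwide
    catalogue. ste_results: control -> {"failed": bool, "mitigated": bool};
    categorization: objective -> FIPS 199 level; zone: threat zone name.
    Returns (risk matrix, residual-risk counts, POAM entries)."""
    matrix, poam = {}, []
    for vuln in catalogue:
        result = ste_results.get(vuln.control)
        if not result or not result["failed"]:
            continue  # control passed ST&E, so the weakness is not present
        column = 1 if result["mitigated"] else 0
        cells, worst = {}, "low"
        for threat, objective in product(THREATS, OBJECTIVES):
            like = vuln.likelihood[zone][threat][column]
            imp = vuln.impact[objective][categorization[objective]][column]
            lvl = risk_level(like, imp)
            cells[(threat, objective)] = lvl
            if RISK_RANK[lvl] > RISK_RANK[worst]:
                worst = lvl
        matrix[vuln.control] = {"overall": worst, "cells": cells}
        if worst != "low":  # only medium/high findings need a POAM item
            poam.append({"control": vuln.control, "weakness": vuln.title,
                         "risk": worst, "action": vuln.mitigation})
    residual = {lvl: sum(1 for v in matrix.values() if v["overall"] == lvl)
                for lvl in RISK_RANK}
    return matrix, residual, poam


def _likelihood(internet, lan):
    """Shorthand: per-zone tuples ordered as THREATS (constructed data)."""
    return {"internet_facing": dict(zip(THREATS, internet)),
            "internal_lan": dict(zip(THREATS, lan))}


ALL_OBJECTIVES_IMPACT = {obj: IMPACT_BY_LEVEL for obj in OBJECTIVES}

# Two-entry stand-in for the organizationwide catalogue (constructed).
CATALOGUE = [
    Vulnerability("AC-2", "Shared accounts without individual accountability",
                  _likelihood([(3, 2), (2, 1), (2, 1), (1, 1)],
                              [(1, 1), (2, 1), (2, 1), (1, 1)]),
                  ALL_OBJECTIVES_IMPACT,
                  "Issue individual accounts and disable shared credentials."),
    Vulnerability("SI-2", "Vendor security patches not applied",
                  _likelihood([(3, 2), (2, 1), (2, 1), (1, 1)],
                              [(2, 1), (2, 1), (2, 1), (1, 1)]),
                  ALL_OBJECTIVES_IMPACT,
                  "Patch within the enterprise flaw-remediation window."),
]

EXAMPLE_STE = {"AC-2": {"failed": True, "mitigated": False},   # constructed
               "SI-2": {"failed": True, "mitigated": True},
               "AU-2": {"failed": False, "mitigated": False}}
EXAMPLE_CATEGORIZATION = {"confidentiality": "moderate",
                          "integrity": "moderate", "availability": "low"}


def example(zone="internet_facing"):
    """Constructed ST&E findings for a moderate-impact system in a given zone."""
    return assess_system(CATALOGUE, EXAMPLE_STE, EXAMPLE_CATEGORIZATION, zone)


if __name__ == "__main__":
    for zone in ("internet_facing", "internal_lan"):
        matrix, residual, poam = example(zone)
        print(zone, {c: e["overall"] for c, e in matrix.items()}, residual)
        for item in poam:
            print("  POAM:", item)
```

Running it shows the point the article makes: the same failed control (AC-2) rates high for the internet-facing zone but only medium on the internal LAN, while the mitigated SI-2 finding drops to low and generates no POAM entry. The catalogue is built once and the per-system assessment reduces to supplying the three inputs.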

THREE: Increase C&A Effectiveness

Finally, to make C&A a useful tool in ensuring an effective security posture within an organization, an agency needs to treat it as a strategic element of the larger IT security lifecycle. To do this, the Library ties C&A directly to remediation efforts and provides governance for these efforts.

The most important output of the certification process is the plan of action and milestones (POAM) that’s developed as part of the risk assessment. At the Library, each POAM is formally assigned in writing to a system’s owner. As part of the security advisement process, the enterprise IT Security Group then works with the Library’s senior managers to make sure system owners have adequate resources to respond to weaknesses found during the C&A process.

There are two governance mechanisms used to manage security remediation. The first manages the technical details; the second ties remediation directly to Library management. Quarterly and annually, the IT security program manager for each Library business unit reports directly to the enterprise IT Security Group on progress made in meeting the POAM. Annually, the enterprise IT Security Group reports directly to Library upper management on security across the organization.

To ensure that individual managers are aware of IT security risks to their business units, they must report on remediation efforts through the Library’s Internal Control Program. Overseen by the Strategic Planning Office, this program team — which assesses the effectiveness, efficiency and compliance of business units within the Library — collects information throughout the year and reports annually to the management team.

An Integrated Approach

The key to making C&A work is using an integrated approach. Understanding that it’s a tool to determine risks and tie remediation efforts to managers capable of effecting these changes is what can make C&A effective. Automating the repetitive aspects and focusing your efforts can make C&A efficient.