This publication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Modernization Act (FISMA), 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283
Noticing a common text structure across all of the NIST guides. Another shout out to FISMA
Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public Web sites) or simple transactional information, such as that necessary to process payments.
Definition of FCI
Potential Impact on Organizations and Individuals
Low = limited moderate = serious high = severe or catastrophic
Security Objectives
FISMA outlines three objectives around security:
The low, medium, and high refer what risk of potential impact would the data have in any of the three got breached.
pprove accreditation criteria for third-party assessment organizations (3PAOs) to provide independent assessments of CSPs’ implementation of the FedRAMP security authorization requirements9
This is similar to the C3PAO model in cmmc
Federal Risk and Authorization Management Program (FedRAMP)
Created in 2011 by the OMB in compliance with FISMA act of 2002.
The RMF emphasizes risk management by promoting the development of security and privacy capabilities into information systems throughout the system development life cycle (SDLC);10
System Development Life Cycle,
thing to stress requires a continuous monitoring and reporting system in place.
Executive Order (E.O.) 13800 requires federal agencies to modernize their IT infrastructure and systems and recognizes the increasing interconnectedness of federal information systems and networks.
People will need to know the requirement to modernize federal IT
OMB Circular A-130,Managing Information as a Strategic Resource [OMB A-130], addresses responsibilities for protecting federal information resources and for managing personally identifiable information (PII).
How we have to manage PII
he Common Criteria Recognition Arrangement (CCRA).
precursor to FISMA and NIST
The SEI team dug into the CERT Resilience Management Model (CERT-RMM), the SEI's foundational process improvement approach to operational resilience management.
People will need to know the process maturity approach derived from CERT-RMM
Process maturity is stickiness, or how well the technical practices are embedded in the organization.
Definition of process maturity. history of cmmc
retain all the practices from NIST 800-171, and find a way for DIB members of varying cyber-sophistication to participate without POAMs.
history of cmmc, two requirements and the connection to nist-800-171
Executive Order 13800 of May 11, 2017
Make connection to NIST-39 and RMF
blication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347.
Find the FISMA act
Only 1 percent of [Defense Industrial Base (DIB)] companies have implemented all 110 controls from the National Institute of Standards and Technology. We need to get to scale where the vast majority of DIB partners can defend themselves from nation state attacks.
Only 1%! Yikes!