Review of FISMA Certification and Accreditation Handbook by Laura Taylor
By Stephen Northcutt
Laura Taylor is the chief technology officer and founder of Relevant Technologies, Inc., an information security and IT professional services firm headquartered north of Boston. Her research has been sought out by the FDIC, the FBI, the White House, numerous private sector organizations, and publicly held Fortune 500 companies. We have exchanged email from time to time, and when she was getting ready to write this book, I was able to introduce her to Andrew from Syngress, which is now part of the O'Reilly family. So, I am not entirely unbiased in this review.
"Security accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls. Security accreditation provides a form of quality control and challenges managers and technical staffs at all levels to implement the most effective security controls possible in an information system, given mission requirements, technical constraints, operational constraints, and cost/schedule constraints. By accrediting an information system, an agency official accepts responsibility for the security of the system and is fully accountable for any adverse impacts to the agency if a breach of security occurs. Thus, responsibility and accountability are core principles that characterize security accreditation."
Now there are various flavors of C&A, the insider's way of describing Certification and Accreditation, such as DIACAP. This book is focused on the Federal Information Security Management Act (FISMA) Implementation Project flavor of accreditation, but it would be applicable to a large extent to DIACAP. The various flavors of accreditation are discussed in chapter 2 of the book.
As we have already stated, the official who approves the certification is responsible for the security of the system and is fully accountable for any adverse impacts to the agency if a breach of security occurs. But this cannot be absolute; the questions of how bad an event could be and how likely it is to occur are the foundation of risk management. "The selection and specification of security controls for an information system is accomplished as part of an organization-wide information security program that involves the management of organizational risk---that is, the risk to the organization or to individuals associated with the operation of an information system. The management of organizational risk is a key element in the organization's information security program and provides an effective framework for selecting the appropriate security controls for an information system---the security controls necessary to protect individuals and the operations and assets of the organization." The book covers risk and privacy assessment in chapters 13 and 14, as well as 17, and does as good a job of keeping the concepts approachable as I have seen. After completing chapter 17, you ought to be able to complete a system risk assessment.
Security controls are where organizations often miss the boat, and without them, C&A becomes purely a paperwork exercise. A good place to start is Appendix D of NIST SP 800-53. Also, the Internet Technology Process Institute sells a benchmark; they did over 900 hours of research to identify the 21 control families that have the greatest impact. Chapter 8 of the book has a great set of questions to help you determine the presence, absence, and effectiveness of security controls.
The bottom line: this book is complete, comprehensive, and accurate. I could not find one single example of the obtuse writing that tends to show up in the NIST and other government documents. It gives you a path through the Federal certification and accreditation maze. However, I am not an expert on DIACAP, so I do not know how much one should rely on this book for DIACAP accreditation.