
CNSSI 1253

From EverybodyWiki Bios & Wiki

Introduction and background

Within U.S. government IT systems, especially classified IT systems, various official documents have been released defining cybersecurity requirements. As of 2019, the U.S. government uses the Risk Management Framework approach to cybersecurity, which comprises various documents, including CNSSI 1253. These documents can be complex but provide the foundation needed to implement cybersecurity protections on U.S. government systems. The criticisms section below elaborates on alleged shortcomings of this approach to cybersecurity for U.S. government IT systems.

This entry covers CNSSI 1253, a compliance document that defines cybersecurity requirements for U.S. government IT systems.[1] CNSSI 1253 is a foundational document within the Risk Management Framework, which also includes various other documents such as National Institute of Standards and Technology special publications and Committee on National Security Systems Instructions.[1] Despite efforts and funding, adoption of CNSSI 1253 security controls, and of the Risk Management Framework in general, has yielded mixed results for U.S. Department of Defense IT systems.[2]

Overview

CNSSI 1253 is Committee on National Security Systems Instruction 1253.[3] This Instruction was last updated on March 27, 2014, and is titled "Security Categorization and Control Selection for National Security Systems".[3] CNSSI 1253 provides direction for the first two steps of the Risk Management Framework process for national security systems.[3] These first two steps are to categorize the information system and to select security controls.[3] CNSSI 1253 provides direction for information systems security managers, security control assessors, information system owners, and other stakeholders.[3] This direction predominantly consists of the exact security controls from NIST SP 800-53 that must be implemented based on the information system's security categorization.[3] CNSSI 1253 also brings additional NIST SP 800-53 controls into scope based on the applicable control overlays found within CNSSI 1253.[3]

Content

CNSSI 1253 is the authoritative document issued by the Committee on National Security Systems that directs that national security systems' cybersecurity protections be based upon the Risk Management Framework, including NIST SP 800-53, NIST SP 800-37, NIST SP 800-60, and FIPS 199.[3] National security systems include, but are not limited to, information systems that process classified information.[4] CNSSI 1253's direction to use the above NIST Special Publications ensures that the Risk Management Framework is used, including the six-step RMF process.[3][5] Of special consideration is that CNSSI 1253 takes precedence over NIST SP 800-53 concerning security control selection based on the security categorization.[3] However, CNSSI 1253 uses NIST SP 800-53 as the foundation to create the applicable security control set for national security systems.[3][6]

This applicable security control set, customarily recorded in a security controls traceability matrix, is supplemented with security control overlays as specified by CNSSI 1253.[3] These supplemental control sets are referred to as overlays because they are additional controls that complement the applicable baseline, which is sourced from NIST SP 800-53 via the security categorization of the information system.[3] The five overlays specified by CNSSI 1253 are:

- Space Platform

- Cross Domain Solution

- Intelligence

- Classified Information

- Privacy

Of these overlays, the Privacy overlay offers gradations of low, medium, and high.[7]
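The control-selection procedure described above (a baseline driven by the system's security categorization, supplemented by the overlays that apply) is shown below as an added Python example. It is not code from the article, from CNSS, or from CNSSI 1253 itself. The control identifiers (AC-2, AU-2, SC-28 and so on) are real NIST SP 800-53 control IDs, but the level thresholds attached to them, the overlay memberships, and the per-attribute (C, I, A) model of categorization are constructed for illustration; the authoritative tables are in CNSSI 1253 and its overlay attachments. The function returns a small traceability matrix, mapping each selected control to the reasons it was selected, so a reviewer can see whether a control came from the baseline or from an overlay.

```python
"""Constructed control-selection example (not CNSSI 1253's own tables)."""
from typing import Dict, List, Optional, Set

LEVELS = ("L", "M", "H")
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
Level = Optional[str]

# Constructed baseline: for each NIST SP 800-53 control ID, the minimum
# confidentiality / integrity / availability level at which the control is
# required. None means the attribute does not drive this control.
# The IDs are real 800-53 identifiers; the thresholds are NOT the published values.
BASELINE: Dict[str, Dict[str, Level]] = {
    "AC-2":  {"C": "L", "I": "L", "A": None},   # Account Management
    "AC-17": {"C": "M", "I": "M", "A": None},   # Remote Access
    "AU-2":  {"C": "L", "I": "L", "A": "L"},    # Audit Events
    "CP-9":  {"C": None, "I": None, "A": "M"},  # Information System Backup
    "SC-8":  {"C": "M", "I": "M", "A": None},   # Transmission Confidentiality and Integrity
    "SC-28": {"C": "H", "I": None, "A": None},  # Protection of Information at Rest
}

# Constructed overlay contents. Overlay names are the ones the article lists.
# A key of None means the overlay has no gradations; the Privacy overlay is
# graded L/M/H and is treated as cumulative (M includes everything in L).
OVERLAYS: Dict[str, Dict[Level, Set[str]]] = {
    "Classified Information": {None: {"SC-28", "AC-3"}},
    "Cross Domain Solution": {None: {"SC-7", "SI-4"}},
    "Privacy": {"L": {"AC-3"}, "M": {"AC-21"}, "H": {"SC-28"}},
}


def _check_level(value: Level, where: str) -> None:
    if value not in RANK:
        raise ValueError(f"{where}: expected one of {LEVELS}, got {value!r}")


def control_sort_key(control: str):
    """Sort by family then number, so AC-2 precedes AC-17."""
    family, number = control.split("-")
    return (family, int(number))


def select_controls(categorization: Dict[str, str],
                    applied_overlays: Dict[str, Level]) -> Dict[str, List[str]]:
    """Return {control_id: [reasons]} for a system categorized as C/I/A levels
    with the given overlays applied (overlay name -> gradation or None)."""
    for attr in ("C", "I", "A"):
        _check_level(categorization.get(attr), f"categorization[{attr}]")
    selected: Dict[str, List[str]] = {}

    def add(control: str, reason: str) -> None:
        selected.setdefault(control, []).append(reason)

    # RMF steps 1 and 2: the categorization drives the baseline, one attribute at a time.
    for control, thresholds in BASELINE.items():
        for attr in ("C", "I", "A"):
            threshold = thresholds[attr]
            if threshold is not None and RANK[categorization[attr]] >= RANK[threshold]:
                add(control, f"baseline:{attr}")

    # Overlays supplement the baseline rather than replacing it.
    for name, level in applied_overlays.items():
        if name not in OVERLAYS:
            raise KeyError(f"unknown overlay {name!r}")
        tiers = OVERLAYS[name]
        if None in tiers:
            if level is not None:
                raise ValueError(f"overlay {name!r} has no gradations")
            for control in sorted(tiers[None]):
                add(control, f"overlay:{name}")
        else:
            _check_level(level, f"overlay {name!r} level")
            for tier in LEVELS:
                if RANK[tier] <= RANK[level]:
                    for control in sorted(tiers[tier]):
                        add(control, f"overlay:{name}({tier})")

    return {c: selected[c] for c in sorted(selected, key=control_sort_key)}


if __name__ == "__main__":
    # Constructed system: moderate confidentiality, low integrity and availability,
    # processing classified information and carrying privacy data at the "medium" tier.
    matrix = select_controls({"C": "M", "I": "L", "A": "L"},
                             {"Classified Information": None, "Privacy": "M"})
    for control, reasons in matrix.items():
        print(f"{control:6s} {', '.join(reasons)}")
```

Running the block with the constructed inputs shows SC-28 entering the set only through the Classified Information overlay (the constructed baseline needs confidentiality "H" for it) and CP-9 staying out because availability is "L"; that is the kind of distinction the traceability matrix is meant to make visible.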

Impacts

CNSSI 1253 facilitates the creation of the security control baseline for all national security systems for compliance purposes.[3][6] A significant impact of CNSSI 1253 is that it directs the security compliance approach to gaining an authorization to operate classified systems for government agencies and defense contractors.[8] CNSSI 1253 is the directive that creates the actionable association between NIST SP 800-53 and the tailored security control traceability matrix for each national security system.[3][5][6][7][9][10]

Criticisms

CNSSI 1253 and, more broadly, the Risk Management Framework have been criticized for a rigid compliance-based approach to cybersecurity that does not adequately address availability and integrity in the event of an information system compromise.[11] The concept of cyber resiliency includes the goals of anticipate, withstand, recover, and evolve.[11] Given the compliance-based approach taken by CNSSI 1253 and the Risk Management Framework, cyber resiliency has been introduced as a proposed solution to the Risk Management Framework's alleged shortcomings.[11]

Additional Authoritative Documents

The Defense Security Service Assessment and Authorization Process Manual is an authoritative document, in addition to CNSSI 1253, that addresses Defense Security Service requirements for protecting collateral classified information.[12][3] For defense contractor purposes, collateral classified information is classified information for which the defense contractor has the authority to determine need-to-know.[13]

The Joint SAP Implementation Guide (JSIG) is an authoritative document, in addition to CNSSI 1253, that provides the Department of Defense with further guidance on the security control baseline created from NIST SP 800-53 and CNSSI 1253.[14][3][6] The JSIG specifically applies to Department of Defense special access programs.[14]

References

  1. "Classical FISMA versus the Risk Management Framework System Categorization and Control Selection". BSC Systems. 2017-05-18. Retrieved 2019-02-25.
  2. Williams, Lauren C. "DOD struggles with Risk Management Framework adoption". Defense Systems. 2018-11-30. Retrieved 2019-02-25.
  3. "Security Categorization and Control Selection For National Security Systems" (PDF). www.dss.mil. 2014-03-27. Retrieved 2019-02-20.
  4. "Is Your System a National Security System (NSS)? and How Does That Affect RMF Efforts?". 2017-10-17. Retrieved 2019-02-20.
  5. "Guide for Applying the Risk Management Framework to Federal Information Systems" (PDF). nvlpubs.nist.gov. December 2018. Retrieved 2019-02-20.
  6. "Security and Privacy Controls for Federal Information Systems and Organizations" (PDF). nvlpubs.nist.gov. April 2013. Retrieved 2019-02-20.
  7. "Privacy Overlays". www.cnss.gov. 2015-04-20. Retrieved 2019-02-20.
  8. "Navigating the US Federal Government Agency ATO Process for IT Security Professionals". www.isaca.org. Retrieved 2019-02-20.
  9. "Space Platform Overlay". www.cnss.gov. Retrieved 2019-02-20.
  10. "Classified Information Overlay". www.cnss.gov. 2014-05-19. Retrieved 2019-02-20.
  11. "Cyber Resiliency FAQ" (PDF). www.mitre.org. 2017. Retrieved 2019-02-20.
  12. "Defense Security Service Assessment and Authorization Process Manual" (PDF). www.dss.mil. 2018-06-04. Retrieved 2019-02-20.
  13. "Security Clearance FAQs | ClearedJobs.Net". clearedjobs.net. Retrieved 2019-02-20.
  14. "Department of Defense Joint Special Access Program Implementation Guide" (PDF). 2016-04-11. Retrieved 2019-02-20.


This article "CNSSI 1253" is from Wikipedia. The list of its authors can be seen in its history and/or on the page Edithistory:CNSSI 1253. Articles copied from the Draft namespace on Wikipedia can be seen in the Draft namespace of Wikipedia and not the main one.