Agency System Security Authorization Program Overview

Final Research Paper
Agency System Security Authorization Program
IA 500 – Seminar on Public Sector Security
Shawn Nicolen
3/17/2015

Agency System Security Authorization Program 2
Contents
Agency Charter...................................................................................................................................6
Overview ...........................................................................................................................................6
Program Objectives ............................................................................................................................7
The Risk Management Framework.......................................................................................................8
Information Categorization .................................................................................................................8
Types of Information Systems..........................................................................................................9
Notable Information Types ........................................................................................................10
Security Controls ..............................................................................................................................15
Access Control (AC).......................................................................................................................16
AC-2 Account Management .......................................................................................................16
AC-18 Wireless Access...............................................................................................................17
Awareness and Training (AT) .........................................................................................................17
AT-2 Security Awareness............................................................................................................17
Audit and Accountability(AU)........................................................................................................18
AU-2 Auditable Events...............................................................................................................18
AU-13 Monitoringfor Information Disclosure .............................................................................18
Certification, Accreditation, and Security Assessments(CA).............................................................19
CA-5 Plan of Action and Milestones............................................................................................19
Configuration Management (CM) ..................................................................................................19
CM-2 Baseline Configuration......................................................................................................19

Contingency Planning(CP).............................................................................................................20
CP-2 Contingency Plan...............................................................................................................20
Identification and Authentication(IA) ............................................................................................20
IA-2 Identification and Authentication (Organizational Users) ......................................................20
Incident Response (IR)...................................................................................................................21
IR-2 Incident Response Training .................................................................................................21
Maintenance (MA)........................................................................................................................22
MA-6 Timely Maintenance.........................................................................................................22
Media Protection (MP)..................................................................................................................22
MP-4 Media Storage..................................................................................................................22
Physical and Environmental Protection (PE)....................................................................................23
PE-11 Emergency Power............................................................................................................23
Planning (PL).................................................................................................................................23
PL-2 System Security Plan ..........................................................................................................23
Personnel Security (PS)..................................................................................................................24
PS-3 Personnel Screening...........................................................................................................24
Risk Assessment (RA) ....................................................................................................................24
RA-2 Security Categorization......................................................................................................24
RA-3 Risk Assessment................................................................................................................25
System and ServicesAcquisition (SA) .............................................................................................25

SA-2 Allocation of Resources......................................................................................................25
System and Communications Protection(SC)..................................................................................26
DC-9 Transmission Confidentiality..............................................................................................26
System and Information Integrity (SI).............................................................................................27
SI-4 Information System Monitoring...........................................................................................27
Risk Assessment...............................................................................................................................27
Threat..........................................................................................................................................28
Vulnerability.................................................................................................................................28
Impact..........................................................................................................................................28
A Note on Measurement...............................................................................................................29
System Security Authorization...........................................................................................................29
Plan of Action and Milestones .......................................................................................................29
Security Authorization Package......................................................................................................30
Risk Determination .......................................................................................................................31
Risk Acceptance............................................................................................................................31
Information System Monitoring.........................................................................................................32
Asset Management.......................................................................................................................32
Configuration Management...........................................................................................................32
Event and Incident Management...................................................................................................32
Information Management.............................................................................................................33

License Management....................................................................................................................33
Malware Detection.......................................................................................................................33
Network Management..................................................................................................................33
Software Assurance ......................................................................................................................33
Vulnerability and Patch Management ............................................................................................34
References.......................................................................................................................................35

Agency Charter
The Office forLunar and Martian Affairs(OLMA) wasfoundedin1964 to addressgrowingconcerns
surroundingcolonial political tensions withinthe UnitedStates Lunarand Martian colonies established
by EdwinHubble andThe ExplorersClubin1932. In additiontoadministratingthe daytoday
operational andmissionbasedobjectivesof these coloniesthe agencywasalsochargedwith the
separate butequallyimportanttaskof keepingknowledge of the coloniesasecretfromthe general
publicof planetEarth,per Executive Order1111A issuedbypresidentKennedyinhisaddresstothe
JointChiefsof Staff onNovember3,1963 (OLMA, STIMU DocumentLibrary).
Overview
Thisdocumentdescribesthe policiesgoverninginformationtechnologyusage andsecurityatOLMA in
compliance withdirectionsestablishedbyfederallaws,policies,andregulations. In1996 the Office of
ManagementandBudget statedthat federal agencies mustprovide,“security commensuratewiththe
riskand magnitude of the harmresultingfromthe loss,misuse,orunauthorizedaccesstoor
modificationof information”(OMBA-130, Page 5). Thiswas furtherenforcedbythe Federal Information
SecurityManagementActof 2002 (FISMA),whichrequiredfederalagenciesto,“provide a
comprehensive frameworkforensuringthe effectivenessof informationsecuritycontrolsover
informationresourcesthatsupportFederal operationsandassets”(FISMA,Section3541).
In compliance withthesedirectives OLMA hasadoptedthe standardsfor informationsecuritydescribed
inthe following:
 Federal InformationProcessingStandards (FIPS) Publication199: StandardsforSecurity
Categorization of FederalInformation and Information Systems andPublication200: Minimum
SecurityRequirementsforFederal Information and Information Systems.

 The National Institute of StandardsandTechnology(NIT) Special Publication800series
pertainingtocomputersecurity, especiallythose on the riskmanagementframework(SP800-
37), informationsystemcategorization(SP800-67), andsecuritycontrols (SP800-53).
It shouldbe notedthatthe policiesandpracticesinthisdocumentdonotapplyto systemsdesignated
as national securitysystemsorinformationdesignatedas classifiedasdescribedinExecutive Order
13526, Classified NationalSecurityInformation anditsamendments.Forguidance inidentifyingthese
national security systemspleaserefertoNISTSP800-59, Guideline forIdentifying an Information System
as a NationalSecurity System.
Program Objectives
The goal of processesoutlined inthisdocumentisto provide governanceineffortstosecure the
informational resourcesof the OLMA inaccordance withfederal directivesandstandards. This
documentderivesitsprocessesfromthose establishedbyNISTinsupportof the Federal Information
SecurityManagementActof 2002 (FISMA).
FISMA chargedNISTwiththe developmentof three keydirectivesinsupportof informationsecurity
whichdefinedthe scope of theirefforts (FIPS199,Page 1):
 The creationof standardsforall federal agenciesforcategorizationof all informationand
informationsystemsusedbythose agencieswiththe goal of providingadequate securitybased
on riskexposure.
 Guidelinesregardingthe typesof informationandinformationsystemsineachof those
categories.
 The minimummanagement, operational, andtechnical control requirementsforsecuring
informationand informationsecuritysystemsineachof those definedcategories.

The RiskManagement Framework
The Office forLunar and Martian Affairsutilizesthe RiskManagementFrameworkdescribedinNISTSP
800-37 Revision1, Guide forApplying theRisk ManagementFrameworkto FederalInformation Systems.
These standards have beencreatedtoensure thatthe managementof riskas itrelatedtoinformation
and informationsystemsisconsistentwiththe missionandfunctionof the agency.
The six stepsof thisprocessare:
1. Categorize the InformationandInformationSystem.
2. Selectaprovisional setof baseline securitycontrolsbasedonthe systemcategorization.
3. Implementthe provisional securitycontrols.
4. Assessthe effectivenessof the provisional securitycontrols.
5. Authorize the informationsystemforuse basedona determinationthe riskpresentonthat
system.
6. Monitorthe informationsystemanditssecuritycontrolscontinuouslytoassesstheir
effectiveness.Changesmade tothe systemare notedandevaluatedforimpactonthe level of
riskpresentonthat system.
InformationCategorization
Securitycategorization isanecessarystep inintegratingagencybusiness andtechnologymanagement
withsecurity,establishingthe pathtothe standardization,measurement,andevaluationof security
efforts(NISTSP800-60, Page 4), and isthe firststepof the risk managementframeworkoutlinedinSP
800-37. FIPS199 providesstandardsforcategorizinginformationandinformationsystemsbasedonthe
impactto the agency of eventsthat jeopardize the accomplishmentof itsmission,assets,legal
responsibilities,daytodayfunctions,andpeople (FIPS199,Page 1). These categoriesare usedin

assessingthe risktoan informationsystemalongside informationaboutrelevantthreatsand
vulnerabilities asa part of a formal,standardized,andmeasurableriskassessmentprocess.
FISMA section3532 describes athree axessystemformeasuringinformationrelevance toan
informationsecurityprogram:
 Confidentiality,ameasure of the desiredlevel of disclosureof information.
 Integrity,ameasure of the intactness,non-repudiation,andauthenticityof information.
 Availability, the timelinessandreliabilityof accesstoinformation.
PerFIPS199, the OLMA usesthese three securityobjectives tomeasure the potential impactthatthe
lossor compromise of informationwouldhave onthe agenciesassets,operations,mission,orpeople. A
lowimpactis attributedtoan eventthatcausesa limitedadverseeffect,amoderate impactisdue toan
eventwithaseriousadverse effect,andahighimpact isdescribedassevere orcatastrophic:preventing
the accomplishmentof the agenciesprimaryfunction.
The securitycategoryof an informationsystemonwhichinformationof variouslevelsof impactresides
isbasedon the highestlevelof impactwithineachof those informationtypes.FIPS199 refersto thisas
the “highwater mark” method(Page 4),beingthe “highestvaluesfromamongthose securitycategories
that have beendeterminedforeachtype of informationresidentonthe informationsystem.” Itisthe
role of the informationsystemowner,withsupportof otherofficialssuchasthe InformationSystem
SecurityOfficer,toprovide thiscategorization.
Types of Information Systems
NISTprovidesguidance inmappingtypesof informationsystemstorecommendedsecuritycategoriesin
SP 800-60: Guide forMapping Typesof Information and Information Systemsto Security Categories,
volumesIandII. Thisdocumentprovidesacatalogof typesof informationsystemswhichcanbe
referredtoinorderto determine aprovisionalrecommendedsecuritycategoryforthose systems.While
these recommendedsecuritycategoriescanbe used initially inthe initialabsence of aformal impact

analysiseveryattemptshouldbe takentodeterminethe actual securitycategoryforeachinformation
systemunderthe responsibilityof the OLMA.
Early coloniststookstepstoensure the secrecyof theireffortsand,forthe mostpart, common
terrestrial technologies werenotinplace toadequatelydetecttheirpresence onthese worldsuntilthe
mid-1950s whensome evidence of theiractivitieswasleakedtothe general publicbut,fortunately,
interpretedasscience fiction. PursuanttoExecutive Order1111A of 1963 one of the OLMA’s missionsis
to conceal the existence of the coloniesfromthe general public until atime whichknowledge of their
existence wouldnolongerpose ariskof disruptiontothe societiesandnationsof Earth.Because of this
some information of anytype maybe classifiedand,therefore,notsubjecttothe policiesandguidance
withinthisdocument.
NotableInformationTypes
While the OLMA’scharter extendstonearlyall aspectsof life onthe Lunarand Martian colonies, some
systemfunctionsandtypesof informationmaybe of notable regard to itsmission of the agencyor have
special considerationstothe unique nature of the OLMA’smission.
Energy Supply InformationType
Thistype of informationisinregardtothe generation,obtaining,use, distribution,andconsumptionof
power.
While the original LunarandMartian colonistsgeneratedandgovernedthe generationof theirown
energysupply,mainly viause of atomicreactors,these operationswere laterfederalizedunderthe
authorityof the OLMA in 1964.
The provisional securitycategoryof systemsinthisfunctionorcontainingthistype of informationis
moderate. The provisional impactforeachaxisis:
 Confidentiality:Low

 Integrity:Moderate
 Availability:Moderate
Note that,due to the factthat the coloniesrely,inpart,onatomicenergy,some informationinthis
categoryis consideredclassifiedandnational securityrelated.Thatinformationisoutside of the scope
of thisdocument.
The above informationregardingthisinformationtype wasdrawnfromNISTSP800-60 Vol 2, section
D.7.1, on page 133. Fore more detailsaboutthistype of information please refertothatdocument.
EnvironmentalMonitoringand ForecastingInformationType
Thistype of informationisinregardtothe observationandpredictionof environmentalconditions,
includingairquality,waterlevelsandquality,emissions,andweather.
ConditionsonLunaand Mars are quite differentfromEarthand as suchsometimesrequire specialized
techniquestomeasure orpredict.Insome casesenvironmental forecastingiscritical tothe continued
existence of the colony,suchasinthe case of solar flares,Martianduststorms,and continuous
monitoringof artificial environments.
moderate accordingtodefaultNISTguidance.The provisional impactforeachaxisis:
 Availability:Low (See Note Below)
In the case of informationregarding off world systemsOLMA recommendsthatthe provisionalimpact
alongthe availabilityaxisisraisedtohigh,due tothe extreme nature andsuddenchangesinthe
environments of the off worldcolonies.Insome caseschangesinthe environmentcanhave a
catastrophiceffectresultinginthe lossof humanlife and,therefore,itiscritical thatinformationabout

such potentiallydeadlyenvironmental factorsshouldalwaysbe immediatelyavailable tothe off world
colonists andsupportteamsonEarth.
D.8.1, on page 139. For more detailsaboutthistype of informationpleaserefertothatdocument.
SpaceOperations InformationType
Thistype of informationdescribesandsupportsactivitiesrelatedtomissionsandpeople conducting
aerospace basedmissionsandoperations.
The missionof OLMA isdirectlyrelatedtospace andspace travel toand fromoff worldcoloniesonLuna
and Mars. Since the federalizationof the coloniesOLMA hastakenstepsto bringthe securityof
informationregardingspace operationstothese colonieswithinfederallymandatedguidelines.
The provisional securitycategoryof systemsinthisfunctionorcontainingthistype of informationishigh
accordingto defaultNISTguidance.The provisional impactforeachaxisis:
 Confidentiality:Low(See Note Below)
 Integrity:High
 Availability:High
OLMA recommendsthatthe provisional confidentialityimpactforspace operations information,and
therefore space operationsrelatedinformationsystems,to be moderate.While notall information
regardingthe off worldcoloniesisclassifiedanyinformationregardingspace operations,especially
regardingthe SaganSpace Center(SSC) inAntarctica,isparticularlytellingandcouldleadtofurther
unwantedinquiriesthatmaycompromise the secrecyof the OLMA’smission.
D.11.4, onpage 158. For more detailsaboutthistype of informationplease refertothatdocument.

SpaceExplorationand Innovation InformationType
Informationregardinginnovationanddevelopmentof technologiesandknowledge relatedtospace,
space basedtransportation,andthe explorationof space.
The OLMA isdirectly engagedtosupportoff word Lunar andMartian colonistsintheirpursuittofurther
researchand developmentof technologies inextra-terrestrialenvironments.Whilemostresearchis
conductedwithinplanetaryormoonbasedboundariesitisstill consideredtofall withinthisinformation
type due to the heavylevel of interactionthe off worldcolonistshave withouterspace andregions
where there islittle tonoboundarybetweenthe surface andspace,suchas on the surface of Luna.
 Confidentiality:Low (See Below)
 Availability:Low
OLMA recommendsthatthe provisional confidentialityimpactforspace explorationandinnovation
shouldbe moderate. The technologiesresearchedonthe off worldcoloniesare,insome cases,
extremelydangerousorunacceptablewithinthe currentsocial andcultural climate.Detailedknowledge
of suchresearcheffortscouldhave a seriousadverse effectonthe missionof the OLMA.
D.12.2, onpage 202. For more detailsaboutthistype of informationplease refertothatdocument.
CivilianOperations InformationType
Thisinformationtype describesthe provisioningof non-militaryservice byfederal government
employees.

The personnel conductingeffortsandresearchonthe off worldcoloniesare primarilycivilianwith
guidance,direction,andsupportfromthe OLMA, whichisa militaryagency.Thoughnotalwaysthe case
mostsupportoperationsare conductedperdirectionof the OLMA whichresearchandscientificefforts
are directedbycivilianoperations.
Informationabout CivilianOperations isavehicle bywhichthe federal governmentprovidesservicesto
the citizensof the off worldcolonies underthe care of the OLMA. Thisinformationtype isessentiallya
meansof deliveryforothermission-basedservicesinformationandsubjecttothe provisional security
categoryand impactlevelsdescribedforeachof those servicesasdescribedinNISTSP800-60 Revision
1, Volume 2.
InformationSecurityInformationType
All functionsregardingaddressingthe securityneedsof federalinformationsystemsfallunderthe
informationsecurityinformationtype.Thisincludesbutisnotlimitedtocreationof securitypolicies,
guidelines,procedures,securitycontrolsregardingauthentication,authorization,investigations,non-
repudiation,andriskdetermination.
While notof great concernin the past,the recentactionsof native Martiansregardingcolonial
separationhave spurredthe developmentandenforcementof ITSecuritypoliciesandprocedures
specifictothe off worldcolonies underthe OLMA’sguidance.
 Availability:Low

C.3.5.5, on page 96. For more detailsaboutthistype of informationplease refertothatdocument.
Security Controls
FIPSPublication200: MinimumSecurityRequirementsforFederal Information and Information Systems,
establishes the minimumrequirementsforthe securityof federal informationsystems overseventeen
differentareas.The minimumrequirements forthese areas are metby implementingandexercising
securitycontrolsasdescribedinNIST SP800-53 Revision3:Recommended Security ControlsforFederal
Information Systems applicable withineachof those areas.
Control selectionisdone inconsiderationof the securitycategoryof the informationsystemand
determinedlevel of impactof the informationalongthe three axesof confidentiality,integrity,and
availability.Thisisdone bymeansof anestablishedbaselinesetof controls whichrepresentthe
minimumcontrolsrequiredtoadequatelysecure the informationsystem.These controlsmustalso then
be appropriatelytailored,ormodifiedforuse onthe informationsystemaccordingtoitsoperational
scope and functional purpose.
As definedinFIPS200 securitycontrol selectionbasedoninformationsystemimpactisdone inthe
followingmanner:
 Low-impactinformationsystemsmust,atminimum, use securitycontrolsfromthe low baseline
setof controls.
 Medium-impactinformationsystemsmust,atminimum, use securitycontrolsfromthe medium
baseline setof controls.
 High-impactinformationsystemsmust,atminimum, use securitycontrolsfromthe high
baseline setof controls.
For eachof the seventeensecurityareas thatFIPS200 has identifiedNISTSP800-53 lists,amongstother
controlsspecifictoeacharea, governance basedcontrolsthatare bothcommonto all areas and

consistentlywithinthe highestprioritygrouping.Whilenotexplicitlymentionedascontrolsof note
belowthe sectionbelowthese,“policyandprocedure”controlsare exercisesforeachof these security
areas at the OLMA, as governance createsthe foundationand authorityuponwiththe implementation
and exercise of othercontrolsrelies. More informationonpolicyandprocedure controls andtheir
implementation foreachof the seventeensecurityareascanbe foundintheirrespective sectionsof the
Office forLunar andMartian Affairs securitypolicydocuments (OLMA, STIMU DocumentLibrary).
While manydifferentsecuritycontrolsmaybe deployedonthe informationsystemsthe OLMA there are
some of note withineachcategorythat may require special consideration orsupplemental guidance
basedon the missionandoperational requirementsunique tothisagency.
Access Control (AC)
The agency limitsaccesstoinformationsystemssuchthatonlyauthorizedusers,theirprocesses,or
knowndevicescanutilize these appropriate informational resources.
AC-2AccountManagement
Thiscontrol requiresthatthe agencymanage information systemaccountsbyidentifyingaccounttypes,
groupmemberships,accessprivileges,managingaccountlifecycle,reviewingaccounts,andgranting
access basedonvalidauthorization.
Due to the nature of some of the systemsthatthe OLMA manages,including life supportandaccessto
sensitivescientificinformation,itisimperative thataccountsare managed,tracked,andprovisioned
appropriately.Asoff-worldcolonistsrarely,if ever,returntoEarth the terminationof theiraccountsis
generallyonlydone atthe time of theirretirement,death,ortransfertoan unrelatedsystemwiththeir
ownseparate account managementsystem.
Control Reference:NISTAP800-53 Revision3,Page I-5

AC-18WirelessAccess
Wirelessaccesscontrol createsguidance forthe implementationof wirelesscommunicationssystems,
monitorsthose systemsforunauthorizedaccess,authorizesaccess,andenforcesotherrequirements.
While manywirelesscommunicationssystemsare usedbythe OLMA it isimportantto note that the lack
of a magnetosphereonLunaand Mars presentssome technical hurdlesnotfoundintraditional long
range wirelesscommunicationsimplementations,possiblyallowingforthe range of the signalstobe
modifieddependingonthe technologyusedtoeitherfurtherlimitthe use of communicationsorinthe
signalsradiatingbeyondexpectedboundaries.Inthe lattercase thismayleadto a lossof confidentiality
and care shouldbe exercised.
Control Reference:NISTAP800-53 Revision3,Page I-6
Awareness and Training (AT)
The agency ensuresthatpersonnelare made aware of securityrisks,governance requirements,and
applicable procedureswhile alsobeingadequatelytrainedtocarryout theirsecurityrelatedfunctions.
AT-2SecurityAwareness
All newusersare givena basicsecurityawarenesstraining.Existingusersare givensupplemental
trainingperiodicallyorwhenconditionsarise whichwarrantit.Thistrainingincludesinformationabout
the needforsecurityprogramsas well asactionstheycan take themselvesin ordertoensure or
promote a secure environment.Thiscaninclude techniquessuchasuse of posters,communicationsand
newsarticles,remindersoncomputerscreens,andeventsdesignedtopromote securityawarenesssuch
as seminarsorsimulations.
Thiscontrol and agencyspecificreasoningisrelatedtocontrol IR-2IncidentResponse Training.

Control Reference:NISTAP800-53 Revision3,Page F-21
Audit and Accountability (AU)
The agency monitorsandcollectsinformationsystemauditrecordssufficientforpurposesof analysis
and investigationof impactful securityevents.
AU-2AuditableEvents
Informationsystemsmustbe capable of auditingaspecifiedsetof eventsdefinedbythe agency.
The OLMA placesemphasisonauditingeventsassociatedwithenvironmental controlsthathave the
potential toeitherplace apersonintoimmediate danger,suchasan airlockopeningorclosing,and
eventswhichhave the potentialtoplace multiple peopleingreatdangeraftera periodof time,suchas
a leakinan atmosphericseal.The abilitytotrackthese eventsandgatherinformationaboutthemis
paramountto the safetyof the off worldcolonistsunderthe OLMA’sgovernance.
AU-13MonitoringforInformationDisclosure
The agency monitorsavailable sourcesof informationforevidence of unauthorizedinformationleakage.
Much of the work happeningatthe off wordcoloniesunderthe OLMA’sguidance isconfidential and
couldpose a dangerto the missionandfunction of the scientificcoloniesonLunaand Mars if exposed.
Because of thisOLMA has dictated,asone of itssecurityfunctions,thatopensourcesof information
such as the internetortelevisionbe monitoredforinformationwhichmayreveal orleadtobe revealed
the importantworkbeingdone inthe off worldcolonies.

Certification, Accreditation, and Security Assessments (CA)
The agency periodicallyassesses the effectivenessof securitycontrolson informationsystemsto
determine theirlevel of effectiveness.
CA-5Planof ActionandMilestones
Whennecessarythe agencywill developaPlanof Actionand Milestones (POA&M) documenttotrack
remediationeffortsforweaknessesidentifiedinits informationsystemssuchasvulnerabilitiesor
misconfigurations.
The POA&Mdocumentisan essential partof the systemauthorizationprocessemployedbythe OLMA,
whichisin turnbasedon standardsestablishedby NISTSP800-37 Revision3:Guide forApplying theRisk
ManagementFrameworkto FederalInformation Systems.Seesection3.5,step5.1 of the Risk
ManagementFrameworkformore information.
Configuration Management (CM)
The agency establishes andenforcesbaselinescontrolsandconfigurationsforitsinformationsystems
and maintainsandinventoryof those systems.
CM-2BaselineConfiguration
The agency creates,maintains,anddocumentsabaseline configurationforinformationsystems.
Standardizationcreatesabaselineof measurementfromwhichdeviationscanbe detectedand
resolved.Inhostile environmentwhere resources,eventime,are scarce it isimportantto be able to find

and remediate problemsininformationsystemswhichmayresultinacompromise ordelayof the
missionof the OLMA.
Contingency Planning (CP)
The agency creates,maintains,andexercisesplansforresponsetoemergencysituations,
implementationof backupoperations,anddisasterrecoveryscenarios.
CP-2ContingencyPlan
Informationsystemsthatprovideessential functionsmusthave contingencyplansthatprovide for
recoveryviarecoverypointobjectives,recoverypriorities,metrics,definedrolesandresponsibilities,
contact information,abilitytomaintainessential functionsdespite disruption,andleadtowardsfull
informationsystemrecovery.
As the OLMA operatedinenvironmentshostiletolife itisof essentialimportance thatthe coloniesare
able to continue inthe eventof anincidentordisaster.The civiliancolonistsrelyonthe OLMA to
provide safetyandsecuritysothattheirfocuscan be onthe continuance of theirimportantwork.
Identification and Authentication (IA)
The agency identifiessystemdevices,users,andtheirprocessesandverifiestheiridentitiestogrant
themaccess toagency informationsystems.
IA-2 IdentificationandAuthentication(Organizational Users)
Informationsystemsmusthave the abilitytoidentifyagencypersonnel.

The OLMA representsaunique partnershipbetweenthe civiliancolonistsof Lunaand Mars and the
UnitedStatesfederal government.Whilethe OLMA providesservicestothe coloniststheyare expected
to, inturn,work alongside the agency.Insome casesitisimportantthanan informationsystemmay
needtorespond or grant authorization differentlytoOLMA personnel thanitwouldtoa civiliancolonist
inorder to properly maintainthispartnership.Thiscontrol andreasoningare alsorelateddirectlyto
control IA-8 IdentificationandAuthentication(Non-Organizational Users).
Incident Response (IR)
The agency createsa processwhichincludespreparation,detection,analysis,containment,and
recoveryactivitiestorespondtoincidentswhichmayhave anegative impactonthe organization.These
incidentsare monitored,documented,andreportedtothe appropriate agencypersonnel or authorities.
IR-2 IncidentResponseTraining
As the resourcesonthe off worldcoloniesare spreadoverthe vastdistancesof space the OLMA holds
securityawareness andthe abilitytorespondtoanincidentare of high priority;eachpersonmustbe
responsible forthe securityof theirenvironmentandinformationsystemstosome degree asrapid
response maynotbe presentdue to eitherthe distance betweenphysical securityresourcesorthe time
it takesforcommunicationssignalstopassbetweencoloniesondifferentastral bodiesdependingon
theircurrentorbital positions.Forexample,itwill take onaverage between4and5 minutesforsignals
to travel betweenLunaandMars. Because of thisa certaindegree of self-reliance isnecessaryforall of
the OLMA’s personnel.
Thiscontrol and reasoningare relatedtocontrol AT-2: SecurityAwareness.

Maintenance (MA)
The agency performsperiodicmaintenance onitsinformationsystems andprovidesoversightonthe
tools,practices,andpeople involvedinthose maintenanceactivities.
MA-6TimelyMaintenance
Thiscontrol ensuresthatsupportor parts are available forinformationsystemswithinagiventime span
of failure.
As the OLMA overseesvariousenvironmental control systemsessential tolife onthe off worldcolonies
it isof highimportance thatmaintenance isperformedonaregularand timelybasis.Ingeneral systems
whichhave a higheravailabilityimpacthave alowerresponse time andfastertime tocompletionfor
maintenance activities.
Media Protection (MP)
The agency takesstepstoprotectboth analogand digital informationmedia,limitingaccesstothat
mediatoappropriate personnelanddestroyingthe mediawhere necessary.
MP-4MediaStorage
Thiscontrol dictatesthat storage mediaisto be storedsecurelyandprotectedfromdamage.
As boththe coloniesof Lunaand Mars lacka magnetosphere of Earth theyare subjecttoexposure to
varioussourcesof radiationandenergyfromspace.While mostof the coloniesare underground,
providingshieldingfromthese harmful sourcesof radiation,somepartsof themare exposed.Inall cases
any mediasubjectto damage frominterstellarradiation,suchasmagnetictapes,shouldbe storedin
properlyshieldedcontainers.

Physical and Environmental Protection (PE)
The agency limitsphysicalaccesstoits informational resources,protectsphysical informationsystem
componentsandinfrastructure,andprovidesenvironmentalcontrolsforfacilitieswherethose
informationsystemsare located.
PE-11EmergencyPower
Short termpowerisavailable tofacilitatethe propershutdownof aninformationsystem.Insome cases
longtermemergencypowersuppliesmaybe necessary.
Informationsystemsmaintainedbythe OLMA may be performingimportantscientificcalculations,
simulations,orsupportslife sustainingenvironmental function.The higherthe securitycategoryof an
informationsystemthe longeranemergencypowersupply shouldbe able tooperate foruntil normal
operationsare restored.
Planning (PL)
The agency develops,revises,andexercisessecurityplansforinformationsystemswhichdescribethe
use of securitycontrolsandbehaviorrequirementsforassignedpersonell.
PL-2 SystemSecurityPlan
The agency createsa securityplanforan informationsystemthatdefinesboundaries,categorization
rationale,requirements,relationshipstoothersystems,anddescribesexistingsecuritycontrolsalready
inplace.

Thisplanis reviewedandapprovedbythe authorizingofficialduringthe systemauthorizationprocess.
Personnel Security (PS)
The agency takesstepstoensure the trustworthinessof peopleinpositionsof responsibilityandthe
securityof informationsystemsinuse bythose people.When necessary,formal actionistakenagainst
personnel whohave violatedagencysecuritypolicies.
PS-3Personnel Screening
Thiscontrol dictatesthat potential employeesare screenedpriortogainingauthorizationtoagency
informationsystemsandrescreened whencertainconditionsare met.
The OLMA musttake great care inensuringthatit can trustsits personnel due tothe secretiveand
impactful nature of the workbeingdone underitspurview.Inadditional tobackgroundchecksto
ensure a historyof trustworthinessfurtherbehavioral analysisbasedinterviewtechniquesare used
duringany screeningprocess,bothinitial andsubsequent.
Risk Assessment (RA)
The agency periodicallyassessesthe risk toitspeople,assets,andinformationsystems.
RA-2SecurityCategorization
The informationandinformationsystemswithinthe responsibilityof the agencyare categorizedin
accordance withfederal lawsandstandards.

Categorizationisthe firststepof the RiskManagementframeworkdescribedinNISTSP800-37 Revision
3. The OLMA followsthisprocessameanstoproperlydetect,manage,andremediateriskonits
informationsystems.
RA-3RiskAssessment
The agency performsaformalizedassessmentof riskpresentonaninformationsystem,reviewsthe
results,andperformsperiodicupdatesof the assessments.
A riskassessmentisauseful tool whendone asapart of the risk managementframeworkandits
associatedprocesses.AccordingtoNISTSP800-37 Revision3,“a risk assessmentguidesthe
prioritizationprocessforitemsincludedinthe planof actionandmilestones.”
Guidance onrisk assessmentscanbe foundinNISTSP800-30 Revision1:Guide forConducting Risk
Assessments.
System and Services Acquisition (SA)
The agency allocatessufficientresourcestoprovide adequateprotectiontoitsinformationsystems,
utilizesasystemsdevelopmentlifecycle thataddressessecurityconcerns,andmonitorsthe use of
software.
SA-2AllocationofResources
The agency determinesthe resourcesrequiredtoimplementthe securitycontrolsnecessarytoprovide
an informationsystemwithadequatesecurity.

As resourcesinthe off worldcoloniesare extremelylimiteditisimportanttobe able toknow exactly
howmany will be requiredbythe securitycontrolsassignedforuse onthat system.ColoniesonLuna
may have more immediate accesstoresourcesfromEarth,while resource scarcityonMars isalwaysan
issue.Inmanycasesthe coloniesmustbe self-sufficientwithanyadditional resourcesfromEarthseen
as unnecessarybutnotunwelcome.
System and Communications Protection (SC)
The agency monitors,controlsandprotectscommunicationof informationatkeypointsalongsystem
boundaries,bothexternal andinternal,andmakesuse of architectural,softwaredevelopment,and
engineeringtechniquesthat contribute tosecure informationtransmissionpractices.
DC-9TransmissionConfidentiality
Informationwithaconfidentialityrequirementmustbe protectedfromunauthorizeddisclosure while in
transit.
As muchof the OLMA’s workisdone in secretthe classificationof muchof the informationaboutthis
workalongthe confidentialitydimensionishigh.Encryptedcommunicationstunnels,especiallythose
for sharedcommunicationschannelssuchasthe mainbandusedby Mars andLuna to communicate
withSagan StationonEarth, mustbe used.
Thiscontrol and reasonare alsorelateddirectlytocontrol SC-28Protectionof InformationatRest.

System and Information Integrity (SI)
The agency locates,reports, andremediatesinformationsystemflawsinatimelymanner,providing
protectionfrommaliciouscode,andmonitoringsecurityalertsandintelligence inordertofacilitate an
appropriate response.
SI-4 InformationSystemMonitoring
The agency tracks eventsoninformationsystemsinaccordance withitsobjectivesandisable todetect
informationsystemsattacks.
Thiscontrol and itsreasoningare directlyrelatedtocontrolsAU-2Auditable Eventsandcontrol AU-13
MonitoringforInformationDisclosure.
RiskAssessment
"I often say that when you can measure what you are speaking about, and express it in numbers, you
know something about it; but when you cannot express it in numbers, your knowledge is of a meagre
and unsatisfactory kind;itmay be thebeginning of knowledge, but you have scarcely, in your thoughts,
advanced to the stage of science, whatever the matter may be.” – William Thomson, Lord Kelvin
The OLMA measuresriskaccordingtothe followingconceptual formula:
Risk = Threat x Vulnerability x Impact
There are several variantsof the riskformulainuse throughoutthe securityindustry.Some risk
assessmentmodels,suchasthe NISTmodel,alsoinclude the likelihood of athreateventoccurringas a
componentof risk.Forthe purposesof the OLMA likelihoodisconsideredafactorof threatand will be
includedthereinasmanyof our assessmenttoolsalreadyuse thismethodology.

The resultsof a riskassessment,includingsource documentsforeachcomponentof the riskformula,
are thendocumentedforlaterreference throughoutthe RiskManagementFramework.
The components of thisformulaare definedinNISTSP800-30 Revision1:
Threat
“Any circumstanceor eventwith the potentialto adversely impactorganizationaloperationsand assets,
individuals,otherorganizations…through an information systemvia unauthorized access,destruction,
disclosure,or modification of information,and/ordenialof service.”
Thisvalue istypicallyprovidedforusbyautomatedvulnerabilityscannersandstoredinreports
generatedbythose scanners.Sourcesof threatsmaybe intentional,accidental,orenvironmental.
Vulnerability
“A weaknessin an information system,system,security procedures,internal controls,orimplementation
thatcould be exploited by a threatsource.”
Thisvalue istypicallyprovidedforusbyautomatedvulnerabilityscannersandstoredinreports
generatedbythose scanners.
Impact
“The level of impactfroma threat eventis the magnitudeof harmthatcan be expected to resultfrom
the consequencesof unauthorized disclosureof information,unauthorized modificationof information,
unauthorized destruction of information,orlossof information orinformation systemavailability.”
It shouldbe notedthatimpactis partiallydefinedbythe thingbeingaffectedbythe threatand
vulnerability.Thatis,noexternal source canautomaticallytell uswhatthe impactonour own
environmentwillbe because itisoursandunique to its use andpositionwithinthe OLMA.

The classificationof the informationpresentonorusedby an informationsystemcanbe usedto help
determine thisvalue.Informationof ahighersecuritycategoryshouldbe representedashavinga
greaterlevel of impacton the level of riskdetermined.
A Note on Measurement
Measurementsof componentsof riskforthe OLMA’sinformationsystemsare gatheredaccordingtoa
0.0 to 10.0 scale.If these valuesare goingtobe usedinothercalculationstheyshouldbe keptonthis
scale to preserve likenessandprecision. Resultsof calculations,foruse inreportsor presentations,can
be translatedintootherscalesasneeded,suchasthe 1-5 scale usedby mostcorporate riskassessment
methodologiesorthe 1-3 scale usedbysome federal agenciesorthe CVSS2.0 ratingsystem.
For our purposesvaluesshowninreportswill use the followingscale:
Rating Scale (0-5)
None
Very Low
Low
Medium
High
Critical
System Security Authorization
Step5 of the RiskManagementFramework isthe authorizationof aninformationsystembasedupona
determinationof the riskpresentonthatsystem. Thisisaddressedbyseveral tasks,eachof whichisalso
representedbyacorrespondingsecuritycontrol.
Plan of Action and Milestones
The Planof Actionand Milestones (POA&M) document describesactionsnecessaryto addressand
correct weaknesses inthe securitycontrolsused onaninformation systemorthe vulnerabilities onthe

informationsystem whichthose securitycontrolsdonotadequatelyaddress.The documentthen
describesthe issuesandtaskstoremediate those issues,the resourcesnecessarytodoso,and any
milestones metduringthe course of completionof the plan.
Riskassessmentsare usedtoassignprioritytothese tasksbasedonthe issuestheyaddressandhelpto
guide time requirementsforcompletionof tasks. Control RA-3RiskAssessmentrepresentsthe
correspondingsecuritycontrol forthisstep.
The correspondingsecuritycontrol forthisstepis CA-5Planof Actionand Milestones.The OLMA
specificreasoningandconsiderationscanbe foundinthe correspondingsectionof thisdocument.
Reference:NISTSP800-37 Revision1,Page 34
Security Authorization Package
The POA&M, alongwiththe securityassessmentdocumentandthe securityplancreatedduringearlier
stepsof the Risk ManagementFrameworkprocess,isusedtocomplete the securityauthorization
package.The Authorizingofficial canuse the informationinthispackage to conductfurtheranalysis
basedon the vulnerabilities,threats,andimpactdescribedthereintomake adeterminationof risk.The
authorizingofficial canrequestadditional informationtoaddto the authorizationpackage asnecessary
inorder to make a more accurate determinationof risk.
The securityplanis relatedtocontrol PL-2 SystemSecurityPlan.The security assessmentis relatedto
control CA-2 SecurityAssessments. More informationonsecuritycontrolsnotexplicitlydescribedinthis
documentare describedinNISTSP800-53 Revision3.

Risk Determination
The authorizingofficial,workingwiththe seniorinformationsecurityofficer asappropriate,reviewsthe
informationinthe authorizationpackage toexamine security controlscurrentlyinplace on the
informationsystem, determine the current level of riskpresent,andreview the recommendations
providedinthe POA&Mdocument.The currentrisklevel is determinedalongwithriskmitigation
strategies.Remainingriskiscomparedtothe level of acceptablerisktodetermineif furtheractionis
required.
The OLMA has determinedthataverylow level of risk,basedonthe five pointratingscale described
earlierinthisdocument, isacceptable tothe agencydue tothe heavyreliance of the missionand
functionof the agencyon informationtechnology.
Risk Acceptance
It isthe authorizingofficial’s role todetermine if the risktothe mission,function,image,reputation,
assets,people,ororganizationsisacceptable withinthe boundssetbythe OLMA’sriskpolicies while
weighingthisrisk againstcontinuedoperationalandmissiondemandsplacedonthe system. This
decisionisdocumentedinthe authorizationdecisiondocument detailingthe final decisionof the
authorizingofficial regardingthe acceptance of riskassociatedwiththisinformationsystemandif that
systemisauthorizedto beginorcontinue operations.Termsandconditionsmayalsobe includedinthis
document,providingforspecial casesforuse ordescribinglimitsonuse of the informationsystem.This
documentalsodescribesthe periodof expirationof thisauthorization,promptinganotherauthorizing
reviewtotake place.Thisinformationisthengiventothe systemownerandsecuritycontrol provideras
well asotherpartiesas necessary.

Reference:Reference:NISTSP800-37 Revision1,Page 35
InformationSystem Monitoring
Because people and resourcesare relativelyscarce onoff worldcoloniesthe OLMA reliesheavilyon
automationandautomatedprocessedtomonitorthe securityof itsinformationsystems. NISTSP800-
137 AppendixDdescribesseveral typesof toolsthat,whendeployedappropriatelyandwithoversight
of humanexpertise,are usefulinsystemmonitoringpractices.
Asset Management
These toolsletsecurityanalysisknowwhatsystemsare presentintheirenvironment.Thisisthe
foundationof anefforttosecure all of the systemsinanorganization,assecuritycontrolscannotbe
deployedtosystemsif youdon’tknowwhatsystemsyouhave inthe firstplace,especiallyif the
environmentissolarge or widespreadthananaccurate and timelymanual inventorywouldbe
impossible.
Configuration Management
Centralizedconfigurationmanagementallowsadministratorstodeployconsistentsettingstomany
categoriesof systemssimultaneously,ensuringcompliance withpre-establishedparametersassecurity
controls.Thistool can alsofind deviationsinsettingsfromthe establishednormal identifyingthese
flawedsecuritycontrol deploymentsinreal time and,inmanycases,correct themautomatically.
Event and Incident Management
These toolsare usedto gatherinformationaboutspecific occurrenceshappeningona givensystem,
such as detectionof attacksbasedonknownsignatures,systembehavioral patterns,orotherlogsof
activity.If there isa commoncause to particularsetsof behaviorthe informationcanbe organizedasan
incidentenablingforcommonreference of relatedevents.

Information Management
The securitycategoryof a systemisdeterminedbythe type of dataon that system.Information
managementtoolsare able totrack thisinformationandhow itmovesoverthe network, possibly
preventinginformationleakage andallowingthe securityteamtoidentifythe sensitivityof agiven
systembasedonthe type of informationpresentonthatsystem.
License Management
License managementcandetectthe numberof installationsof anapplicationinthe environmentand
compare thisagainstthe numberwhichthe organizationisallowedorhaspurchased.Thisallowsfor
avoidance of feesorlegal actionbythe software distributorbydetectingthisdeviationandenablingthe
securityteamto correctit, or by preventingthe installationof the unlicensedsoftware inthe firstplace.
Malware Detection
Symanteccorporationdefines Malware as,“a categoryof maliciouscode thatincludesviruses,worms,
and Trojanhorses.”Thistool is used tofindsuch software and,inmanycases,take a predetermined
actionagainstit, enablingforreal-time protectionof asystemandmitigationof the riskcreatedbythe
malware threat.
Network Management
Networkmanagementtoolsallow fordiscoveryof new hostsonthe networkandmonitoringof traffic.
These toolsallowforreal time discoveryof systemsonthe networkwhichare notinthe inventoryof
allowedsystemsornetworkdevices.
Software Assurance
Thisset of toolsallowsforthe analysisof software behaviorenablinganorganizationtoverifythe
trustworthinessof anapplication.Forsoftware developedinternallythiscanbe utilizedaspartof the
software developmentcycle toimprove onthe securitycompliance of anapplication.

Vulnerability and Patch Management
These toolsscansystemstodetectsoftware flawsordetermine if asoftware update isavailableand
neededtoaddressaknownissue.These toolscanallow forquickdiscoveryof suchissuesthrough
regularlyscheduledscansandremediationviapre-determinedpatchingmechanisms.

References
1. E-GovernmentActof 2002. Pub.L. No. 347.107, Stat. 2899, P.116. RetrievedJanuary2015 from
U.S. GovernmentPrintingOfficeat: http://www.gpo.gov/fdsys/pkg/PLAW-
107publ347/html/PLAW-107publ347.htm
2. Mell,P.,Scarfone,K.,Romanosky S.(2007 January).A Complete Guide tothe Common
VulnerabilityScoringSystemVersion2.0.RetrievedMarch2015 fromFirstat
https://www.first.org/cvss/cvss-guide.pdf
3. National Institute of StandardsandTechnology.(2014 April 1). FISMA – Detailed Overview.
RetrievedJanuary2015 from NISTat: http://csrc.nist.gov/groups/SMA/fisma/overview.html
4. National Institute of Standardsand Technology.(2004 February). FederalInformation Processing
StandardsPublication:StandardsforSecurity Categorization of FederalInformation and
Information Systems.RetrievedFebruary2015 fromNIST at:
http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
5. National Institute of StandardsandTechnology.(2006 March). FederalInformation Processing
StandardsPublication:MinimumSecurity Requirementsfor FederalInformation and Information
Systems.RetrievedMarch2015 fromNIST at:
http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
6. National Institute of StandardsandTechnology.(2015 January28). NIST ComputerSecurity
Publications - NIST SpecialPublications(SPs).RetrievedMarch2015 from
http://csrc.nist.gov/publications/PubsSPs.html
7. National Institute of StandardsandTechnology.(2010 February). NISTSpecialPublication 800-37
Revision 1: Guide forApplying theRisk ManagementFrameworkto FederalInformation Systems.
RetrievedFebruary2015 fromNISTat: http://csrc.nist.gov/publications/nistpubs/800-37-
rev1/sp800-37-rev1-final.pdf

8. National Institute of StandardsandTechnology.(2013 April). NISTSpecialPublication 800-53
Revision 4: Security and Privacy ControlsforFederalInformation Systemsand Organizations.
RetrievedFebruary2015 fromNISTat:
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
9. National Institute of StandardsandTechnology.(2003 August). NISTSpecialPublication 800-59:
Guideline for Identifying an Information Systemasa NationalSecurity System.RetrievedMarch
2015 fromNIST at: http://csrc.nist.gov/publications/nistpubs/800-59/SP800-59.pdf
10. National Institute of StandardsandTechnology.(2008 August). NISTSpecialPublication 800-60
Revision 1: Volume1: Guide for Mapping Typesof Informationand Information Systemsto
SecurityCategories.RetrievedFebruary2015 fromNISTat:
http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol1-Rev1.pdf
11. National Institute of StandardsandTechnology.(2008 August). NISTSpecialPublication 800-60
Revision 1: Volume2: Appendicesto Guide for Mapping Typesof Informationand Information
Systemsto Security Categories.RetrievedFebruary2015 fromNISTat:
http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol2-Rev1.pdf
12. Nicolen,Shawn.(2015March 21). OLMA STIMU:Stuff ThatIMadeUp.Personal Interview,
March 2015.
13. Office andManagementandBudget.(1996 February8). CIRCULARNO.A-130. RetrievedMarch
2015 fromthe OMB at: https://www.whitehouse.gov/omb/circulars_a130
14. Office of the PressSecretary.(2009 December29). Executive Order13526- ClassifiedNational
SecurityInformation.RetrievedMarch2015 from The White House at:
https://www.whitehouse.gov/the-press-office/executive-order-classified-national-security-
information
15. Symantec. Malware- MaliciousVirus CodeDetection - Trojan - Trojan Horse.Retrieved March
2015 fromNortonat: http://us.norton.com/security_response/malware.jsp

Agency System Security Authorization Program Overview

Recommended

Recommended

More Related Content

What's hot

What's hot (18)

Viewers also liked

Viewers also liked (20)

Similar to Agency System Security Authorization Program Overview

Similar to Agency System Security Authorization Program Overview (20)

Recently uploaded

Recently uploaded (20)

Agency System Security Authorization Program Overview