Industry:Project Review/NIST SP 800-37r1 FPD Appendix I - Revision history
https://wiki.owasp.org/index.php?title=Industry:Project_Review/NIST_SP_800-37r1_FPD_Appendix_I&feed=atom&action=history

Dan Philpott, 2009-12-04T05:25:36Z: Initial add for GIC review of NIST SP 800-37r1 FPD
https://wiki.owasp.org/index.php?title=Industry:Project_Review/NIST_SP_800-37r1_FPD_Appendix_I&diff=74696&oldid=prev
<div>{| align="right"
| __TOC__
|}

<big>APPENDIX I</big>

<big>'''SECURITY CONTROLS IN EXTERNAL ENVIRONMENTS'''</big>

PARTNERSHIPS, OUTSOURCING ARRANGEMENTS, [http://fismapedia.org/index.php?title=Term:Supply_Chain SUPPLY CHAIN] EXCHANGES

Organizations are becoming increasingly reliant on information system services provided by external providers to carry out important missions and business functions. [http://fismapedia.org/index.php?title=Term:External_Information_System External information system] services are services implemented outside of the authorization boundaries established by the organization for its information systems. These external services may be used by, but are not part of, organizational information systems. In some situations, [http://fismapedia.org/index.php?title=Term:External_Information_System external information system] services may completely replace the functionality of internal information systems. Organizations are responsible and accountable for the risk incurred by use of services provided by external providers and address this risk by implementing [http://fismapedia.org/index.php?title=Term:Compensating_Controls compensating controls] when the risk is greater than the [http://fismapedia.org/index.php?title=Term:Authorizing_Official authorizing official] or the organization is willing to accept.

Relationships with external service providers are established in a variety of ways, for example, through joint ventures, business partnerships, outsourcing arrangements (i.e., through contracts, interagency agreements, [http://fismapedia.org/index.php?title=Term:Lines_of_Business lines of business] arrangements), licensing agreements, and/or [http://fismapedia.org/index.php?title=Term:Supply_Chain supply chain] exchanges. The growing dependence on external service providers and new relationships being forged with those providers present new and difficult challenges for the organization, especially in the area of information system security. These challenges include:

* Defining the types of external services provided to the organization;
* Describing how the external services are [http://fismapedia.org/index.php?title=Term:Protected protected] in accordance with the [http://fismapedia.org/index.php?title=Term:Security_Requirements security requirements] of the organization; and
* Obtaining the necessary assurances that the risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the use of the external services is acceptable.

FISMA and OMB policy require external providers handling federal information or operating information systems on behalf of the federal government to meet the same [http://fismapedia.org/index.php?title=Term:Security_Requirements security requirements] as federal agencies. [http://fismapedia.org/index.php?title=Term:Security_Requirements Security requirements] for external providers, including the [http://fismapedia.org/index.php?title=Term:Security_Controls security controls] for information systems [http://fismapedia.org/index.php?title=Term:Processing processing], storing, or transmitting federal information, are expressed in appropriate contracts or other formal agreements. Organizations can require external providers to implement all steps in the [http://fismapedia.org/index.php?title=AnA:RMF RMF] with the [http://fismapedia.org/index.php?title=Term:Exception exception] of the [http://fismapedia.org/index.php?title=Term:Security_Authorization security authorization] step, which remains an inherent federal responsibility that is directly linked to the management of risk related to the use of [http://fismapedia.org/index.php?title=Term:External_Information_System external information system] services.

The assurance or confidence that the risk from using external services is at an acceptable level depends on the trust<ref>The level of trust that an organization places in an external [http://fismapedia.org/index.php?title=Term:Service_Provider service provider] can vary widely, ranging from those who are highly trusted (e.g., business partners in a [http://fismapedia.org/index.php?title=Term:Joint_Venture joint venture] that share a common business model and common goals) to those who are less trusted and represent greater sources of risk (e.g., business partners in one endeavor who are also competitors in another market sector).</ref> that the organization places in the external [http://fismapedia.org/index.php?title=Term:Service_Provider service provider]. In some cases, the level of trust is based on the amount of direct control the organization is able to exert on the external [http://fismapedia.org/index.php?title=Term:Service_Provider service provider] with regard to employment of [http://fismapedia.org/index.php?title=Term:Security_Controls security controls] necessary for the protection of the service and the evidence brought forth as to the effectiveness of those controls.

The level of control is usually established by the terms and conditions of the [http://fismapedia.org/index.php?title=Term:Contract contract] or service-level agreement with the external [http://fismapedia.org/index.php?title=Term:Service_Provider service provider] and can range from extensive (e.g., negotiating a [http://fismapedia.org/index.php?title=Term:Contract contract] or agreement that specifies detailed security control requirements for the provider) to very limited (e.g., using a [http://fismapedia.org/index.php?title=Term:Contract contract] or service-level agreement to obtain commodity services<ref>Commercial providers of commodity-type services typically organize their business models and services around the concept of shared resources and devices for a broad and diverse [http://fismapedia.org/index.php?title=Term:Customer customer] base. Therefore, unless organizations obtain fully dedicated services from commercial service providers, there may be a need for greater reliance on [http://fismapedia.org/index.php?title=Term:Compensating_Security_Controls compensating security controls] to provide the necessary protections for the information system that relies on those external services. The organization's [http://fismapedia.org/index.php?title=Term:Risk_Assessment risk assessment] and [http://fismapedia.org/index.php?title=Term:Risk_Mitigation risk mitigation] activities reflect this situation.</ref> such as commercial telecommunications services). In other cases, the level of trust is based on factors that convince the organization that the requisite [http://fismapedia.org/index.php?title=Term:Security_Controls security controls] have been employed and that a credible determination of control effectiveness exists. For example, a separately authorized [http://fismapedia.org/index.php?title=Term:External_Information_System_Service external information system service] provided to an organization through a well-established [http://fismapedia.org/index.php?title=Term:Line_of_Business line of business] relationship may provide a degree of trust in the external service within the tolerable risk range of the [http://fismapedia.org/index.php?title=Term:Authorizing_Official authorizing official].

The provision of services by external providers may result in some services without explicit agreements between the organization and the external entities responsible for the services. Whenever explicit agreements are feasible and practical (e.g., through contracts, service-level agreements, etc.), the organization develops such agreements and requires the use of the [http://fismapedia.org/index.php?title=Term:Security_Controls security controls] in [http://fismapedia.org/index.php?title=Doc:Special_Publication_800-53 Special Publication 800-53]. When the organization is not in a position to require explicit agreements with external providers (e.g., the service is imposed on the organization or the service is a [http://fismapedia.org/index.php?title=Term:Commodity_Service commodity service]), the organization establishes explicit assumptions about the service capabilities with regard to security. In situations where an organization is procuring information system services or technologies through a centralized acquisition vehicle (e.g., a governmentwide [http://fismapedia.org/index.php?title=Term:Contract contract] by the [http://fismapedia.org/index.php?title=General_Services_Administration General Services Administration] or other preferred and/or mandatory [http://fismapedia.org/index.php?title=Term:Acquisition_Organization acquisition organization]), it may be more efficient and cost-effective for the originator of the [http://fismapedia.org/index.php?title=Term:Contract contract] to establish and maintain a stated level of trust with the external provider (including the definition of required [http://fismapedia.org/index.php?title=Term:Security_Controls security controls] and level of assurance with regard to the provision of such controls). Organizations subsequently acquiring information system services or technologies from the centralized [http://fismapedia.org/index.php?title=Term:Contract contract] can take advantage of the negotiated trust level established by the [http://fismapedia.org/index.php?title=Term:Procurement procurement] originator and thus avoid costly repetition of the activities necessary to establish such trust.<ref>For example, a [http://fismapedia.org/index.php?title=Term:Procurement procurement] originator could authorize an information system providing external services to the federal government under specific terms and conditions of the [http://fismapedia.org/index.php?title=Term:Contract contract]. A [http://fismapedia.org/index.php?title=Term:Federal_Agency federal agency] requesting information system services under the terms of the [http://fismapedia.org/index.php?title=Term:Contract contract] would not be required to reauthorize the information system when acquiring such services (unless the request included services outside the scope of the original [http://fismapedia.org/index.php?title=Term:Contract contract]).</ref> Contracts and agreements between the organization and external providers may also require the active participation of the organization. For example, the organization may be required by the [http://fismapedia.org/index.php?title=Term:Contract contract] to install public key encryption-enabled client software recommended by the [http://fismapedia.org/index.php?title=Term:Service_Provider service provider].

Ultimately, the responsibility for adequately mitigating unacceptable risks arising from the use of [http://fismapedia.org/index.php?title=Term:External_Information_System external information system] services remains with the [http://fismapedia.org/index.php?title=Term:Authorizing_Official authorizing official]. Organizations require that an appropriate [http://fismapedia.org/index.php?title=Term:Chain_of_Trust chain of trust] be established with external service providers when dealing with the many issues associated with information system security. A [http://fismapedia.org/index.php?title=Term:Chain_of_Trust chain of trust] requires that the organization establish and retain a level of confidence that each participating [http://fismapedia.org/index.php?title=Term:Service_Provider service provider] in the potentially complex [http://fismapedia.org/index.php?title=Term:Consumer consumer]-provider relationship provides adequate protection for the services rendered to the organization. The [http://fismapedia.org/index.php?title=Term:Chain_of_Trust chain of trust] can be complicated due to the number of entities participating in the [http://fismapedia.org/index.php?title=Term:Consumer consumer]-provider relationship and the type of relationship between the parties. External service providers may also in turn outsource the services to other external entities, making the [http://fismapedia.org/index.php?title=Term:Chain_of_Trust chain of trust] even more complicated and difficult to manage. Depending on the nature of the service, it may simply be unwise for the organization to place significant trust in the provider—not due to any inherent untrustworthiness on the provider's part, but due to the intrinsic level of risk in the service. Where a sufficient level of trust cannot be established in the external services and/or service providers, the organization: (i) employs [http://fismapedia.org/index.php?title=Term:Compensating_Controls compensating controls]; (ii) accepts a greater degree of risk; or (iii) does not obtain the service (i.e., performs missions or business operations with reduced levels of functionality or possibly no functionality at all).

== Sources ==

* [http://csrc.nist.gov/publications/drafts/800-37-Rev1/SP800-37-rev1-FPD.pdf NIST SP 800-37 Rev. 1 DRAFT Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach]

[[Category:GIC-NISTSP80037r1FPD]]</div>