ad-assurance - RE: [AD-Assurance] Fwd: NIST Announces the Final Release of SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
- From: "Curry, Warren" <>
- To: "" <>
- Subject: RE: [AD-Assurance] Fwd: NIST Announces the Final Release of SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
- Date: Wed, 1 May 2013 15:53:05 +0000
- Accept-language: en-US
- Authentication-results: sfpop-ironport04.merit.edu; dkim=neutral (message not signed) header.i=none
Nice Jeff..

WHC
Warren H. Curry
UFIT – Identity Access Management
PO Box 113359, 2008 NE Waldo Rd
352-273-1383
Have a great day!!!

From: [mailto:] On Behalf Of Capehart,Jeffrey D

The part that I found interesting was where the new REV4 includes a requirement that non-organizational users must use approved authentication by either accepting the PIV cards from other agencies, accepting 3rd party credentials, or using FICAM issued profiles.

That would lead right to the main point of Federated Identity, which is that if any of our institutions become certified for InCommon Silver (an approved profile by FICAM), then Government Agencies (NSF, NIH, etc.) will be able to comply with FISMA/SP-800-53 while allowing users authenticated outside of their system to use selected information systems. This new revision doesn't make Silver have to comply with SP-800-53. Rather, it says that if FICAM approved Silver, then any federal government agencies using Silver would be in compliance with requirement IA-8 for those users authenticated under Silver (and same for Bronze). So maybe now it is clear why InCommon Bronze and Silver needed FICAM review and approval with the V1.2 changes?

In considering the intent of the specs, perhaps some of the wording in IA-8 and other FISMA requirements can be used to help formulate alternative means.

- Balance ease of use for access with need to protect and ADEQUATELY mitigate risk
- Consider PRACTICALITY and security in balancing (above)
- The organization employs cryptographic mechanisms to prevent unauthorized disclosure/modification of information at rest unless otherwise protected by alternative physical measures
- The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by organization-defined alternative physical measures

See below for where this is in the final release.

-Jeff

(CONTEXT: FEDERAL GOVERNMENT AGENCIES NEED TO BE IN COMPLIANCE WITH FISMA/SP-800-53)

IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)

Control: The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

In accordance with the E-Authentication E-Government initiative, authentication of non-organizational users accessing federal information systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations use risk assessments to determine authentication needs and consider scalability, practicality, and security in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk.

Control Enhancements:

(4) IDENTIFICATION AND AUTHENTICATION | USE OF FICAM-ISSUED PROFILES

The information system conforms to FICAM-issued profiles.

Supplemental Guidance: This control enhancement addresses open identity management standards. To ensure that these standards are viable, robust, reliable, sustainable (e.g., available in commercial information technology products), and interoperable as documented, the United States Government assesses and scopes identity management standards and technology implementations against applicable federal legislation, directives, policies, and requirements. The result is FICAM-issued implementation profiles of approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute Exchange).

From: [] On Behalf Of David Walker

I'm not trying to derail our discussion, but I thought this might be of interest to some of you.

David

---------- Forwarded message ----------
NIST Announces the Final Release of SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
To view the full announcement of this document and the updates made to improve this document, please visit the Computer Security Resource Center (CSRC) News/Announcement page:
Here is the link to the Special Publications page on CSRC to view/download the document:
**Please note – when clicking the link to the PDF file, you will notice the link as dx.doi.org/……., the link does point to a NIST webserver. – see note at top of Special Publications page. All new approved NIST documents are going to be using the dx.doi.org link.
__________
Pat O'Reilly
- [AD-Assurance] Fwd: NIST Announces the Final Release of SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, David Walker, 05/01/2013
- RE: [AD-Assurance] Fwd: NIST Announces the Final Release of SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, Capehart,Jeffrey D, 05/01/2013
- RE: [AD-Assurance] Fwd: NIST Announces the Final Release of SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, Curry, Warren, 05/01/2013
- RE: [AD-Assurance] Fwd: NIST Announces the Final Release of SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, Capehart,Jeffrey D, 05/01/2013