[ISN] ITL Bulletin for January 2005

InfoSec News isn at c4i.org
Mon Jan 31 04:07:41 EST 2005

Forwarded from: Elizabeth Lennon <elizabeth.lennon at nist.gov>

By Joan S. Hash
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce


To assist federal agencies with effectively integrating security into
the capital planning and investment control (CPIC) process, NIST's
Information Technology Laboratory has released Special Publication
(SP) 800-65, Integrating IT Security into the Capital Planning and
Investment Control Process. It provides tips and pointers in addition
to a sample methodology, which can be used to address prioritization
of security requirements in support of agency business units. The
publication describes risk factors that should be considered in
addressing security investments and links the current Office of
Management and Budget (OMB) guidance in this area to the current
Federal Information Security Management Act (FISMA), including the
Plan of Action and Milestones (POA&M) process that all agencies are
required to implement. This ITL Bulletin summarizes NIST SP 800-65.


Traditionally, information technology (IT) security and capital
planning and investment control (CPIC) processes have been performed
independently by security and capital planning practitioners. However,
the Federal Information Security Management Act (FISMA) of 2002 and
other existing federal regulations charge agencies with integrating
the two activities. In addition, with increased competition for
limited federal budgets and resources, agencies must ensure that
available funding is applied towards the agencies' highest-priority IT
security investments. Applying funding towards high-priority security
investments supports the objective of maintaining appropriate security
controls, both at the enterprise-wide and system level, commensurate
with levels of risk and data sensitivity. This special publication
introduces common criteria against which agencies can prioritize
security activities to ensure that corrective actions identified in
the annual FISMA reporting process are incorporated into the capital
planning process to deliver maximum security in a cost-effective

The implementation of IT security and capital planning practices
within the federal government is driven by a combination of
legislation, rules and regulations, and agency-specific policies.  
FISMA requires agencies to integrate IT security into their capital
planning and enterprise architecture processes, conduct annual IT
security reviews of all programs and systems, and report the results
of those reviews to OMB. Therefore, the implementation of FISMA
legislation effectively integrates IT security and capital planning
because agencies must document resource and funding plans for IT
security.  Furthermore, implementation of FISMA legislation ensures
that agency resources are protected, ensures that risk is effectively
managed, and requires agencies to incorporate IT security into the
life cycle of their information systems. OMB's FISMA reporting
guidance also suggests that agencies use NIST SP 800-26, Security
Self-Assessment Guide for Information Technology Systems, to evaluate
their security programs. The results of the self-assessment should be
documented in the agency's annual FISMA report and logged in the
agency's POA&M, along with POA&M inputs from other appropriate
sources. The agency must then determine the costs and timeframes
associated with mitigating the weaknesses identified in the POA&Ms.
These costs are captured in the system or program's annual OMB Exhibit
300 and in the enterprise-wide Exhibit 53, which are the funding
vehicles submitted to OMB to secure an operating budget.


To address the capital planning and IT security requirements imposed
on federal IT investments, NIST recommends a seven-step framework for
integrating IT security into the capital planning process for
enterprise-level IT security activities and individual system IT
security activities:

* Enterprise-level investments - those security investments
  that are ubiquitous across the agency and will improve the 
  overall agency's security posture (for example, an 
  enterprise-wide firewall or intrusion detection system 
  [IDS] acquisition or public key infrastructure [PKI]).

* System-level investments - those security investments 
  designed to strengthen a discrete system's security posture 
  (for example, strengthening password controls or testing a 
  contingency plan for a particular system).

The framework assists federal agencies in integrating IT security into
the capital planning process by providing a systematic approach to
selecting, managing, and evaluating IT security investments. The
methodology relies on existing data inputs so it can be readily
implemented at federal agencies. Inputs for the methodology include:

* Enterprise-Level Information

o Stakeholder rankings of enterprise-wide initiatives

o Enterprise-wide initiative IT security status

o Cost of implementing remaining appropriate security 
  controls for enterprise-wide initiatives

* System-Level Information

o System categorization (see NIST Federal Information 
  Processing Standard 199, Standard for Security Categorization 
  of Federal Information and Information Systems)

o Security compliance

o Corrective action cost

The seven-step methodology can help agencies identify high-priority
corrective actions for immediate funding. The seven steps include:

1. Identify the Baseline: use information security metrics or other
available data to baseline the current security posture.

2. Identify Prioritization Requirements: evaluate security posture
against legislative and Chief Information Officer (CIO)-articulated
requirements and agency mission.

3. Conduct Enterprise-Level Prioritization: prioritize potential
enterprise-level IT security investments against mission and financial
impact of implementing appropriate security controls.

4. Conduct System-Level Prioritization: prioritize potential
system-level corrective actions against system category and corrective
action impact.

5. Develop Supporting Materials: for enterprise-level investments,
develop concept paper, business case analysis, and Exhibit 300. For
system-level investments, adjust Exhibit 300 to request additional
funding to mitigate prioritized weaknesses.

6. Implement Investment Review Board (IRB) and Portfolio Management:
prioritize agency-wide business cases against requirements and CIO
priorities and determine investment portfolio.

7. Submit Exhibit 300s, Exhibit 53, and Conduct Program Management:
ensure approved 300s become part of the agency's Exhibit 53; ensure
investments are managed through their life cycle (using Earned Value
Management for Development/Modernization/Enhancement investments and
operational assessments for steady state investments) and through the
General Accounting Office (GAO) Information Technology Investment
Management (ITIM) maturity framework.

The process presented is intended to serve as a model methodology.
Agencies should work within their investment planning environments to
adapt and incorporate the pieces of this process into their own unique
processes to develop workable approaches for CPIC. If incorporated
into an agency's processes, the methodology can help ensure that IT
security is appropriately planned for and funded throughout the
investment's life cycle, thus strengthening the agency's overall
security posture.

This systematic approach can help agencies:

* Identify relevant OMB and other guidance that applies to 
  governing federal government IT security investment decisions;

* Explain how current security requirements relate and 
  support the IT CPIC process;

* Understand the IT investment management process 
  phases-Select, Control, and Evaluate-as they relate to 
  security investments;

* Identify CPIC-related roles and responsibilities required 
  to manage IT security investments;

* Explain the best practices IT security management process 
  and why it is important for making sound IT security 
  investment decisions;

* Understand how to develop security requirements and 
  appropriate supporting documentation for IT acquisition;

* Identify steps and materials required to complete a sound 
  business case in support of investment requests; and

* Understand implementation issues associated with 
  incorporating IT security into the CPIC process.

Federal IT Security and Capital Planning Legislation, Regulations, and

FISMA provides overarching requirements for securing federal resources
and ensuring that security is incorporated into all phases of the
investment life cycle.  FISMA codifies specific responsibilities of
federal agency officials, addresses protection of agency information
resources, calls for agency officials to manage risk to an appropriate
level, and requires agencies to incorporate security into the life
cycle of information systems. FISMA requires agencies to complete an
annual program review that includes conducting self-assessments for
all agency systems and conducting a FISMA independent evaluation.
Results from these activities are compiled into a comprehensive FISMA
report, which is submitted to OMB along with the budget year financial
documentation. The corrective actions that agencies identify to
mitigate weaknesses found in the FISMA report are documented and
tracked in the POA&M.

FISMA reporting includes providing a status of security weaknesses in
key areas of a security program. As required by FISMA, OMB provides
specific guidance annually. FISMA reporting guidance specifies
reporting formats and identifies required actions associated with the
quarterly and annual reporting.

The POA&M process provides a direct link to the capital planning
process. The POA&M information includes the costs of corrective
actions that have to be captured in the Exhibit 300 and rolled into
the Exhibit 53, which provides an overview of an agency's IT
portfolio. The Exhibit 53 includes a rollup of all Exhibit 300s and
additional IT expenses from across the agency. All IT investments are
identified by mission area and include their budget year and
life-cycle cost, as well as the percentage of their costs that are
devoted to IT security. All costs are totaled across the agency to
provide an overall picture of the agency's IT portfolio.

Costs associated with each POA&M item are required to map to annual
budget requests in the Exhibit 300s and the Exhibit 53. These costs
are captured as a component of the percentage of IT security, or the
percentage of the total investment for the budget year associated with
IT security in the Exhibit 300, and are then aggregated in the Exhibit
53. Typically, these costs include direct costs of providing IT
security for the specific IT investments.  Examples include the

* Risk assessment

o Security planning and policy

o Certification and accreditation (C&A)

o Specific security controls

o Authentication or cryptographic applications

o Education, awareness, and training

o System reviews/evaluations (including system security 
  test and evaluation [ST&E])

o Oversight or compliance inspections

o Development or maintenance of agency reports to OMB and 
  corrective action plans as they pertain to the specific 

o Contingency planning and testing

o Physical and environmental controls for hardware and software

o Auditing and monitoring

o Computer security investigations and forensics

o Reviews, inspections, audits, and other evaluations 
  performed on contractor facilities and operations

o Privacy impact assessments.

* Products, procedures, and personnel that have an 
  incidental or integral component and/or a quantifiable 
  benefit for the specific IT investment. Examples include 
  the following:

o Configuration or change management control

o Personnel security

o Physical security

o Operations security

o Privacy training

o Program/system evaluations whose primary purpose is other 
  than security

o System administrator functions

o System upgrades with new features that obviate the need 
  for other stand-alone security controls.

* Allocated security control costs for networks that 
  provide some or all necessary security controls for 
  associated applications. Examples include the following:

o Firewalls

o IDSs

o Forensic capabilities

o Authentication capabilities (e.g., PKI)

o Additional 'add-on' security considerations.

Ongoing security costs (operations and maintenance costs)  are
combined with the specific remediation costs and are submitted to OMB
in the Exhibit 300s and Exhibit 53 for the budget year.

Select, Control, Evaluate Process

In concert with the OMB capital planning and NIST security
requirements, agencies use GAO's best practices, three-phased
investment life-cycle model for federal IT investments, Select,
Control, and Evaluate, to ensure that investment management practices,
including security, are disciplined and thorough throughout each phase
of the investment life cycle.

The Select phase refers to activities associated with assessing and
prioritizing current and proposed IT projects based on mission needs
and improvement priorities and then creating a portfolio of IT
projects to address the needs and priorities. Typical Select phase
activities include screening new projects; analyzing and ranking all
projects based on benefit, cost, and risk criteria; selecting a
portfolio of projects; and establishing project review schedules.

The Control phase refers to activities designated to monitor the
investment during its operational phase to determine if the investment
is within the cost and schedule milestones established at the
beginning of the investment life cycle. Typical processes involved in
the Control phase include using a set of performance measures to
monitor the developmental progress for each IT project to enable early
problem identification and resolution.

The Evaluate phase refers to determining the efficacy of the
investment, answering the question, "Did the investment achieve the
desired results and performance goals identified during the Select

IT Management Hierarchy

Integrating IT security into the capital planning process requires
input and collaboration across agencies and functions. NIST SP 800-65
suggests a hierarchical approach to capital planning in which
investment decisions are made at both the enterprise and operating
unit levels.

While specific practices for investment management vary greatly at the
operating unit level because of varying sizes and missions of the
operating units, the process generally mirrors the process at the
departmental level.  The CIO formulates and articulates IT security
priorities to the organization to be considered within the context of
all agency investments. Priorities may be based on agency mission,
executive branch guidance such as the President's Management Agenda,
OMB guidance, or other external/internal priorities. Examples of
security priorities include certifying and accrediting all systems or
implementing PKI throughout the enterprise. (It is important to note
that OMB/Executive Branch guidance or laws should be ranked highest
among these priorities.)

Once operating units finalize their IT portfolios and budget requests
for the budget year, they forward their requests to the agency-level
decision makers. At the agency level, several committees evaluate IT
portfolios from the operating units, culminating in a review by the
IRB. The IRB then decides on an agency-level IT portfolio and forwards
recommendations to the agency head for review.

Once the agency-level IT portfolio is approved by the agency head, the
necessary Exhibit 300s and Exhibit 53 are forwarded to OMB to obtain


NIST Special Publication 800-65 describes in detail the underpinning
methodology which can be easily applied to address security
requirement integration and prioritization into an agency's capital
planning and investment planning process using well-understood
concepts related to the current FISMA framework and existing NIST
standards and guidance. The publication is available at


Any mention of commercial products or reference to commercial
organizations is for information only; it does not imply
recommendation or endorsement by NIST nor does it imply that the
products mentioned are necessarily the best available for the purpose.

Elizabeth B. Lennon
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 840-1357

More information about the ISN mailing list