FISMA
ISO/IEC 27001 (27003, 27004, 27007), 2010, IPA
http://csrc.nist.gov/groups/sma/fisma/index.html
(2003-2008)
Timeline (figure): GISRA; FISMA enacted 2002/12/17; NIST SP 800-53, SP 800-53 Rev.1, SP 800-53 Rev.2, SP 800-53 Rev.3; SP 800-53A; SP 800-37, SP 800-37 Rev.1; SP 800-55 Rev.1.
ISO/IEC 17799 -> ISO/IEC 27002; ISO/IEC 27001; JIS X 5080, JIS Q 27002, JIS Q 27001; ISMS Ver.0.8, Ver.1.0, Ver.2.0 / Ver.1.0, Ver.2.0.
Risk Management Framework (figure). Inputs: Risk Management Strategy, Architecture Description, Organizational Inputs.
Step 1 CATEGORIZE Information Systems (FIPS 199 / SP 800-60)
Step 2 SELECT Security Controls (FIPS 200 / SP 800-53)
Step 3 IMPLEMENT Security Controls (SP 800 Series)
Step 4 ASSESS Security Controls (SP 800-53A)
Step 5 AUTHORIZE Information Systems (SP 800-37)
Step 6 MONITOR Security Controls (SP 800-53A)
Documents referenced per step (figure): FEA; FIPS 199 / SP 800-60 (HIGH, MOD, LOW); FIPS 200 / SP 800-53 (HIGH, MOD, LOW); SP 800 Series; SP 800-53A; SP 800-37 / SP 800-37 Rev.1.
SP 800-37 (2004/5, Appendix); SP 800-37 Rev.1 (2009/11, Appendix E); SP 800-53 Rev.3 (2009/8).
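The CATEGORIZE and SELECT steps above, as an added worked example that is not part of the original slides and not NIST code: FIPS 199 assigns LOW, MODERATE or HIGH to each security objective of every information type on the system, the system takes the highest value per objective, and the FIPS 200 high-water mark over the three objectives picks the SP 800-53 baseline. The CATALOG entries are a constructed subset (the AT family and IA-5 with priority codes) for illustration, not a transcription of the published catalog, and the information types in the usage block are invented.

```python
"""FIPS 199 security categorization and SP 800-53 baseline selection.

Added example (not from the original slides). CATALOG is a constructed
subset for illustration; use the published catalog for real work.
"""
from enum import IntEnum
from typing import Dict, Iterable, List, Optional


class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")

# Accepted spellings for the impact value of one security objective.
_ALIASES = {"LOW": Impact.LOW, "MOD": Impact.MODERATE, "MODERATE": Impact.MODERATE,
            "HIGH": Impact.HIGH, "N/A": None, "NOT APPLICABLE": None}


def parse_impact(objective: str, value: str) -> Optional[Impact]:
    """Parse one impact value. FIPS 199 allows N/A only for confidentiality
    (public information still needs integrity and availability values)."""
    key = value.strip().upper()
    if key not in _ALIASES:
        raise ValueError(f"unknown impact value {value!r} for {objective}")
    impact = _ALIASES[key]
    if impact is None and objective != "confidentiality":
        raise ValueError(f"N/A is not permitted for {objective}")
    return impact


def information_type_category(confidentiality: str, integrity: str,
                              availability: str) -> Dict[str, Optional[Impact]]:
    """SC(information type) = {(C, impact), (I, impact), (A, impact)}."""
    values = (confidentiality, integrity, availability)
    return {o: parse_impact(o, v) for o, v in zip(OBJECTIVES, values)}


def system_security_category(info_types: Iterable[Dict[str, str]]) -> Dict[str, Impact]:
    """System category: per objective, the highest value over all information
    types on the system. A system objective is never N/A; the floor is LOW."""
    system: Dict[str, Optional[Impact]] = {o: None for o in OBJECTIVES}
    for t in info_types:
        cat = information_type_category(t["confidentiality"], t["integrity"], t["availability"])
        for o in OBJECTIVES:
            if cat[o] is not None and (system[o] is None or cat[o] > system[o]):
                system[o] = cat[o]
    return {o: (v if v is not None else Impact.LOW) for o, v in system.items()}


def overall_impact(system_sc: Dict[str, Impact]) -> Impact:
    """FIPS 200 high-water mark: the highest value among the three objectives."""
    return max(system_sc.values())


def format_category(system_sc: Dict[str, Impact]) -> str:
    """Render in the FIPS 199 notation used in system security plans."""
    inner = ", ".join(f"({o}, {v.name})" for o, v in system_sc.items())
    return "SC information system = {" + inner + "}"


# Constructed subset of control entries: priority code (P1 implemented first,
# P3 last, P0 in no baseline) and the baselines that include the control.
CATALOG = {
    "AT-1": {"priority": "P1", "baselines": {"LOW", "MODERATE", "HIGH"}},
    "AT-2": {"priority": "P1", "baselines": {"LOW", "MODERATE", "HIGH"}},
    "AT-3": {"priority": "P1", "baselines": {"LOW", "MODERATE", "HIGH"}},
    "AT-4": {"priority": "P3", "baselines": {"LOW", "MODERATE", "HIGH"}},
    "AT-5": {"priority": "P0", "baselines": set()},
    "IA-5": {"priority": "P1", "baselines": {"LOW", "MODERATE", "HIGH"}},
}
_PRIORITY_RANK = {"P1": 1, "P2": 2, "P3": 3, "P0": 4}


def select_baseline(impact: Impact, catalog: Dict[str, dict] = CATALOG) -> List[str]:
    """SELECT step: controls whose baseline includes the impact level, ordered
    by priority code then control ID (tailoring is not modelled here)."""
    chosen = [cid for cid, c in catalog.items() if impact.name in c["baselines"]]
    return sorted(chosen, key=lambda cid: (_PRIORITY_RANK[catalog[cid]["priority"]], cid))


if __name__ == "__main__":
    # Constructed example: public web content plus account data on one system.
    types = [
        {"confidentiality": "N/A", "integrity": "moderate", "availability": "high"},
        {"confidentiality": "low", "integrity": "low", "availability": "low"},
    ]
    sc = system_security_category(types)
    print(format_category(sc))
    print("overall impact:", overall_impact(sc).name)
    print("baseline controls:", select_baseline(overall_impact(sc)))
```

The N/A check is the edge case that trips up hand-filled categorization sheets: FIPS 199 permits "not applicable" only for the confidentiality of public information, and never at the system level, so the code rejects N/A elsewhere and floors a system objective at LOW.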
2009/12/16
Priority Code: P1, P2
NIST SP 800-53: Class / Family
Consensus Audit Guideline
Inspector General
NIST SP 800-53 Rev.3
NIST SP 800-53 Rev.3 and ISO/IEC 27001
AT-1, AT-2, AT-3, AT-4, AT-5
RMF six steps (figure): Step 1 CATEGORIZE, Step 2 SELECT, Step 3 IMPLEMENT, Step 4 ASSESS, Step 5 AUTHORIZE, Step 6 MONITOR.
http://scap.nist.gov/
SCAP, XCCDF
Risk Management Framework (figure). Inputs: Risk Management Strategy, Architecture Description, Organizational Inputs. Step 1 CATEGORIZE Information Systems; Step 2 SELECT Security Controls; Step 3 IMPLEMENT Security Controls; Step 4 ASSESS Security Controls; Step 5 AUTHORIZE Information Systems; Step 6 MONITOR Security Controls.
XCCDF, IA-5, SCAP, Windows
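An added example of the SCAP/XCCDF-to-control mapping named above; it is not from the original slides and not from any SCAP tool. An XCCDF benchmark for a Windows host carries rules whose ident elements name SP 800-53 controls such as IA-5, and a TestResult from a scan records pass/fail per rule; the code rolls those results up per control. The XML is constructed: the benchmark and rule IDs, the urn:example ident system, the placeholder CCE identifier and the hostname are all assumptions, and rules are matched to controls purely by the control-ID pattern of their ident text.

```python
"""Roll XCCDF scan results up to SP 800-53 control IDs.

Added example (not from the original slides or any SCAP tool). The XML below
is constructed; IDs, the urn:example ident system and hostname are assumed.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List

# SP 800-53 control IDs as written in <ident> text, e.g. IA-5 or IA-5(1).
CONTROL_ID = re.compile(r"^[A-Z]{2}-\d+(\(\d+\))?$")

# XCCDF rule-result values grouped by meaning; everything else
# (notapplicable, notchecked, notselected, informational) is neutral.
PASSING = {"pass", "fixed"}
FAILING = {"fail", "error", "unknown"}

SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_windows">
  <status>draft</status>
  <title>Constructed Windows password checklist</title>
  <Group id="xccdf_example_group_ia5">
    <title>IA-5 Authenticator Management</title>
    <Rule id="xccdf_example_rule_min_pw_len" severity="medium">
      <title>Minimum password length</title>
      <ident system="http://cce.mitre.org">CCE-0000-0</ident>
      <ident system="urn:example:sp800-53">IA-5</ident>
    </Rule>
    <Rule id="xccdf_example_rule_pw_history" severity="low">
      <title>Enforce password history</title>
      <ident system="urn:example:sp800-53">IA-5</ident>
    </Rule>
    <Rule id="xccdf_example_rule_pw_complexity" severity="medium">
      <title>Password must meet complexity requirements</title>
      <ident system="urn:example:sp800-53">IA-5(1)</ident>
    </Rule>
  </Group>
  <Rule id="xccdf_example_rule_lockout" severity="medium">
    <title>Account lockout threshold</title>
    <ident system="urn:example:sp800-53">AC-7</ident>
  </Rule>
  <Rule id="xccdf_example_rule_audit_logon" severity="low">
    <title>Audit logon events</title>
    <ident system="urn:example:sp800-53">AU-2</ident>
  </Rule>
  <TestResult id="xccdf_example_testresult_host1" end-time="2009-12-16T00:01:00">
    <target>host1.example</target>
    <rule-result idref="xccdf_example_rule_min_pw_len"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_pw_history"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_pw_complexity"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_example_rule_lockout"><result>pass</result></rule-result>
  </TestResult>
</Benchmark>
"""


def _ns(root: ET.Element) -> str:
    """Namespace URI of the document (XCCDF 1.1.4 and 1.2 differ)."""
    return root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""


def _q(ns: str, name: str) -> str:
    return f"{{{ns}}}{name}" if ns else name


def rule_to_controls(root: ET.Element, ns: str) -> Dict[str, List[str]]:
    """Map each Rule id (at any Group depth) to the control IDs in its idents."""
    mapping: Dict[str, List[str]] = {}
    for rule in root.iter(_q(ns, "Rule")):
        idents = [i.text.strip() for i in rule.findall(_q(ns, "ident")) if i.text]
        mapping[rule.get("id")] = [t for t in idents if CONTROL_ID.match(t)]
    return mapping


def rule_results(root: ET.Element, ns: str) -> Dict[str, str]:
    """Map rule idref -> result text; with several TestResults the last wins."""
    results: Dict[str, str] = {}
    for tr in root.iter(_q(ns, "TestResult")):
        for rr in tr.findall(_q(ns, "rule-result")):
            res = rr.find(_q(ns, "result"))
            results[rr.get("idref")] = (res.text or "").strip() if res is not None else "unknown"
    return results


def summarize_by_control(xml_text: str) -> Dict[str, dict]:
    """Per control: pass/fail/other counts, failing rule IDs, and compliant
    (no failing rule and at least one passing rule). A rule with no rule-result
    counts as unknown, i.e. failing, so a coverage gap never looks compliant."""
    root = ET.fromstring(xml_text)
    ns = _ns(root)
    results = rule_results(root, ns)
    summary: Dict[str, dict] = defaultdict(
        lambda: {"pass": 0, "fail": 0, "other": 0, "failed_rules": [], "compliant": False})
    for rule_id, control_ids in rule_to_controls(root, ns).items():
        outcome = results.get(rule_id, "unknown")
        for cid in control_ids:
            entry = summary[cid]
            if outcome in PASSING:
                entry["pass"] += 1
            elif outcome in FAILING:
                entry["fail"] += 1
                entry["failed_rules"].append(rule_id)
            else:
                entry["other"] += 1
    for entry in summary.values():
        entry["compliant"] = entry["fail"] == 0 and entry["pass"] > 0
    return dict(summary)


if __name__ == "__main__":
    for cid, e in sorted(summarize_by_control(SAMPLE_XCCDF).items()):
        state = "compliant" if e["compliant"] else "NOT compliant"
        print(f"{cid}: {state} (pass={e['pass']} fail={e['fail']} other={e['other']}) {e['failed_rules']}")
```

Two design choices matter for reporting: a control whose rules all came back notapplicable is reported as not compliant rather than compliant, because there is no evidence either way, and a rule the scanner never reported on (AU-2 here) is treated as unknown, which the XCCDF result vocabulary puts on the failing side.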
http://csrc.nist.gov/groups/sns/cloud-computing/
NIST definition of cloud computing (figure).
Deployment models: Private Cloud (enterprise owned or leased); Community Cloud (shared infrastructure for a specific community); Public Cloud (sold to the public, mega-scale infrastructure); Hybrid Clouds (composition of two or more clouds).
Service models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS).
Essential characteristics: On-Demand Self-Service, Broad Network Access, Resource Pooling, Rapid Elasticity, Measured Service.
Security benefits of cloud computing (figure): Data Fragmentation and Dispersal; Dedicated Security Team; Greater Investment in Security Infrastructure; Fault Tolerance and Reliability; Greater Resiliency; Hypervisor Protection Against Network Attacks; Possible Reduction of C&A Activities (Access to Pre-Accredited Clouds).
Provide guidance to industry and government for the creation and management of relevant cloud computing standards, allowing all parties to gain the maximum value from cloud computing.
Cloud standards model (figure): Proprietary Value-Add Functionality; Standardized Core Cloud Capabilities.