美国联邦政府资讯安全管理系统稽核作业与相关标准初探

-35-121311.2.3(OfficeofManagementandBudgetOMB)2000(NationalInstituteofStandardsandTechnologyNIST)OMB1.(Audit)2.(CertificationandAccreditation)3.(CommonCriteria)4.(Framework)5.(InformationAssurance)6.(Standard)InformationTechnologyITCertificationandAccreditationC&ANationalInstituteofStandardsandTechnologyNIST4ITC&AITIT够11.IT2.IT3.够决C&A够ITIT19839102FederalInformationProcessStandardFIPSFIPS1021.11.21.3NISTC&ASP800-53InternationalOrganizationforStandardizationISOISO/IECTR197912-36-1.11.NSTISSC:NationalSecurityTelecommunicationsandInformationSystemSecurityCommittee2.NSTISSI:NationalSecurityTelecommunicationsandInformationSystemSecurityInstruction3.NSTISSNSTISSINo.40111801.2-37-1.3IT200019997~20006OfficeofManagementandBudgetOMB3~5C&A够OMB够1.IT2.IT够决减IT31.2.撑-38-况IT5NIST6NISTIT2.1512345IT637(NationalSecurityAgencyNSA)199982003103OMB减42000228OMBM00-072.1IT12345IT45够强决OMB20001.1OMB2000~20032.2~2.6IT2.2(InformationTechnologyIT)1.2.20021217(FederalInformationSecurityManagementActFISMA)IT-39-2.3(InformationTechnologyIT)(SecurityCost)1()(InspectorGeneralIG)1.11.21.31.41.51.61.71.81.9(OfficeofManagementandBudgetOMB)1.101.111.121.131.14(Review)(Check)2IT(Privacy)(Program)32.4(SecurityProgram)11(GeneralSupportSystem)(MajorApplication)2OMBDoC(NIST)GSAOPM2.12.2IT2.32.433.1DoC:DepartmentofCommerce3.2GSACeneralServicesAdministration3.3OMBOfficeofManagementandBudget3.4OPMOfficeofPersonalManagement3.5NISTNationalInstituteofStandardsandTechnology-40-2.5(PlamofActionandMilestonePOA&M)(PlanofActionandMilestonePOA&M)POA&MPOA&M2.6(ProgramReview)(FederalInformationSecurityManagementActFISMA)1.2.(OfficeofManagementandBudgetOMB)3.4.5.6.撑ITIT够OMB够1.IT2.够决减IT况NISTSP800-266ITNISTSP800-26IT43OMBA-130PDD-63NISTSP800-2620002.72000~2003-41-2.72000~20032003200320022002200120012000200040F36F31F56F70.5C-52F22F72C-72.5C-68D+51F72C-*65.5D38F40F69D+77C+66D33F75C59.5F41F51F74.5C63D-69D+64D65D64D66D61D-衆54F61D-43F58F34F------40F48F66D73C-43F37F48F17F55.5F56F50F52F86.5B79C+56F38F60.5D-68D+70C-60D-94.5A74C34F90.5A-63D-87B+80B-61.5D-52F39F59F71C-48F48F55F88B+82B-79C+86B39.5F54F69D+75C69D+28F48F*64D48F54F65D*76.5C50F44F65D65D55F53FD-1.(OfficeofManagementandBudgetOMB)OMB况2.3.OMB100OMB029%30%44%45%59%……90%100%4.4.1A=90~1004.2B=80~894.3C=70~794.4D=60~694.5E=0~595.5.1ClingerCohenAct104-106199685.2GovernmentInformationSecurityReformAct20005.3OMBA-1304200011305.4FederalInformationSecurityManagementAct107-347(TitleIII)2002125.5OMBM-03-19200386-42-OMB2.13ITToken……ITIT2.13Katzke,S.(2003)ProtectingFederalInformationSystemsandNetworks,Inresentationofthe4thInternationalCommonCriteriaConference,Sept.7~9,2003,Stockholm,Sweden.2.1(IT)(PP)NIAPCCEVSNISTCMVP(CC)FIPS140-2PPsIT√√√√√-43-1233.13.23.3455.15.2677.17.2-44-8910111213141516171819202122-45--46--47--48-ITIT10ITITOMBA-130幷决OMBA-130够够强198720029ITOMBA-130ITNISTSP800-1810ITSP800-30IT11IT啓ITIT够ITIT2002IT-49-ITNIST200210啓12~141.2.IT3.够C&A1.IT2.IT决3.IT4.5.ITNISTSP800-37ITITIA-CMM83C&AITNISTSP800-37C&AITC&AC&A19839102NISTFIPSITSystemDevelopmentLifeCycleSDLC1.2.3.4.5.NISTSP800-37C&AITIT靭够C&AITC&AC&AITITCommercialofftheshelfCOSTWEBITC&AITISO/IEC15408-50-FIPS140-2C&A11NIST://niapnist.govcc-schemeC&AC&AITITC&AITIT1.21993ommoneriteraISOC&A3.6~3.83.4IT-51-NISTSP800-53NISTSP800-53ISO/IEC13335-1ISO/IEC13335-1ISO/IEC13335-1(ISO/IEC13335-1)ISO/IEC13335-1ISO/IEC13335-1ISO/IEC13335-1ISO/IEC13335-1ISO/IEC13335-1-52--53-3.10ISO/IEC2ndWD19791:2003-12-31()(SystemSecurityTarget,SST)zzz1.2.4.5.6.7.8.9.10.(FlowHypothesis)11.-54-zzzzProtectionProfilePPzzTargetofEvaluationTOE//zSSTzz//zSSTzz\//zSSTzzzzzC&AOutreachKatzke,S.200397~94ISO/IEC19791C&A113.1~3.33.1C&ASimpleandSmartC&A43.43ISO/IEC1979114-55-U.S.$1,000,000U.S.$10,000,000U.S.$10,000,000C&A1.2.3.3ISO2000C&A2005C&AITC&A4.14.1C&A112C&AISO24.1-56-4.1-57-1NIST(2003)StandardsforSecurityCategorizationofFederalInformationandInformationSystems,PUB(Publication)199,NIST2ISO(2003)TextforISO/IEC2ndWD19791,Informationtechnology-Securitytechniques-Securityassessmentforoperationalsystems,ISO/IECJTC1/SC27N38013OMB(2000)OMBCircularNo.A-130,AppendixIII,Revised,November30,20004NIST(2000)FederalInformationTechnologySecurityAssessmentFramework,November28,2000,NIST5OMB(2003)OMBM-03-19,August6,20036Swanson,M.(2001)SecuritySelf-AssessmentGuideforInformationTechnologySystems,NISTSpecialPublication800-26,NIST7TheWhiteHouse(1998)TheClintonAdministration’sPolicyonCriticalInfrastructureProtection:PresidentialDecisionDirective63(PPD-63),May22,19988NSA(2003)INFOSECAssuranceCapabilityMaturityModel(IA-CMM),Version3.0,October2003,NSA9TheWhiteHouse(2002)FederalInformationSecurityAct,December17,200210Swanson,M.(1998)GuideforDevelopingSecurityPlansforInformationTechnologySystems,NISTSpecialPublication800-18,December1998,NIST11Stoneburner,G.,A.GoguenandA.Feringa(2004)RiskManagementGuideforInformationTechnologySystems(Draft),NISTSpecialPublication800-30ReviseA.,January2004,NIST12Ross,R.andM.Swanson(2002)GuidelinesfortheSecurityCertificationandAccreditationofFederalInformationTechnologySystem,(Ini