Federal Government Information Security - Chapter 8
47 Questions
Questions and Answers

What is the primary function of the federal Incident Response (IR) center, as mandated by FISMA?

  • To develop and implement information security policies for federal agencies.
  • To provide technical assistance to agencies regarding information security incidents. (correct)
  • To conduct investigations of cyberattacks on government agencies.
  • To monitor and analyze internet traffic for malicious activity targeting government agencies.

What percentage of incidents reported to NCCIC/US-CERT in 2018 were caused by employee violations of acceptable use policies?

  • 31% (correct)
  • 25%
  • 45%
  • 15%

Which of the following is NOT a responsibility of the federal IR center under FISMA?

  • Developing and implementing information security standards for federal agencies. (correct)
  • Compiling and analyzing data on information security incidents.
  • Consulting with NIST and agencies with NSSs about information security incidents.
  • Informing agencies about current and potential threats and vulnerabilities.

Which of the following scenarios would NOT be classified as an information security incident under FISMA?

  Answer: A website experiences a temporary outage due to planned maintenance.

Which of the following is another name for the federal IR center?

  Answer: US-CERT.

What is the primary purpose of reporting incidents to the NCCIC?

  Answer: To allow the NCCIC to track and analyze incident trends across federal agencies.

Which of the following is NOT a characteristic of an information security incident, as defined by FISMA?

  Answer: It results in the loss of a significant amount of data. (An incident is defined by the threat to confidentiality, integrity, or availability, or by a policy violation, not by the volume of data lost.)

According to the information provided, what is the most common type of information security incident reported to NCCIC/US-CERT?

  Answer: Employee violations of acceptable use policies.

What is the primary responsibility of an Inspector General (IG) as defined by the Inspector General Act of 1978?

  Answer: Conducting independent and objective audits, investigations, and inspections to detect and prevent waste, fraud, and abuse.

Which of the following is NOT a responsibility of an Inspector General (IG)?

  Answer: Developing and implementing agency strategic plans.

How are Inspectors General (IGs) for major federal agencies appointed?

  Answer: The president nominates them, and the Senate confirms them.

Who has the authority to remove an Inspector General (IG) for a major federal agency?

  Answer: Only the president can remove them.

Which agency is responsible for creating information security standards and guidelines under FISMA?

  Answer: The Department of Commerce (DOC), acting through NIST.

What is the role of the National Institute of Standards and Technology (NIST) in relation to information security?

  Answer: Creating information security standards and guidelines for federal agencies.

Why is it important that Inspectors General (IGs) are not political officials?

  Answer: To prevent IGs from being influenced by partisan politics and making decisions based on personal agendas.

Which of the following documents is NOT mentioned in the text as a resource for making security control decisions?

  Answer: SP 800-53, Revision 6 (no such revision exists; the text discusses Revision 5).

What is the primary purpose of the Inspector General Act of 1978?

  Answer: To define the role and responsibilities of Inspectors General (IGs) in federal agencies.

What is the primary purpose of FIPS 200 and SP 800-53, according to the text?

  Answer: To provide guidance on security control decisions for federal information systems.

What is considered a high impact event?

  Answer: An event that causes severe or catastrophic harm to the agency, its assets, or people.

The text discusses the importance of security control decisions. What is the relationship between security categories and these control decisions?

  Answer: The security category assigned to an information system (its FIPS 199 impact level) determines which baseline of security controls is appropriate for it.

What is the anticipated release timeframe for the final version of SP 800-53, Revision 5, as mentioned in the text?

  Answer: Late 2020 or early 2021 (the final Revision 5 was in fact published in September 2020).

Which of the following areas is NOT included in the 17 areas listed by FIPS 200?

  Answer: Data encryption (encryption requirements fall under other areas, such as system and communications protection, rather than forming an area of their own).

In what publication are agencies required to publish their System of Records Notices (SORNs)?

  Answer: The Federal Register.

What is the website address where the System of Records Notices (SORNs) for the National Aeronautics and Space Administration (NASA) can be found?

  Answer: https://www.nasa.gov/content/nasa-privacy-act-system-of-records-notices-sorns

What is the implication of the OMB requiring agencies to use FIPS 200 and SP 800-53 for their security control decisions?

  Answer: Agencies are expected to refer to these documents for guidance while making their security control decisions.

Based on the information provided, which of the following statements about SP 800-53, Revision 5 is TRUE?

  Answer: It provides a comprehensive framework for security and privacy controls, including major enhancements from prior revisions.

What is the minimum amount of damages a person can recover in a lawsuit against a federal agency for an intentional or willful violation of the Privacy Act?

  Answer: $1,000.

What is the maximum fine a federal agency employee can face for improperly disclosing information in violation of the Privacy Act?

  Answer: $5,000.

Which of the following is NOT a potential type of lawsuit that a person can file against a federal agency under the Privacy Act?

  Answer: Failure to comply with a Freedom of Information Act (FOIA) request (that is a FOIA claim, not a Privacy Act claim).

A federal agency employee who intentionally violates the Privacy Act can face what type of criminal charge?

  Answer: Misdemeanor.

What is the primary purpose of the Privacy Act of 1974?

  Answer: To protect the privacy of individuals by limiting the government's collection, use, and disclosure of personal information.

Which of the following entities is responsible for carrying out the independent evaluation of an agency's information security program, if the agency does not have an Inspector General?

  Answer: An independent external auditor.

What is the primary purpose of the CyberScope assessment?

  Answer: To gauge an agency's compliance with information security best practices and regulations.

Besides information security, what other area is required to be reported by agencies in their yearly report?

  Answer: Privacy activities.

What is the primary responsibility of an Inspector General (IG)?

  Answer: To review and assess the agency's performance and compliance with regulations.

What is the primary goal of an agency's information security report besides addressing weaknesses and security control issues?

  Answer: To demonstrate compliance with relevant regulations.

How often is the independent evaluation of an agency's information security program required?

  Answer: Annually.

What is the primary function of the yearly report, according to the context, besides reporting on cybersecurity issues?

  Answer: To assess whether agencies are meeting their stated goals and objectives in information security and privacy.

In the provided content, what is the primary role of the Department of Homeland Security (DHS) in relation to information security reporting?

  Answer: Developing and publishing the annual security questions (CyberScope) for agencies to answer.

Under what circumstances can a record be disclosed without written consent? (two correct answers)

  Answers: When the disclosure is made for statistical research or reporting and all personally identifiable data has been removed; and when the disclosure is made to an employee of the agency that maintains the record who needs it to perform his or her job duties.

Which of the following is NOT a permissible disclosure of a record without written consent under the Privacy Act?

  Answer: Disclosure to a private company for marketing purposes.

When is disclosure of a record without written consent permissible to a law enforcement agency?

  Answer: When the agency requests the record, in writing, for an ongoing criminal investigation or other civil or criminal law enforcement activity.

Which of the following is a circumstance under which a record can be disclosed without written consent, according to the text?

  Answer: Disclosure to the U.S. Census Bureau to perform a survey.

When can a record be disclosed without the consent of the individual to whom it pertains?

  Answer: When the disclosure is made to protect the health or safety of an individual.

Which of the following is a valid reason for disclosing a record without written consent from the individual?

  Answer: To disclose a record that the Freedom of Information Act requires to be released.

Which of the following is a valid exception to the requirement of written consent for record disclosure, as stated in the text?

  Answer: Disclosure for a routine use by the agency that maintains the record.

Which scenario would be considered a permissible disclosure of a record without written consent according to the provided text?

  Answer: Disclosure to the U.S. Comptroller General for an oversight function.

Flashcards

• CyberScope: the set of questions agencies answer each year to assess their security practices under FISMA reporting.
• Privacy Training Programs: programs to educate agency staff on privacy regulations and protocols.
• Breach Notification Policy: guidelines on how and when to inform individuals about data breaches.
• PII: Personally Identifiable Information, which must be protected.
• Independent Evaluation: the annual external assessment of an agency's information security program.
• Inspector General (IG): an official who reviews federal agencies for efficiency and compliance.
• External Auditor: an independent entity hired to evaluate an agency's security program when the agency has no IG.
• SSN Elimination Efforts: strategies to minimize the unnecessary use of Social Security Numbers.
• Written Consent Disclosure: the Privacy Act's default rule that a record may not be disclosed without the written consent of the individual it describes, subject to the exceptions below.
• Federal Agency Disclosure: records can be disclosed without consent to employees of the agency that maintains them who need them to perform their job duties.
• Freedom of Information Act: records may be disclosed without consent when FOIA requires the disclosure.
• Routine Use Disclosure: records may be disclosed for a routine use that the agency has described in its published SORN.
• Census Bureau Disclosure: disclosures made to the U.S. Census Bureau for a survey or census activity.
• Statistical Research Disclosure: records may be shared for statistical research after identifiers have been removed.
• National Archives Disclosure: records can be disclosed to the National Archives for their historical value.
• Health and Safety Disclosure: disclosure without consent to protect a person's health or safety.
• Federal IR Center: the central center that supports agencies in handling information security incidents under FISMA.
• NCCIC: National Cybersecurity and Communications Integration Center; where agencies report security incidents.
• US-CERT: United States Computer Emergency Readiness Team; another name for the federal IR center (the NCCIC and US-CERT functions now sit within the Cybersecurity and Infrastructure Security Agency, CISA).
• FISMA: Federal Information Security Modernization Act of 2014, which replaced the Federal Information Security Management Act of 2002; requires federal agencies to secure their information systems.
• Information security incident: an occurrence that actually or imminently jeopardizes the confidentiality, integrity, or availability of information or an information system, or that violates security policies or acceptable use policies.
• Acceptable use policy violations: employee actions that break a federal agency's established security rules; the most common incident category reported in 2018.
• Threat analysis: the process of identifying and evaluating potential threats to information security.
• Risk assessment process: the evaluation of potential risks that agencies must perform as part of their information security programs.
• SORN: System of Records Notice, a public notice describing a system of records that an agency maintains and how it uses the records.
• Federal Register: the official journal of the federal government, where agency notices such as SORNs are published.
• Privacy Act Violations: unauthorized disclosure of, or failure to properly maintain or amend, records covered by the Privacy Act.
• Legal Actions for Violations: individuals can sue agencies for Privacy Act violations.
• Damages Awarded: courts can award damages, with a $1,000 minimum, for intentional or willful Privacy Act violations.
• Criminal Responsibility: federal agency employees can face misdemeanor charges for willful violations.
• Fines for Disclosures: employees can be fined up to $5,000 for improperly disclosing protected records.
• Agency Webpage Requirement: agencies must post their SORNs online, enhancing transparency.
• High Impact Event: an event whose loss of confidentiality, integrity, or availability would cause severe or catastrophic harm to an agency's operations, assets, or individuals.
• NIST: National Institute of Standards and Technology, which provides the standards and frameworks for federal information security.
• FIPS 200: the standard stating minimum security requirements for federal information systems.
• SP 800-53: the NIST publication cataloging security and privacy controls for federal information systems and organizations.
• Security Control Decisions: the choices agencies make about which security measures to implement.
• 17 Control Areas: the 17 security-related areas (control families) in which FIPS 200 requires agencies to specify controls.
• Revision 5: the update to SP 800-53 with enhanced security and privacy controls, which the text describes as upcoming; the final version was published in September 2020.
• Access Control: mechanisms that restrict who can view or use information resources.
• Inspector General Act of 1978: legislation that defines the role and responsibilities of IGs.
• Independent audits: evaluations conducted by IGs free from agency influence.
• Fraud prevention: the effort made by IGs to detect and stop waste, fraud, and abuse.
• Role of NIST: NIST develops information security standards and guidelines as required by FISMA.
• Appointment of IGs: IGs of major agencies are nominated by the president and confirmed by the Senate.
• Removal of IGs: only the president has the authority to remove an IG, and must notify Congress in advance.

    Study Notes

    Federal Government Information Security and Privacy Regulations

    • President Obama in 2009 described America's digital infrastructure as a strategic national asset, highlighting the need for better protection of federal information systems.
    • Federal government and private organizations share responsibility for safeguarding digital infrastructure.
    • Federal systems hold personal data, conduct national business, and house sensitive security data, critical for national defense.

    Chapter 8 Topics

    • Information security challenges facing the federal government.
    • Provisions of the Federal Information Security Modernization Act (FISMA).
    • Roles of the National Institute of Standards and Technology (NIST).
    • National security system (NSS) protection methods.
    • Federal government privacy protections in information systems.
    • Import and export control laws.
    • Case studies and examples.

    Chapter 8 Goals

    • Describe federal government information security challenges.
    • Explain the requirements of the Federal Information Security Modernization Act.
    • Describe the role of NIST in establishing information security standards.
    • Discuss approaches to protecting national security systems.
    • Outline how the federal government protects privacy in information systems.
    • Review import and export control laws.

    Information Security Challenges Facing the Federal Government

• In 2010, Vivek Kundra, then the federal CIO, stated that federal computers are attacked millions of times daily.
• In 2018, federal agencies reported over 31,000 information security incidents.
• Government computer systems hold crucial operational and citizen data.
• Government data is a target for hackers, a concern shared with private entities.
• Hackers stole background investigation records from the Office of Personnel Management (OPM), affecting over 21.5 million individuals.
• Thieves stole a National Institutes of Health (NIH) researcher's laptop, compromising data on 2,500 study participants.
• Attackers accessed the USAJOBS database, stealing job seekers' employment information.
• The U.S. State Department warned over 400 individuals about a security breach targeting passport application data.
• Intruders accessed Pentagon systems, targeting data on the Joint Strike Fighter aircraft.

    What is Cyberwar?

    • Cyberwar refers to conflicts between nations and their militaries.
    • It is not fought on a physical battlefield but rather within information systems.
    • It can affect military and civilian systems.
    • Examples include interference in elections (e.g., 2016 U.S. elections), attacks on Ukraine power grids, and the cyberattack against Sony Pictures Entertainment.

    The Federal Information Security Modernization Act (FISMA 2014)

    • Aims to improve oversight of federal information security activities.
    • Acknowledges the need for stronger information security controls.
• Defines information security as protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction, in order to preserve their confidentiality, integrity, and availability.
• Sets forth agency information security responsibilities.
• Authorizes NIST to develop standards and guidelines for federal IT systems.
• Requires agencies, including those operating national security systems (NSSs), to implement security using a risk-based approach; NSSs follow standards issued through the Committee on National Security Systems rather than NIST.
• Establishes a central federal security incident response center.

    Agency Information Security Programs

    • Agencies must create an agency-wide information security program.
    • Programs must include risk assessments, policies, procedures, subordinate plans, security awareness training, testing and evaluation, remedial actions, incident response, and continuity of operations plans.
• Agencies must follow NIST security standards (FIPS) and guidelines (Special Publications).

    NIST RMF

• Outlines six steps for protecting federal IT systems (SP 800-37; Revision 2, published in 2018, adds a preparatory "Prepare" step ahead of these):
  • Categorize IT systems (FIPS 199).
  • Select minimum security controls (the FIPS 200 / SP 800-53 baseline matching the system's impact level).
  • Implement security controls in IT systems.
  • Assess security controls for effectiveness.
  • Authorize the IT system for processing.
  • Continuously monitor security controls.
• NIST guidelines (FIPS 199) help federal agencies categorize their IT systems as low, moderate, or high impact by taking the high water mark across the confidentiality, integrity, and availability impact levels of the information they process.
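The categorize and select steps above, and the FIPS 200 / SP 800-53 quiz items earlier on this page, are the one mechanical part of the chapter: FIPS 199 assigns each information type an impact value per security objective, the system's category is the high water mark across its information types, and the system's overall impact level (which picks the FIPS 200 / SP 800-53 baseline) is the high water mark across the three objectives. The following Python is an added example, not code from the textbook or from NIST. The information types and impact values are constructed for illustration (real values come from the agency's own categorization, for which SP 800-60 gives provisional ones), and the names `InfoType`, `categorize_system` and `impact_level` are this example's own.

```python
"""FIPS 199 security categorization with the high-water-mark rule, feeding the
RMF 'Categorize' and 'Select' steps. Added example; not textbook or NIST code."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable


class Impact(IntEnum):
    """FIPS 199 potential impact values. NA ("not applicable") is permitted only
    for the confidentiality of public information, and only per information type."""
    NA = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """Security category of one information type that the system handles."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def __post_init__(self) -> None:
        # FIPS 199 never allows NA for integrity or availability.
        if self.integrity is Impact.NA or self.availability is Impact.NA:
            raise ValueError(f"{self.name}: NA is only valid for confidentiality")


def categorize_system(info_types: Iterable[InfoType]) -> Dict[str, Impact]:
    """System security category: per objective, the high water mark across all
    information types. A system never carries NA: FIPS 199 sets a LOW floor for
    every objective at the system level, so a public-data-only system is still LOW."""
    types = list(info_types)
    if not types:
        raise ValueError("a system must process at least one information type")
    return {
        obj: max(Impact.LOW, max(getattr(t, obj) for t in types))
        for obj in OBJECTIVES
    }


def impact_level(category: Dict[str, Impact]) -> Impact:
    """FIPS 200: the overall impact level, and so the SP 800-53 baseline
    (low / moderate / high), is the high water mark across the three objectives."""
    return max(category[obj] for obj in OBJECTIVES)


def format_category(system: str, category: Dict[str, Impact]) -> str:
    """Render in FIPS 199 notation:
    SC name = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    pairs = ", ".join(f"({obj}, {category[obj].name})" for obj in OBJECTIVES)
    return f"SC {system} = {{{pairs}}}"


# Constructed sample systems (illustrative values, not real agency data).
PUBLIC_SITE = [
    InfoType("public web content", Impact.NA, Impact.MODERATE, Impact.MODERATE),
    InfoType("visitor contact form (PII)", Impact.MODERATE, Impact.LOW, Impact.LOW),
]
BACKGROUND_CHECKS = [
    InfoType("investigation records (PII)", Impact.HIGH, Impact.MODERATE, Impact.LOW),
    InfoType("case scheduling", Impact.LOW, Impact.LOW, Impact.MODERATE),
]

if __name__ == "__main__":
    for name, types in (("public_site", PUBLIC_SITE), ("bg_checks", BACKGROUND_CHECKS)):
        cat = categorize_system(types)
        print(format_category(name, cat), "->", impact_level(cat).name, "baseline")
```

Note how the rule punishes mixing: the public website is dragged to a MODERATE baseline by one PII-bearing form, and the background-check system is HIGH overall even though availability of its records was rated LOW. That is the practical reason for splitting systems (or separating information types into different authorization boundaries) before categorizing them.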

    Protecting Privacy in Federal Information Systems

• The Privacy Act of 1974 protects records about individuals that executive-branch agencies keep in systems of records.
• The E-Government Act of 2002 complements the Privacy Act, requiring agencies to review IT systems for privacy risks, post privacy policies, and report privacy activities to the OMB.
• Privacy impact assessments (PIAs) are required before an agency develops or procures a system that collects personally identifiable information (PII), or substantially changes such a system.
• Agencies must give public notice of their record-keeping systems through a System of Records Notice (SORN) published in the Federal Register.
• Agencies are audited on whether the security controls in place meet the relevant laws.

    Central Incident Response Center

• FISMA requires a central federal information security incident center; agencies do not each operate one, but must report their incidents to it.
• The center provides support on handling information security incidents and informs agencies about current and potential threats and vulnerabilities.
• The center is also known as US-CERT (its functions, with the NCCIC's, are now part of the Cybersecurity and Infrastructure Security Agency, CISA).
• Agencies must report security incidents within 1 hour of identifying them.
• Incident reports must include impact, information loss, recovery estimates, timing, impacted systems, and network location data.

    Import and Export Control Laws

• Laws limit the export of materials, data, and technical information to protect national security.
• Three main regulations govern these activities: the International Traffic in Arms Regulations (ITAR), the Export Administration Regulations (EAR), and the regulations of the Office of Foreign Assets Control (OFAC).
• Violations of these laws can lead to significant fines and prison sentences.
• ITAR, administered by the Department of State, governs defense articles and services.
• EAR, administered by the Department of Commerce, covers dual-use technologies (items with both military and commercial applications), including many encryption products.
• OFAC, part of the Department of the Treasury, enforces economic and trade sanctions.

    Case Studies and Examples: OPM Data Breaches

• In 2015, OPM disclosed two significant data breaches; the larger affected over 21.5 million individuals who had undergone background investigations. Compromised PII included, but was not limited to, Social Security numbers, employment history, medical information, criminal history, addresses, and family member information.
• Consequently, OPM's Director and CIO left their positions.

    CHAPTER SUMMARY

    • This chapter summarized laws protecting federal data security and privacy, FISMA’s role in overseeing security, and the major laws protecting data privacy (the Privacy Act of 1974 and the E-Government Act of 2002).

    KEY CONCEPTS AND TERMS

    • Inspector general (IG)
    • National security systems (NSSs)
    • Privacy impact assessment (PIA)
    • Record
    • System of records notice (SORN)

    Description

    Explore the complexities of information security within the federal government as outlined in Chapter 8. This quiz covers key topics such as the Federal Information Security Modernization Act (FISMA), the role of NIST, and the challenges faced in safeguarding sensitive data. Test your understanding of national security systems and privacy protections in federal information systems.
