Federal agencies implement information security programs to provide security for the information and systems that support their operations and assets. These programs, based on laws, regulations, standards, and guidelines, are intended to ensure the selection and implementation of appropriate security controls and to demonstrate the effectiveness of satisfying their stated security requirements. A properly implemented information security program produces certain artifacts throughout its life cycle that are designed to demonstrate its maturity and the security status of its information systems.
The Information System Security (ISS) Reference Data Model was developed on the fundamental premise that information system-specific security activities must be built on a comprehensive security program and that many of the artifacts produced by these activities can be managed through automated tools. This publication, and its associated Extensible Markup Language (XML) taxonomy and schema, is intended to:
- Serve as a guideline for software tool developers and federal agencies that wish to develop an automated process for managing an information security program; and
- Enable greater interoperability between information system security tools, resulting in more practical and cost-effective information security program management.
The XML taxonomy and schema, based on the security controls contained in NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems, and the Risk Management Framework, provide a mechanism to denote or “tag” information security artifacts and enable Federal Information Security Management Act (FISMA)-related software tools to share information through a common nomenclature of data fields found in most information system security software tools. The process of documenting and confirming many of these artifacts can be automated, and this automation can be used to support legislative reporting requirements.