Correctly Setting Your Accreditation Boundary is Essential


So you’re initiating your FISMA program and you’ve already established your information sensitivity category using the FIPS Pub 199 guidelines. Next, you need to cordon off the portion of your total network that will be subject to the accreditation. This is the Accreditation Boundary, which we will abbreviate as AB.

Setting the AB is very important because it must encompass the storage locations of the sensitive information as well as the paths along which that data is transmitted. In their zeal for maximum security, organizations often set their AB too broadly, thus increasing the effort to accredit their system and also imposing unnecessary and continuing security costs. In short, setting the AB is a balance between adequacy and expense.

Often, information with different sensitivity categories (e.g., low and moderate) can be segregated physically and logically. Separate ABs can then be drawn, one per category. Only the moderate AB will require application of the 44 additional security controls called out by NIST SP 800-53 Rev 4. Depending on your network design and operations, this might represent considerable savings.

You must also consider how to handle external systems that are neither under your control nor FISMA compliant. If sensitive information is passed across the AB to or from such a system, then you must be able to prove that it has been protected on your side of the interface. The objective evidence of this should be included in your System Security Plan. It is also a good idea to include it explicitly in your interface agreement with the external organization.

A more challenging situation is when your sensitive data is stored in the cloud. Unless you have a co-location (COLO) arrangement, it is not usually possible to include a virtualized environment within your AB. The best answer is for your Cloud Service Provider (CSP) to be FedRAMP certified. Short of that, you might have to perform a FISMA assessment of the CSP yourself.

The final thing to consider is that ABs may extend beyond physical IT resources. For example, one of the NIST SP 800-53 requirements is that your organization have a disciplinary policy for security violations. Such a policy will probably be within the purview of Human Resources rather than IT. Therefore, your AB should take organizational boundaries into account as well as physical and logical IT entities.