DataBiosphere / azul

Metadata indexer and query service used for AnVIL, HCA, LungMAP, and CGP
Apache License 2.0

CM-4 SECURITY IMPACT ANALYSIS #2527

Closed melainalegaspi closed 1 year ago

melainalegaspi commented 3 years ago

The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

Supplemental Guidance: Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills/technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Security impact analyses are scaled in accordance with the security categories of the information systems. Related controls: CA-2, CA-7, CM-3, CM-9, SA-4, SA-5, SA-10, SI-2.

David Bernick cheat sheet: Have an SDLC and follow it; use a ticketing system with approval fields; make sure security/quality teams get a say for "high impact" items.

(a) VMs and infrastructure should be aligned to a baseline/standard such as CIS or NIST. This organization is not strongly opinionated as to which baseline or standard is followed, though we do like CIS. Here's the baseline for Linux VMs and the one for GCP.
(b) There are many, many scripts/images for Linux that align to these standards (bash, puppet, ansible, chef, etc.).
(c) There aren't many for GCP but Broad has some.
(d) You can invent your own standard but we don't recommend it because you have to write it down and maintain it. Use someone else's.
(e) Serverless computing still has to align to a baseline (such as IAM configuration in CIS) but there's much less work to do.

Related to CM-04, SA-08, SA-10, SI-02, SC-07

nolunwa-ucsc commented 2 years ago

@hannes-ucsc "Planned for CM-04: to add PullApprove for a more fine-grained approval process that allows multiple users to sign off"

nolunwa-ucsc commented 2 years ago

@theathorn this should be reassigned to the team, as we already discussed this in the meeting. Current gap: include security impact analysis in all stages of the SDLC process, which includes discussing security risk during TDD/storytime/requirement gathering; adding security tests/scans to the CI/CD and, if possible, failing the build depending on the test; a more fine-grained approval process that allows multiple users to sign off; and having someone other than the owner of the code include a comment in the GitHub ticket stating they have performed a security impact analysis and confirming that these new changes will not impact the current security posture of the system.
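The comment above describes two mechanical pieces of the gap: failing the CI build on scan results, and requiring a security impact analysis sign-off from someone other than the author. As an added illustration (not code from the Azul project or from the commenter), the Python below implements both as pure functions over data a pipeline step would already have in hand. The finding schema, the `(login, state, body)` review tuples, the marker phrase `SIA_MARKER`, and all sample data are assumptions constructed for the example; in a real pipeline they would come from the scanner's report and the pull request's review list.

```python
"""Added example: a CI gate that (1) fails the build on security findings at or
above a severity threshold and (2) requires a security impact analysis (SIA)
sign-off from a reviewer other than the change author.

Illustrative code, not part of the Azul project. The finding schema, the review
tuples and the SIA marker phrase are assumptions; a real pipeline would fill
them from the scanner's report and the GitHub review API.
"""
import sys
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Rank severities so "fail on high" also fails on critical.
SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}
UNKNOWN_SEVERITY_RANK = max(SEVERITY_ORDER.values())  # fail closed on unknown labels


@dataclass(frozen=True)
class Finding:
    tool: str
    rule_id: str
    severity: str
    location: str


def blocking_findings(findings: Iterable[Finding], fail_on: str = "high") -> List[Finding]:
    """Return the findings at or above the configured threshold.

    A severity label the gate does not recognise is treated as critical rather
    than silently ignored, so a scanner format change cannot switch the gate off.
    """
    threshold = SEVERITY_ORDER[fail_on.lower()]
    return [
        f for f in findings
        if SEVERITY_ORDER.get(f.severity.lower(), UNKNOWN_SEVERITY_RANK) >= threshold
    ]


# (reviewer login, review state, review body), as collected from the PR (assumed shape).
Review = Tuple[str, str, str]
SIA_MARKER = "security impact analysis"  # assumed phrase a reviewer must include


def has_independent_sia_signoff(author: str, reviews: Iterable[Review]) -> bool:
    """True if someone other than the author approved with an SIA statement.

    Self-approval is ignored, and so is an approval whose body lacks the marker
    phrase: an approval alone does not document that the analysis was done.
    """
    for login, state, body in reviews:
        if login.lower() == author.lower():
            continue
        if state.upper() != "APPROVED":
            continue
        if SIA_MARKER in body.lower():
            return True
    return False


def gate(author: str, reviews: Iterable[Review], findings: Iterable[Finding],
         fail_on: str = "high") -> List[str]:
    """Return the reasons the build must fail; an empty list means pass."""
    reasons = []
    for f in blocking_findings(findings, fail_on):
        reasons.append(f"{f.tool}: {f.rule_id} ({f.severity}) at {f.location}")
    if not has_independent_sia_signoff(author, reviews):
        reasons.append(f"no approval from a non-author reviewer stating '{SIA_MARKER}'")
    return reasons


if __name__ == "__main__":
    # Constructed sample data standing in for a scanner report and PR reviews.
    sample_findings = [
        Finding("dep-scan", "outdated-dependency", "medium", "requirements.txt"),
        Finding("sast", "hardcoded-secret", "high", "src/config.py:42"),
    ]
    sample_reviews = [
        ("alice", "APPROVED", "LGTM"),  # author, and no SIA statement anyway
        ("bob", "APPROVED", "Performed security impact analysis; no change to IAM or network posture."),
    ]
    failures = gate("alice", sample_reviews, sample_findings)
    for reason in failures:
        print("FAIL:", reason, file=sys.stderr)
    sys.exit(1 if failures else 0)
```

Run as the last step of the pipeline, a non-zero exit from `gate` is what "failing the build depending on the test" amounts to; the sign-off check deliberately rejects an approval that does not state the analysis, so the record in the ticket is what satisfies the control, not the green check mark.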

hannes-ucsc commented 2 years ago

What's the difference between this and https://github.com/DataBiosphere/azul/issues/2525#issuecomment-1191765928?

nolunwa-ucsc commented 2 years ago

@hannes-ucsc CM-04 is an additional layer to CM-02(1) and/or can be implemented similarly. But the actual difference CM-04 adds, which is part of the compliance requirement from CM-02(1), is the explicit call-out of a security impact analysis documented in the issue tracking app.

melainalegaspi commented 2 years ago

@hannes-ucsc: "The security impact analysis aspect will be covered by my work on CM-02 (1) #2525. This will become a no-op."

hannes-ucsc commented 1 year ago

Covered by #4596.