Public Lessons Learned Entry: 5099

Lesson Info:
Lesson Number: 5099
Submitting Organization: KSC
Submitted by: Jenni Palmer
Subject: Information Technology (IT) Security Requirements Levied On Federal Agencies Do Not Align With Systems Engineering and Integration (SE&I) Requirements Management Processes

Abstract: Federally mandated IT security requirements, when implemented through the Constellation Program requirements process, failed to capture the scope and intent of the higher-level requirements.

Description of Driving Event: The Constellation Program identified the need to tailor security controls for implementation in Orion/Ares flight communication systems. The resulting requirements, based on NIST 800-53 controls, were inserted in the Program-level requirements document and levied on system designers through the Constellation Architecture Requirements Document. This resulted in designers addressing only the allocated requirements rather than assessing the applicability of the entire standard.

Lesson(s) Learned: Placing a subset of NIST 800-53 controls into the SE&I requirements management process created the appearance that the NIST 800-53 controls not referenced were not applicable to system designers. The current SE&I requirements management structure is not structured to accommodate the requirement that system designers address NIST 800-53 controls.

Recommendation(s): Program-specific requirements relating to IT security should be limited to the definition of interfaces between systems. Decisions regarding the applicability and implementation of specific NIST 800-53 controls should be made at the lowest level possible so that the intent of the controls is met in the most cost-efficient manner.

Evidence of Recurrence Control Effectiveness: N/A

Documents Related to Lesson:
NPR 2810.1 Security of Information Technology
NIST 800-53 Recommended Security Controls for Federal Information Systems and Organizations

Mission Directorate(s): Exploration Systems
Additional Key Phrase(s): Additional Categories
Additional Categories: Information Technology/Systems
Additional Info: Project: constellation

Approval Info:
Approval Date: 2012-04-05
Approval Name: mbell
Approval Organization: HQ