FISMA Cybersecurity Performance Metrics and Scoring
- Baldwin Hodge
- 6 years ago
DOT Cybersecurity Summit
FISMA Cybersecurity Performance Metrics and Scoring
Office of the Federal Chief Information Officer, OMB
OMB Cyber and National Security Unit
2. Cybersecurity Metrics
OMB receives agency FISMA metrics through DHS's CyberScope system. Metrics reporting schedule (per OMB memorandum M-…):
1. Quarterly CIO FISMA metrics (CFO Act agencies only)
2. Monthly PIV/CAC submissions (CFO Act agencies only)
3. Annual IG, CIO, and SAOP metrics (all agencies)
3. Cybersecurity Metrics in Action
OMB uses FISMA metrics for nine processes and products that drive agency performance:
1. President's Management Council (PMC) Assessment
2. Cybersecurity Cross-Agency Priority (CAP) Reports
3. Annual FISMA Report to Congress
4. CyberStat Reviews
5. PortfolioStat Reviews
6. FedStat Reviews
7. President's Budget Cybersecurity Crosscut
8. Cabinet Engagements
9. Policies and Guidance
4. Annual FISMA Report to Congress
FY 2016 Annual FISMA Report to Congress: one-pagers
- Agency one-pagers provide greater context for FY 2016 cybersecurity performance data, with the goal of improving the readability and look and feel of the report.
- FY 2016 IG metrics provide an independent assessment of the FY 2016 CIO metrics. OMB anticipates a decrease in IG scores due to scoring methodology changes.
- One-pagers will also serve as a one-stop summary for future OMB, DHS and IG oversight discussions (e.g., CyberStat).
5. PMC Assessment Background
- In the wake of the OPM incidents, OMB recognized the need for a cybersecurity performance assessment that gives agency Deputy Secretaries and the EOP an understanding of the agency's hygiene.
- OMB developed the PMC Cybersecurity Assessment in late 2014 using agencies' FISMA metrics data and assessment criteria from the NIST Cybersecurity Framework.
- This assessment is a vehicle for driving agency performance and ensuring accountability from the Deputy Secretary on down through the organization.
- OMB has matured the assessment process and products to ensure clear and effective communication to agencies, and uses the output from this process to inform its oversight and budget processes.
6. Leveraging the NIST Cybersecurity Framework
The 23 civilian CFO Act agencies receive a quarterly assessment from OMB that provides an overall rating based on performance across the five NIST Cybersecurity Framework function areas:
- Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
7. Rating Standards
EOP provides ratings to agencies for each NIST framework function area on a 0-3 scale:
- 0: Agency has not met foundational targets
- 1: Agency has met foundational targets
- 2: Agency has met government-wide targets
- 3: Agency has exceeded government-wide targets
In the first quarter of FY 2016, only five agencies had information security programs that met or exceeded government-wide performance goals. By the end of FY 2016, 13 agencies had met these targets and all others were making significant progress toward this end as a direct result of the PMC Assessment process.
8. Sample of Individual Agency Scorecard
Overall (example): Justice has met government-wide targets. The overall rating is the average of the component scores, rounded to the nearest whole number: ( )/5 = 2
Identify
- Hardware Asset Management (CAP): 100%
- Software Asset Management (CAP): 97%
- Unclassified systems with security ATO: 87%
- Review of contracts with sensitive information
- Policy empowering incident commanders
Protect
- Vulnerability Management (CAP): 100%
- Secure Configuration Management (CAP): 95%
- Unprivileged PIV logical access (CAP): 95%
- Privileged PIV logical access (CAP): 100%
- Remote access security
- Insider Threat Program
- Media destruction policy
Detect
- Anti-Phishing and Malware Defense (CAP): Anti-Phishing 5 of 7; Malware Defense 3 of 5; Other Defense 2 of 4
- EINSTEIN Program
- Attempts to access data detected and investigated
- Test exfiltration attempts are caught
Respond
- Incident response plan
- Participating in C-CAR protocol
- Roles and responsibilities are verified
- No active critical vulnerabilities > 30 days
Recover
- Disaster and incident recovery plans
- Incident notification: 100%
- Credit monitoring BPA
- Credit repair contract
Legend: Criteria Met; Criteria Not Met; Criteria NA
To achieve a particular rating in a framework area, an agency must meet all criteria within both the given level and all prior levels.
- Level 1: Foundational targets
- Level 2: Government-wide targets
- Level 3: Exceeding government-wide targets
9. Baseline Metrics
In addition to the metrics underlying the PMC Assessment, OMB also analyzes agency performance on measures not used to calculate agency scores. The intent is to better understand current agency performance so that ambitious but realistic targets can be set for future assessments. Current baseline metrics include:
- HTTPS implementation (M-15-13)
- Endpoints with data encrypted at rest (FIPS 140-2)
- Users with significant security responsibilities who have completed role-based security training
- Time to revoke role-based credentials following the termination of employees/contractors
10. Appendix: EOP Cybersecurity Assessment Criteria
Identify
- Hardware Asset Management (CAP): Level 1 80%; Level 2 95% (CAP goal); Level 3 100%
- Software Asset Management (CAP): Level 1 80%; Level 2 95% (CAP goal); Level 3 100%
- Unclassified information systems with a security ATO: Level 1 80%; Level 2 95%; Level 3 100%
- Review of contracts with sensitive information: Level 1 review of key contracts is in progress; Level 2 review of key contracts is completed; Level 3 all contracts contain clauses on protection, detection, and reporting of information
- Policy empowering incident commanders: Level 1 in place
Protect
- Vulnerability Management (CAP): Level 1 80%; Level 2 95% (CAP goal); Level 3 100%
- Secure Configuration Management (CAP): Level 1 80%; Level 2 95% (CAP goal); Level 3 100%
- Remote access security: Level 1 FIPS validated; Level 2 30-minute time-out; Level 3 split tunneling prohibited
- Unprivileged PIV logical access (CAP): Level 2 85% (CAP goal)
- Privileged PIV logical access (CAP): Level 2 100% (CAP goal)
- Insider Threat Program: Level 1 initial operating capability; Level 2 full operating capability
- Media destruction policy: Level 1 in place
Detect
- Anti-Phishing and Malware Defense (CAP): Level 1 1 of 3 key indicators at 90%; Level 2 all key indicators at 90% (CAP goal); Level 3 all key indicators at 100%
- EINSTEIN Program: Level 2 fully implemented
- Attempts to access large volumes of data are detected and investigated: Level 2 detected and investigated
- Test exfiltration attempts are caught: Level 3 test conducted in past year and attempt was caught
Respond
- Incident response plan: Level 1 developed, tested once annually; Level 2 tested twice annually; Level 3 no more than 180 days old
- Participating in C-CAR protocol: Level 1 participated in most recent C-CAR call
- Roles and responsibilities are verified: Level 2 verified during incident response testing
- No active critical vulnerabilities > 30 days: Level 2 no vulnerabilities identified
Recover
- Disaster and incident recovery plans: Level 1 developed, but not tested regularly; Level 2 tested annually; Level 3 less than one year old
- Incident notification: Level 1 policy that establishes a timeline for public or internal notifications after the detection or discovery of a compromise of PII is in place; Level 2 metrics tracking for notifications in place; Level 3 metrics indicate 100% compliance
- Credit monitoring BPA: Level 2 in place
- Credit repair contract: Level 3 in place
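As an added worked example (not part of the OMB deck), the Python below applies the two scoring rules the deck states: a function area earns level L only when every criterion defined at level L and at all lower levels is met, and the overall rating is the mean of the five area ratings rounded to the nearest whole number. The criteria and targets are a subset of the appendix table above; the reported agency values are constructed for illustration, not any agency's real data; and because the deck does not say how a mean ending in .5 rounds, the code assumes round-half-up.

```python
"""Scoring rules from the EOP/PMC cybersecurity assessment (added example)."""
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LEVELS = (1, 2, 3)  # 1 foundational, 2 government-wide, 3 exceeding


@dataclass(frozen=True)
class Criterion:
    name: str
    # percentage criteria: level -> minimum percentage (only the levels defined)
    pct_targets: Dict[int, float] = field(default_factory=dict)
    # qualitative criteria (policy in place, plan tested, ...): levels defined
    qual_levels: Tuple[int, ...] = ()

    def met_at(self, level: int, reported) -> Optional[bool]:
        """True/False if this criterion defines `level`; None if it has no target there."""
        if self.pct_targets:
            if level not in self.pct_targets:
                return None
            return reported >= self.pct_targets[level]
        if level not in self.qual_levels:
            return None
        return reported >= level  # reported = highest qualitative level achieved


def function_area_rating(criteria: List[Criterion], report: Dict[str, object]) -> int:
    """Rating 0-3: highest L such that every criterion defined at any level <= L is met."""
    rating = 0
    for level in LEVELS:
        for c in criteria:
            value = report.get(c.name)
            if value is None:  # "Criteria NA" in the scorecard legend: not counted
                continue
            if c.met_at(level, value) is False:
                return rating  # a miss at this level caps the rating below it
        rating = level
    return rating


def overall_rating(area_ratings: Dict[str, int]) -> int:
    """Mean of the area ratings rounded to the nearest whole number (half-up assumed)."""
    mean = sum(area_ratings.values()) / len(area_ratings)
    return int(math.floor(mean + 0.5))


PCT = {1: 80, 2: 95, 3: 100}  # the common 80 / 95 (CAP goal) / 100 ladder

# Subset of the appendix criteria; Anti-Phishing is modelled as a tiered criterion.
CRITERIA: Dict[str, List[Criterion]] = {
    "Identify": [
        Criterion("Hardware Asset Management", PCT),
        Criterion("Software Asset Management", PCT),
        Criterion("Unclassified systems with security ATO", PCT),
        Criterion("Review of contracts with sensitive information", qual_levels=(1, 2, 3)),
        Criterion("Policy empowering incident commanders", qual_levels=(1,)),
    ],
    "Protect": [
        Criterion("Vulnerability Management", PCT),
        Criterion("Secure Configuration Management", PCT),
        Criterion("Remote access security", qual_levels=(1, 2, 3)),
        Criterion("Unprivileged PIV logical access", {2: 85}),
        Criterion("Privileged PIV logical access", {2: 100}),
        Criterion("Insider Threat Program", qual_levels=(1, 2)),
        Criterion("Media destruction policy", qual_levels=(1,)),
    ],
    "Detect": [
        Criterion("Anti-Phishing and Malware Defense", qual_levels=(1, 2, 3)),
        Criterion("EINSTEIN Program", qual_levels=(2,)),
        Criterion("Large data access attempts detected and investigated", qual_levels=(2,)),
        Criterion("Test exfiltration attempts are caught", qual_levels=(3,)),
    ],
    "Respond": [
        Criterion("Incident response plan", qual_levels=(1, 2, 3)),
        Criterion("Participating in C-CAR protocol", qual_levels=(1,)),
        Criterion("Roles and responsibilities are verified", qual_levels=(2,)),
        Criterion("No active critical vulnerabilities > 30 days", qual_levels=(2,)),
    ],
    "Recover": [
        Criterion("Disaster and incident recovery plans", qual_levels=(1, 2, 3)),
        Criterion("Incident notification", qual_levels=(1, 2, 3)),
        Criterion("Credit monitoring BPA", qual_levels=(2,)),
        Criterion("Credit repair contract", qual_levels=(3,)),
    ],
}

# Constructed sample report: percentages for CAP-style metrics, highest level
# achieved for qualitative criteria. Not a real agency's data.
SAMPLE_REPORT: Dict[str, object] = {
    "Hardware Asset Management": 100, "Software Asset Management": 97,
    "Unclassified systems with security ATO": 87,
    "Review of contracts with sensitive information": 2,
    "Policy empowering incident commanders": 1,
    "Vulnerability Management": 100, "Secure Configuration Management": 95,
    "Remote access security": 3, "Unprivileged PIV logical access": 95,
    "Privileged PIV logical access": 100, "Insider Threat Program": 2,
    "Media destruction policy": 1,
    "Anti-Phishing and Malware Defense": 1, "EINSTEIN Program": 2,
    "Large data access attempts detected and investigated": 2,
    "Test exfiltration attempts are caught": 0,
    "Incident response plan": 2, "Participating in C-CAR protocol": 1,
    "Roles and responsibilities are verified": 2,
    "No active critical vulnerabilities > 30 days": 2,
    "Disaster and incident recovery plans": 3, "Incident notification": 3,
    "Credit monitoring BPA": 2, "Credit repair contract": 3,
}


def score_agency(report: Dict[str, object], criteria=CRITERIA):
    """Return (per-area ratings, overall rating) for one agency report."""
    areas = {area: function_area_rating(crits, report) for area, crits in criteria.items()}
    return areas, overall_rating(areas)


if __name__ == "__main__":
    areas, overall = score_agency(SAMPLE_REPORT)
    for area, rating in areas.items():
        print(f"{area:<9} {rating}")
    print(f"Overall   {overall}")
```

With the constructed report, Identify stops at level 1 because the ATO figure (87%) misses the 95% level-2 target even though hardware asset management is at 100%; that is the "all prior levels" rule in action. The ATO criterion marked NA instead would let Identify reach level 2.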
11. Appendix: Sample Action Items
The following items require additional information/details on how the agency is working to meet government-wide targets:
Category | Criteria | Questions | Actions Needed
Identify | CAP Goal: Hardware Asset Management | 1.2, 1.4, 3.16 | Detail actions to improve Hardware Asset Management capabilities or explain impediments to OMB
Identify | CAP Goal: Software Asset Management | 1.5, 3.17 | Detail actions to improve Software Asset Management capabilities or explain impediments to OMB
Identify | Review of key contracts with sensitive information | 1.8 | Complete review of key prioritized contracts or explain impediments to OMB
Protect | CAP Goal: PIV logical access (unprivileged users) | 2.4 | Detail actions to improve PIV usage amongst unprivileged users or explain impediments to OMB
Protect | CAP Goal: PIV logical access (privileged users) | 2.5 | Detail actions to improve PIV usage amongst privileged users or explain impediments to OMB
Protect | Privileged user count has achieved target | 2.5 | Reduce number of privileged users where possible
Protect | Insider Threat Program, per E.O. … | | Provide a status update of program implementation in next submission
Respond | Incident response plan developed and tested biannually | | Increase specificity regarding the frequency of incident response plan testing and updating
Recover | Recovery plans have been developed and tested annually | | Ensure that an enterprise-wide incident recovery plan is in place and updated on an annual basis
12. Annual Assessment Timeline
- January 1-15: CFO Act agencies complete Q1 FISMA CIO assessment; EOP then conducts FY Q1 PMC assessments
- February 15: Q1 PMC assessments delivered to agency CIOs
- March 1: Annual FISMA report to Congress released (from previous FY)
- April 1-15: CFO Act agencies complete Q2 FISMA CIO assessment; EOP then conducts FY Q2 PMC assessments
- May 15: Q2 PMC assessments delivered to agency CIOs
- July 1-15: CFO Act agencies complete Q3 FISMA CIO assessment; EOP then conducts FY Q3 PMC assessments
- August 15: Q3 PMC assessments delivered to agency CIOs
- October 1-31: All agencies complete annual FISMA CIO assessment; EOP then conducts FY Q4 PMC assessments
- December 15: Q4 PMC assessments delivered to agency CIOs
IG FISMA Metrics - History
- Collaboration with OMB, DHS, CIGIE, and other stakeholders
- Historically, the OIG FISMA metrics were mostly yes/no questions that did not enable an easy determination of effectiveness
- In 2015, a FISMA metrics subcommittee of the FAEC IT Committee was formed to develop effectiveness-based measures
Maturity Model Approach
- The maturity model incorporates Federal requirements and maps to best practices (e.g., CMMI, COBIT, NIST, C2M2)
- Maturity indicators map to CIO metrics, NIST and supporting special publications, President's Management Council, and other government-wide focus areas/initiatives
- The FISMA Metrics Subcommittee has incorporated comments from various stakeholders including FAEC, CIGIE, and the CIO/CISO community
Effectiveness within the Maturity Model
- Level 1: Ad hoc
- Level 2: Defined
- Level 3: Consistently Implemented
- Level 4: Managed & Measurable
- Level 5: Optimized
(Diagram labels: Implement, Operate, Desired Results, Effectiveness)
FISMA IG and CIO Metrics
FY 2017 FISMA IG Metrics are broadly aligned with the FY 2017 FISMA CIO Metrics. Each function (section) below is covered by both the IG metrics and the CIO metrics:
- Identify (Risk Assessment)
- Protect (Configuration Management)
- Protect (Identification and Authentication)
- Protect (Security Training)
- Detect (ISCM)
- Respond (Incident Response)
- Recover (Contingency Planning)
Scoring Methodology
- The FY 2017 FISMA IG Metrics scoring methodology will seek to provide a balanced assessment of agency information security capabilities
- Agency IGs will assess capabilities on a spectrum of potential maturity levels
- Overall maturity for each NIST Function will be recommended based on its average maturity level
- The goal is to provide a representative maturity level, but IGs can substitute a different score if they choose
- Overall agency maturity will be determined by the IG with no automatically generated recommendation
- This allows IGs to customize their assessments based on agency circumstances
Next Steps
- Access the metrics at DHS.gov/FISMA
- Hold a follow-on training session in July
- Work with DHS to make changes to the CyberScope application
- For 2018, develop a review guide or companion document to the metrics for IG use
Q&A
Sample of the common questions received by the FISMA Metrics Subcommittee:
- When is the due date for FISMA this year?
- Will the scoring methodology be different this year?
- Will specific questions be weighted differently than others?
- Is Level 4 still considered to be the bar for Effectiveness?
- Can an agency have an Effective program at Level 3?
- Will IGs be required to provide comments in CyberScope for all responses not at a Level 4?
More informationNATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium
NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium Securing Cyber Space & America s Cyber Assets: Threats, Strategies & Opportunities September 10, 2009, Crystal Gateway Marriott, Arlington,
More informationBusiness continuity management and cyber resiliency
Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Business continuity management and cyber resiliency Introductions Eric Wunderlich,
More informationCybersecurity Overview
Cybersecurity Overview DLA Energy Worldwide Energy Conference April 12, 2017 1 Enterprise Risk Management Risk Based: o Use of a risk-based approach for cyber threats with a focus on critical systems where
More informationQuadrennial Homeland Security Review (QHSR) Ensuring Resilience to Disasters
Quadrennial Homeland Security Review (QHSR) Ensuring Resilience to Disasters QHSR Background Implementing Recommendations of the 9/11 Commission Act of 2007 directed DHS to Conduct a Quadrennial Homeland
More informationProtecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations
Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations January 9 th, 2018 SPEAKER Chris Seiders, CISSP Security Analyst Computing Services and Systems Development
More information3/2/2012. Background on FISMA-Reheuser. NIST guidelines-cantor. IT security-huelseman. Federal Information Security Management Act
Jonathan Cantor, Department of Commerce Gery Huelseman, U.S. Air Force Michael E. Reheuser, Department of Defense Background on FISMA-Reheuser NIST guidelines-cantor IT security-huelseman Federal Information
More informationGEORGIA CYBERSECURITY WORKFORCE ACADEMY. NASCIO 2018 State IT Recognition Awards
GEORGIA CYBERSECURITY WORKFORCE ACADEMY NASCIO 2018 State IT Recognition Awards Title: Georgia Cybersecurity Workforce Academy Category: Cybersecurity State: Georgia Contact: Stanton Gatewood Stan.Gatewood@gta.ga.gov
More informationDepartment of Defense Cybersecurity Requirements: What Businesses Need to Know?
Department of Defense Cybersecurity Requirements: What Businesses Need to Know? Why is Cybersecurity important to the Department of Defense? Today, more than ever, the Department of Defense (DoD) relies
More informationUsing Metrics to Gain Management Support for Cyber Security Initiatives
Using Metrics to Gain Management Support for Cyber Security Initiatives Craig Schumacher Chief Information Security Officer Idaho Transportation Dept. January 2016 Why Metrics Based on NIST Framework?
More informationCYBERSECURITY RESILIENCE
CLOSING THE IN CYBERSECURITY RESILIENCE AT U.S. GOVERNMENT AGENCIES Two-thirds of federal IT executives in a new survey say their agency s ability to withstand a cyber event, and continue to function,
More informationCybersecurity and the Board of Directors
Cybersecurity and the Board of Directors Key Findings from BITS/FSR Meetings OVERVIEW Board directors are increasingly required to engage in cybersecurity risk management yet some may need better education
More informationCertified Information Security Manager (CISM) Course Overview
Certified Information Security Manager (CISM) Course Overview This course teaches students about information security governance, information risk management, information security program development,
More information300 Riverview Plaza Odysseus Marcopolus, Chief Operating Officer Trenton, NJ POLICY NO: SUPERSEDES: N/A VERSION: 1.0
P.O. Box 212 Philip D. Murphy, Governor 300 Riverview Plaza Odysseus Marcopolus, Chief Operating Officer Trenton, NJ 08625-0212 www.tech.nj.gov STATE OF NEW JERSEY TECHNOLOGY CIRCULAR Enterprise Information
More informationOFFICE OF INSPECTOR GENERAL
OFFICE OF INSPECTOR GENERAL Evaluation Report Catalyst for Improving the Environment Evaluation of U.S. Chemical Safety and s Compliance with the Federal Information Security Management Act and Efforts
More informationWhy you should adopt the NIST Cybersecurity Framework
Why you should adopt the NIST Cybersecurity Framework It s important to note that the Framework casts the discussion of cybersecurity in the vocabulary of risk management Stating it in terms Executive
More informationDHS Cybersecurity: Services for State and Local Officials. February 2017
DHS Cybersecurity: Services for State and Local Officials February 2017 Department of Established in March of 2003 and combined 22 different Federal departments and agencies into a unified, integrated
More informationImplementing the Administration's Critical Infrastructure and Cybersecurity Policy
Implementing the Administration's Critical Infrastructure and Cybersecurity Policy Cybersecurity Executive Order and Critical Infrastructure Security & Resilience Presidential Policy Directive Integrated
More informationThe next generation of knowledge and expertise
The next generation of knowledge and expertise UNDERSTANDING FISMA REPORTING REQUIREMENTS 1 HTA Technology Security Consulting., 30 S. Wacker Dr, 22 nd Floor, Chicago, IL 60606, 708-862-6348 (voice), 708-868-2404
More informationCybersecurity & Privacy Enhancements
Business, Industry and Government Cybersecurity & Privacy Enhancements John Lainhart, Director, Grant Thornton The National Institute of Standards and Technology (NIST) is in the process of updating their
More informationPOSTMARKET MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES FINAL GUIDANCE MARCH 29, TH ANNUAL MEDICAL DEVICE QUALITY CONGRESS
POSTMARKET MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES FINAL GUIDANCE MARCH 29, 2017 14TH ANNUAL MEDICAL DEVICE QUALITY CONGRESS 1 Fact vs. Myth Let s Play: Fact vs. Myth The FDA is the federal entity
More informationDHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017
DHS Cybersecurity Election Infrastructure as Critical Infrastructure June 2017 Department of Homeland Security Safeguard the American People, Our Homeland, and Our Values Homeland Security Missions 1.
More informationNCSF Foundation Certification
NCSF Foundation Certification Overview This ACQUIROS accredited training program is targeted at IT and Cybersecurity professionals looking to become certified on how to operationalize the NIST Cybersecurity
More informationNW NATURAL CYBER SECURITY 2016.JUNE.16
NW NATURAL CYBER SECURITY 2016.JUNE.16 ADOPTED CYBER SECURITY FRAMEWORKS CYBER SECURITY TESTING SCADA TRANSPORT SECURITY AID AGREEMENTS CONCLUSION QUESTIONS ADOPTED CYBER SECURITY FRAMEWORKS THE FOLLOWING
More informationDefensible Security DefSec 101
Defensible Security DefSec 101 Security Day November 2017 Information Security Branch Paul Falohun Senior Security Analyst Dan Lathigee Senior Project Manager Content 1 Introduction 2 DefSec for PSO 3
More informationChoosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist
Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist Agenda Industry Background Cybersecurity Assessment Tools Cybersecurity Best Practices 2 Cybersecurity
More informationNew York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines
New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities
More informationCYBERSECURITY MATURITY ASSESSMENT
CYBERSECURITY MATURITY ASSESSMENT ANTICIPATE. IMPROVE. PREPARE. The CrowdStrike Cybersecurity Maturity Assessment (CSMA) is unique in the security assessment arena. Rather than focusing solely on compliance
More information