FISMA and the Risk Management Framework
FISMA and the Risk Management Framework: The New Practice of Federal Cyber Security
Stephen D. Gantz, Daniel R. Philpott
Darren Windham, Technical Editor
ELSEVIER, Amsterdam, Boston, Heidelberg, London, New York, Oxford, Paris, San Diego, San Francisco, Singapore, Sydney, Tokyo
Syngress is an Imprint of Elsevier
Contents

Trademarks xvii
Acknowledgements xix
About the Author xxi

CHAPTER 1 Introduction 1
  Introduction 1
  Purpose and Rationale 3
  How to Use This Book 5
  Key Audience 5
  FISMA Applicability and Implementation 6
  Implementation Responsibilities 6
  FISMA Progress to Date 7
  FISMA Provisions 8
  Standards and Guidelines for Federal Information Systems 9
  System Certification and Accreditation 11
  Strengths and Shortcomings of FISMA 12
  Structure and Content 13
  Relevant Source Material 18
  References 19

CHAPTER 2 Federal Information Security Fundamentals 23
  Information Security in the Federal Government 25
  Brief History of Information Security 26
  Civilian, Defense, and Intelligence Sector Practices 28
  Legislative History of Information Security Management 33
  Certification and Accreditation 34
  HPS DITSCAP 36
  NIACAP 37
  NIST Special Publication DIACAP 40
  NIST Risk Management Framework 41
  Joint Task Force Transformation Initiative 42
  Organizational Responsibilities 43
  Office of Management and Budget (OMB) 44
  National Institute of Standards and Technology (NIST) 44
  Department of Defense (DoD) 45
  Office of the Director of National Intelligence (ODNI) 45
  Department of Homeland Security (DHS) 45
  National Security Agency (NSA) 46
  General Services Administration (GSA) 46
  Government Accountability Office (GAO) 46
  Congress 46
  Executive Office of the President 47
  Relevant Source Material 47
  References 48

CHAPTER 3 Thinking About Risk 53
  Understanding Risk 54
  Key Concepts 54
  Types of Risk 57
  Organizational Risk 63
  Trust, Assurance, and Security 66
  Trust and Trustworthiness 67
  Assurance and Confidence 67
  Security 68
  Trust Models 68
  Risk Associated with Information Systems 70
  Risk Management Framework 71
  Risk Management Life Cycle 72
  Other Risk Management Frameworks Used in Government Organizations 73
  Relevant Source Material 75
  References 76

CHAPTER 4 Thinking About Systems 79
  Defining Systems in Different Contexts 80
  Information Systems in FISMA and the RMF 81
  Information System Attributes 82
  Perspectives on Information Systems 85
  Information Security Management 85
  Capital Planning and Investment Control 86
  Enterprise Architecture 87
  System Development Life Cycle 88
  Information Privacy 90
  Establishing Information System Boundaries 91
  Subsystems 92
  System Interconnections 95
  Maintaining System Inventories 97
  Relevant Source Material 98
  References 99

CHAPTER 5 Success Factors 105
  Prerequisites for Organizational Risk Management 106
  Justifying Information Security 107
  Key Upper Management Roles 109
  Managing the Information Security Program 111
  Organizational Policies, Procedures, Templates, and Guidance 114
  Compliance and Reporting 114
  Agency Reporting Requirements 115
  Information Security Program Evaluation 115
  Organizational Success Factors 116
  Governance 116
  Planning 117
  Budgeting and Resource Allocation 118
  Communication 118
  Standardization, Automation, and Reuse 119
  Flexibility 119
  Measuring Security Effectiveness 120
  Security Measurement Types 122
  Security Measurement Process 123
  Relevant Source Material 126
  References 126

CHAPTER 6 Risk Management Framework Planning and Initiation 131
  Planning 132
  Planning the RMF Project 134
  Aligning to the SDLC 135
  Planning the RMF Timeline 136
  Prerequisites for RMF Initiation 137
  Inputs to Information System Categorization 138
  Inputs to Security Control Selection 139
  Organizational Policies, Procedures, Templates, and Guidance 140
  Identifying Responsible Personnel 142
  Establishing a Project Plan 143
  Roles and Responsibilities 144
  Getting the Project Underway 145
  Relevant Source Material 148
  References 149

CHAPTER 7 Risk Management Framework Steps 1 &
  Purpose and Objectives 154
  Standards and Guidance 154
  Step 1: Categorize Information System 157
  Security Categorization 158
  Information System Description 166
  Information System Registration 167
  Step 2: Select Security Controls 168
  Common Control Identification 174
  Security Control Selection 176
  Monitoring Strategy 180
  Security Plan Approval 181
  Relevant Source Material 181
  References 182

CHAPTER 8 Risk Management Framework Steps 3 &
  Working with Security Control Baselines 188
  Assurance Requirements 189
  Sources of Guidance on Security Controls 190
  Roles and Responsibilities 194
  Management Controls 194
  Operational Controls 195
  Technical Controls 195
  Program Management, Infrastructure, and Other Common Controls 196
  Step 3: Implement Security Controls 196
  Security Architecture Design 198
  Security Engineering and Control Implementation 198
  Security Control Documentation 201
  Step 4: Assess Security Controls 202
  Security Control Assessment Components 204
  Assessment Preparation 205
  Security Control Assessment 211
  Security Assessment Report 212
  Remediation Actions 213
  Relevant Source Material 214
  References 215

CHAPTER 9 Risk Management Framework Steps 5 &
  Preparing for System Authorization 220
  Step 5: Authorize Information System 222
  Plan of Action and Milestones 223
  Security Authorization Package 226
  Risk Determination 228
  Risk Acceptance 229
  Step 6: Monitor Security Controls 230
  Information System and Environment Changes 233
  Ongoing Security Control Assessments 234
  Ongoing Remediation Actions 235
  Key Updates 236
  Security Status Reporting 237
  Ongoing Risk Determination and Acceptance 238
  Information System Removal and Decommissioning 238
  Relevant Source Material 239
  References 240

CHAPTER 10 System Security Plan 245
  Purpose and Role of the System Security Plan 246
  System Security Plan Scope 246
  Defining the System Boundary 247
  Key Roles and Responsibilities 249
  The Role of the SSP within the RMF 249
  Structure and Content of the System Security Plan 251
  System Security Plan Format 252
  SSP Linkage to Other Key Artifacts 264
  Developing the System Security Plan 266
  Rules of Behavior 267
  Managing System Security Using the SSP 268
  Relevant Source Material 269
  References 269

CHAPTER 11 Security Assessment Report 275
  Security Assessment Fundamentals 276
  Security Control Assessors and Supporting Roles 276
  Assessment Timing and Frequency 281
  Scope and Level of Detail 284
  Security Assessment Report Structure and Contents 288
  Assessment Methods and Objects 290
  Performing Security Control Assessments 293
  Assessment Determinations 293
  Producing the Security Assessment Report 296
  The Security Assessment Report in Context 296
  The Purpose and Role of the Security Assessment Report 298
  Using the Security Assessment Report 300
  Relevant Source Material 300
  References 301

CHAPTER 12 Plan of Action and Milestones 305
  Regulatory Background 307
  Structure and Content of the Plan of Action and Milestones 308
  Agency-Level POA&M 308
  System-Level POA&M Information 309
  Creating POA&M Items 313
  Planning for Remediation 316
  Oversight of POA&M Creation 317
  Weaknesses and Deficiencies 317
  Risk Assessments 318
  Risk Responses 319
  Sources of Weaknesses 320
  Producing the Plan of Action and Milestones 322
  Timing and Frequency 322
  Maintaining and Monitoring the Plan of Action and Milestones 323
  Resolving POA&M Items 324
  Relevant Source Material 324
  References 326

CHAPTER 13 Risk Management 329
  Risk Management 329
  Key Risk Management Concepts 332
  Three-Tiered Approach 335
  Organizational Perspective 335
  Mission and Business Perspective 339
  Information System Perspective 342
  Trust and Trustworthiness 343
  Components of Risk Management 344
  Frame 344
  Assess 347
  Respond 349
  Monitor 352
  Information System Risk Assessments 353
  Risk Models 355
  Assessment Methods 356
  Analysis Approaches 357
  Prepare 357
  Conduct 359
  Maintain 359
  Relevant Source Material 360
  References 361

CHAPTER 14 Continuous Monitoring 367
  The Role of Continuous Monitoring in the Risk Management Framework 369
  Monitoring Strategy 373
  Selecting Security Controls for Continuous Monitoring 374
  Integrating Continuous Monitoring with Security Management 375
  Roles and Responsibilities 375
  Continuous Monitoring Process 377
  Define ISCM Strategy 380
  Establish ISCM Program 381
  Implement ISCM Program 385
  Analyze Data and Report Findings 385
  Respond to Findings 386
  Review and Update ISCM Program and Strategy 387
  Technical Solutions for Continuous Monitoring 388
  Manual vs. Automated Monitoring 388
  Data Gathering 389
  Aggregation and Analysis 394
  Automation and Reference Data Sources 395
  Relevant Source Material 395
  References 396

CHAPTER 15 Contingency Planning 403
  Introduction to Contingency Planning 403
  Contingency Planning Drivers 404
  Contingency Planning Controls 406
  Contingency Planning and Continuity of Operations 411
  Federal Requirements for Continuity of Operations Planning 412
  Distinguishing Contingency Planning from Continuity of Operations Planning 413
  Contingency Planning Components and Processes 414
  Information System Contingency Planning 417
  Develop Contingency Planning Policy 417
  Conduct Business Impact Analysis 418
  Identify Preventive Controls 419
  Create Contingency Strategies 420
  Develop Contingency Plan 422
  Conduct Plan Testing, Training, and Exercises 422
  Maintain Plan 424
  Developing the Information System Contingency Plan 424
  ISCP Introduction and Supporting Information 425
  Concept of Operations 426
  Activation and Notification 427
  Recovery 428
  Reconstitution 430
  Appendices and Supplemental Information 431
  Operational Requirements for Contingency Planning 432
  System Development and Engineering 432
  System Interconnections 433
  Technical Contingency Planning Considerations 433
  Relevant Source Material 437
  References

CHAPTER 16 Privacy
  Privacy Requirements for Federal Agencies Under FISMA and the E-Government Act 446
  Privacy Provisions in the E-Government Act of
  Privacy and Minimum Security Controls 451
  Privacy in FISMA Reporting 452
  FISMA Incident Reporting and Handling 455
  Federal Agency Requirements Under the Privacy Act 455
  Fair Information Practices 456
  Privacy Impact Assessments 461
  Applicability of Privacy Impact Assessments 462
  Conducting Privacy Impact Assessments 463
  Documenting and Publishing PIA Results 464
  System of Records Notices 465
  Updates to Privacy Impact Assessments for Third-Party Sources 465
  Privacy Impact Assessments within the Risk Management Framework 466
  Protecting Personally Identifiable Information (PII) 466
  Notification Requirements for Breaches of Personally Identifiable Information 468
  Other Legal and Regulatory Sources of Privacy Requirements 470
  Privacy Requirements Potentially Applicable to Agencies 470
  Relevant Source Material 475
  References 476

CHAPTER 17 Federal Initiatives 481
  Network Security 481
  US-CERT 482
  Comprehensive National Cybersecurity Initiative 483
  Trusted Internet Connections 484
  EINSTEIN 484
  Cloud Computing 485
  FedRAMP 486
  Application Security 487
  Tested Security Technologies 488
  Federal Information Processing Standards 488
  Common Criteria 489
  Secure Configuration Checklists 489
  Identity and Access Management 490
  Identity, Credential, and Access Management (ICAM) 491
  Personal Identity Verification 491
  Electronic Authentication 493
  Federal PKI 496
  Other Federal Security Management Requirements 497
  Personally Identifiable Information Protection 498
  OMB Memoranda 498
  Information Resources Management 499
  Federal Enterprise Architecture 499
  Open Government 501
  Relevant Source Material 501
  References 502

APPENDIX A References 507
APPENDIX B Acronyms 521
APPENDIX C Glossary 527
INDEX 547
NIST Special Publication 800-53A Guide for Assessing the Security Controls in Federal Information Systems Ron Ross Arnold Johnson Stu Katzke Patricia Toth George Rogers I N F O R M A T I O N S E C U R
More informationNew York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines
New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities
More informationTEL2813/IS2621 Security Management
TEL2813/IS2621 Security Management James Joshi Associate Professor Lecture 4 + Feb 12, 2014 NIST Risk Management Risk management concept Goal to establish a relationship between aggregated risks from information
More informationNIST Cloud Security Architecture Tool (CSAT) Leveraging Cyber Security Framework to Architect a FISMA-compliant Cloud Solution
NIST Cloud Security Architecture Tool (CSAT) Leveraging Cyber Security Framework to Architect a FISMA-compliant Cloud Solution Dr. Michaela Iorga NIST October 2018 A Triple Inflection Point Marked A New
More informationLunarline s School of Cyber Security Course Catalog
Lunarline s School of Cyber Security Course Catalog 3300 N Fairfax Drive, Suite #308, Arlington, Virginia 22201 Phone: 571.481.9300 Fax: 202.315.3003 www.schoolofcybersecurity.com Table of Contents RISK
More informationCOMPLIANCE IN THE CLOUD
COMPLIANCE IN THE CLOUD 3:45-4:30PM Scott Edwards, President, Summit 7 Dave Harris Society for International Affairs COMPLIANCE IN THE CLOUD Scott Edwards scott.edwards@summit7systems.com 256-541-9638
More informationAmerican Association for Laboratory Accreditation
R311 - Specific Requirements: Federal Risk and Authorization Management Program Page 1 of 10 R311 - Specific Requirements: Federal Risk and Authorization Management Program 2017 by A2LA. All rights reserved.
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE Digital Policy Management consists of a set of computer programs used to generate, convert, deconflict, validate, assess
More informationCyberUSA Government Cyber Opportunities for your Region: The Federal Agenda - Federal, Grants & Resources Available to Support Community Cyber
CyberUSA Government Cyber Opportunities for your Region: The Federal Agenda - Federal, Grants & Resources Available to Support Community Cyber Initiatives 30 January 2018 1 Agenda Federal Landscape Cybersecurity
More informationTEL2813/IS2820 Security Management
TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management
More informationMobile Device Security
Mobile Device Security A Comprehensive Guide to Securing Your Information in a Moving World STEPHEN FRIED icfl CRC Press Taylor & Francis Group Boca Raton London New York CRC Press is an imprint of the
More information"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary
Course Summary Description In this course, you will perform evaluations of organizational policies, procedures, and processes to ensure that an organization's information systems align with overall business
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Deployment Deployment is the phase of the system development lifecycle in which solutions are placed into use to
More informationTelos and Amazon Web Services (AWS): Accelerating Secure and Compliant Cloud Deployments
` Telos and Amazon Web Services (AWS): Accelerating Secure and Compliant Cloud Deployments Telos Corporation 19886 Ashburn Road Ashburn, VA 24445 www.telos.com ` Introduction Telos Corporation and Amazon
More informationDefense Information Systems Agency (DISA) Department of Defense (DoD) Cloud Service Offering (CSO) Initial Contact Form
Defense Information Systems Agency (DISA) Department of Defense (DoD) Cloud Service Offering (CSO) Initial Contact Form Page 1 of 5 Submitted to DISA s DoD Cloud Support Office by: Signature (Prefer CAC
More informationTop Reasons To Audit An IAM Program. Bryan Cook Focal Point Data Risk
Top Reasons To Audit An IAM Program Bryan Cook Focal Point Data Risk Focal Point Data Risk A New Type of Risk Management Firm THE FACTS Born from the merger of three leading security & risk management
More informationThe Common Controls Framework BY ADOBE
The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.
More informationEnhancing the Cybersecurity of Federal Information and Assets through CSIP
TECH BRIEF How BeyondTrust Helps Government Agencies Address Privileged Access Management to Improve Security Contents Introduction... 2 Achieving CSIP Objectives... 2 Steps to improve protection... 3
More informationStrengthening the Cybersecurity of Federal Networks and Critical Infrastructure
Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Executive Order 13800 Update July 2017 In Brief On May 11, 2017, President Trump issued Executive Order 13800, Strengthening
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Signature Repository A Signature Repository provides a group of signatures for use by network security tools such
More informationFPM-IT-420B: FAC-P/PM-IT Planning & Acquiring Operations of IT Systems Course Details
FPM-IT-420B: FAC-P/PM-IT Planning & Acquiring Operations of IT Systems Course Details 2 FPM IT 420B: FAC P/PM IT Planning & Acquiring Operations of IT Systems FPM-IT-420B: FAC-P/PM-IT PLANNING & ACQUIRING
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS IA Policies, Procedures, The Information Assurance (IA) Policies, Procedures, encompasses existing policies, procedures,
More information