REQUEST FOR INFORMATION
Department of Management Services
REQUEST FOR INFORMATION
Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services
RFI Response

Joel Atkinson, Associate Category Manager
Florida Department of Management Services, Division of State Purchasing
4050 Esplanade Way, Suite 360
Tallahassee, Florida
Ph: Fax:

September 1, 2015

TestPros, Inc
Lake Center Plaza, #306
Sterling, VA
Phone Fax

This response includes data that shall not be disclosed outside the Government and shall not be duplicated, used, or disclosed in whole or in part for any purpose other than to evaluate this RFI response. This restriction does not limit the Government's right to use information contained in this data if it is obtained from another source without restriction. This restriction applies to all pages of this response.
INTRODUCTION:
The Department of Management Services Division of State Purchasing (Department) is issuing this Request for Information (RFI) to the General Services Administration (GSA) Schedule 70 vendor community to obtain information about vendors that are able to perform cyber-security assessment and remediation, as well as identity protection, monitoring and restoration services under this schedule.

COMPANY INFORMATION:
TestPros, Inc.
Business size: Small Business
Top Secret facility clearance
DUNS:
Primary NAICS:
CAGE Code: 3CMW0
Tax ID:
GSA Schedule #GS-35F-0395U
TestPros, Inc, Lake Center Plaza, Suite #306, Sterling VA (Phone)
Technical POC: Kevin Murray
Administrative POC: Christina Wolfe

TestPros is a small business with a 27-year track record of helping Government and Commercial customers maximize the value of their IT investments while ensuring their systems are usable, reliable, safe, and secure. We provide enterprise-wide program management, Operational Test and Evaluation (OT&E) services, Independent Verification and Validation (IV&V), Oversight, Quality Assurance (QA), software development, compliance (508, Security, Privacy, etc.), and cyber security (FISMA, DIACAP, FedRAMP Cloud Security, A&A, C&A) for our customers on a global basis. TestPros staff maintain a variety of professional certifications in cyber security, including CISSP and CCSK.

TestPros has Extensive Prime Contracting Experience: TestPros is a successful prime contractor on the DHS EAGLE II FC3 (Test & Evaluation) contract, GSA ALLIANT GWAC, FAA efast MOA, FBI QA/IV&V IDIQ, and GSA Schedule IT 70. Florida benefits from low-risk solutions delivered by a TestPros Program Management Office (PMO) whose people, processes and technologies have been optimized over our 27+ years of primarily performance-based contracting.
RFI RESPONSE:
TestPros has the experience, capabilities, tools, trained staff, and the desire to assist all State of Florida agencies with Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services. TestPros can provide all of the services requested via this RFI, including:

Pre-Incident Services:
a) Incident Response Agreements: Terms and conditions in place ahead of time to allow for quicker response in the event of a cyber-security incident.
b) Assessments: Evaluate a State Agency's current state of information security and cybersecurity incident response capability.
c) Preparation: Provide guidance on requirements and best practices.
d) Developing Cyber-Security Incident Response Plans: Develop or assist in development of written State Agency plans for incident response in the event of a cyber-security incident.
e) Training: Provide training for State Agency staff, from basic user awareness to technical education.

Post-Incident Services:
a) Breach Services Toll-free Hotline: Provide a scalable, resilient call center for incident response information to State Agencies.
b) Investigation/Clean-up: Conduct rapid evaluation of incidents, lead investigations and provide remediation services to restore State Agency operations to pre-incident levels.
c) Incident Response: Provide guidance or technical staff to assist State Agencies in response to an incident.
d) Mitigation Plans: Assist State Agency staff in development of mitigation plans based on investigation and incident response. Assist State Agency staff with incident mitigation activities.
e) Identity Monitoring, Protection, and Restoration: Provide identity monitoring, protection, and restoration services to any individuals potentially affected by a cybersecurity incident.
TestPros IT security and risk management processes are based on the U.S. National Institute of Standards and Technology (NIST) guidelines as illustrated in Figure 1 (below) and industry best practices, including lessons learned on many previous Assessment and Authorization (A&A) engagements. Our Security Program approach includes a set of activities with fully documented procedures and checklists extracted from the applicable guidance and standards, which we then assembled into a cohesive process that is fully tailorable to any given phase of the development lifecycle and encompasses continuous process improvement initiatives.

Figure 1 Risk Management Strategy (NIST Risk Management Framework security life cycle, repeated as needed: Starting Point; Step 1 CATEGORIZE Information Systems (FIPS 199/SP); Step 2 SELECT Security Controls (FIPS 200/SP); Step 3 IMPLEMENT Security Controls (SP); Step 4 ASSESS Security Controls (SP A); Step 5 AUTHORIZE Information Systems (SP); Step 6 MONITOR Security Controls (SP 800 Series). Inputs: Architecture Description (Mission Business Process, FEA Reference Models, Segment and Solution Architectures, Information System Boundaries); Organizational Inputs (Laws, Directives, Policy Guidance; Strategic Goals and Objectives; Information Security Requirements; Priorities and Resource Availability).)

TestPros provides a comprehensive set of technical support services, embedded with CMMI, ITIL, ISO, IEEE, NIST, and related industry and government standard practices, throughout the full life cycle from software development through system operations/maintenance (O&M) and sustainment. We follow the PMBOK guidelines, rules and characteristics for project, program and portfolio management. We are well versed in detecting and remediating application and system vulnerabilities (as catalogued in the Common Weakness Enumeration, CWE). Our risk management approach accommodates recursion and refinement, which aligns with the iterative/agile approaches necessary for complex systems.
It enables us to become involved at any point in the SDLC, including when development is already in progress, to diagnose issues, identify remedial steps, and move forward as integrated participants in each iteration of the system lifecycle processes.
Figure 2 below shows the major elements of the TestPros Security Program.

Figure 2 TestPros Performance-based Risk Management Framework

Using this information and guidance from NIST SP Guide for Applying the Risk Management Framework to Federal Information Systems, A Security Life Cycle Approach, we will validate the security authorization boundaries and the network segments selected for the discovery scan. If a gap is detected, we will report the gap(s) to the COR. TestPros' experience in this area includes the discovery and analysis of assets and boundaries for DISA, DHS, DOI, USDA, and several other Federal Agency clients. TestPros will provide all the necessary personnel resources to fully satisfy the requirements of the SOW. TestPros has demonstrated expertise and knowledge in Federal Information Technology (IT) security laws, regulations, policies, and Presidential Decision Directives (PDD), to include extensive working experience with applicable National Institute of Standards and Technology (NIST) Federal Information Processing Standard Publications (FIPS Pubs) and Special Publications (SPs).

TestPros will review prior years' assessments and any Florida guidance regarding control selection criteria on which to select the controls to be assessed this period for each system. We will review the System Security Plans (SSPs) to identify control type and ownership, and we may leverage prior year(s) Security Assessment Plans (SAP) if they are deemed useful.

TestPros provided research and design services to the DARPA National Cyber Range program, a National Cyber Security asset.

TestPros will prepare a Security Assessment Plan (SAP) using the RMF SAP template v1 to describe the plan, process, and schedule for performance of the assessments for the General Support System (GSS) and the Major Applications. The SAP will clearly communicate the scope of the testing, the controls selected, and the objectives for the security control assessment in accordance with NIST SP A Rev 3 and Rev 4 (as applicable). The NIST SP A Rev 4 control areas are illustrated in Figure 3, below. TestPros will include the validated security authorization boundaries and asset inventory, along with the rationale to support any sampling methodology. The SAP we develop will describe the vulnerability assessment and configuration auditing to be performed, the tools to be used, and any requirements of Florida to permit the tools to be installed and operated within the Florida environment.
Figure 3 NIST A Rev4 Security Controls (figure content: Identify: Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy; Protect: Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance, Protective Technology; Detect: Anomalies and Events, Security Continuous Monitoring, Detection Processes; Respond: Response Planning, Communications, Analysis, Mitigation, Improvements; Recover: Recovery Planning, Improvements, Communications)

TestPros will provide a draft of the SAP for Florida review and comment, and address comments received within the 5-day review period. TestPros understands that the objectives of a Security Test and Evaluation (ST&E) are to:
Uncover design, implementation, and operational flaws that could allow the violation of security policies that may affect the confidentiality, integrity, and availability of the information and information systems;
Determine the adequacy of security mechanisms, assurances, and other properties to enforce the Department's security policy; and
Assess the degree of consistency between the system documentation and its implementation.

Figure 4 below shows our general approach and methodology for conducting Independent Security Test & Evaluation (ST&E) in support of this program.

Figure 4 TestPros Independent Security Test & Evaluation Process

Upon Florida approval of the SAP, TestPros will execute the security control assessments, in accordance with NIST SP A standards, for the GSS and the Major Applications. TestPros will coordinate with the designated Florida points of contact for information requests, to schedule telephone and in-person meetings, and to coordinate all technical testing. We understand that Florida will provide the necessary credentials to support authenticated vulnerability and configuration scans of the selected devices and applications, and that database vulnerability scanning is not included within the scope of this assessment.

Defense Security Service (DSS) - IV&V / T&E of Security Tools: TestPros provided support to the DSS, conducting testing and evaluation, in our cleared labs, on many leading IT security tools to determine each tool's real-world capabilities and limitations in various server, desktop/laptop, and mobile device environments. This provides us with unique insight into the most effective use of security tools.

TestPros will prepare a Security Assessment Report (SAR) for the GSS and one for each of the Major Applications. TestPros will identify and document control weaknesses with the associated assessed risk level and provide recommendations for risk mitigation that will aid system administrators with remediation. We will summarize the results of vulnerability and configuration scans and provide detailed reports using the RMF SAR template v1. TestPros will draft (or update the existing) Plan of Actions and Milestones (POA&M) for the GSS and each Major Application. The draft POA&M will identify all weaknesses mapped to security controls, risk level, and the TestPros recommendation for mitigation.
CORPORATE EXPERIENCE:
TestPros has been successfully providing independent IT assessment services for the past 25 years. Our experience includes Project Management, Transition Support, Contingency Planning, Emergency Support, IV&V/QA Oversight, Program/System Security, C&A/A&A Support, FISMA/FedRAMP, Continuous Monitoring, Continuous Integration/Configuration Management, Test & Evaluation, Test Automation, Certifying Authority Support, and CONUS and OCONUS support. TestPros holds a Top Secret clearance. We understand Florida's IT security needs and we can provide qualified and appropriately cleared personnel to fulfill these requirements.

The table below highlights some pertinent past performance that is relevant to this scope of work. Table columns: Contract Name; Agency; Period of Performance; Security Support; QA Support; T&E Support; Monitor Support.

Contract Name (as listed): DISA Net-Centric Enterprise Services, Enterprise File Delivery; DOI HQ, C&A Phase-2 Independent Security Assessment (including Cloud/FedRAMP); Military Health System (MHS) Integrated Information Technology (IT) Solutions C&A Phase-2 Support; DARPA National Cyber (Security) Range A&A and IT Security Services Support; Internet Consortium (Google, Yahoo!, MSN, AOL, CNET, etc.) SAFE SOFTWARE; Software Assurance (Independent Source Code Review).

Agency (as listed): Defense Information Systems Agency; Department of Interior; Pacific Joint Information Technology Center (Pacific JITC) Hawaii; USDA (various components); Defense Advanced Research Projects Agency; U.S. Department of Labor.

In addition, our experience includes: TestPros is working with a key member of the military industrial complex to provide a software source code security risk and vulnerability assessment (Software Assurance) on over 1 Million lines of source code (based on NSA, NIST, DHS, and DOD security policies as well as commercial best practices).
DATA QUALITY and DATA SECURITY
An organization cannot secure what it cannot define, measure and control. This principle is especially relevant in the context of system testing at Florida. As Florida assesses the security capabilities and requirements of its as-is systems, it is especially critical that it consider the implications of adopting, or failing to adopt, the data quality aspects of both inputs and outputs of the testing process. Failing to do so increases the potential for maintaining systems that do not perform as intended. Increased security gaps and breaches, costs associated with re-work, and loss of confidence in the ability of the Department to conduct its mission are other possible outcomes.

As it relates to Assessment and Authorization, the TestPros team believes it is extremely important to include Data Quality Management as a key component of the Task. Doing so will help ensure that systems and applications deliver as intended, and only enable access and authorization as they should. As an example, if a building access database is only updated daily, the currency or recency dimension of data quality could be inadequate to meet security requirements: a badge could remain active and enable a terminated employee access.

Some other Data Quality related questions that should be considered for Assessment and Authorization include:
Does the comparison data used in the assessment and audit process originate from a vetted, authoritative source?
Is it complete?
Is it accurate?
Is the level of detail sufficient?
Are the data relevant to the specific user needs?

The answers to these questions may not be a simple yes or no, but rather come in the form of a threshold or range of acceptable levels that must be baselined and/or established up front and then measured against during the testing process. Data quality management needs to be a cohesive, integrated process that measures quality levels, analyzes results and addresses the root cause issues.
The scope of the data quality process includes people (IT and functional users), process and technology. Re-engineering deployed systems to incorporate added security is a time-consuming and costly endeavor. Taking a Data Centric approach to system development will reduce these costs up front. Furthermore, having a Data Quality requirements set enables the IV&V process to achieve its intended effect of identifying unmet requirements during development, as opposed to during user acceptance testing or after rollout. These latter two approaches result in greatly increased costs. Ultimately, the data quality drives the quality of the security processes at Florida. If the data are of poor quality then the process cannot produce quality outcomes. When working with existing systems, a data-driven approach requires data reverse engineering across the multiple interfacing systems. Reverse engineering an organization's data assets has proven a successful approach to reconstituting the understanding and/or the physical condition of organizational data systems that have deteriorated or become unclear. This approach will reduce costs in remediating existing systems as well as reduce cost in the development of future state strategic solutions by providing factual information about your data assets: what data exists, where it exists, how it is related to other data assets and the quality condition of those assets.

TestPros has extensive directly related experience. We use a combination of automated security tools and processes such as Trusted Agent FISMA (TAF), Nessus, Foundstone, NCircle, Rapid7, BindView, NeXpose, Retina, NetIQ and other security and vulnerability scanning tools and manual testing methods to conduct comprehensive Security Test and Evaluation on customer IT assets. TestPros is also actively engaged with Cloud Security, including the FedRAMP program.

FedRAMP Security Process

As an enthusiastic government Prime Contractor we ask that you provide TestPros with the opportunity to compete for the IV&V, IT Security, QA, and related support for this program. Please feel free to contact me with any questions or if you need any additional information.

Thank you,
Kevin Murray
President & Founder
Direct Dial (703)
KMurray@TestPros.com
TestPros, Inc
Lake Center Plaza, Suite 306
Sterling, VA
Office Phone (703)
FPM-IT-420B: FAC-P/PM-IT Planning & Acquiring Operations of IT Systems Course Details 2 FPM IT 420B: FAC P/PM IT Planning & Acquiring Operations of IT Systems FPM-IT-420B: FAC-P/PM-IT PLANNING & ACQUIRING
More informationNW NATURAL CYBER SECURITY 2016.JUNE.16
NW NATURAL CYBER SECURITY 2016.JUNE.16 ADOPTED CYBER SECURITY FRAMEWORKS CYBER SECURITY TESTING SCADA TRANSPORT SECURITY AID AGREEMENTS CONCLUSION QUESTIONS ADOPTED CYBER SECURITY FRAMEWORKS THE FOLLOWING
More informationIoT & SCADA Cyber Security Services
RIOT SOLUTIONS PTY LTD P.O. Box 10087 Adelaide St Brisbane QLD 4000 BRISBANE HEAD OFFICE Level 22, 144 Edward St Brisbane, QLD 4000 T: 1300 744 028 Email: sales@riotsolutions.com.au www.riotsolutions.com.au
More informationRisk Management Framework for DoD Medical Devices
Risk Management Framework for DoD Medical Devices Session 136, March 7, 2018 Lt. Col. Alan Hardman, Chief Operations Officer, Cyber Security Division, Office of the DAD IO/J-6 William Martin, Deputy of
More informationDEFENSE LOGISTICS AGENCY AMERICA S COMBAT LOGISTICS SUPPORT AGENCY. Cyber Security. Safeguarding Covered Defense Information.
DEFENSE LOGISTICS AGENCY AMERICA S COMBAT LOGISTICS SUPPORT AGENCY Cyber Security Safeguarding Covered Defense Information 30-31 August 2016 WARFIGHTER FIRST PEOPLE & CULTURE STRATEGIC ENGAGEMENT FINANCIAL
More informationQuick Start Strategy to Compliance DFARS Rob Gillen
WELCOME Quick Start Strategy to Compliance DFARS 252.204-7012 Rob Gillen Overview Meet Bill Harrison Meet FASTLANE Important Updates Overview of NIST 800-171 Case Studies 5 Items to a Quick Start Strategy
More informationManaged Trusted Internet Protocol Service (MTIPS) Enterprise Infrastructure Solutions (EIS) Risk Management Framework Plan (RMFP)
Enterprise Infrastructure Solutions Volume 1 Technical Volume EIS MTIPS Risk Management Framework Plan Managed Trusted Internet Protocol Service (MTIPS) Enterprise Infrastructure Solutions (EIS) Risk Management
More informationISAO SO Product Outline
Draft Document Request For Comment ISAO SO 2016 v0.2 ISAO Standards Organization Dr. Greg White, Executive Director Rick Lipsey, Deputy Director May 2, 2016 Copyright 2016, ISAO SO (Information Sharing
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity November 2017 cyberframework@nist.gov Supporting Risk Management with Framework 2 Core: A Common Language Foundational for Integrated Teams
More informationContemporary Challenges for Cloud Service Providers Seeking FedRAMP Compliance
Contemporary Challenges for Cloud Service Providers Seeking FedRAMP Compliance July 2017 Jeff Roth, CISSP-ISSEP, CISA, CGEIT, QSA Regional Director NCC Group Agenda FedRAMP - Foundations/Frameworks Cloud
More informationFedRAMP Initial Review Standard Operating Procedure. Version 1.3
FedRAMP Initial Review Standard Operating Procedure Version 1.3 August 27, 2015 Revision History Date Version Page(s) Description Author 08/07/2015 1.0 All Initial Release FedRAMP PMO 08/17/2015 1.1 All
More informationJob Aid: Introduction to the RMF for Special Access Programs (SAPs)
Contents Terminology... 2 General Terminology... 2 Documents and Deliverables... 2 Changes in Terminology... 3 Key Concepts... 3 Roles... 4 Cybersecurity for SAPs: Roles... 5 Support/Oversight Roles...
More informationFedRAMP Security Assessment Framework. Version 2.1
FedRAMP Security Assessment Framework Version 2.1 December 4, 2015 Executive Summary This document describes a general Security Assessment Framework (SAF) for the Federal Risk and Authorization Management
More informationFedRAMP Security Assessment Framework. Version 2.0
FedRAMP Security Assessment Framework Version 2.0 June 6, 2014 Executive Summary This document describes a general Security Assessment Framework (SAF) for the Federal Risk and Authorization Management
More informationSynergies of the Common Criteria with Other Standards
Synergies of the Common Criteria with Other Standards Mark Gauvreau EWA-Canada 26 September 2007 Presenter: Mark Gauvreau (mgauvreau@ewa-canada.com) Overview Purpose Acknowledgements Security Standards
More informationRFQ OIT-1 Q&A. Questions and Answers, in the order received.
Question Does the system have an existing SSP? Do they use a system like Xacta or CSAM to generate the SSP. Will they provide us the current POAM list? Will they provide scanning tools or we have to bring
More informationChecklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)
Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP) ecfirst, chief executive Member, InfraGard Compliance Mandates Key Regulations
More informationFedRAMP Plan of Action and Milestones (POA&M) Template Completion Guide. Version 1.1
FedRAMP Plan of Action and Milestones (POA&M) Template Completion Guide Version 1.1 September 3, 2015 FedRAMP Plan of Action & Milestones (POA&M) Template Completion Guide v1.1 September 3, 2015 Document
More informationBPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.
BPS Suite and the OCEG Capability Model Mapping the OCEG Capability Model to the BPS Suite s product capability. BPS Contents Introduction... 2 GRC activities... 2 BPS and the Capability Model for GRC...
More informationCybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com
Cybersecurity Presidential Policy Directive Frequently Asked Questions kpmg.com Introduction On February 12, 2013, the White House released the official version of the Presidential Policy Directive regarding
More informationISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard
Certification Exam Outline Effective Date: April 2013 About CISSP-ISSMP The Information Systems Security Management Professional (ISSMP) is a CISSP who specializes in establishing, presenting, and governing
More informationSECURITY & PRIVACY DOCUMENTATION
Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive
More informationTrack 4: Session 6 Cybersecurity Program Review
Track 4: Session 6 Cybersecurity Program Review Challenges in Implementing an Agency-wide Adv Metering System: IT Security & Support Needs Karen Curran GSA Office of Facilities Management Energy Division
More informationThe HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information
The HITRUST CSF A Revolutionary Way to Protect Electronic Health Information June 2015 The HITRUST CSF 2 Organizations in the healthcare industry are under immense pressure to improve quality, reduce complexity,
More informationNCSF Foundation Certification
NCSF Foundation Certification Overview This ACQUIROS accredited training program is targeted at IT and Cybersecurity professionals looking to become certified on how to operationalize the NIST Cybersecurity
More informationManchester Metropolitan University Information Security Strategy
Manchester Metropolitan University Information Security Strategy 2017-2019 Document Information Document owner Tom Stoddart, Information Security Manager Version: 1.0 Release Date: 01/02/2017 Change History
More informationISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION
ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION Cathy Bates Senior Consultant, Vantage Technology Consulting Group January 30, 2018 Campus Orientation Initiative and Project Orientation Project
More informationLeveraging FISMA Guidance to Support an Effective Risk Management Strategy to Secure IT Systems and Meet Regulatory Requirements.
Leveraging FISMA Guidance to Support an Effective Risk Management Strategy to Secure IT Systems and Meet Regulatory Requirements. Thomas Chimento Ph.D., CISSP, CCE, CISA Product Manager Webroot Software
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Host Intrusion The Host Intrusion employs a response to a perceived incident of interference on a host-based system
More informationIntroduction to AWS GoldBase
Introduction to AWS GoldBase A Solution to Automate Security, Compliance, and Governance in AWS October 2015 2015, Amazon Web Services, Inc. or its affiliates. All rights reserved. Notices This document
More informationVol. 1 Technical RFP No. QTA0015THA
General Services Administration (GSA) Enterprise Infrastructure Solutions (EIS) Core Infrastructure IPSS Concept of Operations Per the IPSS requirements, we provide the ability to capture and store packet
More informationSYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security
SYMANTEC: SECURITY ADVISORY SERVICES Symantec Security Advisory Services The World Leader in Information Security Knowledge, as the saying goes, is power. At Symantec we couldn t agree more. And when it
More informationExternal Supplier Control Obligations. Cyber Security
External Supplier Control Obligations Cyber Security Control Title Control Description Why this is important 1. Cyber Security Governance The Supplier must have cyber risk governance processes in place
More informationMapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective
Mapping Your Requirements to the NIST Cybersecurity Framework Industry Perspective 1 Quest has the solutions and services to help your organization identify, protect, detect, respond and recover, better
More informationAccelerate Your Enterprise Private Cloud Initiative
Cisco Cloud Comprehensive, enterprise cloud enablement services help you realize a secure, agile, and highly automated infrastructure-as-a-service (IaaS) environment for cost-effective, rapid IT service
More informationRisk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23
Risk: Security s New Compliance Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23 Agenda Market Dynamics Organizational Challenges Risk: Security s New Compliance
More informationCriminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud
Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Introduction The Criminal Justice Information Security (CJIS) Policy is a publically accessible document that contains
More informationCOMPLIANCE IN THE CLOUD
COMPLIANCE IN THE CLOUD 3:45-4:30PM Scott Edwards, President, Summit 7 Dave Harris Society for International Affairs COMPLIANCE IN THE CLOUD Scott Edwards scott.edwards@summit7systems.com 256-541-9638
More informationComputer Security Incident Response Plan. Date of Approval: 23-FEB-2014
Computer Security Incident Response Plan Name of Approver: Mary Ann Blair Date of Approval: 23-FEB-2014 Date of Review: 31-MAY-2016 Effective Date: 23-FEB-2014 Name of Reviewer: John Lerchey Table of Contents
More informationCertified Information Systems Auditor (CISA)
Certified Information Systems Auditor (CISA) 1. Domain 1 The Process of Auditing Information Systems Provide audit services in accordance with IT audit standards to assist the organization in protecting
More informationDATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI
DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI EXECUTIVE SUMMARY The shortage of cybersecurity skills Organizations continue to face a shortage of IT skill
More informationThe Common Controls Framework BY ADOBE
The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.
More informationNew Guidance on Privacy Controls for the Federal Government
New Guidance on Privacy Controls for the Federal Government IAPP Global Privacy Summit 2012 March 9, 2012 Dr. Ron Ross Computer Security Division, NIST Martha Landesberg, J.D., CIPP/US The Privacy Office,
More informationApplication for Certification
Application for Certification Requirements to Become a Certified Information Security Manager To become a Certified Information Security Manager (CISM), an applicant must: 1. Score a passing grade on the
More information