An Introduction to Department of Defense IA Certification and Accreditation Process (DIACAP)
Solutions Built On Security

Prepared for the IT Security Community and our Customers
Prepared by Lunarline, Inc., I ST, NW, Suite 500, Washington, DC
March 2006
By Mike Bendel
Table of Contents

1. Purpose
2. DIACAP Defined
3. The Net-Centric Data Strategy
4. Global Information Grid (GIG)
5. DIACAP and GIG
6. Mission Assurance Categories (MACs)
7. Confidentiality Levels (CLs)
8. Mission Assurance Categories (MACs) & Confidentiality Levels (CLs)
9. MAC, CL, & Information Assurance (IA) Controls
10. IA Control Examples
11. The DIACAP Knowledge Service (KS)
12. Enterprise Mission Assurance Support Services (emass)
13. DIACAP Roles & Responsibilities
14. The DIACAP Enterprise Governance Structure
15. The DIACAP Process Stages & Phase One
16. The DIACAP Process: Phase Two
17. The DIACAP ScoreCard
18. The DIACAP Process: Phase Three
19. The DIACAP Process: Phase Four
20. The DIACAP Process: Phase Five
21. The DIACAP Process: Summarized
22. Transition to DIACAP
23. Transition Timeline and Instructions
24. DITSCAP & DIACAP Compared
APPENDIX A: REFERENCES

List of Tables

Table 1: MAC Levels
Table 2: CL Levels
Table 3: IA Control Subject Areas
Table 4: Minimum Required Baseline Scores
Table 5: DIACAP Phase Review
Table 6: Phases: DIACAP vs. DITSCAP
Table 7: DIACAP & DITSCAP Compared

Table of Figures

Figure 1: The emass Welcome Page
Figure 2: Register the IA Program
Figure 3: The emass System Page
Figure 4: The DIACAP ScoreCard
1. Purpose

The purpose of this article is to give an overview of the new Department of Defense IA Certification and Accreditation Process (DIACAP) and two associated Web-based services: the DIACAP Knowledge Service (KS) and the Enterprise Mission Assurance Support Service (emass).

2. DIACAP Defined

DIACAP, based on DoDI 8510.bb, is a new process for the Certification and Accreditation (C&A) of all Department of Defense (DoD) information systems (IS) and for determining whether these systems should be authorized to operate. It cancels DoDI and DoD M and replaces DITSCAP. DIACAP is the latest method for identifying, implementing, and validating information assurance controls and for managing information assurance posture across DoD information systems consistent with the Federal Information Security Management Act (FISMA). DIACAP is also a guide for compliance with the Global Information Grid (GIG).

DIACAP is a dynamic process in which IA posture is reviewed not less than annually. It has a DoD enterprise C&A decision structure and implements enterprise-level baseline IA Controls based on the IS Mission Assurance Category (MAC) and Confidentiality Level (CL). IA Controls may be augmented at the DoD Component level and at the IS level. DIACAP places the responsibility for establishing DIACAP objectives, context, and decision structure on the DoD Senior Information Assurance Official (SIAO) and the Principal Approving Authority (PAA) representatives. Compliance with assigned IA Controls and the IS C&A decision status are conveyed by the DIACAP Scorecard.

DIACAP assigns, implements, and validates DoDI standardized IA Controls and manages IA posture across DoD information systems consistent with DoD regulatory policy (IA 8500 series) and legislative policy (FISMA). It provides for the availability of C&A status of DoD information systems across the GIG and supports the transition to GIG standards, e.g., from fixed system boundaries to a net-centric environment.

3. The Net-Centric Data Strategy

The Net-Centric Data Strategy (May 9, 2003) is a key enabler of the DoD's transformation. This Strategy provides the foundation for managing the Department's data in a net-centric environment, ensuring several things:

1) Data are visible, accessible, and understandable when needed and where needed to accelerate decision making.
2) Tagging of all data (intelligence, non-intelligence, raw, and processed) with metadata enables discovery by known and unanticipated users in the DoD.
3) All data is posted to shared spaces for users to access except when limited by security, policy, or regulations.
4) Organizing around Communities of Interest (COIs) that are supported by Warfighter, Business, and Intelligence Domains.

4. Global Information Grid (GIG)

What is the Global Information Grid (GIG)? The GIG comprises a seamless and secure end-to-end IA Architecture requiring shared enterprise services with streamlined management capabilities. The concept of individual systems will no longer exist. It encompasses DoD, the Intelligence Community (IC), Federal, industry, and international partnership communities.

The network-centric objectives of the GIG are based on an information sharing environment that empowers the user with the ability to securely access all relevant information and recognizes the individual user as an information source. Access privileges will be required in order to ensure information is available to those who need it and protected from those without appropriate privileges.

The GIG supports all Department of Defense, National Security and related Intelligence Community missions and functions in war and in peace. The GIG encompasses the globally interconnected, end-to-end set of information capabilities, associated processes and personnel for collecting, disseminating, distributing and managing information on demand by warfighters, policy makers and support personnel. The GIG enables the formation of dynamic communities of interest (COIs). In some circumstances, these COIs will be formed on short notice and may exist for a relatively short timeframe.

The GIG requires greatly enhanced IA solutions to support the paradigm shift from "need to know" to "need to share". Information sharing will require user access that crosses traditional system and classification boundaries. The GIG will permit provisional access to data for users not normally possessing access privileges, but who may need access in certain mission-critical situations. It will require that users, and perhaps even automated processes, have the ability to override data owner and originator security settings in support of operational need.

5. DIACAP and GIG

How is DIACAP related to the GIG? The DIACAP is a central component of the GIG IA C&A Strategy. DIACAP satisfies the need for a dynamic C&A process for the GIG and net-centric applications, which cannot be met with the current C&A methodology.

The DIACAP supports Information Systems transitioning to net-centric environments and GIG Standards by:

1. Ensuring uniformity of approach
2. Managing and disseminating Information Assurance design, implementation, validation, sustainment and approach
3. Being able to handle differing systems
4. Facilitating a dynamic environment

Information Assurance will be implemented with Information Assurance Controls as defined by DoDI and maintained through a DoD-wide configuration management process that considers the GIG architecture and risk assessments conducted at the DoD Component level in accordance with FISMA. The DIACAP will support the ongoing validation needed to maintain the Information Assurance posture of an Information System. DoD Component IA Programs are the primary method of supporting the DoD Information Assurance Program. The status of all systems in the DIACAP program will be available to all who have authorized access.

6. Mission Assurance Categories (MACs)

The Mission Assurance Category (MAC) reflects the importance of information relative to the achievement of DoD goals and objectives, especially concerning the Warfighter's combat mission. MACs are primarily used to determine the requirements for availability and integrity. The DoD has three defined mission assurance categories:

MAC I: Information that is determined to be vital to the operational readiness or mission effectiveness of deployed and contingency forces in terms of both content and timeliness.
MAC II: Information that is important to the support of deployed and contingency forces.
MAC III: Information that is necessary for the conduct of day-to-day business, but does not materially affect support to deployed or contingency forces in the short term.

Table 1 shows the required levels of integrity and availability for each MAC level.
Table 1: MAC Levels

    MAC      Integrity Level   Availability Level
    MAC I    High              High
    MAC II   High              Medium
    MAC III  Basic             Basic

7. Confidentiality Levels (CLs)

The Confidentiality Level (CL) measures a system's confidentiality requirements based on whether the system processes classified, sensitive, or public information. Table 2 maps each CL to its required level of confidentiality.

Table 2: CL Levels

    CL          Definition                                 Level Required
    Classified  Systems processing classified information  High
    Sensitive   Systems processing sensitive information   Medium
    Public      Systems processing public information      Basic

Since the CL measures the need for confidentiality, it is used to determine acceptable access factors, like requirements for individual security clearances or background investigations, access approvals and need-to-know determinations. Interconnection controls and approvals and the acceptable methods by which users may access the system are also determined by the CL of a system.

8. Mission Assurance Categories (MACs) & Confidentiality Levels (CLs)

MACs and CLs are independent; that is, a MAC I system may process public information and a MAC III system may process classified information. The nine combinations of mission assurance category and confidentiality level establish nine baseline IA levels that may coexist within the Global Information Grid (GIG):

MAC I, Classified
MAC I, Sensitive
MAC I, Public
MAC II, Classified
MAC II, Sensitive
MAC II, Public
MAC III, Classified
MAC III, Sensitive
MAC III, Public

9. MAC, CL, & Information Assurance (IA) Controls

A MAC and a CL are assigned to each DoD information system. Which IA controls are appropriate for a system is determined by the assigned MAC and CL. IA Controls are the baseline requirements for IA C&A and help ensure that the levels of confidentiality, integrity, and availability meet system security requirements. The MAC IA Controls focus on integrity and availability, while the CL IA Controls focus on confidentiality and integrity. Table 3 shows the IA control subject areas.

Table 3: IA Control Subject Areas

    Control  Subject Area Name                    # of Controls
    DC       Security Design & Configuration      31
    IA       Identification & Authentication      9
    EC       Enclave & Computing Environment      48
    EB       Enclave Boundary Defense             8
    PE       Physical & Environmental             27
    PR       Personnel                            7
    CO       Continuity                           24
    VI       Vulnerability & Incident Management

10. IA Control Examples

Examples of Confidentiality IA Controls

Identification and Authentication, IAGA-1 Group Identification and Authentication (NIST SP , IA-2): Group authenticators for application or network access may be used only in conjunction with an individual authenticator. Any use of group authenticators not based on the DoD PKI has been explicitly approved by the DAA.

Security Design and Configuration, DCAS-1 Acquisition Standards (NIST SP , SA-2): The acquisition of all IA and IA-enabled GOTS IT products is limited to products that have been evaluated by the NSA or in accordance with NSA-approved processes. The acquisition of all IA and IA-enabled COTS IT products is limited to products that have been evaluated or validated through one of the following sources: the International Common Criteria (CC), the NIAP Evaluation and Validation Program, or the FIPS validation program. Robustness requirements, the mission, and customer needs will enable an experienced information systems security engineer to recommend a Protection Profile, a particular evaluated product or a security target with the appropriate assurance requirements for a product to be submitted for evaluation.

Examples of Integrity IA Controls

Identification and Authentication, IAKM-2 Key Management (NIST SP , IA-2, IA-4, IA-5): Symmetric keys are produced, controlled and distributed using NSA-approved key management technology and processes. Asymmetric keys are produced, controlled, and distributed using DoD PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key.

Identification and Authentication, IATS-2 Token and Certificate Standards (NIST SP , IA-2): Identification and authentication is accomplished using the DoD PKI Class 3 or 4 certificate and hardware security token (when available) or an NSA-certified product.

Examples of Availability IA Controls

Security Design and Configuration, DCAR-1 Procedural Review (NIST SP , CA-2): An annual IA review is conducted that comprehensively evaluates existing policies and processes to ensure procedural consistency and to ensure that they fully support the goal of uninterrupted operations.

Security Design and Configuration, DCSD-1 IA Documentation (NIST SP , PS-2, PL-2): All appointments to required IA roles are established in writing, to include assigned duties and appointment criteria such as training, security clearance, and IT-designation. A System Security Plan is established that describes the technical, administrative, and procedural IA program and policies that govern the DoD information system, and identifies all IA personnel and specific IA requirements and objectives.

11. The DIACAP Knowledge Service (KS)

What is the DIACAP Knowledge Service (KS)? The KS is a Web-based, DoD PKI-enabled knowledge resource for DIACAP. It provides a wealth of tools, such as GIG IA C&A guidelines, diagrams, process maps, and documents, to support and aid in DIACAP execution. The KS is a collaboration workspace for the DIACAP user community to develop, share and post lessons learned and best practices. It is also a source for IA news and events and other IA-related information resources.

With the DIACAP KS, you can find the most current GIG IA C&A guidelines and determine which enterprise-level IA Controls apply to a given information system. The KS has implementation guidance, validation procedures and expected results for each DoDI IA Control. You can also hear about real-world experiences implementing DIACAP, get access to forms and templates and find out about the latest IA news. The DIACAP KS is available on-line without charge.

12. Enterprise Mission Assurance Support Services (emass)

What is Enterprise Mission Assurance Support Services (emass)? emass is a Web-based suite of integrated services for select core IA program management processes, the first of which is the implementation and management of C&A based on the requirements of the DIACAP. It is an OASD(NII) Research & Development Initiative designed to support the DoD 8500-series policy framework. It will support DCID 6/3 (Intelligence Community) and NIST SP /53 (Civil) in future iterations. It is considered a DoD Core Enterprise Services (CES) candidate for IA program management. It is an IATAC endeavor that is government owned, not proprietary.

The benefits of emass are automation, accountability, extensibility, and flexibility. emass creates a C&A package for the management of each registered information system. DoD PKI and auditing features enable monitoring of each transaction. emass is scalable to any enterprise, regardless of size and mission. It was designed to support multiple IA requirements types. emass will be available without charge for licensing or development upgrades; however, organizational investment is required for hardware, COTS software licenses and training.

The following three figures give an introduction to the emass interface.

Figure 1: The emass Welcome Page

Figure 2: Register the IA Program
Figure 3: The emass System Page

13. DIACAP Roles & Responsibilities

There are various roles and responsibilities within the DIACAP. The Designated Approval Authority (DAA) has the authority and ability to evaluate the mission, business cases, and budgetary needs for the system in view of the security risks. The DAA determines the acceptable level of residual risk and makes the authorization decision. The Information Assurance Manager (IAM)/Certification Authority (CA) manages the certification process. The IAM/CA performs a comprehensive evaluation of the technical and non-technical aspects of the certification effort, reports the status of the certification and recommends to the DAA whether to authorize the system. The Program Manager/System Manager (PM/SM) represents the interests of the system throughout its life cycle. The User Representative (UR) is concerned with system availability, integrity, and confidentiality as they relate to the system's mission. The Validation Tester tests the system against the IA Controls to ensure the system is compliant.

14. The DIACAP Enterprise Governance Structure

The DIACAP Enterprise Governance Structure is intended to synchronize and integrate DIACAP activities across all levels. The Governance Structure is comprised of three major elements: the accreditation structure, the configuration control and management (CCM) structure, and the C&A process administration and certification structure. The accreditation structure is aligned to GIG Mission Areas and addresses cross-cutting issues. In the configuration control and management structure, the DIACAP Technical Advisory Group (TAG) supports the KS content, including the IA Controls. In the C&A process administration and certification structure, the authority and responsibility for certification are vested in the DoD Component Senior IA Officials (SIAOs). SIAOs serve as the Certifying Authority (CA), and the CIO is responsible for administration of the overall C&A process.

15. The DIACAP Process Stages & Phase One

There are five phases that summarize DIACAP activities:

1. Initiate and Plan IA C&A;
2. Implement and Validate Assigned IA Controls;
3. Make Certification Determination & Accreditation Decisions;
4. Maintain Authority to Operate and Conduct Reviews; and
5. Decommission.

The five steps taken during the first phase are:

1. Register the System with DoD Component IA Program
2. Assign IA Controls
3. Assemble a DIACAP Team
4. Review DIACAP intent, and
5. Initiate IA Implementation Plan.

16. The DIACAP Process: Phase Two

The second DIACAP Phase is Implement and Validate. The three steps in this phase are:

1. Execute and Update IA Implementation Plan
2. Conduct Validation Activities, and
3. Compile Validation Results.

The following two Identification & Authentication controls are useful in the second and third steps of this phase:
Validating IA Controls (IAKM-2 Key Management): Production, Control, and Distribution of Asymmetric Keys (NIST SP , IA-5)

Validation Test: Review system documentation. Ensure that asymmetric keys, if utilized, are produced, controlled, and distributed using appropriate DoD PKI assurance level certificates and hardware security tokens that protect the user's private key (i.e., CAC). Record the results.
Test Preparation: Obtain system documentation addressing the production, control, and distribution of asymmetric keys.
Expected Results: Asymmetric keys utilize appropriate DoD PKI assurance level certificates and hardware security tokens.

Validating IA Controls (IAKM-2 Key Management): Symmetric Keys (NIST SP , IA-5)

Test Script: Review system documentation. Ensure that symmetric keys, if utilized, are produced, controlled and distributed using NSA-approved key management technology and processes. Record the results.
Test Preparation: Obtain system documentation addressing the production, control, and distribution of symmetric keys.
Expected Results: Symmetric keys are produced, controlled, and distributed using NSA-approved key management technology and processes.

The DIACAP Scorecard is an important tool for this stage of the DIACAP process because it shows the implemented and validated controls.

17. The DIACAP ScoreCard

The DIACAP ScoreCard is a summary report that shows the certified or accredited implementation status of a DoD information system's assigned IA Controls and supports or conveys the accreditation decision. The DIACAP ScoreCard is intended to convey information about the IA posture of the evaluated system in a format that can be easily understood by managers and can be easily exchanged electronically. The I-Assure implementation of the DIACAP ScoreCard is an automated client-side application that enables the assessor to evaluate the effectiveness of the controls in place for an IT system through a series of questions and answers.

Figure 4: The DIACAP ScoreCard

Also in the Implement and Validate DIACAP phase, it is important to compare the system's MAC and CL controls against standard minimum baseline requirements. This helps to measure the effectiveness of these controls in terms of confidentiality, integrity, and availability. The following table shows these minimum baseline scores:

Table 4: Minimum Required Baseline Scores

(Confidentiality is the required minimum baseline score for the CL; Integrity and Availability are the required minimum baseline scores for the MAC.)

    CL          MAC      Confidentiality  Integrity  Availability  Total Required Minimum Baseline Score
    Classified  MAC I
    Sensitive   MAC I
    Public      MAC I
    Classified  MAC II
    Sensitive   MAC II
    Public      MAC II
    Classified  MAC III
    Sensitive   MAC III
    Public      MAC III
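As an added illustration (not code from the paper, Lunarline, or the I-Assure ScoreCard), the following Python models how the MAC/CL assignment from Tables 1 and 2 and the per-control validation results of Phase Two roll up into a Scorecard-style summary: required C/I/A levels, compliance per focus area, the non-compliant controls that need a POA&M entry, and whether the annual review is overdue. The control names are the ones quoted in section 10; their statuses, findings and dates are constructed sample data, and the percentage is this example's own convention rather than a DIACAP scoring rule.

```python
"""Illustrative DIACAP Scorecard model (added example, not from the paper):
baseline IA level from Tables 1 and 2, validation tally, POA&M list, review age."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

# Table 1: MAC -> (integrity level, availability level)
MAC_LEVELS = {
    "MAC I": ("High", "High"),
    "MAC II": ("High", "Medium"),
    "MAC III": ("Basic", "Basic"),
}
# Table 2: CL -> required confidentiality level
CL_LEVELS = {"Classified": "High", "Sensitive": "Medium", "Public": "Basic"}
# Table 3 subject-area codes; a control name such as IAKM-2 begins with its area code
SUBJECT_AREAS = {
    "DC": "Security Design & Configuration", "IA": "Identification & Authentication",
    "EC": "Enclave & Computing Environment", "EB": "Enclave Boundary Defense",
    "PE": "Physical & Environmental", "PR": "Personnel", "CO": "Continuity",
    "VI": "Vulnerability & Incident Management",
}
FOCUS = ("confidentiality", "integrity", "availability")

class Status(Enum):
    COMPLIANT = "C"
    NON_COMPLIANT = "NC"
    NOT_APPLICABLE = "NA"

@dataclass(frozen=True)
class ValidationResult:
    control: str       # IA control name, e.g. "IAKM-2"
    focus: str         # which of confidentiality/integrity/availability the control serves
    status: Status
    finding: str = ""  # validator's note; carried into the POA&M when non-compliant

def baseline_ia_level(mac: str, cl: str) -> dict:
    """Return the baseline IA level name and the required C/I/A levels for a MAC/CL pair."""
    if mac not in MAC_LEVELS or cl not in CL_LEVELS:
        raise ValueError(f"unknown MAC/CL combination: {mac!r}, {cl!r}")
    integrity, availability = MAC_LEVELS[mac]
    return {"baseline": f"{mac}, {cl}", "confidentiality": CL_LEVELS[cl],
            "integrity": integrity, "availability": availability}

def subject_area(control: str) -> str:
    """Map a control name to its Table 3 subject area via the two-letter prefix."""
    code = control[:2].upper()
    if code not in SUBJECT_AREAS:
        raise ValueError(f"{control!r} has no known subject-area code")
    return SUBJECT_AREAS[code]

def build_scorecard(mac: str, cl: str, results: list, last_review: str, today: str) -> dict:
    """Summarise validation results the way a Scorecard conveys them.
    Compliance per focus is compliant / (compliant + non-compliant) in percent
    (this example's convention); N/A controls are excluded. The accreditation
    decision itself is the DAA's and is not computed here. Dates are ISO strings."""
    tally = {f: {s: 0 for s in Status} for f in FOCUS}
    poam = []  # non-compliant controls needing a Plan of Action and Milestones entry
    for r in results:
        if r.focus not in FOCUS:
            raise ValueError(f"{r.control}: unknown focus {r.focus!r}")
        tally[r.focus][r.status] += 1
        if r.status is Status.NON_COMPLIANT:
            poam.append({"control": r.control, "area": subject_area(r.control),
                         "finding": r.finding})
    compliance = {}
    for f in FOCUS:
        scored = tally[f][Status.COMPLIANT] + tally[f][Status.NON_COMPLIANT]
        compliance[f] = round(100 * tally[f][Status.COMPLIANT] / scored, 1) if scored else None
    # DIACAP requires the IA posture to be reviewed not less than annually
    elapsed = date.fromisoformat(today) - date.fromisoformat(last_review)
    return {
        "levels": baseline_ia_level(mac, cl),
        "compliance_pct": compliance,
        "poam": poam,
        "annual_review_overdue": elapsed > timedelta(days=365),
    }

# Constructed sample: the controls quoted in section 10 with made-up validation outcomes
SAMPLE_RESULTS = [
    ValidationResult("IAGA-1", "confidentiality", Status.COMPLIANT),
    ValidationResult("DCAS-1", "confidentiality", Status.COMPLIANT),
    ValidationResult("IAKM-2", "integrity", Status.NON_COMPLIANT,
                     "symmetric keys not managed with NSA-approved key management"),
    ValidationResult("IATS-2", "integrity", Status.COMPLIANT),
    ValidationResult("DCAR-1", "availability", Status.NON_COMPLIANT,
                     "no annual procedural review on record"),
    ValidationResult("DCSD-1", "availability", Status.NOT_APPLICABLE),
]

if __name__ == "__main__":
    card = build_scorecard("MAC II", "Sensitive", SAMPLE_RESULTS, "2005-01-15", "2006-03-01")
    for key, value in card.items():
        print(f"{key}: {value}")
```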
18. The DIACAP Process: Phase Three

C&A decisions are made during the third DIACAP phase. The three steps in this stage are:

1. Analyze Residual Risk
2. Issue Certification Determination
3. Make Accreditation Decisions.

The Analyze Residual Risk step is performed by the IAM or the CA. They assess residual risk to the DoD Component information environment, to the information exposed to the DoD information system, and to the mission being supported by the DoD information system. The DAA makes an accreditation decision based on a review of the materials in the DIACAP package and recommendations from the IAM/CA.

Example contents of a DIACAP Package:

- System Identification Profile
- DIACAP Strategy
- IA Implementation Plan
- DIACAP Scorecard
- Certification Determination
- DIACAP Plan of Actions and Milestones (POA&M), as required
- Accreditation Decision
- Artifacts and Evidence of Compliance

There are four possible accreditation decisions:

1. Approval to Operate (ATO)
2. Interim Approval to Operate (IATO)
3. Interim Approval to Test (IATT), and
4. Denial of Approval to Operate (DATO).

When an ATO is given, a DoD information system is authorized by a DAA to process, store, or transmit information. Authorization is based on an acceptable IA design and implementation of assigned IA Controls. An IATO is a temporary approval granted by a DAA to operate based on an assessment of the implementation status of the assigned IA Controls. An IATT is a temporary approval granted by a DAA to conduct system testing based on an assessment of the implementation status of the assigned IA Controls. A DATO is a DAA determination that a DoD information system cannot operate because of an inadequate IA design or failure to implement assigned IA Controls.

19. The DIACAP Process: Phase Four

The fourth DIACAP stage is Maintain ATO/Reviews. The four steps in this phase are:

1. Initiate and Update Lifecycle Implementation
2. Plan for IA Controls
3. Maintain Situational Awareness, and
4. Maintain IA Posture.

Types of Phase 4 Activities:

1. Exercise configuration management of the IA Controls Implementation Plan for the operational system, which permits IT component swaps and minor software releases.
2. Incorporate any new or modified IA Controls into the IA Implementation Plan, or any corrections of other identified security vulnerabilities.
3. Update the DIACAP Package and IA Controls Scorecard.
4. Conduct monitoring as specified in the IA Implementation Plan.
5. Conduct vulnerability scans and penetration tests.
6. Re-verify identified IA Controls.
7. Validate continued compliance with necessary IA Controls and the IA Controls Scorecard.

20. The DIACAP Process: Phase Five

The fifth and final DIACAP process stage, the Decommission Stage, has one important step: disposition of the DIACAP registration information and system-related data. In the Decommission Stage, the DIACAP registration information and system-related data or objects in the GIG supporting IA infrastructure and core enterprise services are securely disposed of.
21. The DIACAP Process: Summarized

The following table summarizes the DIACAP phases and the steps in each phase:

Table 5: DIACAP Phase Review

    Phase                 Steps
    Initiate & Plan       Register the System with DoD Component IA Program; Assign IA Controls; Assemble a DIACAP Team; Review DIACAP intent; Initiate IA Implementation Plan
    Implement & Validate  Execute and Update IA Implementation Plan; Conduct Validation Activities; Compile Validation Results
    Make C&A Decisions    Analyze Residual Risk; Issue Certification Determination; Make Accreditation Decisions
    Maintain ATO/Reviews  Initiate and Update Lifecycle Implementation Plan for IA Controls; Maintain Situational Awareness; Maintain IA Posture
    Decommission          Disposition of DIACAP Registration Information & System-Related Data

22. Transition to DIACAP

Why is the DoD changing from DITSCAP to DIACAP at this time? The DoD is transforming its information security posture in response to changes in Information Technology (IT) and Federal requirements and guidelines. There have been many changes in the way the DoD acquires, uses, and operates IT. In addition, Title III of the E-Government Act, the Federal Information Security Management Act (FISMA), requires Federal departments and agencies to develop, document, and implement an organization-wide program to provide information assurance. DIACAP ensures DoD C&A is consistent with FISMA, DoDD and DoDI.

23. Transition Timeline and Instructions

The current draft of DoDI 8510.bb provides a timeline and instructions for the transition from DITSCAP to DIACAP. DIACAP should be immediately initiated for unaccredited new-start or operational information systems. Transition actions and timelines for a system that is currently under DITSCAP vary depending on the DITSCAP phase and the status of the SSAA, the DITSCAP Accreditation Decision, and the incorporation of 8500 IA controls. Under specific circumstances, a system may continue under DITSCAP and be granted an Accreditation Decision under DITSCAP, while development of a DIACAP transition plan and schedule is required. If a system has a DITSCAP ATO more than three years old, DIACAP should be initiated.

24. DIACAP & DITSCAP Compared

Table 6 shows how the DIACAP phases differ from the DITSCAP phases.

Table 6: Phases: DIACAP vs. DITSCAP

    DIACAP                                                      DITSCAP
    Initiate & Plan IA C&A                                      Definition
    Implement & Validate IA Controls                            Verification
    Make Certification Determination & Accreditation Decision   Validation
    IATO/ATO                                                    IATO/ATO
    Maintain ATO                                                Post-Accreditation

Table 7 shows some of the differences between DIACAP and DITSCAP.

Table 7: DIACAP & DITSCAP Compared

    DIACAP:  All systems inherit enterprise standards and requirements
    DITSCAP: Security requirements and standards uniquely determined by each system

    DIACAP:  Certification Authority is a qualified, resourced, and permanent member of CIO staff
    DITSCAP: DAA and Certifier selected by/for each system

    DIACAP:  No pre-defined phases. Each system works to a plan that aligns to the system life cycle
    DITSCAP: Policy advocated tailoring, but process was hard-coded to phases

    DIACAP:  Accreditation status communicated by assigned IA Controls compliance ratings and letter and status code (ATO, IATO, IATT, DATO) in DIACAP Scorecard
    DITSCAP: Accreditation status communicated via letter and status code (ATO, IATO) in SSAA

    DIACAP:  Automated tools, enterprise-managed KS, requirements tied to architecture
    DITSCAP: No process improvement

    DIACAP:  ATO means security risk is at an acceptable level to support mission and live data
    DITSCAP: Inaccurate association of ATO with perfect and unchanging security

    DIACAP:  Continuous, asynchronous monitoring; reviewed not less than annually; FISMA reporting
    DITSCAP: Fire-and-forget accreditation; 3-year white-glove inspection reaccreditation
APPENDIX A: REFERENCES

DIACAP KB: DIACAP Knowledge Base Overview. Briefing. Washington, DC: DoD PKI C&A Working Group, March.
DoDI 8510.bb: Defense Information Assurance Certification and Accreditation Process (DIACAP). DoD Instruction 8510.bb. Washington, DC: U.S. Department of Defense, draft.
DoD 8510.b-M: Defense Information Assurance Certification and Accreditation Process (DIACAP) Manual, Draft Annotated Outline. DoD 8510.b-M. Washington, DC: U.S. Department of Defense, draft.
emass: emass Overview. Briefing. Washington, DC: DoD PKI C&A Working Group, March.
GiG IA: GIG IA Strategy (Draft). Fort Meade, MD: National Security Agency (NSA) Information Assurance Directorate, June.
USC 3542: Public Printing and Documents, Chapter 35, Coordination of Federal Information Policy, Subchapter III, Information Security. U.S. Code 44, Section 3542. Washington, DC: U.S. Congress.
NIST Special Publication (SP): National Institute of Standards and Technology Special Publication , Recommended Security Controls for Federal Information Systems, February.
FIPS 199: Standards for Security Categorization of Federal Information and Information Systems. FIPS 199. Washington, DC: U.S. National Institute of Standards and Technology.
FIPS 201: Federal Information Processing Standards Publication 201, Personal Identity Verification for Federal Employees and Contractors, February.
OMB A-130, Appendix III: Office of Management and Budget, Circular A-130, Appendix III, Transmittal Memorandum #4, Management of Federal Information Resources, Nov.
FISMA, 2002: Federal Information Security Management Act (FISMA). Washington, DC: U.S. Congress.
DoD Acquisition Guidebook: DoD Acquisition Guidebook. Washington, DC: U.S. Department of Defense.
DoDI: Operation of the Defense Acquisition System. DoD Instruction. Washington, DC: U.S. Department of Defense.
DoD M: National Industrial Security Program Operating Manual (NISPOM). DoD Manual. Washington, DC: U.S. Department of Defense.
DoDD: Information Assurance. DoD Directive. Washington, DC: U.S. Department of Defense.
DoDI: Information Assurance Implementation. DoD Instruction. Washington, DC: U.S. Department of Defense, 2003.
More informationFedRAMP: Understanding Agency and Cloud Provider Responsibilities
May 2013 Walter E. Washington Convention Center Washington, DC FedRAMP: Understanding Agency and Cloud Provider Responsibilities Matthew Goodrich, JD FedRAMP Program Manager US General Services Administration
More informationRisk Management Framework for DoD Medical Devices
Risk Management Framework for DoD Medical Devices Session 136, March 7, 2018 Lt. Col. Alan Hardman, Chief Operations Officer, Cyber Security Division, Office of the DAD IO/J-6 William Martin, Deputy of
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Signature Repository A Signature Repository provides a group of signatures for use by network security tools such
More informationFISMA Compliance and the Search for Security. Tim Murray NES Associates February 5, 2008
FISMA Compliance and the Search for Security Tim Murray NES Associates February 5, 2008 Agenda What is FISMA? What do I REALLY have to do? How can technology help my organization meet FISMA requirements
More informationFedRAMP Security Assessment Framework. Version 2.0
FedRAMP Security Assessment Framework Version 2.0 June 6, 2014 Executive Summary This document describes a general Security Assessment Framework (SAF) for the Federal Risk and Authorization Management
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Deployment Deployment is the phase of the system development lifecycle in which solutions are placed into use to
More informationStudent Guide Course: Introduction to the NISP Certification and Accreditation Process
Course: Introduction to the NISP Certification and Accreditation Process Lesson 1: Course Introduction Course Information Purpose Audience Pass/Fail % 75% Estimated completion time Provides training on
More informationTest & Evaluation of the NR-KPP
Defense Information Systems Agency Test & Evaluation of the NR-KPP Danielle Mackenzie Koester Chief, Engineering and Policy Branch March 15, 2011 2 "The information provided in this briefing is for general
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS IA Policies, Procedures, The Information Assurance (IA) Policies, Procedures, encompasses existing policies, procedures,
More informationSAC PA Security Frameworks - FISMA and NIST
SAC PA Security Frameworks - FISMA and NIST 800-171 June 23, 2017 SECURITY FRAMEWORKS Chris Seiders, CISSP Scott Weinman, CISSP, CISA Agenda Compliance standards FISMA NIST SP 800-171 Importance of Compliance
More informationAgency Guide for FedRAMP Authorizations
How to Functionally Reuse an Existing Authorization Version 1.0 August 5, 2015 Revision History Date Version Page(s) Description Author 08/05/2015 1.0 All Initial Publication FedRAMP PMO 06/06/2017 1.0
More informationNIST Security Certification and Accreditation Project
NIST Security Certification and Accreditation Project An Integrated Strategy Supporting FISMA Dr. Ron Ross Computer Security Division Information Technology Laboratory 1 Today s Climate Highly interactive
More informationFiscal Year 2013 Federal Information Security Management Act Report
U.S. ENVIRONMENTAL PROTECTION AGENCY OFFICE OF INSPECTOR GENERAL Fiscal Year 2013 Federal Information Security Management Act Report Status of EPA s Computer Security Program Report. 14-P-0033 vember 26,
More informationContinuous Monitoring & Security Authorization XACTA IA MANAGER: COST SAVINGS AND RETURN ON INVESTMENT IA MANAGER
Continuous Monitoring & Security Authorization XACTA IA MANAGER: COST SAVINGS AND RETURN ON INVESTMENT IA MANAGER Continuous Monitoring & Security Authorization >> TOTAL COST OF OWNERSHIP Xacta IA Manager
More informationRISK MANAGEMENT FRAMEWORK COURSE
RISK MANAGEMENT FRAMEWORK COURSE Secure Managed Instructional Systems, LLC Consulting Training Staffing Support 3350 Riverview Pkwy Suite 1900 * Atlanta, Georgia 30339 * Phone: 800-497-3376 * Email: semais@semais.net.*
More informationUNCLASSIFIED. FY 2016 Base FY 2016 OCO
Exhibit R-2, RDT&E Budget Item Justification: PB 2016 Defense Security Service Date: February 2015 0400: Research, Development, Test & Evaluation, Defense-Wide / BA 7: Operational Systems Development COST
More informationCYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA
CYBER SECURITY BRIEF Presented By: Curt Parkinson DCMA September 20, 2017 Agenda 2 DFARS 239.71 Updates Cybersecurity Contracting DFARS Clause 252.204-7001 DFARS Clause 252.239-7012 DFARS Clause 252.239-7010
More informationFedRAMP Security Assessment Framework. Version 2.1
FedRAMP Security Assessment Framework Version 2.1 December 4, 2015 Executive Summary This document describes a general Security Assessment Framework (SAF) for the Federal Risk and Authorization Management
More informationINTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE ASIA/PAC RECOMMENDED SECURITY CHECKLIST
INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE Aeronautical Telecommunication Network Implementation Coordination Group (ATNICG) ASIA/PAC RECOMMENDED SECURITY CHECKLIST September 2009
More informationThis is to certify that. Chris FitzGerald. has completed the course. Systems Security Engineering _eng 2/10/08
This is to certify that Chris FitzGerald has completed the course Systems Security Engineering - 206760_eng on 2/10/08 Systems Security Engineering About This Course Overview/Description To define the
More informationDoes a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?
Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? A brief overview of security requirements for Federal government agencies applicable to contracted IT services,
More informationSolutions Technology, Inc. (STI) Corporate Capability Brief
Solutions Technology, Inc. (STI) Corporate Capability Brief STI CORPORATE OVERVIEW Located in the metropolitan area of Washington, District of Columbia (D.C.), Solutions Technology Inc. (STI), women owned
More informationManaged Trusted Internet Protocol Service (MTIPS) Enterprise Infrastructure Solutions (EIS) Risk Management Framework Plan (RMFP)
Enterprise Infrastructure Solutions Volume 1 Technical Volume EIS MTIPS Risk Management Framework Plan Managed Trusted Internet Protocol Service (MTIPS) Enterprise Infrastructure Solutions (EIS) Risk Management
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Host Intrusion The Host Intrusion employs a response to a perceived incident of interference on a host-based system
More informationLeveraging FISMA Guidance to Support an Effective Risk Management Strategy to Secure IT Systems and Meet Regulatory Requirements.
Leveraging FISMA Guidance to Support an Effective Risk Management Strategy to Secure IT Systems and Meet Regulatory Requirements. Thomas Chimento Ph.D., CISSP, CCE, CISA Product Manager Webroot Software
More informationGuide to Understanding FedRAMP. Version 2.0
Guide to Understanding FedRAMP Version 2.0 June 6, 2014 Executive Summary The Federal Risk and Authorization Management Program (FedRAMP) provides a costeffective, risk-based approach for the adoption
More informationAppendix 12 Risk Assessment Plan
Appendix 12 Risk Assessment Plan DRAFT December 13, 2006 Revision XX Qwest Government Services, Inc. 4250 North Fairfax Drive Arlington, VA 22203 A12-1 RFP: TQC-JTB-05-0001 December 13, 2006 REVISION HISTORY
More informationSynergistic Efforts Between Financial Audit and Cyber Security
DEPARTMENT OF THE NAVYCHIEF INFORMATION OFFICER Synergistic Efforts Between Financial Audit and Cyber Security Amira Tann, DON CIO IT Audit Readiness Lead Danny Chae, ASM FMC FMP IT Controls Lead June
More informationMapping of FedRAMP Tailored LI SaaS Baseline to ISO Security Controls
Mapping of FedRAMP Tailored LI SaaS Baseline to ISO 27001 Security Controls This document provides a list of all controls that require the Cloud Service Provider, Esri, to provide detailed descriptions
More informationInformation Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV
Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf
More informationAppendix 12 Risk Assessment Plan
Appendix 12 Risk Assessment Plan DRAFT March 5, 2007 Revision XX Qwest Government Services, Inc. 4250 North Fairfax Drive Arlington, VA 22203 A12-i RFP: TQC-JTB-05-0002 March 5, 2007 REVISION HISTORY Revision
More informationDepartment of Defense INSTRUCTION
Department of Defense INSTRUCTION NUMBER 8551.1 August 13, 2004 ASD(NII)/DoD CIO SUBJECT: Ports, Protocols, and Services Management (PPSM) References: (a) DoD Directive 8500.1, "Information Assurance (IA),"
More informationIntroduction to the Federal Risk and Authorization Management Program (FedRAMP)
Introduction to the Federal Risk and Authorization Management Program (FedRAMP) 8/2/2015 Presented by: FedRAMP PMO 1 Today s Training Welcome! This training session is part one of the FedRAMP Training
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Port Security Port Security helps to control access to logical and physical ports, protocols, and services. This
More informationCertification Exam Outline Effective Date: September 2013
Certification Exam Outline Effective Date: September 2013 About CAP The Certified Authorization Professional (CAP) is an information security practitioner who champions system security commensurate with
More informationInformation Security Continuous Monitoring (ISCM) Program Evaluation
Information Security Continuous Monitoring (ISCM) Program Evaluation Cybersecurity Assurance Branch Federal Network Resilience Division Chad J. Baer FNR Program Manager Chief Operational Assurance Agenda
More informationNew York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines
New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities
More informationISC2. Exam Questions CAP. ISC2 CAP Certified Authorization Professional. Version:Demo
ISC2 Exam Questions CAP ISC2 CAP Certified Authorization Professional Version:Demo 1. Which of the following are the goals of risk management? Each correct answer represents a complete solution. Choose
More informationProgram Review for Information Security Management Assistance. Keith Watson, CISSP- ISSAP, CISA IA Research Engineer, CERIAS
Program Review for Information Security Management Assistance Keith Watson, CISSP- ISSAP, CISA IA Research Engineer, CERIAS Disclaimer and Purpose PRISMA, FISMA, and NIST, oh my! PRISMA versus an Assessment
More informationCIS 444: Computer. Networking. Courses X X X X X X X X X
4012 Points Courses * = Can include a summary justification for that section. FUNCTION 1 - GRANT FINAL ATO A. Responsibilities 1. Aspects of Security *Explain the importance of SSM role in (IA) 2. Accreditation
More informationExecutive Order 13556
Briefing Outline Executive Order 13556 CUI Registry 32 CFR, Part 2002 Understanding the CUI Program Phased Implementation Approach to Contractor Environment 2 Executive Order 13556 Established CUI Program
More informationEnsuring System Protection throughout the Operational Lifecycle
Ensuring System Protection throughout the Operational Lifecycle The global cyber landscape is currently occupied with a diversity of security threats, from novice attackers running pre-packaged distributed-denial-of-service
More informationSecurity Management Models And Practices Feb 5, 2008
TEL2813/IS2820 Security Management Security Management Models And Practices Feb 5, 2008 Objectives Overview basic standards and best practices Overview of ISO 17799 Overview of NIST SP documents related
More informationExhibit A1-1. Risk Management Framework
Appendix B presents the deliverables produced during the execution of the risk management approach to achieve the assessment and authorization process. The steps required by the risk management framework
More informationSTUDENT GUIDE Risk Management Framework Step 1: Categorization of the Information System
Slide 1 RMF Overview RMF Module 1 RMF takes into account the organization as a whole, including strategic goals and objectives and relationships between mission/business processes, the supporting information
More informationInteragency Advisory Board Meeting Agenda, December 7, 2009
Interagency Advisory Board Meeting Agenda, December 7, 2009 1. Opening Remarks 2. FICAM Segment Architecture & PIV Issuance (Carol Bales, OMB) 3. ABA Working Group on Identity (Tom Smedinghoff) 4. F/ERO
More informationDepartment of Defense Fiscal Year (FY) 2013 IT President's Budget Request Defense Technical Information Center Overview
Mission Area Department of Defense Business System Breakout Appropriation All Other Resources 19.083 EIEMA 19.083 RDT&E 19.083 FY 2013 ($M) FY 2013 ($M) FY 2013 ($M) FY12 to FY13 Comparision ($M) FY2012
More informationCourses. X E - Verify that system acquisitions policies and procedures include assessment of risk management policies X X
4016 Points * = Can include a summary justification for that section. FUNCTION 1 - INFORMATION SYSTEM LIFE CYCLE ACTIVITIES Life Cycle Duties No Subsection 2. System Disposition/Reutilization *E - Discuss
More informationTEL2813/IS2820 Security Management
TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management
More informationFedRAMP Digital Identity Requirements. Version 1.0
FedRAMP Digital Identity Requirements Version 1.0 January 31, 2018 DOCUMENT REVISION HISTORY DATE VERSION PAGE(S) DESCRIPTION AUTHOR 1/31/2018 1.0 All Initial document FedRAMP PMO i ABOUT THIS DOCUMENT
More informationFiXs - Federated and Secure Identity Management in Operation
FiXs - Federated and Secure Identity Management in Operation Implementing federated identity management and assurance in operational scenarios The Federation for Identity and Cross-Credentialing Systems
More informationContemporary Challenges for Cloud Service Providers Seeking FedRAMP Compliance
Contemporary Challenges for Cloud Service Providers Seeking FedRAMP Compliance July 2017 Jeff Roth, CISSP-ISSEP, CISA, CGEIT, QSA Regional Director NCC Group Agenda FedRAMP - Foundations/Frameworks Cloud
More informationTREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION
TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION Treasury Inspector General for Tax Administration Federal Information Security Management Act November 10, 2010 Reference Number: 2011-20-003 This report
More informationAnnex 1 to NIST Special Publication Recommended Security Controls for Federal Information Systems
Annex 1 to NIST Special Publication 800-53 Recommended Security Controls for Federal Information Systems Minimum Security Controls Low Baseline AC-1 ACCESS CONTROL POLICY AND PROCEDURES The organization
More informationIT-CNP, Inc. Capability Statement
Securing America s Infrastructure Security Compliant IT Operations Hosting Cyber Security Information FISMA Cloud Management Hosting Security Compliant IT Logistics Hosting 1 IT-CNP, Inc. is a Government
More informationNational Information Assurance Partnership (NIAP) 2017 Report. PPs Completed in CY2017
National Information Assurance Partnership (NIAP) 2017 Report NIAP continued to grow and make a difference in 2017 from increasing the number of evaluated products available for U.S. National Security
More informationManTech Advanced Systems International 2018 Security Training Schedule
ManTech Advanced Systems International 2018 Security Training Schedule Risk Management Framework Course Dates Course Location Course Cost February 12 15, 2018 Las Vegas, NV $1,950.00 March 12 15, 2018
More informationIASM Support for FISMA
Introduction Most U.S. civilian government agencies, and commercial enterprises processing electronic data on behalf of those agencies, are concerned about whether and how Information Assurance products
More informationThe Common Controls Framework BY ADOBE
The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.
More informationMINIMUM SECURITY CONTROLS SUMMARY
APPENDIX D MINIMUM SECURITY CONTROLS SUMMARY LOW-IMPACT, MODERATE-IMPACT, AND HIGH-IMPACT INFORMATION SYSTEMS The following table lists the minimum security controls, or security control baselines, for
More informationSafeguarding Unclassified Controlled Technical Information
Safeguarding Unclassified Controlled Technical Information (DFARS Case 2011-D039): The Challenges of New DFARS Requirements and Recommendations for Compliance Version 1 Authors: Justin Gercken, TSCP E.K.
More informationRisk Management Framework (RMF) 101 for Managers. October 17, 2017
Risk Management Framework (RMF) 101 for Managers October 17, 2017 DoD Risk Management Framework (RMF) Process DoDI 8510.01, Mar 2014 [based on NIST SP 800-37] Architecture Description Components Firmware
More informationManTech Advanced Systems International 2017 Security Training Schedule
ManTech Advanced Systems International 2017 Security Training Schedule Risk Management Framework Course Course Dates Course Location Course Cost October 16 19, 2017 Joint Base Anacostia-Bolling, Washington,
More informationVol. 1 Technical RFP No. QTA0015THA
General Services Administration (GSA) Enterprise Infrastructure Solutions (EIS) Core Infrastructure IPSS Concept of Operations Per the IPSS requirements, we provide the ability to capture and store packet
More informationHandbook Webinar
800-171 Handbook Webinar Pat Toth Cybersecurity Program Manager National Institute of Standards and Technology (NIST) Manufacturing Extension Partnership (MEP) NIST MEP 800-171 Assessment Handbook Step-by-step
More informationACHIEVING COMPLIANCE WITH NIST SP REV. 4:
ACHIEVING COMPLIANCE WITH NIST SP 800-53 REV. 4: How Thycotic Helps Implement Access Controls OVERVIEW NIST Special Publication 800-53, Revision 4 (SP 800-53, Rev. 4) reflects the U.S. federal government
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE Digital Policy Management consists of a set of computer programs used to generate, convert, deconflict, validate, assess
More informationREAD ME for the Agency ATO Review Template
READ ME for the Agency ATO Review Template Below is the template that the FedRAMP Program Management Office (PMO) uses when reviewing an Agency ATO package. Agencies and CSPs should be cautious to not
More informationDRAFT NATIONAL EDUCATION AND TRAINING STANDARD FOR SYSTEM CERTIFIERS
NSTISSI No. 4015 NATIONAL EDUCATION AND TRAINING STANDARD FOR SYSTEM CERTIFIERS THIS DOCUMENT PROVIDES MINIMUM STANDARDS. FURTHER IMPLEMENTATION MAY BE REQUIRED BY YOUR DEPARTMENT OR AGENCY National Security
More informationAnnex 3 to NIST Special Publication Recommended Security Controls for Federal Information Systems
Annex 3 to NIST Special Publication 800-53 Recommended Security Controls for Federal Information Systems Minimum Security Controls High Baseline Includes updates through 04-22-2005 AC-1 ACCESS CONTROL
More informationGSAW Information Assurance in Government Space Systems: From Art to Engineering
GSAW 2006 Information Assurance in Government Space Systems: From Art to Engineering Charles Lavine The Aerospace Corporation 310-336-1595 lavine@aero.org 1 Toward the Global Information Grid Toward the
More informationCritical Infrastructures and Cyber Protection Center (CICPC) Professional Development Programs. FISMA Compliance Review Program Sample Syllabus FISMA
Critical Infrastructures and Cyber Protection Center (CICPC) Professional Development Programs FISMA Compliance Review Program Sample Syllabus FISMA ICP-086-Pxx (class dates) Live on Weekdays Lunchbox
More informationInformation Technology Branch Organization of Cyber Security Technical Standard
Information Technology Branch Organization of Cyber Security Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 1 November 20, 2014 Approved:
More informationRED HAT ENTERPRISE LINUX 6 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW Version 1, Release 2. 3 June 2013
RED HAT ENTERPRISE LINUX 6 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW Version 1, Release 2 3 June 2013 Developed by Red Hat, NSA, and DISA for the DoD Trademark Information Names, products,
More informationDoDI IA Control Checklist - MAC 1-Classified. Version 1, Release March 2008
DoDI 8500-2 IA Control Checklist - MAC 1-Classified Version 1, Release 1.4 Developed by DISA for the DOD UNTILL FILLED IN CIRCLE ONE FOR OFFICIAL USE ONLY (mark each page) CONFIDENTIAL and SECRET (mark
More informationIntroduction to AWS GoldBase
Introduction to AWS GoldBase A Solution to Automate Security, Compliance, and Governance in AWS October 2015 2015, Amazon Web Services, Inc. or its affiliates. All rights reserved. Notices This document
More informationDFARS Cyber Rule Considerations For Contractors In 2018
Portfolio Media. Inc. 111 West 19 th Street, 5th Floor New York, NY 10011 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com DFARS Cyber Rule Considerations For Contractors
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Network Boundary and The Network Boundary and for an Enterprise is essential; it provides for an understanding of
More informationProtecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations
Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations January 9 th, 2018 SPEAKER Chris Seiders, CISSP Security Analyst Computing Services and Systems Development
More informationDIACAP IA CONTROLS. Requirements Document. Sasa Basara University of Missouri-St. Louis
DIACAP IA CONTROLS Requirements Document 10.13.2015 Sasa Basara University of Missouri-St. Louis 1 1 University Blvd St. Louis, MO 63121 Overview This task is creating threshold (shall) requirements for
More informationBuilding Secure Systems
Building Secure Systems Antony Selim, CISSP, P.E. Cyber Security and Enterprise Security Architecture 13 November 2015 Copyright 2015 Raytheon Company. All rights reserved. Customer Success Is Our Mission
More informationmanner. IOPA conducts its reviews in conformance with Government Auditing Standards issued by the Comptroller General of the United States.
PCAOB Public Company Accounting Oversight Board 1666 K Street, N.W. Washington, DC 20006 Telephone: (202) 207-9100 Facsimile: (202) 862-8430 www.pcaobus.org The Honorable Christopher Cox Chairman Securities
More informationFISMA Cybersecurity Performance Metrics and Scoring
DOT Cybersecurity Summit FISMA Cybersecurity Performance Metrics and Scoring Office of the Federal Chief Information Officer, OMB OMB Cyber and National Security Unit, OMBCyber@omb.eop.gov 2. Cybersecurity
More informationCybersecurity Risk Management
Cybersecurity Risk Management NIST Guidance DFARS Requirements MEP Assistance David Stieren Division Chief, Programs and Partnerships National Institute of Standards and Technology (NIST) Manufacturing
More informationStudent Guide. Course: NISP C&A Process: A Walk-Through. Lesson 1: Course Introduction. Course Information. Course Overview
Course: NISP C&A Process: A Walk-Through Lesson 1: Course Introduction Course Information Purpose Audience Provides training on the policies and standards used throughout the U.S. Government to protect
More informationSIPRNet Contractor Approval Process (SCAP) December 2011 v2. Roles and Responsibilities
Roles and Responsibilities PARTICIPANT RESPONSIBILITIES Defense Security Service (DSS) DAA for Information Systems (IS) used to process classified information in the National Industrial Security Program
More information