Continuous Monitoring & Security Authorization XACTA IA MANAGER: COST SAVINGS AND RETURN ON INVESTMENT IA MANAGER

Transcription

1 Continuous Monitoring & Security Authorization XACTA IA MANAGER: COST SAVINGS AND RETURN ON INVESTMENT IA MANAGER

2 Continuous Monitoring & Security Authorization >> TOTAL COST OF OWNERSHIP Xacta IA Manager Can Reduce Labor, Support Resource Re-Allocation THE PROBLEM Continuous Monitoring, Security Authorization, and Risk Management are complex and time-consuming processes FISMA calls for continuous monitoring of IA controls, a lifecycle risk management approach and remediation to ensure sustained compliance Every IT system in the federal government must comply with FISMA, via FIPS-199 and FIPS-200 Cybersecurity skills are in short supply, high demand, and are therefore expensive Cybersecurity pros spend too much time on low-value, mundane tasks formatting documents, cross-walking regulations, and manually tracking POA&Ms Without automation, continuous monitoring, risk management, and security authorizations can be manpower intensive and prohibitively expensive At the same time, non-compliance is not an option; at risk is your IT budget... taxpayer information personal healthcare diagnosis public confidence... national security THE ANSWER: XACTA IA MANAGER Xacta IA Manager the industry s leading framework for IT security governance, risk management, and compliance has done more to streamline and automate these complex security processes than any other solution. This data sheet shows how Xacta IA Manager can significantly reduce the cost of FISMA compliance and reporting, including continuous monitoring operations. When looking for an IT security automation product, it is important to determine the scope of the solution as well as how much manual labor it will save. The solution should automate all six steps of the NIST r1 Risk Management Framework. Without this breadth of coverage, scarce human cybersecurity resources are wasted performing low-value, mundane tasks, such as formatting security plan documents, parsing regulations, and tracking POA&Ms. Xacta IA Manager automates these tasks, so that cybersecurity professionals can spend their time recommending security controls for new systems, conducting security assessments, evaluating risks, responding to incidents, and communicating with business unit leaders. It also supports transitioning emphasis away from paperwork and onto Continuous Monitoring. This Total Cost of Ownership document should be used as a data point for cybersecurity managers in determining how to best allocate scarce human resources while addressing dynamic operational demands.

3 ANNUAL RISK MANAGEMENT FRAMEWORK LABOR SAVINGS Assumptions: The organization is using the NIST rev1 RMF (or equivalent) The organization has 100 systems (each requiring similar effort) Each system is of moderate size and complexity (450 desktops and 30 servers) Automation hours reflect efficiencies in workflow and standard knowledgebase of controls and validation methods Steps in the Risk Management Framework (RMF) Hours Required Per System Manual Methods Xacta Automated RMF-1: CATEGORIZE Information Systems Identify & document system purpose and usage model Identify & record system data types (NIST ) and C-I-A values for data Identify & document system boundary and architecture Register system & confirm C-I-A impact for entire system 8 2 Approve system impact through AO/DAA and senior agency official (SAISO) 8 6 RMF-2: SELECT Security Controls Identify common agency controls & security standards Identify minimum controls & supplemental and/or compensating controls Develop continuous monitoring strategy 24 4 Coordinate the security control approach & draft system security plan (SSP) RMF-3: IMPLEMENT Security Controls Implement system security controls resources technology, people, processes Complete security control documentation in system security plan (SSP) Coordinate transition to assessment step 16 8 RMF-4: ASSESS Security Controls Review & revise test cases for controls coverage Execute test procedures Conduct initial remediations & analyze residual risks Publish key reports for Assessment (SAR), Risk Reports, draft POA&Ms RMF-5: AUTHORIZE Information System Complete Plans of Action & Milestones (POA&Ms) Assemble final deliverables SSP, SAR, POA&Ms Make authorization decision & document decision 8 6 Total Labor Hours per year for RMF-1 through RMF RMF-6: MONITOR Security Controls Review & update all system operating characteristics, based on changes Periodically review control selection criteria, based on dynamic threat Maintain inventory of resources technology, people, processes Test controls Maintain/Remediate system, controls, and all security relevant documentation On-going security status reporting Total Labor Hours per year for RMF Total Labor Hours per year for RMF-1 through RMF-6 2,384 1,449 HOURS SAVED EACH YEAR 1,935

4 Continuous Monitoring & Security Authorization >> TOTAL COST OF OWNERSHIP Return On Investment LABOR. Applying traditional C&A methods to the new Risk Management Framework (RMF) can require literally thousands of labor hours. Some specialized tools can help reduce the amount of labor required, but not to the degree that Xacta IA Manager reduces manual effort. For example, conducting security certification testing of servers typically requires about one hour for each server. However, with Xacta HostInfo and AutoTest capabilities, the same testing can often be performed in only five minutes. Using the example of 50 servers, that s a time savings of 46 hours. LABOR COST. Using an average labor rate of $100/hour, it can be seen that labor intensive methods are very expensive compared with Xacta IA Manager. AUTOMATED TOOLS. Commercial off-the-shelf and even some Government off-the-shelf tools are available to help automate parts of the RMF process. These include scanners that perform vulnerability and configuration testing. Xacta IA Manager contains a Security Content Automation Protocol (SCAP) -validated scanner to further automate security testing. The Xacta HostInfo and the Continuous Assessment capabilities have been SCAPvalidated. HostInfo automates technical testing by running scripts on machines, which is much more efficient than manual checks and is more accurate than network-based scans. Competitive SCAP products also automate testing, but do not have the ability to address the entire Risk Management Framework, and therefore do not reduce labor costs to the same degree as Xacta IA Manager. Xacta IA Manager is unique in that technical test results are mapped to standard controls, such as NIST , and tracked in the system s security authorization evidence and associated documentation. Finally, the Xacta IA Manager framework integrates with many common security tools, and Telos maintains security partnerships with other security product vendors. 3-YEAR LIFE-CYCLE COST CALCULATIONS AND SAVINGS ESTIMATE Assumptions: The organization is using the NIST rev1 RMF (or equivalent) The organization has 100 systems 85 systems have ATO and 15 systems are new each year The organization has 50,000 IT assets (45,000 desktops, 3,000 servers, 2,000 others) All labor is contractor labor (at an average of $100/hour) Hours Required Activities Manual Methods Xacta Automated Labor Hours for RMF-1 through RMF-5 (15 systems each year for 3 years) 51,480 32,895 Labor Hours for RMF-6 (85 systems per year for 3 years) 46,980 30,330 TOTAL Labor Hours 98,460 63,225 Hourly Rate $100 $100 Total Labor Cost $9,846,000 $6,322,500 Vulnerability & Configuration Scanner Cost and three years of maintenance $1,467,037 $0* Xacta IA Manager Perpetual License and three years of maintenance $0 $721,344 Total Product Cost $1,467,037 $721,344 Total 3-Year Cost $11,313,037 $7,043,844 PERCENT SAVED OVER THREE YEARS 38% * Xacta IA Manager is an SCAP-certified FDCC scanner and works with or without other existing security tools Includes Xacta IA Manager: Assessment Engone and Xacta IA Manager: Continuous Assessment

5 From Compliance To Security Certification and Accreditation is essentially a process whereby agencies evaluate every three years what defensive security protections are in place to prevent attacks on their key systems. The process costs taxpayers about $1.3 billion every year and it produces a good deal of paperwork that ends up stored in binders in some clutter-filled room. Source: Senator Tom Carper, Chairman of the Senate Homeland Security and Governmental Affairs Committee s Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security, October 29, In 2002, 47% of all agency systems had a Certification & Accreditation in place; whereas, in 2009, 95% of systems had a Certification & Accreditation in place. Despite the improvements as reported by agencies, the Federal Government s communications and information infrastructure is still far from secure. The FISMA measures reported on annually have led agencies to focus on compliance. Source: Federal CIO Vivek Kundra, statement before the House Committee on Oversight and Government Reform Subcommittee on Government Management, Organization, and Procurement, March 24, As of 2010, OMB wants agencies to implement Continuous Monitoring of security controls and to automate their FISMA reporting. Telos is working closely with DHS representatives to realize the need for automating a feed to CyberScope, OMB s new FISMA portal.

6 CONGRATULATIONS! You Just Got Your System s ATO Approval to Operate. But suddenly, they ve changed the rules. Now you have to meet a whole new set of risk management practices, implement different security controls, continuously monitor the new controls, and report into CyberScope. What will that mean for you? How much will it cost to adapt your current methods to the new controls? It all depends on the risk management solution you choose. Take a look at the following table to see how costly and cumbersome or how cost-effective and hassle-free it can be: RISK MANAGEMENT FRAMEWORK CONVERSION COST CONSIDERATIONS Assumptions: The organization has 100 systems (each requiring similar effort) Tools and processes are in place for reporting based on DIACAP or DCID 6/3 Hours Required Activities Manual Methods Xacta Automated Re-categorizing systems based on CNSS Map Existing IA Controls to Agency-Tailored NIST controls Map existing test results to NIST A validation procedures Re-package security evidence in new formats TOTAL Labor Hours per system Hourly Rate $100 $100 TOTAL Labor Cost per system $55,200 $33,000 Staff re-training (6 people in 2 day class vs. 2 people) $5,436 $1,812 TOTAL Conversion Cost per system $60,636 $34,812 Process efficiency factor gain after completing first system transition Conversion Costs for an Agency of 100 systems $3,062,118 $724,090 PERCENT SAVED BY LEVERAGING AUTOMATED TEMPLATES 76% Telos Flexible Licensing for Xacta IA Manager Government IT risk management processes and FISMA reporting requirements make it necessary for an agency to account for all of its IT systems. Typical systems have a Program Manager, or System Owner, and are frequently managed using industry standard project management techniques. Consequently, Telos routinely licenses the Xacta IA Manager solution on a per-project basis, where a project correlates to an agency information system. When a perproject perpetual license is purchased, Xacta IA Manager is authorized for use on a specified number of systems, where the system boundary is defined by the customer, while the number of authorized users is unlimited. Some organizations have a preference to license software on a per-user basis. It can be difficult to anticipate the total number of users that might participate in the security management, risk management, and FISMA reporting processes over an extended period of time across an entire agency. When an organization can estimate the appropriate user population, Telos offers per-user licensing for Xacta IA Manager. When per-user perpetual licenses are purchased, Xacta IA Manager is authorized for use by the specified number of users, while the number of authorized projects, or systems, is unlimited. Choose the cost-effective, hassle-free solution. Choose Xacta IA Manager. Advanced technology solutions thatprotect your vital assets TM Ashburn Road, Ashburn, VA TELOS Copyright 2010 Telos Corporation. All rights reserved. XIAMTCO122010