Managed Trusted Internet Protocol Service (MTIPS) Enterprise Infrastructure Solutions (EIS) Risk Management Framework Plan (RMFP)
Enterprise Infrastructure Solutions
Volume 1 Technical Volume
EIS MTIPS Risk Management Framework Plan

Network Services and Network Management Systems in accordance with (IAW) C (NIST FIPS 199 High-Impact Baseline)
Version 1.0
November 4, 2016

Prepared by Qwest Government Services, Inc. dba CenturyLink QGS
4250 North Fairfax Drive, Arlington, VA

SFA# /NSP# RFP No.: QTA0015THA3003
SENSITIVE BUT UNCLASSIFIED. Data contained on this page is subject to the restrictions on the title page of this proposal. November 4, 2016
TABLE OF CONTENTS

Revision History
Step 1 Define the Security System
  Task 1-1 Security Categorization
    Information System Owner
  Task 1-2 Information System Description
    System Environment
  Task 1-3 Information System Registration
Step 2 Select Security Controls
  Task 2-1 Common Control Identification
    Overall CenturyLink Infrastructure
  Task 2-2 Security Control Selection
  Task 2-3 Monitoring Strategy
    Access Monitoring
    File Integrity and Configuration Monitoring
    Network Monitoring
    Automated Inventory Monitoring
    Real-Time Alerts
    Security Vulnerability Scanning
    Security Penetration Testing (C (20, 22))
  Task 2-4 Security Plan Approval
Step 3 Implement Security Controls
  Task 3-1 Security Control Implementation
  Task 3-2 Security Control Documentation
Step 4 Assess Security Controls
  Task 4-1 Assessment Preparation
  Task 4-2 Security Control Assessment
  Task 4-3 Security Assessment Report (C (19))
  Task 4-4 Remediation Actions
Step 5 Authorize Information System
  Task 5-1 Plan of Action and Milestones
  Task 5-2 Security Authorization Package (C , C (1 through 27))
  Task 5-3 Risk Determination
  Task 5-4 Risk Acceptance
Step 6 Monitor Security Controls
  Task 6-1 Information System and Environment Changes
  Task 6-2 Ongoing Security Control Assessments
  Task 6-3 Ongoing Remediation Actions (C (24))
  Task 6-4 Key Updates
  Task 6-5 Security Status Reporting
  Task 6-6 Ongoing Risk Determination and Acceptance
  Task 6-7 Information System Removal and Decommissioning
LIST OF FIGURES

Figure 1. MTIPS 2.0 Standard Portal A&A Boundary
Figure 2. MTIPS 2.0 Augment Portal A&A Boundary
Figure 3. MTIPS 2.0 Standard Portal Traffic Flow
Figure 4. MTIPS 2.0 Augment Portal Traffic Flow
Figure 5. SOC Site 1 Logical Detail (San Diego)
Figure 6. SOC Site 2 Logical Detail (Columbia, MD)
Figure 7. Site Physical Detail, San Diego
Figure 8. Site Physical Detail, Columbia, MD

LIST OF TABLES

Table 1. MTIPS Information Type Categorization
REVISION HISTORY

Revision  Revision Description  Authors       Approval         Date
1.0       Original Release      Robert Ellis  Peggy Macdonald  02/22/2016
STEP 1 DEFINE THE SECURITY SYSTEM

TASK 1-1 SECURITY CATEGORIZATION

The General Services Administration (GSA) assigned an information sensitivity category for Managed Trusted Internet Protocol Service (MTIPS) based on federal government requirements and Federal Information Processing Standard (FIPS) 199. FIPS 199 requires MTIPS security to safeguard data and information from unauthorized disclosure, protect data from unauthorized modification, and ensure that services are available to meet mission requirements. Protection ratings are determined for each of these three security objectives:

- Confidentiality: MTIPS contains information that requires protection from unauthorized disclosure.
- Integrity: MTIPS contains information that must be protected from unauthorized, unanticipated, or unintentional modification.
- Availability: MTIPS contains information or provides services that must be available on a timely basis to meet mission requirements or to avoid substantial losses.

MTIPS is rated at one of the following impact levels:

- High: the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
- Moderate: the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
- Low: the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

To determine the information types that MTIPS will potentially handle, GSA used National Institute of Standards and Technology (NIST) Special Publication (SP) Volume 1 Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories, and Volume 2 Revision 1, Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories. Following the Office of Management and Budget's (OMB) Federal Enterprise Architecture (FEA) Business Reference Model (BRM), GSA determined that the MTIPS business areas will deliver services and manage resources, serving in a supportive role to an agency's mission but not directly processing any agency mission-based information types.

The information types that MTIPS will potentially handle, with the provisional impact level associated with loss of each of the three security objectives (confidentiality, integrity, and availability), are shown in Table 1. The high watermark method was used to determine the overall information categorization: for each objective, the overall rating is the highest provisional impact assigned to any information type for that objective, and the system's overall impact level is the highest of the three resulting ratings. A single information type rated High for one objective is therefore sufficient to place the whole authorization boundary at the High baseline for that objective.

Table 1. MTIPS Information Type Categorization

Information Type                                        Confidentiality  Integrity  Availability
Contingency planning                                    Low              Low        High
Continuity of operations                                Low              Low        High
Service recovery                                        Low              Low        High
Goods acquisition                                       Low              Moderate   Low
Inventory control                                       Low              Moderate   Low
Logistics management                                    Low              Moderate   Low
Services acquisition                                    Moderate         Moderate   Low
System development                                      Moderate         Moderate   Low
Life cycle/change management                            Low              Moderate   Moderate
System maintenance                                      High             Moderate   Moderate
Information technology (IT) infrastructure maintenance  High             High       High
MTIPS security                                          Moderate         Moderate   High
Record retention                                        Moderate         High       Low
Information management                                  Moderate         Moderate   Moderate
System and network monitoring                           High             High       High
Information sharing                                     Moderate         Moderate   Moderate
Overall information categorization                      High             High       High

As part of the MTIPS system development life cycle (SDLC) and security assessment and authorization (A&A) processes, CenturyLink periodically reviews the list of information types to add and remove data types as necessary and to update the impact to the above security objectives.
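The following Python script is an added worked example and is not part of the CenturyLink plan or GSA's categorization tooling. It transcribes Table 1 as a fixed, constructed input and applies the FIPS 199 high watermark method: the per-objective rating is the maximum provisional impact across all information types, the overall impact level is the maximum of the three objectives, and the result is rendered in the FIPS 199 "SC system = {(confidentiality, X), (integrity, Y), (availability, Z)}" notation. It also goes one step beyond the table: it lists which information types drive each High rating (the ones that would have to move to a separate boundary before the rating could drop) and checks a table's stated Overall row against the computed one. Function names such as drivers and validate_overall_row are this example's own.

```python
"""FIPS 199 high-water-mark categorization, worked over Table 1.

Added example; not part of the CenturyLink RMFP. TABLE_1 is transcribed from
Table 1 of the plan (a fixed, constructed input so the script runs offline).
The function names and the 'drivers' analysis are this example's own.
"""

IMPACT_ORDER = {"Low": 1, "Moderate": 2, "High": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Transcribed from Table 1: information type -> (C, I, A) provisional impact.
TABLE_1 = {
    "Contingency planning": ("Low", "Low", "High"),
    "Continuity of operations": ("Low", "Low", "High"),
    "Service recovery": ("Low", "Low", "High"),
    "Goods acquisition": ("Low", "Moderate", "Low"),
    "Inventory control": ("Low", "Moderate", "Low"),
    "Logistics management": ("Low", "Moderate", "Low"),
    "Services acquisition": ("Moderate", "Moderate", "Low"),
    "System development": ("Moderate", "Moderate", "Low"),
    "Life cycle/change management": ("Low", "Moderate", "Moderate"),
    "System maintenance": ("High", "Moderate", "Moderate"),
    "Information technology (IT) infrastructure maintenance": ("High", "High", "High"),
    "MTIPS security": ("Moderate", "Moderate", "High"),
    "Record retention": ("Moderate", "High", "Low"),
    "Information management": ("Moderate", "Moderate", "Moderate"),
    "System and network monitoring": ("High", "High", "High"),
    "Information sharing": ("Moderate", "Moderate", "Moderate"),
}


def high_water_mark(levels):
    """Highest impact level in an iterable of 'Low'/'Moderate'/'High'.
    Rejects anything outside the FIPS 199 vocabulary rather than guessing."""
    levels = list(levels)
    unknown = [lv for lv in levels if lv not in IMPACT_ORDER]
    if unknown:
        raise ValueError(f"unknown impact level(s): {unknown}")
    return max(levels, key=IMPACT_ORDER.__getitem__)


def categorize(info_types):
    """Per-objective security category: the high water mark across all
    information types for that objective (FIPS 199)."""
    return {
        obj: high_water_mark(levels[i] for levels in info_types.values())
        for i, obj in enumerate(OBJECTIVES)
    }


def overall_impact(security_category):
    """System impact level: the high water mark of the three objectives.
    This is the value that selects the Low/Moderate/High control baseline."""
    return high_water_mark(security_category.values())


def fips199_notation(system_name, security_category):
    """FIPS 199 generalized format, e.g.
    SC MTIPS = {(confidentiality, HIGH), (integrity, HIGH), (availability, HIGH)}"""
    parts = ", ".join(f"({o}, {security_category[o].upper()})" for o in OBJECTIVES)
    return f"SC {system_name} = {{{parts}}}"


def drivers(info_types, objective):
    """Information types that set the high water mark for one objective.
    These would have to move to a separate authorization boundary before
    the objective could be rated lower."""
    i = OBJECTIVES.index(objective)
    mark = categorize(info_types)[objective]
    return sorted(name for name, levels in info_types.items() if levels[i] == mark)


def validate_overall_row(info_types, stated_overall):
    """Compare a table's stated 'Overall' row (C, I, A) with the computed high
    water mark. Returns (objective, stated, computed) for each mismatch; an
    empty list means the table is internally consistent."""
    computed = categorize(info_types)
    return [
        (obj, stated_overall[i], computed[obj])
        for i, obj in enumerate(OBJECTIVES)
        if stated_overall[i] != computed[obj]
    ]


if __name__ == "__main__":
    sc = categorize(TABLE_1)
    print(fips199_notation("MTIPS", sc), "->", overall_impact(sc), "baseline")
    for obj in OBJECTIVES:
        print(f"{obj} = {sc[obj]}, driven by: {', '.join(drivers(TABLE_1, obj))}")
    print("Overall row mismatches:", validate_overall_row(TABLE_1, ("High", "High", "High")))
```

Run as a script it confirms the table's Overall row (High/High/High) and shows that confidentiality is pulled to High by only three information types (system maintenance, IT infrastructure maintenance, and system and network monitoring), which is the kind of fact a system owner wants before arguing for a narrower boundary or a lower baseline.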
In summary, the MTIPS overall sensitivity rating is High, based on the following:

- Requirements for confidentiality, integrity, and availability protections
- Related level of sensitivity
- Highest magnitude of harm directly resulting from loss, misuse, modification of, or unauthorized access to information on MTIPS

Information System Owner

GSA
  Name: Kevin Gallo
  Title: GSA System Owner
  Agency: GSA
  Address: 1800 F Street NW, Washington, DC
  Email: kevin.gallo@gsa.gov
  Phone Number:

CenturyLink
  Name: Tim Meehan
  Title: Vice President
  Agency: Qwest Government Services, Inc. dba CenturyLink QGS
  Address: 4250 N Fairfax Drive, Arlington, VA
  Email: Timothy.Meehan@centurylink.com
  Phone Number:
System Environment

Figure 1. MTIPS 2.0 Standard Portal A&A Boundary

Figure 2. MTIPS 2.0 Augment Portal A&A Boundary

Figure 3. MTIPS 2.0 Standard Portal Traffic Flow

Figure 4. MTIPS 2.0 Augment Portal Traffic Flow
TASK 1-3 INFORMATION SYSTEM REGISTRATION

The registration process will begin with the definition of the A&A (or authorization) boundary in the Security Assessment Boundary and Scope Document (BSD), as referenced in RFP Section C (2). This section identifies the information system and subsystems in the system inventory and establishes the relationship between the information system and the parent or governing organization that owns, manages, and/or controls the system. The information system owner has primary responsibility for registering each EIS information system that supports network services and network management systems.

Primary Responsibility: CenturyLink Information System Owner
  Name: Tim Meehan
  Title: Vice President
  Agency: Qwest Government Services, Inc. dba CenturyLink QGS
  Address: 4250 N Fairfax Drive, Arlington, VA
  Email: Timothy.Meehan@centurylink.com
  Phone Number:

Supporting Roles:

CenturyLink Information Systems Security Officer (ISSO)
  Name: Robert Ellis
  Title: Information System Security Officer (ISSO)
  Agency: Qwest Government Services, Inc. dba CenturyLink QGS
  Address: th Street, Suite 1000B, Denver, CO
  Email: rob.ellis@centurylink.com
  Phone Number:

GSA Information System Security Manager (ISSM)
  Name: David Trzcinski
  Title: Information Systems Security Manager
  Agency: GSA
  Address: 1800 F Street, NW, Washington, DC
  Email: david.trzcinski@gsa.gov
  Phone Number:

GSA ISSO
  Name: William Olson
  Title: Systems and Security Program Manager
  Agency: GSA
  Address: 1800 F Street, NW, Washington, DC
  Email: william.olson@gsa.gov
  Phone Number:

GSA personnel have performed the security categorization of the MTIPS information systems, which are determined to be FIPS 199 High impact.

STEP 2 SELECT SECURITY CONTROLS

TASK 2-1 COMMON CONTROL IDENTIFICATION

Common controls inherited within the MTIPS system authorization boundary will include:

- Physical security controls
- Environmental controls
- Centralized authentication mechanisms (SecurID, Active Directory)
- Continuous monitoring systems
- Control Tailoring Workbook (CTW) (C (4))
- Control Summary Table (C (5))
- System Inventory (hardware, software, and related information) (C (7))
- Security Incident Response Plan (IRP) (C (15))
- Security Incident Response Test Plan
- Security Incident Response Test Report (C (16))
- Supply Chain Risk Management (SCRM) Plan (C (17))
- Contingency Plan (CP), including the Disaster Recovery Plan (DRP) and Business Impact Assessment (BIA) (C (8))
- Contingency Plan Test Plan (CPTP) (C (9))
- Contingency Plan Test Report (CPTPR) (C (10))
- Interconnection Security Agreements (ISA) (C (3))
- Configuration Management Plan (CMP) (C (12))
- Systems Baseline Configuration Standard Document (C (13))
- Audit Monitoring Program
- Continuous Monitoring Program (security risk mitigation) (C (18)):
  - Access monitoring
  - Configuration monitoring
  - Vulnerability monitoring (scanning)
  - Third-party penetration test report
  - Automated reporting to the customer (if the customer is prepared for it)
  - Continuous Monitoring Plan
- e-Authentication documents:
  - e-Authentication Executive Summary
  - e-Authentication Detail Report
  - e-Authentication Risk and Requirements Assessment Tool (database file)
- Independent External Penetration Test and Report (C (20))
- User Access Authorization and Management Process
- Personnel Security Procedures
- Suitability Report (employee background investigation report)
- Security Test and Evaluation Plan (ST&E Plan)
- Security Test and Evaluation Report (ST&E Report) or Security Assessment Report (SAR) (C (6))
- Annual FISMA Assessment (conducted per GSA CIO IT Security Procedural Guide 04-26, FISMA Implementation) (C (25))

In addition to the items above, which are already included in our security A&A package or provided as deliverables, CenturyLink will include the following in its EIS MTIPS security A&A package or provide them as deliverables:

- Code Review Report (if applicable) (C (21))
- Monthly Reports on SCAP Common Configuration Enumeration (CCE) (NIST SP R4: CM-6) (C (26))
- Monthly Reports on SCAP Common Platform Enumeration (CPE) (NIST SP R4: CM-8) (C (26))
- Monthly Reports on SCAP Common Vulnerabilities and Exposures (CVE) (NIST SP R4: CM-8) (C (26))
- Independent Internal Penetration Test and Report (C (20))

Document Management (C (27))

CenturyLink develops and maintains all current policy and procedure documents, as outlined in the specified NIST documents and applicable GSA IT Security Procedural Guides. For EIS, they will be verified and reviewed during the initial security assessment, and updates will be provided to the GSA Contracting Officer's Representative (COR)/ISSO/ISSM biennially, to include the following:

- Access Control Policy and Procedures (NIST SP R4: AC-1)
- Security Awareness and Training Policy and Procedures (NIST SP R4: AT-1)
TASK 6-7 INFORMATION SYSTEM REMOVAL AND DECOMMISSIONING

CenturyLink follows a system-removal and decommissioning policy and procedures that ensure all data are securely erased or destroyed before storage elements leave CenturyLink premises.
More informationEvolving Cybersecurity Strategies
Evolving Cybersecurity Strategies NIST Special Publication 800-53, Revision 4 ISSA National Capital Chapter April 17, 2012 Dr. Ron Ross Computer Security Division Information Technology Laboratory NATIONAL
More informationWe are releasing 7 pages of responsive documents. Pursuant to FOIA, certain information has been redacted as it is exempt from release.
Description of document: Requested date: Released date: Posted date: Source of document: President's Council on Integrity and Efficiency Information (PCIE) Information Technology Investigations Sub- Committee
More informationIT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I
Standards Sections Checklist Section Security Management Process 164.308(a)(1) Information Security Program Risk Analysis (R) Assigned Security Responsibility 164.308(a)(2) Information Security Program
More informationIT-CNP, Inc. Capability Statement
Securing America s Infrastructure Security Compliant IT Operations Hosting Cyber Security Information FISMA Cloud Management Hosting Security Compliant IT Logistics Hosting 1 IT-CNP, Inc. is a Government
More informationNIST Special Publication
DATASHEET NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations Mapping for Carbon Black BACKGROUND The National Institute of Standards and Technology
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Risk Monitoring Risk Monitoring assesses the effectiveness of the risk decisions that are made by the Enterprise.
More informationMIS Week 9 Host Hardening
MIS 5214 Week 9 Host Hardening Agenda NIST Risk Management Framework A quick review Implementing controls Host hardening Security configuration checklist (w/disa STIG Viewer) NIST 800-53Ar4 How Controls
More informationAnnex 3 to NIST Special Publication Recommended Security Controls for Federal Information Systems
Annex 3 to NIST Special Publication 800-53 Recommended Security Controls for Federal Information Systems Minimum Security Controls High Baseline Includes updates through 04-22-2005 AC-1 ACCESS CONTROL
More informationINFORMATION TECHNOLOGY AUDITING GAO AND THE FISCAM AUDIT FRAMEWORK. Ronald E. Franke, CISA, CIA, CFE, CICA. April 30, 2010
INFORMATION TECHNOLOGY AUDITING GAO AND THE FISCAM AUDIT FRAMEWORK Presented by Ronald E. Franke, CISA, CIA, CFE, CICA April 30, 2010 1 Agenda General Accountability Office (GAO) and IT Auditing Federal
More informationSolution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites
Solution Pack Managed Services Virtual Private Cloud Security Features Selections and Prerequisites Subject Governing Agreement DXC Services Requirements Agreement between DXC and Customer including DXC
More informationBuilding Secure Systems
Building Secure Systems Antony Selim, CISSP, P.E. Cyber Security and Enterprise Security Architecture 13 November 2015 Copyright 2015 Raytheon Company. All rights reserved. Customer Success Is Our Mission
More informationInformation Technology General Control Review
Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor
More informationFederal Continuous Monitoring Working Group. March 21, DOJ Cybersecurity Conference 2/8/2011
Federal Continuous Monitoring Working Group March 21, 2011 DOJ Cybersecurity Conference 2/8/2011 4/12/2011 Why Continuous Monitoring? Case for Change Strategy Future State Current State Current State Case
More informationFRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more.
FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013 Visit us online at Flank.org to learn more. HITRUST CSF v9 Framework ISO 27001/27002:2013 Framework FLANK ISO 27001/27002:2013 Documentation from
More informationSECURITY PLAN DRAFT For Major Applications and General Support Systems
SECURITY PLAN For Major Applications and General Support Systems TABLE OF CONTENTS EXECUTIVE SUMMARY A. APPLICATION/SYSTEM IDENTIFICATION A.1 Application/System Category Indicate whether the application/system
More informationChecklist: Credit Union Information Security and Privacy Policies
Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC
More informationMeeting RMF Requirements around Compliance Monitoring
Meeting RMF Requirements around Compliance Monitoring An EiQ Networks White Paper Meeting RMF Requirements around Compliance Monitoring Purpose The purpose of this paper is to provide some background on
More informationThe "Notes to Reviewers" in the February 2012 initial public draft of Revision 4 of SP states:
Major Enhancements to NIST SP 800-53 Revision 4 BD Pro The "Notes to Reviewers" in the February 2012 initial public draft of Revision 4 of SP 800-53 states: "The proposed changes included in Revision 4
More informationRisk Management Framework (RMF) 101 for Managers. October 17, 2017
Risk Management Framework (RMF) 101 for Managers October 17, 2017 DoD Risk Management Framework (RMF) Process DoDI 8510.01, Mar 2014 [based on NIST SP 800-37] Architecture Description Components Firmware
More informationAppendix 2B. Supply Chain Risk Management Plan
Granite Telecommunications, LLC. 100 Newport Ave. Ext. Quincy, MA 02171 Appendix 2B Supply Chain Risk Management Plan This proposal or quotation includes data that shall not be disclosed outside the Government
More informationNew York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief
Publication Date: March 10, 2017 Requirements for Financial Services Companies (23NYCRR 500) Solution Brief EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker s advanced
More informationAnnex 1 to NIST Special Publication Recommended Security Controls for Federal Information Systems
Annex 1 to NIST Special Publication 800-53 Recommended Security Controls for Federal Information Systems Minimum Security Controls Low Baseline AC-1 ACCESS CONTROL POLICY AND PROCEDURES The organization
More informationEnhancing the Cybersecurity of Federal Information and Assets through CSIP
TECH BRIEF How BeyondTrust Helps Government Agencies Address Privileged Access Management to Improve Security Contents Introduction... 2 Achieving CSIP Objectives... 2 Steps to improve protection... 3
More informationChecklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)
Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP) ecfirst, chief executive Member, InfraGard Compliance Mandates Key Regulations
More informationDepartment of Management Services REQUEST FOR INFORMATION
RESPONSE TO Department of Management Services REQUEST FOR INFORMATION Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services September 3, 2015 250 South President
More information1 RESEARCH COURT, SUITE 340 ROCKVILLE, MD GNS GNS-BD-CC
GLOBAL NETWORK SYSTEMS, INC. (GNS) 1 RESEARCH COURT, SUITE 340 ROCKVILLE, MD 20850 301-921-4GNS 301-921-4467 www.gns-us.com hqoffice@gns-us.com GNS-BD-CC-4001 209 2.09 Global Network Systems of Maryland,
More informationTEL2813/IS2820 Security Management
TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management
More informationISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION
ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION Cathy Bates Senior Consultant, Vantage Technology Consulting Group January 30, 2018 Campus Orientation Initiative and Project Orientation Project
More informationFedRAMP Plan of Action and Milestones (POA&M) Template Completion Guide. Version 1.1
FedRAMP Plan of Action and Milestones (POA&M) Template Completion Guide Version 1.1 September 3, 2015 FedRAMP Plan of Action & Milestones (POA&M) Template Completion Guide v1.1 September 3, 2015 Document
More informationPT-BSC. PT-BSC version 0.3. Primechain Technologies Blockchain Security Controls. Version 0.4 dated 21 st October, 2017
PT-BSC Primechain Technologies Blockchain Security Controls Version 0.4 dated 21 st October, 2017 PT-BSC version 0.3 PT-BSC (version 0.4 dated 21 st October, 2017) 1 Blockchain technology has earned the
More informationData Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory
Audience: NDCBF IT Security Team Last Reviewed/Updated: March 2018 Contact: Henry Draughon hdraughon@processdeliveysystems.com Overview... 2 Sensitive Data Inventory and Classification... 3 Applicable
More informationWHITE PAPER- Managed Services Security Practices
WHITE PAPER- Managed Services Security Practices The information security practices outlined below provide standards expected of each staff member, consultant, or customer staff member granted access to
More informationContinuous Monitoring & Security Authorization XACTA IA MANAGER: COST SAVINGS AND RETURN ON INVESTMENT IA MANAGER
Continuous Monitoring & Security Authorization XACTA IA MANAGER: COST SAVINGS AND RETURN ON INVESTMENT IA MANAGER Continuous Monitoring & Security Authorization >> TOTAL COST OF OWNERSHIP Xacta IA Manager
More informationInformation Systems Security Requirements for Federal GIS Initiatives
Requirements for Federal GIS Initiatives Alan R. Butler, CDP Senior Project Manager Penobscot Bay Media, LLC 32 Washington Street, Suite 230 Camden, ME 04841 1 Federal GIS "We are at risk," advises the
More informationTop 10 ICS Cybersecurity Problems Observed in Critical Infrastructure
SESSION ID: SBX1-R07 Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure Bryan Hatton Cyber Security Researcher Idaho National Laboratory In support of DHS ICS-CERT @phaktor 16 Critical
More informationCIP Cyber Security Configuration Change Management and Vulnerability Assessments
CIP-010-2 3 Cyber Security Configuration Change Management and Vulnerability Assessments A. Introduction 1. Title: Cyber Security Configuration Change Management and Vulnerability Assessments 2. Number:
More informationInspector General. Report on the Peace Corps Information Security Program. Peace Corps Office of. Background FISCAL YEAR 2017
Peace Corps Office of Inspector General Our Mission: Through audits, evaluations, and investigations, the Office of Inspector General provides independent oversight of agency programs and operations in
More informationHandbook Webinar
800-171 Handbook Webinar Pat Toth Cybersecurity Program Manager National Institute of Standards and Technology (NIST) Manufacturing Extension Partnership (MEP) NIST MEP 800-171 Assessment Handbook Step-by-step
More informationJuniper Vendor Security Requirements
Juniper Vendor Security Requirements INTRODUCTION This document describes measures and processes that the Vendor shall, at a minimum, implement and maintain in order to protect Juniper Data against risks
More informationStandard Development Timeline
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard is adopted by the NERC Board of Trustees (Board).
More information