MIS Week 9 Host Hardening

Transcription

1 MIS 5214 Week 9 Host Hardening

2 Agenda NIST Risk Management Framework A quick review Implementing controls Host hardening Security configuration checklist (w/disa STIG Viewer) NIST Ar4 How Controls are Assessed SCAP - Security Content Automation Protocol FedRAMP System Security Plan s Section 13 A controls deep dive Identity and Authentication controls assessment questions Team Project - SSP drafts

3 NIST Risk Management Framework

4 NIST Risk Management Framework

5 NIST Risk Management Framework

6 NIST Risk Management Framework

7 NIST Risk Management Framework

8 Agenda NIST Risk Management Framework A quick review Implementing controls Host hardening Security configuration checklist (w/disa STIG Viewer) NIST Ar4 How Controls are Assessed SCAP - Security Content Automation Protocol FedRAMP System Security Plan s Section 13 A controls deep dive Identity and Authentication controls assessment questions Team Project - SSP drafts

9 A security configuration checklist is a document containing instructions or procedures for: Configuring an information technology (IT) product to an operational environment Verifying that the product has been configured properly Identifying unauthorized changes to the product Checklists can help you: Minimize the attack surface Reduce vulnerabilities Lessen the impact of successful attacks Identify changes that might otherwise go undetected

10 Security Technical Implementation Guides (STIGs) Defense Information Systems Agency (DISA) Creates configuration documents and implementation guidelines which include recommended information security administrative processes that span an application system s lifecycle DISA s Security Technical Implementation Guides (STIGs) help standardize: Secure installations of computer software and hardware Security maintenance of computer software and hardware Information security audits to analyze risk and identify configuration vulnerabilities

11 Security Technical Implementation Guides (STIGs) STIGs contain technical guidance to harden and "lock down" information systems and software that might otherwise be vulnerable to a malicious computer attack

12 Downloading the STIG Viewer

13 Launching the STIG Viewer

14 The STIG Viewer

15 SRG-STIG Library SRG = Security Requirements Guide STIG = Security Technical Implementation Guide FOUO = For Official Use Only

16

17

18 Severity Category Code (CAT) Levels Classification of computer and network configuration settings. The DISA STIG assigns a Severity Code to each system IA security weakness to indicate the risk level associated with the IA security weakness and the urgency with which the corrective action must be completed CAT I Severity Code is assigned to findings that allow primary security protections to be bypassed, allowing immediate access by unauthorized personnel or unauthorized assumption of super-user privileges CAT I weaknesses must be corrected before an Authorization to Operate (ATO) is granted CAT II Severity Code is assigned to findings that have a potential to lead to unauthorized system access or activity. CAT II findings shall be corrected or satisfactorily mitigated before an Authorization to Operate will be granted. A system with a CAT II weakness can be granted an ATO only when there is clear evidence that the CAT II weakness can be corrected or satisfactorily mitigated within 180 days of the accreditation decision. CAT III Severity Code is assigned to recommendations that will improve IA posture but are not required for an authorization to operate

19

20

21

22

23

24 STIG Guidance

25

26

27 The Control Correlation Identifier (CCI) provides a standard identifier and description for each of the singular, actionable statements that comprise an IA control or IA best practice. CCI bridges the gap between high-level policy expressions and low-level technical implementations

28 Which controls aid in Host Hardening?

29

30 NIST Risk Management Framework

31 Agenda NIST Risk Management Framework A quick review Implementing controls Host hardening Security configuration checklist (w/disa STIG Viewer) NIST Ar4 How Controls are Assessed SCAP - Security Content Automation Protocol FedRAMP System Security Plan s Section 13 A controls deep dive Identity and Authentication controls assessment questions Team Project - SSP drafts

32 Assessment Methods 3 assessment methods can be used by assessors during security and privacy control assessments: 1. Examine 2. Interview 3. Test

33 Assessment Methods 3 assessment methods can be used by assessors during security and privacy control assessments: 1. Examine 2. Interview 3. Test Budget and schedule determine depth and coverage (breadth) of assessment Depth 1. Basic 2. Focused 3. Comprehensive Coverage (breadth) 1. Basic 2. Focused 3. Comprehensive

34 Examine security and privacy controls Definition: Process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects Facilitates understanding, achieves clarification, or obtains evidence Results used to support determining security and privacy control Existence Functionality Correctness Completeness Potential for improvement over time

35 Examine security and privacy controls Assessment Objects: 1. Specifications Policies, plans, procedures, system requirements, and designs 2. Mechanisms Functionality implemented in hardware, software or firmware 3. Activities System operations, administration, management, and exercises

36 Examine security and privacy controls Supplemental guidance: Typical assessor actions may include, for example: Reviewing information security policies, plans, and procedures Analyzing system design documentation and interface specifications Observing system backup operations Reviewing the results of contingency plan exercises Observing incident response activities Studying technical manuals and user/administration guides Checking, studying or observing the operation of an information technology mechanism in the information system hardware/software Checking, studying, or observing physical security measures related to the operation of an information system

37 Interview security and privacy controls Assessment Objects: 1. Individuals 2. Groups of individuals Definition: Process of conducting discussions with individuals or groups within an organization Facilitates understanding, achieves clarification, or leads to location of evidence, Results used to determine security and privacy control Existence Functionality Correctness Completeness Potential for improvement over time

38 Examine Attributes: Depth, Coverage Depth: addresses the rigor and level of detail in the examination process 3 Depths: 1. Basic examination 2. Focused examination 3. Comprehensive examination 3 Coverages: 1. Basic examination 2. Focused examination 3. Comprehensive examination

39 Examine Attributes: Depth, Coverage Depth: addresses the rigor and level of detail in the examination process 3 Depths: 1. Basic examination Provides understanding of security and privacy controls Determines whether controls are implemented and free of obvious errors Consists of high-level reviews, checks, observations, or inspections using a limited body of evidence or documentation E.g. Functional-level descriptions for mechanisms; high-level process descriptions for activities; actual documents for specifications

40 Examine Attributes: Depth, Coverage Depth: addresses the rigor and level of detail in the examination process 3 Depths: 1. Basic examination 2. Focused examination Provides understanding of security and privacy controls Determines whether controls are implemented and free of obvious errors Determines whether there are increased grounds for confidence that controls are implemented correctly and operating as intended Consists of high-level reviews, checks, observations, or inspections and more-in-depth studies/analyses Conducted using a substantial body of evidence or documentation e.g. functional-level descriptions, high-level design information for mechanisms, high-level process descriptions and implementation procedures for activities; and actual specification documents

41 Examine Attributes: Depth, Coverage Depth: addresses the rigor and level of detail in the examination process 3 Depths: 1. Basic examination 2. Focused examination 3. Comprehensive examination Provides understanding of security and privacy controls Determines whether controls are implemented and free of obvious errors Determines whether there are further increased grounds for confidence that controls are implemented correctly and operating as intended on an ongoing and consistent basis, Determines that there is support for continuous improvement in the effectiveness of the controls Consists of high-level reviews, checks, observations, or inspections and more-in-depth, detailed, and thorough Conducted using an extensive body of evidence or documentation e.g. functional-level descriptions, high-level design information, low-level design information and implementation information for mechanisms, high-level process descriptions and detailed implementation procedures for activities; and specification documents

42 Examine Attributes: Depth, Coverage Coverage: addresses the scope or breadth of the examination process and includes types of assessment objects to be examined, the number of objects to be examined by type, and specific objects to be examined The organization considers a variety of factors (e.g. available resources, importance of the assessment, overall goals and objectives of the assessment) and confers with assessors and provides direction on the type, number, and specific objects to be examined for the particular level of coverage desired 3 Coverages: 1. Basic examination Uses a representative sample of assessment objects (by type and number within type) to provide a level of coverage necessary for determining whether the security and privacy controls are implemented and free of obvious errors

43 Examine Attributes: Depth, Coverage Coverage: addresses the scope or breadth of the examination and includes types of assessment objects to be examined, the number of objects to be examined by type, and specific objects to be examined The organization considers a variety of factors (e.g. available resources, importance of the assessment, overall goals and objectives of the assessment) and confers with assessors and provides direction on the type, number, and specific objects to be examined for the particular level of coverage desired 3 Coverages: 1. Basic examination 2. Focused examination Uses a representative sample of assessment objects (by type and number within type) and other specific assessment objects deemed particularly important to achieving the assessment objective To provide a level of coverage necessary for determining whether the security and privacy controls are implemented and free of obvious errors whether there are increased grounds for confidence that controls are implemented correctly and operating as intended

44 Examine Attributes: Depth, Coverage Coverage: addresses the scope or breadth of the examination process and includes types of assessment objects to be examined, the number of objects to be examined by type, and specific objects to be examined The organization considers a variety of factors (e.g. available resources, importance of the assessment, overall goals and objectives of the assessment) and confers with assessors and provides direction on the type, number, and specific objects to be examined for the particular level of coverage desired 3 Coverages: 1. Basic examination 2. Focused examination 3. Comprehensive examination Uses a sufficiently large sample of assessment objects (by type and number within type) and other specific assessment objects deemed particularly important to achieving the assessment objective To provide a level of coverage necessary for determining whether the security and privacy controls are implemented and free of obvious errors and To determine whether there are further increased grounds for confidence that the controls are implemented correctly and operating as intended on an ongoing and consistent basis, and To determine there is support for continuous improvement in the effectiveness of the controls

45 Assessment Methods 3 assessment methods can be used by assessors during security and privacy control assessments: 1. Examine 2. Interview 3. Test

46 Interview security and privacy controls Supplemental guidance: Typical assessor actions may include, for example: Interviewing agency heads, chief information officers, senior agency information security officers, authorizing officials, information owners, information system and mission owners, information system security officers, information system security managers, personnel officers, human resource managers, facilities managers, training officers, information system operators, network and system administrators, site managers, physical security officers, and users

47 Interview Attributes: Depth, Coverage Depth: addresses the rigor and level of detail in the interview process 3 Depths: 1. Basic interview 2. Focused interview 3. Comprehensive interview 3 Coverages: 1. Basic interview 2. Focused interview 3. Comprehensive interview

48 Interview Attributes: Depth, Coverage Depth: addresses the rigor and level of detail in the interview process 3 Depths: 1. Basic interview Interview that consists of broad-based, high-level discussions with individuals or groups of individuals Conducted using a set of generalized, high-level questions Provide a level of understanding of the security and privacy controls necessary for determining whether the controls are implemented and free of obvious errors 2. Focused interview 3. Comprehensive interview

49 Interview Attributes: Depth, Coverage Depth: addresses the rigor and level of detail in the interview process 3 Depths: 1. Basic interview 2. Focused interview Interview that consists of broad-based, high-level discussions and more in-depth discussions in specific areas with individuals or groups of individuals. This type of interview is conducted using a set of generalized, high-level questions and more in-depth questions in specific areas where responses indicate a need for more in-depth investigation. Focused interviews provide a level of understanding of the security and privacy controls necessary for determining whether the controls are implemented and free of obvious errors and whether there are increased grounds for confidence that the controls are implemented correctly and operating as intended. 3. Comprehensive interview

50 Interview Attributes: Depth, Coverage Depth: addresses the rigor and level of detail in the interview process 3 Levels of Depth: 1. Basic interview 2. Focused interview 3. Comprehensive interview Interview that consists of broad-based, high-level discussions and more in-depth, probing discussions in specific areas with individuals or groups of individuals. This type of interview is conducted using a set of generalized, high-level questions and more in-depth, probing questions in specific areas where responses indicate a need for more in-depth investigation. Comprehensive interviews provide a level of understanding of the security and privacy controls necessary for determining whether the controls are implemented and free of obvious errors and whether there are further increased grounds for confidence that the controls are implemented correctly and operating as intended on an ongoing and consistent basis, and that there is support for continuous improvement in the effectiveness of the controls.

51 Interview Attributes: Depth, Coverage Coverage: addresses the scope or breadth of the interview process and includes the types of individuals to be interviewed (by organizational role and associated responsibility), the number of individuals to be interviewed (by type) and specific individuals to be interviewed The organization, considering a variety of factors (e.g., available resources, importance of the assessment, the organization s overall assessment goals and objectives), confers with assessors and provides direction on the type, number, and specific individuals to be interviewed for the particular attribute value described 3 Levels of Coverage: 1. Basic interview 2. Focused interview 3. Comprehensive interview

52 Interview Attributes: Depth, Coverage Coverage: addresses the scope or breadth of the interview process and includes the types of individuals to be interviewed (by organizational role and associated responsibility), the number of individuals to be interviewed (by type) and specific individuals to be interviewed 3 Levels of Coverage: 1. Basic interview Interview that uses a representative sample of individuals in key organizational roles to provide a level of coverage necessary for determining whether the security and privacy controls are implemented and free of obvious errors 2. Focused interview 3. Comprehensive interview

53 Interview Attributes: Depth, Coverage Depth: addresses the rigor and level of detail in the interview process 3 Levels of Coverage: 1. Basic interview 2. Focused interview Interview that uses a representative sample of individuals in key organizational roles and other specific individuals deemed particularly important to achieving the assessment objective to provide a level of coverage necessary for determining whether the security and privacy controls are implemented and free of obvious errors and whether there are increased grounds for confidence that the controls are implemented correctly and operating as intended. 3. Comprehensive interview

54 Interview Attributes: Depth, Coverage Coverage: addresses the scope and breadth of the interview process 3 Levels of Coverage: 1. Basic interview 2. Focused interview 3. Comprehensive interview Interview that uses a sufficiently large sample of individuals in key organizational roles and other specific individuals deemed particularly important to achieving the assessment objective to provide a level of coverage necessary for determining whether the security and privacy controls are implemented and free of obvious errors and whether there are further increased grounds for confidence that the controls are implemented correctly and operating as intended on an ongoing and consistent basis, and that there is support for continuous improvement in the effectiveness of the controls

55 Assessment Methods 3 assessment methods can be used by assessors during security and privacy control assessments: 1. Examine 2. Interview 3. Test

56 Test security and privacy controls Assessment Objects: 1. Mechanisms (e.g. hardware, software, firmware) 2. Activities (e.g. system operations, administration, management; exercises) Definition: The process of exercising one or more assessment objects under specified conditions to compare actual with expected behavior, the results of which are used to support the determination of security and privacy control existence, functionality, correctness, completeness, and potential for improvement over time. Testing is typically used to determine if mechanisms or activities meet a set of predefined specifications. Testing can also be performed to determine characteristics of a security or privacy control that are not commonly associated with predefined specifications (e.g. penetration testing).

57 Test security and privacy controls Supplemental guidance: Typical assessor actions may include, for example: Testing access control, identification and authentication, and audit mechanisms; Testing security configuration settings; Testing physical access control devices; Conducting penetration testing of key information system components; Testing information system backup operations; Testing incident response capability; Exercising contingency planning capability

58 Test: Depth, Coverage Depth: addresses the types of testing to be conducted 3 Depths of testing: 1. Basic testing 2. Focused testing 3. Comprehensive testing 3 Coverages: 1. Basic testing 2. Focused testing 3. Comprehensive testing

59 Test Attributes: Depth, Coverage Depth: addresses the types of testing to be conducted 3 Depths of testing: 1. Basic testing Test methodology (also known as black box testing) that assumes no knowledge of the internal structure and implementation detail of the assessment object. This type of testing is conducted using a functional specification for mechanisms and a high-level process description for activities. Basic testing provides a level of understanding of the security and privacy controls necessary for determining whether the controls are implemented and free of obvious errors. 2. Focused testing 3. Comprehensive testing

60 Test Attributes: Depth, Coverage Depth: addresses the types of testing to be conducted 3 Depths of testing: 1. Basic testing 2. Focused testing Test methodology (gray box testing) that assumes some knowledge of the internal structure and implementation detail of the assessment object Conducted using A functional specification Limited system architectural information (e.g., high-level design) for mechanisms and a High-level process description and high-level description of integration into operational environment Determines if controls are implemented and free of obvious errors Determines if controls are implemented correctly and operating as intended 3. Comprehensive testing

61 Test Attributes: Depth, Coverage Depth: addresses the types of testing to be conducted 3 Depths of testing: 1. Basic testing 2. Focused testing 3. Comprehensive testing Test methodology (also known as white box testing) based on explicit and substantial knowledge of the internal structure and implementation detail of the assessment object. Conducted using Functional specification Extensive system architecture information (e.g., high-level design, low-level design) and implementation representation (e.g., source code, schematics) for mechanisms and a High-level process description Detailed description of integration into the operational environment for activities Determines if Controls are implemented and free of obvious errors Controls are implemented correctly and operating as intended on an ongoing and consistent basis There is support for continuous improvement in the effectiveness of the controls.

62 Test Attributes: Depth, Coverage Coverage: addresses the scope or breadth of testing process and includes: Types of assessment objects to be tested Number of objects to be tested (by type) Specific objects to be tested 3 coverage levels for testing: 1. Basic testing 2. Focused testing 3. Comprehensive testing

63 Test Attributes: Depth, Coverage 3 Levels of coverage for testing: 1. Basic testing Testing uses a representative sample of assessment objects (by type and number within type) Provides a level of coverage necessary for determining whether the security and privacy controls are implemented and free of obvious errors 2. Focused testing 3. Comprehensive testing

64 Test Attributes: Depth, Coverage 3 Levels of coverage for testing: 1. Basic testing 2. Focused testing Testing uses a representative sample of assessment objects (by type and number within type) Testing other specific assessment objects deemed particularly important to achieving the assessment objective Determines whether security and privacy controls are implemented and free of obvious errors Determines whether there are increased grounds for confidence that the controls are implemented correctly and operating as intended. 3. Comprehensive testing

65 Test Attributes: Depth, Coverage Coverage: addresses the scope or breadth of the testing process and includes the types of assessment objects to be tested, the number of objects to be tested (by type), and specific objects to be tested 3 Levels of coverage for testing: 1. Basic testing 2. Focused testing 3. Comprehensive testing Uses a sufficiently large sample of assessment objects (by type and number within type) Users other specific assessment objects deemed particularly important to achieving the assessment objective Determines whether the security and privacy controls are implemented and free of obvious errors and Determines whether there are further increased grounds for confidence that the controls are implemented correctly and operating as intended on an ongoing and consistent basis Determines if there is support for continuous improvement in the effectiveness of the controls

66 Agenda NIST Risk Management Framework A quick review Implementing controls Host hardening Security configuration checklist (w/disa STIG Viewer) NIST Ar4 How Controls are Assessed SCAP - Security Content Automation Protocol FedRAMP System Security Plan s Section 13 A controls deep dive Identity and Authentication controls assessment questions Team Project - SSP drafts

67 SCAP (Security Content Automation Protocol) pronounced ess-cap Purpose: Used for continuously monitoring deployed computer systems and applications for detectable vulnerabilities and assure they incorporate security upgrades to software ( patches ) and deploy updates to configurations SCAP based on a number of open standards, widely used to enumerate software flaws and configuration issues related to security The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP Vendors can get their computer system configuration scanner product validated against SCAP, demonstrating that it will interoperate with other scanners and express the scan results in a standardized way Validated tools for automating collection of assessment objects used in Examine, Inspect and Test activities

68 Examine: SCAP (Security Content Automation Protocol) validated tools may be used to automate collection of assessment objects Common SCAP uses Security configuration verification Compare settings in a checklist to a system s actual configuration Verify configuration before deployment, audit/assess/monitor operational systems Map individual settings to high-level requirements (requirements traceability) Verifying patch installation and identifying missing patches Check systems for signs of compromise Known characteristics of attacks, such as altered files or the presence of a malicious service

69

70 SCAP Compliance Scan Results

71 SCAP: Individual compliance check result for scanned host

72 SCAP (Security Content Automation Protocol) validated tools may be used to automate collection of assessment objects National Vulnerability Database (NVD) National Checklist Program (NCP): NIST SP , Guide to Adopting and Using SCAP NIST SP r2, The Technical Specification for SCAP NIST SP r2, National Checklist Program for IT Products More documentation and tools:

73 DISA STIG Tool + SCAP Tool

74 Agenda NIST Risk Management Framework A quick review Implementing controls Host hardening Security configuration checklist (w/disa STIG Viewer) NIST Ar4 How Controls are Assessed SCAP - Security Content Automation Protocol FedRAMP System Security Plan s Section 13 A controls deep dive Identity and Authentication controls assessment questions Team Project - SSP drafts

75 SSP Table of Contents 1 INFORMATION SYSTEM NAME/TITLE 2 INFORMATION SYSTEM CATEGORIZATION 2.1 Information Types 2.2 Security Objectives Categorization (FIPS 199) 2.3 E-Authentication Determination 3 INFORMATION SYSTEM OWNER 4 AUTHORIZING OFFICIAL 5 OTHER DESIGNATED CONTACTS 6 ASSIGNMENT OF SECURITY RESPONSIBILITY 7 INFORMATION SYSTEM OPERATIONAL STATUS 8 INFORMATION SYSTEM TYPE 8.1 Cloud Service Models 8.2 Cloud Deployment Models 8.3 Leveraged Authorizations 9 GENERAL SYSTEM DESCRIPTION 9.1 System Function or Purpose 9.2 Information System Components and Boundaries 9.3 Types of Users 9.4 Network Architecture 10 SYSTEM ENVIRONMENT AND INVENTORY 10.1 Data Flow 10.2 Ports, Protocols and Services 11 SYSTEM INTERCONNECTIONS 12 LAWS, REGULATIONS, STANDARDS AND GUIDANCE 12.1 Applicable Laws and Regulations 12.2 Applicable Standards and Guidance 13 MINIMUM SECURITY CONTROLS 14 ACRONYMS 15 ATTACHMENTS ATTACHMENT 1 - Information Security Policies and Procedures ATTACHMENT 2 - User Guide ATTACHMENT 3 e-authentication Worksheet Introduction and Purpose Information System Name/Title E-Authentication Level Definitions Review Maximum Potential Impact Levels E-Authentication Level Selection ATTACHMENT 4 PTA / PIA Privacy Overview and Point of Contact (POC) Applicable Laws and Regulations Applicable Standards and Guidance Personally Identifiable Information (PII) Privacy Threshold Analysis Qualifying Questions Designation ATTACHMENT 5 - Rules of Behavior ATTACHMENT 6 Information System Contingency Plan ATTACHMENT 7 - Configuration Management Plan ATTACHMENT 8 - Incident Response Plan ATTACHMENT 9 - CIS Report and Worksheet ATTACHMENT 10 - FIPS 199 Introduction and Purpose Scope System Description Methodology ATTACHMENT 11 - Separation of Duties Matrix ATTACHMENT 12 FedRAMP Laws and Regulations ATTACHMENT 13 FedRAMP Inventory Workbook

76 Back to our SSP s Technical Controls: Section 13

77 Technical Controls

78 Identification and Authentication (IA) Organizations must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

79 Identification and Authentication (IA)

80 IA-1 Identification and Authentication Policy and Procedures Control: The organization: a. Develops, documents, and disseminates to [Assignment: organizationdefined personnel or roles]: 1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and b. Reviews and updates the current: a. Identification and authentication policy [Assignment: organization-defined frequency]; and b. Identification and authentication procedures [Assignment: organization-defined frequency].

81

82 IA-1 Identification and Authentication Policy and Procedures

83 Identification and Authentication (IA)

84 IA-2 Identification and Authentication (Organizational Users) Control: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users)

85 IA-2 Identification and Authentication SSP

86 Identity Assurance

87 Identity Assurance

88 Authenticator Assurance AAL1 : = 1 Factor AAL2 : = 2 Factors AAL3 : = 2 Factors: Hardware-based authenticator and an authenticator that provides verifier impersonation resistance AAL = Authenticator Assurance Level

89 IA-2 Identification and Authentication

90 IA-2 Identification and Authentication Control Enhancement:

91 IA-2 Identification and Authentication Control Enhancement: (12) Acceptance of PIV Credentials: The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials SP Ar4

92 Technical Controls

93 Agenda NIST Risk Management Framework A quick review Implementing controls Host hardening Security configuration checklist (w/disa STIG Viewer) NIST Ar4 How Controls are Assessed SCAP - Security Content Automation Protocol FedRAMP System Security Plan s Section 13 A controls deep dive Identity and Authentication controls assessment questions Team Project - SSP drafts

94 SSP Table of Contents 1 INFORMATION SYSTEM NAME/TITLE 2 INFORMATION SYSTEM CATEGORIZATION 2.1 Information Types 2.2 Security Objectives Categorization (FIPS 199) 2.3 E-Authentication Determination 3 INFORMATION SYSTEM OWNER 4 AUTHORIZING OFFICIAL 5 OTHER DESIGNATED CONTACTS 6 ASSIGNMENT OF SECURITY RESPONSIBILITY 7 INFORMATION SYSTEM OPERATIONAL STATUS 8 INFORMATION SYSTEM TYPE 8.1 Cloud Service Models 8.2 Cloud Deployment Models 8.3 Leveraged Authorizations 9 GENERAL SYSTEM DESCRIPTION 9.1 System Function or Purpose 9.2 Information System Components and Boundaries 9.3 Types of Users 9.4 Network Architecture 10 SYSTEM ENVIRONMENT AND INVENTORY 10.1 Data Flow 10.2 Ports, Protocols and Services 11 SYSTEM INTERCONNECTIONS 12 LAWS, REGULATIONS, STANDARDS AND GUIDANCE 12.1 Applicable Laws and Regulations 12.2 Applicable Standards and Guidance 13 MINIMUM SECURITY CONTROLS 14 ACRONYMS 15 ATTACHMENTS ATTACHMENT 1 - Information Security Policies and Procedures ATTACHMENT 2 - User Guide ATTACHMENT 3 e-authentication Worksheet Introduction and Purpose Information System Name/Title E-Authentication Level Definitions Review Maximum Potential Impact Levels E-Authentication Level Selection ATTACHMENT 4 PTA / PIA Privacy Overview and Point of Contact (POC) Applicable Laws and Regulations Applicable Standards and Guidance Personally Identifiable Information (PII) Privacy Threshold Analysis Qualifying Questions Designation ATTACHMENT 5 - Rules of Behavior ATTACHMENT 6 Information System Contingency Plan ATTACHMENT 7 - Configuration Management Plan ATTACHMENT 8 - Incident Response Plan ATTACHMENT 9 - CIS Report and Worksheet ATTACHMENT 10 - FIPS 199 Introduction and Purpose Scope System Description Methodology ATTACHMENT 11 - Separation of Duties Matrix ATTACHMENT 12 FedRAMP Laws and Regulations ATTACHMENT 13 FedRAMP Inventory Workbook

95 Cloud Service Models: IaaS? PaaS? SaaS?

96 Agenda NIST Risk Management Framework A quick review Implementing controls Host hardening Security configuration checklist (w/disa STIG Viewer) NIST Ar4 How Controls are Assessed SCAP - Security Content Automation Protocol FedRAMP System Security Plan s Section 13 A controls deep dive Identity and Authentication controls assessment questions Team Project - SSP drafts