Information Systems Security Requirements for Federal GIS Initiatives

Similar documents
The next generation of knowledge and expertise

June 1, 2006 FEA Security and Privacy Profile, Version 2.0 Page i

Appendix 12 Risk Assessment Plan

Streamlined FISMA Compliance For Hosted Information Systems

Appendix 12 Risk Assessment Plan

FedRAMP Security Assessment Framework. Version 2.0

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) A presentation by Lawrence Feinstein, CISSP

3/2/2012. Background on FISMA-Reheuser. NIST guidelines-cantor. IT security-huelseman. Federal Information Security Management Act

David Missouri VP- Governance ISACA

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

Fiscal Year 2013 Federal Information Security Management Act Report

INFORMATION ASSURANCE DIRECTORATE

FedRAMP Security Assessment Framework. Version 2.1

IT-CNP, Inc. Capability Statement

FISMAand the Risk Management Framework

Security and Privacy Governance Program Guidelines

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

Agency Guide for FedRAMP Authorizations

FiXs - Federated and Secure Identity Management in Operation

INFORMATION ASSURANCE DIRECTORATE

Exhibit A1-1. Risk Management Framework

Information Security Program

Introduction to the Federal Risk and Authorization Management Program (FedRAMP)

DIACAP and the GIG IA Architecture. 10 th ICCRTS June 16, 2005 Jenifer M. Wierum (O) (C)

Innovating with Less Across the Federal IT Portfolio: The Role of Shared Services and Enterprise Architecture

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

INFORMATION ASSURANCE DIRECTORATE

NIST Security Certification and Accreditation Project

CLOSING IN FEDERAL ENDPOINT SECURITY

DoD Internet Protocol Version 6 (IPv6) Contractual Language

Risk Management Framework for DoD Medical Devices

STUDENT GUIDE Risk Management Framework Step 1: Categorization of the Information System

Inspector General. Report on the Peace Corps Information Security Program. Peace Corps Office of. Background FISCAL YEAR 2017

Federal Enterprise Architecture and E-Government: Issues for Information Technology Management

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

GAO INFORMATION SECURITY. Comments on the Proposed Federal Information Security Management Act of Testimony

National Defense University and IRMC. National Defense University

Continuous Monitoring & Security Authorization XACTA IA MANAGER: COST SAVINGS AND RETURN ON INVESTMENT IA MANAGER

MIS Week 9 Host Hardening

CyberUSA Government Cyber Opportunities for your Region: The Federal Agenda - Federal, Grants & Resources Available to Support Community Cyber

Cybersecurity Risk Management

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

FISMA Compliance and the Search for Security. Tim Murray NES Associates February 5, 2008

Exploring the Maturity of Risk Management Process in Government: An Integrated ERM Model at the U.S. Department of Education

IT Governance Framework at KIT

SAC PA Security Frameworks - FISMA and NIST

CCISO Blueprint v1. EC-Council

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

TEL2813/IS2820 Security Management

Recovery Accountability and Transparency Board

INFORMATION ASSURANCE DIRECTORATE

Guide to Understanding FedRAMP. Version 2.0

PKI and FICAM Overview and Outlook

Department of Defense Cybersecurity Requirements: What Businesses Need to Know?

DIRECTIVE TRANSMITTAL

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

RISK MANAGEMENT FRAMEWORK COURSE

Outline. Why protect CUI? Current Practices. Information Security Reform. Implementation. Understanding the CUI Program. Impacts to National Security

ROADMAP TO DFARS COMPLIANCE

OFFICE OF THE DIRECTOR OF NATIONAL INTELLIGENCE INTELLIGENCE COMMUNITY POLICY MEMORANDUM NUMBER

Department of Defense INSTRUCTION

High Performance Computing Environment for Research on Restricted Data. Dr. Erik Deumens Rob Adams Dr. Alin Dobra

GAO INFORMATION SECURITY. Veterans Affairs Needs to Address Long-Standing Weaknesses

Interagency Advisory Board HSPD-12 Insights: Past, Present and Future. Carol Bales Office of Management and Budget December 2, 2008

Department of Defense (DoD) Joint Federated Assurance Center (JFAC) Overview

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

OFFICE OF THE UNDER SECRETARY OF DEFENSE 3000DEFENSEPENTAGON WASHINGTON, DC

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

State Governments at Risk: State CIOs and Cybersecurity. CSG Cybersecurity and Privacy Policy Academy November 2, 2017

Ensuring System Protection throughout the Operational Lifecycle

Leveraging FISMA Guidance to Support an Effective Risk Management Strategy to Secure IT Systems and Meet Regulatory Requirements.

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

Security Management Models And Practices Feb 5, 2008

FISMA Cybersecurity Performance Metrics and Scoring

DEPARTMENT OF HEALTH and HUMAN SERVICES. HANDBOOK for

ICGI Recommendations for Federal Public Websites

Cyber Security Program

DFARS Cyber Rule Considerations For Contractors In 2018

Data Governance Strategy

ENCORE II REQUIREMENTS CHECKLIST AND CERTIFICATIONS

ENTERPRISE ARCHITECTURE

EVALUATION REPORT. Independent Evaluation of NRC s Implementation of the Federal Information Security Management Act (FISMA) for Fiscal Year 2011

1 RESEARCH COURT, SUITE 340 ROCKVILLE, MD GNS GNS-BD-CC

Program Review for Information Security Management Assistance. Keith Watson, CISSP- ISSAP, CISA IA Research Engineer, CERIAS

An Introduction to Department of Defense IA Certification and Accreditation Process (DIACAP)

10th International Command and Control Research and Technology Symposium The Future of C2

We are releasing 7 pages of responsive documents. Pursuant to FOIA, certain information has been redacted as it is exempt from release.

Solutions Technology, Inc. (STI) Corporate Capability Brief

GAO. HOMELAND SECURITY OMB s Temporary Cessation of Information Technology Funding for New Investments

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Contemporary Challenges for Cloud Service Providers Seeking FedRAMP Compliance

INFORMATION ASSURANCE DIRECTORATE

In 2017, the Auditor General initiated an audit of the City s information technology infrastructure and assets.

UNITED STATES OFFICE OF PERSONNEL MANAGEMENT

PilieroMazza Webinar Preparing for NIST SP December 14, 2017

Information Security Strategy

Federal Government. Each fiscal year the Federal Government is challenged CATEGORY MANAGEMENT IN THE WHAT IS CATEGORY MANAGEMENT?

Transcription:

Requirements for Federal GIS Initiatives Alan R. Butler, CDP Senior Project Manager Penobscot Bay Media, LLC 32 Washington Street, Suite 230 Camden, ME 04841 1

Federal GIS "We are at risk," advises the National Research Council in Computers at Risk. "Although we trust them, computers are vulnerable to the effects of poor design and insufficient quality control, to accident, and perhaps most alarmingly, to deliberate attack. The modern thief can steal more with a computer than with a gun... To date, we have been remarkably lucky. The risk of fraud, waste, abuse, embarrassment to the government, and loss of public confidence increases as computer systems are more widely used and software becomes more complex. President s Management Council 2

Take Away from our Time Together... Information Systems Security Federal Regulations and Guidance Mandates... Historical Perspective GIS compliance with Federal Regulations and Guidance Mandates for Information Systems Security / Information Assurance Awareness of and Diligence toward INFO SEC Requirements, GISrelated Security Programs and Management Controls GIS INFO SEC -- Not just an Integral Part of Federal Workers and Contractors day-to-day Responsibilities... It s the Law! 3

Clinger-Cohen Cohen Act Clinger-Cohen Act (40 U.S.C. 1401(3)) Information Technology Management Reform Act of 1996 Implemented the Capital Planning Investment Control (CPIC) IT budget planning process Granted to the Director of the Office of Management and Budget (OMB) authority to oversee the acquisition, use, and disposal of information technology by the Federal government Established Chief Information Officer (CIO) positions in every department and agency in the federal government Established CIO Council from 28 major agencies (CIOC) and OMB Defined Information Technology Architecture (ITA) for evolving and acquiring Information Technology OMB grades IT projects and funds accordingly with an at-risk category. The risk involved is not receiving initial or on-going funding for the IT project. 4

FEA PMO 2001: Federal Enterprise Architecture Framework and FEA PMO As part of the President s Management Agenda (PMA)... OMB s Office of E-Government and Information Technology (E-Gov & IT) Support of the General Services Administration (GSA) Support of the Federal CIOC Established the Federal Enterprise Architecture (FEA) Program (replacing ITA) -- Comprehensive business-driven blueprint of the entire Federal Government. FEA Program Management Office (FEA PMO)... Located in OMB s Office of E-Gov and IT Equips OMB and Government with a common language and framework Describe and analyze IT investments Enhance collaboration Transform Government... citizen-centered, results-oriented and market-based 5

FEA PMO TODAY: Federal Enterprise Architecture Framework and FEA PMO FEA Reference Models designed to facilitate cross-agency... Analysis and Identification of Duplicative Investments Uncover Gaps and Opportunities for Collaboration within and across Agencies PRM (Performance Reference Model) BRM (Business Reference Model) SRM (Service Reference Model) DRM (Data Reference Model) TRM (Technical Reference Model) FEA Profiles framework... Cross-cut the inter-related FEA reference models Based upon a particular subject matter (Expertise Area) Security & Privacy (Phase I Final; 07/29/2004) Records Management (Version 1.0; 12/15/2005) Geospatial (Version 1.1; 01/27/2006) Describe how each Reference Model addresses Expertise Areas and how agencies can utilize resources, standards, best practices and use cases 6

OMB TODAY: Department/Agency Reports required by OMB For any IT project to be included for OMB review (i.e., Will the agency get its initial and continuing IT funding?) it must be mapped into the FEA. Initial and on-going reports for FEA compliance: OMB Circular A-11; Exhibit 53 (IT Investment Portfolio) OMB Circular A-11; Exhibit 300 (Business Case) OMB Circular A-130; Appendix III (Information Systems Security) Deficiencies & Material Weaknesses Summary of Department/Agency Security Plans 7

FISMA From Clinger-Cohen CPIC to GISRA to FISMA... Clinger-Cohen requires agencies to manage IT budgets by adhering to the CPIC process. Government Information Security Reform Act (GISRA expired in 2002) Provided Management Framework for Security of Government IT Required Agencies to Assess the Security of IT systems Included Risk Assessments and Security Needs in Budget Requests Federal Information Security Management Act (FISMA - December 2002) Title III of the E-Government Act Replaced GISRA FISMA Emphasizes a Risk-based Policy for Cost-Effective IT Security 8

FISMA FISMA requires executive agencies within the federal government to: Plan for Information Systems Security Ensure that Appropriate Officials are Assigned Security Responsibility Periodically Review the Security Controls in their Information Systems Authorize System Processing Prior to Operations, and Authorize System Processing Periodically thereafter Federal IT Managers and officials must understand the current status of their Security Programs and the security controls planned or in place to protect their information and information systems in order to make informed judgments and investments. - E-Gov Act; Title III; FISMA (2002) FISMA also authorizes and empowers the National Institute of Standards and Technology (NIST) to develop and implement a suite of security standards and guidelines required by the legislation. 9

Standards & Guidance Security Standards and Guidelines Development (2004-05)... FISMA Implementation focuses on the development of a suite of security standards and guidelines (NIST) necessary to create a robust information security program and effectively manage risk to agency operations and agency assets. FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems NIST Special Publication 800-53A, Guide for Assessing the Security 10 Controls in Federal Information Systems

Standards & Guidance Security Standards and Guidelines Development continued... NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems NIST Special Publication 800-59, Guide for Identifying an Information System as a National Security System FIPS Publication 200, Security Controls for Federal Information Systems (Draft) NIST Special Publication 800-26 Rev. 1, Assessment Guide for Information Systems and Security Programs NIST Special Publication 800-18 Rev. 1, Guide for Developing Security Plans for Information Systems 11

NIST FIPS & SP s NIST publishes two types of security documents: 1) Federal Information Processing Standards (FIPS); and 2) Special Publications (800-series guidance). IT S THE LAW! FISMA requires Federal Departments/Agencies to comply with FIPS. FIPS are mandatory and non-waiverable. Office of Management and Budget policy requires Federal Government to comply with NIST Special Publications (800-series guidance). The compliance dates for NIST Security Standards and Guidelines are as follows: For legacy information systems, compliance with NIST security standards and guidelines within one year of the final publication date. For information systems under development, compliance with NIST security standards and guidelines immediately upon deployment of the 12 information systems.

GIS and the Federal Government... Information Systems Security GIS Data Electronic Geospatial Information Systems (GIS) data resides in two basic areas: Bulk in some form of repository, such as a database or collection of individual files (called Data at Rest) Small quantities being transmitted over networks or the Internet (called Data on the Wire) GIS data is vulnerable no matter where it resides. While most agencies take precautions, many of those precautions turn out to be woefully lacking mandated management, personnel, operational and technical controls. The key lies in knowing the regulations and guidance that implements an approved Information Systems Security capability, knowing where vulnerabilities exist and making appropriate risk-based decisions. 13

GIS and the Federal Government... Information Systems Security Risk, SSP, C&A, etc. The assessment of risk and the development of security plans are two important activities in an agency's information security program that directly support the security accreditation process and are required under FISMA and OMB Circular A-130. The classification of data sensitivity and its relative importance to overall success of agency mission is integral to the assessment of risk. And, all federal information systems must undergo the process of Certification & Accreditation no matter if they are legacy systems, new software systems ready for production, or planned systems only in development. 14

Risk Assessment Risk Assessments... Influence the Development of the Security Requirements for Information Systems Influence the Security Controls implemented for Information Systems Generate information needed for System Security Plans (SSP) Influence the success of Certification and Accreditation (C&A) Varying guidance for civilian and defense All now must follow Security Best Practices and NIST Guidance: Civilian: C&A, SCAP, etc. DoD: DITSCAP (coming soon... DIACAP) 15

Risk Assessment Methodology... Information Systems Security Risk Assessment Identify System Assets (System Characterization) Define System Security Needs (Data Sensitivity Analysis, Rules of Behavior, etc.) Identify System Threats Analyze System Vulnerabilities Evaluate possible compromise to system and its mission Determine Risk Levels Develop the Risk Assessment Report 16

17

GIS and the Federal Government... Information Systems Security OMB Funding of IT Projects All agencies must implement the requirements of FISMA and report annually to OMB on the effectiveness of their security programs. OMB uses the information to help evaluate agency-specific and government-wide security performance, develop its annual security report to Congress, assist in improving and maintaining adequate agency security performance, and inform on the development of the E-Government Scorecard under the President s Management Agenda. OMB uses a simple color-code to visually rank each agency s at-risk status (Green = Fully Compliant, Yellow = With Issues, and Red = Non-compliant). If an agency is not in the Green (i.e., at-risk) then they stand a good chance of not receiving and/or maintaining funding for their IT budgets. As GIS begins to take a more prominent position in the Federal Enterprise Architecture, GIS systems MUST come into compliance with FISMA and its related mandates. We should provide the expertise and tools to assist those agencies in meeting their Information Systems Security goals. 18

Additional GIS-related Guidance and Information... Information Systems Security Additional GIS Guidance President s Geospatial One-Stop Initiative... provide Federal, State, local and tribal agencies with a single point of access to map-related data enabling consolidation of redundant data. The goal is to improve the ability of the public and government to use geospatial information to support the business of government and improve decision making. Geospatial One-Stop awards contract to ESRI for Version 2 portal February 2, 2005. OMB has issued guidance (i.e., OMB Circulars A-11 and A-16) providing direction for Federal agencies producing, maintaining or using spatial data either directly or indirectly in the fulfillment of their mission. This direction includes general responsibilities for preparing, maintaining, publishing and implementing a strategy for advancing spatial data activities in support of the National Spatial Data Infrastructure (NSDI) strategy. It instructs agencies to use Federal Geographic Data Committee (FGDC) data standards. Annual reporting through A-11 Exhibit 300 submissions is also required. 19

Thank You for your Time and Attention! Penobscot Bay Media, LLC 32 Washington Street, Suite 230 Camden, ME 04841 207-230-0182 www.penbaymedia.com Alan Butler abutler@penbaymedia.com 20

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback