Streamlined FISMA Compliance For Hosted Information Systems

Similar documents
IT-CNP, Inc. Capability Statement

INFORMATION ASSURANCE DIRECTORATE

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

DIACAP and the GIG IA Architecture. 10 th ICCRTS June 16, 2005 Jenifer M. Wierum (O) (C)

Information Systems Security Requirements for Federal GIS Initiatives

SYSTEMS ASSET MANAGEMENT POLICY

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

TEL2813/IS2820 Security Management

Security Management Models And Practices Feb 5, 2008

Introduction to AWS GoldBase

FISMAand the Risk Management Framework

SAC PA Security Frameworks - FISMA and NIST

Protecting your data. EY s approach to data privacy and information security

The next generation of knowledge and expertise

Agency Guide for FedRAMP Authorizations

Federal Information Security Management Act (FISMA) Operational Controls and Their Relationship to Process Maturity

The Common Controls Framework BY ADOBE

Appendix 12 Risk Assessment Plan

INFORMATION ASSURANCE DIRECTORATE

David Missouri VP- Governance ISACA

ISC2. Exam Questions CAP. ISC2 CAP Certified Authorization Professional. Version:Demo

Program Review for Information Security Management Assistance. Keith Watson, CISSP- ISSAP, CISA IA Research Engineer, CERIAS

Continuous Monitoring & Security Authorization XACTA IA MANAGER: COST SAVINGS AND RETURN ON INVESTMENT IA MANAGER

U.S. FLEET CYBER COMMAND U.S. TENTH FLEET Managing Cybersecurity Risk

Big Brother is Watching Your Big Data: z/os Actions Buried in the FISMA Security Regulation

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Akamai White Paper. FedRAMP SM Helps Government Agencies Jumpstart their Journey to the Cloud. FedRAMP. Federal Risk Authorization Management Program

Solutions Technology, Inc. (STI) Corporate Capability Brief

RISK MANAGEMENT FRAMEWORK COURSE

MIS Week 9 Host Hardening

INFORMATION ASSURANCE DIRECTORATE

Appendix 12 Risk Assessment Plan

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

Leveraging FISMA Guidance to Support an Effective Risk Management Strategy to Secure IT Systems and Meet Regulatory Requirements.

Telos and Amazon Web Services (AWS): Accelerating Secure and Compliant Cloud Deployments

Certified Information Security Manager (CISM) Course Overview

PROFESSIONAL SERVICES (Solution Brief)

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

COMPLIANCE IN THE CLOUD

ROADMAP TO DFARS COMPLIANCE

ASD CERTIFICATION REPORT

An Introduction to Department of Defense IA Certification and Accreditation Process (DIACAP)

American Association for Laboratory Accreditation

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) A presentation by Lawrence Feinstein, CISSP

MINIMUM SECURITY CONTROLS SUMMARY

NIST Security Certification and Accreditation Project

10/12/2017 WHAT IS NIST SP & WHY SHOULD I CARE ABOUT IT? OVERVIEW SO, WHAT IS NIST?

DoDD DoDI

Challenges 3. HAWK Introduction 4. Key Benefits 6. About Gavin Technologies 7. Our Security Practice 8. Security Services Approach 9

INFORMATION ASSURANCE DIRECTORATE

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

WHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 1 OF 3

Ensuring System Protection throughout the Operational Lifecycle

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

Compliance with NIST

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

Automating the Top 20 CIS Critical Security Controls

Courses. X E - Verify that system acquisitions policies and procedures include assessment of risk management policies X X

Executive Order 13556

NIST Special Publication

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

STUDENT GUIDE Risk Management Framework Step 1: Categorization of the Information System

Department of Defense Fiscal Year (FY) 2014 IT President's Budget Request Defense Media Activity Overview

CSAM Support for C&A Transformation

CIP Cyber Security Personnel & Training

CYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA

INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE ASIA/PAC RECOMMENDED SECURITY CHECKLIST

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Managed Trusted Internet Protocol Service (MTIPS) Enterprise Infrastructure Solutions (EIS) Risk Management Framework Plan (RMFP)

INFORMATION ASSURANCE DIRECTORATE

NIST Special Publication

FedRAMP Training - Continuous Monitoring (ConMon) Overview

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

Job Aid: Introduction to the RMF for Special Access Programs (SAPs)

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

SECURITY & PRIVACY DOCUMENTATION

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

Student Guide Course: Introduction to the NISP Certification and Accreditation Process

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

International Standard ISO/IEC 17799:2000 Code of Practice for Information Security Management. Frequently Asked Questions

Altius IT Policy Collection Compliance and Standards Matrix

CISA Training.

CNSS Advisory Memorandum Information Assurance December 2010 Advisory Memorandum

No IT Audit Staff? How to Hack an IT Audit. Presenters. Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP

Exhibit A1-1. Risk Management Framework

Rev.1 Solution Brief

STUDENT GUIDE Risk Management Framework Step 5: Authorizing Systems

Security and Privacy Governance Program Guidelines

locuz.com SOC Services

Altius IT Policy Collection Compliance and Standards Matrix

INFORMATION ASSURANCE DIRECTORATE

Symantec Security Monitoring Services

CIP Cyber Security Systems Security Management

Introduction to the Federal Risk and Authorization Management Program (FedRAMP)

Security Standards for Electric Market Participants

Department of Defense Cybersecurity Requirements: What Businesses Need to Know?

Fiscal Year 2013 Federal Information Security Management Act Report

Transcription:

Streamlined FISMA Compliance For Hosted Information Systems Faster Certification and Accreditation at a Reduced Cost IT-CNP, INC. WWW.GOVDATAHOSTING.COM WHITEPAPER

:: Executive Summary Federal, State and Local Government agencies alike are increasingly turning to web-based outsourced hosted solutions. Achieving an operational level of FISMA security compliance is time and resource intensive, even for hosted solutions. IT-CNP has a mature methodology to minimize the time and risk associated with information system Certification and Accreditation process. :: Hosted Solutions Overview Created exclusively to serve the demanding hosting needs of Federal, State and Local government agencies, GovDataHosting.Com serves as a unique hosting solutions provider that delivers governmental proven past performance, solid value and hosting industry's best practices at a cost-effective price. GovDataHosting.Com is a division of IT-CNP, Inc., a national provider of FISMA compliant secure hosting, information management and cyber security services as a standard set of its service offerings. IT-CNP provides industry leading certified professionals with solid technical background experience, able to support a full range of cyber security, hosted hardware and software support issues. For hosted Federal information system under our care, we specialize in providing a package of secure FISMA compliant hosting solutions, required level of security controls and a set of all-inclusive C&A documentation support services to accommodate all aspects of government security requirements. Hosted systems within our secure NIST and DIACAP compliant telecommunications infrastructure are supported by technology specialists experienced in all aspects of FISMA compliance. :: What Is FISMA Compliance? FISMA is the Federal Information Security Management Act of 2002. It was passed as Title III of the E-Government Act (Public Law 10-34) in December 2002. By setting a uniform policy for information security across the Executive Branch of the government, FISMA requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. FISMA requirements are applicable to all civilian agencies, the Department of Defense, the Intelligence Community and many quasigovernment organizations. Specifically, FISMA requires federal departments and agencies to: Maintain an inventory of information systems Categorize information systems by risk Implement policies and procedures to reduce risk Certify and accredit information systems Implement the appropriate security controls Periodically test information assurance controls Implement continuity of operations Implement security incident response The benefits of FISMA compliance lead to: The implementation of cost-effective, risk-based information security programs The establishment of a level of security due diligence for federal agencies and contractors Consistent and cost-effective application of security controls across the federal government information technology infrastructure Enterprise-wide mission risks visibility for all information systems Improved information systems security for the critical infrastructure of the United States Page 2 Streamlined FISMA Compliance For Hosted Information Systems

Page 3 Streamlined FISMA Compliance For Hosted Information Systems :: Certification and Accreditation The Certification and Accreditation (C&A) process is the process whereby the government audits the policies, procedures, controls and contingency planning of each Federal government information system. The C&A process is much more comprehensive than just a security audit of the application or the server infrastructure. The C&A process incorporates a thorough review of the organization s security policies and procedures (management controls), physical facility infrastructure (operational controls) as well as network, server and application security testing, penetration testing and scanning (technical controls), encompassing four phases. Initiation Security Certification Security Accreditation Continuous Monitoring The Initiation consists of three tasks: (i) preparation; (ii) notification and resource identification; and (iii) system security plan analysis, update, and acceptance. The purpose of this phase is to ensure that the authorizing official and senior agency information security officer are in agreement with the contents of the system security plan, before the assessment of the security controls in the information system. The Certification consists of two tasks: (i) security control assessment; and (ii) security certification documentation. The purpose of this phase is to determine the extent to which the security controls in the information system are implemented correctly, operating as intended, and meet the security requirements for the system in accordance to its risk classification. C&A Process Overview Initiation Certification The Accreditation consists of two tasks: (i) security accreditation decision; and (ii) security accreditation documentation. This phase is completed when a high-ranking government official approves the operation of the information system by issuing an Authorization To Operate (ATO) based on the results of the certification documentation and audit of all applicable technical, operational and management security controls. The Continuous Monitoring consists of three tasks: (i) configuration management and control; (ii) security control monitoring; and (iii) status reporting and documentation. The purpose of this phase is to oversee and monitor the security controls in the information system on an ongoing basis and to inform the authorizing official when changes occur that may impact on the security of the system. The activities in this phase are performed continuously throughout the life cycle of the information system. The C&A process is much more comprehensive than just a security audit of the application or the server infrastructure. The C&A process incorporates a thorough review of the organization s security policies and procedures (management controls), physical facility infrastructure (operational controls) as well as network, server and application security testing, penetration testing and scanning (technical controls). Completing a security accreditation ensures that an information system will be operated with appropriate management review, that there is ongoing monitoring of security controls, and that reaccreditation occurs periodically in accordance with federal or agency policy and whenever there is a significant change to the system or its operational environment. Continuous Monitoring Accreditation Each system must receive an ATO before a system can be legitimately used for production purposes.

:: C&A Certification Package The goal of the preparation for the C&A process is to compile a collection of information system-specific documents that describe the security posture of the system, evaluate risks, and make recommendations for correcting any known deficiencies. The documents package is commonly known as the Certification Package. A typical Certification Package usually contains at least a half a dozen components, though significantly more documentation is required if the system contains classified information or high risk data. Once a Certification Package is prepared, the government agency IA auditors review the package and make decisions on whether or not the systems should be accredited. Core Certification Package System Security Plan System Contingency Plan In preparing a C & A Certification Package, the following components are prepared as required: System Overview, Stakeholder Identification, System Security Boundary, Network and System Diagrams, Software, Firmware and Hardware Inventory, System Risk Assessment, System Contingency Plan, Self-Assessment, System Security Plan, Other agency-specific documents. :: C&A Methodologies Security Self Assessment Agency Specific Documentation To comply with FISMA requirements, the following two C&A methodologies are mainly used. NIST C&A Methodology is used for most civilian (e.g. Transportation, HUD, USDA, Commerce, Treasury) and quasi-government agencies. NIST stands for the National Institute Of Standards and Technology. :: NIST C&A Methodology NIST created a series of Special Publications that provide specific C&A guidance on implementing the provisions of FISMA and related policies. These Special Publications collectively define a Risk Management Framework for Federal information systems. NIST C&A process is defined in Special Publication 800-3 while Special Publication 800-53 contains a standardized set of applicable security control requirements for information systems, grouped by functional areas as listed below. NIST Control Subject Area Risk Assessment Planning System and Services Acquisition Certification, Accreditation and Security Assessments Personnel Security Physical and Environmental Protection Contingency Planning Configuration Management Maintenance System and Information Integrity Media Protection Incident Response Awareness and Training Identification and Authentication Access Control Audit and Accountability System and Communications Protection C&A Methodologies FISMA Compliance # of Controls 5 5 11 8 1 10 6 12 4 20 11 19 DIACAP C&A Methodology is used for the Department of Defense agencies. DIACAP stands for the Defense Information Assurance Certification and Accreditation Process. NIST C&A Methodology DIACAP C&A Methodology Page 4 Streamlined FISMA Compliance For Hosted Information Systems

Page 5 Streamlined FISMA Compliance For Hosted Information Systems :: DIACAP C&A Methodology DIACAP C&A Methodology is driven by the U.S. Department of Defense (DoD) regulatory policy listed in DoD Directive 8500 (Information Assurance). All applicable DIACAP Information Assurance (IA) controls are referenced in DoD Instruction 8500.2 (Information Assurance Implementation) and grouped by functional areas as listed in below. DIACAP Control Subject Area Security Design and Configuration Identification and Authentication Enclave and Computing Environment Enclave Boundary Defense Physical and Environmental Personal Continuity Vulnerability and Incident Management # of Controls 31 9 48 8 2 24 3 Under the DIACAP methodology, each information system is classified as one of the following Mission Assurance Categories (MAC): MAC I (equivalent of high risk and availability) MACII (equivalent of moderate risk and availability) MAC III (equivalent of low risk and availability) Additionally, the Confidentiality Level (CL) measures each information system s confidentiality requirements based on the type of information processed. The CL categories used are Classified, Sensitive and Public. To determine the applicable level of DIACAP IA controls applicable to a specific system, the government uses a combination of both the MAC and CL levels (e.g. MACII, Public). Each of the 9 unique MAC/CL combinations are cross-referenced to a set of applicable IA controls for each information system. :: Streamlined NIST and DIACAP C&A Processes IT-CNP significantly streamlines the C&A process by accelerating the Initiation of the process. To streamline the Initiation IT-CNP utilizes: Technical personnel experienced in NIST and DIACAP Documentation personnel experienced in the preparation of the Certification Package Proven NIST and DIACAP artifact document templates Operational, Management and Technical controls that have been audited by the government Datacenter facilities audited by the government Benefits of IT-CNP s Streamlined C&A Process A streamlined C&A process can be viewed by the stakeholders as beneficial from a number of different perspectives: Decrease in C&A process duration by over 50% Significant decrease of system deployment risk Decrease the C&A process cost by over 50% Predictable and successful system accreditation Increase in customer and stakeholder satisfaction IT-CNP significantly streamlines the C&A process by accelerating the Initiation of the process, which has a dramatic effect on the overall process. Moderate Risk (MACII) C&A Process Comparison Example Traditional C&A IT-CNP s Accelerated C&A I C I A C A C&A Legend I C A Initiation Certification Accreditation Time (Months) 1 2 3 4 5 6 8 9 Authorization To Operate (ATO) A traditional approach of accomplishing a C&A process on a hosted moderate risk system can last from - 9 months to accomplish all the necessary compliance tasking while IT-CNP s streamlined process typically takes 3-4 months. Please contact us for further information how we can streamline your C&A process with our FISMA compliant hosting infrastructure.

About IT-CNP IT-CNP, Inc., is a leading national provider of the premier government-oriented high availability hosting, information management, cyber security and custom helpdesk solutions. Created exclusively to serve the demanding hosting needs of Federal, State and Local government agencies, IT-CNP serves as a unique government oriented hosting solutions provider that delivers proven government past performance, solid value and secure hosting industry's best practices. Corporate Headquarters 9160 Red Branch Road Columbia, MD 21045 Tel 410.884.1004 Fax 410.884.0412 U.S. Toll Free 800.96.1004 www.it-cnp.com www.govdatahosting.com 2014 IT-CNP, Inc. All Rights Reserved. GovDataHosting.Com is a division of IT-CNP, Inc. Reproduction in whole or in part in any form or medium without express written permission is prohibited. IT-CNP and GovDataHosting logos are registered trademarks. Other trademarks contained herein are the property of their respective owners. IT-CNP believes that the information in this publication is accurate as of its publication date and such information is subject to change without notice.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback