How to Plan, Procure & Deploy a PIV-Enabled PACS

Similar documents
Smart Card Alliance Update. Update to the Interagency Advisor Board (IAB) June 27, 2012

Strategies for the Implementation of PIV I Secure Identity Credentials

FiXs - Federated and Secure Identity Management in Operation

Multiple Credential formats & PACS Lars R. Suneborn, Director - Government Program, HIRSCH Electronics Corporation

Interagency Advisory Board HSPD-12 Insights: Past, Present and Future. Carol Bales Office of Management and Budget December 2, 2008

HITPC Stage 3 Request for Comments Smart Card Alliance Comments January, 14, 2013

Interagency Advisory Board Meeting Agenda, Wednesday, April 24, 2013

Transportation Worker Identification Credential (TWIC) Steve Parsons Deputy Program Manager, TWIC July 27, 2005

National Strategy for CBRNE Standards

Section One of the Order: The Cybersecurity of Federal Networks.

INFORMATION ASSURANCE DIRECTORATE

000027

New Guidance on Privacy Controls for the Federal Government

Cybersecurity & Privacy Enhancements

Securing Federal Government Facilities A Primer on the Why, What and How of PIV Systems and PACS

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

TWIC / CAC Wiegand 58 bit format

Office of Transportation Vetting and Credentialing. Transportation Worker Identification Credential (TWIC)

Executive Order 13556

Interagency Advisory Board Meeting Agenda, Wednesday, February 27, 2013

Helping Meet the OMB Directive

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Will Federated Cross Credentialing Solutions Accelerate Adoption of Smart Card Based Identity Solutions?

NIST Security Certification and Accreditation Project

National Preparedness System (NPS) Kathleen Fox, Acting Assistant Administrator National Preparedness Directorate, FEMA April 27, 2015

Interagency Advisory Board Meeting Agenda, February 2, 2009

Information Systems Security Requirements for Federal GIS Initiatives

Security Guideline for the Electricity Sub-sector: Physical Security Response

THE WHITE HOUSE. Office of the Press Secretary EXECUTIVE ORDER

June 17, The NPRM does not satisfy Congressional intent

Legal, Ethical, and Professional Issues in Information Security

THE WHITE HOUSE Office of the Press Secretary EXECUTIVE ORDER

COUNTERING IMPROVISED EXPLOSIVE DEVICES

Interagency Advisory Board Meeting Agenda, Tuesday, November 1, 2011

Information Security Policy

How AlienVault ICS SIEM Supports Compliance with CFATS

Interagency Advisory Board Meeting Agenda, April 27, 2011

Trust Services for Electronic Transactions

Statement for the Record

DHS Cybersecurity: Services for State and Local Officials. February 2017

FIPS and NIST Special Publications Update. Smart Card Alliance Webinar November 6, 2013

Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

PKI and FICAM Overview and Outlook

IMPLEMENTING AN HSPD-12 SOLUTION

Threat and Vulnerability Assessment Tool

The J100 RAMCAP Method

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

MIS Week 9 Host Hardening

Interagency Advisory Board Meeting Agenda, December 7, 2009

State of the Industry and Councils Reports. Access Control Council

Secure Government Computing Initiatives & SecureZIP

Department of Homeland Security Updates

Electronic Security Systems Process Overview

The Common Controls Framework BY ADOBE

National Information Assurance (IA) Policy on Wireless Capabilities

CIP-014. JEA Compliance Approach. FRCC Fall Compliance Workshop Presenter Daniel Mishra

INFORMATION ASSURANCE DIRECTORATE

SAC PA Security Frameworks - FISMA and NIST

POSTMARKET MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES FINAL GUIDANCE MARCH 29, TH ANNUAL MEDICAL DEVICE QUALITY CONGRESS

PD 7: Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization, and Protection

Welcome to the CyberSecure My Business Webinar Series We will begin promptly at 2pm EDT All speakers will be muted until that time

Security and Privacy Governance Program Guidelines

Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security

Emergency Response Official Credentials: An Approach to Attain Trust in Credentials across Multiple Jurisdictions for Disaster Response and Recovery

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

Security Challenges with ITS : A law enforcement view

INFORMATION ASSURANCE DIRECTORATE

Kansas City s Metropolitan Emergency Information System (MEIS)

IEEE-SA Internet of Things - Security & Standards

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Cybersecurity and Data Protection Developments

SAND No C Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department

NAVAL DISTRICT WASHINGTON SMARTSHORE CASE STUDY Jeff Johnson NDW CIO (N6)

The Office of Infrastructure Protection

Continuous protection to reduce risk and maintain production availability

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

Department of Homeland Security

An Overview of Draft SP Derived PIV Credentials and Draft NISTIR 7981 Mobile, PIV, and Authentication

Appendix 12 Risk Assessment Plan

TWIC or TWEAK The Transportation Worker Identification Credential:

Risk-Based Cyber Security for the 21 st Century

Cybersecurity for the Electric Grid

Security Standards for Electric Market Participants

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

V A Physical Security Assessments LESSONS LEARNED

FedRAMP Security Assessment Framework. Version 2.0

NATIONAL INFORMATION SHARING STRATEGY

Cybersecurity Overview

Monthly Cyber Threat Briefing

The Benefits of Strong Authentication for the Centers for Medicare and Medicaid Services

Paul A. Karger

SOC 3 for Security and Availability

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration

Appendix 12 Risk Assessment Plan

Leveraging HSPD-12 to Meet E-authentication E

SECURITY & PRIVACY DOCUMENTATION

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

SECURITY CODE. Responsible Care. American Chemistry Council. 7 April 2011

National Policy and Guiding Principles

Transcription:

How to Plan, Procure & Deploy a PIV-Enabled PACS Access Control Council Webinar Series Session Two: Facility Characteristics & Risk Assessment

Introductions Randy Vanderhoof, Secure Technology Alliance Lars Suneborn, Secure Technology Alliance Michael Kelley, Parsons Corp. William Windsor, Department of Homeland Security 2 How to Plan, Procure & Deploy a PIV-Enabled PACS: Facility Characteristics & Risk Assessment

Who We Are 3 How to Plan, Procure & Deploy a PIV-Enabled PACS: Facility Characteristics & Risk Assessment

Access Control Council focuses on accelerating the widespread acceptance, use, and application of secure technologies in various form factors for physical and logical access control. The group brings together, in an open forum, leading users and technologists from both the public and private sectors. COUNCIL RESOURCES White Papers Commercial Identity Verification (CIV) Credential: Leveraging FIPS 201 and the PIV Card Standards A Comparison of PIV, PIV-I and CIV Credentials Federal Identity, Credential and Access Management (FICAM) Roadmap and Implementation Guidance Summary FIPS 201 and Physical Access Control: An Overview of the Impact of FIPS 201 on Federal Physical Access Control Systems FIPS 201 PIV II Card Use with Physical Access Control Systems: Recommendations to Optimize Transaction Time and User Experience Guide Specification for Architects and Engineers for Smart Card-based PACS Cards and Readers for Non-government PACS Personal Identity Verification Interoperability (PIV-I) for Non- Federal Issuers: Trusted Identities for Citizens across States, Counties, Cities and Businesses PIV Card/Reader Challenges with Physical Access Control Systems: A Field Troubleshooting Guide Smart Cards and Biometrics Strong Authentication Using Smart Card Technology for Logical Access Supporting the PIV Application in Mobile Devices with the UICC 4 How to Plan, Procure & Deploy a PIV-Enabled PACS: Facility Characteristics & Risk Assessment

National Center for Advanced Payment and Identity Security 5

National Center for Advanced Payments and Identity Security National Center for Advanced Payments and Identity Security in Crystal City Secure Technology Alliance Educational Institute is part of the center. Certifications Available CSCIP CSCIP/Payments CSCIP/Government CSEIP 6 How to Plan, Procure & Deploy a PIV-Enabled PACS: Facility Characteristics & Risk Assessment

What constitutes compliance? Secure and reliable forms of identification: are issued based on sound criteria for verifying an individual employee's identity are strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation can be rapidly authenticated electronically are issued only by providers whose reliability has been established by an official accreditation process The Standard will include graduated criteria, from least secure to most secure, to ensure flexibility in selecting the appropriate level of security for each application - Homeland Security Presidential Directive 12 Assert Authenticate Authorize Audit 7 How to Plan, Procure & Deploy a PIV-Enabled PACS: Facility Characteristics & Risk Assessment

The PIV-Enabled PACS Process Session Five Facility Characteristics Risks Scope Procurement Strategy Deployment Size Mission Assets Existing Conditions Regulatory Requirements Threats Likelihood Consequence Risks to be mitigated Costs and timelines Potential solutions Potential providers Responsibilities Standards Procurement vehicles Contract documents Funding Evaluation Award Management Design Installation and configuration Testing and acceptance Training Cutover Close out 8 How to Plan, Procure & Deploy a PIV-Enabled PACS: Facility Characteristics & Risk Assessment

Facility Risk Assessment Guidance The Risk Management Process for Federal Facilities: An Interagency Committee Standard (https://hsin.dhs.gov/pages/home.aspx) Executive Branch agencies must use per E.Os 12977 and 13286 Adopted by DoD in 2012 and Integrated into Unified Facilities Criteria (UFC) 4-010-01) DoD Minimum Antiterrorism Standard for Buildings Factors for assessing facility risk Mission Criticality Symbolism Facility population Facility size Threat to agency ASIS International Risk Assessment Standard ANSI/ASIS/RIMS RA.1-2015 (https://www.asisonline.org/standards-guidelines/standards/pages/default.aspx) 9 How to Plan, Procure & Deploy a PIV-Enabled PACS: Facility Characteristics & Risk Assessment

Asset Identification and Criticality What assets are you protecting? Facilities Campus, building, garage, storage facility, armory, suite, room Leased or owned (directly managed or through another agency) Single or multi-tenant occupied Environmental factors (terrain, adjacent facilities) Equipment, Materials and Information Asset Value What impacts are you trying to mitigate? Inability to perform critical/essential functions Productivity loss Personal safety threats Repair or replacement cost Confidence or reputation loss 10 How to Plan, Procure & Deploy a PIV-Enabled PACS: Facility Characteristics & Risk Assessment

Correlation of Mission, Assets & Protection Public access Administrative Data processing Communications Medical Transportation Maintenance Law enforcement Intelligence Critical infrastructure 11 How to Plan, Procure & Deploy a PIV-Enabled PACS: Facility Characteristics & Risk Assessment

Main Facility Lab Parking Garage Employee Entrance 12 How to Plan, Procure & Deploy a PIV-Enabled PACS: Facility Characteristics & Risk Assessment

Asset Locations and Threats Where are the assets you are protecting? Geographic location of the facility Similar events nearby Accessibility to potential adversaries Location of assets within the facility Selection of authentication mechanisms What & Whom are the assets being protected from? Threat types Natural Man-made (Human initiated) Threat factors Tenant perception Nature of the mission Threats to the federal agency Threats to other tenants of a facility Local factors i.e. crime statistics 13 How to Plan, Procure & Deploy a PIV-Enabled PACS: Facility Characteristics & Risk Assessment

Adversaries Adversary Motivation Money Ideology Coercion Ego Adversary Capabilities Tactics Funding Knowledge Tools, materials or special skills Appendix A ISC Design-Basis Threat Report (https://hsin.dhs.gov/pages/home.aspx) 14 How to Plan, Procure & Deploy a PIV-Enabled PACS: Facility Characteristics & Risk Assessment

PACS Assessment How are you currently protecting your assets? Begin at the perimeter and work inward Physical barriers Vehicle and personnel access control points Demographics PACS lifecycle Age and condition Hardware, firmware and software versions Supporting infrastructure Authority to Operate (ATO) Integrated systems Surveillance Intrusion detection Elevator control Fire alarm Command and control 15 How to Plan, Procure & Deploy a PIV-Enabled PACS: Facility Characteristics & Risk Assessment

PACS Effectiveness Does the existing PACS electronically authenticate credentials fast enough for the throughput? deny access to individuals presenting revoked, lost, stolen, expired, cloned, altered or otherwise fraudulent credentials? deny access to individuals with valid credentials but no proper authorization? accurately detect events? invalid card, access denied, door held, door forced, equipment tamper, power or communications failure properly annunciate events to responding personnel in a timely manner? support multifactor authentication? 16 How to Plan, Procure & Deploy a PIV-Enabled PACS: Facility Characteristics & Risk Assessment

Legal and Regulatory Requirements Federal Laws Federal Information Security Modernization Act of 2014, P.L. 113 283 Privacy Act of 1974, 5 U.S.C. 552a Americans with Disabilities Act of 1990, 42 U.S.C. 12101 State and local laws May impose additional requirements, i.e. licensing and permits Varying applicability Agency Regulations Include requirements from other agencies, i.e. OMB, GSA, NIST, DHS Specific asset requirements Best Practices and Guidelines NIST ISC Secure Technology Alliance ASIS International Security Industry Association 17 How to Plan, Procure & Deploy a PIV-Enabled PACS: Facility Characteristics & Risk Assessment

Risk = Probability x Consequence 1. Identify Threats * A. Criminal Activity B. Explosive Event C. Ballistic Attack D. Unauthorized Entry E. CBR Release F. Vehicle Ramming G. Hostile Surveillance H. Cyber Attack I. UAS Attack Probability Improbable Unlikely Possible Likely Almost Certain 10 9 8 7 6 5 4 3 2 1 Consequence Negligable Minor Moderate Severe Catastrophic 1 2 3 4 5 6 7 8 9 10 * From Appendix A ISC Design-Basis Threat Report For Illustration Only 18 How to Plan, Procure & Deploy a PIV-Enabled PACS: Facility Characteristics & Risk Assessment

Risk = Probability x Consequence 2. Rank Threat Probability D. Unauthorized Entry H. Cyber Attack A. Criminal Activity G. Hostile Surveillance C. Ballistic Attack F. Vehicle Ramming B. Explosive Event I. UAS Attack E. CBR Release Probability Improbable Unlikely Possible Likely Almost Certain Consequence Negligable Minor Moderate Severe Catastrophic 1 2 3 4 5 6 7 8 9 10 10 D 9 H 8 A 7 G 6 C 5 F 4 B 3 I 2 E 1 19 How to Plan, Procure & Deploy a PIV-Enabled PACS: Facility Characteristics & Risk Assessment

Risk = Probability x Consequence 3. Rank Threat Consequence H. Cyber Attack - 45 C. Ballistic Attack - 42 B. Explosive Event - 36 D. Unauthorized Entry - 30 F. Vehicle Ramming - 30 G. Hostile Surveillance - 28 E. CBR Release - 20 I. UAS Attack 15 A. Criminal Activity - 8 Probability Improbable Unlikely Possible Likely Almost Certain Consequence Negligable Minor Moderate Severe Catastrophic 1 2 3 4 5 6 7 8 9 10 10 D 9 H 8 A 7 G 6 C 5 F 4 B 3 I 2 E 1 20 How to Plan, Procure & Deploy a PIV-Enabled PACS: Facility Characteristics & Risk Assessment

Risk Mitigation Risk cannot be eliminated, only reduced Countermeasures Appendix B Countermeasures (https://hsin.dhs.gov/pages/home.aspx) Reduce consequence Redundancy Insurance Reduce likelihood Restrict access to sensitive areas/materials Require higher levels of identity and authentication assurance Digital Identity Guidelines, NIST Special Publication 800-63-3 (https://csrc.nist.gov/publications/) Select appropriate authentication mechanisms A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS), NIST Special Publication 800-116 (https://csrc.nist.gov/publications/) 21 How to Plan, Procure & Deploy a PIV-Enabled PACS: Facility Characteristics & Risk Assessment

Upcoming Sessions Establishing the Project Scope January 11, 2018 Developing the Procurement Strategy February 22, 2018 Implementing the Solution March 15, 2018 Use Cases and Lessons Learned April 19, 2018 All webinars begin at 2 p.m. ET/11 a.m. PT. Visit the Secure Technology Alliance web site to register for a session or to watch the recording of any previous session. 22 How to Plan, Procure & Deploy a PIV-Enabled PACS

Upcoming Sessions Stakeholders Session 1 10/19/2017 Session 2 11/30/2017 Session 3 1/11/2018 Session 4 2/22/2018 Session 5 3/15/2018 Session 6 4/19/2018 Acquisition Budget Customers / Tenants Engineering Executive Sponsors Facility Management Information Technology Legal Personnel Physical Security Safety 23 How to Plan, Procure & Deploy a PIV-Enabled PACS

Resources and Contacts http://www.securetechalliance.org Lars Suneborn, CSCIP/G, CSEIP Director, Training Programs, Secure Technology Alliance lsuneborn@securetechalliance.org Michael Kelley, CSCIP/G, CSEIP, PSP, CBP Principal ESS Technical Specialist, Parsons Corp. michael.p.kelley@parsons.com William Windsor, CSEIP Department of Homeland Security william.windsor@hq.dhs.gov 24 How to Plan, Procure & Deploy a PIV-Enabled PACS

191 Clarksville Road Princeton Junction, NJ 08550

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback