CSAM Support for C&A Transformation


Cyber Security Assessment and Management (CSAM)
Annual Computer Security Applications Conference (ACSAC) 2007, December 13, 2007

Five Services, One Complete C&A Solution:
1. Mission/Risk-Based Policy & Implementation/Test Guidance
2. Program Management Plan: Enterprise vs System Solutions (Cost, Schedule, Responsibilities)
3. System Security Planning and Implementation: SSP 95% Documented; Emphasis on Implementation & Validation
4. Management Reporting (fully automated): Enterprise, System, Regulatory, Ad Hoc
5. Training & Quarterly Workshops
C&A Web Authoring Tool & Knowledge Base

Cyber Security Assessment & Management (CSAM) Partnership: Shared Service Center
CSAM Partnership members: USAID, DOC, DOE, DOI, DOL, DOT, NSF, Treasury, SEC, FTC, IMLS, USDA, DOJ; Others Pending

IT Security Performance Dashboard (Executive Level)
% Controls Implemented / % Critical Controls Implemented: 96% 90% 98%

Eval | Control Category                  | % Impl | POA&M
     | Risk & IT Security Mgmt           | 96     | 96
     | Vulnerability Mgmt                | 85     | 94
     | Incident Response & Cont Planning | 100    | N/A
     | Awareness & Training              | 97     | 100

Control Category                  | % Impl | POA&M
Risk & IT Security Mgmt           | 98     | 96
Vulnerability Mgmt                | 96     | 96
Incident Response & Cont Planning | 100    | N/A
Awareness & Training              | 96     | 100

IT Security Program Initiatives

Strategic Goals/Objectives vs Mission Based IT Security Priorities.
Priority columns: Risk & IT Security Mgmt; Vulnerability Mgmt; Incident Mgmt & Contingency Mgmt; Awareness Trng & Security Trng for IT Professionals.
Control groupings under them: Risk Assessment & Mgmt (RA, PL, CA); Acquisition, Config Mgmt (SA, CM); Personnel/Physical & Environ Security (PS & PE); Access Control (AC); Systems & Comm Protect, Integrity (SC, SI, MA, AU); Media Protection (MP); Incident Response (IR); Contingency Planning (CP); Security Awareness & ROB; IT Security Trng for IT Professionals.

Strategic goals, each with Supporting Objectives & Programs:
I. Prevent Terrorism and Promote the Nation's Security
II. Prevent Crime, Enforce the Law and Represent the Rights and Interests of the American People
III. Ensure the Fair and Efficient Operation of the Federal Justice System

Priority ratings (Critical, Very High, High, Medium) in the order extracted from the matrix:
Ratings following goal I: Very High Critical Very High High VH M VH C C VH VH VH H H VH VH H C C VH VH VH H H VH VH H C VH VH VH H H H
Ratings following goal III: Very High Critical Very High High VH VH VH C C VH VH VH H H VH VH VH C C VH VH H H H VH H H C C H VH VH H M High High High High H H H H H H H H H H H H H H H M H H H H H M M H H M H H H M

CSAM Certification & Accreditation (DOJ IT Security Standards: FISCAM/FIPS 200/NIST 800-53)

Process elements:
- System Description; Inventory/Interconnections (CA-3); Asset Discovery/Mgmt DB; Application Discovery
- Security Requirements Selection and Assign Responsibilities (PL-2); Scope; Security Category; Inherit Common Controls (MOA/SLA) (CA-2)
- XML Structured Data; SCAP; Vulnerability Analysis; Config Security Analysis; Threat Analysis
- C&A Team Review/Update; Risk Assessment; POA&M & Funding Decision
- Security Mgmt: Centralized Reporting, Monthly Review Dashboard, OMB Report
- Standardizing Specifications of Content

Content Repositories:
1. Vulnerability Mgmt Plan
2. Access Controls (AC 2-20); Vulnerability Mgmt (RA-5); Audit and Accountability (AU 2-11); Identification and Authentication (IA 2-7); Systems & Communications Protection (SC 2-19); System and Information Integrity (SI 2-12); Asset Inventory; Config Guides; Vulner Analysis; Threat Analysis; Incident Response
3. Life Cycle Mgmt (SA-3); Configuration Management (PL-1); Exercise & Update Incident Response Plan (IR-7); Exercise & Update Contingency Plan (CP-10); Awareness & Training (AT-2 & 3); Physical/Environ Protection (PE-4); Personnel Security (PS-8); Media Protection (MP-7)
(slide 5)

President's Management Agenda: FISMA, DCID 6/3. DOJ IT Security Stds: FISCAM, FIPS/NIST 800-53, Risk-based.

Management Controls (Cost + Implementation Guidance): RA-1 Risk Assessment Policy and Procedures; PL-1 Security Planning Policy and Procedures; SA-1 System & Services Acquisition Policy & Procedures; CA-1 Certification & Accreditation & Security Assessment Policies and Procedures.
Operational Controls (Cost + Implementation Guidance): PS-1 Personnel Security Policy & Procedures; PE-1 Physical Environmental Protection Policy & Procedures; CP-1 Contingency Planning Policy & Procedures; CM-1 Configuration Management Policy & Procedures.
Technical Controls (Cost + Implementation Guidance): IA-1 Identification and Authentication Policy & Procedures; AC-1 Access Control Policy & Procedures; AU-1 Audit & Accountability Policy & Procedures; SC-1 System & Comm Protection Policy & Procedures.

Cyber Security Assessment and Management (CSAM) Implementation Requirements: matrix of Risk (L M H) against System Controls, Common Controls and Priority (cells in extracted order: X X X X 5 X X X X X X X X 4 X X X 2 X 5 X 3 X X X 3 X X X X).

Test Case for Each Requirement (SCAP where available): Vulner Control Test Case nn.n.n, e.g. Test Case CA-1.3, Test Case SA-1.1, Test Case PL-1.8, Test Case RA-1.1. Each test case records: Control Objective (Subordinate Objective), Control Techniques, Specific Criteria, Prerequisite Controls, Test Objective, Test Set Up, Test Steps, Expected Results, Actual Results, Cost, PASS/FAIL.

Risk Assessment: Vulner Level × Threat Level × Signif Level = Total Risk.
Plans of Action & Milestones (POA&M), Vulnerabilities Requiring Correction: Risk Impact; Plan Start; Actual Start; Planned Finish; Actual Finish; Validation Date; Cost.
OMB FISMA Reporting from Cyber Security Assessment & Mgmt (CSAM).
(slide 6)

Risk Management Framework: Categorize, Select, Supplement, Document, Implement, Assess, Authorize, Monitor.
Risk Assessment inputs: Threat Level (Mission, Probability); Vulnerability Level (Exploitability -- Countermeasures); Impact.
Risk Mitigation; Evaluation & Assessment.
(slide 7)

Vulnerability/Countermeasures Risk Assessment

Scoring factors:
- Vulnerability Level (Total 0-5): Exploitability (Hi=5, Low=1) (Actual) and Counter Measures (Weak=0, Very Strong=2); EX-CT = Total
- Threat Level (Threat/s, Total 0-6): Capability (Hi=2, Low=1), History/Gain (Hi=2, Low=1), Attributable/Detectable (Easy=2, Difficult=0); C+H+G-A-D = Total
- Significance Level (TOTAL 0-4): Loss of Life (Yes=4, No=0), Sensitivity (Yes=4, No=0), Ops Impact (Yes=2, No=0), Equipment Loss (Yes=2, No=0); DL+Ops+Equip = Total
- Total Risk = Vulnerability Level X Threat Level X Significance Level; RISK TOTAL (VL*TL*SL) 0-120; RISK Ranking

Vulnerability Level scale: Very High 5, High 4, Medium 3, Low 2, Very Low 1
Risk Scale: Very High > 75; High 55 to 75; Medium 19 to 54; Low 6 to 18; Very Low < 6

Vulnerability/Countermeasures and Threat Pairing (Security Controls): Logical Access Controls. Security controls can detect unauthorized access attempts. Access control software prevents fraudulent activity without collusion.
Worksheet rows (values in extracted order):
32 32 (medium) (Medium) 8.1, 11.1, 12.1, 13.1, 16.1 2 5 3 2 2 2 0 4 (Med) 0 2 2 0 4
32 32 (medium) (Medium) 6.1, 8.1, 11.1, 12.1, 13.1, 16.1 2 4 2 2 2 2 0 4 (Med) 0 2 2 0 4
(slide 8)
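As an added example, not code from the CSAM slides: a Python calculator for the worksheet's Vulnerability Level × Threat Level × Significance Level score and its Risk Scale, reproducing the 32 (Medium) Logical Access Controls row. It assumes Threat Level is the plain sum of its three factors, that Significance Level is the four-factor sum capped at the slide's stated 0-4 range, and that a negative EX-CT floors at 0; the RiskInputs class and the function names are mine.

```python
# Added example, not code from the CSAM slides: calculator for the slide's
# Total Risk = VL x TL x SL worksheet. Assumptions (not on the slide): Threat
# Level is the plain sum of its factors, Significance Level is capped at 4.
from dataclasses import dataclass

# Risk Scale from the slide (integer scores, so lower bounds are exact):
RISK_BANDS = [("Very High", 76), ("High", 55), ("Medium", 19), ("Low", 6), ("Very Low", 0)]

@dataclass(frozen=True)
class RiskInputs:
    exploitability: int     # Hi=5 .. Low=1
    countermeasures: int    # Weak=0 .. Very Strong=2
    capability: int         # Hi=2, Low=1
    history_gain: int       # Hi=2, Low=1
    attributable: int       # Attributable/Detectable: Easy=2, Difficult=0
    loss_of_life: bool      # Yes=4, No=0
    sensitivity: bool       # Yes=4, No=0
    ops_impact: bool        # Yes=2, No=0
    equipment_loss: bool    # Yes=2, No=0

    def __post_init__(self):
        # Reject values outside the slide's scales rather than silently scoring them.
        scales = {"exploitability": range(1, 6), "countermeasures": range(0, 3),
                  "capability": (1, 2), "history_gain": (1, 2), "attributable": (0, 2)}
        for name, allowed in scales.items():
            if getattr(self, name) not in allowed:
                raise ValueError(f"{name}={getattr(self, name)} is off the worksheet scale")

def vulnerability_level(r: RiskInputs) -> int:
    return max(0, r.exploitability - r.countermeasures)  # EX-CT, floored at 0 (assumption)

def threat_level(r: RiskInputs) -> int:
    return r.capability + r.history_gain + r.attributable  # 0-6

def significance_level(r: RiskInputs) -> int:
    raw = 4 * r.loss_of_life + 4 * r.sensitivity + 2 * r.ops_impact + 2 * r.equipment_loss
    return min(4, raw)  # slide states TOTAL (0-4); cap is an assumption

def risk_band(score: int) -> str:
    return next(name for name, floor in RISK_BANDS if score >= floor)

def assess(r: RiskInputs) -> dict:
    vl, tl, sl = vulnerability_level(r), threat_level(r), significance_level(r)
    total = vl * tl * sl  # VL*TL*SL, 0-120
    return {"VL": vl, "TL": tl, "SL": sl, "total": total, "band": risk_band(total)}

# Constructed input matching the slide's Logical Access Controls row (32, Medium):
# EX=4, CT=2 -> VL=2; Capability 2, History/Gain 2, Attributable 0 -> TL=4; Ops + Equip -> SL=4.
LOGICAL_ACCESS = RiskInputs(4, 2, 2, 2, 0, False, False, True, True)
```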

- Identifies Moderate and High Risk Weaknesses
- Provides impacts and costs to correct identified weaknesses
- Documents POA&M to correct weaknesses
(slide 9)

SCAP (Security Content Automation Program): Address Meta Control Set Resident in CSAM

Community of Interest (COI) Standards (http://nvd.nist.gov/scap/scap.cfm): 800-53/53A, CNSS/IC, ISO, HIPAA, SOX, PCI, FISCAM, Others
SCAP Meta Controls: DISA Platinum/Gold; Vendor Guide; NIST Special Pub; NSA Guide; Agency Baseline Configuration; Agency Policies and Standards

Machine readable Test Cases -> Vendor SCAP Assessment Tools -> XML -> CSAM: Agency's Technical Vulnerability and Configuration Assessment; Automated Checklists; Test Results; Metrics and Scoring (XML)
Non-Machine Readable Test Cases (Mgmt, Operational, & Technical Controls): Interview, Examine, Test Results -> Attain Metrics -> POA&M or Accept Risk
(slide 10)

My Schedule; Tasking Synopsis; System user. Drill-down links you directly to the point of interest.

Performance Dashboard: clicking on the green checkmark, the yellow exclamation point, or the red X pops up the explanation of why that grade was given. Clicking on the POA&M columns gives a list of POA&Ms that are late for the selected org. Clicking on the Training % shows the comments and the actual numbers that make up the percentages.