FISMA Cybersecurity Performance Metrics and Scoring

1. DOT Cybersecurity Summit: FISMA Cybersecurity Performance Metrics and Scoring
Office of the Federal Chief Information Officer, OMB
OMB Cyber and National Security Unit, OMBCyber@omb.eop.gov

2. Cybersecurity Metrics
OMB receives agency FISMA metrics through DHS's CyberScope system.
Metrics reporting schedule per M-17-05:
1. Quarterly CIO FISMA metrics (CFO Act agencies only)
2. Monthly PIV/CAC submissions (CFO Act agencies only)
3. Annual IG, CIO, and SAOP metrics (all agencies)

3. Cybersecurity Metrics in Action
OMB uses FISMA metrics for nine processes and products that drive agency performance:
1. President's Management Council (PMC) Assessment
2. Cybersecurity Cross-Agency Priority (CAP) Reports
3. Annual FISMA Report to Congress
4. CyberStat Reviews
5. PortfolioStat Reviews
6. FedStat Reviews
7. President's Budget Cybersecurity Crosscut
8. Cabinet Engagements
9. Policies and Guidance

4. Annual FISMA Report to Congress
FY 2016 Annual FISMA Report to Congress: One-Pagers
- Agency one-pagers provide greater context for FY 2016 cybersecurity performance data, with the goal of improving the readability and the look and feel of the report.
- FY 2016 IG metrics provide an independent assessment of the FY 2016 CIO metrics. OMB anticipates a decrease in IG scores due to scoring methodology changes.
- One-pagers will also serve as a one-stop summary for future OMB, DHS, and IG oversight discussions (e.g., CyberStat).

5. PMC Assessment Background
- In the wake of the OPM incidents, OMB recognized the need for a cybersecurity performance assessment that gives agency Deputy Secretaries and the EOP an understanding of the agency's hygiene.
- OMB developed the PMC Cybersecurity Assessment in late 2014 using agencies' FISMA metrics data and assessment criteria from the NIST Cybersecurity Framework.
- This assessment is a vehicle for driving agency performance and ensuring accountability from the Deputy Secretary on down through the organization.
- OMB has matured the assessment process and products to ensure clear and effective communication to agencies, and uses the output from this process to inform its oversight and budget processes.

6. Leveraging the NIST Cybersecurity Framework
The 23 civilian CFO Act agencies receive a quarterly assessment from OMB that provides an overall rating based on performance across the five NIST Cybersecurity Framework function areas:
- Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

7. Rating Standards
EOP provides ratings to agencies for each NIST Framework function area on a 0-3 scale:
0 - Agency has not met foundational targets
1 - Agency has met foundational targets
2 - Agency has met government-wide targets
3 - Agency has exceeded government-wide targets
In the first quarter of FY 2016, only five agencies had information security programs that met or exceeded government-wide performance goals. By the end of FY 2016, 13 agencies had met these targets, and all others were making significant progress toward this end as a direct result of the PMC Assessment process.

8. Sample of Individual Agency Scorecard
Example: Justice. Overall rating 2 (agency has met government-wide targets).
The overall rating is the average of the component scores, rounded to the nearest whole number: (1+2+2+3+3)/5 = 2.

Identify: 1
- Hardware Asset Management (CAP): 100%
- Software Asset Management (CAP): 97%
- Unclassified systems with security ATO: 87%
- Review of contracts with sensitive information
- Policy empowering incident commanders

Protect: 2
- Vulnerability Management (CAP): 100%
- Secure Configuration Management (CAP): 95%
- Unprivileged PIV logical access (CAP): 95%
- Privileged PIV logical access (CAP): 100%
- Remote access security
- Insider Threat Program
- Media destruction policy

Detect: 2
- Anti-Phishing and Malware Defense (CAP): Anti-Phishing 5 of 7, Malware Defense 3 of 5, Other Defense 2 of 4
- EINSTEIN Program
- Attempts to access data detected and investigated
- Test exfiltration attempts are caught

Respond: 3
- Incident response plan
- Participating in C-CAR protocol
- Roles and responsibilities are verified
- No active critical vulnerabilities > 30 days

Recover: 3
- Disaster and incident recovery plans
- Incident notification: 100%
- Credit monitoring BPA
- Credit repair contract

Legend (each criterion is shown at Levels 1, 2 and 3): Criteria Met / Criteria Not Met / Criteria NA
To achieve a particular rating in a framework area, an agency must meet all criteria within both the given level and all prior levels.
Level 1 - Foundational targets
Level 2 - Government-wide targets
Level 3 - Exceeding government-wide targets

9. Baseline Metrics
In addition to the metrics underlying the PMC Assessment, OMB also analyzes agency performance on measures not used to calculate agency scores. The intent is to better understand current agency performance so that ambitious but realistic targets can be set for future assessments.
Current baseline metrics include:
- HTTPS implementation (M-15-13)
- Endpoints with data encrypted at rest (FIPS 140-2)
- Users with significant security responsibilities who have completed role-based security training
- Time to revoke role-based credentials following the termination of employees/contractors

10. Appendix: EOP Cybersecurity Assessment Criteria

Identify
- Hardware Asset Management (CAP): Level 1 80%; Level 2 95% (CAP Goal); Level 3 100%
- Software Asset Management (CAP): Level 1 80%; Level 2 95% (CAP Goal); Level 3 100%
- Unclassified information systems with a security ATO: Level 1 80%; Level 2 95%; Level 3 100%
- Review of contracts with sensitive information: Level 1 review of key contracts is in progress; Level 2 review of key contracts is completed; Level 3 all contracts contain clauses on protection, detection, and reporting of information
- Policy empowering incident commanders: Level 1 in place

Protect
- Vulnerability Management (CAP): Level 1 80%; Level 2 95% (CAP Goal); Level 3 100%
- Secure Configuration Management (CAP): Level 1 80%; Level 2 95% (CAP Goal); Level 3 100%
- Remote access security: Level 1 FIPS 140-2 validated; Level 2 30 minute time-out; Level 3 split tunneling prohibited
- Unprivileged PIV logical access (CAP): Level 2 85% (CAP Goal)
- Privileged PIV logical access (CAP): Level 2 100% (CAP Goal)
- Insider Threat Program: Level 1 initial operating capability; Level 2 full operating capability
- Media destruction policy: Level 1 in place

Detect
- Anti-Phishing and Malware Defense (CAP): Level 1 one of three key indicators at 90%; Level 2 all key indicators at 90% (CAP Goal); Level 3 all key indicators at 100%
- EINSTEIN Program: Level 2 fully implemented
- Attempts to access large volumes of data are detected and investigated: Level 2 detected and investigated
- Test exfiltration attempts are caught: Level 3 test conducted in the past year and the attempt was caught

Respond
- Incident response plan: Level 1 developed and tested once annually; Level 2 tested twice annually; Level 3 no more than 180 days old
- Participating in C-CAR protocol: Level 1 participated in the most recent C-CAR call
- Roles and responsibilities are verified: Level 2 verified during incident response testing
- No active critical vulnerabilities > 30 days: Level 2 no such vulnerabilities identified

Recover
- Disaster and incident recovery plans: Level 1 developed but not tested regularly; Level 2 tested annually; Level 3 less than one year old
- Incident notification: Level 1 a policy that establishes the timeline for public or internal notifications after the detection or discovery of a compromise of PII is in place; Level 2 metrics tracking for notifications in place; Level 3 metrics indicate 100% compliance
- Credit monitoring BPA: Level 2 in place
- Credit repair contract: Level 3 in place
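The rating rules on slides 8 and 10 worked through in code, as an added example that is not part of the OMB deck: a function area reaches a level only when every criterion that defines a target at that level and all lower levels is met (criteria with no target at a level are NA there), and the overall rating is the rounded average of the five area scores. The criterion names and thresholds are a constructed subset of the appendix table; the observed values are sample data modelled on the Justice scorecard.

```python
# Added example (not from the OMB deck): PMC rating logic from slides 8 and 10.
# Criteria/thresholds are a constructed subset of the appendix; observations are sample data.
from typing import Dict, Union

Target = Union[float, bool]              # percentage threshold or yes/no target
Criteria = Dict[str, Dict[int, Target]]  # criterion -> {level: target at that level}
IDENTIFY: Criteria = {
    "Hardware Asset Management (CAP)": {1: 80, 2: 95, 3: 100},
    "Software Asset Management (CAP)": {1: 80, 2: 95, 3: 100},
    "Unclassified systems with security ATO": {1: 80, 2: 95, 3: 100},
    "Policy empowering incident commanders": {1: True},
}
PROTECT: Criteria = {
    "Vulnerability Management (CAP)": {1: 80, 2: 95, 3: 100},
    "Secure Configuration Management (CAP)": {1: 80, 2: 95, 3: 100},
    "Unprivileged PIV logical access (CAP)": {2: 85},  # no Level 1/3 target: NA there
    "Privileged PIV logical access (CAP)": {2: 100},
    "Remote access: FIPS 140-2 validated": {1: True},
    "Remote access: prohibit split tunneling": {3: True},
}

def criterion_met(target: Target, observed) -> bool:
    """Percentages pass at or above the target; yes/no targets pass only when True."""
    if isinstance(target, bool):
        return observed is True
    return observed is not None and observed >= target

def function_area_level(criteria: Criteria, observed: Dict[str, object]) -> int:
    """Highest level L (0-3) at which every criterion that defines a target at
    levels 1..L is met; a criterion with no target at a level is NA and does not block."""
    achieved = 0
    for level in (1, 2, 3):
        for name, targets in criteria.items():
            if level in targets and not criterion_met(targets[level], observed.get(name)):
                return achieved  # first level with an unmet criterion ends the climb
        achieved = level
    return achieved

def overall_rating(area_levels) -> int:
    """Average of the five function-area scores rounded to the nearest whole number.
    Integer sums over five areas give fractions .0/.2/.4/.6/.8, so round() never ties."""
    return round(sum(area_levels) / len(area_levels))

# Sample observations modelled on the slide-8 scorecard (constructed data).
SAMPLE_IDENTIFY = {"Hardware Asset Management (CAP)": 100,
                   "Software Asset Management (CAP)": 97,
                   "Unclassified systems with security ATO": 87,  # below 95: stops at Level 1
                   "Policy empowering incident commanders": True}
SAMPLE_PROTECT = {"Vulnerability Management (CAP)": 100,
                  "Secure Configuration Management (CAP)": 95,  # below 100: stops at Level 2
                  "Unprivileged PIV logical access (CAP)": 95,
                  "Privileged PIV logical access (CAP)": 100,
                  "Remote access: FIPS 140-2 validated": True,
                  "Remote access: prohibit split tunneling": True}

if __name__ == "__main__":
    print(function_area_level(IDENTIFY, SAMPLE_IDENTIFY))  # 1
    print(function_area_level(PROTECT, SAMPLE_PROTECT))    # 2
    print(overall_rating([1, 2, 2, 3, 3]))                 # 2
```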

11. Appendix: Sample Action Items
The following items require additional information/details on how the agency is working to meet government-wide targets:

Category | Criteria | Questions | Actions Needed
Identify | CAP Goal: Hardware Asset Management | 1.2, 1.4, 3.16 | Detail actions to improve Hardware Asset Management capabilities or explain impediments to OMB
Identify | CAP Goal: Software Asset Management | 1.5, 3.17 | Detail actions to improve Software Asset Management capabilities or explain impediments to OMB
Identify | Review of key contracts with sensitive information | 1.8 | Complete review of key prioritized contracts or explain impediments to OMB
Protect | CAP Goal: PIV logical access (unprivileged users) | 2.4, 2.4.1 | Detail actions to improve PIV usage amongst unprivileged users or explain impediments to OMB
Protect | CAP Goal: PIV logical access (privileged users) | 2.5, 2.5.1 | Detail actions to improve PIV usage amongst privileged users or explain impediments to OMB
Protect | Privileged user count has achieved target | 2.5 | Reduce number of privileged users where possible
Protect | Insider Threat Program, per E.O. 13587 | 2.30 | Provide a status update of program implementation in next submission
Respond | Incident response plan developed and tested biannually | 4.7 | Increase specificity regarding the frequency of incident response plan testing and updating
Recover | Recovery plans have been developed and tested annually | 5.5 | Ensure that an enterprise-wide incident recovery plan is in place and updated on an annual basis

12. Annual Assessment Timeline
- January 1-15: CFO Act agencies complete Q1 FISMA CIO assessment; EOP conducts FY Q1 PMC assessments
- February 15: Q1 PMC assessments delivered to agency CIOs
- March 1: Annual FISMA report to Congress released (from previous FY)
- April 1-15: CFO Act agencies complete Q2 FISMA CIO assessment; EOP conducts FY Q2 PMC assessments
- May 15: Q2 PMC assessments delivered to agency CIOs
- July 1-15: CFO Act agencies complete Q3 FISMA CIO assessment; EOP conducts FY Q3 PMC assessments
- August 15: Q3 PMC assessments delivered to agency CIOs
- October 1-31: All agencies complete annual FISMA CIO assessment; EOP conducts FY Q4 PMC assessments
- December 15: Q4 PMC assessments delivered to agency CIOs

IG FISMA Metrics - History
- Collaboration with OMB, DHS, CIGIE, and other stakeholders
- Historically, the OIG FISMA metrics were mostly yes/no questions that did not enable an easy determination of effectiveness
- In 2015, a FISMA Metrics Subcommittee of the FAEC IT Committee was formed to develop effectiveness-based measures

Maturity Model Approach
- The maturity model incorporates Federal requirements and maps to best practices (e.g., CMMI, COBIT, NIST, C2M2)
- Maturity indicators map to CIO metrics, NIST SP 800-53 and supporting special publications, President's Management Council, and other government-wide focus areas/initiatives
- The FISMA Metrics Subcommittee has incorporated comments from various stakeholders including FAEC, CIGIE, and the CIO/CISO community

Effectiveness within the Maturity Model
Level 1 - Ad-hoc
Level 2 - Defined
Level 3 - Consistently Implemented
Level 4 - Managed & Measurable
Level 5 - Optimized
(Figure labels on the slide: Implement, Operate, Desired Results, Effectiveness)

FISMA IG and CIO Metrics
FY 2017 FISMA IG metrics are broadly aligned with the FY 2017 FISMA CIO metrics.

Function (Section) | IG Metrics | CIO Metrics
Identify (Risk Assessment) | X | X
Protect (Configuration Management) | X | X
Protect (Identification and Authentication) | X | X
Protect (Security Training) | X | X
Detect (ISCM) | X | X
Respond (Incident Response) | X | X
Recover (Contingency Planning) | X | X

Scoring Methodology
- The FY 2017 FISMA IG metrics scoring methodology will seek to provide a balanced assessment of agency information security capabilities
- Agency IGs will assess capabilities on a spectrum of potential maturity levels
- Overall maturity for each NIST Function will be recommended based on its average maturity level
- The goal is to provide a representative maturity level, but IGs can substitute a different score if they choose
- Overall agency maturity will be determined by the IG with no automatically generated recommendation
- This allows IGs to customize their assessments based on agency circumstances

Next Steps
- Access the metrics at DHS.gov/FISMA
- Hold a follow-on training session in July
- Work with DHS to make changes to the CyberScope application
- For 2018, develop a review guide or companion document to the metrics for IG use

Q&A
Sample of the common questions received by the FISMA Metrics Subcommittee:
- When is the due date for FISMA this year?
- Will the scoring methodology be different this year?
- Will specific questions be weighted differently than others?
- Is Level 4 still considered to be the bar for effectiveness?
- Can an agency have an effective program at Level 3?
- Will IGs be required to provide comments in CyberScope for all responses not at Level 4?