J-6 Information Operations - PowerPoint PPT Presentation

About This Presentation
Title:

J-6 Information Operations

Description:

Number of Controls with Automated Validation Support ... Inherit Common Controls (MOA/SLA) (CA-2) C&A Team Review/Update. Risk Assessment ... – PowerPoint PPT presentation

Slides: 14
Provided by: nvdN
Learn more at: http://nvd.nist.gov

Transcript and Presenter's Notes

Title: J-6 Information Operations


1
Beyond FISMA: Taking Federal Cyber Security to the Next Level

IT Security Program Purpose: Support Agency Strategic Goals by ensuring Integrity, Confidentiality, and Availability of information and information systems.
  • FISMA Compliance Requirements
  • Beyond FISMA Compliance
  • Cyber Security Assessment and Management (CSAM)
  • Security Content Automation Program (SCAP)
  • Number of Controls with Automated Validation
    Support
  • Transition from Compliance Reporting to Automated
    Validation Support

Panel Members
  • Stephen Quinn, National Institute of Standards and Technology
  • Dennis Heretick, Department of Justice
  • J.R. Reagan, BearingPoint

ITAA CISO Workshop November 2, 2006
2
The Compliance Game

Sources of requirements and guidance scattered across the slide: FISMA, HIPAA, SOX, GLB, INTEL, COMSEC 97, DoD 8500, DCID, ISO 17799, SP 800-53, SP 800-68, NSA Req / NSA Guides, STIGs, Vendor and 3rd Party Guides and Checklists, plus several sources marked only "???".

Finite Set of Possible Known IT Risk Controls: Application Configuration Options; Agency Tailoring of Management, Operational, and Technical Risk Controls. The result is Millions of Settings to manage across the Agency.

Dimensions along which a setting varies (the slide's example is Windows XP):
  • Impact Rating or MAC/CONF: High, Moderate, Low
  • Environment: Enterprise, Mobile, Stand Alone, SSLF
  • OS or Application: Windows
  • Version/Role: XP
  • Major Patch Level: SP1, SP2
3
FISMA Requirements
President's Management Agenda; Federal Information System Controls Audit Manual (FISCAM); OMB A-123 Management's Responsibility for Internal Control; Federal Enterprise Architecture Security & Privacy Profiles
  • Maintain 100% C&A for Operational Systems
  • Evaluate 96% of security control implementation status against the IT Security Standards
  • Comprehensive Agency-wide Plan of Actions and Milestones (POA&M) for all Known System Weaknesses, Independently Verified by the Inspector General
  • Report Security Costs for IT Investments; Link to Business Cases
  • Up to Date IT Security Plan/Risk Assessment
  • Security Controls Evaluated
  • Incident Response and Contingency Plans Tested
  • Maintain Secure Configurations
  • Conduct monthly vulnerability scans (weekly, if appropriate)
  • Conduct Configuration security validations

Agency Program / Component Program
  • System SSP
  • C&A
  • Validation Testing
  • OMB A-123 Management's Responsibility for Internal Control: Separate assessment and report on internal controls over financial reporting
4
FISMA Compliance Model
Information System Security Configuration Settings: NIST, NSA, DISA, Vendors, and Third Parties (e.g., CIS) Checklists and Implementation Guidance
5
Cyber Security Assessment & Mgmt (CSAM) (Certification & Accreditation): FISCAM / FIPS 200 / NIST 800-53 / NSS / DCID 6/3 / PII

Security Requirements Selection and Assign Responsibilities (PL-2)
System Description
  • Inventory/Interconnections (CA-3)
  • Scope
  • Security Category
  • Inherit Common Controls (MOA/SLA) (CA-2)

Asset Discovery/Mgmt; DB & Application Discovery (Dec 05 to Dec 06)
Accreditation Maintenance (Jan 06 to Jan 07)
Testing Integrated into Implementation
  • C&A Team Review/Update
  • Risk Assessment
  • POA&M Funding Decision
  • Monthly Review
  • Dashboard
  • OMB Report

1. Vulnerability Scans / Vulnerability Mgmt Plan
  • DB App Scan
  • Access Controls (AC-2 to AC-20)
  • Vulnerability Mgmt (RA-5)
  • Audit and Accountability (AU-2 to AU-11)
  • Identification and Authentication (IA-2 to IA-7)
  • System & Communications Protection (SC-2 to SC-19)
  • System and Information Integrity (SI-2 to SI-12)
  • Web App Scan
  • Config Sec

2. Implement/Maintain Technical/Operational Controls
  • Life Cycle Mgmt (SA-3)
  • Configuration Management (PL-1)
  • Exercise & Update Incident Response Plan (IR-7)
  • Exercise & Update Contingency Plan (CP-10)
  • Awareness & Training (AT-2, AT-3)

3. Physical, Personnel, and Media Controls
  • Physical/Environ Protection (PE-4)
  • Personnel Security (PS-8)
  • Media Protection (MP-7)
  • Security Info Mgmt

Feb 06 to Mar 07, with ongoing maintenance
6
Cyber Security Assessment and Management (CSAM)
Drivers: President's Management Agenda; FISMA, DCID 6/3, DOJ IT Security Stds; FISCAM, FIPS/NIST 800-53
Outputs: Plans of Action & Milestones (POA&M); Implementation Requirements; Manual vs. Automated Validation; OMB FISMA Reporting

Management Controls (Cost, Implementation Guidance): RA-1 Risk Assessment Policy and Procedures; PL-1 Security Planning Policy and Procedures; SA-1 System & Services Acquisition Policy & Procedures; CA-1 Certification & Accreditation / Security Assessment Policies and Procedures
Test Cases (numbered nn.n.n), e.g., CA-1.3, SA-1.1, PL-1.8, RA-1.1. Each CSAM test case records:
  • Control Objective
  • (Subordinate Objective)
  • Control Techniques
  • Specific Criteria
  • Prerequisite Controls
  • Test Objective
  • Test Set Up
  • Test Steps
  • Expected Results
  • Actual Results
  • Cost

Operational Controls (Cost, Implementation Guidance): PS-1 Personnel Security Policy & Procedures; PE-1 Physical & Environmental Protection Policy & Procedures; CP-1 Contingency Planning Policy & Procedures; CM-1 Configuration Management Policy & Procedures
Technical Controls (Cost, Implementation Guidance): IA-1 Identification and Authentication Policy & Procedures; AC-1 Access Control Policy & Procedures; AU-1 Audit & Accountability Policy & Procedures; SC-1 System & Comm Protection Policy & Procedures

Result per test case: PASS / FAIL
Risk Assessment (per Vulnerability/Control): Total Risk = Vulnerability Level × Threat Level × Significance Level
7
Current Problems: Conceptual Analogy
Standardize / Automate
a.) Troubleshoot/Analyze
  • Conduct Testing
  • Is there a problem?
  • Cause of error condition?
  • Is this check reporting correctly?
b.) Document/Report Findings (More DATA)
c.) Recommendations
d.) Remediate
8
Current Problems: Conceptual Analogy (Continued)
Before / After
Error Report
  • Problem: Air Pressure Loss
  • Diagnosis Accuracy: All Sensors Reporting
  • Diagnosis: Replace Gas Cap
  • Expected Cost: 25.00
9
SCAP: Security Content Automation Program
http://nvd.nist.gov/scap/scap.cfm
Guidance sources feeding the DISA/NSA/NIST SCAP Program: DISA Platinum, DISA Gold, NIST Special Pub, NSA Guide, Vendor Guide, Agency Baseline Configuration, Agency Policies and Standards. SCAP content is consumed by Vendor Assessment Tools to address the Agency's Technical Vulnerability and Configuration Assessment.
10
Setting Ground Truth/Defining Security
For each OS/application:
  • FISMA/FIPS 200 and 800-53: Required technical security controls
  • List of all known vulnerabilities
  • Low Level Checking Specification
  • Secure Configuration Guidance
Security Specifications for Platforms and Applications:
  • Vulnerabilities
  • Required Configurations
  • Necessary Security Tools

11
Automated Security Compliance and Measurement System
Automated Measurement System inputs:
  • Definition of What it means to Be Secure (FISMA Security Requirements)
  • Vulnerability Checking Tools
  • Organizational Impact Rating (FIPS 199)
Outputs: Deviation from Requirements; Impact to the System; Impact to the Agency; Impact Scoring System
12
Beyond FISMA: Number of Controls with Automated Validation Support
  • Security Content Automation Program (machine-readable security report formats): Full Automation 21 (13%), Partial Automation 28 (17%)
  • Cyber Security Assessment and Mgmt: Full Automation 31 (19%), Partial Automation 39 (24%)
  • Future Automation Techniques or No Automation: 44 (27%)
  • Total Controls: 163 (100%)
13
Beyond FISMA: Transition from Compliance Reporting to Validated Security Implementation
Cyber Security Assessment & Mgmt
  • Automated Support for All C&A Documentation
Security Content Automation Program (SCAP)
  • Provision of an enhanced IT security data repository
  • No cost and license free
  • CVE/OVAL/XCCDF/CVSS/CCE
  • Covers both patches and configuration issues
  • Elimination of duplication of effort
  • Cost reduction through standardization
Federal Agencies
  • Automation of Management, Operational, and Technical control compliance (FISMA)
  • Ability of agencies to specify how systems are to be secured

System Security Plan (SSP) and Supporting Artifacts Stored in a Digital Container (NIST SP 800-18, rev 1):
1. Information System Name/Title
2. Information System Categorization
3. Information System Owner
4. Authorizing Official
5. Other Designated Contacts
6. Assignment of Security Responsibility
7. Information System Operational Status
8. Information System Type
9. General System Description/Purpose
10. System Environment
11. System Interconnections/Information Sharing
12. Related Laws/Regulations/Policies
14. Information System Security Plan Completion Date
15. Information System Security Plan Approval Date
14
Beyond FISMA is NOW
People, Process, Technology
  • Where can Automation Benefit FISMA?
  • Agency Best Practices
  • Vendor Roles/Responsibilities/Practices
  • How Can Agencies Partner With Industry Providers To Extend Beyond FISMA Compliance?
  • Can the FISMA Framework Extend FISMA Beyond Its Intended Use?
  • Does This Help Integrate Security Architectures?
  • How to Break Down Silos Among FISMA/NSS/OMB A-123/FISCAM/COBIT