Title: J-6 Information Operations
Slide 1: Beyond FISMA: Taking Federal Cyber Security to the Next Level

IT Security Program Purpose: support Agency strategic goals by ensuring the integrity, confidentiality, and availability of information and information systems.
- FISMA Compliance Requirements
- Beyond FISMA Compliance
- Cyber Security Assessment and Management (CSAM)
- Security Content Automation Program (SCAP)
- Number of Controls with Automated Validation Support
- Transition from Compliance Reporting to Automated Validation Support

Panel Members: Stephen Quinn, National Institute of Standards and Technology; Dennis Heretick, Department of Justice; J.R. Reagan, BearingPoint
ITAA CISO Workshop, November 2, 2006
Slide 2: The Compliance Game

[Figure: a web of overlapping compliance sources all feeding one set of controls. Sources shown: FISMA, HIPAA, SOX, GLB, INTEL, COMSEC 97, DoD 8500, ISO 17799, Vendor and 3rd Party guides, NSA requirements and NSA Guides, STIGs, SP 800-53, SP 800-68, DCID, assorted checklists and guides, and several unlabeled boxes.]

Finite Set of Possible Known IT Risk Controls
Application Configuration Options
Agency Tailoring: Mgmt, Operational, Technical Risk Controls
Millions of Settings to manage across the Agency

[Figure: the dimensions that multiply the settings to be managed. Impact Rating or MAC/CONF: High, Moderate, Low. Environment: Enterprise, Mobile, Stand Alone, SSLF. OS or Application: Windows. Version/Role: XP. Major Patch Level: SP1, SP2.]
Slide 3: FISMA Requirements

Drivers: President's Management Agenda; Federal Information System Controls Audit Manual (FISCAM); OMB A-123, Management's Responsibility for Internal Control; Federal Enterprise Architecture Security & Privacy Profiles.

Agency Program
- Maintain 100% C&A for Operational Systems
- Evaluate 96% of security control implementation status against the IT Security Standards
- Comprehensive Agency-wide Plan of Actions and Milestones (POA&M) for all known system weaknesses, independently verified by the Inspector General
- Report Security Costs for IT Investments; link to Business Cases
- Up to Date IT Security Plan/Risk Assessment
- Security Controls Evaluated
- Incident Response and Contingency Plans Tested
- Maintain Secure Configurations
- Conduct monthly vulnerability scans (weekly, if appropriate)
- Conduct Configuration security validations

Component Program
- System SSP
- C&A
- Validation Testing
- OMB A-123, Management's Responsibility for Internal Control: separate assessment and report on internal controls over financial reporting
Slide 4: FISMA Compliance Model

[Figure: Information System Security Configuration Settings, drawn from NIST, NSA, DISA, Vendor, and Third Party (e.g., CIS) Checklists and Implementation Guidance.]
Slide 5: Cyber Security Assessment & Mgmt (CSAM) (Certification & Accreditation)

Requirements sources: FISCAM / FIPS 200 / NIST 800-53 / NSS / DCID 6/3 / PII

Security Requirements Selection and Assign Responsibilities (PL-2)

System Description
- Inventory/Interconnections (CA-3)
- Scope
- Security Category
- Inherit Common Controls (MOA/SLA) (CA-2)

Asset Discovery/Mgmt, DB/Application Discovery: Dec 05 to Dec 06
Accreditation Maintenance: Jan 06 to Jan 07

Testing Integrated into Implementation
- C&A Team Review/Update
- Risk Assessment
- POA&M Funding Decision
- Monthly Review
- Dashboard
- OMB Report

Implement/Maintain Technical/Operational Controls
1. Vulnerability Mgmt Plan (Vulnerability Scans)
   - Access Controls (AC-2 to AC-20)
   - Vulnerability Mgmt (RA-5)
   - Audit and Accountability (AU-2 to AU-11)
   - Identification and Authentication (IA-2 to IA-7)
   - Systems & Communications Protection (SC-2 to SC-19)
   - System and Information Integrity (SI-2 to SI-12)
2. Operational and life-cycle controls
   - Life Cycle Mgmt (SA-3)
   - Configuration Management (PL-1)
   - Exercise/Update Incident Response Plan (IR-7)
   - Exercise/Update Contingency Plan (CP-10)
   - Awareness Training (AT-2, AT-3)
3. Physical, personnel and media controls
   - Physical/Environ Protection (PE-4)
   - Personnel Security (PS-8)
   - Media Protection (MP-7)
Feb 06 to Mar 07, with ongoing maintenance
Slide 6: Cyber Security Assessment and Management (CSAM)

Inputs: President's Management Agenda; FISMA, DCID 6/3, DOJ IT Security Stds; FISCAM, FIPS/NIST 800-53

Plans of Action & Milestones (POA&M)
Implementation Requirements
Manual vs. Automated Validation
OMB FISMA Reporting

Management Controls (Cost, Implementation Guidance): RA-1 Risk Assessment Policy and Procedures; PL-1 Security Planning Policy and Procedures; SA-1 System & Services Acquisition Policy & Procedures; CA-1 Certification, Accreditation & Security Assessment Policies and Procedures.

Test Cases (numbered nn.n.n per control, e.g. Test Case RA-1.1, PL-1.8, SA-1.1, CA-1.3), each recording:
- Control Objective
- (Subordinate Objective)
- Control Techniques
- Specific Criteria
- Prerequisite Controls
- Test Objective
- Test Set Up
- Test Steps
- Expected Results
- Actual Results
- Cost
Outcome: PASS / FAIL

Operational Controls (Cost, Implementation Guidance): PS-1 Personnel Security Policy & Procedures; PE-1 Physical & Environmental Protection Policy & Procedures; CP-1 Contingency Planning Policy & Procedures; CM-1 Configuration Management Policy & Procedures.

Technical Controls (Cost, Implementation Guidance): IA-1 Identification and Authentication Policy & Procedures; AC-1 Access Control Policy & Procedures; AU-1 Audit & Accountability Policy & Procedures; SC-1 System & Comm Protection Policy & Procedures.

Risk Assessment block: Total Risk; Vulner Control; Vulner Level, Threat Level, Signif Level (the figure joins the levels with "X" operators).
Slide 7: Current Problems / Conceptual Analogy

Standardize | Automate (the same steps appear under both columns)

a.) Troubleshoot/Analyze
   - Conduct Testing
   - Is there a problem?
   - Cause of error condition?
   - Is this check reporting correctly?
b.) Document/Report Findings (More DATA)
c.) Recommendations
d.) Remediate
Slide 8: Current Problems / Conceptual Analogy (Continued)

Before: Error Report
After:
   Problem: Air Pressure Loss
   Diagnosis Accuracy: All Sensors Reporting
   Diagnosis: Replace Gas Cap
   Expected Cost: $25.00
Slide 9: SCAP: Security Content Automation Program
Address: http://nvd.nist.gov/scap/scap.cfm

[Figure: the DISA/NSA/NIST SCAP Program takes in DISA Platinum, DISA Gold, NIST Special Pub, NSA Guide and Vendor Guide content; this feeds Vendor Assessment Tools and the Agency's Technical Vulnerability and Configuration Assessment, alongside the Agency Baseline Configuration and Agency Policies and Standards.]
Slide 10: Setting Ground Truth / Defining Security

For each OS/application, from FISMA/FIPS 200 and 800-53:
- List of all known vulnerabilities
- Low Level Checking Specification
- Required technical security controls
- Secure Configuration Guidance

Security Specifications for Platforms and Applications:
- Vulnerabilities
- Required Configurations
- Necessary Security Tools
Slide 11: Automated Security Compliance and Measurement System

[Figure: an Automated Measurement System combines a Definition of What it Means to Be Secure (FISMA Security Requirements), Vulnerability Checking Tools, and an Organizational Impact Rating (FIPS 199: Impact to the System, Impact to the Agency) to produce the Deviation from Requirements and an Impact Scoring System.]
Slide 12: Beyond FISMA: Number of Controls with Automated Validation Support

Cyber Security Assessment and Mgmt: Full Automation 21 (13%), Partial Automation 28 (17%)
Security Content Automation Program: Full Automation 31 (19%), Partial Automation 39 (24%)
Machine-readable Security Report Formats / Future Automation Techniques or No Automation: 44 (27%)
Total Controls: 163 (100%)
Slide 13: Beyond FISMA: Transition from Compliance Reporting to Validated Security Implementation

- Cyber Security Assessment & Mgmt: automated support for all C&A documentation
- Security Content Automation Program (SCAP)
  - Provision of an enhanced IT security data repository: no cost and license free
  - CVE/OVAL/XCCDF/CVSS/CCE
  - Cover both patches and configuration issues
  - Elimination of duplication of effort
  - Cost reduction through standardization
- Federal Agencies
  - Automation of Management, Operational, and Technical control compliance (FISMA)
  - Ability of agencies to specify how systems are to be secured
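The automated-validation idea that runs through the CSAM test-case record (Expected Results vs. Actual Results, PASS/FAIL), the Automated Measurement System slide, and the SCAP bullets above, shown as an added Python example: a machine-readable checklist is evaluated against a host's observed settings, each check is scored, results roll up to NIST SP 800-53 controls, and the share of required controls that received any automated check is computed rather than asserted. This is illustrative code written for this page, not CSAM, SCAP or any NIST/DISA/vendor tool; the CCE-style rule ids, the patch name, the setting names and the host snapshot are constructed placeholders, not real SCAP or CCE content.

```python
"""Toy automated configuration validator in the SCAP spirit: XCCDF-style rules
naming CCE-style setting identifiers are evaluated against a host snapshot,
each check yields PASS/FAIL (Expected Results vs Actual Results), and results
roll up to NIST SP 800-53 controls.  All identifiers, rules and the snapshot
are constructed for illustration; none of it is real SCAP/CCE content."""

from dataclasses import dataclass
from typing import Any, Callable

# Comparison operators a rule may apply to the observed value.  A setting the
# collector did not report arrives as None and must never satisfy a check.
OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    "equals": lambda actual, expected: actual is not None and actual == expected,
    "at_most": lambda actual, expected: actual is not None and actual <= expected,
    "at_least": lambda actual, expected: actual is not None and actual >= expected,
    "contains": lambda actual, expected: actual is not None and expected in actual,
}

@dataclass(frozen=True)
class Rule:
    """One checklist rule: which setting to read, how to compare it, and the
    SP 800-53 control the check supports."""
    rule_id: str    # placeholder CCE-style identifier (constructed)
    control: str    # SP 800-53 control the check supports, e.g. "AC-7"
    setting: str    # key in the host snapshot
    operator: str   # one of OPERATORS
    expected: Any   # Expected Results

@dataclass(frozen=True)
class Result:
    rule: Rule
    actual: Any     # Actual Results as collected from the host
    passed: bool

def evaluate(rules: list[Rule], snapshot: dict[str, Any]) -> list[Result]:
    """Run every rule against the observed settings.  An unreported setting is
    a FAIL, not a skip: an unmeasured requirement cannot count as validated."""
    results = []
    for rule in rules:
        actual = snapshot.get(rule.setting)
        passed = OPERATORS[rule.operator](actual, rule.expected)
        results.append(Result(rule, actual, passed))
    return results

def rollup_by_control(results: list[Result]) -> dict[str, str]:
    """Per SP 800-53 control: PASS only if every check supporting it passed."""
    status: dict[str, bool] = {}
    for r in results:
        status[r.rule.control] = status.get(r.rule.control, True) and r.passed
    return {c: ("PASS" if ok else "FAIL") for c, ok in sorted(status.items())}

def automation_coverage(results: list[Result], required: list[str]) -> dict[str, Any]:
    """Which required controls got at least one automated check and which still
    need manual validation: the 'controls with automated validation support'
    count, derived from the checklist itself."""
    automated = {r.rule.control for r in results} & set(required)
    return {
        "automated": sorted(automated),
        "manual_only": sorted(set(required) - automated),
        "percent_automated": round(100 * len(automated) / len(required)),
    }

# Constructed checklist.  Rule ids and the patch name are placeholders.
CHECKLIST = [
    Rule("CCE-EXAMPLE-0001", "AC-7", "account_lockout_threshold", "at_most", 5),
    Rule("CCE-EXAMPLE-0002", "IA-5", "min_password_length", "at_least", 12),
    Rule("CCE-EXAMPLE-0003", "AU-2", "audit_logon_events", "equals", "success_and_failure"),
    Rule("CCE-EXAMPLE-0004", "SI-2", "installed_patches", "contains", "PATCH-EXAMPLE-001"),
    Rule("CCE-EXAMPLE-0005", "SC-8", "smb_signing_required", "equals", True),
]

# Constructed host snapshot, as a collection agent might report it.  The SMB
# signing setting is deliberately absent to show how an unreported value scores.
HOST_SNAPSHOT = {
    "account_lockout_threshold": 3,
    "min_password_length": 8,
    "audit_logon_events": "success_and_failure",
    "installed_patches": ["PATCH-EXAMPLE-001", "PATCH-EXAMPLE-002"],
}

# Technical controls the agency requires for this system (constructed subset).
REQUIRED_TECHNICAL_CONTROLS = ["AC-2", "AC-7", "AU-2", "CM-6", "IA-5", "SC-8", "SI-2"]

def run_report(rules=CHECKLIST, snapshot=HOST_SNAPSHOT, required=REQUIRED_TECHNICAL_CONTROLS):
    results = evaluate(rules, snapshot)
    return results, rollup_by_control(results), automation_coverage(results, required)

if __name__ == "__main__":
    results, by_control, coverage = run_report()
    for r in results:
        verdict = "PASS" if r.passed else "FAIL"
        print(f"{r.rule.rule_id} [{r.rule.control}] {verdict}: expected "
              f"{r.rule.operator} {r.rule.expected!r}, actual {r.actual!r}")
    print("By control:", by_control)
    print("Coverage:", coverage)
```

Two design points carry over to real SCAP content: a setting the collector cannot read is reported as a failed check rather than silently dropped, so the dashboard never overstates what was validated, and the coverage figure is computed from the rules actually present in the checklist, which is what lets an agency say how many of its required controls have automated support versus manual-only evidence.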
System Security Plan (SSP) and Supporting Artifacts Stored in a Digital Container (NIST SP 800-18, rev 1)
1. Information System Name/Title
2. Information System Categorization
3. Information System Owner
4. Authorizing Official
5. Other Designated Contacts
6. Assignment of Security Responsibility
7. Information System Operational Status
8. Information System Type
9. General System Description/Purpose
10. System Environment
11. System Interconnections/Information Sharing
12. Related Laws/Regulations/Policies
14. Information System Security Plan Completion Date
15. Information System Security Plan Approval Date
Slide 14: Beyond FISMA is NOW

People, Process, Technology
- Where can Automation Benefit FISMA?
- Agency Best Practices
- Vendor Roles/Responsibilities/Practices
- How Can Agencies Partner With Industry Providers To Extend Beyond FISMA Compliance?
- Can the FISMA Framework Extend FISMA Beyond Its Intended Use? Does This Help Integrate Security Architectures?
- How to Break Down Silos Among FISMA/NSS/OMB A-123/FISCAM/COBIT