ISSM 101 Break-Out Session

Presentation transcript:

ISSM 101 Break-Out Session
CINCO DE MAYO 2016
Anna Nye-Schaffroth, Leidos ISSM

Introduce myself. Introduce session: overview of how to obtain accreditation and maintain compliance with NISPOM Chapter 8. Slides posted on ISAC web site. HOLD QUESTIONS UNTIL Q&A.
SD ISAC Information System Security Subcommittee (IS3)

ISSM 101 Outline
DSS ODAA Documentation
How to Obtain Accreditation
How to Maintain Compliance
Introduction to RMF by Alan Polley, Leidos Senior ISSO
OBMS Demonstration
Q&A Panel

Go over outline. Due to RMF, some of this info will be changing in the future.

DSS Office of the Designated Approving Authority (ODAA) Documentation

First, go over documentation. Point out what ODAA stands for.

DSS ODAA Documentation
DSS ISFO ODAA Manual for the Certification and Accreditation of Classified Systems under the NISPOM (Version 3.2, 11/15/13)
  AKA "ODAA Process Manual" or "ISFO Process Manual"
  Soon to be replaced with the DSS Assessment and Authorization Process Manual (July 2016)
Baseline Technical Security Configuration of Microsoft Windows 7 and Microsoft Server 2008 R2 (Version 1.0, July 2013)
System Security Plan Templates (5/29/14)
  System Security Plan (SSP)
  Information System (IS) Profile
  IS Security Package Submission and Certification Statement

First on list: the ISSM "Bible", published in 2013, contains lots of info including roles & responsibilities, data spills, media protection, and non-OS-specific technical controls.
"Baseline Standards": contains specific security settings to comply with NISPOM requirements. DSS won't be creating these standards documents anymore. For Windows versions beyond Windows 7/2008 use DISA STIGs (Security Technical Implementation Guides) or vendor docs.
SSP Templates: in the "old" days we had to create our own SSP text.
Certification Statement: certifying that all information in the SSP & IS Profile is accurate, and that security settings have been tested & are working properly.

How to Obtain Accreditation

How to Obtain Accreditation
1. Verify Contract & DD254
2. Closed Area Approval (DSS Form 147), if applicable
3. Obtain hardware
4. Install software
5. Configure security settings
6. Test security settings
7. Prepare SSP paperwork
8. Submit paperwork via OBMS
9. Obtain 180-day IATO
10. DSS on-site certification visit
11. Obtain 3-year ATO

Created 11 steps based on my own experience. Before starting the certification process, need to verify contract info – next slide.

Verify Contract & DD254
Contract: Authorized to work on contract at your location? Period of Performance (POP) expired?
DD254: Box 1b, Box 11c

I'm sure you all know more about contracts & DD254s than I do. I always like to check a few things before starting the IS approval process.

How to Obtain Accreditation
1. Verify Contract & DD254
2. Closed Area Approval (DSS Form 147), if applicable
3. Obtain hardware
4. Install software
5. Configure security settings
6. Test security settings
7. Prepare SSP paperwork
8. Submit paperwork via OBMS
9. Obtain 180-day IATO
10. DSS on-site certification visit
11. Obtain 3-year ATO

Closed area: needs to have an approved DSS Form 147 BEFORE you submit your SSP.
Obtain hardware: from a reputable vendor like Dell or HP. These days, "supply chain integrity" is more important than ever.
Install software: ensure all software, including antivirus software and OS patches, is installed BEFORE configuring security settings. We discovered the hard way that installing MS Office after security lock-down is painful.
Configure security settings: manually can take hours. A script can take minutes.
Test security settings: use the SCAP tool (Security Content Automation Protocol Compliance Checker). NCMS created a benchmark for NISPOM.
Prepare SSP paperwork: download templates from the OBMS web site and fill in the blanks.
Submit paperwork via OBMS: demo.
Not sure how this will change with RMF.

How to Maintain Compliance

How to Maintain Compliance
Weekly
  Review automated audit logs and check seals
  Keep for one year or one inspection cycle, whichever is longer
Monthly
  Update virus definitions (every 30 days)
  Install Microsoft patches ("Patch Tuesday")
    WSUS Offline Update tool
    SRO fix tool (cecil.b.king@amsec.hii-nns.com)
    Re-run SCAP tool

Tasks required to maintain compliance are normally done by ISSO -> ISSM -> YOU.
Audit review: Gone for a week? Get a backup. Don't have a backup? Inform DSS.
WSUS Offline Update tool: determines which updates are needed and installs them for you.
SRO fix tool: Windows file auditing settings may change after installing Windows updates. Cecil King, ISSM at AMSEC, created a tool to reset the auditing settings on the 200+ files. Send email to Cecil to obtain the tool.
SCAP tool (Security Content Automation Protocol): re-run to verify auditing settings have been fixed.
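The monthly "SRO fix" step above is about file-audit (SACL) entries drifting after Windows updates. The following PowerShell script is an added example written for this page; it is not the presentation's code and not Cecil King's tool. It checks a baseline list of files for an expected audit rule and, with -Fix, re-applies any rule that is missing, so the SCAP re-run has something concrete to confirm. The two file paths, the identity, the rights mask and the audit flags are constructed placeholders, not the talk's 200+ file list; take the real values from your approved SSP. Reading and writing SACLs requires an elevated session.

```powershell
# Added example (not from the presentation, not the SRO fix tool): detect and optionally
# restore file audit (SACL) rules that Windows updates may have reset.
# Run from an elevated PowerShell session (SACL access needs SeSecurityPrivilege).
param(
    [switch]$Fix   # re-apply missing audit rules instead of only reporting them
)

# Constructed sample baseline. Paths, identity, rights and flags are placeholders;
# substitute the audit settings required by your SSP.
$Baseline = @(
    @{ Path = "$env:SystemRoot\System32\drivers\etc\hosts";    Identity = 'Everyone'; Rights = 'Write,Delete,ChangePermissions,TakeOwnership'; Flags = 'Success,Failure' },
    @{ Path = "$env:SystemRoot\System32\drivers\etc\services"; Identity = 'Everyone'; Rights = 'Write,Delete,ChangePermissions,TakeOwnership'; Flags = 'Success,Failure' }
)

function Test-AuditRule {
    # Returns $true when $Acl already carries an audit entry that covers the baseline rule
    # (same identity, at least the required rights, at least the required Success/Failure flags).
    param([System.Security.AccessControl.FileSecurity]$Acl, [hashtable]$Rule)

    $wantRights = [System.Security.AccessControl.FileSystemRights]$Rule.Rights
    $wantFlags  = [System.Security.AccessControl.AuditFlags]$Rule.Flags

    foreach ($entry in $Acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])) {
        $sameIdentity = $entry.IdentityReference.Value -eq $Rule.Identity
        $coversRights = ($entry.FileSystemRights -band $wantRights) -eq $wantRights
        $coversFlags  = ($entry.AuditFlags -band $wantFlags) -eq $wantFlags
        if ($sameIdentity -and $coversRights -and $coversFlags) { return $true }
    }
    return $false
}

$report = @()
foreach ($rule in $Baseline) {
    if (-not (Test-Path -LiteralPath $rule.Path)) {
        $report += [pscustomobject]@{ Path = $rule.Path; Status = 'MISSING FILE' }
        continue
    }

    # -Audit makes Get-Acl read the SACL; without it only the DACL is returned.
    $acl = Get-Acl -LiteralPath $rule.Path -Audit

    if (Test-AuditRule -Acl $acl -Rule $rule) {
        $report += [pscustomobject]@{ Path = $rule.Path; Status = 'OK' }
        continue
    }

    if ($Fix) {
        $auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            $rule.Identity, $rule.Rights, $rule.Flags)
        $acl.AddAuditRule($auditRule)
        Set-Acl -LiteralPath $rule.Path -AclObject $acl
        $report += [pscustomobject]@{ Path = $rule.Path; Status = 'RESTORED' }
    } else {
        $report += [pscustomobject]@{ Path = $rule.Path; Status = 'DRIFTED' }
    }
}

# Anything other than OK is what the monthly SCAP re-run should be confirming.
$report | Format-Table -AutoSize
```

Run it without -Fix first during the weekly audit review so that every DRIFTED line is recorded before the setting is changed; an entry that is wider than the baseline (more rights or flags) is still reported as OK, since the check is for coverage, not exact equality.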

How to Maintain Compliance (continued)
Bi-monthly (every 60 days)
  Change backup-admin/root passwords
Periodically
  Backup audit logs
    MUSA – quarterly
    LAN – automated weekly
  Self-Inspection
    Minimum – yearly
    Preferred – biannually

Built-in admin account is disabled, but you can create a generic backup-admin account.
Audit log backups: if the HDD crashes, you lose audit logs and you will get dinged on the DSS SVA. MUSA – backup to DVD. LAN – backup to network drive.
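The two account rules on this slide (built-in admin disabled, generic backup-admin password changed every 60 days) can be checked on a Windows standalone host with the script below. It is an added example for this page, not the presentation's material. It needs PowerShell 5.1 or later for the LocalAccounts cmdlets; the account name BackupAdmin and the 60-day limit are assumptions taken from the slide's wording, so adjust them to your SSP.

```powershell
# Added example (not from the presentation): verify the slide's account rules on a MUSA host.
# Requires PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).
$BackupAdminName    = 'BackupAdmin'   # assumed name of the generic backup-admin account
$MaxPasswordAgeDays = 60              # bi-monthly password change from the slide

$findings = @()

# 1. Identify the built-in Administrator by its RID (-500), not by name: the account may
#    have been renamed, but the RID never changes.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($null -eq $builtin) {
    $findings += 'Built-in Administrator account not found (unexpected on a standalone host)'
} elseif ($builtin.Enabled) {
    $findings += "Built-in Administrator account '$($builtin.Name)' is ENABLED; expected disabled"
}

# 2. The backup-admin account must exist, be enabled, sit in Administrators, and have a
#    password younger than the 60-day limit.
$backup = Get-LocalUser -Name $BackupAdminName -ErrorAction SilentlyContinue
if ($null -eq $backup) {
    $findings += "Backup-admin account '$BackupAdminName' does not exist"
} else {
    if (-not $backup.Enabled) {
        $findings += "Backup-admin account '$BackupAdminName' is disabled"
    }
    if ($null -eq $backup.PasswordLastSet) {
        $findings += "Backup-admin account '$BackupAdminName' has never had its password set"
    } else {
        $age = (Get-Date) - $backup.PasswordLastSet
        if ($age.TotalDays -gt $MaxPasswordAgeDays) {
            $findings += ('Backup-admin password is {0:N0} days old (limit {1})' -f $age.TotalDays, $MaxPasswordAgeDays)
        }
    }
    # Get-LocalGroupMember reports names as COMPUTERNAME\user for local accounts.
    $admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    if ($admins -notcontains "$env:COMPUTERNAME\$BackupAdminName") {
        $findings += "Backup-admin account '$BackupAdminName' is not a member of Administrators"
    }
}

if ($findings.Count -eq 0) {
    'PASS: built-in Administrator disabled; backup-admin present and password within limit'
} else {
    'FAIL:'
    $findings | ForEach-Object { "  - $_" }
}
```

Checking the RID rather than the name matters because renaming the built-in Administrator is a common hardening step, and a name-based check would then silently pass. The PasswordLastSet comparison is the part that makes the 60-day task auditable rather than a calendar reminder.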

How to Maintain Compliance (continued)
Annually
  Rebrief users and ISSOs (and re-sign user briefing forms)
Always
  Media/Equipment classification labeling
  Hardware/Software Baselines up-to-date
  SSP Binder

Annual rebriefing: do not just have users re-sign briefing forms. We actually ask users questions since they should already know the requirements.
Media/Equipment labeling: check every week during audit review.
Hardware/Software baselines: don't wait until right before the DSS SVA to update baselines.
SSP Binder: neat, logs complete, info up-to-date.
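Keeping the software baseline current, as the slide asks, is easier when the baseline is a file that can be diffed against the host rather than a list retyped before the SVA. The script below is an added example for this page (not the presentation's material): it snapshots installed programs from the Uninstall registry keys, saves the first snapshot as the baseline, and on later runs reports every added, removed or version-changed entry. The script name, the -BaselinePath parameter and the JSON file format are assumptions of this example.

```powershell
# Added example (not from the presentation): snapshot installed software and compare it
# against the saved baseline so the SSP baseline is updated when the system changes,
# not right before the DSS SVA.
# Assumed usage:  .\Compare-SoftwareBaseline.ps1 -BaselinePath .\software-baseline.json
#                 .\Compare-SoftwareBaseline.ps1 -BaselinePath .\software-baseline.json -Update
param(
    [Parameter(Mandatory)][string]$BaselinePath,
    [switch]$Update   # overwrite the baseline after the differences have been reviewed
)

function Get-InstalledSoftware {
    # Read both the 64-bit and 32-bit Uninstall views. This is faster than Win32_Product
    # and does not trigger MSI consistency checks the way that WMI class does.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{
                Name    = $_.DisplayName
                Version = [string]$_.DisplayVersion
            }
        } |
        Sort-Object Name, Version -Unique
}

$current = @(Get-InstalledSoftware)

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    # First run: record the baseline the ISSM signs off on.
    $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    "Baseline created with $($current.Count) entries at $BaselinePath"
    return
}

$baseline = @(Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json)

# Compare on Name + Version. '=>' means present now but not in the baseline (added or
# upgraded); '<=' means in the baseline but no longer present (removed or downgraded).
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Name, Version

if (-not $diff) {
    'Software baseline is current: no differences.'
} else {
    'Software baseline is OUT OF DATE:'
    $diff | ForEach-Object {
        $tag = if ($_.SideIndicator -eq '=>') { 'ADDED/UPGRADED' } else { 'REMOVED/DOWNGRADED' }
        '  {0,-18} {1} {2}' -f $tag, $_.Name, $_.Version
    }
    if ($Update) {
        $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
        "Baseline updated at $BaselinePath; record the change in the SSP binder."
    }
}
```

Because the comparison includes the version string, a Patch Tuesday that bumps a product version shows up as one REMOVED and one ADDED line for the same name; that is the signal that the baseline document needs the same edit. The hardware baseline is not covered here, since the slide treats it as a separate list.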

Introduction to RMF
Alan Polley, CISSP, Leidos Senior ISSO

What is RMF?
C&A revitalization

Basically, it's the new means for obtaining authorization to process classified information. I've been working with it for a couple of years and have sought several authorizations under RMF. I'll be speaking from experience versus intent. Disclaimer: This is a high-level sample of RMF and does not speak to DSS implementation or templates.

What is RMF?
Six-step process that provides a more holistic and strategic risk management process throughout the system's life cycle.
Goals: common framework, language and policy derivatives
NIST Publications (800 series)

What's Changing? Terms, Documentation, Guidance
Terms (old | new)
  Regional Designated Accrediting Authority (RDAA) | Regional Authorizing Official (RAO)
  ISSP | Security Control Assessor (SCA)
  Program Manager (PM) | Information System Owner (ISO)
Documentation (old | new)
  MSSP | Information Assurance Standard Operating Procedures (IA SOP)
  SSP/Profile | System Security Plan (SSP), Risk Assessment Report (RAR), Security Controls Traceability Matrix (SCTM), Plan of Action and Milestones (POAM)
Guidance
  Joint SAP Implementation Guide (JSIG Rev 4, April '16) – DSS uses for SAPs
  DSS Authorization and Assessment Process Manual (DAAPM) – due July '16

A lot of new roles and responsibilities – know right now.
Customer-provided templates: SSP trimmed down compared to current template; SCTM.

Current Authorization Process

RMF Authorization Process
Work with your SCA to bring your system to an acceptable level of risk for the AO.

Steps of RMF (Step 1): Categorize
Assigning values to information and information systems based on protection needs determined by the impact from a loss of Confidentiality, Integrity, and Availability (CIA).
Impact Levels: Low, Moderate, or High
Work with ISO, ISSM, Facilities and SCA to create a BODY OF EVIDENCE for determining security category:
  Information System Type
  Boundaries
  User Base
  Overlays

Steps of RMF (Step 2): Select Controls
Controls are safeguards and countermeasures prescribed for the IS.
18 Control Families with 864 total controls
Types: Common, System Specific, and Hybrid
Security Controls Traceability Matrix (SCTM)

Families (examples):
  Access Control – account management
  Audit – policies
  Configuration Management – IA SOP, Privileged Users Guide

Steps of RMF (Steps 3 & 4): Implement Controls, Assess
Implement Controls
  SCTM: updated control status, reference documents
Assess
  Security Assessment Plan (if required)
  Results of control implementation
  Methods: Testing, Examine, or Interview
  Submit results
  Security Assessment Report (SAR) – provided by SCA; details the results of your BoE and recommended corrective actions (POA&M)

Implement Controls: control status (Implemented, Planned, or Tailored); reference documents (IA SOP, PUG).
Assess: work with SCA to determine assessment type.
  Test – automated tools (SCAP, WASSP, etc.)
  Examine – review documentation (Facility SOP, Guard SOP)
  Interview – discussion with knowledgeable staff (IT Manager, general user, FSO)

Steps of RMF (Step 5): Authorize
Security Authorization Package: ISO to SCA to AO
BOE: IA SOP, SSP, RAR, SCTM, POA&M, etc.
Authorization Decision
  Authorization to Operate (ATO)
  Interim Authorization to Test (IATT)
  Denial of Authorization to Operate (DATO)

Steps of RMF (Step 6): Monitor
Continuous Monitoring (ConMon)
  Information System Continuous Monitoring Plan (ISCM)
  Frequency determined in SCTM template
  Monitor like you test
  Self-Inspections
Configuration Management
  Manage changes to the IS
  Update POA&M and SSP
  Configuration Control Board (CCB): ISO, ISSM/ISSO, IT Manager, FSO

Summary
RMF is coming August 1st – start now!
Guidance
  Review RMF documentation
    NIST 800 Publications: http://csrc.nist.gov/publications/PubsSPs.html#SP%20800
    Joint SAP Implementation Guide (JSIG) Rev 4, published in April
  Training (CDSE)

Guidance: new process manual (DAAPM) due July '16. Familiarize yourself with the JSIG and templates. Attend training. Work with your ISSOs and IT staff to come up with a solid baseline for standard systems. Figure out where you can access platform STIGs and security benchmarks.

ODAA Business Management System (OBMS) Demonstration

OBMS Demonstration
"OBMS is a secure, web-based system, designed to automate and streamline the Certification and Accreditation (C&A) process for timeliness, accuracy, and efficiency."

Demonstrate submittal of an SSP package for a Multi-User Standalone (MUSA) Information System (IS).

Q&A Panel
Tim Weaver, Western Regional Authorizing Official (RAO)
Rick Disney, Information System Security Professional (ISSP)
Anna Nye-Schaffroth, ISSM (Leidos)
Alan Polley, Senior ISSO (Leidos)

Introduce DSS.