Defense Security Service’s Risk Management Framework (RMF) Authorization & Assessment Process
Josh Thompson, Classified Information Systems – Western Region, Northrop Grumman

What is Risk Management Framework (RMF)?
- It is a unified information security framework for the entire federal government that replaces legacy Certification and Accreditation (C&A) processes applied to information systems
- RMF is a key component of an organization’s information security program used in the overall management of organizational risk

Why RMF

DSS A&A Process Flow

Primary Activities by Step
Step 1 – Categorize
- Risk Assessment Report
- SSP
  - System Identification
  - Key Roles & Responsibilities
  - System Environment
  - General Description
  - Purpose
  - Interconnections
  - Applicable Appendixes
  - Must include at least a conceptual system/network diagram
Step 1
- Similar to completing the ISFO SSP Template
- High level overview to “register” the new system with DSS
- Gives your ISSP a heads up that a new system is being initiated

Primary Activities by Step
Step 2 – Selection
- Updated Risk Assessment Plan (if required)
- SSP
  - Updated Step 1 Information (if required)
  - Control Selection
  - Overlays
  - Tailoring
  - Include Continuous Monitoring Strategy
Step 2
- Initially a very short step
- This step is used to tailor, which will be more beneficial in the future. Need to better understand the controls and expectations before we can justify tailoring
- Continuous monitoring strategy is already (tentatively) defined

Primary Activities by Step
Step 3 – Implementation
- Updated Risk Assessment Plan (if required)
- SSP
  - Updated Step 1 & 2 Information (if required)
  - Finalize System Description & Diagrams
  - Must include HW/SW Lists
  - Control Implementation Approach
    - Each implemented control must be described/documented
- Systems
  - Controls Implemented on all systems
Step 3
- This is where the real work begins
- Rather than completing the IS Profile template, the contractor must now explain how we are meeting the control
- Recommend relying heavily on the NIST-to-NISPOM Security Control Mapping document for guidance
- Requires participation from ISSM/ISSO, FSO, System Administrators, Program Management, other stakeholders

NIST to NISPOM Mapping

Primary Activities by Step
Step 4 – Assess
- ISSM Develops Security Assessment Plan
  - Primarily Based on the DSS Technical Assessment Guides
- ISSM Performs Initial Assessment & Develops a POA&M
- ISSM Provides Initial Assessment and POA&M to SCA
- SCA Performs On-site validation
Step 4
- SCAP is a big part of this step
- Tip – Run SCAP on your systems prior to submitting your Step 3 documentation to DSS. Retain those results for DSS to review upon arrival
- Create a POA&M on your system prior to DSS’s arrival identifying all open findings
- Your POA&M may be classified based on your system’s SCG
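As an added example of the Step 4 tip (not code from the presentation or from DSS), this script reads SCAP scanner output in XCCDF 1.2 format and turns every open rule result into a numbered POA&M entry, highest severity first; the benchmark fragment is constructed, and its rule ids, titles and hostname are placeholders rather than real benchmark content.

```python
import xml.etree.ElementTree as ET
from collections import namedtuple

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
OPEN_RESULTS = {"fail", "error", "unknown"}  # rule results that become POA&M items
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}
Finding = namedtuple("Finding", "rule_id title severity target")

# Constructed XCCDF 1.2 fragment standing in for real SCAP scanner output;
# the rule ids, titles and hostname are placeholders, not benchmark content.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_sample">
  <Rule id="xccdf_example_rule_screen_lock" severity="low"><title>Screen lock must be enforced</title></Rule>
  <Rule id="xccdf_example_rule_av_updated" severity="medium"><title>Antivirus signatures must be current</title></Rule>
  <Rule id="xccdf_example_rule_audit_enabled" severity="high"><title>Audit logging must be enabled</title></Rule>
  <TestResult id="xccdf_example_testresult_sample">
    <target>host-example-01</target>
    <rule-result idref="xccdf_example_rule_screen_lock"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_av_updated"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_audit_enabled"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>"""

def _q(tag):
    """Namespace-qualify an XCCDF tag name for ElementTree lookups."""
    return f"{{{XCCDF_NS}}}{tag}"

def open_findings(xml_text):
    """Return the open findings in an XCCDF result document, highest severity first."""
    root = ET.fromstring(xml_text)
    rules = {r.get("id"): r for r in root.iter(_q("Rule"))}  # id -> Rule, for title/severity
    findings = []
    for tr in root.iter(_q("TestResult")):
        target = tr.findtext(_q("target"), default="unknown")
        for rr in tr.findall(_q("rule-result")):
            if rr.findtext(_q("result"), default="unknown").strip() not in OPEN_RESULTS:
                continue  # pass / notapplicable / notselected do not go on the POA&M
            rule = rules.get(rr.get("idref"))
            title = rule.findtext(_q("title"), default="") if rule is not None else "(rule not in benchmark)"
            severity = rr.get("severity") or (rule.get("severity") if rule is not None else "unknown")
            findings.append(Finding(rr.get("idref"), title, severity, target))
    findings.sort(key=lambda f: SEVERITY_RANK.get(f.severity, 99))
    return findings

def poam_lines(findings):
    """Render findings as numbered POA&M entries, each open until the fix is validated."""
    return [f"{i}. [{f.severity.upper()}] {f.rule_id} on {f.target}: {f.title}"
            for i, f in enumerate(findings, 1)]

if __name__ == "__main__":
    print("\n".join(poam_lines(open_findings(SAMPLE_XCCDF))))
```

Point it at the real results file retained from your pre-submission SCAP run; the resulting list is the open-findings POA&M the slide asks for, and it carries whatever classification the system's SCG assigns to the results.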

Primary Activities by Step
Step 5 – Authorize
- AO issues ATO
Step 6 – Monitor
- ISSM Performs Continuing Monitoring Based On Continuous Monitoring Strategy
Step 5
- Same as it’s always been
Step 6
- Think weekly audits, AV updates, patching, and self-inspections
- We’ve always done these things
- Don’t get hung up on “ConMon”. Look at the requirement and think about how you’ve been doing this all along
- Biggest change – You can’t forget about the system just because you have an ATO

?