NCHER Knowledge Symposium Federal Contractor/TPS Session

NCHER Knowledge Symposium Federal Contractor/TPS Session
Information Security & Risk Management: ATO & FISMA Compliance 2017
Presented by Mike Figgins, CIO/CTO, November 2, 2017

Overview
- Cybercrime
- Authorization to Operate (ATO)
- U.S. Department of Education Minimum Compliance Standards
- NIST 800-53 Minimum Security Controls
- NIST 800-53 Privacy Controls
- U.S. Department of Education ISSO Deliverables
- Typical ATO Timeline
- Plan of Action and Milestones (POA&M)
- Embarking on ATO for the First Time

Cybercrime – The New Reality
"Cyber criminals revealed new levels of ambition in 2016 – a year marked by extraordinary attacks, including multi-million dollar virtual bank heists and overt attempts to disrupt the U.S. electoral process by state-sponsored groups. New sophistication and innovation marked seismic shifts in the focus of attacks. Zero-day vulnerabilities and sophisticated malware were used less as nation states devolved from espionage to straight sabotage. Meanwhile, cyber criminals caused unprecedented levels of disruption with relatively simple IT tools and cloud services."
– 2017 Internet Security Threat Report, Symantec

Authorization To Operate (ATO)
- A Federal Contractor or Third Party Servicer (TPS) is required to go through an arduous information technology security assessment against federally mandated security and risk-management controls before receiving an ATO.
- After contract award, the Dept. of Ed assigns an Information Systems Security Analyst to oversee the ATO process.
- The Contractor/TPS must select a third-party independent assessor approved by the Department of Education to complete the assessment.
- After the assessment is complete, the Dept. of Ed can authorize the system for use, i.e., grant an Authorization to Operate (ATO).
- Maintain an effective security program that assures continual compliance.
- Expect requirements to change.

U.S. Department of Education – Minimum Compliance Standards
- Federal Information Security Management Act (FISMA)
- FIPS 200 – Minimum Security Requirements for Federal Information and Information Systems
- FIPS 199 – Standards for Security Categorization of Federal Information and Information Systems (the FIPS 199 assessment determines the system's security categorization, which in turn selects the 800-53 control baseline)
- NIST Special Publication 800-53 – Catalog of security controls for all U.S. federal information systems
- FIPS 140-2 – Security Requirements for Cryptographic Modules
- FedRAMP – Federal Risk and Authorization Management Program ("cloud services")
- Quarterly FISMA Metrics Report
- Payment Card Industry Data Security Standard (PCI DSS)
- Statement on Standards for Attestation Engagements No. 18 (SSAE 18, SOC 1)

NIST 800-53 Minimum Security Controls
214 specific controls outlined, grouped into these control families:
- Access Control
- Awareness and Training
- Audit and Accountability
- Security Assessment and Authorization
- Configuration Management
- Contingency Planning
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical and Environmental Protection
- Planning
- Personnel Security
- Program Management
- Risk Assessment
- System and Services Acquisition
- System and Communications Protection
- System and Information Integrity

NIST 800-53 Privacy Controls
26 specific controls outlined ("Principle of Least Privilege"), grouped into these privacy control families:
- Authority and Purpose
- Accountability, Audit and Risk Management
- Data Quality and Integrity
- Data Minimization and Retention
- Individual Participation and Redress
- Security
- Transparency
- Use Limitation

U.S. Department of Education – ISSO Deliverables
- Risk Assessment
- Cyber Security Role-Based Training Program
- Boundary Document
- System Security Plan
- Vendor Management Review
- Configuration Management Plan
- Comprehensive System Event and Access Log Management
- Contingency Plan
- Incident Response Plan
- Configuration Management Scans – Policy Compliance
- Disaster Recovery Plan
- Vulnerability Scans

Typical ATO Timeline (6-8 months)

Phase 1 Kick Off
- Select Assessor
- System Boundary
- Data Sensitivity Worksheet
- Business Impact Assessment
- Contingency Plan
- Disaster Recovery Plan
- Configuration Plan
- System Security Plan
- Incident Response Plan

Review
- U.S. Department of Education reviews and approves the Phase 1 documents

Phase 2 Kick Off
- Assessor: POA&M Process
- Assessor: Assessment Plan
- Assessor: Rules of Engagement
- Assessment Kick Off
- Conduct Assessment
- Remediate Findings
- Create POA&Ms
- ATO Package and Brief

Phase 2 Approval
- FSA enters POA&Ms into CSAM
- FSA and ED Officials review the ATO Package
- FSA and ED Authorizing Officials sign the ATO Decision

Ongoing Monitoring & Compliance

What is a POA&M?
A Plan of Action and Milestones (POA&M) is a management tool for tracking the mitigation of system security program findings and weaknesses.

Where do POA&Ms come from?
- External findings (e.g., Dept. of Education, Treasury, etc.)
- Internal findings (e.g., in-house self-assessments, penetration tests and security scans, etc.)
- Audit findings (certification tests, etc.)

Vulnerability scan findings must be remediated. POA&Ms are updated and submitted quarterly.
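The vulnerability scans listed among the ISSO deliverables feed the POA&M process described above: each unique finding becomes a tracked weakness with a scheduled completion date, and the open/overdue/closed status is what gets reported quarterly. The following is an added example, not code from the presentation or from the Department of Education, of a small POA&M tracker built from scan findings. The scan-finding format, the remediation windows per severity, the control mapping, and the sample findings are all constructed assumptions for illustration; real windows come from the agency's POA&M guidance.

```python
"""Build POA&M entries from vulnerability-scan findings and summarize them for a
quarterly submission.  Added example; finding IDs, hosts, severities and the
remediation windows below are constructed assumptions, not agency policy."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed remediation windows (days) by scanner severity.  Illustrative only.
REMEDIATION_DAYS: Dict[str, int] = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Assumed mapping from scanner check ID to the 800-53 control the weakness
# is tracked under; anything unmapped falls back to RA-5 (Vulnerability Scanning).
CONTROL_MAP: Dict[str, str] = {"SCAN-0001": "SC-8", "SCAN-0002": "SI-2"}


@dataclass
class Finding:
    finding_id: str   # scanner check/plugin ID (constructed)
    host: str
    severity: str
    title: str
    source: str       # "internal", "external" or "audit", per the slide's three sources
    first_seen: date


@dataclass
class Poam:
    poam_id: str
    finding: Finding
    control: str
    scheduled_completion: date
    status: str = "open"
    milestones: List[str] = field(default_factory=list)
    closed_on: Optional[date] = None

    def is_overdue(self, today: date) -> bool:
        return self.status == "open" and today > self.scheduled_completion


def create_poams(findings: List[Finding]) -> List[Poam]:
    """One POA&M per unique (finding_id, host); duplicates from re-scans are folded in."""
    poams: List[Poam] = []
    seen: set = set()
    for f in sorted(findings, key=lambda x: (x.finding_id, x.host)):
        key = (f.finding_id, f.host)
        if key in seen:
            continue
        seen.add(key)
        days = REMEDIATION_DAYS.get(f.severity.lower())
        if days is None:
            raise ValueError(f"unknown severity {f.severity!r} on {f.finding_id}")
        poams.append(Poam(
            poam_id=f"POAM-{len(poams) + 1:04d}",
            finding=f,
            control=CONTROL_MAP.get(f.finding_id, "RA-5"),
            scheduled_completion=f.first_seen + timedelta(days=days),
            milestones=[f"Patch or mitigate on {f.host}", "Rescan and verify closure"],
        ))
    return poams


def close_poam(p: Poam, verified_on: date) -> None:
    """A POA&M closes only once a rescan has verified the fix."""
    p.status = "closed"
    p.closed_on = verified_on


def quarterly_summary(poams: List[Poam], today: date) -> Dict[str, int]:
    """Counts reported in the quarterly POA&M submission (overdue is a subset of open)."""
    return {
        "open": sum(1 for p in poams if p.status == "open"),
        "overdue": sum(1 for p in poams if p.is_overdue(today)),
        "closed": sum(1 for p in poams if p.status == "closed"),
    }


def build_sample_poams() -> List[Poam]:
    """Constructed scan output: three distinct findings plus one re-scan duplicate."""
    findings = [
        Finding("SCAN-0001", "app01", "critical", "Weak transport encryption settings", "internal", date(2017, 9, 1)),
        Finding("SCAN-0002", "db01", "high", "Missing vendor security patch", "internal", date(2017, 9, 10)),
        Finding("SCAN-0003", "web01", "medium", "Verbose error pages", "external", date(2017, 9, 20)),
        Finding("SCAN-0001", "app01", "critical", "Weak transport encryption settings", "internal", date(2017, 9, 15)),
    ]
    return create_poams(findings)


def run_demo(today: date = date(2017, 10, 1)) -> Tuple[List[Poam], Dict[str, int]]:
    poams = build_sample_poams()
    close_poam(poams[1], verified_on=date(2017, 9, 25))  # SCAN-0002 fixed and rescanned
    return poams, quarterly_summary(poams, today)


if __name__ == "__main__":
    poams, summary = run_demo()
    for p in poams:
        print(p.poam_id, p.control, p.finding.host, p.scheduled_completion, p.status,
              "OVERDUE" if p.is_overdue(date(2017, 10, 1)) else "")
    print(summary)
```

The critical finding on app01 has a 15-day window from 2017-09-01 and is therefore overdue on 2017-10-01; that is the item a quarterly review would escalate, matching the slide's "remediate immediately" advice.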

Embarking on ATO for the First Time? Recommendations
- Involve a trusted partner who has successfully secured an ATO previously.
- Select a third-party assessor that understands your situation and fits your culture; interview several.
- Be ready for changes.
- Manage scope and the system boundary carefully.
- Have strict policies; lock down group and device policies.
- Be vigilant: stay on top of vulnerabilities and remediate immediately.
- Be committed, not just during the ATO process but for the long term!

"There is an urgent need to further strengthen the underlying information systems, component products, and services that we depend on in every sector of the critical infrastructure – ensuring those systems, components, and services are sufficiently trustworthy and provide the necessary resilience to support the economic and national security interests of the United States."
– NIST SP 800-53 Revision 5 (draft)

Thank You! Questions? We’d love to help.