METRICS AND CONTROLS FOR DEFENSE IN DEPTH AN INFORMATION TECHNOLOGY SECURITY ASSESSMENT INITIATIVE.


Purpose
– Provide an overview of the DLA Information Assurance initiative entitled Metrics and Controls for Defense in Depth (McDiD)
– Illustrate how McDiD applies the Federal Information Technology Security Assessment Framework within the DoD Information Technology Security Certification and Accreditation Process (DITSCAP)

McDiD Impetus
Department of Defense Mandate
– DoD Instruction, Security Requirements for Automated Information Security Systems (AIS), 21 March 1988, mandates the accreditation of all AIS, including stand-alone personal computers, connected systems and networks.
– DoD Instruction, DoD Information Technology Security Certification and Accreditation Process (DITSCAP), 1 November 1999, established a four-phase process, required activities and general certification and accreditation criteria.
– DoD Chief Information Officer Guidance and Policy Memorandum, DoD Global Information Grid (GIG) Information Assurance (IA), June 16, 2000, directed that DoD develop an enterprise-wide IA architectural overlay to implement a strategy of layered defense (defense-in-depth).
– Chairman of the Joint Chiefs of Staff Instruction, Information Assurance Metrics, 15 March 2000, establishes reporting requirements for the Chairman's Joint Monthly Readiness Reports.
Need for Improved Security
– Internetworking is increasing the business/mission impact of disruption.
– Vulnerability is increasing due to the ease of access to cyber weapons and capabilities.
– The Agency security assessment program has revealed systemic security issues.

McDiD Objectives
– Leverage an existing mandatory program, DITSCAP, as the "container" and delivery mechanism for all information assurance requirements and initiatives
– Shift certification and accreditation focus and resources from documentation and reporting to active security management
– Improve quality and consistency of certification and accreditation efforts
– Create an integrated enterprise management view to:
  · Support information assurance oversight
  · Ensure protection across accreditation boundaries
  · Distinguish enterprise versus local roles and responsibilities
– Make policy and technical information easily accessible to DLA security professionals
– Facilitate and enable information/best-practice exchange and collaboration within the DLA security community
– Structure information so as to:
  · Satisfy multiple information assurance reporting requirements
  · Maximize information reuse among related programs and disciplines, e.g., Architecture, Program and Budget, Asset Management, Configuration Management, Continuity Planning
  · Provide for continuous Information Assurance process improvement

Federal Information Technology Security Assessment Framework LEVELS
– Level 1: Documented Policy
– Level 2: Documented Procedures & Controls
– Level 3: Implemented Procedures & Controls
– Level 4: Tested and Reviewed Procedures & Controls
– Level 5: Fully Integrated Procedures and Controls
(The levels are cumulative: a system is at a given level only when every lower level is also satisfied.)

DoD Information Technology Security Certification and Accreditation Process
– Phase 0 [Implicit]: Department and Agency policies are established; the C&A process is established
– Phase 1, Definition: the SSAA is drafted; security requirements are identified; the SSAA is negotiated and approved
– Phase 2, Verification: security procedures and controls are implemented
– Phase 3, Validation: compliance with controls is independently tested; Authority to Operate is granted
– Phase 4, Post Accreditation: the SSAA is updated to reflect changes in the IT baseline; the security assessment is updated quarterly; compliance with controls is periodically and independently tested

Certification & Accreditation Roles & Responsibilities

Security Controls Translate General Requirements into Actionable and Testable Objective Security Conditions
Each control is recorded with four fields:
– Control Number
– Control Name
– Control Description
– Metrics

Controls are Derived from Many Sources
The master list of IA Controls (Number, Name, Description) is fed from:
– National & DoD Policy
– DLA Policy
– DLA Program Review Findings
– Vulnerability Assessments
– IG/GAO/Other Audit Findings
– Agency System / Network Connection Agreements
– Commercial Best Practices
– Local Security Policy
– Local System / Network Connection Agreements
– Local Configuration Management Practices
– Information Category (Sensitivity and Classification)
– DAA Specified Requirements
(The slide's legend distinguishes DLA-wide sources from system-specific sources.)

A COTS Requirements Management System Maintains Control Traceability
– Provides "provenance" or traceability to the authority for, or origin of, each control
– Ensures all policy mandates are addressed
– Supports Agency-level policy assessment and formulation
– Enables continuous improvement of controls
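The traceability and assessment-level ideas on the preceding slides (the five framework levels, the Number/Name/Description/Metrics record, the many control sources, and the "every mandate is addressed" check) can be expressed as a small registry. The following is an added illustration written for this transcript, not DLA or McDiD code and not the COTS tool the slide refers to; the control numbers, mandate identifiers and metric names are hypothetical, and the evidence flags are constructed sample data. It shows two checks a practitioner would actually want from such a registry: a control's level is capped by the lowest level it fails (a claimed Level 5 with no testing evidence is a Level 3), and coverage is checked in both directions (mandates no control traces to, and controls that trace to no authority).

```python
"""Toy control registry: provenance, cumulative assessment levels, metrics.
Added example; control/mandate/metric identifiers are hypothetical."""
from dataclasses import dataclass, field

# Federal IT Security Assessment Framework levels, in order. They are
# cumulative: level N is only meaningful if levels 1..N-1 also hold.
LEVELS = (
    (1, "Documented Policy"),
    (2, "Documented Procedures & Controls"),
    (3, "Implemented Procedures & Controls"),
    (4, "Tested and Reviewed Procedures & Controls"),
    (5, "Fully Integrated Procedures and Controls"),
)


@dataclass
class Control:
    number: str
    name: str
    description: str
    sources: list                # provenance: mandate IDs this control traces back to
    evidence: dict               # level number -> True if evidence for that level exists
    metrics: dict = field(default_factory=dict)   # metric name -> (measured, threshold)


def level_of(control):
    """Highest level such that every lower level is also evidenced."""
    achieved = 0
    for lvl, _name in LEVELS:
        if control.evidence.get(lvl, False):
            achieved = lvl
        else:
            break            # a gap caps the level, whatever is claimed above it
    return achieved


def unaddressed_mandates(mandates, controls):
    """Mandates that no control traces back to (the 'all policy mandates
    are addressed' check, run as a set difference)."""
    covered = {src for c in controls for src in c.sources}
    return sorted(set(mandates) - covered)


def untraced_controls(controls):
    """Controls with no recorded authority: either a missing provenance
    entry or a control nobody actually requires."""
    return [c.number for c in controls if not c.sources]


def failing_metrics(control):
    """Metric names whose measured value is below the control's threshold."""
    return [m for m, (measured, threshold) in control.metrics.items()
            if measured < threshold]


def readiness_report(mandates, controls):
    """One roll-up dictionary, the shape a reporting feed would consume."""
    return {
        "levels": {c.number: level_of(c) for c in controls},
        "unaddressed_mandates": unaddressed_mandates(mandates, controls),
        "untraced_controls": untraced_controls(controls),
        "failing_metrics": {c.number: failing_metrics(c)
                            for c in controls if failing_metrics(c)},
    }


# Constructed sample data (hypothetical identifiers and values).
MANDATES = ["POL-ACCESS-1", "POL-AUDIT-2", "POL-CM-3"]
CONTROLS = [
    # Claims level 5 integration but has never been tested: capped at level 3.
    Control("IA-001", "Account review", "Privileged accounts reviewed quarterly",
            ["POL-ACCESS-1"],
            {1: True, 2: True, 3: True, 4: False, 5: True},
            {"pct_accounts_reviewed_90d": (0.97, 0.95)}),
    # Documented but not implemented; metric confirms the shortfall.
    Control("IA-002", "Audit log retention", "Logs forwarded and kept 1 year",
            ["POL-AUDIT-2", "LOCAL-CM-PRACTICE"],
            {1: True, 2: True, 3: False},
            {"pct_hosts_forwarding_logs": (0.80, 0.99)}),
    # No provenance at all.
    Control("IA-003", "Login banner", "Approved banner shown at logon",
            [], {1: True}),
]

if __name__ == "__main__":
    import json
    print(json.dumps(readiness_report(MANDATES, CONTROLS), indent=2))
```

The cumulative scoring in `level_of` is the part most often got wrong in hand-built spreadsheets, where a column of Yes/No flags is summed rather than walked in order; POL-CM-3 shows the other failure mode, a mandate that exists in policy but that no control in the registry claims to satisfy.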

A COTS Free-Form Database Provides a Repository for IA Reference Material
– Enables research and analysis with LexisNexis-like search functionality
– Makes IA reference material widely available via the web

Standard Tools and Methods Improve the Quality and Consistency of the Certification and Accreditation Process
System Security Authorization Agreement: Better, Cheaper, Faster
1. Centralized authorship and promulgation of the enterprise portions of the SSAA
2. Narrative translated into "fill in the blank" sections for:
   – Threat Assessment
   – Security Requirements (Controls)
   – Security CONOPS
   – Test & Evaluation Procedures
   – Risk Assessment
3. Centralized development and promulgation of standard templates for Authors, Testers, and Reviewers
4. Centralized administration of a web-based COTS Configuration Management system for SSAA document management and workflow

McDiD is Administered Through a Comprehensive IA Knowledge-Base (CIAK)
– Controls provide an "index" for the IA Knowledge-Base: the master list of IA Controls (Number, Name, Description)
– Navigation aid to "trace back" from each control to policy and requirements
– Navigation aid to "drill down" from each control to supporting engineering guides and contract clauses
– Each control is supported by metrics
– McDiD implementation schedules drive C&A and budget
– CIAK feeds the Defense Operational Readiness Reporting System

Conclusion
The McDiD Information Assurance initiative, while still early in its implementation, has:
– Reduced SSAA preparation costs and time by an order of magnitude
– Improved quality through:
  · Standard controls and metrics
  · Standard scope and level of effort
  · Infused learning and common understanding
– Identified additional opportunities for collaboration and process improvement