Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 4: Effective Integration.

Section 4: Effective Integration Overview: The IT system life cycle has 5 phases:
1. Initiation
2. Development/Acquisition
3. Implementation
4. Operation/Maintenance
5. Disposal
The procurement life cycle has 5 phases:
1. Mission & Business Planning
2. Acquisition Planning
3. Acquisition
4. Contract Performance
5. Disposal and Closeout
To effectively integrate IT security into the procurement process, security must be considered throughout the entire procurement life cycle.

Section 4 cont’d: Effective Integration Overview: How do the Procurement and IT System life cycles relate? The slide places the two life cycles side by side, phase for phase:
Procurement Life Cycle Phases: Mission and Business Planning; Acquisition Planning; Acquisition; Contract Performance; Disposal and Contract Closeout
IT System Life Cycle Phases: Initiation; Development/Acquisition; Implementation; Operation/Maintenance; Disposal
ALL 5 phases in the procurement life cycle must address IT security requirements.

Section 4 cont’d: Effective Integration What Security Considerations need to be addressed during the Procurement Life Cycle? Procurement Life Cycle Phase 1 Mission and Business Planning PROCUREMENT CYCLE ACTIVITIES: Mission/Business Planning results in a needs determination, which defines the problem to be resolved through the procurement process. Components of the needs determination are:
- basic system idea
- preliminary requirements definition
- approval

Section 4 cont’d: Effective Integration Procurement Life Cycle Phase 1 Mission and Business Planning SECURITY CONSIDERATIONS: The Needs Determination for IT systems and applications should result in a Preliminary System Security Plan, compliant with NIST Special Publication guidance, that establishes the need, links the need to performance objectives, and addresses alternatives. The Procurement Initiator must obtain a unique system identifier number from the bureau’s Office of the Chief Information Officer (OCIO). The Procurement Initiator should conduct a preliminary sensitivity assessment in accordance with Federal Information Processing Standard (FIPS) 199, using the FIPS 199 criteria to rate the potential impact of a loss of confidentiality, integrity, and availability and so determine sensitivity as High, Moderate, or Low (in FIPS 199 terms, the system’s security categorization).

Section 4 cont’d: Effective Integration Procurement Life Cycle Phase 2 Acquisition Planning PROCUREMENT CYCLE ACTIVITIES: Acquisition Planning results in a Requirements Analysis, an in-depth study of the need and the starting point for the Statement of Work (SOW). Other activities in this phase include:
- Considering market research and socioeconomic programs
- Acquisition planning in accordance with FAR Part 7
- Funding the requirement: the project team is responsible for funding the requirement by completing a Capital Asset Plan as required by OMB Circular A-11, Section 300. The Capital Asset Plan and a Business Case may also have to be presented to the ITRB when requested.

Section 4 cont’d: Effective Integration Procurement Life Cycle Phase 2 Acquisition Planning SECURITY CONSIDERATIONS: Security considerations include:
- Integrity, Availability, and Confidentiality Analysis
- Sensitivity Assessment Update
- Level of Assurance Analysis
- Risk Assessment Preparation
- For IT systems or major applications, development of the Security Plan
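The preliminary sensitivity assessment in Phase 1 and the confidentiality, integrity and availability analysis and sensitivity assessment update in Phase 2 both rest on the FIPS 199 aggregation rule: each information type is rated Low, Moderate or High per security objective, the system takes the highest rating per objective across all of its information types (the high-water mark), and the single High/Moderate/Low rating the course calls "sensitivity" is the highest of the three objectives. The following Python is an added worked example, not part of the course material; the information types, their impact levels and the system name are constructed sample data, and only the impact scale and the aggregation rules come from FIPS 199 and FIPS 200.

```python
"""FIPS 199 security categorization by the high-water mark (added example).

The information types below are constructed sample data for a hypothetical
contractor-operated system; they do not come from the course slides.
"""
from typing import Dict, List, Tuple

# FIPS 199 impact scale, ordered. "NA" (not applicable) may be assigned only
# to the confidentiality objective, and only for information that is public.
IMPACT_RANK: Dict[str, int] = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES: Tuple[str, ...] = ("confidentiality", "integrity", "availability")

# Constructed sample: (information type, confidentiality, integrity, availability)
SAMPLE_INFORMATION_TYPES: List[Tuple[str, str, str, str]] = [
    ("public web content",        "NA",       "MODERATE", "LOW"),
    ("contractor personnel data", "MODERATE", "MODERATE", "LOW"),
    ("contract payment records",  "MODERATE", "HIGH",     "MODERATE"),
]


def validate_entry(entry: Tuple[str, str, str, str]) -> None:
    """Reject unknown impact levels and NA on anything but confidentiality."""
    name, *levels = entry
    if len(levels) != 3:
        raise ValueError(f"{name!r}: expected three impact levels, got {len(levels)}")
    for objective, level in zip(OBJECTIVES, levels):
        if level not in IMPACT_RANK:
            raise ValueError(f"{name!r}: unknown impact level {level!r} for {objective}")
        if level == "NA" and objective != "confidentiality":
            raise ValueError(f"{name!r}: NA is permitted only for confidentiality")


def categorize_information_type(entry: Tuple[str, str, str, str]) -> Dict[str, str]:
    """Security category of a single information type: its own C/I/A levels."""
    validate_entry(entry)
    return dict(zip(OBJECTIVES, entry[1:]))


def categorize_system(information_types: List[Tuple[str, str, str, str]]) -> Dict[str, str]:
    """FIPS 199 system categorization: per objective, the highest impact level
    found across all information types on the system (high-water mark).

    A system can never be rated NA for an objective: FIPS 199 sets a LOW floor
    (low-water mark) because the system's own processing functions and
    control information always need some protection, even if every
    information type it holds is public.
    """
    if not information_types:
        raise ValueError("a system must carry at least one information type")
    system: Dict[str, str] = {objective: "LOW" for objective in OBJECTIVES}
    for entry in information_types:
        for objective, level in categorize_information_type(entry).items():
            if IMPACT_RANK[level] > IMPACT_RANK[system[objective]]:
                system[objective] = level
    return system


def overall_impact_level(system_category: Dict[str, str]) -> str:
    """Single High/Moderate/Low rating for the system: the highest of the three
    objectives, which is the high-water mark FIPS 200 uses to pick the
    security control baseline."""
    return max(system_category.values(), key=IMPACT_RANK.__getitem__)


def format_security_category(label: str, category: Dict[str, str]) -> str:
    """Render in FIPS 199 notation: SC label = {(confidentiality, L), ...}."""
    body = ", ".join(f"({objective}, {category[objective]})" for objective in OBJECTIVES)
    return f"SC {label} = {{{body}}}"


if __name__ == "__main__":
    for entry in SAMPLE_INFORMATION_TYPES:
        print(format_security_category(entry[0], categorize_information_type(entry)))
    system = categorize_system(SAMPLE_INFORMATION_TYPES)
    print(format_security_category("contractor system", system))
    print("overall impact level:", overall_impact_level(system))
```

Run as a script, the sample yields a system categorized MODERATE for confidentiality, HIGH for integrity and MODERATE for availability, so the overall rating carried into the Security Plan and the solicitation is HIGH even though no single information type is HIGH on more than one objective. Adding an information type, or raising one of its ratings during the Phase 2 sensitivity assessment update, can only raise the system rating, never lower it, which is why the preliminary assessment should list every information type the contractor will handle.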

Section 4 cont’d: Effective Integration Procurement Life Cycle Phase 3 Acquisition PROCUREMENT CYCLE ACTIVITIES: This phase includes the development and issuance of the solicitation and the receipt and evaluation of offers or quotations. All considerations surrounding the acquisition of the product or service must be addressed in this phase: the Statement of Work; how it will be acquired (Source Selection Plan); how it will be evaluated, tested, and accepted (offer or quotation evaluation plan); and how the contract will be administered.

Section 4 cont’d: Effective Integration Procurement Life Cycle Phase 3 Acquisition SECURITY CONSIDERATIONS:
- Develop security requirements for inclusion in the Statement of Work
- Assignment of contract security risk
- Establish personnel security requirements
- Establish security evaluation and acceptance criteria for offers or quotations, and conduct the security evaluation of offers or quotations
- Security review of the solicitation
- Obtain security classification guidance from the Program Manager
- Ensure contractor IT security awareness training

Section 4 cont’d: Effective Integration Procurement Life Cycle Phase 4 Contract Performance PROCUREMENT CYCLE ACTIVITIES: This phase involves contractor monitoring. The Contracting Officer’s Representative (COR) may require IT security expertise to assist in reviewing contract performance measurement documentation, inspecting IT security deliverables, or evaluating contract modifications.

Section 4 cont’d: Effective Integration Procurement Life Cycle Phase 4 Contract Performance SECURITY CONSIDERATIONS: IT security must be considered when:
- Inspecting and accepting deliverables
- Monitoring performance measures
- Reviewing contractor compliance with the contract’s IT security requirements
- Updating the Risk Assessment
Annual reviews of all systems and contracted IT facilities are required by DOC policy and FISMA, in accordance with the NIST Special Publication self-assessment guidance. The COR should participate in these reviews as well as monitor the contractor’s daily operation of the system.

Section 4 cont’d: Effective Integration Procurement Life Cycle Phase 5 Disposal and Contract Closeout PROCUREMENT CYCLE ACTIVITIES: This phase includes determining the following:
- Appropriateness of disposal
- Exchange and sale of property
- Transfer and/or donation of property
Contract closeout activities are also performed.

Module 2 Review Summary Procurement & IT System Life Cycles ALL 5 phases in the procurement life cycle must address IT security requirements.