NIH Security, FISMA and EPLC Lots of Updates! Where do we start? Kay Coupe NIH FISMA Program Coordinator Office of the Chief Information Officer Project.

Slides:

Advertisements

Similar presentations

Jump to first page NIST Risk Management Guide for Information Technology Systems Reference:

Advertisements

Enterprise Performance Life Cycle (EPLC) Stage Gate Reviews

SHIFTING INFORMATION SECURITY LANDSCAPE FROM C&AS TO CONTINUOUS MONITORING ANDREW PATCHAN JD, CISA ASSOCIATE IG FOR IT, FRB LOUIS C. KING, CPA, CISA, CMA,

Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 4: Effective Integration.

Nick Vennaro, NHIN Team (Contractor), Office of the National Coordinator for Health IT Michael Torppey, CONNECT Health IT Security Specialist (Contractor)

Federal Risk and Authorization Management Program (FedRAMP) Lisa Carnahan, Computer Scientist National Institute of Standards & Technology Standards Coordination.

Enterprise Continuous Monitoring Program Training Date.

DoD Information Assurance Certification and Accreditation Process (DIACAP) August 2011.

4/29/2009Michael J. Cohen1 Practical DIACAP Implementation CS526 Research Project by Michael J. Cohen 4/29/2009.

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

Presented By: Thelma Ameyaw Security Management TEL2813 4/18/2008Thelma Ameyaw TEL2813.

National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.

NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.

Overarching Roles of Critical Partners In A Project 9:30 – 10:00 Rob Curlee, FMO Joseph Dominque, OCISO Mike Perry, EA.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Adjusting EPLC to your Project Colleen Robinson & Teresa Kinley Friday, February 6, 2009.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

Helen Schmitz Update on EA July 13, 2011 NIH Enterprise Information Technology Architecture Contact:

Risk Management Framework

EPLC Deliverables Sherry Brown-Scoggins & Wanda Hall

Complying With The Federal Information Security Act (FISMA)

An overview of the NIST Risk Management Framework ISA 652 Fall 2010

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information Security Standards Promoting Trust, Transparency, and Due Diligence E-Gov Washington Workshop.

N-Wave Shareholders Meeting May 23, 2012 N-Wave Security Update Lisa

NIST Special Publication Revision 1

Roles and Responsibilities

Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.

NMS Certification and Accreditation (C&A) Removal of Material Weakness for NMS Security and Access Controls Jim Craft USAID ISSO.

Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Integrated Enterprise-wide Risk Management Protecting Critical Information Assets and Records FIRM Forum.

April 14, A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National.

Effectively Integrating Information Security into the Enterprise Performance Life Cycle (EPLC) Daniel Sands, NIH Chief Information Security Officer April.

Security is not just… 1 A Compliance Exercise Certification and Accreditation FISMA.

Disaster Recover Planning & Federal Information Systems Management Act Requirements December 2007 Central Maryland ISACA Chapter.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Managing Risk in New Computing Paradigms Applying FISMA Standards and Guidelines to Cloud Computing Workshop.

1 © Material United States Department of the Interior Federal Information Security Management Act (FISMA) April 2008 Larry Ruffin & Joe Seger.

Understanding the Privacy Impact Assessment (PIA) Introduction The PIA is a checklist or tool to ensure that new or modified electronic collections of.

Project Kick-off Meeting Presented By: > > > > Office of the Chief Information Officer.

Federal Information Security Management Act (FISMA) By K. Brenner OCIO Internship Summer 2013.

University of Maryland University College (UMUC) 3/11/2004 POA&M and FISMA What does it really mean? FISSEA Annual Conference.

The Direction of Information Security and Privacy in State Government Presented by Colleen Pedroza Chief Information Security Officer California State.

Information Security IBK3IBV01 College 3 Paul J. Cornelisse.

Project Management Center of Excellence June 13, 2012 Project Management Community Meeting.

Evaluate Phase Pertemuan Matakuliah: A0774/Information Technology Capital Budgeting Tahun: 2009.

Project Management Community Meeting Project Management Center of Excellence July 13, 2011.

Project Management Center of Excellence Project Management Community Meeting May 13, 2009.

New Paradigms for Capital Planning in IT Security Sandy Washington Federal Railroad Administration July 22, 2008.

OFFICE OF VA ENTERPRISE ARCHITECTURE VA EA Cybersecurity Content Line of Sight Report April 29, 2016.

Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.

Computer Science / Risk Management and Risk Assessment Nathan Singleton.

© ITT Educational Services, Inc. All rights reserved. IS4680 Security Auditing for Compliance Unit 1 Information Security Compliance.

The Risk Management Framework (RMF)

Agency ATO Quick Guide September 21, 2015

Agenda FISMA – an introduction Roles and Responsibilities

Computer Security Division Information Technology Laboratory

JU September Stakeholder Engagement Conference Webinar #1

Introduction to the Federal Defense Acquisition Regulation

The Open Group Architecture Framework (TOGAF)

Matthew Christian Dave Maddox Tim Toennies

IT RISK MANAGEMENT ITS All Staff Meeting Jason Pufahl, CISO

PRELIMINARY DESIGN Stage Gate Reviews

NCHER Knowledge Symposium Federal Contractor/TPS Session

Purchasing & IT Security Originally Presented at Fall ACCBO

Capabilities Briefing

MANAGEMENT of INFORMATION SECURITY, Fifth Edition

CMGT/431 INFORMATION SYSTEMS SECURITY The Latest Version // uopcourse.com

CMGT 431 CMGT431 cmgt 431 cmgt431 Entire Course // uopstudy.com

Presentation transcript:

NIH Security, FISMA and EPLC Lots of Updates! Where do we start? Kay Coupe NIH FISMA Program Coordinator Office of the Chief Information Officer Project Management Community Meeting October 18, 2011 “ OCIO - Enabling the NIH Research Mission”

.

NIST Updates Updated Special Publications (SP) : Information Security Continuous Monitoring for Federal Information Systems and Organizations (Sept 2011) : Guide for Security-Focused Configuration Management of Information Systems (Aug 2011) Appendix J: Draft Privacy Control Catalog (July 2011) : Managing Information Security Risk: Organization, Mission and Information System View (Mar 2011) : Draft Guide for Conducting Risk Assessments (Sept 2011) , Rev 1: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (Feb 2010) “ OCIO - Enabling the NIH Research Mission”

New Terms Certification & Accreditation (C&A) is now: System Authorization Designated Authorizing Authority (DAA) is now: Authorizing Official (AO) Project Categorization is now: System Categorization System Certification is now: Security Control Assessment System Re-certification/Re-Accreditation is now: System Re-Authorization “ OCIO - Enabling the NIH Research Mission”

New (and old) Emphasis Risk Management – more involvement by the system owner and project manager Continuous Monitoring – new approaches and tools coming “Continuous Authorization to Operate” – More to come from HHS on this new concept Cloud Computing – new contract language POAMs and validation of mitigation – tracked in NIH Certification & Accreditation Tool (NCAT) Remote Access and 2-factor authentication of moderate and high impact systems – ensure it is built into new systems “ OCIO - Enabling the NIH Research Mission”

Acronyms FISMA – Federal Information System Management Act NCAT – NIH Certification & Accreditation Tool NEAR - NIH Enterprise Architecture Repository HEAR - HHS Enterprise Architecture Repository SPORT – HHS Security and Privacy Online Reporting Tool POAM – Plan of Action and Milestones PMT – Portfolio Management Tool (for Capital Planning [CPIC]) ISSO – Information System Security Officer CISO - NIH Chief Information Security Officer CIO – Chief Information Officer ISAO – Information Security and Awareness Office NIH Master Glossary of IT Security Terms: “ OCIO - Enabling the NIH Research Mission”

New Changes Coming (Things to watch for) All systems must be input into NEAR and NCAT in order to be listed in HEAR – Once systems are in HEAR, SPORT will be populated so PIAs can be started – Coordination done through the NCAT team Coordinate with your ISSO and Privacy Coordinator New Privacy Controls will be part of SP POAM updates will be sent to HHS every two weeks Alignment of HEAR/NEAR/SPORT/PMT and new HHS Data Warehouse “ OCIO - Enabling the NIH Research Mission”

Changes to Security Approach and Deliverables Per EPLC 1.4 (Phased in over time) Privacy Impact Assessment (PIA) – Preliminary done in Concept Phase per EPLC 1.4 – Final PIA must be done in coordination with the Implementation Phase – Work with your IC Privacy Coordinator and ISSO Security Approach – Removed based on new SP methodology – : Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach “ OCIO - Enabling the NIH Research Mission”

Changes to Security Approach and Deliverables Per EPLC 1.4 (Phased in over time) Interconnection Security Agreement (ISA) – Could be part of a Computer Match Agreement (CMA) – Does not take the place of a CMA – NIH has ISA template More to come on CMAs and ISAs New Security templates in NCAT coming soon “ OCIO - Enabling the NIH Research Mission”

Other Changes to the EPLC Rev 1.4 Related to Security Project Manager responsibilities regarding POAMs updated – Work with your ISSO and NCAT representative – Validation of mitigation is very important (audit issue) – Ongoing process – Various sources for weakness identification (vulnerability scans, Security Control Assessments, continuous monitoring, audits, etc.) – New HHS reporting process coming POAM information will be sent to HHS every two weeks starting in 2012 “ OCIO - Enabling the NIH Research Mission”

Other Changes to the EPLC Rev 1.4 Related to Security An Authority to Operate may be granted for a period of time to be determined by the Authorizing Official (AO) in compliance with HHS policies (not just three year periods – more to come) Ensure that all high impact risks are documented and mitigated prior to entering the implementation phase Flexibility and tailoring regarding security control implementation is permitted Compensating controls can be utilized, but must be documented and accepted If waivers are required, submit them in a timely manner to the NIH CISO (via your ISSO) “ OCIO - Enabling the NIH Research Mission”

Security Critical Partners – What we look for Comprehensive indication that security risks and compliance are being included and evaluated. Some examples include: – Access control & segregation of duties implemented – Configuration standards documented, followed and tested – Privacy evaluated – Security Authorization costs included in budget – Accurate and thorough design documentation included – ISSO involvement – Vulnerability scans/penetration tests performed and issues mitigated – Security Plan accurate and up-to-date – Contingency Plans tested – POAMs documented, tracked and mitigated in timely manner – Residual Risk mitigated or accepted by appropriate authority New program coming CIO/CISO acceptance of risk may be needed for NIH HIGH RISKS “ OCIO - Enabling the NIH Research Mission”

Remember…. Security should be built-in during system concept and design phases, not added on at the end A good design document is worth its weight in gold Reach out to your IC ISSO, the NIH Privacy Office and ISAO if you have questions (we really are here to help) New programs and processes are being developed to assist you and your input is very important Security needs to be implemented and monitored on a continuous basis The “bad guys” don’t take vacations…………..;-) “ OCIO - Enabling the NIH Research Mission”

Reference Links NIST Special Publications NCAT Support Team Office of the Senior Official for Privacy OCIO Security Website “ OCIO - Enabling the NIH Research Mission”

Contact Info Kathleen (Kay) Coupe NIH FISMA Program Coordinator Information Security and Awareness Office Office of the Chief Information Officer Room 3G12 Fernwood Building “ OCIO - Enabling the NIH Research Mission”