The FISMA Secret, October 29, 2009

Presentation transcript:

The FISMA Secret October 29, 2009

Of the $6.2* billion that the Federal government spent on cyber defense in 2008, it spent some $1.31 billion on FISMA Certification and Accreditation (C&A) paperwork.

FISMA System Category   Population of FISMA Systems   Cost Associated with Executing FISMA C&A   Total FISMA C&A Cost
High                    1,143                         $193,205                                   $220,833,315
Moderate                3,924                         $167,643                                   $657,831,132
Low                     4,507                         $74,057                                    $333,774,899
Not Categorized         683                           $144,968**                                 $99,013,144
TOTAL                   10,257                                                                   $1,311,452,490

* Source: OMB's Fiscal Year 2008 Report to Congress on Implementation of the Federal Information Security Management Act of 2002.
** Average across the three FISMA system categories' C&A costs, applied to the population of "not categorized" systems to monetize the dangling element.

Is the cost of FISMA in line with its value?

CISOs say (survey split: 27% / 73%)*:

"There is no correlation between money spent to meet FISMA compliance and improvements in an agency's security posture."

"While FISMA has provided us great insight into system vulnerabilities, there is little money left over to actually fix anything."

* Study based on a survey of 11 Federal CISOs, which is approximately 10 percent of the population of Federal CISOs.

Could we reinvest these funds in a proactive versus paper approach to better secure America?

CISOs say (survey split: 91% / 9%)*:

"Yes. Using a risk management approach, which means assessing risk and applying the majority of funding to mitigate against those risks that can 'hurt' the most."

"Many of the same vulnerabilities appear in multiple systems/applications. A more proactive approach would be to reinvest these funds in enterprise-wide solutions as opposed to a system-by-system approach."

* Study based on a survey of 11 Federal CISOs, which is approximately 10 percent of the population of Federal CISOs.

Federal CISOs: What do you recommend?

"Take a more risk-based approach that looks at what the actual vulnerabilities/threats are that exist and use the money to address these specifically, rather than produce volumes of documentation of test results that don't necessarily help us improve our security. FISMA should spend more time making sure the activities in question are actually being performed, as opposed to just confirming that the paperwork exists."

"We need to move away from paperwork and toward actual demonstration of security. We always joke that FISMA compliance is nothing but a stack of paperwork."

"We need to figure out a better way to relate investment to security, which we're not currently doing. We're analyzing compliance, not risk, which is not the right path."

"Use a risk management approach to security, investing in innovation and technologies that mitigate what we know about future attack vectors."

Thank You
Steve O'Keeffe, (703) ext. 111