NCHER Knowledge Symposium Federal Contractor/TPS Session
Information Security & Risk Management: ATO & FISMA Compliance 2017
Presented by Mike Figgins, CIO/CTO, November 2, 2017
Overview
  Cybercrime
  Authorization to Operate (ATO)
  U.S. Department of Education Minimum Compliance Standards
  NIST Minimum Security Controls
  NIST Privacy Controls
  U.S. Department of Education ISSO Deliverables
  Typical ATO Timeline
  Plan of Action and Milestones (POA&M)
  Embarking on ATO for the First Time
Cybercrime – The New Reality
“Cyber criminals revealed new levels of ambition in 2016 – a year marked by extraordinary attacks, including multi-million dollar virtual bank heists and overt attempts to disrupt the U.S. electoral process by state-sponsored groups. New sophistication and innovation marked seismic shifts in the focus of attacks. Zero-day vulnerabilities and sophisticated malware were used less as nation states devolved from espionage to straight sabotage. Meanwhile, cyber criminals caused unprecedented levels of disruption with relatively simple IT tools and cloud services.” (Internet Security Threat Report, Symantec)
Authorization To Operate (ATO)
  A Federal Contractor or Third Party Servicer is required to go through an arduous Information Technology security assessment, according to federally mandated security and risk-management controls, before receiving an ATO
  After contract award, Dept. of Ed will assign an Information Systems Security Analyst to oversee the ATO process
  Contractor / TPS is required to select a third party independent assessor, approved by the Department of Education, to complete the assessment
  After completing the assessment, Dept. of Ed can authorize the system for use, i.e. grant an Authorization to Operate (ATO)
  Maintain an effective security program that assures continual compliance
  Expect requirements to change
U.S. Department of Education – Minimum Compliance Standards
  Federal Information Security Management Act (FISMA)
  Minimum Security Requirements for Federal Information and Information Systems – FIPS 200
  Standards for Security Categorization of Federal Information and Information Systems (FIPS Assessment); NIST 199 – Security Categorization
  NIST Special Publication – Catalog of security controls for all U.S. federal information systems
  FIPS Security Requirements for Cryptographic Modules
  FedRAMP – Federal Risk and Authorization Management Program (“Cloud Services”)
  Quarterly FISMA Metrics Report
  Payment Card Industry Data Security Standard (PCI DSS)
  Statement on Standards for Attestation Engagements No. 18 (SSAE 18 SOC1)
NIST 800-53 Minimum Security Controls
214 Specific Controls Outlined, grouped into the following control families:
  Access Control
  Awareness and Training
  Audit and Accountability
  Security Assessment and Authorization
  Configuration Management
  Contingency Planning
  Identification and Authentication
  Incident Response
  Maintenance
  Media Protection
  Physical and Environmental Protection
  Planning
  Program Management
  Personnel Security
  Risk Assessment
  System and Services Acquisition
  System and Communications Protection
  System and Information Integrity
NIST 800-53 Privacy Controls
26 Specific Controls Outlined – “Principle of Least Privilege”
  Authority and Purpose
  Accountability, Audit and Risk Management
  Data Quality and Integrity
  Data Minimization and Retention
  Individual Participation and Redress
  Security
  Transparency
  Use Limitation
U.S. Department of Education – ISSO Deliverables
  Risk Assessment
  Cyber Security Role Based Training Program
  Boundary Document
  System Security Plan
  Vendor Management Review
  Configuration Management Plan
  Comprehensive System Event and Access Log Management
  Contingency Plan
  Incident Response Plan
  Configuration Management Scans – Policy Compliance
  Disaster Recovery Plan
  Vulnerability Scans
Typical ATO Timeline – (6-8 mo.)
(Timeline diagram, flattened; milestones shown in order: Phase 1 Kick Off, Review, Phase 2 Kick Off, Phase 2, Approval)

Phase 1 Kick Off
  Select Assessor
  System Boundary
  Data Sensitivity Worksheet
  Business Impact Assessment
  Contingency Plan
  Disaster Recovery Plan
  Configuration Plan
  System Security Plan
  Incident Response Plan
Review
  U.S. Department of Education Reviews and Approves
Phase 2 Kick Off
  Assessor: POA&M Process
  Assessor: Assessment Plan
  Assessor: Rules of Engagement
  Assessment Kick Off
Phase 2
  Conduct Assessment
  Remediate Findings
  Create POA&Ms
Approval
  ATO Package and Brief
  FSA injects POA&M into CSAM
  FSA and ED Officials Review ATO Package
  FSA and ED Authorized Officials Sign ATO Decision
Ongoing Monitoring & Compliance
What is a POA&M?
  A Plan of Action and Milestones (POA&M) is a management tool for tracking the mitigation of system security program findings and weaknesses.
Where do POA&Ms come from?
  External findings (e.g., Dept. of Education, Treasury, etc.)
  Internal findings (e.g., in-house self-assessments, PEN & security scans, etc.)
  Audit findings (certification tests, etc.)
Vulnerability scan findings must be remediated
POA&Ms are updated and submitted quarterly
Embarking on ATO for the First Time?
Recommendations
  Involve a trusted partner who has successfully secured an ATO previously
  Select a third party assessor that understands your situation and fits your culture – interview several
  Be ready for changes
  Manage scope or system boundary carefully
  Have strict policies – lock down group and device policies
  Be vigilant – stay on top of vulnerabilities and remediate immediately
  Be committed! Not just during the ATO process but for the long term!

“There is an urgent need to further strengthen the underlying information systems, component products, and services that we depend on in every sector of the critical infrastructure – ensuring those systems, components, and servers are sufficiently trustworthy and provide the necessary resilience to support the economic and national security interests of the United States.” (NIST Revision 5, draft)
Thank You! Questions? We’d love to help.