FISMA 2.0: A CISO Perspective
Marian Cody, CISO, EPA
Richard Prentiss, CISO, OTS/Treasury
Pat Howard, CISO, NRC
INTRODUCTION
FISMA 1.0: focus on compliance rather than proven security measures.
"FISMA 2.0": Senate Bill S. 3474, sponsored by Senator Tom Carper
Approved by the Senate Homeland Security and Governmental Affairs Committee in September
Purpose: strengthen federal IT security
SIGNIFICANT CHANGES
Annual independent audits rather than evaluations
Increased responsibility for the CISO
Requirement for operational evaluations by DHS
Establishment of a CISO Council
Requirement for standard, government-wide contract language
Annual DHS reports to Congress
ANNUAL INDEPENDENT AUDIT REQUIREMENT
Changes in auditing standards
Changes in scope to include audit of a subset of both government-owned and contractor-owned IT systems
Audit report must include an overall conclusion about the effectiveness of security controls
CISO RESPONSIBILITIES
Appointment by the agency head
Separation of duties between CIO and CISO mandated
Quarterly submission of "security architecture framework documentation" to US-CERT
CISO directly responsible for the security programs of subordinate organizations
Responsible for creating an IT security performance measurement system
Authority to disconnect agency IT systems
CISO granted enforcement authority
OPERATIONAL EVALUATIONS
To be conducted at least annually by DHS
Agencies to establish security controls testing protocols
Findings to be reported to the agency head, CIO, and CISO
CISO to respond to results with a corrective action plan to the agency head and CIO within 30 days
CISO COUNCIL
Purpose is to establish best practices and recommendations for operational evaluations
Promote the development and use of standard performance metrics
Recommend CISO qualifications
CONTRACT LANGUAGE
OMB to publish standard security contract language in coordination with NIST
Include standard terms for: security of systems; collection and transmission of information; incident response procedures
COTS products must comply with security requirements
ANNUAL DHS REPORT TO CONGRESS
DHS to report on the results of operational evaluations and testing protocols
Provide detailed information on each agency evaluation, including results and pending corrective actions
Describe the effectiveness of testing protocols
Describe the information security posture of the federal government
SIGNIFICANT CHANGES (SUMMARY)
Annual audits rather than evaluations
Increased responsibility for the CISO
Requirement for operational evaluations by DHS
Establishment of a CISO Council
Requirement for standard, government-wide contract language
DHS annual report to Congress
QUESTIONS?