1. US Department of State Jay Coplon

2. My Commitment You will get a sense for how we do C&A You will find value in being here All of your questions will be answered

3. Key Points Quantitative Metrics Toolkits, Tools and Templates Continuous Monitoring Questions and Answers

4. Decision Memo Authorization to Operate When the Control Limits have not been exceeded.

5. Decision Memo Authorization to Operate When the Control Limits have been exceeded.

6. Risk Score in iPost

7. Fully Reporting in iPost System Owner will maintain a high level of hosts fully reporting (to iPost) within the accreditation boundary. Fully means current reporting on hardware, software, patch, vulnerability, and compliance

8. Low or No Medium Traditional Risk The System Owner will maintain a level or state of low or no Medium business risk as determined by traditional C&A.

9. Notification of Change Metrics Exceeding the Specification Limits Exceeding the Control Limits

10. C&A – How we communicate with our customers. SharePoint Website  Policy, Procedure, Standard Document Center  Organized by categories Alert Notifications  Page and/or Document Workshops  Tools

11. SharePoint

15. Get Ready Get Set STOP! Exceed any specification limit Readiness to Start C&A Checklist

16. FIPS 199 and OMB M-04-04 Categorize your System Determine the Assurance Level

17. Control Selection Tool Identify which controls have been implemented How each control has been implemented C&A and Annual Security Control Assessments Manage controls over the systems lifecycle

18. POA&M Tester Database Tool Linked to the system FIPS 199 categorization Import Open Findings from previous assessments Finding and Recommended remediation Failed Controls are identified Standardizes the risk is calculated for each finding Risk Scoping

19. iPost Continuous Monitoring

20. IPost Continuous Monitoring

21. Questions and Answers