INTEGRATED SECURITY SOLUTION FOR FISMA REPORTING

INTEGRATED SECURITY SOLUTION FOR FISMA REPORTING

Environmental Protection AgencyShared Service Center

Environmental Protection AgencyShared Service Center

Our VisionOur Vision

Help federal managers & and IT professionals understand

& successfully implement the federal risk management framework

so they can manage information and IT assets in accordance with

federal standards

2

Agenda/Presentation OverviewAgenda/Presentation Overview

SSC Goals

Role in the Risk Management Framework

ASSERT Capabilities

EPA’s SSC Process

Consortium Benefits

Implementation Timeframe

Pricing

Summary

3

Integrated Security Solution – Our Goals

Integrated Security Solution – Our Goals

Assist your information security program using proven, effective practices

Save time and resources spent on FISMA quarterly and annual reporting to OMB

Aid performance on the Annual Congressional Scorecard

4

EPA’s Integrated Security Solution

InformationSystem

800-60FIPS 200

800-53

800-30

800-18

800-64800-70

FIPS 200

800-37

800-53a

800-37

800-42

FIPS 200

FIPS 199

800-53a

5

ASSERTASSERT

Time to Talk About ASSERTTime to Talk About ASSERT

6

7

Secure Web Access

Portal for Ease of Use

System Categorization

System Inventory Management

Risk Identification

Control Tailoring

Continuous Monitoring: Implementation, Testing, and Remediation (POAM Tasks)

Management Oversight

FISMA Reporting Compliance

ASSERT CapabilitiesASSERT Capabilities

“Since 2004 SSA has used the ASSERT tool.  It has met all our expectations and more as the IG and

their contractor have also given it a ‘thumbs up.’ 

… We at SSA highly recommend the tool.” 

Bob Burch, FISMA Manager

Social Security Administration

8

ASSERT Secure Web Access ASSERT Secure Web Access

Customized with your logo and colors

Post news and announcements for users

Conforms with Moderate Baseline & FIPS 140-2 encryption

9

ASSERT Portal: Ease of UseASSERT Portal: Ease of Use

Perform key functions at the click of a button

See summary information

Access details via links

Focus on critical items

What you see is based on your job assignments

10

Walks users through a structured interview or supports expert mode

Helps users identify Business Areas, Lines of Business

Extensive links to help Button navigation

ASSERT System Categorization Business Orientation

ASSERT System Categorization Business Orientation

11

Low LowModerate

Coaching for decisions on confidentiality, integrity, and availability

Helps identify Other Factors and Special Factors affecting categorization

ASSERT System Categorization Guidance for Users

ASSERT System Categorization Guidance for Users

ASSERT Inventory ManagementASSERT Inventory Management12

Maintain FISMA or full Agency Inventory

Identify GSS/MA Relationships across Agency

12

ASSERT Risk Identification and Control Tailoring

ASSERT Risk Identification and Control Tailoring13

Scoping Risk values

Review status13

14

ASSERT Continuous Monitoring: Implementation

ASSERT Continuous Monitoring: Implementation

Base Control

Enhancements

Implementation documented & available for export to Security Plan

15

ASSERT Continuous Monitoring: Testing

ASSERT Continuous Monitoring: Testing

Show expected test step results and require documentation of variances

Document the test step result

Certify the test step result

Roll up to Control status

16

Tasks for remediating the control

ASSERT Continuous Monitoring: Remediation

ASSERT Continuous Monitoring: Remediation

17

ASSERT Management OversightASSERT Management Oversight

Real-time report data

Export to PDF or Excel or on-screen view

18

ASSERT Management OversightASSERT Management Oversight

Color coding and words

19

ASSERT FISMA Reporting Compliance

ASSERT FISMA Reporting Compliance

Expands to show totals by categorization level

20

ASSERT FISMA Reporting Compliance

ASSERT FISMA Reporting Compliance

21

ASSERT Technical SpecificationsASSERT Technical Specifications

ColdFusion MX7 front-end

Oracle 10g database

Accessed via the Web using FIPS 140-2 compliant encrypted connection (https://)

No mobile code or special ports

Scalable for number of organizational units, systems and users

A Solid Foundation in ASSERTA Solid Foundation in ASSERT

A stable, effective, full-featured tool

Secure web-based access to a centralized database

Complies with Moderate baseline controls

Full cycle of FISMA-mandated activities supported

Reporting capabilities

“The elements and phases of the ASSERT SPM appear not only to

comply with DITSCAP requirements, but they are much more

comprehensive and specify many more steps in the software

accreditation and implementation process for EPA. In addition, each

element of the ASSERT System has very specific QA requirements for

documentation and approval.”

Kevin Hull, December 2006Independent QA Auditor

22

EPA’s Shared Service Center:Customized Services

EPA’s Shared Service Center:Customized Services

23

Participation Level Items

Government – Off-the-Shelf (GOTS) Downloadable software

Consortium Membership Technology updates and refreshesMembership on the Configuration

Control Board

Readiness Review Implementation Requirements

Additional ServicesData conversion

Training & reportsOther Security related services

EPA’s Shared Service Center Offerings

EPA’s Shared Service Center Offerings

Implementation support

Software deployment

Ongoing management & operational support

Technical hosting options

Consortium membership

24

SSC Implementation SupportSSC Implementation Support

Evaluate current processes and security environment

Recommend implementation plan based on effective practices

If requested, provide CISO and staff with business and technical consulting

Help migrate existing data, tailor controls

Offer user training and help desk support

25

SSC Software DeploymentSSC Software Deployment

Flexibility through customization of…• Agency logo and preferred colors• Organizational structure• Standardized terms

Support for loading information• System-user information• Assessment and POAM history

Agency specific NIST-compliant policies to referenceAgency specific common controls, risk management

decisions

26

SSC Management & Operational Support

SSC Management & Operational Support

Sharing of best practices FISMA management and reporting services:

• Management and business process consultation• Analysis, such as policy alignment• Customized reports• Staff augmentation

Comprehensive user training• Relates software to business processes• Can qualify as specialized IT training

Help desk support

27

SSC Technical Hosting OptionsSSC Technical Hosting Options

EPA hosting service• Centralized database instance for each agency, with

segregation of data • System platforms, management and monitoring• Fully certified and accredited environments

Participant agency hosting• Provide own system platforms, management and

monitoring

28

ASSERT ConsortiumASSERT Consortium

Consortium Board sets vision and directs software evolution

Configuration Control Board oversees the ASSERT feature set

Members share best practices and leverage costs Reasonably priced to accommodate agencies of

all sizes

2006 membership: EPA, GSA, SSA, USDA

29

Consortium Members’ Security Grades:

2001-2005

Consortium Members’ Security Grades:

2001-2005Agency 2001 2002

2003

2004

2005

Environmental Protection Agency

D+ D-Founded

C B A+

General Services Administration

D D D C+Joined

A-

Social Security Administration

C+ B- B+ BJoined

A+

NOTE: USDA joined in 2006.

30

Consortium ProcessConsortium Process

Gather Requirements Analyze & DefineReview by

Consortium Board

Formalize Request Approval by CCB Develop & Deploy

Process repeats as necessary

31

EPA’s Integrated Security Solution:

Getting There

EPA’s Integrated Security Solution:

Getting There

Timeframe Activities

FY 2007 Evaluation of current processes and security environment

FY 2008 Migrate data, implement system, and train users

FY 2009 Improved security program

32

Cost: Sliding ScaleCost: Sliding Scale

33

Participation Level Year 1 Annual

GOTS None None

Consortium Membership

Mega Agency TBN* Large Agency $250,000 Mid-size Agency $150,000 Small Agency $ 50,000 Micro Agency Shared instance

Mega Agency TBN Large Agency $250,000 Mid-size Agency $150,000 Small Agency $ 50,000 Micro Agency TBN

ReadinessReview

Mega Agency TBN Large Agency $25,000 Mid-size Agency $25,000 Small Agency Included Micro Agency TBN

None

Additional Services Priced per request

* To Be Negotiated

SummaryEPA’s Integrated Security Solution

SummaryEPA’s Integrated Security Solution

A proven business model

Conformance to the federal risk management

framework

Proven, stable software solution since 2002

Services to support implementation and beyond

Consortium in operation since 2004

Consortium members got “A’s” on 2005

Congressional Scorecard

34

BenefitsBenefits

Conforms to the federal risk management framework and federal standards

Standardizes and integrates security practices with

business processes

Affordable for agencies of all sizes

Comprehensive solution:• Services for implementation plus ongoing management

and operations support

• ASSERT software

35

Benefits (continued)Benefits (continued)

Well-integrated with OMB regulations and NIST

methodology for continuous monitoring of controls

Active consortium of government agencies

• Direct the system vision and development

• Reduce costs through shared resources

• Sets software feature direction

36

Summary: This ApproachSummary: This Approach

Standardizes and integrates security practices with business

processes…

…with the help of an agency that has been there before.

Standardizes and integrates security practices with business

processes…

…with the help of an agency that has been there before.

37

EPA Open HouseEPA Open House

Consortium Open House, April 5 from 9 am to 3 pm

At EPA East, 12th & Constitution, Rooms 1117A & B

Come for panel discussions, Q&A, and demos

38

For more information, please contact:

Marian Cody, CISOU.S. EPA202-566-0302cody.marian@epa.gov

Bernice BealleU.S. EPA202-566-0716bealle.bernice@epa.gov

Don HuddlestonU.S. EPA202-566-1462huddleston.don@epa.gov

FISMA Reporting Solution

39