INTEGRATED SECURITY SOLUTION FOR FISMA REPORTING
Environmental Protection Agency Shared Service Center

Transcript of INTEGRATED SECURITY SOLUTION FOR FISMA REPORTING Environmental Protection Agency Shared Service Center (39 pages)

Page 1: INTEGRATED SECURITY SOLUTION FOR FISMA REPORTING Environmental Protection Agency Shared Service Center.

INTEGRATED SECURITY SOLUTION FOR FISMA REPORTING

Environmental Protection Agency Shared Service Center

Page 2:

Our Vision

Help federal managers and IT professionals understand and successfully implement the federal risk management framework so they can manage information and IT assets in accordance with federal standards


Page 3:

Agenda / Presentation Overview

SSC Goals

Role in the Risk Management Framework

ASSERT Capabilities

EPA’s SSC Process

Consortium Benefits

Implementation Timeframe

Pricing

Summary


Page 4:

Integrated Security Solution – Our Goals

Assist your information security program using proven, effective practices

Save time and resources spent on FISMA quarterly and annual reporting to OMB

Aid performance on the Annual Congressional Scorecard


Page 5:

EPA’s Integrated Security Solution

[Diagram: the Information System at the center, surrounded by the federal standards and NIST guidance that drive each step of the risk management framework: FIPS 199 and SP 800-60 (categorization), FIPS 200 and SP 800-53 (minimum security requirements and control selection), SP 800-18 (system security plan), SP 800-30 (risk assessment), SP 800-64 and SP 800-70 (security in the development life cycle and configuration checklists), SP 800-37 (certification and accreditation), SP 800-53A and SP 800-42 (control assessment and security testing). The diagram is labeled ASSERT.]

Page 6:

Time to Talk About ASSERT


Page 7:

ASSERT Capabilities

Secure Web Access

Portal for Ease of Use

System Categorization

System Inventory Management

Risk Identification

Control Tailoring

Continuous Monitoring: Implementation, Testing, and Remediation (POA&M Tasks)

Management Oversight

FISMA Reporting Compliance

“Since 2004 SSA has used the ASSERT tool. It has met all our expectations and more as the IG and their contractor have also given it a ‘thumbs up.’ … We at SSA highly recommend the tool.”

Bob Burch, FISMA Manager, Social Security Administration

Page 8:


ASSERT Secure Web Access

Customized with your logo and colors

Post news and announcements for users

Conforms with the Moderate baseline and uses FIPS 140-2 compliant encryption

Page 9:


ASSERT Portal: Ease of Use

Perform key functions at the click of a button

See summary information

Access details via links

Focus on critical items

What you see is based on your job assignments

Page 10:

ASSERT System Categorization: Business Orientation

Walks users through a structured interview or supports expert mode

Helps users identify Business Areas and Lines of Business

Extensive links to help

Button navigation

Page 11:

ASSERT System Categorization: Guidance for Users

[Screenshot: categorization screen showing impact levels Low, Low and Moderate]

Coaching for decisions on confidentiality, integrity, and availability

Helps identify Other Factors and Special Factors affecting categorization
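The categorization decision the tool coaches users through is the FIPS 199 high-water-mark rule, and it is worth seeing spelled out. The following is an added example written for this transcript, not code from ASSERT or from EPA: it takes the information types a system handles, each rated Low / Moderate / High for confidentiality, integrity and availability in the style of NIST SP 800-60 (with N/A permitted for the confidentiality of public information), derives the provisional security category per objective, applies any "special factor" adjustments only when a reason is recorded, and returns the overall impact level that selects the FIPS 200 / SP 800-53 baseline. The information types, their ratings and the adjustment are constructed for illustration; the function and class names are this example's own.

```python
"""FIPS 199 security categorization with the high-water-mark rule.

Added example, not code from ASSERT or EPA. Information types and their
ratings below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence, Tuple

LEVELS = ("Low", "Moderate", "High")
OBJECTIVES = ("confidentiality", "integrity", "availability")
# N/A ranks below Low: an information type may carry no confidentiality
# impact (public data), but a system objective is never rated below Low.
RANK = {"N/A": -1, "Low": 0, "Moderate": 1, "High": 2}


@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str  # "N/A" allowed for this objective only
    integrity: str
    availability: str


@dataclass(frozen=True)
class Adjustment:
    """A special-factor change to one objective, with its justification."""
    objective: str
    level: str
    reason: str


def _check(level: str, objective: str) -> str:
    allowed = LEVELS + (("N/A",) if objective == "confidentiality" else ())
    if level not in allowed:
        raise ValueError(f"{objective}: level must be one of {allowed}, got {level!r}")
    return level


def high_water_mark(levels: Iterable[str]) -> str:
    """Highest level present; Low is the floor for a system objective."""
    top = max((RANK[lvl] for lvl in levels), default=RANK["Low"])
    return LEVELS[max(top, 0)]


def provisional_category(info_types: Sequence[InfoType]) -> Dict[str, str]:
    """Per-objective high-water mark over all information types."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    return {
        obj: high_water_mark(_check(getattr(t, obj), obj) for t in info_types)
        for obj in OBJECTIVES
    }


def categorize(info_types: Sequence[InfoType],
               adjustments: Sequence[Adjustment] = ()
               ) -> Tuple[Dict[str, str], str, List[str]]:
    """Return (security category, overall impact level, audit trail)."""
    category = provisional_category(info_types)
    trail: List[str] = []
    for adj in adjustments:
        if adj.objective not in OBJECTIVES:
            raise ValueError(f"unknown objective {adj.objective!r}")
        if adj.level not in LEVELS:
            raise ValueError(f"adjusted level must be one of {LEVELS}")
        if not adj.reason.strip():
            # A special-factor adjustment without a recorded reason is not
            # defensible to an assessor, so refuse it outright.
            raise ValueError(f"{adj.objective}: an adjustment must record its reason")
        before = category[adj.objective]
        category[adj.objective] = adj.level
        direction = "lowered" if RANK[adj.level] < RANK[before] else "raised"
        trail.append(f"{adj.objective} {direction} {before} -> {adj.level}: {adj.reason}")
    # Overall level is the high-water mark across the three objectives.
    overall = high_water_mark(category.values())
    return category, overall, trail


def security_category_string(category: Dict[str, str]) -> str:
    """FIPS 199 notation, e.g. SC = {(confidentiality, Low), ...}."""
    pairs = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return "SC = {" + pairs + "}"


# Constructed sample: a public-facing air-quality site.
SAMPLE_TYPES = [
    InfoType("Public web content", "N/A", "Low", "Low"),
    InfoType("Air quality monitoring feed", "Low", "Low", "Moderate"),
]

if __name__ == "__main__":
    cat, overall, trail = categorize(SAMPLE_TYPES)
    print(security_category_string(cat), "-> overall", overall)
    cat, overall, trail = categorize(
        SAMPLE_TYPES,
        [Adjustment("integrity", "Moderate", "feed values trigger public health alerts")])
    print(security_category_string(cat), "-> overall", overall)
    for line in trail:
        print(" ", line)
```

The trail returned by `categorize` is the part an assessor actually asks for: a downward adjustment with no written reason is the classic finding, so the example refuses to apply one rather than silently recording it.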

Page 12:

ASSERT Inventory Management

Maintain the FISMA inventory or the full Agency inventory

Identify General Support System (GSS) / Major Application (MA) relationships across the Agency


Page 13:

ASSERT Risk Identification and Control Tailoring

[Screenshot: tailoring screen labeled Scoping, Risk values, Review status]

Page 14:


ASSERT Continuous Monitoring: Implementation

Base Control

Enhancements

Implementation documented and available for export to the System Security Plan

Page 15:


ASSERT Continuous Monitoring: Testing

Show expected test step results and require documentation of variances

Document the test step result

Certify the test step result

Roll up to Control status
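The four steps above (show the expected result, document the actual result with any variance, certify it, roll up) form a small workflow with a few edge cases that matter for FISMA reporting: a failed step with no recorded variance, or a step nobody has certified, must not be allowed to roll up into a "satisfied" control. The following is an added example for this transcript, not ASSERT code, and its roll-up rule is this example's assumption rather than a description of how ASSERT decides status: a control is Satisfied only when every step is certified and passed; any certified failure makes it Other Than Satisfied and yields a remediation task; an undocumented, uncertified, or failed-without-variance step leaves the control Pending. The control and test-step data are constructed, and the class and function names are this example's own.

```python
"""Rolling test-step results up to a control status.

Added example, not ASSERT code. The roll-up rule and the sample steps
below are this example's assumptions, constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Sequence, Tuple


class Status(str, Enum):
    SATISFIED = "Satisfied"
    OTHER_THAN_SATISFIED = "Other Than Satisfied"
    PENDING = "Pending"


@dataclass(frozen=True)
class TestStep:
    step_id: str
    expected: str
    actual: Optional[str] = None   # None until the tester documents it
    passed: Optional[bool] = None  # None until the tester records it
    variance: str = ""             # explanation required when passed is False
    certified: bool = False        # reviewer sign-off on the documented result


def step_problems(step: TestStep) -> List[str]:
    """Reasons this step cannot yet contribute to a roll-up (empty if none)."""
    problems = []
    if step.actual is None or step.passed is None:
        problems.append(f"{step.step_id}: result not documented")
    elif not step.passed and not step.variance.strip():
        problems.append(f"{step.step_id}: failed without a documented variance")
    if not step.certified:
        problems.append(f"{step.step_id}: result not certified")
    return problems


def roll_up(control_id: str, steps: Sequence[TestStep]
            ) -> Tuple[Status, List[str], List[str]]:
    """Return (control status, blocking problems, remediation tasks).

    Status is Pending while any step has a problem, so a control is never
    reported Satisfied on incomplete evidence.
    """
    if not steps:
        raise ValueError(f"{control_id}: no test steps defined")
    problems = [p for s in steps for p in step_problems(s)]
    if problems:
        return Status.PENDING, problems, []
    failed = [s for s in steps if not s.passed]
    if not failed:
        return Status.SATISFIED, [], []
    # Each certified failure becomes a remediation (POA&M) task.
    tasks = [
        f"{control_id} / {s.step_id}: expected '{s.expected}', "
        f"observed '{s.actual}'; {s.variance}"
        for s in failed
    ]
    return Status.OTHER_THAN_SATISFIED, [], tasks


# Constructed sample for an account-lockout control, using AC-7 as the
# control identifier (a real SP 800-53 control id; the step wording is ours).
CERTIFIED_STEPS = [
    TestStep("step-1", "account locked after 3 failed logons",
             actual="locked after 5 failed logons", passed=False,
             variance="agency policy threshold is 5; tailoring not yet recorded",
             certified=True),
    TestStep("step-2", "lockout persists for 15 minutes",
             actual="lockout persisted 15 minutes", passed=True, certified=True),
]
UNDOCUMENTED_STEPS = [
    TestStep("step-1", "account locked after 3 failed logons",
             actual="locked after 5 failed logons", passed=False, certified=True),
]
PASSING_STEPS = [
    TestStep("step-2", "lockout persists for 15 minutes",
             actual="lockout persisted 15 minutes", passed=True, certified=True),
]

if __name__ == "__main__":
    for name, steps in [("certified", CERTIFIED_STEPS),
                        ("undocumented", UNDOCUMENTED_STEPS),
                        ("passing", PASSING_STEPS)]:
        status, problems, tasks = roll_up("AC-7", steps)
        print(name, "->", status.value, problems or tasks)
```

The point of returning `problems` separately from `tasks` is that they go to different people: problems go back to the tester or certifier, tasks go into the remediation list for the control.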

Page 16:

ASSERT Continuous Monitoring: Remediation

Tasks for remediating the control

Page 17:


ASSERT Management Oversight

Real-time report data

Export to PDF or Excel, or view on screen

Page 18:


ASSERT Management Oversight (continued)

Status shown by color coding and in words

Page 19:


ASSERT FISMA Reporting Compliance

Expands to show totals by categorization level

Page 20:


ASSERT FISMA Reporting Compliance (continued)

Page 21:


ASSERT Technical Specifications

ColdFusion MX7 front-end

Oracle 10g database

Accessed via the Web over an HTTPS connection using FIPS 140-2 compliant encryption (FIPS 140-2 applies to the cryptographic module, so verify that the deployed TLS stack is a validated module running in FIPS mode; HTTPS on its own does not satisfy the requirement)

No mobile code and no non-standard ports required

Scalable for number of organizational units, systems and users

Page 22:

A Solid Foundation in ASSERT

A stable, effective, full-featured tool

Secure web-based access to a centralized database

Complies with Moderate baseline controls

Full cycle of FISMA-mandated activities supported

Reporting capabilities

“The elements and phases of the ASSERT SPM appear not only to comply with DITSCAP requirements, but they are much more comprehensive and specify many more steps in the software accreditation and implementation process for EPA. In addition, each element of the ASSERT System has very specific QA requirements for documentation and approval.”

Kevin Hull, Independent QA Auditor, December 2006


Page 23:

EPA’s Shared Service Center: Customized Services

Participation Level      Items
GOTS                     Government Off-the-Shelf downloadable software
Consortium Membership    Technology updates and refreshes; membership on the Configuration Control Board
Readiness Review         Implementation requirements
Additional Services      Data conversion; training and reports; other security-related services

Page 24:

EPA’s Shared Service Center Offerings

Implementation support

Software deployment

Ongoing management & operational support

Technical hosting options

Consortium membership


Page 25:

SSC Implementation Support

Evaluate current processes and security environment

Recommend implementation plan based on effective practices

If requested, provide CISO and staff with business and technical consulting

Help migrate existing data, tailor controls

Offer user training and help desk support


Page 26:

SSC Software Deployment

Flexibility through customization of:
• Agency logo and preferred colors
• Organizational structure
• Standardized terms

Support for loading information:
• System and user information
• Assessment and POA&M history

Agency-specific NIST-compliant policies to reference

Agency-specific common controls and risk management decisions


Page 27:

SSC Management & Operational Support

Sharing of best practices

FISMA management and reporting services:
• Management and business process consultation
• Analysis, such as policy alignment
• Customized reports
• Staff augmentation

Comprehensive user training:
• Relates software to business processes
• Can qualify as specialized IT training

Help desk support


Page 28:

SSC Technical Hosting Options

EPA hosting service:
• Centralized database instance for each agency, with segregation of data
• System platforms, management and monitoring
• Fully certified and accredited environments

Participant agency hosting:
• Provide own system platforms, management and monitoring


Page 29:

ASSERT Consortium

Consortium Board sets vision and directs software evolution

Configuration Control Board oversees the ASSERT feature set

Members share best practices and leverage costs

Reasonably priced to accommodate agencies of all sizes

2006 membership: EPA, GSA, SSA, USDA


Page 30:

Consortium Members’ Security Grades: 2001-2005

Agency                             2001   2002           2003   2004          2005
Environmental Protection Agency    D+     D- (Founded)   C      B             A+
General Services Administration    D      D              D      C+ (Joined)   A-
Social Security Administration     C+     B-             B+     B (Joined)    A+

NOTE: USDA joined in 2006.


Page 31:

Consortium Process

Gather Requirements -> Analyze & Define -> Review by Consortium Board -> Formalize Request -> Approval by CCB -> Develop & Deploy

Process repeats as necessary


Page 32:

EPA’s Integrated Security Solution: Getting There

Timeframe   Activities
FY 2007     Evaluation of current processes and security environment
FY 2008     Migrate data, implement system, and train users
FY 2009     Improved security program

Page 33:

Cost: Sliding Scale

Participation Level        Year 1             Annual
GOTS                       None               None
Consortium Membership
  Mega Agency              TBN*               TBN
  Large Agency             $250,000           $250,000
  Mid-size Agency          $150,000           $150,000
  Small Agency             $50,000            $50,000
  Micro Agency             Shared instance    TBN
Readiness Review                              None
  Mega Agency              TBN
  Large Agency             $25,000
  Mid-size Agency          $25,000
  Small Agency             Included
  Micro Agency             TBN
Additional Services        Priced per request

* To Be Negotiated

Page 34:

Summary: EPA’s Integrated Security Solution

A proven business model

Conformance to the federal risk management framework

Proven, stable software solution since 2002

Services to support implementation and beyond

Consortium in operation since 2004

Consortium members got “A’s” on the 2005 Congressional Scorecard

Page 35:

Benefits

Conforms to the federal risk management framework and federal standards

Standardizes and integrates security practices with business processes

Affordable for agencies of all sizes

Comprehensive solution:
• Services for implementation plus ongoing management and operations support
• ASSERT software

Page 36:

Benefits (continued)

Well-integrated with OMB regulations and NIST methodology for continuous monitoring of controls

Active consortium of government agencies:
• Directs the system vision and development
• Reduces costs through shared resources
• Sets software feature direction

Page 37:

Summary: This Approach

Standardizes and integrates security practices with business processes…

…with the help of an agency that has been there before.

Page 38:

EPA Open House

Consortium Open House, April 5 from 9 am to 3 pm

At EPA East, 12th & Constitution, Rooms 1117A & B

Come for panel discussions, Q&A, and demos


Page 39:

For more information, please contact:

Marian Cody, CISO, U.S. EPA, [email protected]

Bernice Bealle, U.S. EPA, [email protected]

Don Huddleston, U.S. EPA, [email protected]

FISMA Reporting Solution
