DHS Information Security Performance Plan


Department of Homeland Security
Fiscal Year 2014
DHS Information Security Performance Plan
January 27, 2014
Version 1.0
This document was prepared for authorized distribution only.

Table of Contents
1. Executive Summary
2. Introduction
2.1 Purpose
2.2 Scope
2.3 Audience
2.4 Goals and Objectives
2.5 Strategy
2.6 Verification and Validation
3. Inventory Management
3.1 System Inventory
3.2 Asset Inventory
3.3 Mission Essential Systems (MES)
3.4 ISO Inventory Reviews
FISMA System Inventory Refresh
Inventory Refresh Major Area of Focus
Inventory Management SharePoint Site
4. Information Security Continuous Monitoring
4.1 ISCM Capabilities
4.2 Federal ISCM Plan and CDM Procurement
DHS's Approach to ISCM and the CDM Procurement
Existing ISCM Capability Groups and Tools
ISCM Data
Asset Management
Vulnerability Management
Configuration Management
Information Security Vulnerability Management
Endpoint Protection and Antivirus
Data Collection
ISCM Data Aggregation and Storage
5. Security Management
FY14 DHS Information Security Performance Plan i Department of Homeland Security

5.1 FISMA Compliance Management
Authorization
Common Controls
Ongoing Authorization
Document Review
Initiation
Package Categories
Document Review Checklists
Security Plan
Results
Conference Calls
Re-reviews
Component Auto-Validation
Privacy
Weakness Remediation
ISO Security Reviews
Component Outreach
Assist Visits
Critical Control Review (CCR)
Cloud Service Assessment
Security Assessment
Security Training
Annual Information Technology Security Awareness
Privileged User Training
Event Management
Enterprise and CIO FISMA Metrics
Continuous Monitoring
Trusted Internet Connection Consolidation
Mandatory PIV
ISO General Support
Outreach & Training
FISMA Reporting SharePoint
Component Forms/Data Submissions
DHS Executive FISMA Scorecard Page

9. Scorecard and Reporting
Daily Reports
Overall ISCM and SPM Reports
DHS Executive FISMA Information Security Scorecard
Appendix A: Metrics
Metric 1: In-Scope Assets
Metric 2: Managed Assets
Metric 3: Hardware Managed Assets
Metric 4: Scan Coverage
Metric 5: Software Asset Management (SWAM)
Metric 6: Whitelisting
Metric 7: Configuration Management
Metric 8: Vulnerability Management
Metric 9: ISVMs
Metric 10: Anti-Virus
Metric 11: Overall ISCM Score
Metric 12: FISMA Systems
Metric 13: Mission Essential Systems
Metric 14: Authorization
Metric 15: Ongoing Authorization
Metric 16: Privacy
Metric 17: Weakness Remediation
Metric 18: CyberSecurity Training
Metric 19: Event Management
Metric 20: TIC Consolidation
Metric 21: Mandatory Access (PIV)
Metric 22: Overall SPM Score
Appendix B: Document Review Quality Assurance
Appendix C: POA&M Checks
Appendix D: Waivers/Exceptions
Appendix E: POA&M Reasonableness Criteria
Appendix F: DHS NIST RMF Workflow
Appendix G: POA&M Process Map

Appendix H: Metric POCs and Related Reports
Appendix I: Selected CCE Settings
Appendix J: Points of Contact
Appendix K: Resource, Reference, and Site Links
Appendix L: Acronyms

List of Figures
Figure 1: Examples of Performance Plan Strategic Inputs
Figure 2: Inventory Refresh Phases
Figure 3: Example of an ISCM Program
Figure 4: Ongoing Authorization Process
Figure 5: Document Review Process Flowchart
Figure 6: Document Review Methodology Steps
Figure 7: POA&M Process Map
Figure 8: FY14 ISCM FISMA Scorecard
Figure 9: FY14 SPM FISMA Scorecard
Figure 10: FY14 Trend Chart
Figure 11: Sample Cover Sheet
Figure 12: Sample SP Checklist
Figure 13: Sample CP Checklist
Figure 14: DHS NIST RMF Workflow
Figure 15: POA&M Process Map

List of Tables
Table 1: Asset Definitions
Table 2: Current and Future ISCM Capabilities
Table 3: Continuous Monitoring Capability Groups
Table 4: Data Elements for ISCM Metrics
Table 5: FY14 Overall ISCM Score Contributions
Table 6: FY14 Overall SPM Score Contributions
Table 7: POA&M Assurance Checklist
Table 8: NIST Reasonableness Resource Matrix
Table 9: DIACAP Reasonableness Resource Matrix
Table 10: Metric POCs
Table 11: FY14 CCE Settings
Table 12: Points of Contact
Table 13: Reference Links

1. Executive Summary

The annual Department of Homeland Security (DHS) Information Security Performance Plan defines performance requirements, priorities, and overall goals for all DHS Components throughout the current Fiscal Year (FY). It is a tactical interpretation of numerous strategic inputs, including federal mandates, interagency standards, and DHS-specific policies and initiatives. Performance Plan outputs also serve to communicate security posture and risk at the Component and Enterprise levels for remediation and strategic decision-making.

Figure 1: Examples of Performance Plan Strategic Inputs

The FY14 Performance Plan addresses an array of information security areas through selected metrics: Inventory of Systems & Assets, Information Security Continuous Monitoring (ISCM), Security Management, and Enterprise and Chief Information Officer (CIO) initiatives. ISCM is of particular importance in FY14 as DHS looks to leverage the National Protection and Programs Directorate (NPPD) Federal Network Resilience's (FNR) Continuous Diagnostics and Mitigation (CDM) Program for purchasing security tools and services, bolstering capabilities across DHS while also becoming a more technologically homogeneous department. As in FY13, metrics will focus more on capability effectiveness than on implementation as DHS looks to mature its ability to provide more real-time and more expansive tactical data to risk executives and security leadership throughout DHS. Awareness of asset vulnerabilities more often equates to better prepared Information Technology (IT) environments, and ultimately a more secure DHS. Progress remains measured by target levels of compliance, and FY14 will continue to emphasize the asset level rather than the system level. With this process, risk is assumed by a Component rather than by a particular system.

Overall, the FY14 Performance Plan echoes much of what was underscored in FY13 while improving upon the effectiveness of several metrics. These improvements are meant to promote more nuanced and accurate results and thereby a better understanding of information security at DHS and its Components. New in FY14, the scorecard will emphasize some themes which DHS is looking to grow, including Whitelisting, Ongoing Authorization (OA), and completeness or coverage of Component scanning efforts (i.e., Scan Coverage). All of the metrics and topics described in this Performance Plan align either directly or indirectly with federal requirements and have been researched and incorporated in such a way as to help maintain DHS's leadership role in federal government cyber security.

2. Introduction

2.1 Purpose

The Performance Plan describes annual requirements, priorities, and procedures applicable to Components in a given fiscal year. Metrics and a monthly scorecard are used to gauge progress toward Departmental goals. It also serves as a roadmap for future initiatives in order to encourage forethought and innovation among Components. FY14 continues the federal trend of measuring Federal Information Security Management Act (FISMA) compliance in percentages but also markedly focuses on the role of specific risks at play within the Department. FY14 introduces mechanisms for correlating data from different security vantage points in order to support the certainty and integrity of scanning and data collection efforts. FY14 also will represent new metrics on the scorecard as informational concepts to promote the more efficient use of data derived from mandated security activities; for instance, raising the visibility of the newly codified Ongoing Authorization program with an informational maturity metric. This metric is meant to promote OA as a more effective method for keeping security leadership aware of the risks and vulnerabilities associated with information systems by leveraging ISCM monthly data and inheritance of controls, and by breaking the arbitrary mold of 3-year Authorizations to Operate (ATOs). Other examples of promoting efficiency and correlation are introducing a mode of application Whitelisting, which highlights the unauthorized presence of applications in Component environments, and correlating Information Security Vulnerability Management (ISVM) data against monthly ISCM patch and Common Vulnerabilities and Exposures (CVE) data. Approaching risk management in this manner provides more accurate insight into the threats faced by both DHS and the government at large.

The FY14 Performance Plan draws from several key sources and initiatives for guidance, including:
- Maturing Information Security Continuous Monitoring
- Prioritizing information security actions
- Addressing Government Accountability Office (GAO) High Risk Priorities
- Remediation of OIG-14-09: Evaluation of DHS Information Security Program for Fiscal Year 2013
- Supporting the DHS Information Security Strategic Plan
- Ensuring alignment with Federal CyberSecurity Cross Agency Priority (CAP) Goals

2.2 Scope

The FY14 Performance Plan applies for the entirety of the fiscal year to all DHS Components and the operational [1] information systems for which they are responsible. Components are required to maintain FISMA Systems within the Information Security Office (ISO) FISMA Compliance Tool and also to submit monthly data reflecting the security posture of their organizations to the DHS ISO for analysis. Data submissions are structured around metrics associated with Departmental goals [2]. The Performance Plan is not intended to dictate the processes or methodology by which Components obtain the data necessary to generate these metrics; however, it does establish the precise type of data and the format in which metrics must be reported, which may significantly influence data collection methods. Metrics and associated requirements may differ depending on characteristics of a given system, such as whether it is Sensitive but Unclassified (SBU), a National Security System (NSS), or a Chief Financial Officer (CFO) designated system [3]. Specific disparities are documented in Appendix A for applicable metrics. Security Operations Centers (SOCs) within the DHS Enterprise are also required to report information pertaining to effective visibility into security events and management of reported incidents.

The DHS Executive FISMA Scorecard is a consolidated Department view of all individual Component metrics. It is used to communicate overall security posture to DHS executives for strategic decision-making, as well as to emphasize areas for improvement to Component-level security compliance and operations personnel. Furthermore, it integrates DHS and federal priorities in a single mode of communication for internal and external use.

[1] Only systems designated as operational in the current FISMA Compliance Tool are subject to Performance Plan reporting requirements. Systems in implementation and modification status per the System Engineering Life Cycle (SELC) are also considered operational.
[2] ISO expects that some adjustments will be necessary once NIST SP 800-53 Revision 4 is released within the IACS tool. Until that time, however, the Department will continue to adhere to Revision 3.
[3] CFO-designated systems have additional information security requirements beyond the scope of the FY14 Performance Plan.

2.3 Audience

The Performance Plan is applicable to any DHS federal employee or contractor involved in IT compliance, security, architecture, and/or risk management. The DHS Chief Information Security Officer (CISO) is the primary owner of the Performance Plan, responsible for managing necessary updates or modifications. The DHS CISO Council, comprised of CISOs representing each DHS Component, is the authorizing body for the content of the Performance Plan. The primary output of the requirements contained in the Performance Plan is the DHS Executive FISMA Scorecard, which is used to communicate broadly to senior DHS executives, such as the CIO, as well as to federal oversight entities, such as the Office of the Inspector General (OIG) and the Office of Management and Budget (OMB).

DHS chairs and participates in several working groups that serve as forums for developing and disseminating information that can help Components meet current reporting requirements and develop new capabilities for future requirements, including:
- Compliance Working Group (CWG): The CWG is a forum used specifically to address issues and events related to Component FISMA Scorecard performance, FISMA Inventory, Compliance Tools, and Compliance related activities. This includes clarification of requirements, best practices for collecting and reporting information, and relevant changes to standard procedures.
- Continuous Monitoring Working Group (CMWG): The CMWG addresses the procurement, implementation, and operation of enterprise ISCM solutions and how they can best be leveraged by Components. [4]
- Enterprise System Security Working Group (ESSWG): The ESSWG develops and vets security requirements, policy, and architecture for all DHS enterprise service offerings.
- Ongoing Authorization Working Group (OAWG): The OAWG is an interagency working group, co-chaired by DHS and the Department of Health and Human Services (HHS), that works to develop a strategy for transitioning the traditional periodic Security Authorization (SA) process to an ongoing process, utilizing capabilities such as common controls and continuous monitoring.
- Joint Continuous Monitoring Working Group (JCMWG): The JCMWG is the interagency body for Continuous Monitoring collaboration, cooperation, and coordination; it is the principal venue by which the Executive Branch synchronizes Continuous Monitoring policy across National Security Systems and non-National Security Systems.

[4] The CWG and CMWG may occasionally combine as one meeting depending on the time of year, meeting resources, and content of the meeting.

2.4 Goals and Objectives

In FY14, the Department intends to 1) continue its security approach toward risk management through an evolved Scorecard, 2) mature information security continuous monitoring capabilities and effectiveness across the enterprise, and 3) bolster correlation, provide more efficient processes, and promote enterprise-wide security tool standardization. Comprehensive risk scoring and near real-time vulnerability and IT asset awareness are future goals that will become more feasible as DHS processes and capabilities mature. FY14 metrics support quarterly and annual FISMA reporting requirements. ISCM data is also used to meet required monthly Extensible Markup Language (XML) data feeds to OMB through its CyberScope application. As of October 2013, CyberScope XML feeds are required to be submitted for all Components and will be verified by FNR.

The most significant improvements and changes for FY14 are:
- Concentrating information security continuous monitoring metrics on effectiveness rather than implementation.
  o Vulnerability Management transitions to measuring critical and high vulnerabilities per asset.
  o Configuration Management expands to require United States Government Configuration Baseline (USGCB) settings for additional platforms beyond workstations.
  o Information Security Vulnerability Management, previously Patch Management, will now assess vulnerability data to ensure that required assets/systems were patched for all Alerts and two random Bulletins (one related to workstations and one related to servers).
- Implementation of an Ongoing Authorization Program at the Enterprise level.
- Implementation of an Enterprise Whitelisting Program by leveraging current Security Content Automation Protocol (SCAP) data.
- Clarifying the relationship of External Information Systems (EIS), Cloud Service Providers (CSPs), and Cloud Tenant Minor Applications (CTM) to information security policy.

The FY14 metrics as outlined in Appendix A are intended to:
- Integrate in-depth organizational monitoring across the layers of defense;
- Introduce a measurable whitelisting effort to increase scrutiny of application level security;
- Correlate data sources in order to bolster the integrity of Component vulnerability scanning;
- Grow DHS's version of the OMB-endorsed (M-14-03) Ongoing Authorization concept;
- Eliminate critical and high vulnerabilities;
- Achieve automated asset inventory reporting;
- Measure the effectiveness of organizational Plan of Action & Milestone (POA&M) management and Security Authorizations;
- Ensure accurate, real-time automated data;
- Maximize the use of DHS Enterprise License Agreements (ELAs); and
- Collect information that can be used to determine true measures of risk at the Department.

2.5 Strategy

In addition to being a representation of Departmental information security initiatives, the Performance Plan supports federal directives, congressional requirements, National Institute of Standards and Technology (NIST) guidance, and CIO FISMA priorities. DHS priorities align with federal mandates and interagency standards, in addition to focusing on DHS-specific security needs. FY14 metrics are grouped in several categories:
- Inventory of Systems and Assets: Ensuring visibility and accountability for all information systems and assets, such as workstations and servers, is foundational to the completeness and integrity of nearly all other metrics. Inventory metrics reflect whether Department requirements are being met comprehensively.
- Information Security Continuous Monitoring: ISCM metrics help to maintain an accurate picture of an organization's real-time security risk posture by consistently leveraging management tools, security controls, and prioritized risk mitigation.
- Security Management: Metrics addressing longstanding security practices, many of which are federal compliance requirements.
- Security Operations Center: A continuing initiative from FY12, DHS is seeking to better monitor and support the maturation of its SOC and incident response capabilities. FY14 metrics focus on timely Security Event Notice (SEN) management and verifying ISVM management.
- Enterprise Solutions: Enterprise Solution metrics are not system specific, but rather measure how effectively enterprise security initiatives are deployed by large programs and/or entire Components.

The metrics that make up each group are collectively used to form an Executive FISMA Scorecard broken up into two groups: Information Security Continuous Monitoring and Security Processes. The Executive FISMA Scorecard, in turn, feeds into Component-level scorecards, reports at the system level, and reports at the asset level. This tiered approach maximizes visibility into all levels of the Department's security posture. The FY14 Performance Plan is designed to address each metric grouping, while also addressing how the DHS ISO and Components validate security compliance and risk management processes.

2.6 Verification and Validation

Although Components assume ultimate responsibility for all data submitted to DHS ISO, quality checks and validation processes exist to assist with compliance and comprehensive risk management. Tools, review processes, and targeted Quality Assurance (QA) all work together to provide validation and verification for Department activities.

3. Inventory Management

In order to support the DHS mission, it is vital that the Department have an accurate accounting of all systems and assets within the Department's boundary. Unaccounted systems pose greater risk due to the uncertainty of ownership, maintenance, and compliance with federal mandates, directives, and policies. The goal of monitoring assets across the entire Department is to ensure that each facet of an information system poses the minimum possible risk. Ensuring security at the smallest level of each system enhances security for the enterprise as a whole.

3.1 System Inventory

Accurate system and asset counts are the foundation upon which FY14 metrics are calculated. In FY14, Components scan, monitor, and report all systems (SBU, Classified, and Mission Essential) and assets to the Office of the Chief Information Officer (OCIO). In FY14, mobile devices are included within the scope of assets but do not contribute to the Scorecard metrics. The ISO Inventory Management Team (IMT) continues to discover and maintain Components' inventories of systems through the Annual Refresh process, further detailed in section 3.4: ISO Inventory Reviews.

3.2 Asset Inventory

Components are required to report all Hardware and Software Assets within their organization in order to accurately maintain a full Inventory for the ISCM Program that supports all FISMA related activities as defined in the RMF. A Hardware Asset, often referred to simply as an asset in this text, is defined as any addressable device that can be connected to a DHS Network and used in the course of operational or business activities. Hardware Assets include, but are not limited to: laptops, workstations, servers, virtual computing platforms, network devices, mobile devices, printers, and communications media. A Software Asset is defined as any application, excluding an operating system, deployed on a Hardware Device.

Not all assets in the Department's inventory are required to be scanned and reported to the ISO Continuous Monitoring (CM) Team. These requirements are fully defined in Appendix A and Table 1: Asset Definitions. In Scope Assets represent the entire population of a Component's Hardware Asset Inventory that should be reported through the Asset Inventory form on the FISMA Reporting SharePoint Site (see Metric 1: In Scope Assets). All required assets that are scanned and reported to ISO are classified as either Managed or Invalid assets. Managed assets are those reporting ISCM data on a monthly basis; they serve as the scoring population for ISCM metrics. Invalid assets have an invalid FISMA Identifier (ID) or are missing a unique hostname. These two fields are the key identifiers for all assets. Invalid assets populate a Component's Asset Exception List and are reported back to the Component by the ISO CM Team. For more information on Asset Classification, see the Asset Classification White Paper located on the FISMA Reporting SharePoint Site.

Table 1: Asset Definitions (Term; Definition; Possible implications)

In Scope Asset
Definition: A device that is or should be connected to the unclassified network and maintains an IP address.
Possible implications: Should be scanned for monthly ISCM reporting and will be scored for Scan Coverage.

Dormant Asset
Definition: Devices that may be stored for mission related purposes and are not currently in use or assigned.
Possible implications: Considered Out of Scope and will not be scored for any purpose. ISO will still track these devices.

Mobile Asset
Definition: Devices that currently cannot be scanned due to enterprise technology availability (e.g., smartphones, tablets, or Universal Serial Bus (USB) devices).
Possible implications: Considered Out of Scope and will not be scored for any purpose. ISO will still track these devices.

Invalid Asset
Definition: A scanned asset that 1) is missing or has an invalid FISMA ID and/or 2) is missing a hostname.
Possible implications: Invalid assets cause an exception and are NOT imported into the Continuous Monitoring Database (CMDB).

Managed Asset
Definition: A scanned asset that contains 1) a valid FISMA ID and 2) a hostname.
Possible implications: Managed assets make up the scoring population for the Scorecard and can be called Operational Assets (comparable to Operational Systems).

Identified Assets
Definition: A Managed Asset that is fully defined by the OS Common Platform Enumeration (CPE) (e.g., Microsoft Windows 7, Solaris, Cisco Internetwork Operating System (IOS), and Windows Server 2003). These are also called Hardware Managed Assets.
Possible implications: In order to properly assign requirements to an asset, it must be identified. These assets have been credentialed scanned.

Unidentified Assets
Definition: A Managed Asset that cannot define the OS CPE, OR is defined as a Windows OS Platform but contains an IP address as a hostname. IP hostnames assigned by Dynamic Host Configuration Protocol (DHCP) create an unstable asset inventory that constantly shifts and changes.
Possible implications: Unidentified assets will automatically fail all ISCM Metrics due to the threat that they pose. These generally result from failed or non-credentialed scans.

Software Managed Assets
Definition: A Managed Asset that reports at least one (1) application CPE (e.g., Java, Oracle, Internet Explorer).
Possible implications: The goal is to work towards creating a software asset inventory due to increasing FISMA requirements in software management and configuration.
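The Table 1 classes are decided by a handful of record-level checks (a valid FISMA ID and a hostname, an OS CPE from a credentialed scan, a Windows platform reporting an IP address as its hostname, at least one application CPE), so they can be applied mechanically to a scan feed before it is loaded into the CMDB. The following Python is an added example written for this page; it is not code from the Performance Plan or from DHS. The record field names, the FISMA ID pattern, and the sample feed are assumptions, since the page does not describe the ISCM feed format or the exact FISMA ID syntax.

```python
"""Classify scanned hardware assets using the Table 1 rules.

Added example, not DHS code. The record fields (fisma_id, hostname, os_cpe,
app_cpes), the FISMA ID pattern and the sample feed are assumptions; the
Performance Plan does not define the ISCM feed schema.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed FISMA ID shape: Component prefix, hyphen, digits (e.g. "CBP-01234").
# The page only requires a "valid FISMA ID"; this pattern is illustrative.
FISMA_ID_RE = re.compile(r"^[A-Z]{2,6}-\d{3,6}$")


@dataclass
class ScannedAsset:
    fisma_id: Optional[str]
    hostname: Optional[str]
    os_cpe: Optional[str]                     # OS CPE from a credentialed scan
    app_cpes: List[str] = field(default_factory=list)


def cpe_fields(cpe: Optional[str]) -> Optional[Tuple[str, str, str]]:
    """Return (part, vendor, product) from a CPE 2.2 or 2.3 name, else None.

    CPE 2.2: cpe:/o:microsoft:windows_7   CPE 2.3: cpe:2.3:o:microsoft:windows_7:...
    """
    if not cpe:
        return None
    if cpe.startswith("cpe:2.3:"):
        parts = cpe.split(":")[2:]
    elif cpe.startswith("cpe:/"):
        parts = cpe[len("cpe:/"):].split(":")
    else:
        return None
    if len(parts) < 3 or parts[0] not in ("o", "a", "h"):
        return None
    return parts[0], parts[1], parts[2]


def is_ip_literal(name: str) -> bool:
    """True when the reported hostname is just an IP address (typical of DHCP leases)."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def classify(asset: ScannedAsset) -> List[str]:
    """Return the Table 1 classes that apply to one scanned record, most general first."""
    # Invalid: missing/invalid FISMA ID or missing hostname; not imported into the CMDB.
    if not asset.fisma_id or not FISMA_ID_RE.match(asset.fisma_id) or not asset.hostname:
        return ["Invalid"]
    classes = ["Managed"]

    # Identified (Hardware Managed) needs a full OS CPE; a Windows platform that
    # reports an IP literal as its hostname is Unidentified even with an OS CPE.
    os_fields = cpe_fields(asset.os_cpe)
    is_os = os_fields is not None and os_fields[0] == "o"
    is_windows = is_os and os_fields[1] == "microsoft" and os_fields[2].startswith("windows")
    if not is_os or (is_windows and is_ip_literal(asset.hostname)):
        classes.append("Unidentified")        # fails all ISCM metrics per Table 1
    else:
        classes.append("Identified")

    # Software Managed: at least one application ("a") CPE reported.
    app_fields = [cpe_fields(c) for c in asset.app_cpes]
    if any(f is not None and f[0] == "a" for f in app_fields):
        classes.append("Software Managed")
    return classes


def partition(assets: List[ScannedAsset]) -> Tuple[Dict[str, int], List[ScannedAsset]]:
    """Count each class across a Component feed and build the Asset Exception List."""
    counts: Dict[str, int] = {}
    exceptions: List[ScannedAsset] = []
    for a in assets:
        classes = classify(a)
        if classes == ["Invalid"]:
            exceptions.append(a)
        for c in classes:
            counts[c] = counts.get(c, 0) + 1
    return counts, exceptions


# Constructed sample feed (not real DHS data); one record per Table 1 situation.
SAMPLE_FEED = [
    ScannedAsset("CBP-01234", "ws-0417", "cpe:/o:microsoft:windows_7", ["cpe:/a:oracle:jre:7.0"]),
    ScannedAsset("CBP-01234", "10.20.30.41", "cpe:/o:microsoft:windows_7", []),   # DHCP IP as hostname
    ScannedAsset("CBP-01234", "db-02", None, []),                                  # non-credentialed scan
    ScannedAsset("CBP-01234", "rtr-core-1", "cpe:2.3:o:cisco:ios:15.2:*:*:*:*:*:*:*", []),
    ScannedAsset(None, "srv-09", "cpe:/o:microsoft:windows_server_2003", []),      # no FISMA ID
    ScannedAsset("CBP-01234", None, "cpe:/o:sun:solaris:10", []),                  # no hostname
]

if __name__ == "__main__":
    for a in SAMPLE_FEED:
        print(f"{a.fisma_id!s:10} {a.hostname!s:14} -> {', '.join(classify(a))}")
    counts, exceptions = partition(SAMPLE_FEED)
    print("counts:", counts)
    print("Asset Exception List:", [(a.fisma_id, a.hostname) for a in exceptions])
```

The evaluation order matters: the FISMA ID and hostname checks decide whether a record enters the CMDB at all, and only records that pass them are considered for the Identified/Unidentified split and for Software Managed. Running the feed shows two records on the Asset Exception List and two Managed assets that would fail every ISCM metric, one for a missing OS CPE and one for a Windows host reporting a bare IP address.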

3.3 Mission Essential Systems (MES)

An accurate and up-to-date MES List is vital to ensuring the continuity of essential operations in the wake of a calamitous event. The MES List is a federal priority and Components should ensure that all systems deemed mission essential are identified. Neither non-operational systems nor external information systems may be deemed essential; however, a Component may claim a system as essential that is owned or operated by another Component, provided that system is vital to the first's mission. Mission essentiality is determined through self-reporting by Components as well as a given system's Federal Information Processing Standards (FIPS)-199 Availability rating, which should not be Low. Those systems qualifying as mission essential are added to a tracking list maintained at the Enterprise Operations Center (EOC) SharePoint Site [5]. The list is reviewed biannually and currently identifies 144 operational systems as mission essential across the enterprise.

3.4 ISO Inventory Reviews

FISMA requires DHS to develop, maintain, and update an inventory of all information systems operated by the Department. The Annual Refresh process is the time period during which ISO helps Components identify any systems missing from the inventory and resolves any other inventory issues. ISO also assumes authority and responsibility for the unclassified and classified inventory of all Department FISMA systems and assets, enforces change control on that inventory, and assists Components in meeting compliance requirements for proper system categorization and reporting. Scorecard data is assessed for accuracy against official Inventory records for each Component. Any discrepancies identified result in notification to the relevant Component, and the Component Inventory is updated pending resolution of the issue. All procedures and requirements are outlined in the DHS FISMA Inventory Methodology.

FISMA System Inventory Refresh

Components are responsible for maintaining their inventories on an ongoing basis. The Annual Refresh augments this effort by allowing ISO to engage directly with Component personnel to identify any systems missing from the inventory and to recommend inventory updates. Due to the hundreds of site discovery visits conducted by ISO over the past few years, fewer and fewer systems remain un-inventoried. As a result, discovery visits are now conducted by Component request, with site recommendations discussed during the Annual Refresh Kickoff meeting. The typical Refresh lifecycle is described in Figure 2. All research, analysis, and conclusions concerning the boundary of a selected system are documented in a formal report submitted by the Annual Refresh deadline of June 30th.

[5] All links within this document will be defined in Appendix K. For access permissions, contact the steward of the site. For SharePoint sites, click on the link to request access.

Figure 2: Inventory Refresh Phases

All critical or time-sensitive changes identified through site visits must be addressed through a change request submitted by the Component or initiated by ISO for Component validation. Components have 45 days to respond; otherwise, the change request goes into effect automatically.

Inventory Refresh Major Area of Focus

Specific areas of focus are selected each year based on DHS initiatives or Inventory weaknesses. In FY14 the Major Area of Focus for the inventory refresh will be the classification of cloud systems and EISs. The IMT will review all systems categorized as EISs to determine which EISs are cloud systems and whether or not they should be re-categorized. If they are determined to be cloud General Support Systems (GSS) or Major Applications, then the IMT will take inventory of all associated applications and systems.

Inventory Management SharePoint Site

The Inventory Management SharePoint Site was established in FY11. It provides Components access to current information and serves as a central, organized location to exchange data. Reference files, such as the Inventory Methodology and change request forms, are stored in general access sections. Each Component has a customized page that may only be accessed by members of their organization. With Component CISO approval, the following elements may be stored on the Component's page:
- Unclassified FISMA system inventory, system leads, and action items
- Inventory refresh schedule
- Inventory meeting reports

4. Information Security Continuous Monitoring

Since 2011, ISCM has become a leading priority at DHS and is one of the three Cybersecurity CAP Goals for the Executive Branch. Continuous Monitoring will help Agencies maintain an up-to-date picture of what assets are on their information networks and when the security statuses of those assets change. ISCM is a Risk Management [6] approach that utilizes ongoing awareness of the security posture of information technology assets in order to maintain an accurate picture of organizational risk. This is accomplished through the use of automated security management tools that are able to detect, quantify, report, and potentially mitigate risks on a near real-time basis.

4.1 ISCM Capabilities

NIST SP 800-53 Rev 4 defines security capability as the set of mutually-reinforcing security controls that provides the requisite level of trustworthiness for organizational information systems. Organizations can group individual controls into capabilities which, when implemented, will mitigate relevant attacks that can have a negative impact on the mission. In 2012, the White House tasked DHS NPPD with overseeing an Information Security Continuous Monitoring Program on behalf of all Federal Civilian Departments and Agencies. The objective of this Program is to obtain CM Tools and Services that will provide federal agencies the ability to enhance and automate their existing continuous monitoring network capabilities, correlate and analyze critical security-related information, and strengthen risk-based decision making at the agency and federal enterprise level. Figure 3 demonstrates NPPD's organization of mutually-reinforcing security controls into security capabilities that directly support the ISCM Program.

Figure 3: Example of an ISCM Program

[6] NIST Special Publication 800-37 Revision 1, Applying the Risk Management Framework to Federal Information Systems.

4.2 Federal ISCM Plan and CDM Procurement

The Executive Branch's CAP Goal for Continuous Monitoring includes transforming the historically static security control assessment and authorization process into an integral part of a dynamic enterprise-wide risk management process. This change allows departments and agencies to maintain ongoing, near real-time awareness and assessment of information security risk and to respond rapidly in support of organizational risk management decisions. OMB Memorandum M-14-03 (November 18, 2013) provides agencies with guidance for managing information security risk on a continuous basis and builds upon efforts towards achieving the Cybersecurity CAP Goal. Departments will utilize ISCM tools and processes to manage their assets, but will do so in support of FISMA compliance and the NIST Risk Management Framework.

In order to support Continuous Monitoring, a Federal Program to help agencies procure CDM tools is underway. The Federal ISCM Program, led by the FNR Branch of NPPD, is sequenced for implementation starting with the Manage Assets family of Figure 3 and continuing clockwise. It is anticipated that the scope of the ISCM program will expand to include the remaining Security Capabilities of Figure 3 in FY15 and beyond. Beginning with the Manage Assets family and proceeding clockwise, it is envisioned that approximately five to six capabilities will become operational each year, as shown in Table 2.

Table 2: Current and Future ISCM Capabilities

Increment 1: Manage Assets
1. Hardware Inventory
2. Software Inventory / Anti-virus
3. Configuration Settings
4. Vulnerabilities

Increment 2: Manage Accounts for People and Services
1. Network/Physical Access Control
2. Trust in People Granted Access
3. Security Related Behavior
4. Credentials & Authentication
5. Account Access

Increment 3: Manage Events
1. Prepare for Incidents and Contingencies
2. Respond to Incidents and Contingencies

Increment 3: Security Lifecycle Management / Design and Build in Security
1. Requirements, Policy and Planning
2. Quality Management

Increment 3: Security Lifecycle Management / Operate, Monitor, and Improve
1. Operational Security
2. Generic Audit/Monitoring

4.3 DHS's Approach to ISCM and the CDM Procurement

In FY14, DHS will expand its Information Security Continuous Monitoring Program to achieve greater standardization of ISCM tools. The DHS CIO and CISO will lead a coordinated One-DHS deployment of ISCM Capabilities through the Federal CDM Procurement. [7] The consolidated Department-wide approach will:
- decrease costs and leverage enterprise licensing,
- facilitate a Common Operating Picture (COP),
- make funds available for new or complementary capabilities, and
- permit cross training and transfer of staff among the Components.

The DHS CIO will work with FNR's CDM Program to develop an enterprise solution of CDM tools. They will follow a transparent methodology for requirements development and tool selection that leverages Component collaboration. Procurement, implementation, and tool transition will be stewarded by the DHS Office of the Chief Information Security Officer (OCISO) in coordination with the Department's CIO Council. Procurement activities are expected to begin in January of 2014 and will continue throughout the remainder of the fiscal year. FNR's CDM program will fully fund costs associated with the transition. OMB has authorized existing budgeted dollars that are not spent to remain at Components for spending on alternate information security efforts (such as the mitigation of vulnerabilities).

4.4 Existing ISCM Capability Groups and Tools

Over the last few years, DHS Components have been at the forefront of implementing Continuous Monitoring Capabilities. DHS Components have used a variety of tools to meet the technical capabilities required of an effective ISCM Program. DHS has encouraged standardization by managing ELAs and consolidating numerous disparate contracts and licenses across the Department. By providing access to a common set of ISCM tools, DHS was able to reduce operations and maintenance costs and expand the availability of the most common capabilities to all DHS Components.

Table 3 outlines the current and future capability areas and procurements of the DHS ISCM Program. Current ISCM data collection efforts (section 4.6: Data Collection) are directly aligned with Increment 1 of the Federal CDM Program.

[7] One DHS Deployment of Continuous Diagnostics and Mitigation (CDM) Capability, DHS Acting Deputy Secretary Memorandum to Component Heads, November 15.

Table 3: Continuous Monitoring Capability Groups

Capability Group: Description. ELA Tool(s).
- Asset Management: Identification of hardware and software assets. Tenable Nessus and/or McAfee ePolicy Orchestrator (ePO).
- Network-Based Vulnerability Auditing: Credentialed vulnerability scanning achieved through periodic network scans. Tenable Nessus and Security Center.
- Configuration Management: Agent-based, active detection and remediation of non-compliant configurations; capable of making changes directly to host endpoints. TBD.
- Endpoint Protection: Agent-based solution including capabilities such as anti-virus, anti-malware, host-based Intrusion Detection System (IDS), and removable media protection. McAfee ePO and Endpoint Protection Advanced tool suite.

ISCM documentation supporting these capability areas and tools, available on the CMWG SharePoint site, includes:
- McAfee ePO CM Reference Guide v2.1
- SOP Data Feed Submission version v4.1
- Tenable-Nessus Implementation Guide v2
- Configuration Baseline Audit Files
- Tenable Parser

4.5 ISCM Data

OMB Memo M-14-03 requires agencies to develop an ISCM plan and to deploy enterprise ISCM products and services instead of multiple disparate services across Agency Bureaus/Components. While standard enterprise tools are available to all Components, use of these tools will not be mandatory until the Department's CDM Procurement is complete. Nonetheless, there are monthly reporting standards, and the requirements of these standards are largely based on the capabilities and output formats inherent to the standard enterprise tools. The following chart lists the required data elements corresponding to each of the FY14 ISCM metrics. See Appendix A for corresponding metric detail about these capabilities.

Table 4: Data Elements for ISCM Metrics [8]

Asset Information (applies to ALL ISCM metrics): FISMA ID; Hostname; CPE standard; Device Role; Last scan date; Credentialed scan.

Software Asset Management: CPE (application); Whitelisting: accepted CPE (application) according to the Enterprise Architecture (EA) Technical Reference Model (TRM).

Vulnerability Management: CVE standard; Common Vulnerability Scoring System (CVSS) number.

Configuration Management: Configuration name/version; Common Configuration Enumeration (CCE) standard; Configuration status (pass, fail, exception).

Anti-Virus (Endpoint Protection):
- Gathered but not scored: Product version (Host Intrusion Prevention, HIPS); Hotfix/patch version (HIPS); HIPS status; Content version.
- Scored (mandatory): DAT file version, or date of last definition update.

ISVM:
- Gathered but not scored: Date of the most recently installed patch; Patch name of the most recently installed patch.
- Scored (using the Vulnerability Management data submitted): Verification status of vulnerabilities mitigated from ISVM Alerts and 2 random ISVM Bulletins (1 Workstation Bulletin and 1 Server Bulletin).

[8] See the published CPE, CVE, and CCE specifications for detailed descriptions of these standards.

Scan data can be split into different files (e.g. Vulnerability data can be separate from Configuration Management data). Each separate file must contain the relevant FISMA ID and Hostname so that the data can be aggregated accordingly. See the SOP Data Feed Submission version v4.1 for template suggestions.

4.5.1 Asset Management

Components are required to identify and report hardware and software assets monthly to the ISO. Properly identifying assets is the single most important way for a Component to improve its score, as unidentified assets fail most Continuous Monitoring metrics. To be considered Identified, an asset must (1) have a valid FISMA ID, (2) have a valid hostname, and (3) have an OS CPE. Certain assets (e.g. printers and network devices) that cannot report an OS CPE may be classified as Identified if their Device Role is properly annotated in the monthly data feed and matches the Universal Device Role List.

4.5.2 Vulnerability Management

Components are required to report vulnerability information for all visible workstations, servers, and virtual machines (where possible). Vulnerabilities are to be reported in SCAP-compliant format (i.e. CVE with an associated CVSS score that indicates severity). Only high and critical vulnerabilities will impact the Vulnerability Management metric on the Scorecard, but every asset must report at least one CVE (regardless of CVSS) in order to pass the metric. Each identified asset will be evaluated as to whether it has been scanned and does not exceed the maximum threshold of one hundred (100) critical and high vulnerabilities.

4.5.3 Configuration Management

Components must report select configuration baseline data for applicable platforms:
- Windows XP (end of life in April 2014)
- Windows 7
- Windows Vista
- Windows Server 2003
- Windows Server 2008
- Unix (will be scored starting April 2014)
- Linux (will be scored starting April 2014)
- Cisco Router (will be scored starting April 2014)

Additional required platforms, including Windows, UNIX, and Linux servers, will be placed in scope as ISO tests and publishes applicable baseline audit files. SCAP-compliant CCE data must be provided for each applicable asset, including a pass, fail, or exception status indicating compliance. The configuration settings, found in Appendix I, have been selected from the complete list of USGCB settings to condense the amount of data being submitted. Unidentified assets automatically fail this metric regardless of whether data is provided. There will be a 2 month grace period, once configuration audit files are published, before a platform is required and scored on the monthly DHS Executive FISMA Scorecard.

4.5.4 Information Security Vulnerability Management

The ISVM metric focuses on ensuring that DHS SOC ISVM messages are properly addressed across the Department. This metric will verify compliance at the asset level through the vulnerability data submitted to ISO in order to determine that vulnerabilities have been mitigated. No new, additional reporting is required by Components in order for this metric to be scored. Please note that Component Information System Security Officers (ISSOs) will still continue to respond to ISVM messages and verify compliance in EOC Online. All Alert ISVMs will be verified and two random Bulletin ISVMs will be verified through this process. There is a 2 month lead time between an ISVM message being issued and resolved to a relevant patch, and that patch then being verified via vulnerability scans.

4.5.5 Endpoint Protection and Antivirus

Components must demonstrate progress in implementing agent-based endpoint protection measures by reporting whether or not certain capabilities are installed and active on applicable assets (or hosts). Applicable hosts (workstations and servers) have agents installed and are capable of reporting this information. In FY14, required capabilities are limited to antivirus (even though host intrusion detection and prevention systems are recommended). Data regarding product versions and updated signature files are also required. A central management platform able to communicate, aggregate, and analyze data from these separate agents or modules across all hosts is essential to reporting in an efficient and timely manner. The DHS Executive FISMA Scorecard verifies that asset anti-virus definition files have been updated within 30 days of scan time. Unidentified assets automatically fail this metric.

4.6 Data Collection

The recommended data flow for ISCM metrics begins with data generation and collection at the Component level using automated tools. Tenable Nessus data should be generated in Comma Separated Values (CSV) format or in a way that conforms to the data templates found in the Data Feed SOP (refer to section 4.5: ISCM Data). Other file formats, such as Hypertext Markup Language (HTML), will not be accepted. Once data is consolidated into either a single report or multiple reports corresponding to individual FISMA systems, it should be submitted to the ISO either through the ISCM mailbox (ISOContinuousMonitoring@hq.dhs.gov) or uploaded to the CMWG SharePoint Site by the 21st of every month. Submissions will no longer be accepted after the 21st (or the first business day after the 21st) of the month, so that the DHS Executive FISMA Scorecard can be delivered on time. Corrections can only be accepted up to two days after the draft DHS Executive FISMA Scorecard is released. All reports are consolidated by the ISO ISCM team for analysis and used in FISMA, CyberScope, and the monthly DHS Executive FISMA Scorecard.
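The scoring rules described in sections 4.5.1 through 4.5.5, and the join across split feed files that the Data Feed SOP requires, can be exercised end to end on a small constructed feed. The following is an added example written for this edit; it is not DHS or ISO code and not the MAST import logic. The column names, the 100 high/critical vulnerability threshold, the 30-day definition age and the "at least one CVE" rule come from the text above. The CVSS cutoff used for "high", the subset of the Universal Device Role List, the CVEs treated as ISVM Alerts, the treatment of "exception" as compliant in the configuration ratio, and every sample row are assumptions made for illustration.

```python
# Added example (not DHS/ISO code): score the FY14 ISCM metrics over split
# CSV feeds joined on (FISMA ID, Hostname). Sample rows are constructed.
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample feeds, one file per capability as the Data Feed SOP
# allows. Every file carries FISMA ID and Hostname so rows can be re-joined.
ASSETS_CSV = """FISMA ID,Hostname,CPE,Device Role,Last scan date,Credentialed scan
DHS-01,ws01,cpe:/o:microsoft:windows_7,Workstation,2014-01-15,yes
DHS-01,srv01,cpe:/o:microsoft:windows_server_2008,Server,2014-01-15,yes
DHS-01,rtr01,,Router,2014-01-15,no
,ws02,cpe:/o:microsoft:windows_7,Workstation,2014-01-15,yes
"""
VULNS_CSV = """FISMA ID,Hostname,CVE,CVSS
DHS-01,ws01,CVE-2013-0001,9.3
DHS-01,ws01,CVE-2013-0002,4.0
DHS-01,srv01,CVE-2013-0003,7.5
"""
CONFIG_CSV = """FISMA ID,Hostname,CCE,Status
DHS-01,ws01,CCE-10001-1,pass
DHS-01,ws01,CCE-10002-2,fail
DHS-01,srv01,CCE-10003-3,exception
"""
AV_CSV = """FISMA ID,Hostname,DAT File Version,Date of Last Definition Update
DHS-01,ws01,7300,2014-01-14
DHS-01,srv01,7200,2013-11-01
"""
ISVM_ALERT_CVES = {"CVE-2013-0003"}                 # assumed Alert ISVM CVEs
UNIVERSAL_DEVICE_ROLES = {"Router", "Switch", "Printer"}  # assumed subset
HIGH_CVSS = 7.0           # assumption: CVSS v2 "High" band starts at 7.0
MAX_HIGH_CRITICAL = 100   # threshold stated in section 4.5.2
AV_MAX_AGE_DAYS = 30      # stated in section 4.5.5


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def key(row):
    return (row["FISMA ID"].strip(), row["Hostname"].strip())


def by_asset(rows):
    """Group a split feed by the join key every file must carry."""
    grouped = defaultdict(list)
    for row in rows:
        grouped[key(row)].append(row)
    return grouped


def is_identified(asset):
    """Section 4.5.1: FISMA ID + hostname + OS CPE, or a listed Device Role."""
    fid, host = key(asset)
    if not fid or not host:
        return False
    return bool(asset["CPE"]) or asset["Device Role"] in UNIVERSAL_DEVICE_ROLES


def score_asset(asset, vulns, configs, avs, scan_date):
    identified = is_identified(asset)
    scanned = bool(asset["Last scan date"])
    high = sum(1 for v in vulns if float(v["CVSS"]) >= HIGH_CVSS)
    # Must be scanned, report at least one CVE, and stay at or under the
    # high/critical threshold; unidentified assets fail regardless of data.
    vuln_pass = identified and scanned and len(vulns) > 0 and high <= MAX_HIGH_CRITICAL
    statuses = [c["Status"].strip().lower() for c in configs]
    compliant = sum(1 for s in statuses if s in ("pass", "exception"))
    config_ratio = compliant / len(statuses) if statuses else 0.0  # assumed rule
    av_pass = False
    if identified and avs:
        last = date.fromisoformat(avs[-1]["Date of Last Definition Update"])
        av_pass = (scan_date - last).days <= AV_MAX_AGE_DAYS
    # ISVM (section 4.5.4): verified from the submitted vulnerability data,
    # so an asset with no scan data cannot be shown mitigated (assumption).
    isvm_pass = identified and len(vulns) > 0 and not any(
        v["CVE"] in ISVM_ALERT_CVES for v in vulns)
    return {"identified": identified, "vuln": vuln_pass,
            "config_reported": identified and bool(statuses),
            "config_ratio": config_ratio, "av": av_pass, "isvm": isvm_pass}


def score_feeds(assets_csv, vulns_csv, config_csv, av_csv, scan_date):
    vulns, configs, avs = (by_asset(load(t)) for t in (vulns_csv, config_csv, av_csv))
    return {key(a): score_asset(a, vulns[key(a)], configs[key(a)], avs[key(a)], scan_date)
            for a in load(assets_csv)}


def demo_results():
    """Score the constructed sample feeds as of the 2014-01-15 scan date."""
    return score_feeds(ASSETS_CSV, VULNS_CSV, CONFIG_CSV, AV_CSV, date(2014, 1, 15))


if __name__ == "__main__":
    for asset, result in demo_results().items():
        print(asset, result)
```

The row for ws02 has no FISMA ID, so it is unidentified and fails every metric even though it carries a CPE and vulnerability rows would join to it; rtr01 is identified through its Device Role but fails Vulnerability Management because no CVE at all was reported for it. Both cases are the ones the text singles out, and both are invisible if the split files are scored separately rather than joined on FISMA ID and Hostname first.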

4.7 ISCM Data Aggregation and Storage

Data is transferred between the submission method and the Management Aggregation and Security Tool (MAST), which hosts the CMDB, via encrypted USB flash drives. Physical access to MAST is restricted to personnel supporting continuous monitoring at the ISO. Once data enters MAST, it is not removed for any purpose other than to fulfill mandatory reporting requirements. Data is consolidated and normalized for report generation. It is stored on a standalone, air-gapped system.

The import process does not determine or recognize the tool used to provide the data. The application identifies data by field name(s) and required format. This means any tool can be used to provide the required ISCM data as long as all data elements are provided. Components are reminded to submit ISCM data in accordance with the SOP for Data Feed Submissions.

In FY14, the MAST environment will be moved to the Data Center (DC) AppAuth environment in order to reduce processing time and allow ISO to provide feedback and reports at a much faster pace. Updated details and instructions will be provided to the Components prior to the migration. Components will upload ISCM data to a secure file store instead of the traditional method.

5. Security Management

Security management metrics account for established and generally well-understood security practices. Many of these metrics were foundational to the initial development of the information security program at DHS and remain essential to meeting Federal compliance mandates (e.g. FISMA and OMB Circulars). ISO is responsible for the collection, validation, verification, and reporting of this information both internal and external to the Department. ISO provides tools, guidance, and Subject Matter Expertise (SME) to ensure that all Components are able to meet applicable requirements.

With the integration of new technology and best practices such as ISCM, cloud computing, and security control inheritance, the customary ways of addressing these areas of security are gradually transforming. This section describes both the applicable metrics and the initiatives that are already affecting or will likely affect them in the future. A significant initiative is the desire to reduce the amount of duplicative effort and cost often necessitated by the Security Authorization process. Security management processes such as common controls, OA, and Security Plan (SP) reduction have been emphasized since FY12 to streamline the SA process for the entire Department. In FY14, OA will take a larger role in the transition to a better risk management approach.

5.1 FISMA Compliance Management

DHS uses a compliance workflow and monitoring tool, referred to as the Information Assurance Compliance System (IACS), to manage Authorization tasks and other processes. Functions of the tool include:
- The development and monitoring of SA requirements and associated documentation via the NIST SP 800-37 Risk Management Framework (RMF).
- The ability to customize the Requirements Traceability Matrix (RTM) based upon the unique characteristics of the system, ensuring the ISSO is not overburdened with unnecessary requirements.
- The maintenance of the official inventory of FISMA systems.
- The ability to enter and track POA&Ms and annual security control assessments.

IACS provides system owners and ISSOs the ability to develop and continuously monitor SA requirements through the NIST RMF. The ISSO is able to create security plans and contingency plans, along with all of the required documentation, as part of the RMF. The RTM is a document which assists ISSOs and Security Control Assessors (SCAs) with identifying and testing security controls. Selecting the proper set of security controls is critical to having confidence in accepting and managing risk for the system: too few controls do not provide that confidence, and too many overburden the ISSO with unnecessary controls. IACS provides a mechanism by which the ISSO is able to tailor the RTM based upon the system components, environment, and other factors.

IACS is also the component for entering, tracking, and closing POA&Ms, performing annual security assessments, and updating system security information and system security documentation. It provides the ability to track all of this information at the enterprise level, making it easier for system owners, ISSOs, Component compliance officers, and the ISO to collaborate and report the security posture of systems under the RMF. ISO performs necessary updates to the tool as a result of changes to either DHS policy or NIST publications (e.g. NIST revisions), generally within forty-five (45) days after the change occurs.

5.2 Authorization

The SA process is vital to ensuring that security procedures for all operational DHS systems are properly documented, validated, and updated on a regular basis. The Department currently requires that systems submit updated SA documentation to ISO for review at a minimum of every three years in order to obtain validation of the system's Authorization package. The ISO performs a comprehensive Document Review (DR) process in order to verify compliance with FISMA, NIST, and DHS requirements and provides a recommendation for initial or continued operation of the system. A detailed explanation of the DR process can be found in Section 5.5: Document Review.


More information

U.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems

U.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems U.S. Office of Personnel Management Actions to Strengthen Cybersecurity and Protect Critical IT Systems June 2015 1 I. Introduction The recent intrusions into U.S. Office of Personnel Management (OPM)

More information

NASA S PROCESS FOR ACQUIRING INFORMATION TECHNOLOGY SECURITY ASSESSMENT AND MONITORING TOOLS

NASA S PROCESS FOR ACQUIRING INFORMATION TECHNOLOGY SECURITY ASSESSMENT AND MONITORING TOOLS MARCH 18, 2013 AUDIT REPORT OFFICE OF AUDITS NASA S PROCESS FOR ACQUIRING INFORMATION TECHNOLOGY SECURITY ASSESSMENT AND MONITORING TOOLS OFFICE OF INSPECTOR GENERAL National Aeronautics and Space Administration

More information

OFFICE OF INSPECTOR GENERAL

OFFICE OF INSPECTOR GENERAL U.S. CONSUMER PRODUCT SAFTEY COMMISSION OFFICE OF INSPECTOR GENERAL FY 2014 FEDERAL INFORMATION SECURITY MANAGEMENT ACT REVIEW REPORT Issued: 11/14/2014 This report conveys the results of the OIG s review

More information

United States Department of Agriculture. Office of Inspector General

United States Department of Agriculture. Office of Inspector General United States Department of Agriculture Office of Inspector General U.S. Department of Agriculture, Office of the Chief Information Officer, Fiscal Year 2013 Federal Information Security Management Act

More information

ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM)

ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM) ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM) CONTENT Introduction 2 Overview of Continuous Diagnostics & Mitigation (CDM) 2 CDM Requirements 2 1. Hardware Asset Management 3 2. Software

More information

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report U.S. Department of Energy Office of Inspector General Office of Audits & Inspections Evaluation Report The Department's Unclassified Cyber Security Program - 2012 DOE/IG-0877 November 2012 MEMORANDUM FOR

More information

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Evaluation Report The Department's Unclassified Cyber Security Program 2011 DOE/IG-0856 October 2011 Department of

More information

INSPECTION U.S. DEPARTMENT OF THE INTERIOR WEB HOSTING SERVICES

INSPECTION U.S. DEPARTMENT OF THE INTERIOR WEB HOSTING SERVICES INSPECTION U.S. DEPARTMENT OF THE INTERIOR WEB HOSTING SERVICES Report No.: ISD-IS-OCIO-0001-2014 June 2014 OFFICE OF INSPECTOR GENERAL U.S.DEPARTMENT OF THE INTERIOR Memorandum JUN 0 4 2014 To: From:

More information

FREQUENTLY ASKED QUESTIONS

FREQUENTLY ASKED QUESTIONS FREQUENTLY ASKED QUESTIONS Continuous Monitoring 1. What is continuous monitoring? Continuous monitoring is one of six steps in the Risk Management Framework (RMF) described in NIST Special Publication

More information

Privacy Impact Assessment (PIA) for the. Certification & Accreditation (C&A) Web (SBU)

Privacy Impact Assessment (PIA) for the. Certification & Accreditation (C&A) Web (SBU) Privacy Impact Assessment (PIA) for the Cyber Security Assessment and Management (CSAM) Certification & Accreditation (C&A) Web (SBU) Department of Justice Information Technology Security Staff (ITSS)

More information

VA Office of Inspector General

VA Office of Inspector General VA Office of Inspector General OFFICE OF AUDITS & EVALUATIONS Department of Veterans Affairs Federal Information Security Management Act Audit for Fiscal Year 2013 May 29, 2014 13-01391-72 ACRONYMS AND

More information

U.S. CONSUMER PRODUCT SAFTEY COMMISSION OFFICE OF INSPECTOR GENERAL FY 2015 FEDERAL INFORMATION SECURITY MANAGEMENT ACT REVIEW REPORT

U.S. CONSUMER PRODUCT SAFTEY COMMISSION OFFICE OF INSPECTOR GENERAL FY 2015 FEDERAL INFORMATION SECURITY MANAGEMENT ACT REVIEW REPORT U.S. CONSUMER PRODUCT SAFTEY COMMISSION OFFICE OF INSPECTOR GENERAL FY 2015 FEDERAL INFORMATION SECURITY MANAGEMENT ACT REVIEW REPORT Issued: 12/8/2015 This report conveys the results of the OIG s review

More information

Office of Audits and Evaluations Report No. AUD-13-007. The FDIC s Controls over Business Unit- Led Application Development Activities

Office of Audits and Evaluations Report No. AUD-13-007. The FDIC s Controls over Business Unit- Led Application Development Activities Office of Audits and Evaluations Report No. AUD-13-007 The FDIC s Controls over Business Unit- Led Application Development Activities September 2013 Executive Summary The FDIC s Controls over Business

More information

Department of Homeland Security

Department of Homeland Security Implementation Status of EINSTEIN 3 Accelerated OIG-14-52 March 2014 Washington, DC 20528 / www.oig.dhs.gov March 24, 2014 MEMORANDUM FOR: FROM: SUBJECT: Bobbie Stempfley Acting Assistant Secretary Office

More information

2012 FISMA Executive Summary Report

2012 FISMA Executive Summary Report 2012 FISMA Executive Summary Report March 29, 2013 UNITED STATES SECURITIES AND EXCHANGE COMMISSION WASHINGTON, D.C. 20549 OI'!'ICEOI' lnstfl! C1'0R GENERAt MEMORANDUM March 29,2013 To: Jeff Heslop, Chief

More information

Department of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS

Department of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS Department of Veterans Affairs VA Directive 6004 Washington, DC 20420 Transmittal Sheet September 28, 2009 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS 1. REASON FOR ISSUE: This Directive establishes

More information

Section 37.1 Purpose... 1. Section 37.2 Background... 3. Section 37.3 Scope and Applicability... 4. Section 37.4 Policy... 5

Section 37.1 Purpose... 1. Section 37.2 Background... 3. Section 37.3 Scope and Applicability... 4. Section 37.4 Policy... 5 CIOP CHAPTER 37 Departmental Cybersecurity Policy TABLE OF CONTENTS Section 37.1 Purpose... 1 Section 37.2 Background... 3 Section 37.3 Scope and Applicability... 4 Section 37.4 Policy... 5 Section 37.5

More information

Deputy Chief Financial Officer Peggy Sherry. And. Chief Information Security Officer Robert West. U.S. Department of Homeland Security.

Deputy Chief Financial Officer Peggy Sherry. And. Chief Information Security Officer Robert West. U.S. Department of Homeland Security. Deputy Chief Financial Officer Peggy Sherry And Chief Information Security Officer Robert West U.S. Department of Homeland Security Testimony Before the Subcommittee on Government Organization, Efficiency

More information

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE 5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE 5 FAH-11 H-510 GENERAL (Office of Origin: IRM/IA) 5 FAH-11 H-511 INTRODUCTION 5 FAH-11 H-511.1 Purpose a. This subchapter implements the policy

More information

Audit of the Department of State Information Security Program

Audit of the Department of State Information Security Program UNITED STATES DEPARTMENT OF STATE AND THE BROADCASTING BOARD OF GOVERNORS OFFICE OF INSPECTOR GENERAL AUD-IT-15-17 Office of Audits October 2014 Audit of the Department of State Information Security Program

More information

INTERNATIONAL TRADE ADMINISTRATION Improvements Are Needed to Strengthen ITA s Information Technology Security Program

INTERNATIONAL TRADE ADMINISTRATION Improvements Are Needed to Strengthen ITA s Information Technology Security Program INTERNATIONAL TRADE ADMINISTRATION Improvements Are Needed to Strengthen ITA s Information Technology Security Program FINAL REPORT NO. OIG-12-037-A SEPTEMBER 27, 2012 U.S. Department of Commerce Office

More information

September 2005 Report No. 05-031. FDIC s Information Technology Configuration Management Controls Over Operating System Software

September 2005 Report No. 05-031. FDIC s Information Technology Configuration Management Controls Over Operating System Software September 2005 Report No. 05-031 FDIC s Information Technology Configuration Management Controls Over Operating System Software Report No. 05-031 September 2005 FDIC s Information Technology Configuration

More information

Cloud Security for Federal Agencies

Cloud Security for Federal Agencies Experience the commitment ISSUE BRIEF Rev. April 2014 Cloud Security for Federal Agencies This paper helps federal agency executives evaluate security and privacy features when choosing a cloud service

More information

Security Authorization Process Guide

Security Authorization Process Guide Security Authorization Process Guide Office of the Chief Information Security Officer (CISO) Version 10 [June 6, 2013] TABLE OF CONTENTS 1.0 Introduction... 7 1.1 Background... 7 1.2 Purpose... 8 1.3 Scope...

More information

BPA Policy 434-1 Cyber Security Program

BPA Policy 434-1 Cyber Security Program B O N N E V I L L E P O W E R A D M I N I S T R A T I O N BPA Policy Table of Contents.1 Purpose & Background...2.2 Policy Owner... 2.3 Applicability... 2.4 Terms & Definitions... 2.5 Policy... 5.6 Policy

More information

Risk Management Framework (RMF): The Future of DoD Cyber Security is Here

Risk Management Framework (RMF): The Future of DoD Cyber Security is Here Risk Management Framework (RMF): The Future of DoD Cyber Security is Here Authors: Rebecca Onuskanich William Peterson 3300 N Fairfax Drive, Suite 308 Arlington, VA 22201 Phone: 571-481-9300 Fax: 202-315-3003

More information

STATEMENT OF CHARLES EDWARDS DEPUTY INSPECTOR GENERAL U.S. DEPARTMENT OF HOMELAND SECURITY BEFORE THE

STATEMENT OF CHARLES EDWARDS DEPUTY INSPECTOR GENERAL U.S. DEPARTMENT OF HOMELAND SECURITY BEFORE THE STATEMENT OF CHARLES EDWARDS DEPUTY INSPECTOR GENERAL U.S. DEPARTMENT OF HOMELAND SECURITY BEFORE THE COMMITTEE ON HOMELAND SECURITY SUBCOMMITTEE ON OVERSIGHT AND MANAGEMENT EFFICIENCY U.S. HOUSE OF REPRESENTATIVES

More information

ClOP CHAPTER 1351.39. Departmental Information Technology Governance Policy TABLE OF CONTENTS. Section 39.1

ClOP CHAPTER 1351.39. Departmental Information Technology Governance Policy TABLE OF CONTENTS. Section 39.1 ClOP CHAPTER 1351.39 Departmental Information Technology Governance Policy TABLE OF CONTENTS Section 39.1 Purpose... 1 Section 39.2 Section 39.3 Section 39.4 Section 39.5 Section 39.6 Section 39.7 Section

More information

Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record

Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record Roberta Stempfley Acting Assistant Secretary for Cybersecurity and Communications

More information

FEDERAL INFORMATION SECURITY. Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness

FEDERAL INFORMATION SECURITY. Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness United States Government Accountability Office Report to Congressional Committees September 2013 FEDERAL INFORMATION SECURITY Mixed Progress in Implementing Program Components; Improved Metrics Needed

More information

In Brief. Smithsonian Institution Office of the Inspector General

In Brief. Smithsonian Institution Office of the Inspector General In Brief Smithsonian Institution Office of the Inspector General Smithsonian Institution Network Infrastructure (SINet) Report Number A-09-01, September 30, 2009 Why We Did This Audit Under the Federal

More information

SECURITY WEAKNESSES IN DOT S COMMON OPERATING ENVIRONMENT EXPOSE ITS SYSTEMS AND DATA TO COMPROMISE

SECURITY WEAKNESSES IN DOT S COMMON OPERATING ENVIRONMENT EXPOSE ITS SYSTEMS AND DATA TO COMPROMISE FOR OFFICIAL USE ONLY SECURITY WEAKNESSES IN DOT S COMMON OPERATING ENVIRONMENT EXPOSE ITS SYSTEMS AND DATA TO COMPROMISE Department of Transportation Report No. FI-2013-123 Date Issued: September 10,

More information

AUDIT REPORT. The Energy Information Administration s Information Technology Program

AUDIT REPORT. The Energy Information Administration s Information Technology Program U.S. Department of Energy Office of Inspector General Office of Audits and Inspections AUDIT REPORT The Energy Information Administration s Information Technology Program DOE-OIG-16-04 November 2015 Department

More information

How To Check If Nasa Can Protect Itself From Hackers

How To Check If Nasa Can Protect Itself From Hackers SEPTEMBER 16, 2010 AUDIT REPORT OFFICE OF AUDITS REVIEW OF NASA S MANAGEMENT AND OVERSIGHT OF ITS INFORMATION TECHNOLOGY SECURITY PROGRAM OFFICE OF INSPECTOR GENERAL National Aeronautics and Space Administration

More information

Office of the Inspector General United States Office of Personnel Management. Statement of Michael R. Esser Assistant Inspector General for Audits

Office of the Inspector General United States Office of Personnel Management. Statement of Michael R. Esser Assistant Inspector General for Audits Office of the Inspector General United States Office of Personnel Management Statement of Michael R. Esser Assistant Inspector General for Audits before the Committee on Appropriations United States Senate

More information

FY 2015 Inspector General Federal Information Security Modernization Act Reporting Metrics V1.2

FY 2015 Inspector General Federal Information Security Modernization Act Reporting Metrics V1.2 FY 2015 Inspector General Federal Information Security Modernization Act Reporting Metrics V1.2 Prepared by: U.S. Department of Homeland Security Office of Cybersecurity and Communications Federal Network

More information

INFORMATION SECURITY. Evaluation of GAO s Program and Practices for Fiscal Year 2012 OIG-13-2

INFORMATION SECURITY. Evaluation of GAO s Program and Practices for Fiscal Year 2012 OIG-13-2 INFORMATION SECURITY Evaluation of GAO s Program and Practices for Fiscal Year 2012 OIG-13-2 Office of the Inspector General U.S. Government Accountability Office Report Highlights February 2013 INFORMATION

More information

Report: Symantec Solutions for Federal Government: CyberScope

Report: Symantec Solutions for Federal Government: CyberScope CyberScope and Tighter Cybersecurity y Reporting Requirements: Are You Ready? Report: Symantec Solutions for Federal Government: CyberScope CyberScope and Tighter Cybersecurity y Reporting Requirements:

More information

Continuous Monitoring in a Risk Management Framework. US Census Bureau Oct 2012

Continuous Monitoring in a Risk Management Framework. US Census Bureau Oct 2012 Monitoring in a Risk Management Framework US Census Bureau Oct 2012 Agenda Drivers for Monitoring What is Monitoring Monitoring in a Risk Management Framework (RMF) RMF Cost Efficiencies RMF Lessons Learned

More information

Audit of Security Controls for DHS Information Technology Systems at San Francisco International Airport

Audit of Security Controls for DHS Information Technology Systems at San Francisco International Airport Audit of Security Controls for DHS Information Technology Systems at San Francisco International Airport May 7, 2015 DHS OIG HIGHLIGHTS Audit of Security Controls for DHS Information Technology Systems

More information

Review of the SEC s Systems Certification and Accreditation Process

Review of the SEC s Systems Certification and Accreditation Process Review of the SEC s Systems Certification and Accreditation Process March 27, 2013 Page i Should you have any questions regarding this report, please do not hesitate to contact me. We appreciate the courtesy

More information

AUDIT REPORT. The Department of Energy's Management of Cloud Computing Activities

AUDIT REPORT. The Department of Energy's Management of Cloud Computing Activities U.S. Department of Energy Office of Inspector General Office of Audits and Inspections AUDIT REPORT The Department of Energy's Management of Cloud Computing Activities DOE/IG-0918 September 2014 Department

More information

Audit Report. Management of Naval Reactors' Cyber Security Program

Audit Report. Management of Naval Reactors' Cyber Security Program U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report Management of Naval Reactors' Cyber Security Program DOE/IG-0884 April 2013 Department of Energy Washington,

More information

FEDERAL HOUSING FINANCE AGENCY OFFICE OF INSPECTOR GENERAL

FEDERAL HOUSING FINANCE AGENCY OFFICE OF INSPECTOR GENERAL FEDERAL HOUSING FINANCE AGENCY OFFICE OF INSPECTOR GENERAL Clifton Gunderson LLP s Independent Audit of the Federal Housing Finance Agency s Information Security Program - 2011 Audit Report: AUD-2011-002

More information

How To Audit The Mint'S Information Technology

How To Audit The Mint'S Information Technology Audit Report OIG-05-040 INFORMATION TECHNOLOGY: Mint s Computer Security Incident Response Capability Needs Improvement July 13, 2005 Office of Inspector General Department of the Treasury Contents Audit

More information

Briefing Report: Improvements Needed in EPA s Information Security Program

Briefing Report: Improvements Needed in EPA s Information Security Program U.S. ENVIRONMENTAL PROTECTION AGENCY OFFICE OF INSPECTOR GENERAL Briefing Report: Improvements Needed in EPA s Information Security Program Report No. 13-P-0257 May 13, 2013 Scan this mobile code to learn

More information

OFFICE OF INSPECTOR GENERAL

OFFICE OF INSPECTOR GENERAL OFFICE OF INSPECTOR GENERAL Audit Report Catalyst for Improving the Environment Evaluation of U.S. Chemical Safety and Hazard Investigation Board s Compliance with the Federal Information Security Management

More information

Technology Blueprint. Assess Your Vulnerabilities. Maintain a continuous understanding of assets and manage vulnerabilities in real time

Technology Blueprint. Assess Your Vulnerabilities. Maintain a continuous understanding of assets and manage vulnerabilities in real time Technology Blueprint Assess Your Vulnerabilities Maintain a continuous understanding of assets and manage vulnerabilities in real time LEVEL 1 2 3 4 5 SECURITY CONNECTED REFERENCE ARCHITECTURE LEVEL 1

More information

VA Office of Inspector General

VA Office of Inspector General VA Office of Inspector General OFFICE OF AUDITS & EVALUATIONS Department of Veterans Affairs Federal Information Security Management Act Audit for Fiscal Year 2014 May 19, 2015 14-01820-355 ACRONYMS CRISP

More information

FY 2016 Inspector General Federal Information Security Modernization Act of 2014 Reporting Metrics V1.0

FY 2016 Inspector General Federal Information Security Modernization Act of 2014 Reporting Metrics V1.0 FY 2016 Inspector General Federal Information Security Modernization Act of 2014 Reporting Metrics V1.0 June 20, 2016 Document History Version Date Comments Sec/Page 1.0 19 June 2016 Aligned questions

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

How To Get The Nist Report And Other Products For Free

How To Get The Nist Report And Other Products For Free National Institute of Standards and Technology (NIST) The Information Technology Lab Computer Security Division (893) Now What? What does NIST have for you to use and how do you get it? How do you contact

More information

NOTICE: This publication is available at: http://www.nws.noaa.gov/directives/.

NOTICE: This publication is available at: http://www.nws.noaa.gov/directives/. Department of Commerce National Oceanic & Atmospheric Administration National Weather Service NATIONAL WEATHER SERVICE INSTRUCTION 60-703 23 April 2013 Information Technology IT Security VULNERABILITY

More information

Corporate Overview. MindPoint Group, LLC 8078 Edinburgh Drive, Springfield, VA 22153 Office: 703.636.2033 Fax: 866.761.7457 www.mindpointgroup.

Corporate Overview. MindPoint Group, LLC 8078 Edinburgh Drive, Springfield, VA 22153 Office: 703.636.2033 Fax: 866.761.7457 www.mindpointgroup. Corporate Overview MindPoint Group, LLC 8078 Edinburgh Drive, Springfield, VA 22153 Office: 703.636.2033 Fax: 866.761.7457 www.mindpointgroup.com IS&P Practice Areas Core Competencies Clients & Services

More information

2014 Audit of the CFPB s Information Security Program

2014 Audit of the CFPB s Information Security Program O FFICE OF I NSPECTOR GENERAL Audit Report 2014-IT-C-020 2014 Audit of the CFPB s Information Security Program November 14, 2014 B OARD OF G OVERNORS OF THE F EDERAL R ESERVE S YSTEM C ONSUMER FINANCIAL

More information

Department of Homeland Security Office of Inspector General. DHS Needs to Improve the Security Posture of Its Cybersecurity Program Systems

Department of Homeland Security Office of Inspector General. DHS Needs to Improve the Security Posture of Its Cybersecurity Program Systems Department of Homeland Security Office of Inspector General DHS Needs to Improve the Security Posture of Its Cybersecurity Program Systems OIG-10-111 August 2010 Office ofinspector General u.s. Department

More information

EPA Needs to Improve Security Planning and Remediation of Identified Weaknesses in Systems Used to Protect Human Health and the Environment

EPA Needs to Improve Security Planning and Remediation of Identified Weaknesses in Systems Used to Protect Human Health and the Environment U.S. ENVIRONMENTAL PROTECTION AGENCY OFFICE OF INSPECTOR GENERAL Information Technology EPA Needs to Improve Security Planning and Remediation of Identified Weaknesses in Systems Used to Protect Human

More information

December 8, 2011. Security Authorization of Information Systems in Cloud Computing Environments

December 8, 2011. Security Authorization of Information Systems in Cloud Computing Environments December 8, 2011 MEMORANDUM FOR CHIEF INFORMATION OFFICERS FROM: SUBJECT: Steven VanRoekel Federal Chief Information Officer Security Authorization of Information Systems in Cloud Computing Environments

More information

Office of Inspector General Corporation for National and Community Service

Office of Inspector General Corporation for National and Community Service Office of Inspector General Corporation for National and Community Service FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) INDEPENDENT EVALUATION FOR FY 2013 OIG REPORT 14-03 1201 New York Ave, NW

More information

FedRAMP Standard Contract Language

FedRAMP Standard Contract Language FedRAMP Standard Contract Language FedRAMP has developed a security contract clause template to assist federal agencies in procuring cloud-based services. This template should be reviewed by a Federal

More information