Risk Management Framework (RMF): The Future of DoD Cyber Security is Here


Authors: Rebecca Onuskanich, William Peterson
3300 N Fairfax Drive, Suite 308, Arlington, VA

In 2008, the Intelligence Community (IC) CIO, the Department of Defense (DoD) CIO, the Committee on National Security Systems (CNSS), and the National Institute of Standards and Technology (NIST) formed the Joint Task Force (JTF) Transformation Initiative Interagency Working Group. This interagency working group's effort is to produce a holistic, common process for security risk management, as documented in the NIST Special Publications (SP) designated as JTF Transformation Initiative documents. The initial transformation plan laid out seven goals:

1. Define a common set of trust (impact) levels and adopt and apply them across the IC and DoD. Organizations will no longer use different levels with different names based on unlike criteria. (CNSSI-1253: Security Categorization and Control Selection for National Security Systems, dated October 2009, via DoDI )
2. Adopt reciprocity as the norm, enabling organizations to accept the approvals of others without retesting or reviewing. (NIST SP , Revision 1: Guide for Applying the Risk Management Framework to Federal Information Systems, via DoDI )
3. Define, document, and adopt common security controls, using NIST Special Publication (SP) as a baseline. (NIST SP , Revision 3: Recommended Security Controls for Federal Information Systems and Organizations, via DoDI )
4. Adopt a common lexicon, using CNSS Instruction 4009 as a baseline, thereby giving the DoD and IC a common language. (CNSSI National Information Assurance Glossary)
5. Institute a Senior Risk Executive Function (REF), which bases decisions on an enterprise view of risk considering all factors, including mission, Information Technology (IT), budget, and security. (NIST SP , Rev 1, via DoDI )
6. Incorporate information assurance (IA) into Enterprise Architectures and deliver IA as common enterprise services across the IC and DoD. (NIST SP , Rev 1, via DoDI and DoDI )
7. Enable a common process that incorporates security within the lifecycle processes and eliminates security-specific processes. The common process will be adaptable to various development environments. (NIST SP , Rev 1, via DoDI and DoDI )

The DoD CIO developed a control-level mapping between NIST SP and DoDI in collaboration with the Department of the Navy (DON) CIO and posted it to the DoD Information Assurance Certification and Accreditation Process (DIACAP) Knowledge Service for review and feedback. The mapping is intended to inform the community on the relationships between the DoDI and NIST SP security controls, not to be directive in nature. It was intended as an evolving product, and the community has been encouraged to provide input and comment on the mapping.

The goal of the transition in the DoD is that there will be no hard-right turns. IA is already embedded throughout the DoD's acquisition and capabilities development lifecycles with the current DIACAP process. The NIST SP Risk Management Framework (RMF) aligns closely with the DIACAP process, and the RMF will be implemented via the DIACAP Knowledge Service and DoDD/I updates. The main concern for the DoD will be the use of NIST SP Rev 4 for the security controls and the changes in terminology.

The DoD will be reissued as an instruction and incorporate DoDI IA Implementation. It changes the name from Information Assurance to Cybersecurity, a standard throughout the community. The updated policy will also:
- Extend applicability to all IT processing DoD information;
- Emphasize operational resilience, integration and interoperability;
- Align with Joint transformation and transition to the NIST SP Control Catalog;
- Adopt a common lexicon;
- Provide more leverage of federal policies and standards;
- Adopt reciprocity as the norm;
- Incorporate security early and continuously within the acquisition lifecycle;
- Emphasize continuous monitoring and timely correction of deficiencies; and
- Facilitate multinational information sharing efforts.

DIACAP will be renamed the Risk Management Framework for DoD Information Technology and aligned with the Joint Transformation goals. It provides clarity on which IT systems, devices, applications, etc. should undergo the RMF process and how it should be implemented, and it codifies reciprocity, a theme throughout the transition and the RMF.

The DoD will implement CNSSI 1253, Security Categorization and Control Selection for National Security Systems, and NIST SP , Recommended Security Controls for Federal Information Systems and Organizations. In addition, there will be a sunsetting of DoDI controls and a transition to NIST SP controls. System categorization will shift from the use of a Mission Assurance Category (MAC) and Confidentiality Level (CL) to the use of CNSSI 1253. NIST SP A, Guide for Assessing the Security Controls in Federal Information Systems: Building Effective Assessment Plans, will be the guide for assessing the controls, taking the place of the validation spreadsheet. It will not, however, replace the Security Technical Implementation Guides (STIGs), but will provide support for the security requirements.

The documentation that the DoD will be leveraging to support the process includes the following NIST Special Publications (SP) Joint Task Force (JTF) Initiative documents and CNSS instruction:
- NIST SP , Security and Privacy Controls for Federal Information Systems and Organizations
- NIST SP A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
- NIST SP , Guide for Applying the Risk Management Framework to Federal Information Systems
- NIST SP , Managing Information Security Risk: Organization, Mission, and Information System View
- NIST SP , Guide for Conducting Risk Assessments
- CNSSI 1253, Security Categorization and Control Selection for National Security Systems

The RMF process is composed of six steps:
Step 1: Categorize Information System
Step 2: Select Security Controls
Step 3: Implement Security Controls
Step 4: Assess Security Controls
Step 5: Authorize Information System
Step 6: Monitor Security Controls

The output of the RMF process includes current security authorization artifacts (submitted as part of the Security Authorization Package) for the Information System (IS) that the Authorizing Official (AO) will use to determine whether deployment of the IS presents, or continues to present, an acceptable level of risk to organizational operations, organizational assets, individuals, other organizations, and the Nation. Security artifacts include, but are not limited to: System Security Plan (SSP), Risk Assessment Report (RAR), Information Security Continuous Monitoring (ISCM) Plan, Security Assessment Report (SAR), and Plan of Action and Milestones (POA&M).

The transition for the DoD can be almost seamless for organizations if they properly train their personnel and prepare for the changes. Organizations must understand that there will be a period of time in which they must manage accreditation packages under both DIACAP and the RMF, including differences in security controls and documentation. The ultimate goal should be not to focus so much on the differences in the process and packages, but to understand that both emphasize risk management. Each organization will need to develop a transition plan that works for it effectively and efficiently. The last thing that needs to happen is significant delays in the approval process due to a change in the accreditation process. There are already significant issues in many DoD organizations with systems getting through the accreditation process in an acceptable period of time. I personally have worked on accreditations for systems that have taken over three years. By the time the approval to operate (ATO) was signed, a newer version of the operating system had already been migrated in the DoD, which obviously caused significant issues and additional delays.

DoD Instructions and Agency Regulations provide the minimal requirements and guidelines for DoD-specific implementation of security; STIGs are provided as a guideline for developing a security baseline for a system; and NIST Special Publications are written to provide a framework and minimal recommendations for security for systems and organizations. The authorization process is a unique balance of security, operations and budget. The cost of security should not be more than the value of the system or the data it stores, transmits and processes. Organizations need to understand that the AO is the only person that can accept risk. This means that they are not to halt packages from moving through the approval process due to open vulnerabilities alone. Paragraph of DODI states: Severity categories are expressed as category (CAT) I, CAT II, and CAT III. Severity categories are assigned after considering all possible mitigation measures that have been implemented within system design and architecture limitations for the DoD IS in question. For instance, what may be a CAT I weakness in a component part of a system (e.g., a workstation or server) may be offset or mitigated by other protections within hosting enclaves so that the overall risk to the system is reduced to a CAT II.

On multiple occasions, we have been told by DoD IA personnel that a DoD site's security posture (firewalls, IDS, IPS, etc.) cannot be considered as a mitigation for a vendor's application or system that will reside within the DoD site's enclave. This begs the question: has the site implemented a multilevel security architecture as required by DoD regulation, or is the IA staff neither properly trained nor experienced enough to understand the site's security implementation, or are they merely unfamiliar with the directives and instructions inherent to their position?

In order to effectively transition to the RMF, we must train our personnel. There are currently not enough security engineers to fill the available positions in the DoD, and therefore the roles of Information Assurance Manager, Validator, Certifier, and Security Engineer are being filled by personnel who do not have the knowledge and experience. This is causing significant issues in the process. I have attended validation testing for my system where the security engineer conducting the validation testing could not get the vulnerability assessment tool to run and did not know what many of the manual checks in the STIGs were asking them to validate. My team eventually ran the scans while the validator watched. This is not risk management or vulnerability assessment, but a complete waste of time for six people, since we had provided the exact tests and reports the week before, along with all supporting evidence for false positives and items needing to be annotated as an acceptable risk mitigated by defense-in-depth strategies.

Another key issue that the RMF emphasizes is reciprocity. While DIACAP reciprocity was directed in July 2009, and I am sure there may be some implementation of reciprocity somewhere in the DoD, I have yet to see any organization implement an instance of reciprocity. While all DAAs have their own pain threshold for risk acceptance, I do not believe the vast majority of DAAs and IAMs have the training or experience to understand, let alone implement, reciprocity. This lack of implementation causes all parties (the DoD and vendors supporting the DoD) an excessive loss of man-hours due to duplication of effort. Currently the Reciprocity Memorandum is a paper tiger, without teeth. A mandate without enforcement is useless.

The RMF also assists with the approval and use of commercial Cloud Service Providers (CSPs). The Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB) provides a streamlined avenue for federal agencies to utilize CSPs as a way to store, transmit and process federal information and potentially save significant costs. CSPs can receive a Provisional Authorization after undergoing an independent security assessment by an accredited Third-Party Assessment Organization (3PAO), such as Lunarline. The benefit to the DoD here is that the FedRAMP process is governed by the JAB, which has representatives from the Department of Homeland Security (DHS), the General Services Administration (GSA), and the Department of Defense (DoD). It has been agreed that the JAB can issue Provisional Authorizations for CSPs identified by the DoD as Mission Assurance Category (MAC) II, Sensitive. This again is another way in which the entire transformation is helping to speed up the process and reduce costs by leveraging reciprocity.

It is my hope that, as an organization, the DoD can work to get qualified individuals into the cyber security positions and work to appropriately train those already filling the positions. As well, the transition to the RMF will require planning, coordination and education for all personnel involved in the process. The most advantageous piece of this transition is that federal agencies have been following this process for years, and there is an enormous number of people who can provide guidance, lessons learned and recommendations for the transition. There is no reason to go at this alone and try to recreate the process to make a name for ourselves. The process is thoroughly documented, the templates are in place and proven, and the training is widely available. Let's leverage it this time.

For detailed information on the DoD's interpretation of the RMF, please see the previously documented white paper: rmf%20-%20lunarline%20white%20paper_dec%2011.pdf


LUNARLINE: School of Cyber Security. Dedicated to providing excellence in Cyber Security Training Certifications. ISO 9001: 2008 Certified LUNARLINE: School of Cyber Security Dedicated to providing excellence in Cyber Security Training Certifications ISO 9001: 2008 Certified Maturity Level 2 of CMMI Top 2% D&B Rating VA Certified Service

More information

Esri Managed Cloud Services and FedRAMP

Esri Managed Cloud Services and FedRAMP Federal GIS Conference February 9 10, 2015 Washington, DC Esri Managed Cloud Services and FedRAMP Erin Ross & Michael Young Agenda Esri Managed Services Program Overview Example Deployments New FedRAMP

More information

Building Security In:

Building Security In: #CACyberSS2015 Building Security In: Intelligent Security Design, Development and Acquisition Steve Caimi Industry Solutions Specialist, US Public Sector Cybersecurity September 2015 A Little About Me

More information

HEALTHCARE SECURITY AND PRIVACY CATALOG OF SERVICES

HEALTHCARE SECURITY AND PRIVACY CATALOG OF SERVICES HEALTHCARE SECURITY AND PRIVACY CATALOG OF SERVICES OCTOBER 2014 3300 North Fairfax Drive, Suite 308 Arlington, Virginia 22201 USA +1.571.481.9300 www.lunarline.com OUR CLIENTS INCLUDE Contents Healthcare

More information

Applying the DOD Information Assurance C&A Process (DIACAP) Overview

Applying the DOD Information Assurance C&A Process (DIACAP) Overview Applying the DOD Information Assurance C&A Process (DIACAP) Overview C&A, Risk, and the System Life Cycle 2006 Hatha Systems Agenda Part 1 Part 2 Part 3 The C&A Challenge DOD s IA Framework Making C&A

More information

Cybersecurity in a Mobile IP World

Cybersecurity in a Mobile IP World Cybersecurity in a Mobile IP World Alexander Benitez, Senior Scientist, ComSource Introduction by Robert Durbin, Cybersecurity Program Manager, ComSource Introduction ComSource s cybersecurity initiative

More information

Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services

Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services 4937 Fargo Street North Charleston SC 29418 Phone 843.266.2330 Fax 843.266.2333 w w w. c o d e l y n x. c o m Request for Information: Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring,

More information

SECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK

SECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK SECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK BACKGROUND The National Institute of Standards and Technology (NIST) Special Publication 800-53 defines a comprehensive set of controls that is the basis

More information

C O R P O R AT E O V E R V I E W. a C y b e r S e c u r i t y a n d P r i v a c y C o m p a n y

C O R P O R AT E O V E R V I E W. a C y b e r S e c u r i t y a n d P r i v a c y C o m p a n y C O R P O R AT E O V E R V I E W a C y b e r S e c u r i t y a n d P r i v a c y C o m p a n y Our Only Discipline is Cyber Security & Privacy Solutions Status: VA Certified Service Disabled Veteran Owned

More information

Vulnerability Scanning Requirements and Process Clarification Comment Disposition and FAQ 11/27/2014

Vulnerability Scanning Requirements and Process Clarification Comment Disposition and FAQ 11/27/2014 Vulnerability Scanning Requirements and Process Clarification Disposition and FAQ 11/27/2014 Table of Contents 1. Vulnerability Scanning Requirements and Process Clarification Disposition... 3 2. Vulnerability

More information

DEPARTMENT OF VETERANS AFFAIRS VA DIRECTIVE 6517 CLOUD COMPUTING SERVICES

DEPARTMENT OF VETERANS AFFAIRS VA DIRECTIVE 6517 CLOUD COMPUTING SERVICES DEPARTMENT OF VETERANS AFFAIRS VA DIRECTIVE 6517 Washington, DC 20420 Transmittal Sheet February 28, 2012 CLOUD COMPUTING SERVICES 1. REASON FOR ISSUE: This Directive establishes the Department of Veterans

More information

Continuous Monitoring in a Risk Management Framework. US Census Bureau Oct 2012

Continuous Monitoring in a Risk Management Framework. US Census Bureau Oct 2012 Monitoring in a Risk Management Framework US Census Bureau Oct 2012 Agenda Drivers for Monitoring What is Monitoring Monitoring in a Risk Management Framework (RMF) RMF Cost Efficiencies RMF Lessons Learned

More information

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

More information

SECURITY CATEGORIZATION AND CONTROL SELECTION FOR NATIONAL SECURITY SYSTEMS

SECURITY CATEGORIZATION AND CONTROL SELECTION FOR NATIONAL SECURITY SYSTEMS Committee on National Security Systems CNSS Instruction No. 1253 October 2009 SECURITY CATEGORIZATION AND CONTROL SELECTION FOR NATIONAL SECURITY SYSTEMS Version 1 Committee on National Security Systems

More information

CS 2 SAT: The Control Systems Cyber Security Self-Assessment Tool

CS 2 SAT: The Control Systems Cyber Security Self-Assessment Tool INL/CON-07-12810 PREPRINT CS 2 SAT: The Control Systems Cyber Security Self-Assessment Tool ISA Expo 2007 Kathleen A. Lee January 2008 This is a preprint of a paper intended for publication in a journal

More information

Automate Risk Management Framework

Automate Risk Management Framework Automate Risk Management Framework Providing Dynamic Continuous Monitoring, Operationalizing Cybersecurity and Accountability for People, Process and Technology Computer Network Assurance Corporation (CNA)

More information

Independent Security Operations Oversight and Assessment. Captain Timothy Holland PM NGEN

Independent Security Operations Oversight and Assessment. Captain Timothy Holland PM NGEN Independent Security Operations Oversight and Assessment Captain Timothy Holland PM NGEN 23 June 2010 Independent Security Operations Oversight and Assessment Will Jordan NGEN Cyber Security 23 June 2010

More information

Continuous Monitoring

Continuous Monitoring Continuous Monitoring The Evolution of FISMA Compliance Tina Kuligowski Tina.Kuligowski@Securible.com Overview Evolution of FISMA Compliance NIST Standards & Guidelines (SP 800-37r1, 800-53) OMB Memorandums

More information

System Security Certification and Accreditation (C&A) Framework

System Security Certification and Accreditation (C&A) Framework System Security Certification and Accreditation (C&A) Framework Dave Dickinson, IOAT ISSO Chris Tillison, RPMS ISSO Indian Health Service 5300 Homestead Road, NE Albuquerque, NM 87110 (505) 248-4500 fax:

More information

BPA Policy 434-1 Cyber Security Program

BPA Policy 434-1 Cyber Security Program B O N N E V I L L E P O W E R A D M I N I S T R A T I O N BPA Policy Table of Contents.1 Purpose & Background...2.2 Policy Owner... 2.3 Applicability... 2.4 Terms & Definitions... 2.5 Policy... 5.6 Policy

More information

NICE and Framework Overview

NICE and Framework Overview NICE and Framework Overview Bill Newhouse NIST NICE Leadership Team Computer Security Division Information Technology Lab National Institute of Standards and Technology TABLE OF CONTENTS Introduction to

More information

Audit of the Department of State Information Security Program

Audit of the Department of State Information Security Program UNITED STATES DEPARTMENT OF STATE AND THE BROADCASTING BOARD OF GOVERNORS OFFICE OF INSPECTOR GENERAL AUD-IT-15-17 Office of Audits October 2014 Audit of the Department of State Information Security Program

More information

Cybersecurity is one of the most important challenges for our military today. Cyberspace. Cybersecurity. Defending the New Battlefield

Cybersecurity is one of the most important challenges for our military today. Cyberspace. Cybersecurity. Defending the New Battlefield Cybersecurity Defending the New Battlefield Steven J. Hutchison, Ph.D. Cybersecurity is one of the most important challenges for our military today. Cyberspace is a new warfighting domain, joining the

More information

Information System Security Officer (ISSO) Guide

Information System Security Officer (ISSO) Guide Information System Security Officer (ISSO) Guide Office of the Chief Information Security Officer Version 10 September 16, 2013 DEPARTMENT OF HOMELAND SECURITY Document Change History INFORMATION SYSTEM

More information

FedRAMP Online Training Security Assessment Plan (SAP) Overview 12/9/2015 Presented by: FedRAMP PMO

FedRAMP Online Training Security Assessment Plan (SAP) Overview 12/9/2015 Presented by: FedRAMP PMO FedRAMP Online Training Security Assessment Plan (SAP) Overview 12/9/2015 Presented by: FedRAMP PMO www.fedramp.gov www.fedramp.gov 1 Today s Training Welcome to Part Four of the FedRAMP Training Series:

More information

DOD & Cloud Computing: Rapid Access Computing Environment (RACE) A Case Study

DOD & Cloud Computing: Rapid Access Computing Environment (RACE) A Case Study DOD & Cloud Computing: Rapid Access Computing Environment (RACE) A Case Study Henry J. Sienkiewicz Technical Program Director Computing Services Digital Government Institute s Cloud Computing Conference

More information

Introduction to NICE Cybersecurity Workforce Framework

Introduction to NICE Cybersecurity Workforce Framework Introduction to NICE Cybersecurity Workforce Framework Jane Homeyer, Ph.D., Deputy ADNI/HC for Skills and Human Capital Data, ODNI Margaret Maxson, Director, National Cybersecurity Education Strategy,

More information

NASA Information Technology Requirement

NASA Information Technology Requirement NASA Information Technology Requirement NITR-2800-2 Effective Date: September 18,2009 Expiration Date: September 18, 2013 Email Services and Email Forwarding Responsible Office: OCIO/ Chief Information

More information

SECURITY ASSESSMENT AND AUTHORIZATION

SECURITY ASSESSMENT AND AUTHORIZATION SECURITY ASSESSMENT AND AUTHORIZATION INFORMATION SYSTEM SECURITY ASSESSMENT AND AUTHORIZATION PROCESS CHAPTER 02 ITS-HBK-2810.02-02 HANDBOOK EFFECTIVE DATE: 20150201 EXPIRATION DATE: 20180201 RESPONSIBLE

More information

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07 EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014

More information

Cybersecurity of. President. July 2, 2013. mchipley@pmcgroup.biz

Cybersecurity of. President. July 2, 2013. mchipley@pmcgroup.biz To help protect your privacy, PowerPoint prevented this external picture from being automatically downloaded. To download and display this picture, click Options in the Message Bar, and then click Enable

More information

Concurrent Technologies Corporation (CTC) is an independent, nonprofit, applied scientific research and development professional services

Concurrent Technologies Corporation (CTC) is an independent, nonprofit, applied scientific research and development professional services Concurrent Technologies Corporation (CTC) is an independent, nonprofit, applied scientific research and development professional services organization providing innovative management and technology-based

More information

DEPARTMENT OF DEFENSE 6000 DEFENSE PENTAGON WASHINGTON, D.C. 20301-6000

DEPARTMENT OF DEFENSE 6000 DEFENSE PENTAGON WASHINGTON, D.C. 20301-6000 DEPARTMENT OF DEFENSE 6000 DEFENSE PENTAGON WASHINGTON, D.C. 20301-6000 NOV 1 0 2015 CHIEF INFORMATION OFFICER MEMORANDUM FOR ASSISTANT SECRETARY OF THE ARMY FOR ACQUISITION, LOGISTICS AND TECHNOLOGY ASSIST

More information

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE 5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE 5 FAH-11 H-510 GENERAL (Office of Origin: IRM/IA) 5 FAH-11 H-511 INTRODUCTION 5 FAH-11 H-511.1 Purpose a. This subchapter implements the policy

More information

Guidelines for Cybersecurity DT&E v1.0

Guidelines for Cybersecurity DT&E v1.0 Guidelines for Cybersecurity DT&E v1.0 1. Purpose. These guidelines provide the means for DASD(DT&E) staff specialists to engage and assist acquisition program Chief Developmental Testers and Lead DT&E

More information

Everything You Wanted to Know about DISA STIGs but were Afraid to Ask

Everything You Wanted to Know about DISA STIGs but were Afraid to Ask Everything You Wanted to Know about DISA STIGs but were Afraid to Ask An EiQ Networks White Paper 2015 EiQ Networks, Inc. All Rights Reserved. EiQ, the EiQ logo, the SOCVue logo, SecureVue, ThreatVue,

More information

Report No. D-2009-097 July 30, 2009. Data Migration Strategy and Information Assurance for the Business Enterprise Information Services

Report No. D-2009-097 July 30, 2009. Data Migration Strategy and Information Assurance for the Business Enterprise Information Services Report No. D-2009-097 July 30, 2009 Data Migration Strategy and Information Assurance for the Business Enterprise Information Services Additional Information and Copies To obtain additional copies of this

More information

VA Enterprise Design Patterns: 6. Cloud Computing 6.1 Enterprise Cloud Services Broker

VA Enterprise Design Patterns: 6. Cloud Computing 6.1 Enterprise Cloud Services Broker VA Enterprise Design Patterns: 6. Cloud Computing 6.1 Enterprise Cloud Services Broker Office of Technology Strategies (TS) Architecture, Strategy, and Design (ASD) Office of Information and Technology

More information

Project Type Guide. Project Planning and Management (PPM) V2.0. Custom Development Version 1.1 January 2014. PPM Project Type Custom Development

Project Type Guide. Project Planning and Management (PPM) V2.0. Custom Development Version 1.1 January 2014. PPM Project Type Custom Development Project Planning and Management (PPM) V2.0 Project Type Guide Custom Development Version 1.1 January 2014 Last Revision: 1/22/2014 Page 1 Project Type Guide Summary: Custom Development Custom software

More information

Strategic Plan On-Demand Services April 2, 2015

Strategic Plan On-Demand Services April 2, 2015 Strategic Plan On-Demand Services April 2, 2015 1 GDCS eliminates the fears and delays that accompany trying to run an organization in an unsecured environment, and ensures that our customers focus on

More information

Approved for Public Release; Distribution Unlimited. Case Number 14-3551 2014 The MITRE Corporation. ALL RIGHTS RESERVED.

Approved for Public Release; Distribution Unlimited. Case Number 14-3551 2014 The MITRE Corporation. ALL RIGHTS RESERVED. Beyond Compliance ---Addressing the Political, Cultural and Technical Dimensions of Applying the Risk Management Framework Jennifer Fabius Richard Graubart Abstract The Risk Management Framework (RMF)

More information

Scott Renda Office of Management and Budget www.whitehouse.gov/omb/egov

Scott Renda Office of Management and Budget www.whitehouse.gov/omb/egov Cloud Computing Briefing Scott Renda Office of Management and Budget www.whitehouse.gov/omb/egov Cloud Computing Basics Style of computing Cloud Computing: What Does it Mean? Close public/private sector

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

Introduction to AWS Security July 2015

Introduction to AWS Security July 2015 Introduction to AWS Security July 2015 Page 1 of 7 Table of Contents Introduction... 3 Security of the AWS Infrastructure... 3 Security Products and Features... 4 Network Security... 4 Inventory and Configuration

More information

Corporate Overview. MindPoint Group, LLC 8078 Edinburgh Drive, Springfield, VA 22153 Office: 703.636.2033 Fax: 866.761.7457 www.mindpointgroup.

Corporate Overview. MindPoint Group, LLC 8078 Edinburgh Drive, Springfield, VA 22153 Office: 703.636.2033 Fax: 866.761.7457 www.mindpointgroup. Corporate Overview MindPoint Group, LLC 8078 Edinburgh Drive, Springfield, VA 22153 Office: 703.636.2033 Fax: 866.761.7457 www.mindpointgroup.com IS&P Practice Areas Core Competencies Clients & Services

More information

Enterprise Continuous Monitoring Bridging Shared Services, Clouds, and In-House Solutions

Enterprise Continuous Monitoring Bridging Shared Services, Clouds, and In-House Solutions Enterprise Continuous Monitoring Bridging Shared Services, Clouds, and In-House Solutions Benjamin Bergersen Certified in the Governance of Enterprise IT - CGEIT Certified Information Systems Security

More information