How To Navigate The Maze In Your Organization

Transcription

1 Corporate Headquarters: 1010 Wayne Avenue, Suite 1150 Silver Spring, Maryland Telephone Facsimile Satellite Offices: 80 M Street, S.E., Suite 715 Washington, DC Coppermine Road, Suite 221 Herndon, Virginia Navigating the Maze of Shifting Cyber Security Policies An e-management Webinar Presenter: Rick Randall, PMP, ITILF v3, CISSP Feb. 25, 2009 SBA certified 8(a) woman-owned, minority-owned small business

2 Agenda Understanding the Maze Cyber Security Policy Background Changes Underway and Changes Predicted Navigating the Maze in Your Organization Recap 2

3 The Maze Cyber security policy background The FISMA Law FISMA The Federal Information Security Management Act of 2002* makes the head of each federal agency responsible for: 3544 (a) (2) (C) implementing policies and procedures to cost effectively reduce risks to an acceptable level * FISMA is published in Title III of the e-government Act, Public Law

4 The Maze Cyber security policy background Other Applicable Federal Laws Other public laws (P.L.) affecting cyber security policy implementation in federal agencies include: P.L : Federal Manager s Financial Integrity Act of 1982 (FMFIA) P.L : Clinger Cohen Act P.L : Health Insurance Portability and Accountability Act of 1996 (HIPAA) P.L , Federal Financial Management Improvement Act of 1996 (FFMIA) Agency specific legislation requiring protection of data 4

5 The Maze Cyber security policy background Office of Management and Budget (OMB) Circulars and Memoranda The OMB is empowered by the Clinger- Cohen and FISMA laws to define government-wide directives for cyber security. These include, for example: OMB Circular A-130 Appendix III: Long standing policy defining agency security responsibilities OMB Memoranda and : Federal Desktop Core Configuration (FDCC) OMB Memoranda 06-16, 07-16, and 08-21: Requirements related to Personally Identifiable Information (PII) protection OMB Memoranda and 08-27: Trusted Internet Connections (TIC) 5

6 The Maze Cyber security policy background Policy Hierarchy 6

7 The Maze Cyber security policy background Policies are a Subset of Requirements 7

8 The Maze Cyber security policy background Policies Versus Suggestions Good Policies Use Compulsory Language, such as: Shall Required Directed to Mandatory Compliant with Conform to Annually / Quarterly Weak or Ineffective Policies Use Discretionary Language, such as: Should When possible Advised to Recommended Observing best practices As needed Regularly Suggestions do not belong in POLICY documents. 8

9 Cyber security changes underway and changes predicted Changes Currently Underway Overview First, which change trends are likely not changing soon? NIST s Risk Management Framework (RMF) Changes to NIST s Security Controls Special Publication, SP Changes in NIST s Certification and Accreditation (C&A) guidance The future of FISMA? 9

10 Cyber security changes underway and changes predicted Change trends which are likely to continue Increasing emphasis by OMB and NIST on secure configurations Federal Desktop Core Configuration (FDCC): Likely not going away Expect to see server platforms addressed in the future Increasing emphasis on the automation of testing We currently see this for FDCC compliance Policy mandates may expand into other types of security testing Expect future mandates on agencies to utilize NIST SP A for Security Test and Evaluation (ST&E) 10

11 Cyber security changes underway and changes predicted NIST s Risk Management Framework (1) Defined in draft NIST Special Publication (SP) Integrates several NIST publications into a coherent risk based structure Describes a risk executive function having an organizationwide risk perspective 11

12 Cyber security changes underway and changes predicted NIST s Risk Management Framework (2) Plusses / Benefits Provides clarity for the FISMA mandate to reduce risks to an acceptable level Explains security management in the context of a life cycle Integrates the concepts of several existing publications Pitfalls/Yellow Flags The Risk Management Framework (RMF) is not a policy Policies will have to be modified to require use of the RMF The RMF by itself does not ease the paperwork burden of the underlying component publications (NIST SPs , , etc) 12

13 Cyber security changes underway and changes predicted Easing the Paperwork Burden through Risk Management Automation Consider NIST SP : 357 pages of material spanning two volumes Improper security categorization is a frequently cited finding of Inspector General (IG) reports Automation of analysis reduces errors and saves hours of time Automation of NIST SP analysis 13

14 Cyber security changes underway and changes predicted NIST SP Changes Initial Public Draft of NIST SP Revision 3 was posted on February 5, Proposed changes in this draft include: Eight (8) new System and Communications Protection (SC) controls Fifteen (15) new security controls overall Sixteen (16) security controls withdrawn Total controls: 101 for low impact, 151 for moderate, and 162 for high impact systems Too much to track manually in MS-Word documents! 14

15 Cyber security changes underway and changes predicted Changes to NIST C&A Guidance NIST has also posted draft Revision 1 to SP on its web site. The proposed changes include: Renaming C&A to the Security Authorization Process Linking directly to the Risk Management Framework of SP , and addressing the entire life cycle of systems Modifying roles, such as renaming the Certification Agent role to Security Control Assessor, renaming the DAA role to Authorizing Official, and introducing the risk executive function Providing more specificity on required activities in the process Now totaling thirty three (33) tasks 15

16 Cyber security changes underway and changes predicted Additional Changes Predicted Possible new presidential directive topics Revisions to Homeland Security Presidential Directive 7 (HSPD-7) regarding critical infrastructure responsibilities Possible new OMB Memoranda topics from the Obama administration Strengthening of acquisition rules for outsourced IT functions Specific direction regarding supervisory control and data acquisition (SCADA) systems Network security testing and network hardening for Trusted Internet Connections (TIC) 16

17 Cyber security changes underway and changes predicted The Future of FISMA? At some point, the Congress will likely amend or modify the FISMA law Has the current FISMA law been helpful since 2002? Accountability has improved Some improvements have occurred in the identification/inventory of systems How might the FISMA law change? Possibly a greater emphasis on testing Possibly more prescriptive responsibilities for agencies (Less likely) private sector requirements 17

18 Applying Policy Changes Locally Navigating the Maze in Your Organization (1) Recall the policy hierarchy. What can you do to navigate policy changes in your immediate organization? Ensure first that you have clarity about Roles and Responsibilities Who implements C&A/security authorization services? Who implements technical solutions? Who monitors them? Who decides on policy waivers or exceptions? Remove ambiguities wherever you can Define specific frequencies of when things must be done Invoke specific standards in your policies Don t reinvent the wheel in policy documents Provide a realistic waiver/deviation/exception mechanism 18

19 Applying Policy Changes Locally Navigating the Maze in Your Organization (2) Work smarter, not harder Revisit FIPS 199 ratings on systems at least annually Downgrade a FIPS 199 rating (e.g., High to Moderate) when appropriate and defensible Automate artifact and report generation: Steer away from endless manual MS-Word/MS-Excel document updating Mandate greater testing and monitoring rigor in policies for the systems that truly affect the mission Provide specific policy direction regarding who resolves mission questions (i.e., the risk executive function) Automate your risk collection and reporting to measure your organization s risk posture 19

20 Recap FISMA requires federal agencies to develop policies to reduce risks to an acceptable level Changes are occurring on many fronts including: Security configurations, organizational risk management, NIST controls, and C&A guidance among others Greater testing requirements for networks and SCADA systems may emerge Automation is necessary to work smarter and make the best use of your scarce resources 20

21 Q&A Rick Randall Director, Strategic IT Solutions and e-gov RPM Product Manager e-management 1010 Wayne Avenue, Suite 1150 Silver Spring, MD Phone: Fax: Save the Date! Next webinar April 28! 21