Continuous Monitoring in a Risk Management Framework. US Census Bureau Oct 2012

Similar documents
IG ISCM MATURITY MODEL FOR FY 2015 FISMA FOR OFFICIAL USE ONLY

Automate Risk Management Framework

FREQUENTLY ASKED QUESTIONS

Security Controls Assessment for Federal Information Systems

Overview. FedRAMP CONOPS

Information Security for Managers

Security Control Standard

2014 Audit of the Board s Information Security Program

Review of the SEC s Systems Certification and Accreditation Process

Federal Risk and Authorization Management Program (FedRAMP)

Cybersecurity Risk Management Activities Instructions Fiscal Year 2015

FedRAMP Standard Contract Language

Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

EPA Classification No.: CIO P-04.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: Review Date: 08/06/2015

Security Authorization Process Guide

MANAGING THE CONFIGURATION OF INFORMATION SYSTEMS WITH A FOCUS ON SECURITY

Cyber Security Assessment & Management (CSAM) CSAM C&A web

STATEMENT OF. Dr. David McClure Associate Administrator Office of Citizen Services and Innovative Technologies General Services Administration

2012 FISMA Executive Summary Report

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE

AODR Role-Based Training. Name Title Division Name U.S. Department of Energy Office of the Associate CIO for Cyber Security

Security Control Standard

UNITED STATES DEPARTMENT OF AGRICULTURE FOOD SAFETY AND INSPECTION SERVICE WASHINGTON, DC INFORMATION SYSTEM CERTIFICATION AND ACCREDITATION (C&A)

FISMA Compliance: Making the Grade

Get Confidence in Mission Security with IV&V Information Assurance

How To Monitor Your Entire It Environment

IBM Internet Security Systems October FISMA Compliance A Holistic Approach to FISMA and Information Security

NetIQ FISMA Compliance & Risk Management Solutions

NOTICE: This publication is available at:

Total Protection for Compliance: Unified IT Policy Auditing

NARA s Information Security Program. OIG Audit Report No October 27, 2014

CMS SYSTEM SECURITY PLAN (SSP) PROCEDURE

Out with. AP, In. with. (C&A) and (RMF) LUNARLINE, INC

IT Security Risk Management: A Lifecycle Approach

Compliance Risk Management IT Governance Assurance

Audit of the Department of State Information Security Program

Office of Inspector General Corporation for National and Community Service

DEPARTMENT OF VETERANS AFFAIRS VA HANDBOOK INCORPORATING SECURITY AND PRIVACY INTO THE SYSTEM DEVELOPMENT LIFE CYCLE

How To Transform It Risk Management

Business Resiliency Business Continuity Management - January 14, 2014

Continuous Monitoring

U.S. FLEET CYBER COMMAND U.S. TENTH FLEET DoD RMF Transition

Risk Management Framework (RMF): The Future of DoD Cyber Security is Here

SECURITY ASSESSMENT AND AUTHORIZATION

Symantec Control Compliance Suite Standards Manager

Nuclear Regulatory Commission Computer Security Office CSO Office Instruction

Analytics and Continuous monitoring Engine (ACE) for Enterprise Risk and Compliance Management

DOE CYBER SECURITY EBK: CORE COMPETENCY TRAINING REQUIREMENTS Key Cyber Security Role: Authorizing Official (AO)

Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA

PROTIVITI FLASH REPORT

for Information Security

Information Technology Risk Management

Privacy Impact Assessment (PIA) for the. Certification & Accreditation (C&A) Web (SBU)

Lots of Updates! Where do we start?

INSPECTION U.S. DEPARTMENT OF THE INTERIOR WEB HOSTING SERVICES

Understanding the NIST Cybersecurity Framework September 30, 2014

Security Control Standard

CMS INFORMATION SECURITY ASSESSMENT PROCEDURE

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Deputy Chief Financial Officer Peggy Sherry. And. Chief Information Security Officer Robert West. U.S. Department of Homeland Security.

Information Security for IT Administrators

Vulnerability Scanning Requirements and Process Clarification Comment Disposition and FAQ 11/27/2014

STATEMENT OF. Dr. David McClure Associate Administrator Office of Citizen Services and Innovative Technologies General Services Administration

IA Metrics Why And How To Measure Goodness Of Information Assurance

How To Improve Your Business

FY 2016 Inspector General Federal Information Security Modernization Act of 2014 Reporting Metrics V1.0

Information System Security Officer (ISSO) Guide

Baseline Cyber Security Program

GUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT

EPA Needs to Improve Security Planning and Remediation of Identified Weaknesses in Systems Used to Protect Human Health and the Environment

IT-CNP, Inc. Capability Statement

Computing. Federal Cloud. Service Providers. The Definitive Guide for Cloud. Matthew Metheny ELSEVIER. Syngress is NEWYORK OXFORD PARIS SAN DIEGO

2.0 ROLES AND RESPONSIBILITIES

Department of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS

How To Manage Security In A Federal System

OFFICE OF INSPECTOR GENERAL

PHASE 5: DESIGN PHASE

How To Get The Nist Report And Other Products For Free

December 8, Security Authorization of Information Systems in Cloud Computing Environments

Security Language for IT Acquisition Efforts CIO-IT Security-09-48

SECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK

Information Security Risk and Compliance Series Risking Your Business

Building Security In:

Enterprise Security Tactical Plan

Continuous Network Monitoring

United States Department of Agriculture. Office of Inspector General

Policy on Information Assurance Risk Management for National Security Systems

FINAL Version 1.0 June 25, 2014

NASA OFFICE OF INSPECTOR GENERAL

NEC Managed Security Services

Transcription:

Monitoring in a Risk Management Framework US Census Bureau Oct 2012

Agenda Drivers for Monitoring What is Monitoring Monitoring in a Risk Management Framework (RMF) RMF Cost Efficiencies RMF Lessons Learned

Drivers for Monitoring Regulatory change and increasing demand are driving the search for a viable Monitoring (CM) solution Regulatory Change OMB A-130 will be updated to require Monitoring House and Senate proposed legislation that mandates Monitoring Industry Momentum Departments are planning transitions to Monitoring DHS/FNS plans to provide tools and services for Monitoring Budgetary Concerns Agencies have budgetary incentives to take advantage of cost efficiencies from Monitoring Agencies want to end the spend on C&A activities

What is Monitoring? NIST SP 800-137 defines continuous monitoring as ongoing awareness of information security, vulnerabilities, and threats to facilitate risk-based decision making CM involves ongoing assessment and analysis of the effectiveness of all security controls CM provides ongoing reporting on the security posture of information systems CM supports risk management decisions to help maintain organizational risk tolerance at acceptable levels Facilitate Risk- Based Decisions Assess All Security Controls Monitoring Report on Security Posture Collect & Correlate Security Data

What is Monitoring?(cont d) Monitoring plays a central role in the NIST Risk Management Framework (RMF), which provides a structured but dynamic process for near real-time risk management Risk Management Framework Monitoring Automation CM should be embedded in a comprehensive information security program, such as the NIST RMF RMF relies on continuous monitoring to provide ongoing assessment and authorization of systems CM requires assessment of all security controls, including management and operational controls that cannot be assessed using automated tools CM requires both automated and manual processes Automated tools can improve CM efficiency and cost-effectiveness NIST SP 800-53 technical controls can be monitored with automated tools

Census Bureau Challenges When developing our approach to Monitoring, we needed to answer some fundamental questions: 1. Can we satisfy our compliance mandates while still moving forward with a security-centric Monitoring plan? 2. How can we control the scope of work needed to continuously assess the full catalog of security controls? 3. How can we drive higher levels of involvement with our executive stakeholders to make risk-based decisions? 4. How can we afford to do all of this on our existing budget? C h a l l e n g e s t o O v e r c o m e Compliance Security Budget

What are RMF Benefits? The RMF transforms the traditional Certification & Accreditation (C&A) process into a risk-based approach for managing security Elimination of 3-Year Certification & Accreditation (C&A) Cycle Single point-in-time assessments are replaced with Monitoring RMF Cohesive Framework for Risk- Centric Decision-Making Risk Profiles correlate the mission, business, and technology factors that drive IT systems Increased Use of Automated Security Assessments Existing IT toolsets are leveraged to reduce LOE for assessments Comprehensive reporting on risk and compliance status Key metrics are incorporated into regular executive reporting

RMF at Census The RMF program at Census consists of SDLC integration, Risk Profiling, manual and automated Assessments, and Governance

RMF at Census Risk Profile The Risk Profile is a key element of the Census RMF deployment Monitoring of all security controls can be time and resource prohibitive The Risk Profile makes it possible to perform Monitoring of all implemented security controls by using a risk-based approach to prioritize control assessments Business and technical factors are considered to identify a component s Risk Profile, which determines the assessment frequency for each control based on its associated risk The Risk Profile leverages Enterprise Common Control Providers (ECCPs) to reduce the number of security controls to be assessed, reducing the scope of work while maintaining compliance

RMF at Census Automation Security automation is a critical enabler of the Census RMF deployment by helping to reduce costs, increase efficiency, and improve the reliability of Monitoring efforts Security configuration benchmarks form the basis for the automation requirements Automated compliance checks are created, customized, and mapped to NIST SP 800-53 technical controls. Automated controls assessments are conducted using the automated checks NIST 800-53 Security Content Automation Protocol (SCAP) is used to provide a standard format for checking security configuration settings with automated tools Security Benchmarks SCAP

Monitoring in RMF Monitoring in a Risk Management Framework consists of continuous assessments, reporting, and authorization of information systems to monitor security risks Supports FISMA compliance for ongoing assessment of security control effectiveness Assessment SCAP provides a unifying protocol to normalize data feeds from both automated and manual assessments Enables near real-time risk management of information systems Authorization Reporting Increases situational risk awareness and supports FISMA reporting requirements

Assessment A system is continuously assessed according to the assessment frequency determined by its Risk Profile Security controls with higher risk are assessed more frequently than controls associated with lower risk More reliance on automated assessments support a higher frequency of assessments with minimal manual effort System stakeholders provide assessors with access to documentation so assessors can independently gather evidence for controls Security assessment process will be streamlined to reduce the Level of Effort (LOE) for system stakeholders Assessment results are incorporated back into the system s Risk Profile and reported to stakeholders based on system ownership and responsibility

Reporting Regular risk reporting on assessment status allows for Monitoring of systems. Authorizing Officials receive information security reports for systems in their CENs: Trend in overall residual risk, broken down by inherited risk, accepted risk, and risk to be mitigated by POA&Ms System-specific risk analysis Top risk contributors by security controls and system components Status of open POA&Ms

Authorization Once a Risk Profile SSP is assessed, the Authorizing Official (AO) determines whether the system can maintain its Authorization To Operate (ATO) and remain in Monitoring System Owner (SO) reviews the Risk Profile SSP assessment reports to determine which residual risks to mitigate Risk-based approach means that resources will be allocated towards mitigating risks considered to be most critical AO reviews the security authorization package to determine whether risks are at an acceptable level to maintain an ATO With an ATO, the information system is monitored continuously. The AO can continue to provide continuous authorization if the system maintains an acceptable risk posture, as reflected in continuous monitoring reports

Monitoring Status at Census Census is taking a phased approach to deploying Monitoring in a RMF solution, and is nearing 50% completion RMF Strategy & Transition Planning Monitoring Design & Pilot Monitoring Implementation Timeline 3-4 months 8-9 months 3 years Objective Understand how the RMF can be tailored to the unique characteristics of Census Obtain key stakeholder support and strategic direction to set the stage for success down the road Develop a comprehensive framework of automation and process redesign to implement a continuous monitoring program in lieu of traditional C&A activities Conduct a pilot to test the program design concepts Transform existing SSPs to new Risk Profiles 50% Utilize tools to develop automated compliance checks 30% Develop risk reporting database 30% Establish governance processes and change management 60%

RMF Cost Efficiencies In response to the Federal mandate for Monitoring, the Census Bureau RMF provides a cost effective approach for near real-time risk management RMF Strategy Security Program Consolidation Leverage of ECCPs Automated Assessments POA&M Assistance Cost Savings Reduction in cost from replacing duplicative programs for compliance and vulnerability management with a single, comprehensive Risk Management Program 80% reduction in the number of controls to be assessed by leveraging Enterprise Common Control Providers (ECCPs), resulting in lower assessment costs 80% reduction in LOE to assess controls using automated checks instead of manual checks. Five months to recover the cost for automating assessment checks Reduction in time to open and close POA&Ms, as remediation steps in the Risk Profile SSP make it easier for ISSOs to develop the remediation strategy for POA&Ms

RMF Lessons Learned The transition to Monitoring in a Risk Management Framework can be facilitated by proper planning for key considerations Transition Planning Governance Change Management Automation Tools Develop a RMF transition strategy tailored to the agency environment Establish policies and procedures to support new RMF processes Deploy training and communications to promote new RMF processes Capitalize on existing tools to reduce the cost for automating assessments

Questions?

Census Contacts Tim Ruland Chief Information Security Officer US Census Bureau 301.763.2869 Timothy.P.Ruland@census.gov Jaime Lynn Noble Risk Management Program Manager US Census Bureau 301.763.5916 Jaime.L.Noble@census.gov

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information