Cyber Security Assessment & Management (CSAM): CSAM C&A Web. Introduction to CSAM 1
CSAM C&A Web Solution. The CSAM C&A Web solution is an enterprise-wide tool for leveraging guidance from the Office of Management and Budget (OMB), the National Institute of Standards and Technology (NIST), other regulatory requirements, and industry best practices to assist in assessing IT security and supporting its management. To provide comprehensive FISMA compliance, the CSAM C&A Web application automates the management of five services for one complete FISMA solution. An authoring tool in the application comes populated with easily tailored.
CSAM at USDA. In 2007-2008, the USDA implemented the Cyber Security Assessment and Management (CSAM) system into its IT Security Program. CSAM provides the USDA Security Program, Program Officials, and IT Security managers with a secure, web-based capability to assess, document, manage, and report on the status of IT security risk assessments and on the implementation of Federal and DOC mandated IT security control standards and policies. It also provides a centralized system for managing Plans of Action and Milestones (POA&Ms), including creating, tracking, and closing them, and automates system inventory and FISMA reporting.
System Security Plans (SSP). SSPs are all too often considered shelf-ware that is costly to develop and maintain. In the CSAM C&A Web application, the SSP is 95 percent documented, based on the enterprise work accomplished in the first two services (policy and program planning) and on the automated system requirements assessment in the CSAM C&A Web solution.
CSAM is the SSP. [Figure: navigational guide showing CSAM data sources (1-7) and information types (8-10) feeding the Security Accreditation Package (SSP) and the CSAM C&A Web report card.] The CSAM-generated SSP template uses paragraph numbers to incorporate system data populated on the various CSAM screens. CSAM extracts data from the screens and inserts the information into the SSP where appropriate, generating the SSP automatically on demand.
Inventory Management. CSAM currently contains 253 systems, of which are OMB reportable. Including sub-systems, CSAM currently holds an approximate combined total of 730 operational systems.
POA&M Management. Since implementation, CSAM has maintained information on 7000 POA&Ms. USDA currently has 800 open POA&Ms.
Assessment. We fully utilize the assessment features of CSAM here at USDA.
Security Accreditation Package. The SSP template uses paragraph numbering. The package contains: (1) SSP; (2) POA&Ms; (3) Security Assessment Report (SAR). CSAM generates these three key documents found in the Security Accreditation Package. CSAM extracts data from the screens and inserts the information into the SSP where appropriate, generating the SSP automatically on demand.
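As an added illustration (not CSAM's own code or template), the following Python shows how a paragraph-numbered SSP template can be filled from data captured on separate screens, and how the paragraphs that no screen supplies are flagged for manual completion; the screen names, field names and paragraph numbers are hypothetical.

```python
"""Fill a paragraph-numbered SSP template from per-screen data (illustration only)."""
import re

# Constructed sample: data a user entered on several CSAM-style screens.
# Screen and field names are hypothetical, not CSAM's actual schema.
SCREEN_DATA = {
    "General": {"system_name": "Farm Loan Portal", "system_owner": "J. Doe"},
    "Categorization": {"fips199_level": "Moderate"},
    "Inventory": {"subsystems": ["Payments", "Reporting"]},
}

# Hypothetical mapping from SSP paragraph number to (screen, field).
PARAGRAPH_SOURCES = {
    "1.1": ("General", "system_name"),
    "1.4": ("General", "system_owner"),
    "2.1": ("Categorization", "fips199_level"),
    "2.3": ("Inventory", "subsystems"),
    "9.2": ("ContingencyPlan", "alternate_site"),  # screen never populated
}

# Constructed template; [[n.n]] marks the paragraph whose data is pulled in.
SSP_TEMPLATE = """1.1 System Name: [[1.1]]
1.4 System Owner: [[1.4]]
2.1 Security Categorization: [[2.1]]
2.3 Subsystems: [[2.3]]
9.2 Alternate Processing Site: [[9.2]]
"""

PLACEHOLDER = re.compile(r"\[\[(\d+(?:\.\d+)*)\]\]")


def render_ssp(template, sources, screens):
    """Return (rendered SSP text, sorted paragraph numbers still needing manual input)."""
    missing = []

    def fill(match):
        para = match.group(1)
        screen, field = sources.get(para, (None, None))
        value = screens.get(screen, {}).get(field)
        if value is None:
            missing.append(para)          # nothing on any screen: left for the author
            return "[TO BE COMPLETED]"
        if isinstance(value, list):
            return ", ".join(value)       # multi-valued screen fields become a list
        return str(value)

    return PLACEHOLDER.sub(fill, template), sorted(missing)
```

Running render_ssp on the sample data fills four of the five paragraphs and reports "9.2" as the one still requiring manual completion.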
CSAM Future: CSAM Version 3. New look and feel. Alignment with NIST 800-37 Rev1 and other NIST guidance. NIST 800-53 Rev4?
Risk Management Framework: 6 steps and tasks outlined. Checklist!
V3.0 Dashboard. In V3.0, CSAM plans to change the format of the Dashboard using dashlets. Page offerings are limited to 4, including the Enterprise page; however, there is no limit on the number of dashlets per page. [Figure: PG 1 Enterprise, PG 2, PG 3, PG 4 Personal Use.]
V3.0 General Screen/SSP Identification. In V3.0, CSAM plans to revise the layout of the General screen, making it more user friendly.
Motives: Continuous Monitoring.
CSAM v3.0 Common Control Programs. In v3.0, CSAM plans to list programs as systems, making the layout more uniform. With the new layout, programs can easily be used for tagging POA&Ms and common control (CC) offerings.
CSAM v3.0 POC Maintenance Plan. In V3.0, CSAM plans to remove redundant POCs and merge duplicates (as shown in top left). The plan is that POC maintenance should be available only to Department-level users; anyone below that level must submit feedback to request changes (as shown in top right).
V3.0 Roles & Privileges Plan. In v3.0, CSAM plans to use an expandable-tree layout that provides more granular offerings and flexibility. BLUE BACKFILL indicates a system-specific role; it applies only to the system in which the user is assigned that role.
CSAM v3.0 Inheritance Plan. In V3.0, CSAM is working on removing current improper inheritance (INH) offerings and preventing future improper offerings (as shown to the right, top and bottom). The plan is that the agency will select which controls can be inherited and then limit inheritance to systems of its choice, preventing unwanted offerings (as shown above).
Control Offering. Control inheritance is significantly improved.
Assessment Screen.
I am everywhere! On site at USDA: Timothy Lisbon (USDA Contractor). Email: Timothy.Lisbon@OCIO.USDA.GOV. Phone: 202-690-2087. Personal: Web: www.nashobasolutions.com. Email: Tim.Lisbon@NashobaSolutions.com. Twitter: @TheCSAMGuy. Facebook: www.facebook.com/nashobasolutions. LinkedIn: http://www.linkedin.com/in/tlisbon. GovLoop: www.govloop.com/profile/timothyjlisbon. Phone: 703-293-0456.