Lots of Updates! Where do we start?




NIH Security, FISMA and EPLC
Lots of Updates! Where do we start?
Kay Coupe, NIH FISMA Program Coordinator, Office of the Chief Information Officer
Project Management Community Meeting, October 18, 2011

NIST Updates
Updated Special Publications (SP):
- SP 800-137: Information Security Continuous Monitoring for Federal Information Systems and Organizations (Sept 2011)
- SP 800-128: Guide for Security-Focused Configuration Management of Information Systems (Aug 2011)
- SP 800-53 Appendix J: Draft Privacy Control Catalog (July 2011)
- SP 800-39: Managing Information Security Risk: Organization, Mission and Information System View (Mar 2011)
- SP 800-30: Draft Guide for Conducting Risk Assessments (Sept 2011)
- SP 800-37, Rev 1: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (Feb 2010)

New Terms
- Certification & Accreditation (C&A) is now: System Authorization
- Designated Authorizing Authority (DAA) is now: Authorizing Official (AO)
- Project Categorization is now: System Categorization
- System Certification is now: Security Control Assessment
- System Re-certification/Re-Accreditation is now: System Re-Authorization

New (and old) Emphasis
- Risk Management: more involvement by the system owner and project manager
- Continuous Monitoring: new approaches and tools coming
- Continuous Authorization to Operate: more to come from HHS on this new concept
- Cloud Computing: new contract language
- POAMs and validation of mitigation: tracked in the NIH Certification & Accreditation Tool (NCAT)
- Remote Access and 2-factor authentication for moderate and high impact systems: ensure it is built into new systems

Acronyms
- FISMA: Federal Information Security Management Act
- NCAT: NIH Certification & Accreditation Tool
- NEAR: NIH Enterprise Architecture Repository
- HEAR: HHS Enterprise Architecture Repository
- SPORT: HHS Security and Privacy Online Reporting Tool
- POAM: Plan of Action and Milestones
- PMT: Portfolio Management Tool (for Capital Planning [CPIC])
- ISSO: Information System Security Officer
- CISO: NIH Chief Information Security Officer
- CIO: Chief Information Officer
- ISAO: Information Security and Awareness Office
NIH Master Glossary of IT Security Terms: http://ocio.nih.gov/security/isso%20glossary.doc

New Changes Coming (Things to watch for)
- All systems must be input into NEAR and NCAT in order to be listed in HEAR
- Once systems are in HEAR, SPORT will be populated so PIAs can be started
  - Coordination is done through the NCAT team
  - Coordinate with your ISSO and Privacy Coordinator
- New Privacy Controls will be part of SP 800-53
- POAM updates will be sent to HHS every two weeks
- Alignment of HEAR/NEAR/SPORT/PMT and the new HHS Data Warehouse

Changes to Security Approach and Deliverables Per EPLC 1.4 (Phased in over time)
- Privacy Impact Assessment (PIA)
  - Preliminary PIA done in the Concept Phase per EPLC 1.4
  - Final PIA must be done in coordination with the Implementation Phase
  - Work with your IC Privacy Coordinator and ISSO
- Security Approach: removed, based on the new SP 800-37 methodology (SP 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

Changes to Security Approach and Deliverables Per EPLC 1.4 (Phased in over time), continued
- Interconnection Security Agreement (ISA)
  - Could be part of a Computer Match Agreement (CMA), but does not take the place of a CMA
  - NIH has an ISA template: http://ocio.nih.gov/nihsecurity/nih_isa_templates.html
  - More to come on CMAs and ISAs
- New Security templates in NCAT coming soon

Other Changes to the EPLC Rev 1.4 Related to Security
- Project Manager responsibilities regarding POAMs updated
  - Work with your ISSO and NCAT representative
  - Validation of mitigation is very important (audit issue)
  - Ongoing process
  - Various sources for weakness identification (vulnerability scans, Security Control Assessments, continuous monitoring, audits, etc.)
- New HHS reporting process coming: POAM information will be sent to HHS every two weeks starting in 2012
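Validation of mitigation is the item auditors press on: a POAM entry marked "Completed" is only as good as the evidence behind it. The script below is an added example, not code from the NIH deck, NCAT or HHS. It reconciles a POAM export against the most recent vulnerability scan and flags the four things an ISSO would want to know before the biweekly HHS report goes out: closures the scanner still contradicts, closures with no completion date recorded, open items past their milestone date, and scan findings that have no POAM entry at all. The record layout, the status strings, the severity threshold and every host, finding reference and date in the sample data are assumptions made for illustration.

```python
"""Reconcile a POAM export against the latest vulnerability scan.

Added example, not part of the NIH deck or of NCAT. It assumes a POAM
export and a scan export have already been flattened into the two record
types below; the field names, the status values and every record in
SAMPLE_POAM / SAMPLE_SCAN are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Scanner severities that warrant a POAM entry. Assumed threshold, not an NIH rule.
TRACKED_SEVERITIES = {"Critical", "High", "Medium"}


@dataclass(frozen=True)
class PoamItem:
    weakness_id: str            # POAM weakness identifier
    host: str                   # asset the weakness was found on
    finding_ref: str            # identifier the scanner reports for the weakness
    status: str                 # "Open", "Completed" or "Risk Accepted" (assumed values)
    scheduled_completion: date  # milestone date promised in the POAM
    completed_on: Optional[date] = None  # closure evidence; required when Completed


@dataclass(frozen=True)
class ScanFinding:
    host: str
    finding_ref: str
    severity: str


def reconcile(poam: List[PoamItem], scan: List[ScanFinding], as_of: date) -> Dict[str, list]:
    """Cross-check POAM status against scan evidence.

    Returns four sorted lists:
      unvalidated_closures: items marked Completed whose finding the scanner still reports
      missing_evidence:     items marked Completed with no completion date recorded
      overdue:              Open items whose scheduled completion date has passed
      untracked:            (host, finding) pairs of tracked severity with no POAM entry
    """
    still_present = {(f.host, f.finding_ref) for f in scan}
    tracked = {(p.host, p.finding_ref) for p in poam}

    unvalidated = sorted(
        p.weakness_id for p in poam
        if p.status == "Completed" and (p.host, p.finding_ref) in still_present
    )
    missing_evidence = sorted(
        p.weakness_id for p in poam
        if p.status == "Completed" and p.completed_on is None
    )
    overdue = sorted(
        p.weakness_id for p in poam
        if p.status == "Open" and p.scheduled_completion < as_of
    )
    untracked = sorted(
        (f.host, f.finding_ref) for f in scan
        if f.severity in TRACKED_SEVERITIES and (f.host, f.finding_ref) not in tracked
    )
    return {
        "unvalidated_closures": unvalidated,
        "missing_evidence": missing_evidence,
        "overdue": overdue,
        "untracked": untracked,
    }


# Constructed sample data: hosts, finding references and dates are invented.
SAMPLE_POAM = [
    PoamItem("W-001", "app01", "F-100", "Completed", date(2011, 9, 30), date(2011, 9, 20)),
    PoamItem("W-002", "app01", "F-200", "Open", date(2011, 9, 15)),
    PoamItem("W-003", "db01", "F-300", "Completed", date(2011, 8, 31), date(2011, 8, 25)),
    PoamItem("W-004", "db01", "F-400", "Open", date(2011, 12, 1)),
    PoamItem("W-005", "web01", "F-100", "Completed", date(2011, 9, 30)),
]

SAMPLE_SCAN = [
    ScanFinding("app01", "F-100", "High"),      # W-001 says fixed; the scanner disagrees
    ScanFinding("app01", "F-200", "Medium"),    # W-002 still open, as expected
    ScanFinding("db01", "F-400", "Critical"),   # W-004 still open, as expected
    ScanFinding("web01", "F-500", "High"),      # no POAM entry at all
    ScanFinding("web01", "F-600", "Low"),       # below the tracking threshold
]


def run_example() -> Dict[str, list]:
    """Reconcile the sample data as of the meeting date on the title slide."""
    return reconcile(SAMPLE_POAM, SAMPLE_SCAN, date(2011, 10, 18))


if __name__ == "__main__":
    for category, items in run_example().items():
        print(f"{category}: {items}")
```

The matching key is (host, finding reference) rather than the finding reference alone, because the same weakness closed on one host and still open on another is exactly the case a closure review must not collapse. A real feed would also carry a scan date, so that a "Completed" item can be checked against a scan taken after the completion date rather than before it.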

Other Changes to the EPLC Rev 1.4 Related to Security, continued
- An Authority to Operate may be granted for a period of time to be determined by the Authorizing Official (AO) in compliance with HHS policies (not just three-year periods; more to come)
- Ensure that all high impact risks are documented and mitigated prior to entering the Implementation Phase
- Flexibility and tailoring regarding security control implementation is permitted
  - Compensating controls can be utilized, but must be documented and accepted
  - If waivers are required, submit them in a timely manner to the NIH CISO (via your ISSO)

Security Critical Partners: What we look for
Comprehensive indication that security risks and compliance are being included and evaluated. Some examples include:
- Access control & segregation of duties implemented
- Configuration standards documented, followed and tested
- Privacy evaluated
- Security Authorization costs included in the budget
- Accurate and thorough design documentation included
- ISSO involvement
- Vulnerability scans/penetration tests performed and issues mitigated
- Security Plan accurate and up-to-date
- Contingency Plans tested
- POAMs documented, tracked and mitigated in a timely manner
- Residual Risk mitigated or accepted by the appropriate authority
- New program coming: CIO/CISO acceptance of risk may be needed for NIH HIGH RISKS

Remember...
- Security should be built in during the system concept and design phases, not added on at the end
- A good design document is worth its weight in gold
- Reach out to your IC ISSO, the NIH Privacy Office and ISAO if you have questions (we really are here to help)
- New programs and processes are being developed to assist you, and your input is very important
- Security needs to be implemented and monitored on a continuous basis
- The bad guys don't take vacations ;-)

Reference Links
- NIST Special Publications: http://csrc.nist.gov/publications/pubssps.html
- NCAT Support Team: ncat@mail.nih.gov
- Office of the Senior Official for Privacy: privacy@mail.nih.gov
- OCIO Security Website: http://ocio.nih.gov/security/index.html

Contact Info
Kathleen (Kay) Coupe
NIH FISMA Program Coordinator
Information Security and Awareness Office, Office of the Chief Information Officer
coupek@mail.nih.gov
301-594-9848
Room 3G12, Fernwood Building