
1 Government Laws FITSP-M Module 2

2 Leadership
"Government likes to begin things – to declare grand new programs and causes and national objectives. But good beginnings are not the measure of success. What matters in the end is completion. Performance. Results. Not just making promises, but making good on promises. In my Administration, that will be the standard from the farthest regional office of government to the highest office of the land." – President George W. Bush
"My Administration is committed to creating an unprecedented level of openness in Government. We will work together to ensure the public trust and establish a system of transparency, public participation, and collaboration. Openness will strengthen our democracy and promote efficiency and effectiveness in Government." – President Barack Obama

3 FITSP-M Exam Objectives: Security Topic: Regulatory & Standards Compliance
A FITSP-Manager is expected to understand and to be able to apply:
• Manage strategies for compliance with the organization’s information security program
• Identify and stay current on all laws, regulations, standards, and best practices applicable to the organization
• Oversee relationships with all regulatory information security organizations and appropriate industry groups, forums, and stakeholders
• Keep informed on pending information security changes, trends, and best practices by participating in collaborative settings
• Supervise information security compliance performance measurement components

4 Government Laws Module Overview
• Section A: Congress & The President
  – Federal Information Security Management Act of 2002 (Title III of the E-Government Act)
    – Evolution of Compliance
    – Elements of a Security Program
    – Reporting Metrics
• Section B: NIST – National Institute of Standards & Technology
  – Computer Security Division
  – Risk Management Framework
• Section C: OMB – Office of Management & Budget
  – Circular A-130
  – Memoranda
• Section D: DHS – Department of Homeland Security
  – Cybersecurity Responsibilities
  – Presidential Directives

5 [Diagram: laws (CSA, FISMA, PRA, HSA, CNSS) and the roles they assign – NIST: Guidance; OMB: Oversight (liaison: Federal CIO); DHS: Authority (liaison: Cybersecurity Coordinator) – over Federal Agencies; timeline: 2004 SP 800-37 C&A, 2010 Rev1 RMF]


7 Legislative History



10 E-Government Act of 2002 (Public Law 107-347)
• Establishes Office of E-Gov within OMB
• Areas of E-Gov:
  – Capital planning and investment control for information technology
  – Development of enterprise architectures (FEA)
  – Information Security (Title III)
  – Access to government information
• Establishes CIO Council in the Executive branch

11 What is FISMA?
• Title III of the E-Gov Act of 2002
• Requires each Federal Agency to implement an information security program
• Report annually to OMB
  – Adequacy of security program
  – Address adequacy in plans and reports relating to annual budgets
  – Significant deficiencies
• Continuously evolving

12 The Evolution of FISMA Compliance
• Continuous Monitoring
• Timely and Role-relevant Information
• Outcome-based Metrics
  – "metrics are a policy statement about what Federal entities should concentrate resources on"
• Monthly Data Feeds Directly from Security Management Tools (CyberScope)
• Government-wide Benchmarking on Security Posture (Questionnaire)
• Agency-specific Interviews (CyberStat with DHS)
"This process is designed to shift our efforts away from a culture of paperwork reports. The focus must be on implementing solutions that actually improve security."

13 Reporting Metrics FY2012
• Administration Priorities (AP)
• Key FISMA Metrics (KFM)
• Baseline Questions (Base)

14 Knowledge Check
• This law gave OMB the authority to define policies for US Government Agencies.
• This law assigned responsibilities to NIST for creating standards and guidelines relating to securing Federal information systems.
• This OMB program provides a structure for Agencies to identify business processes.


16 NIST, Computer Security Division
Federal Information Security Management Act (FISMA) Implementation Project – Protecting the Nation's Critical Information Infrastructure
• Standards for categorizing (FIPS 199)
• Standards for minimum security requirements (FIPS 200)
• Guidance for selecting security controls (SP 800-53)
• Guidance for assessing security controls (SP 800-53A)
• Guidance for the security authorization (SP 800-37)
• Guidance for monitoring the security controls (SP 800-137)

17 Risk Management Framework


19 The Management Side of OMB
• Office of Federal Financial Management
• Office of Federal Procurement Policy
• Office of E-Government and Information Technology
• Office of Performance and Personnel Management
• Office of Information and Regulatory Affairs

20 OMB Instructions
• Circulars
  – Budget
  – State and Local Governments
  – Educational and Non-Profit Institutions
  – Federal Procurement
  – Federal Financial Management
  – Federal Information Resources / Data Collection
  – Other Special Purpose
• Memoranda
  – Providing further explanation and guidance

21 OMB Circular A-130
• Establishes policy for the management of Federal information resources
• Appendix III: Security of Federal Automated Information Resources

22 OMB A-130 Background
• Privacy Act of 1974
• Paperwork Reduction Act of 1980
• Computer Security Act of 1987
• Clinger-Cohen Act of 1996
• Gov’t Paperwork Elimination Act of 1998

23 OMB A-130, Appendix III
• Definitions
  – GSS: General Support System
  – MA: Major Application
  – Adequate security
• Assignment of Responsibilities
• Reporting
  – Deficiencies & Corrective Actions
  – Security Plan Summary

24 OMB Memoranda
• General Guidance
  – POAMs
  – Continuity Plans
  – FDCC
  – Trusted Internet Connections
• Reporting Guidance
  – GISRA
  – FISMA
  – Incidents involving PII
• Policies
  – Federal Agency Public Websites
  – "File Sharing" Technology
• Implementation Guidance
  – Government Paperwork Elimination Act
  – E-Government Act
  – HSPDs

25 Trusted Internet Connections (M-09-32)
• Inventory External Connections
• Meet TIC Critical Technical Capabilities
• Implement Critical TIC Capabilities
• Acquire Telecommunications Connectivity Through the Networx Contract
• Consolidate External Connections Through Approved Access Points (TICAPs)

26 CIO Reporting Metric #7 Boundary Protection

27 Reporting Instructions (Changes) – OMB M-11-33 / FISM 11-02 / FISM 12-02
• CyberScope
  – "…collection of data should be a by-product of existing continuous monitoring processes, not a bolt-on activity that redirects valuable resources from important mission activities."
  – Monthly Data Feeds
  – Quarterly Reporting
  – Annual Reporting (Mid-November)
  – Information Security Questions
  – CyberStat Review (Conducted by DHS): Sessions and Agency Interviews
• (9) Must the DoD and the ODNI follow OMB policy and NIST guidelines? YES!!
• (28) Is Reauthorization Required Every 3 Years… NO!
• (34) USGCB Announced (FDCC Spin-off for W7 & IE8)

28 Standardized Desktop OS Configuration Settings
• Federal Desktop Core Configuration (FDCC)
  – Windows XP & Vista
• US Gov’t Configuration Baseline (USGCB)
  – Windows 7 & IE 8
  – In Development: Mac OS X & Red Hat Enterprise Linux
• Security Content Automation Protocol (SCAP)

29 Privacy & Privacy Reporting (M-07-16)
• Safeguarding PII
• Breach Notification Policy
• SAOP Reporting Metrics FY2012
  – Information Security Systems (w/ PII)
  – PIAs and SORNs
  – Privacy Training
  – PIA and Web Privacy Policies and Processes
  – Written Privacy Complaints
  – SAOP Advice and Guidance
  – Agency Use of Web Management and Customization Technologies (e.g., "cookies," "tracking technologies")

30 Knowledge Check
• This document provides a policy framework for information resources management across the Federal government.
• This OMB memo requires that agencies safeguard against and respond to breaches of personally identifiable information.
• Name an initiative to create security configuration baselines for Information Technology products widely deployed across the federal agencies.
• Agencies are required to adhere to DHS’ direction to report data through this automated reporting tool. What is the required frequency of these data feeds?
• The OMB A-130’s stated requirement for reauthorization is at least once every 3 years. What must an agency do to waive that requirement?


32 DHS – Department of Homeland Security
• Prevent Terrorism and Enhance Security
• Secure and Manage our Borders
• Enforce and Administer our Immigration Laws
• Safeguard and Secure Cyberspace
• Ensure Resilience to Disasters
• And now… Cybersecurity!

33 Cybersecurity Responsibilities (M-10-28)
• Office of Management and Budget
  – Annual FISMA Report to Congress
  – Cybersecurity Portions of the President’s Budget
• Cybersecurity Coordinator
  – Cybersecurity Strategy and Policy Development
• Department of Homeland Security
  – Critical Infrastructure Protection
  – US-CERT
  – Trusted Internet Connection Initiative
  – Primary Responsibility for the Operational Aspects of Cybersecurity

34 Presidential Directives
Abbrev.  Name                                        Years       President
PDD      Presidential Decision Directives            1993–2001   Clinton
NSPD     National Security Presidential Directives   2001–2009   G. W. Bush
HSPD     Homeland Security Presidential Directives   2001–       G. W. Bush and Obama
PSD      Presidential Study Directives               2009–       Obama
PPD      Presidential Policy Directives              2009–       Obama

35 Homeland Security Presidential Directives
• HSPD-3 – Homeland Security Advisory System
• HSPD-5 – Management of Domestic Incidents
• HSPD-7 – Critical Infrastructure Identification, Prioritization, and Protection
• PDD-8 – National Preparedness
• HSPD-12 – Policy for a Common Identification Standard for Federal Employees and Contractors
• HSPD-20/NSPD-51 – National Continuity Policy
• HSPD-24 – Biometrics for Identification and Screening to Enhance National Security

36 Cybersecurity Legislative Proposal
• 50 New Cyber-related Bills
• Protecting the American People
• Protecting our Nation’s Critical Infrastructure
• Protecting Federal Government Computers and Networks
  – The Administration proposal would update FISMA and formalize DHS’ current role in managing cybersecurity for the Federal Government’s civilian computers and networks, in order to provide departments and agencies with a shared source of expertise.
• New Framework to Protect Individuals’ Privacy and Civil Liberties

37 Government Laws Key Concepts & Vocabulary
• Legislative Milestones
  – Paperwork Reduction Act of 1980
  – Computer Security Act of 1987
  – Clinger-Cohen Act of 1996
  – Homeland Security Act & E-Government Act of 2002 (Title III: FISMA)
• NIST Standards & Guidelines
  – NIST SP 800-37r1 – Risk Management Framework
• OMB Memoranda
  – M-10-28 Cybersecurity Responsibilities of DHS
  – FISM 11-01 Trusted Internet Connections
  – M-07-16 Privacy
• DHS & Cybersecurity
  – M-08-16 Configuration Baselines
  – FISM 12-02 / M-11-33 FISMA Reporting Guidelines
  – CyberScope

38 Lab Activity 1 – Searching for Guidance
• OMB: Oversight – Policy (OMB A-130)
• CNSS
• NIST: Guidance – Standards (FIPS), Guidelines (SP)

39 Questions?
Next Module: Risk Management Framework
